From 2938a2d5afee82efb9d23c16654aa5c9dd07de47 Mon Sep 17 00:00:00 2001
From: mboelen <michael@cisofy.com>
Date: Thu, 13 Nov 2014 00:58:11 +0100
Subject: [PATCH] GRUB2 password protection test
---
include/tests_boot_services | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/include/tests_boot_services b/include/tests_boot_services
index f2c123af..7355cea4 100644
--- a/include/tests_boot_services
+++ b/include/tests_boot_services
@@ -5,8 +5,8 @@
# Lynis
# ------------------
#
-# Copyright 2007-2014, Michael Boelen (michael@rootkit.nl), The Netherlands
-# Web site: http://www.rootkit.nl
+# Copyright 2007-2014, CISOfy & Michael Boelen, The Netherlands
+# Web site: https://cisofy.com
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
@@ -107,24 +107,30 @@
if [ ! "${GRUBCONFFILE}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
Register --test-no BOOT-5122 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check for GRUB boot password"
if [ ${SKIPTEST} -eq 0 ]; then
+ FOUND=0
logtext "Found file ${GRUBCONFFILE}, proceeding with tests."
FileIsReadable ${GRUBCONFFILE}
if [ ${CANREAD} -eq 1 ]; then
FIND=`cat ${GRUBCONFFILE} | grep 'password --md5' | grep -v '^#'`
FIND2=`cat ${GRUBCONFFILE} | grep 'password --encrypted' | grep -v '^#'`
- if [ "${FIND}" = "" -a "${FIND2}" = "" ]; then
- Display --indent 6 --text "- Checking for password protection" --result WARNING --color RED
- logtext "Result: Didn't find MD5/SHA1 hashed password line in GRUB boot file!"
- logtext "Risk: user can switch to single user mode by editing current menu items or bypassing them."
- logtext "Additional information: Do NOT use a plaintext password, since the grub.conf or menu.lst file is most likely to be world readable!"
- logtext "If an unsecured OS like DOS is used, add 'lock' below that entry and setup a password with the password option, to prevent direct system access."
- ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
- logtext "Tip: Run grub-crypt or grub-md5-crypt and create a hashed password. Add a line below the line timeout=<value>, add: password --md5 <password hash> or password --encrypted <password hash> for SHA1 encrypted password"
- AddHP 0 2
- else
+ FIND3=`cat ${GRUBCONFFILE} | grep 'set superusers' | grep -v '^#'`
+ FIND4=`cat ${GRUBCONFFILE} | grep 'password_pbkdf2' | grep -v '^#'`
+ # GRUB1: MD5 or SHA1
+ if [ ! "${FIND}" = "" -o ! "${FIND2}" = "" ]; then
+ FOUND=1
+ # GRUB2: Superusers and password should be defined
+ elif [ ! "${FIND3}" = "" -a ! "${FIND4}" = "" ]; then
+ FOUND=1
+ fi
+ if [ ${FOUND} -eq 1 ]; then
Display --indent 6 --text "- Checking for password protection" --result OK --color GREEN
logtext "Result: GRUB has password protection."
AddHP 4 4
+ else
+ Display --indent 6 --text "- Checking for password protection" --result WARNING --color RED
+ logtext "Result: Didn't find hashed password line in GRUB boot file!"
+ ReportSuggestion ${TEST_NO} "Set a password on GRUB bootloader to prevent altering boot configuration (e.g. boot in single user mode without password)"
+ AddHP 0 2
fi
else
logtext "Result: Can not read ${GRUBCONFFILE} (no permission)"