Set a password on GRUB boot loader - password already set #1422

Open
SheetLightning opened this issue Jul 19, 2023 · 0 comments
SheetLightning commented Jul 19, 2023

Describe the bug
Getting the suggestion "Set a password on GRUB boot loader to prevent altering boot configuration". A PBKDF2 encrypted password has already been set and confirmed to be working.

Version

  • Distribution [Ubuntu 22.04.2 LTS]
  • Lynis version [3.0.8]

Expected behavior
Was not expecting the tool to flag this as a problem, although Lynis is perhaps not programmed to check for the password in files other than 10_linux, so I am not sure whether this classes as a bug or a feature request?

Output
suggestion[]=BOOT-5122|Set a password on GRUB boot loader to prevent altering boot configuration (e.g. boot in single user mode without password)|-|-|

Additional context
Ubuntu is running in a virtual machine on KVM/QEMU. The password is set up to allow the machine to boot without the user being prompted for the password at boot up, but the user IS prompted for the password if they attempt to use any GRUB commands such as edit mode for example.

The password is created with grub-mkpasswd-pbkdf2 and added to a 00_before_header file. The 10_linux file is then modified to allow unrestricted boot-up by replacing the lines:

      echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
  else
      echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"

with:

      echo "menuentry '$(echo "$title" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-$version-$type-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
  else
      OLD_CLASS="$CLASS"
      if [ "$(echo "$os" | grub_quote)" = "Ubuntu" ]; then
          CLASS="$CLASS  --unrestricted"
      fi
      echo "menuentry '$(echo "$os" | grub_quote)' ${CLASS} \$menuentry_id_option 'gnulinux-simple-$boot_device_id' {" | sed "s/^/$submenu_indentation/"
      CLASS="$OLD_CLASS"

sudo update-grub is run after this.
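
One way to confirm the setup described in this issue from the generated configuration rather than from the individual /etc/grub.d scripts, as an added example that is not part of the original report and is not Lynis code. The function names, the `admin` user, the placeholder hash and the sample grub.cfg are constructed for illustration; on a real system the file to pass would be the generated /boot/grub/grub.cfg.

```shell
#!/bin/sh
# Added example, not Lynis code; function names and sample data are constructed.
# Constructed grub.cfg: password lines as 00_before_header would emit them,
# plus one --unrestricted entry and one entry left restricted.
write_sample_cfg() {
    cat > "$1" <<'EOF'
set superusers="admin"
password_pbkdf2 admin grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
menuentry 'Ubuntu' --class ubuntu --unrestricted $menuentry_id_option 'gnulinux-simple-ID' {
}
submenu 'Advanced options for Ubuntu' $menuentry_id_option 'gnulinux-advanced-ID' {
  menuentry 'Ubuntu (recovery mode)' --class ubuntu $menuentry_id_option 'gnulinux-recovery-ID' {
  }
}
EOF
}

# Print pbkdf2, plaintext or none: does any listed superuser have a password line?
grub_password_status() {
    awk '
        $1 == "set" && $2 ~ /^superusers=/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/["\047]/, "", v)
            n = split(v, a, /[ ,;|&]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") su[a[i]] = 1
        }
        $1 == "password_pbkdf2" { kind[$2] = "pbkdf2" }
        $1 == "password" && !($2 in kind) { kind[$2] = "plaintext" }
        END {
            r = "none"
            for (u in su) if (u in kind) {
                if (kind[u] == "pbkdf2") { r = "pbkdf2" }
                else if (r == "none") { r = "plaintext" }
            }
            print r
        }' "$1"
}

# Print "restricted=N unrestricted=M". With superusers set, GRUB asks for
# credentials before booting any menuentry that lacks --unrestricted.
menuentry_summary() {
    awk '
        $1 == "menuentry" { if ($0 ~ /[ \t]--unrestricted([ \t]|$)/) u++; else r++ }
        END { printf "restricted=%d unrestricted=%d\n", r, u }' "$1"
}

cfg=$(mktemp)
write_sample_cfg "$cfg"
echo "password: $(grub_password_status "$cfg") entries: $(menuentry_summary "$cfg")"
rm -f "$cfg"
```

A result of `pbkdf2` together with a non-zero `restricted` count shows the password is active while the default entry still boots unattended; reading the real grub.cfg may require root.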
