Control: 3.2 Ensure Secure Boot is enabled on Compute Instance
Description
Shielded Instances with Secure Boot enabled prevent unauthorized boot loaders and operating systems from booting. This prevents rootkits, bootkits, and unauthorized software from running before the operating system loads. Secure Boot verifies the digital signature of the system's boot software to check its authenticity. The digital signature ensures the operating system has not been tampered with and is from a trusted source. When the system boots and attempts to execute the software, it first checks the digital signature to ensure validity. If the digital signature is not valid, the system will not allow the software to run. Secure Boot is a feature of UEFI (Unified Extensible Firmware Interface) that only allows approved operating systems to boot.
A Threat Actor with access to the operating system may seek to alter boot components to persist malware or rootkits during system initialization. Secure Boot helps ensure that the system only runs authentic software by verifying the digital signature of all boot components.
Remediation
Note: the Secure Boot facility is available only on selected VM images and shapes in OCI, and it can be configured only at instance creation time. An existing instance cannot be switched to Secure Boot in place, which is why the remediation below terminates and recreates it.
From Console
- Navigate to https://cloud.oracle.com/compute/instances.
- Select the instance from the Audit Procedure.
- Click Terminate.
- Determine whether or not to permanently delete the instance's attached boot volume.
- Click Terminate instance.
- Click on Create Instance.
- Select an Image and Shape that supports the Shielded Instance configuration. A Shield icon in front of the Image/Shape row indicates support for Shielded Instance.
- Click on edit of the Security blade.
- Turn on Shielded Instance, then turn on the Secure Boot toggle.
- Fill in the rest of the details as per requirements.
- Click Create.
Default Value
Secure Boot is not Enabled.
Usage
Run the control in your terminal:
powerpipe control run oci_compliance.control.cis_v200_3_2
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run oci_compliance.control.cis_v200_3_2 --share
SQL
This control uses a named query:
identity_default_tag
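The pass/fail logic of this control, re-expressed as a standalone Python evaluator. This is an added example, not the oci_compliance mod's own query and not Steampipe code: the instance records are constructed inline and follow the field names of the OCI Core Services Instance resource (`lifecycleState`, `platformConfig.isSecureBootEnabled`); the `ok`/`alarm`/`skip` statuses are Powerpipe's control statuses, and classifying terminated instances as `skip` and instances with no `platformConfig` as `alarm` is an assumption made here, not something the page specifies.

```python
"""Evaluate OCI compute instances against CIS 3.2 (Secure Boot enabled).

Added example, not the oci_compliance mod's own query. The records below are
constructed to mimic the OCI Core Services Instance resource as returned by
the REST API (camelCase keys). Field names assumed from that API:
'lifecycleState' and 'platformConfig.isSecureBootEnabled'.
"""
from typing import Iterable

# Constructed sample records (not real OCIDs or real instances).
SAMPLE_INSTANCES = [
    {"id": "ocid1.instance.oc1..example-shielded", "displayName": "web-01",
     "lifecycleState": "RUNNING",
     "platformConfig": {"type": "INTEL_VM",
                        "isSecureBootEnabled": True,
                        "isTrustedPlatformModuleEnabled": True,
                        "isMeasuredBootEnabled": True}},
    {"id": "ocid1.instance.oc1..example-plain", "displayName": "db-01",
     "lifecycleState": "RUNNING",
     "platformConfig": {"type": "INTEL_VM", "isSecureBootEnabled": False}},
    # Older image/shape without any shielded-instance configuration at all.
    {"id": "ocid1.instance.oc1..example-legacy", "displayName": "legacy-01",
     "lifecycleState": "RUNNING"},
    # Terminated instances cannot be remediated, so they are skipped.
    {"id": "ocid1.instance.oc1..example-gone", "displayName": "old-01",
     "lifecycleState": "TERMINATED",
     "platformConfig": {"isSecureBootEnabled": False}},
]


def evaluate_instance(inst: dict) -> dict:
    """Return one Powerpipe-style control row: resource, status, reason.

    Assumption (not from the page): terminated instances are 'skip', and a
    missing platformConfig is treated as Secure Boot not enabled ('alarm'),
    since a non-shielded instance exposes no secure-boot setting to verify.
    """
    name = inst.get("displayName") or inst["id"]
    if inst.get("lifecycleState") == "TERMINATED":
        return {"resource": inst["id"], "status": "skip",
                "reason": f"{name} is terminated."}

    cfg = inst.get("platformConfig") or {}
    # Strict boolean check: only a JSON true counts as enabled.
    enabled = cfg.get("isSecureBootEnabled") is True
    return {
        "resource": inst["id"],
        "status": "ok" if enabled else "alarm",
        "reason": (f"{name} has Secure Boot enabled." if enabled
                   else f"{name} does not have Secure Boot enabled."),
    }


def evaluate(instances: Iterable[dict]) -> list:
    """Evaluate every instance record and return the list of control rows."""
    return [evaluate_instance(inst) for inst in instances]


def summarize(rows: Iterable[dict]) -> dict:
    """Count rows per status, in the shape of a Powerpipe run summary."""
    counts = {"ok": 0, "alarm": 0, "skip": 0}
    for row in rows:
        counts[row["status"]] += 1
    return counts


if __name__ == "__main__":
    results = evaluate(SAMPLE_INSTANCES)
    for row in results:
        print(f"{row['status']:<6} {row['resource']:<42} {row['reason']}")
    print(summarize(results))
```

The evaluator deliberately treats anything other than a literal `true` for `isSecureBootEnabled` as a failure, so an instance launched from a shape or image that does not support Shielded Instances (no `platformConfig` at all) surfaces as an alarm rather than silently passing.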