1.4.3 Ensure authentication is required when booting into rescue mode - emergency.service

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Rescue mode (former single user mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.

Rationale:

Requiring authentication in rescue mode (former single user mode) prevents an unauthorized user from rebooting the system into rescue mode to gain root privileges without credentials.

Solution

The systemd drop-in files must be created if it is necessary to change the default settings:
Create the file /etc/systemd/system/rescue.service.d/00-require-auth.conf which contains only the configuration to be overridden:

[Service]
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

Additional Information:

systemd-unit(5)

See Also

https://workbench.cisecurity.org/files/3939