1.4.3 Ensure authentication is required when booting into rescue mode - emergency.service

Information

Rescue mode (formerly single user mode) is used for recovery when the system detects an issue during boot, or when it is selected manually from the bootloader.

Rationale:

Requiring authentication in rescue mode (formerly single user mode) prevents an unauthorized user from rebooting the system into rescue mode to gain root privileges without credentials.

Solution

If the default settings need to be changed, a systemd drop-in file must be created.
Create the file /etc/systemd/system/rescue.service.d/00-require-auth.conf, containing only the configuration to be overridden:

[Service]
ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
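
An added example, not part of the benchmark or of the audit plugin: a POSIX shell check that resolves a unit's effective ExecStart= from the vendor file plus /etc drop-ins and passes only if every command is systemd-sulogin-shell. The function names and the root-prefix argument are assumptions made here, and only drop-ins under /etc/systemd/system are considered.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not from the benchmark).
# $1 is a root prefix so the check can run against a constructed tree;
# pass "" to inspect the live system.

effective_execstart() {
    root=$1 unit=$2
    # A full unit file in /etc replaces the vendor copy in /usr/lib.
    if [ -f "$root/etc/systemd/system/$unit" ]; then
        main="$root/etc/systemd/system/$unit"
    else
        main="$root/usr/lib/systemd/system/$unit"
    fi
    [ -f "$main" ] || return 2          # unit not installed
    # Drop-ins are read after the main file, in lexical filename order.
    set -- "$main"
    for f in "$root/etc/systemd/system/$unit.d"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    awk '
        /^[ \t]*ExecStart[ \t]*=/ {
            sub(/^[ \t]*ExecStart[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            # An empty assignment clears everything set so far.
            if ($0 == "") n = 0; else cmds[++n] = $0
        }
        END { for (i = 1; i <= n; i++) print cmds[i] }
    ' "$@"
}

requires_auth() {
    # 0 = every effective ExecStart runs systemd-sulogin-shell
    # 1 = some command bypasses it (or none is set), 2 = unit missing
    cmds=$(effective_execstart "$1" "$2") || return 2
    [ -n "$cmds" ] || return 1
    # Skip systemd prefix characters (-, @, :, +, !) before the path.
    ok='^[-@:+!]*/usr/lib/systemd/systemd-sulogin-shell([[:space:]]|$)'
    if printf '%s\n' "$cmds" | grep -Evq "$ok"; then
        return 1
    fi
    return 0
}
```

On a host, `requires_auth "" rescue.service` and `requires_auth "" emergency.service` give the result for each unit.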

Additional Information:

systemd.unit(5)

See Also

https://workbench.cisecurity.org/files/3939

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Unix

Control ID: 442796fe05904d0eef29c8ad4ebe575fa736e67cf83e5898571bd0586a056273