1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - superusers


If the operating system is using Unified Extensible Firmware Interface (UEFI) it must require authentication upon booting into single-user and maintenance modes.


If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader and is designed to require a password to boot into single-user mode or make modifications to the boot menu.


Create an encrypted password with grub2-setpassword:

# grub2-setpassword
Enter password: <password>
Confirm password: <password>

Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the ### BEGIN /etc/grub.d/01_users ### section:
Example: vim /boot/efi/EFI/redhat/grub.cfg

set superusers='root'
export superusers

Run the following command to update the grub2 configuration:

# grub2-mkconfig -o /boot/grub2/grub.cfg


This recommendation is only valid for Amazon Linux 2 when it is used on-premise.


This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019

Vul ID: V-81007

Rule ID: SV-95719r1_rule

STIG ID: RHEL-07-010491

Severity: CAT I

See Also


Item Details


References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: bbab8b6b9a47648ad79af626aa5759cfa234614795f1618eea24cbf499e9276c