Detections
Analytics

1.17 OL08-00-010140

Information

OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance.

GROUP ID: V-248537
RULE ID: SV-248537r958472

If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.

Solution

Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file.

Generate an encrypted grub2 password for the grub superusers account with the following command:

$ sudo grub2-setpassword

Enter password:
Confirm password:

See Also

https://workbench.cisecurity.org/benchmarks/23791

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|I, CCI|CCI-000213, Rule-ID|SV-248537r958472_rule, STIG-ID|OL08-00-010140, Vuln-ID|V-248537

Plugin: Unix

Control ID: fa821cea21d0b961680524b4a3b337a5f376cda3adaca5778212ac2c2a40a35b