Detections
Analytics

1.13 RHEL-09-212020

Information

RHEL 9 must require a unique superusers name upon booting into single-user and maintenance modes.

GROUP ID: V-257789
RULE ID: SV-257789r1069356

Having a nondefault grub superuser username makes password-guessing attacks less effective.

Solution

Configure RHEL 9 to have a unique username for the grub superuser account.

Edit the "/etc/grub.d/01_users" file and add or modify the following lines with a nondefault username for the superuser account:

set superusers="<accountname>"
export superusers

Once the superuser account has been added, update the grub.cfg file by running:

Regenerate the GRUB configuration:

$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg

Reboot the system:

$ sudo reboot

See Also

https://workbench.cisecurity.org/benchmarks/22008

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|I, CCI|CCI-000213, Rule-ID|SV-257789r1069356_rule, STIG-ID|RHEL-09-212020, Vuln-ID|V-257789

Plugin: Unix

Control ID: a8815019081fe77a1e03e6c51c76f97ed9de9f19fda810847003b8c408919e84