RHEL-08-010141 - RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.

The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.

Solution

Configure the system to have a unique name for the grub superusers account.

Edit the /etc/grub.d/01_users file and add or modify the following lines:

set superusers='[someuniquestringhere]'
export superusers
password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}

Generate a new grub.cfg file with the following command:

$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V1R13_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000213, Rule-ID|SV-244521r792982_rule, STIG-ID|RHEL-08-010141, Vuln-ID|V-244521

Plugin: Unix

Control ID: bd9d9d0503fc6a486109c2f742c64d2e0a2aebf688c04063078ff074649a1ea6