Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-71961 | RHEL-07-010480 | SV-86585r2_rule | High |
| Description |
|---|
| If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 7 Security Technical Implementation Guide | 2017-07-08 |
Details
| Check Text ( C-72193r2_chk ) |
|---|
| Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command: # grep -i ^password_pbkdf2 /boot/grub2/grub.cfg password_pbkdf2 superusers-account password-hash If the root password entry does not begin with "password_pbkdf2", this is a finding. |
| Fix Text (F-78313r1_fix) |
|---|
| Configure the system to encrypt the boot password for root. Generate an encrypted grub2 password for root with the following command: Note: The hash generated is an example. # grub-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 Using this hash, modify the "/etc/grub.d/10_linux" file with the following commands to add the password to the root entry: # cat << EOF > set superusers="root" password_pbkdf2 smithj grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 > EOF Generate a new "grub.conf" file with the new password with the following commands: # grub2-mkconfig --output=/tmp/grub2.cfg # mv /tmp/grub2.cfg /boot/grub2/grub.cfg |