The Oracle Linux operating system must require authentication upon booting into single-user and maintenance modes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221699	OL07-00-010481	SV-221699r958472_rule	CCI-000213	medium
Description
If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.
STIG			Date
Oracle Linux 7 Security Technical Implementation Guide			2025-05-08

Related Frameworks

4 paths across 3 frameworks

NIST 800-531 mapping

AC-3

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1712 mappings

3.1.1

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.1.2

1.00

DISA · 3 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000213

1.00

DISA · 3 · disa_xccdf · related

Details

Check Text (C-221699r958472_chk)

Verify the operating system must require authentication upon booting into single-user and maintenance modes. Check that the operating system requires authentication upon booting into single-user mode with the following command: # grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.

Fix Text (F-23403r419170_fix)

Configure the operating system to require authentication upon booting into single-user and maintenance modes. Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin": ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"