OpenControls Logo

STIG Viewer

Oracle Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-221700OL07-00-010482SV-221700r958472_ruleCCI-000213high
Description
If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
STIGDate
Oracle Linux 7 Security Technical Implementation Guide2025-05-08

Related Frameworks

4 paths across 3 frameworks
NIST 800-531 mapping
AC-3
1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.1.1
1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.1.2
1.00
  • DISA · 3 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000213
1.00
  • DISA · 3 · disa_xccdf · related

Details

Check Text (C-221700r958472_chk)

For systems that use UEFI, this is Not Applicable. For systems that are running a version of Oracle Linux prior to 7.2, this is Not Applicable. Check to see if an encrypted grub superusers password is set. On systems that use BIOS, use the following command: $ sudo grep -iw grub2_password /boot/grub2/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.

Fix Text (F-23404r744070_fix)

Configure the system to encrypt the boot password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file. Generate an encrypted grub2 password for the grub superusers account with the following command: $ sudo grub2-setpassword Enter password: Confirm password: