Details

Single user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.

Rationale:

Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials.

Solution

Edit /usr/lib/systemd/system/rescue.service and add/modify the following line:

ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue

Edit /usr/lib/systemd/system/emergency.service and add/modify the following line:

ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3682

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management, Identification and Authentication.This control applies to the following type of system Unix.

References

• 800-53|CM-1
• 800-53|CM-2
• 800-53|CM-6
• 800-53|CM-7
• 800-53|IA-5
• CSCv7|5.1

Source

• Tenable.com/audits