Details
If the operating system is using Unified Extensible Firmware Interface (UEFI) it must require authentication upon booting into single-user and maintenance modes.
Rationale:
If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
Solution
Create an encrypted password with grub2-setpassword:
# grub2-setpassword
Enter password:

Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:

set superusers="root"
export superusers

Example: vim /boot/efi/EFI/redhat/grub.cfg

Run the following command to update the grub2 configuration. On a UEFI system the configuration GRUB reads is the one under /boot/efi/EFI/redhat, so the -o target must be that file rather than the BIOS location /boot/grub2/grub.cfg:

# grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Note that grub2-mkconfig regenerates grub.cfg from the scripts in /etc/grub.d, so a manual edit of grub.cfg does not survive it on its own. What persists is the hash that grub2-setpassword stores in user.cfg in the same directory as grub.cfg; the 01_users script sources that file and emits the superusers lines when it finds a hash there. After regenerating, confirm that grub.cfg still declares the superuser and that user.cfg contains the GRUB2_PASSWORD entry.

Impact:
This recommendation is only valid for Amazon Linux 2 when it is used on-premise.

Notes:
This Benchmark recommendation maps to: Red Hat Enterprise Linux 7 Security Technical Implementation Guide, Version 2, Release 3, Benchmark Date: 26 Apr 2019, Vul ID: V-81007, Rule ID: SV-95719r1_rule, STIG ID: RHEL-07-010491, Severity: CAT I.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control. This control applies to the following type of system: Unix.
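The following audit check is an added example for the Solution above; it is not part of the benchmark, the STIG, or any RHEL tool. It assumes, as the page does not state, that grub2-setpassword stores a line of the form GRUB2_PASSWORD=grub.pbkdf2.sha512.... in a user.cfg file next to the UEFI grub.cfg, and that the stock 01_users block in grub.cfg references that hash through a password_pbkdf2 line using the ${GRUB2_PASSWORD} variable. The function name check_grub_auth and the --check flag are inventions for this example. The point it encodes that a plain grep for superusers misses: a stock grub.cfg contains the superusers and password_pbkdf2 lines whether or not a password was ever set, so the evidence that the control is in place is the hash in user.cfg (or a literal hash in grub.cfg), and a clear-text password entry fails the control even though GRUB would prompt.

```shell
#!/bin/sh
# Added audit check for the GRUB 2 UEFI password control (example code for
# this page, not part of the benchmark or of any RHEL tool).
#
# Assumptions not stated on the page:
#   - grub2-setpassword writes GRUB2_PASSWORD=grub.pbkdf2.sha512.... into
#     user.cfg in the same directory as the UEFI grub.cfg.
#   - The stock 01_users block in grub.cfg sets superusers and references the
#     hash as 'password_pbkdf2 root ${GRUB2_PASSWORD}', so its mere presence
#     proves nothing until user.cfg carries the hash.
#   - Default paths are the RHEL 7 ones named on the page.

GRUB_CFG_DEFAULT=/boot/efi/EFI/redhat/grub.cfg
USER_CFG_DEFAULT=/boot/efi/EFI/redhat/user.cfg

# check_grub_auth [GRUB_CFG] [USER_CFG]
# Returns 0 when GRUB will demand an encrypted root password before
# single-user boot or menu edits, 1 otherwise. Reasons go to stderr.
check_grub_auth() {
    cfg="${1:-$GRUB_CFG_DEFAULT}"
    ucfg="${2:-$USER_CFG_DEFAULT}"

    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg" >&2; return 1; }

    # 1. Without a superuser declaration GRUB never prompts at all.
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" \
        || { echo "FAIL: no 'set superusers' line in $cfg" >&2; return 1; }

    # 2. A plain 'password <user> <secret>' entry makes GRUB prompt but keeps
    #    the secret in clear text; the control requires the PBKDF2 form.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "FAIL: clear-text 'password' entry in $cfg" >&2
        return 1
    fi

    # 3a. A literal PBKDF2 hash inline in grub.cfg is self-sufficient.
    if grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+grub\.pbkdf2\.sha512\.' "$cfg"; then
        return 0
    fi

    # 3b. Otherwise the stock block only works if user.cfg defines the hash.
    #     A host where grub2-setpassword was never run has the block in
    #     grub.cfg but no user.cfg, and must fail here.
    if [ -r "$ucfg" ] && grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.sha512\.' "$ucfg"; then
        return 0
    fi

    echo "FAIL: superuser declared but no PBKDF2 hash in $ucfg or inline in $cfg" >&2
    return 1
}

# On a live host:  sh grub_auth_check.sh --check
case "${1:-}" in
    --check) check_grub_auth && echo "PASS: GRUB 2 requires root authentication" ;;
esac
```

Run it as root with --check after completing the Solution steps; the default paths are only right for the RHEL-style EFI vendor directory the page names, so pass the two file paths explicitly if your distribution uses a different one.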