Details

If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.

Solution

Configure the system to replace ‘root’ with a unique name for the grub superusers account.

Edit the /etc/grub.d/01_users file and add or modify the following lines:

set superusers='[someuniqueUserNamehere]’
export superusers
password_pbkdf2 [someuniqueUserNamehere] ${GRUB2_PASSWORD}

Generate a new grub.cfg file with the following command:

$ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_8_V1R1_STIG.ziphttps://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_8_V1R1_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• CAT|II
• CCI|CCI-000213
• Rule-ID|SV-248538r779180_rule
• STIG-ID|OL08-00-010141
• Vuln-ID|V-248538

Source

• Tenable.com/audits