Details

If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.

Solution

Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the ‘/boot/grub2/user.cfg’ file.

Generate an encrypted grub2 password for the grub superusers account with the following command:

$ sudo grub2-setpassword
Enter password:
Confirm password:

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_8_V1R1_STIG.ziphttps://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_8_V1R1_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• CAT|I
• CCI|CCI-000213
• Rule-ID|SV-248540r779186_rule
• STIG-ID|OL08-00-010150
• Vuln-ID|V-248540

Source

• Tenable.com/audits