Details
Single user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.
Rationale:
Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system into single user to gain root privileges without credentials.
Solution
Edit /usr/lib/systemd/system/rescue.service and /usr/lib/systemd/system/emergency.service and set ExecStart to use /sbin/sulogin or /usr/sbin/sulogin:
ExecStart=-/bin/sh -c ‘/sbin/sulogin; /usr/bin/systemctl –fail –no-block default’
Notes:
The systemctl option –fail is synonymous with –job-mode=fail . Using either is acceptable.
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-77823
Rule ID: SV-92519r2_rule
STIG ID: RHEL-07-010481
Severity: CAT II
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.