Details

The Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes.

Rationale:

If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.

Solution

Configure the system to have a unique name for the grub superusers account.
Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the ‘### BEGIN /etc/grub.d/01_users ###’ section:

set superusers='[someuniquestringhere]’
export superusers
password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD}

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3636https://workbench.cisecurity.org/files/3636

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-3
• CCI|CCI-000213
• Rule-ID|SV-244557r744063_rule
• STIG-ID|RHEL-07-010483

Source

• Tenable.com/audits