Oracle Linux operating systems version 7.2 or newer with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-221700	OL07-00-010482	SV-221700r603260_rule		High

Description
If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.

STIG	Date
Oracle Linux 7 Security Technical Implementation Guide	2021-04-01

Details

Check Text ( C-23415r419172_chk )
For systems that use BIOS, this is Not Applicable. For systems that are running a version of Oracle Linux prior to 7.2, this is Not Applicable. Check to see if an encrypted root password is set. On systems that use UEFI, use the following command: # grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] If the root password does not begin with "grub.pbkdf2.sha512", this is a finding. Verify that the "root" account is set as the "superusers": # grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg set superusers="root" export superusers If "superusers" is not set to "root" this is a finding.

Check Text ( C-23415r419172_chk )

For systems that use BIOS, this is Not Applicable.

For systems that are running a version of Oracle Linux prior to 7.2, this is Not Applicable.

Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:

# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]

If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.

Verify that the "root" account is set as the "superusers":

# grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
set superusers="root"
export superusers

If "superusers" is not set to "root" this is a finding.

Fix Text (F-23404r419173_fix)
Configure the system to encrypt the boot password for root. Generate an encrypted grub2 password for root with the following command: Note: The hash generated is an example. # grub2-setpassword Enter password: Confirm password: Edit the /boot/grub2/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: set superusers="root" export superusers