Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Oracle Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-244556 | OL07-00-010492 | SV-244556r744060_rule | Medium |
| Description |
|---|
| If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for Oracle Linux 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. |
| STIG | Date |
|---|---|
| Oracle Linux 7 Security Technical Implementation Guide | 2021-06-14 |
Details
| Check Text ( C-47831r744058_chk ) |
|---|
| For systems that use BIOS, this is Not Applicable. For systems that are running a version of Oracle Linux prior to 7.2, this is Not Applicable. Verify that a unique name is set as the "superusers" account: $ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg set superusers="[someuniquestringhere]" export superusers If "superusers" is not set to a unique name or is missing a name, this is a finding. |
| Fix Text (F-47788r744059_fix) |
|---|
| Configure the system to require a grub bootloader password for the grub superusers account. Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section: set superusers="[someuniquestringhere]" export superusers password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} |