Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-221699 | OL07-00-010481 | SV-221699r603260_rule | Medium |
Description |
---|
If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. |
STIG | Date |
---|---|
Oracle Linux 7 Security Technical Implementation Guide | 2023-03-06 |
Check Text ( C-23414r419169_chk ) |
---|
Verify the operating system must require authentication upon booting into single-user and maintenance modes. Check that the operating system requires authentication upon booting into single-user mode with the following command: # grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding. |
Fix Text (F-23403r419170_fix) |
---|
Configure the operating system to require authentication upon booting into single-user and maintenance modes. Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin": ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" |