UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Systems with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-71961 RHEL-07-010480 SV-86585r2_rule High
Description
If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
STIG Date
Red Hat Enterprise Linux 7 Security Technical Implementation Guide 2017-07-08

Details

Check Text ( C-72193r2_chk )
Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:

# grep -i ^password_pbkdf2 /boot/grub2/grub.cfg
password_pbkdf2 superusers-account password-hash

If the root password entry does not begin with "password_pbkdf2", this is a finding.
Fix Text (F-78313r1_fix)
Configure the system to encrypt the boot password for root.

Generate an encrypted grub2 password for root with the following command:

Note: The hash generated is an example.

# grub-mkpasswd-pbkdf2
Enter Password:
Reenter Password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45

Using this hash, modify the "/etc/grub.d/10_linux" file with the following commands to add the password to the root entry:

# cat << EOF
> set superusers="root" password_pbkdf2 smithj grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45
> EOF

Generate a new "grub.conf" file with the new password with the following commands:

# grub2-mkconfig --output=/tmp/grub2.cfg
# mv /tmp/grub2.cfg /boot/grub2/grub.cfg