Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-71963 | RHEL-07-010490 | SV-86587r1_rule | High |
Description |
---|
If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 7 Security Technical Implementation Guide | 2017-07-08 |
Check Text ( C-72195r1_chk ) |
---|
Check to see if an encrypted root password is set. On systems that use UEFI, use the following command: # grep -i password /boot/efi/EFI/redhat/grub.cfg password_pbkdf2 superusers-account password-hash If the root password entry does not begin with "password_pbkdf2", this is a finding. |
Fix Text (F-78315r1_fix) |
---|
Configure the system to encrypt the boot password for root. Generate an encrypted grub2 password for root with the following command: Note: The hash generated is an example. # grub-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 Using this hash, modify the "/etc/grub.d/10_linux" file with the following commands to add the password to the root entry: # cat << EOF > set superusers="root" password_pbkdf2 smithj grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 > EOF Generate a new "grub.conf" file with the new password with the following commands: # grub2-mkconfig --output=/tmp/grub2.cfg # mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg |