Red Hat Enterprise Linux operating systems prior to version 7.2 with a Basic Input/Output System (BIOS) must require authentication upon booting into single-user and maintenance modes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-71961	RHEL-07-010480	SV-86585r5_rule		High

Description
If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.

STIG	Date
Red Hat Enterprise Linux 7 Security Technical Implementation Guide	2018-11-28

Details

Check Text ( C-72193r5_chk )
For systems that use UEFI, this is Not Applicable. For systems that are running RHEL 7.2 or newer, this is Not Applicable. Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command: # grep -i ^password_pbkdf2 /boot/grub2/grub.cfg password_pbkdf2 [superusers-account] [password-hash] If the root password entry does not begin with "password_pbkdf2", this is a finding. If the "superusers-account" is not set to "root", this is a finding.

Check Text ( C-72193r5_chk )

For systems that use UEFI, this is Not Applicable.
For systems that are running RHEL 7.2 or newer, this is Not Applicable.

Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command:

# grep -i ^password_pbkdf2 /boot/grub2/grub.cfg

password_pbkdf2 [superusers-account] [password-hash]

If the root password entry does not begin with "password_pbkdf2", this is a finding.

If the "superusers-account" is not set to "root", this is a finding.

Fix Text (F-78313r3_fix)
Configure the system to encrypt the boot password for root. Generate an encrypted grub2 password for root with the following command: Note: The hash generated is an example. # grub2-mkpasswd-pbkdf2 Enter Password: Reenter Password: PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45 Edit "/etc/grub.d/40_custom" and add the following lines below the comments: # vi /etc/grub.d/40_custom set superusers="root" password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command} Generate a new "grub.conf" file with the new password with the following commands: # grub2-mkconfig --output=/tmp/grub2.cfg # mv /tmp/grub2.cfg /boot/grub2/grub.cfg

Fix Text (F-78313r3_fix)

Configure the system to encrypt the boot password for root.

Generate an encrypted grub2 password for root with the following command:

Note: The hash generated is an example.

# grub2-mkpasswd-pbkdf2

Enter Password:
Reenter Password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45

Edit "/etc/grub.d/40_custom" and add the following lines below the comments:

# vi /etc/grub.d/40_custom

set superusers="root"

password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}

Generate a new "grub.conf" file with the new password with the following commands:

# grub2-mkconfig --output=/tmp/grub2.cfg
# mv /tmp/grub2.cfg /boot/grub2/grub.cfg