UCF STIG Viewer Logo

RHEL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.


Overview

Finding ID Version Rule ID IA Controls Severity
V-230235 RHEL-08-010150 SV-230235r743925_rule High
Description
If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
STIG Date
Red Hat Enterprise Linux 8 Security Technical Implementation Guide 2022-06-15

Details

Check Text ( C-32904r743923_chk )
For systems that use UEFI, this is Not Applicable.

Check to see if an encrypted grub superusers password is set. On systems that use a BIOS, use the following command:

$ sudo grep -iw grub2_password /boot/grub2/user.cfg

GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]

If the grub superusers password does not begin with "grub.pbkdf2.sha512", this is a finding.
Fix Text (F-32879r743924_fix)
Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the /boot/grub2/user.cfg file.

Generate an encrypted grub2 password for the grub superusers account with the following command:

$ sudo grub2-setpassword
Enter password:
Confirm password: