|Finding ID||Version||Rule ID||IA Controls||Severity|
|If the system allows a user to boot into single-user or maintenance mode without authentication, any user that invokes single-user or maintenance mode is granted privileged access to all system information.|
|SUSE Linux Enterprise Server 15 Security Technical Implementation Guide||2022-12-07|
|Check Text ( C-38008r618729_chk )|
| Verify that the SUSE operating system has set an encrypted root password. |
Note: If the system does not use UEFI, this requirement is Not Applicable.
Check that the encrypted password is set for root with the following command:
> sudo cat /boot/efi/EFI/sles/grub.cfg | grep -i password
password_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString
If the root password entry does not begin with "password_pbkdf2", this is a finding.
|Fix Text (F-37971r618730_fix)|
| Note: If the system does not use UEFI, this requirement is Not Applicable. |
Configure the SUSE operating system to encrypt the boot password.
Generate an encrypted (GRUB2) password for root with the following command:
> grub2-mkpasswd-pbkdf2
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG
Using the hash from the output, modify the "/etc/grub.d/40_custom" file and add the following two lines to add a boot password for the root entry:
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.VeryLongString
Generate an updated "grub.cfg" file with the new password using the following commands:
> sudo grub2-mkconfig --output=/tmp/grub2.cfg
> sudo mv /tmp/grub2.cfg /boot/efi/EFI/sles/grub.cfg
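
The check text above only greps for the string "password_pbkdf2". As an added example (not part of the STIG), the function below audits a grub.cfg more strictly: GRUB enforces a password only for users named in `superusers`, and a usable hash has the form grub.pbkdf2.sha512.<iterations>.<salt>.<hash>. The function names, sample files and shortened hash values are constructed for illustration.

```shell
#!/bin/sh
# Added example: stricter audit of the GRUB2 boot-password requirement.

# Expected shape: grub.pbkdf2.sha512.<iterations>.<salt hex>.<hash hex>
HASH_RE='grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+'

# audit_grub_password FILE -> returns 0 when compliant, 1 on a finding.
audit_grub_password() {
    cfg=$1
    [ -r "$cfg" ] || { echo "FINDING: cannot read $cfg"; return 1; }

    # Cleartext form "password <user> <secret>" is always a finding.
    if grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"; then
        echo "FINDING: cleartext password entry"; return 1
    fi

    # GRUB separates superusers with spaces, commas, semicolons, pipes or ampersands.
    supers=$(sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*superusers=//p' "$cfg" |
             tail -n 1 | tr -d "\"'" | tr ',;&|' '    ')
    [ -n "$supers" ] || { echo "FINDING: superusers not set"; return 1; }

    # Every superuser needs its own well-formed password_pbkdf2 line.
    for user in $supers; do
        if ! grep -Eq "^[[:space:]]*password_pbkdf2[[:space:]]+$user[[:space:]]+$HASH_RE[[:space:]]*\$" "$cfg"; then
            echo "FINDING: no valid password_pbkdf2 entry for $user"; return 1
        fi
    done
    echo "OK: PBKDF2 boot password set for: $supers"
}

# Constructed samples (hash shortened; a real salt and hash are far longer).
write_samples() {
    dir=$1
    printf '%s\n' 'set superusers="root"' \
        'password_pbkdf2 root grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6071' > "$dir/good.cfg"
    # Iteration count lost while pasting the hash by hand.
    printf '%s\n' 'set superusers="root"' \
        'password_pbkdf2 root grub.pbkdf2.sha512.0A1B2C3D4E5F6071' > "$dir/malformed.cfg"
    # Hash present but no superusers line, so authentication is not enforced.
    printf '%s\n' \
        'password_pbkdf2 root grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6071' > "$dir/nosuper.cfg"
}
```

On a live system, source the file and run `audit_grub_password /boot/efi/EFI/sles/grub.cfg` as root. Both failing samples would pass the grep-only check.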