The Photon operating system must require authentication upon booting into single-user and maintenance modes.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-256508	PHTN-30-000031	SV-256508r887198_rule		High

Description
If the system does not require authentication before it boots into single-user mode, anyone with console access to the system can trivially access all files on the system. GRUB2 is the boot loader for Photon OS and can be configured to require a password to boot into single-user mode or make modifications to the boot menu. Note: Photon does not support building grub changes via grub2-mkconfig.

STIG	Date
VMware vSphere 7.0 vCenter Appliance Photon OS Security Technical Implementation Guide	2023-12-01

Details

Check Text ( C-60183r887196_chk )
At the command line, run the following command: # grep -i ^password_pbkdf2 /boot/grub2/grub.cfg If there is not output, this is a finding. If the output does not begin with "password_pbkdf2 root", this is a finding.

Fix Text (F-60126r887197_fix)
At the command line, run the following command: # grub2-mkpasswd-pbkdf2 Enter a secure password and ensure this password is stored for break-glass situations. The vCenter root account cannot be recovered without knowing this separate password. Copy the resulting encrypted string. An example string is below: grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86 Navigate to and open: /boot/grub2/grub.cfg Find the line that begins with "set rootpartition". Below this line, paste the following on its own line: set superusers="root" Below this, paste the following, substituting the encrypted string from the steps above: password_pbkdf2 root Photon ships with one menuentry block by default. Copy that entire block and paste it right below itself. Example: menuentry "Photon" { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi } menuentry "Photon" { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi } Modify the first menuentry block to add the "--unrestricted" option as follows: menuentry "Photon" --unrestricted { Modify the second menuentry block to add the allowed user as follows: menuentry "Recover Photon" --users root { This concludes the fix. To verify, here is an example grub.cfg snippet: ... set rootpartition=PARTUUID=326e5b0f-42fb-471a-8209-18964c4a2ed3 set superusers="root" password_pbkdf2 root grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86 menuentry "Photon" --unrestricted { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi } menuentry "Recover Photon" --users root { linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0 if [ "$photon_initrd" ]; then initrd "/"$photon_initrd fi }

Fix Text (F-60126r887197_fix)

At the command line, run the following command:

# grub2-mkpasswd-pbkdf2

Enter a secure password and ensure this password is stored for break-glass situations. The vCenter root account cannot be recovered without knowing this separate password. Copy the resulting encrypted string.

An example string is below:

grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86

Navigate to and open:

/boot/grub2/grub.cfg

Find the line that begins with "set rootpartition". Below this line, paste the following on its own line:

set superusers="root"

Below this, paste the following, substituting the encrypted string from the steps above:

password_pbkdf2 root

Photon ships with one menuentry block by default. Copy that entire block and paste it right below itself.

Example:
menuentry "Photon" {
linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
if [ "$photon_initrd" ]; then
initrd "/"$photon_initrd
fi
}
menuentry "Photon" {
linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
if [ "$photon_initrd" ]; then
initrd "/"$photon_initrd
fi
}

Modify the first menuentry block to add the "--unrestricted" option as follows:

menuentry "Photon" --unrestricted {

Modify the second menuentry block to add the allowed user as follows:

menuentry "Recover Photon" --users root {

This concludes the fix. To verify, here is an example grub.cfg snippet:

...
set rootpartition=PARTUUID=326e5b0f-42fb-471a-8209-18964c4a2ed3
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.983A13DF3C51BB2B5130F0B86DDBF0DEA1AAF766BD1F16B7840F79CE3E35494C4B99F505C99C150071E563DF1D7FE1F45456D5960C4C79DAB6C49298B02A5558.5B2C49E12D43CC5A876F6738462DE4EFC24939D4BE486CDB72CFBCD87FDE93FBAFCB817E01B90F23E53C2502C3230502BC3113BE4F80B0AFC0EE956E735F7F86

menuentry "Photon" --unrestricted {
linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
if [ "$photon_initrd" ]; then
initrd "/"$photon_initrd
fi
}

menuentry "Recover Photon" --users root {
linux "/"$photon_linux root=$rootpartition net.ifnames=0 $photon_cmdline coredump_filter=0x37 consoleblank=0
if [ "$photon_initrd" ]; then
initrd "/"$photon_initrd
fi
}