← Back to Oracle Linux 8 Security Technical Implementation Guide

V-248540

CAT I (High)

OL 8 operating systems booted with a BIOS must require authentication upon booting into single-user and maintenance modes.

Rule ID

SV-248540r1137691_rule

STIG

Oracle Linux 8 Security Technical Implementation Guide

Version

V2R8

CCIs

CCI-000213

Discussion

If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.

Check Content

For systems that use UEFI, this is not applicable. 
 
Determine if an encrypted password is set for the grub superusers account. On systems that use a BIOS, use the following command: 
 
$ sudo grep -iw grub2_password /boot/grub2/user.cfg 
 
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] 
 
If the grub superusers account password does not begin with "grub.pbkdf2.sha512", this is a finding.

Fix Text

Configure the system to require a grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/grub2/user.cfg" file. 
 
Generate an encrypted grub2 password for the grub superusers account with the following command: 
 
$ sudo grub2-setpassword 
Enter password: 
Confirm password: