Check: OL08-00-010140
Oracle Linux 8 STIG:
OL08-00-010140
(in versions v1 r10 through v1 r1)
Title
OL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user mode and maintenance. (Cat I impact)
Discussion
If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.
Check Content
For systems that use BIOS, this is not applicable. Determine if an encrypted password is set for the grub superusers account. On systems that use UEFI, use the following command: $ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash] If the grub superusers account password does not begin with "grub.pbkdf2.sha512", this is a finding.
Fix Text
Configure the system to require an encrypted grub bootloader password for the grub superusers account with the grub2-setpassword command, which creates/overwrites the "/boot/efi/EFI/redhat/user.cfg" file. Generate an encrypted grub2 password for the grub superusers account with the following command: $ sudo grub2-setpassword Enter password: Confirm password:
Additional Identifiers
Rule ID: SV-248537r779177_rule
Vulnerability ID: V-248537
Group Title: SRG-OS-000080-GPOS-00048
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 |
Access Enforcement |