An error occurred:

Check: RHEL-07-010492

Red Hat Enterprise Linux 7 STIG: RHEL-07-010492 (in versions v3 r14 through v3 r5)

Title

Red Hat Enterprise Linux operating systems version 7.2 or newer booted with United Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. (Cat II impact)

Discussion

If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 7 and is designed to require a password to boot into single-user mode or make modifications to the boot menu. The GRUB 2 superuser account is an account of last resort. Establishing a unique username for this account hardens the boot loader against brute force attacks. Due to the nature of the superuser account database being distinct from the OS account database, this allows the use of a username that is not among those within the OS account database. Examples of non-unique superusers names are root, superuser, unlock, etc.

Check Content

For systems that use BIOS, this is Not Applicable. For systems that are running a version of RHEL prior to 7.2, this is Not Applicable. Verify that a unique name is set as the "superusers" account: $ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg set superusers="[someuniquestringhere]" export superusers If "superusers" is identical to any OS account name or is missing a name, this is a finding.

Fix Text

Configure the system to have a unique name for the grub superusers account. Edit the /etc/grub.d/01_users file and add or modify the following lines: set superusers="[someuniquestringhere]" export superusers password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} Generate a new grub.cfg file with the following command: $ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Additional Identifiers

Rule ID: SV-244558r833187_rule

Vulnerability ID: V-244558

Group Title: SRG-OS-000080-GPOS-00048

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000213

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-3

Access Enforcement