Title

RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance. (Cat II impact)

Discussion

If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.

Check Content

For systems that use BIOS, this is Not Applicable. Verify that a unique name is set as the "superusers" account: $ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg set superusers="[someuniquestringhere]" export superusers If "superusers" is not set to a unique name or is missing a name, this is a finding.

Fix Text

Configure the system to have a unique name for the grub superusers account. Edit the /etc/grub.d/01_users file and add or modify the following lines: set superusers="[someuniquestringhere]" export superusers password_pbkdf2 [someuniquestringhere] ${GRUB2_PASSWORD} Generate a new grub.cfg file with the following command: $ sudo grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Additional Identifiers

Rule ID: SV-244521r743812_rule

Vulnerability ID: V-244521

Group Title: SRG-OS-000080-GPOS-00048

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.