1.4.4 Ensure UEFI requires authentication for single-user and maintenance modes - superusers

Information

If the operating system is using Unified Extensible Firmware Interface (UEFI) it must require authentication upon booting into single-user and maintenance modes.

Rationale:

If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader and is designed to require a password to boot into single-user mode or make modifications to the boot menu.

Solution

Create an encrypted password with grub2-setpassword:

# grub2-setpassword
Enter password: <password>
Confirm password: <password>

Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the ### BEGIN /etc/grub.d/01_users ### section:
Example: vim /boot/efi/EFI/redhat/grub.cfg

set superusers='root'
export superusers

Run the following command to update the grub2 configuration:

# grub2-mkconfig -o /boot/grub2/grub.cfg

Impact:

This recommendation is only valid for Amazon Linux 2 when it is used on-premise.

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-81007

Rule ID: SV-95719r1_rule

STIG ID: RHEL-07-010491

Severity: CAT I

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv7|5.1

Plugin: Unix

Control ID: 50572307c0c6a2c6bc0889c8912d1d37f9ca9cefe9d171955752a0af44c9668f