STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021:

Red Hat Enterprise Linux operating systems prior to version 7.2 using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.

DISA Rule

SV-204439r603261_rule

Vulnerability Number

V-204439

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RHEL-07-010490

Severity

CAT I

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

Configure the system to encrypt the boot password for root.

Generate an encrypted grub2 password for root with the following command:

Note: The hash generated is an example.

# grub2-mkpasswd-pbkdf2

Enter Password:
Reenter Password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.F3A7CFAA5A51EED123BE8238C23B25B2A6909AFC9812F0D45

Edit "/etc/grub.d/40_custom" and add the following lines below the comments:

# vi /etc/grub.d/40_custom

set superusers="root"

password_pbkdf2 root {hash from grub2-mkpasswd-pbkdf2 command}

Generate a new "grub.conf" file with the new password with the following commands:

# grub2-mkconfig --output=/tmp/grub2.cfg
# mv /tmp/grub2.cfg /boot/efi/EFI/redhat/grub.cfg

Check Contents

For systems that use BIOS, this is Not Applicable.
For systems that are running RHEL 7.2 or newer, this is Not Applicable.

Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:

# grep -i password /boot/efi/EFI/redhat/grub.cfg

password_pbkdf2 [superusers-account] [password-hash]

If the root password entry does not begin with "password_pbkdf2", this is a finding.

If the "superusers-account" is not set to "root", this is a finding.

Vulnerability Number

V-204439

Documentable

False

Rule Version

RHEL-07-010490

Severity Override Guidance

For systems that use BIOS, this is Not Applicable.
For systems that are running RHEL 7.2 or newer, this is Not Applicable.

Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:

# grep -i password /boot/efi/EFI/redhat/grub.cfg

password_pbkdf2 [superusers-account] [password-hash]

If the root password entry does not begin with "password_pbkdf2", this is a finding.

If the "superusers-account" is not set to "root", this is a finding.

Check Content Reference

M

Target Key

2899

Comments