SV-221702r603260_rule
V-221702
SRG-OS-000080-GPOS-00048
OL07-00-010491
CAT I
10
Configure the system to encrypt the boot password for root.
Generate an encrypted grub2 password for root with the following command:
Note: The hash generated is an example.
# grub2-setpassword
Enter password:
Confirm password:
Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
set superusers="root"
export superusers
For systems that use BIOS, this is Not Applicable.
For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
Verify that the "root" account is set as the "superusers":
# grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
set superusers="root"
export superusers
If "superusers" is not set to "root" this is a finding.
V-221702
False
OL07-00-010491
For systems that use BIOS, this is Not Applicable.
For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.
Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
Verify that the "root" account is set as the "superusers":
# grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
set superusers="root"
export superusers
If "superusers" is not set to "root" this is a finding.
M
4089