STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:

RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.

DISA Rule

SV-230234r627750_rule

Vulnerability Number

V-230234

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RHEL-08-010140

Severity

CAT I

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

Configure the system to require a grub bootloader password for the grub superuser account.

Generate an encrypted grub2 password for the grub superuser account with the following command:

$ sudo grub2-setpassword
Enter password:
Confirm password:

Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:

set superusers="[someuniquestringhere]"
export superusers

Check Contents

For systems that use BIOS, this is Not Applicable.

Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:

$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg

GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]

If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.

Verify that a unique account name is set as the "superusers":

$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
set superusers="[someuniquestringhere]"
export superusers

If "superusers" is not set to a unique name or is missing a name, this is a finding.

Vulnerability Number

V-230234

Documentable

False

Rule Version

RHEL-08-010140

Severity Override Guidance

For systems that use BIOS, this is Not Applicable.

Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:

$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg

GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]

If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.

Verify that a unique account name is set as the "superusers":

$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
set superusers="[someuniquestringhere]"
export superusers

If "superusers" is not set to a unique name or is missing a name, this is a finding.

Check Content Reference

M

Target Key

2921

Comments