STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 10 Mar 2021

Ubuntu operating systems when booted must require authentication upon booting into single-user and maintenance modes.

DISA Rule

SV-238204r653787_rule

Vulnerability Number

V-238204

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

UBTU-20-010009

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the system to require a password for authentication upon booting into single-user and maintenance modes.

Generate an encrypted (grub) password for root with the following command:

$ grub-mkpasswd-pbkdf2
Enter Password:
Reenter Password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG

Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following command to add a boot password:

$ sudo sed -i '$i set superusers=\"root\"\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom

where <hash> is the hash generated by the grub-mkpasswd-pbkdf2 command.

Generate an updated "grub.conf" file with the new password by using the following command:

$ sudo update-grub

Check Contents

Run the following command to verify the encrypted password is set:

$ grep -i password /boot/grub/grub.cfg

password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG

If the root password entry does not begin with "password_pbkdf2", this is a finding.
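
The check above in scripted form, added here as an example and not part of the STIG text. The function name check_grub_password and the sample configs are constructed for illustration. It goes slightly beyond the grep: it also confirms that root is listed in the "set superusers" line written by the fix, and reports any plaintext "password" directive.

```shell
#!/bin/sh
# Added example, not part of the STIG: scripted form of the UBTU-20-010009 check.
# Prints one line per problem; returns 0 (not a finding) or 1 (finding).
check_grub_password() {
    cfg=$1; status=0; seen=0
    [ -r "$cfg" ] || { echo "finding: cannot read $cfg"; return 1; }
    # Last 'set superusers=' value, quotes stripped, separators turned into spaces.
    supers=$(sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*superusers=//p' "$cfg" |
        tail -n 1 | tr -d '"' | tr ',;|&' '    ')
    case " $supers " in
        *" root "*) ;;
        *) echo "finding: root is not listed in superusers"; return 1 ;;
    esac
    # Active password directives only; commented-out lines do not match.
    matches=$(grep -E '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$cfg" || true)
    while read -r directive user rest; do
        case "$directive" in
            password_pbkdf2)
                case "$rest" in
                    grub.pbkdf2.*) [ "$user" = root ] && seen=1 ;;
                    *) echo "finding: $user entry is not a grub.pbkdf2 hash"; status=1 ;;
                esac ;;
            password)
                echo "finding: $user uses a plaintext password directive"; status=1 ;;
        esac
    done <<EOF
$matches
EOF
    [ "$seen" -eq 1 ] || { echo "finding: no password_pbkdf2 entry for root"; status=1; }
    [ "$status" -eq 0 ] && echo "pass: root entry begins with password_pbkdf2"
    return "$status"
}

# Constructed sample configs; the hash strings are placeholders, not real hashes.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'set superusers="root"' \
    'password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER' > "$demo_dir/good.cfg"
printf '%s\n' 'set superusers="root"' 'password root Passw0rd' > "$demo_dir/plain.cfg"
printf '%s\n' 'password_pbkdf2 root grub.pbkdf2.sha512.10000.PLACEHOLDER' \
    > "$demo_dir/nosuper.cfg"
for name in good plain nosuper; do
    printf '%s: ' "$name"
    check_grub_password "$demo_dir/$name.cfg" || true
done
```

On a live system, call check_grub_password /boot/grub/grub.cfg with privileges sufficient to read the file.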

Documentable

False

Check Content Reference

M

Target Key

5318
