STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021

Red Hat Enterprise Linux operating systems version 7.2 or newer using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.

DISA Rule

SV-204440r603261_rule

Vulnerability Number

V-204440

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RHEL-07-010491

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure the system to encrypt the boot password for root.

Generate an encrypted grub2 password for root with the following command:

Note: The hash generated is an example.

# grub2-setpassword
Enter password:
Confirm password:

Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:

set superusers="root"
export superusers

Check Contents

For systems that use BIOS, this is Not Applicable.

For systems that are running a version of RHEL prior to 7.2, this is Not Applicable.

Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:

# grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]

If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.

Verify that the "root" account is set as the "superusers":

# grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
set superusers="root"
export superusers

If "superusers" is not set to "root", this is a finding.
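
The two checks above combined into one script. This is an added example, not part of the STIG or of STIGQter. The function name check_grub2_uefi_auth, its return codes and its message wording are assumptions of this example; the file paths and expected values are the ones given on this page.

```shell
#!/bin/sh
# Added example: automates the two Check Contents tests for RHEL-07-010491.
# Returns 0 when neither test is a finding, 1 otherwise.
# Arguments are optional and default to the UEFI paths named in the check text.

check_grub2_uefi_auth() {
    user_cfg=${1:-/boot/efi/EFI/redhat/user.cfg}
    grub_cfg=${2:-/boot/efi/EFI/redhat/grub.cfg}
    findings=0

    # Test 1: GRUB2_PASSWORD must begin with "grub.pbkdf2.sha512".
    # A missing file or a missing line yields an empty value, which is a finding.
    pw=$(sed -n 's/^[[:space:]]*GRUB2_PASSWORD=//p' "$user_cfg" 2>/dev/null | tail -n 1)
    case $pw in
        grub.pbkdf2.sha512.?*) ;;
        *) echo "FINDING: no grub.pbkdf2.sha512 hash in $user_cfg"
           findings=1 ;;
    esac

    # Test 2: superusers must be set to "root". Only active "set" lines are
    # read, so a commented-out line that a plain grep would match is ignored.
    su=$(sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers=//p' "$grub_cfg" 2>/dev/null | tail -n 1)
    case $su in
        '"root"'|root) ;;
        *) echo "FINDING: superusers is not set to \"root\" in $grub_cfg"
           findings=1 ;;
    esac

    # The expected output on the page also shows "export superusers". The check
    # text does not call its absence a finding, so it is reported as a note only.
    if ! grep -Eq '^[[:space:]]*export[[:space:]]+superusers[[:space:]]*$' "$grub_cfg" 2>/dev/null; then
        echo "NOTE: 'export superusers' not present in $grub_cfg"
    fi

    return "$findings"
}
```

Source the file and run check_grub2_uefi_auth as root on a UEFI host with no arguments, or pass copies of user.cfg and grub.cfg as the two arguments to review them offline.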

Documentable

False

Check Content Reference

M

Target Key

2899
