SV-219147r610963_rule
V-219147
SRG-OS-000080-GPOS-00048
UBTU-18-010000
CAT I
10
Configure the system to require a password for authentication upon booting into single-user and maintenance modes.
Generate an encrypted (grub) password for root with the following command:
# grub-mkpasswd-pbkdf2
Enter Password:
Reenter Password:
PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.MFU48934NJD84NF8NSD39993JDHF84NG
Using the hash from the output, modify the "/etc/grub.d/40_custom" file with the following command to add a boot password:
# sudo sed -i '$i set superusers=\"root\"\npassword_pbkdf2 root <hash>' /etc/grub.d/40_custom
where <hash> is the hash generated by the grub-mkpasswd-pbkdf2 command.
Generate an updated "grub.conf" file with the new password by using the following command:
# update-grub
Verify that an encrypted root password is set. This is only applicable on systems that use a Basic Input/Output System (BIOS).
Run the following command to verify the encrypted password is set:
# grep -i password /boot/grub/grub.cfg
password_pbkdf2 root grub.pbkdf2.sha512.10000.MFU48934NJA87HF8NSD34493GDHF84NG
If the root password entry does not begin with “password_pbkdf2”, this is a finding.
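The check above can be scripted. The following is an added example, not part of the STIG text: the function name check_grub_password is hypothetical, the sample file and its hash are constructed placeholders, and it goes slightly beyond the grep by also requiring that the hashed entry belongs to a user named in "set superusers", as the fix step configures.

```shell
#!/bin/sh
# check_grub_password FILE
# Returns 0 when FILE has no plaintext GRUB password directive and at least
# one declared superuser has a password_pbkdf2 entry; returns 1 on a finding.
check_grub_password() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    awk '
        # set superusers="root,admin" : remember every declared superuser
        $1 == "set" && $2 ~ /^superusers=/ {
            line = $0
            sub(/^[^=]*=/, "", line)
            gsub(/[^A-Za-z0-9_.-]+/, " ", line)   # drop quotes and separators
            n = split(line, names, " ")
            for (i = 1; i <= n; i++) super[names[i]] = 1
        }
        # "password <user> <cleartext>" stores the password unhashed
        $1 == "password" {
            plain++
            print "finding: plaintext password entry for user " $2
        }
        # "password_pbkdf2 <user> grub.pbkdf2.sha512.<iterations>.<...>"
        $1 == "password_pbkdf2" {
            if ($3 ~ /^grub\.pbkdf2\.sha512\.[0-9]+\./) hashed[$2] = 1
            else { bad++; print "finding: malformed hash for user " $2 }
        }
        END {
            ok = 0
            for (u in super) if (u in hashed) ok = 1
            if (!ok) print "finding: no superuser with a password_pbkdf2 entry"
            if (plain || bad || !ok) exit 1
        }
    ' "$cfg"
}

# Constructed sample input (placeholder hash, not output of a real run).
sample=$(mktemp)
cat > "$sample" <<'EOF'
set superusers="root"
password_pbkdf2 root grub.pbkdf2.sha512.10000.CONSTRUCTEDSALT.CONSTRUCTEDHASH
EOF
if check_grub_password "$sample"; then echo "not a finding"; else echo "finding"; fi
rm -f "$sample"
```

On a live system the function would be pointed at /boot/grub/grub.cfg, which normally requires root to read.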
M
4055