Profile Applicability:
• Level 1
Description:
Single user mode (also known as maintenance or rescue mode) provides unrestricted root access to the system. Requiring authentication to enter single user mode prevents unauthorized users from gaining root privileges without proper credentials.
Rationale:
Requiring authentication for single user mode protects the system from unauthorized access, preventing attackers from bypassing normal login procedures and escalating privileges.
Impact:
Pros:
• Enhances system security by restricting root access in single user mode.
• Prevents unauthorized system maintenance or modifications.
Cons:
• May require additional configuration and testing.
• Could hinder emergency access if credentials are unavailable.
Default Value:
By default, some systems allow single user mode without authentication, which is a security risk.
Pre-requisites:
Root or sudo privileges to configure bootloader and system settings.
Remediation:
Test Plan:
Using Linux command line:
Verify if single user mode requires authentication:
• Check bootloader configuration (e.g., GRUB) for password protection.
• Review /etc/inittab or systemd settings for rescue mode authentication.
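An added audit sketch for the two checks above (not part of the benchmark text): it looks for a PBKDF2 GRUB password hash and for sulogin in the rescue and emergency units. The default paths /boot/grub2/user.cfg and /usr/lib/systemd/system are assumptions for a BIOS-booted RHEL-family host, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not benchmark text. Default paths are assumptions for a
# BIOS-booted RHEL-family host (e.g. Amazon Linux 2); pass others as arguments.

# 0 = a PBKDF2 GRUB password hash is defined, 1 = none found, 2 = unreadable.
# Matches GRUB2_PASSWORD=grub.pbkdf2... (user.cfg written by grub2-setpassword)
# and "password_pbkdf2 <user> grub.pbkdf2..." (manual entry, e.g. 40_custom).
grub_password_set() {
    [ -r "$1" ] || return 2
    grep -Eq '^[[:space:]]*(GRUB2_PASSWORD=|password_pbkdf2[[:space:]]+[^[:space:]]+[[:space:]]+)grub\.pbkdf2\.' "$1"
}

# 0 = the unit's ExecStart runs sulogin (directly or via systemd-sulogin-shell),
# so the root password is requested; 1 = it does not; 2 = unreadable.
unit_requires_sulogin() {
    [ -r "$1" ] || return 2
    grep -Eq '^[[:space:]]*ExecStart=.*sulogin' "$1"
}

# Run all three checks; print one PASS/FAIL line each; return 1 on any failure.
audit_single_user_auth() {
    grub_cfg="${1:-/boot/grub2/user.cfg}"
    unit_dir="${2:-/usr/lib/systemd/system}"
    rc=0
    if grub_password_set "$grub_cfg"; then
        echo "PASS bootloader password: $grub_cfg"
    else
        echo "FAIL bootloader password: $grub_cfg"; rc=1
    fi
    for unit in rescue.service emergency.service; do
        if unit_requires_sulogin "$unit_dir/$unit"; then
            echo "PASS sulogin required: $unit"
        else
            echo "FAIL sulogin required: $unit"; rc=1
        fi
    done
    return "$rc"
}

# Run against the live system only when asked: sh audit.sh --audit [cfg] [dir]
if [ "${1:-}" = "--audit" ]; then
    shift
    audit_single_user_auth "$@"
fi
```

Run it as root, since user.cfg is normally readable only by root and an unreadable file is reported as FAIL. Unit drop-ins under /etc/systemd/system can override ExecStart, so compare the result with the output of systemctl cat rescue.service on the live host.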
Implementation Plan:
Using Linux command line:
Configure GRUB to require a password:
• Create a password hash using:
    grub2-setpassword
• Edit /etc/grub.d/40_custom or /boot/grub2/grub.cfg to include password protection.
• Ensure rescue and emergency targets require authentication in systemd.
Backout Plan:
Using Linux command line:
• Remove or comment out password settings in GRUB configuration.
• Regenerate GRUB configuration.
• Test single user mode access without authentication.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
GRUB 2 Manual - Password Protection