STIG ID: OL07-00-010481 | SRG: SRG-OS-000080-GPOS-00048 | Severity: medium | CCI: | Vulnerability Id: V-221699
If the system does not require valid root authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system.
Configure the operating system to require authentication upon booting into single-user and maintenance modes.
Add or modify the "ExecStart" line in "/usr/lib/systemd/system/rescue.service" to include "/usr/sbin/sulogin":
ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
Verify the operating system must require authentication upon booting into single-user and maintenance modes.
Check that the operating system requires authentication upon booting into single-user mode with the following command:
# grep -i execstart /usr/lib/systemd/system/rescue.service | grep -i sulogin
ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
If "ExecStart" does not have "/usr/sbin/sulogin" as an option, this is a finding.