Require Authentication for Emergency Systemd Target

An XCCDF Rule

Description

Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence.

By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service.

Rationale

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

ID: xccdf_org.ssgproject.content_rule_require_emergency_target_auth
Severity: Medium
References: 1 11 12 14 15 16 18 3 5

DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS05.10 DSS06.03 DSS06.06 DSS06.10

3.1.1 3.4.5

CCI-000213

164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii)

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7

0421 0422 0431 0974 1173 1401 1504 1505 1546 1557 1558 1559 1560 1561

A.18.1.4 A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.2 A.9.2.3 A.9.2.4 A.9.2.6 A.9.3.1 A.9.4.1 A.9.4.2 A.9.4.3 A.9.4.4 A.9.4.5

AC-3 CM-6(a) IA-2

PR.AC-1 PR.AC-4 PR.AC-6 PR.AC-7 PR.PT-3

SRG-OS-000080-GPOS-00048
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.1.1
  - NIST-800-171-3.4.5  - NIST-800-53-AC-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - require_emergency_target_auth
  - restrict_strategy

- name: Require emergency mode password
  ansible.builtin.blockinfile:
    create: true
    dest: /etc/systemd/system/emergency.service.d/10-oscap.conf
    block: |-
      [Service]
      ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-171-3.1.1
  - NIST-800-171-3.4.5
  - NIST-800-53-AC-3
  - NIST-800-53-CM-6(a)
  - NIST-800-53-IA-2
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - require_emergency_target_auth
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

service_dropin_cfg_dir="/etc/systemd/system/emergency.service.d"
service_dropin_file="${service_dropin_cfg_dir}/10-oscap.conf"

sulogin="/usr/lib/systemd/systemd-sulogin-shell emergency"


mkdir -p "${service_dropin_cfg_dir}"
echo "[Service]" >> "${service_dropin_file}"
echo "ExecStart=-$sulogin" >> "${service_dropin_file}"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Require Authentication for Emergency Systemd Target

Description

Rationale

Remediation - Ansible

Remediation - Shell Script