Require Authentication for Single User Mode
An XCCDF Rule
Description
Single-user mode is intended as a system recovery
method, providing a single user root access to the system by
providing a boot option at startup.
By default, single-user mode is protected by requiring a password and is set
in /usr/lib/systemd/system/rescue.service
.
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
- ID
- xccdf_org.ssgproject.content_rule_require_singleuser_auth
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
service_file="/usr/lib/systemd/system/rescue.service"
sulogin='/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
Remediation - Ansible
- name: Require single user mode password
lineinfile:
create: true
dest: /usr/lib/systemd/system/rescue.service
regexp: ^#?ExecStart=
line: ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block