Skip to content

Require Authentication for Emergency Systemd Target

An XCCDF Rule

Description

Emergency mode is intended as a system recovery method, providing a single user root access to the system during a failed boot sequence.

By default, Emergency mode is protected by requiring a password and is set in /usr/lib/systemd/system/emergency.service.

Rationale

This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.

ID
xccdf_org.ssgproject.content_rule_require_emergency_target_auth
Severity
Medium
References
Updated



Remediation - Ansible

- name: Require emergency mode password
  ansible.builtin.blockinfile:
    create: true
    dest: /etc/systemd/system/emergency.service.d/10-oscap.conf
    block: |-
      [Service]

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

service_dropin_cfg_dir="/etc/systemd/system/emergency.service.d"
service_dropin_file="${service_dropin_cfg_dir}/10-oscap.conf"