Require Authentication for Emergency Systemd Target
An XCCDF Rule
Description
Emergency mode is intended as a system recovery
method, providing a single user root access to the system
during a failed boot sequence.
By default, Emergency mode is protected by requiring a password and is set
in /usr/lib/systemd/system/emergency.service
.
Rationale
This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password.
- ID
- xccdf_org.ssgproject.content_rule_require_emergency_target_auth
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
service_file="/usr/lib/systemd/system/emergency.service"
Remediation - Ansible
- name: Require emergency mode password
lineinfile:
create: true
dest: /usr/lib/systemd/system/emergency.service
regexp: ^#?ExecStart=
line: ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block