File: rule.yml

package info (click to toggle)
scap-security-guide 0.1.78-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 114,600 kB
  • sloc: xml: 245,305; sh: 84,381; python: 33,093; makefile: 27
file content (97 lines) | stat: -rw-r--r-- 4,286 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
 
documentation_complete: true


title: 'Set the UEFI Boot Loader Admin Username to a Non-Default Value'

description: |-
    The grub2 boot loader should have a superuser account and password
    protection enabled to protect boot-time settings.
    <br /><br />
    To maximize the protection, select a password-protected superuser account with unique name, and modify the
    <tt>/etc/grub.d/01_users</tt> configuration file to reflect the account name change.
    <br /><br />
    It is highly suggested not to use common administrator account names like root,
    admin, or administrator for the grub2 superuser account.
    <br /><br />
    Change the superuser to a different username (The default is 'root').
    <pre>$ sed -i 's/\(set superusers=\).*/\1"&lt;unique user ID&gt;"/g' /etc/grub.d/01_users</pre>
    The line mentioned above must be followed by the line
    <pre>export superusers</pre>
    so that the <tt>superusers</tt> is honored.
    <br /><br />
    Once the superuser account has been added,
    update the
    <tt>grub.cfg</tt> file by running:
    {{%- if "rhel" in product %}}
    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
    {{%- else %}}
    <pre>{{{ grub_command("update") }}}</pre>
    {{%- endif %}}

rationale: |-
    Having a non-default grub superuser username makes password-guessing attacks less effective.


severity: medium

identifiers:
    cce@rhcos4: CCE-83540-5
    cce@rhel8: CCE-83542-1
    cce@rhel9: CCE-89427-9
    cce@rhel10: CCE-89685-2

references:
    cis-csc: 11,12,14,15,16,18,3,5
    cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.03,DSS06.06
    cui: 3.4.5
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7'
    iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
    nist: CM-6(a)
    nist-csf: PR.AC-4,PR.AC-6,PR.PT-3
    srg: SRG-OS-000080-GPOS-00048
    stigid@ol7: OL07-00-010492
    stigid@ol8: OL08-00-010141

ocil_clause: 'superuser account is not set or is set to an existing name or to a common name'

ocil: |-
    To verify the boot loader superuser account has been set, run the following
    command:
    <pre>sudo grep -A1 "superusers" {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
    The output should show the following:
    <pre>set superusers="<b>superusers-account</b>"
    export superusers</pre>
    where superusers-account is the actual account name different from common names like root,
    admin, or administrator and different from any other existing user name.

warnings:
    - general: |-
        To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation
        must be automated as a component of machine provisioning, or followed manually as outlined above.

        Also, do NOT manually add the superuser account and password to the
        <tt>grub.cfg</tt> file as the grub2-mkconfig command overwrites this file.


fixtext: |-
    Configure {{{ full_name }}} to have a unique username for the grub superuser account.

    Select a password-protected superuser account with unique name, and modify the
    "/etc/grub.d/01_users" configuration file to reflect the account name change.

    Add or edit the following line in /etc/grub.d/01_users:

    set superusers="superusers-account"
    export superusers

    Once the superuser account has been added, update the grub.cfg file by running:

    {{%- if "rhel" in product %}}
    <pre>grub2-mkconfig -o /boot/grub2/grub.cfg</pre>
    {{%- else %}}
    <pre>{{{ grub_command("update") }}}</pre>
    {{%- endif %}}

srg_requirement: '{{{ full_name }}} systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance.'