← Rules Catalog
mediumsystemverified

Ensure GRUB uses a unique superusers name

grub-unique-superuser · RHEL ≥ 8 · 1 impl

Description

The GRUB bootloader must define a unique superusers name that is not a default or predictable value (root, admin, superuser, unlock).

Rationale

Using default or predictable GRUB superuser names makes it easier for attackers to guess credentials. A unique name adds a layer of obscurity.

Check → Remediate

Checkcommand
# Check for GRUB superusers setting
superuser=""
for f in /boot/grub2/grub.cfg /boot/efi/EFI/redhat/grub.cfg; do
  if [ -f "$f" ]; then
    superuser=$(grep -E '^\s*set\s+superusers=' "$f" 2>/dev/null | sed 's/.*superusers="\{0,1\}\([^"]*\)"\{0,1\}/\1/' | head -1)
    break
  fi
done
if [ -z "$superuser" ]; then
  echo "FAIL: No superusers directive found in GRUB config"
  exit 1
fi
for bad in root admin superuser unlock; do
  if [ "$superuser" = "$bad" ]; then
    echo "FAIL: GRUB superusers name is default/predictable: $superuser"
    exit 1
  fi
done
echo "OK: GRUB superusers name is unique: $superuser"
exit 0
expected_exit:
0
Remediatemanual
note:
Configure a unique GRUB superuser name: grub2-setpassword. Edit /etc/grub.d/01_users to set a unique superusers name, then regenerate grub.cfg.

Framework references

STIG

V-281167 / RHEL-10-600010V-257789 / RHEL-09-212020V-244521V-244522 / RHEL-08-010149

NIST 800-53

AC-3IA-2

Live verification

rhel8:check
#grub#bootloader#authentication#physical-security