mediumsystemverified ✓
Ensure GRUB uses a unique superusers name
grub-unique-superuser · RHEL ≥ 8 · 1 impl
Description
The GRUB bootloader must define a unique superusers name that is not a default or predictable value (root, admin, superuser, unlock).
Rationale
Using default or predictable GRUB superuser names makes it easier for attackers to guess credentials. A unique name adds a layer of obscurity.
Check → Remediate
Checkcommand
# Check for GRUB superusers setting
superuser=""
for f in /boot/grub2/grub.cfg /boot/efi/EFI/redhat/grub.cfg; do
if [ -f "$f" ]; then
superuser=$(grep -E '^\s*set\s+superusers=' "$f" 2>/dev/null | sed 's/.*superusers="\{0,1\}\([^"]*\)"\{0,1\}/\1/' | head -1)
break
fi
done
if [ -z "$superuser" ]; then
echo "FAIL: No superusers directive found in GRUB config"
exit 1
fi
for bad in root admin superuser unlock; do
if [ "$superuser" = "$bad" ]; then
echo "FAIL: GRUB superusers name is default/predictable: $superuser"
exit 1
fi
done
echo "OK: GRUB superusers name is unique: $superuser"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Configure a unique GRUB superuser name: grub2-setpassword. Edit /etc/grub.d/01_users to set a unique superusers name, then regenerate grub.cfg.
Framework references
STIG
V-281167 / RHEL-10-600010V-257789 / RHEL-09-212020V-244521V-244522 / RHEL-08-010149
NIST 800-53
AC-3IA-2
Live verification
rhel8:check
#grub#bootloader#authentication#physical-security