====== 1.4.3 Ensure authentication required for single user mode (Not Scored) ======

=====Profile Applicability=====

<code>
Level 1 - Server
Level 1 - Workstation
</code>

=====Description=====

Single user mode (rescue mode) is used for recovery when the system detects an issue during boot or by manual selection from the bootloader.

=====Rationale=====

Requiring authentication in single user mode (rescue mode) prevents an unauthorized user from rebooting the system into single user mode to gain root privileges without credentials.

=====Audit=====

Run the following commands and verify that ''/sbin/sulogin'' is used as shown:

<Code:bash>
# grep /sbin/sulogin /usr/lib/systemd/system/rescue.service
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"

# grep /sbin/sulogin /usr/lib/systemd/system/emergency.service
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
</Code>

=====Remediation=====

Edit ''/usr/lib/systemd/system/rescue.service'' and ''/usr/lib/systemd/system/emergency.service'' and set ''ExecStart'' to use ''/sbin/sulogin'':

<Code:bash>
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"
</Code>

Last modified: 2017/05/05 23:16
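The audit above greps only the vendor unit files, so a commented-out line containing the string, or an override under ''/etc/systemd/system'', would still pass. The script below is an added example, not part of the benchmark, and goes beyond it by resolving the ''ExecStart='' list that remains after a full-unit override and drop-ins. The function names, the ROOT prefix parameter and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the benchmark. Simplifications: /run is ignored,
# drop-ins are read /usr/lib first then /etc, continuation lines are not joined.

# effective_uses_sulogin ROOT UNIT   (ROOT: path prefix, "" on a live system)
# Returns 0 if the ExecStart= list left after overrides invokes /sbin/sulogin,
# 1 if it does not, 2 if no regular unit file is found.
effective_uses_sulogin() {
    root=$1 unit=$2
    etc="$root/etc/systemd/system" lib="$root/usr/lib/systemd/system"
    # A unit file of the same name under /etc replaces the one under /usr/lib.
    if [ -e "$etc/$unit" ]; then main="$etc/$unit"; else main="$lib/$unit"; fi
    [ -f "$main" ] || return 2
    set -- "$main"
    for f in "$lib/$unit.d"/*.conf "$etc/$unit.d"/*.conf; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi   # drop-ins apply on top
    done
    awk '
        /^[ \t]*[#;]/ { next }                      # comment lines do not count
        /^[ \t]*ExecStart[ \t]*=/ {                 # excludes ExecStartPre/Post
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            if (val == "") { n = 0; ok = 0; next }  # empty value resets the list
            n++
            if (index(val, "/sbin/sulogin")) ok = 1
        }
        END { exit !(n > 0 && ok) }
    ' "$@"
}

# Constructed sample tree: grep matches both vendor files, yet rescue.service is
# overridden by a drop-in and emergency.service names sulogin only in a comment.
make_sample_tree() {
    good='ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
    mkdir -p "$1/usr/lib/systemd/system" "$1/etc/systemd/system/rescue.service.d"
    printf '[Service]\n%s\n' "$good" > "$1/usr/lib/systemd/system/rescue.service"
    printf '[Service]\nExecStart=\nExecStart=-/bin/sh\n' \
        > "$1/etc/systemd/system/rescue.service.d/override.conf"
    printf '[Service]\n# %s\nExecStart=-/bin/sh\n' "$good" \
        > "$1/usr/lib/systemd/system/emergency.service"
}

t=$(mktemp -d) && make_sample_tree "$t"
for u in rescue.service emergency.service; do
    if effective_uses_sulogin "$t" "$u"; then echo "$u: PASS"; else echo "$u: FAIL"; fi
done
rm -rf "$t"
```

On a live host, pass an empty ROOT (''effective_uses_sulogin "" rescue.service''); ''systemctl cat rescue.service'' prints the same merged unit for manual review.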