AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes.

STIG ID: ALMA-09-006400  |  SRG: SRG-OS-000080-GPOS-00048 |  Severity: medium |  CCI: CCI-000213 |  Vulnerability Id: V-269138

Vulnerability Discussion

Having a nondefault grub superuser username makes password-guessing attacks less effective.

Check

Verify the boot loader superuser account has been set with the following command:

$ grep -A1 "superusers" /etc/grub2.cfg

set superusers="superman"
export superusers
password_pbkdf2 superman ${GRUB2_PASSWORD}

In this example "superman" is the actual account name, changed from the default "root".

If superusers contains easily guessable usernames, this is a finding.

Fix

Configure AlmaLinux OS 9 to have a unique username for the grub superuser account using the following commands:

$ sed -ri 's/root/superman/' /etc/grub.d/01_users

$ grub2-mkconfig -o /boot/grub2/grub.cfg
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.