Vulnerability Discussion
If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for OL 8 and is designed to require a password to boot into single-user mode or modify the boot menu.
Check
For systems that use UEFI, this is Not Applicable.
Verify that a unique name is set as the "superusers" account:
$ sudo grep -iw "superusers" /boot/grub2/grub.cfg
set superusers="[someuniqueUserNamehere]"
export superusers
If "superusers" is not set to a unique name or is missing a name, this is a finding.
Fix
Configure the system to replace "root" with a unique name for the grub superusers account.
Edit the /etc/grub.d/01_users file and add or modify the following lines:
set superusers="[someuniqueUserNamehere]"
export superusers
password_pbkdf2 [someuniqueUserNamehere] ${GRUB2_PASSWORD}
Generate a new grub.cfg file with the following command:
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg