Vulnerability Discussion
If the system does not require valid authentication before it boots into single-user or maintenance mode, anyone who invokes single-user or maintenance mode is granted privileged access to all files on the system. GRUB 2 is the default boot loader for RHEL 8 and is designed to require a password to boot into single-user mode or make modifications to the boot menu.
Check
For systems that use BIOS, this is Not Applicable.
Check to see if an encrypted root password is set. On systems that use UEFI, use the following command:
$ sudo grep -iw grub2_password /boot/efi/EFI/redhat/user.cfg
GRUB2_PASSWORD=grub.pbkdf2.sha512.[password_hash]
If the root password does not begin with "grub.pbkdf2.sha512", this is a finding.
Verify that a unique account name is set as the "superusers":
$ sudo grep -iw "superusers" /boot/efi/EFI/redhat/grub.cfg
set superusers="[someuniquestringhere]"
export superusers
If "superusers" is not set to a unique name or is missing a name, this is a finding.
Fix
Configure the system to require a grub bootloader password for the grub superuser account.
Generate an encrypted grub2 password for the grub superuser account with the following command:
$ sudo grub2-setpassword
Enter password:
Confirm password:
Edit the /boot/efi/EFI/redhat/grub.cfg file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
set superusers="[someuniquestringhere]"
export superusers