{"description": "The grub2 boot loader should have a superuser account and password\nprotection enabled to protect boot-time settings.\n<br /><br />\nTo maximize the protection, select a password-protected superuser account with a unique name, and modify the\n<tt>/etc/grub.d/01_users</tt> configuration file to reflect the account name change.\n<br /><br />\nDo not use common administrator account names like root,\nadmin, or administrator for the grub2 superuser account.\n<br /><br />\nChange the superuser to a different username (the default is 'root').\n<pre>$ sed -i 's/\\(set superusers=\\).*/\\1\"&lt;unique user ID&gt;\"/g' /etc/grub.d/01_users</pre>\nThe line mentioned above must be followed by the line\n<pre>export superusers</pre>\nso that the <tt>superusers</tt> setting is honored.\n<br /><br />\nOnce the superuser account has been added,\nupdate the\n<tt>grub.cfg</tt> file by running:\n<pre>update-grub</pre>", "rationale": "Having a non-default grub superuser username makes password-guessing attacks less effective.", "severity": "high", "references": {"cis-csc": ["1", "11", "12", "14", "15", "16", "18", "3", "5"], "cobit5": ["DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "DSS05.10", "DSS06.03", "DSS06.06", "DSS06.10"], "cui": ["3.4.5"], "hipaa": ["164.308(a)(1)(ii)(B)", "164.308(a)(7)(i)", "164.308(a)(7)(ii)(A)", "164.310(a)(1)", "164.310(a)(2)(i)", "164.310(a)(2)(ii)", "164.310(a)(2)(iii)", "164.310(b)", "164.310(c)", "164.310(d)(1)", "164.310(d)(2)(iii)"], "isa-62443-2009": ["4.3.3.2.2", "4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7"], "iso27001-2013": ["A.18.1.4", "A.6.1.2", "A.7.1.1", "A.9.1.2", "A.9.2.1", "A.9.2.2", "A.9.2.3", "A.9.2.4", "A.9.2.6", "A.9.3.1", "A.9.4.1", "A.9.4.2", "A.9.4.3", "A.9.4.4", "A.9.4.5"], "nist": ["CM-6(a)"], "nist-csf": ["PR.AC-1", "PR.AC-4", "PR.AC-6", "PR.AC-7", "PR.PT-3"], "srg": ["SRG-OS-000080-GPOS-00048"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "superuser account is not set or is set to root, admin, administrator or any other existing user name", "ocil": "To verify the boot loader superuser account has been set, run the following\ncommand:\n<pre>sudo grep -A1 \"superusers\" /boot/grub/grub.cfg</pre>\nThe output should show the following:\n<pre>set superusers=\"<b>superusers-account</b>\"\nexport superusers</pre>\nwhere superusers-account is the actual account name, different from common names like root,\nadmin, or administrator and different from any other existing user name.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to have a unique username for the grub superuser account.\n\nEdit the \"/etc/grub.d/01_users\" file and add or modify the following lines in the \"### BEGIN /etc/grub.d/01_users ###\" section:\n\nset superusers=\"superusers-account\"\nexport superusers\n\nOnce the superuser account has been added, update the grub.cfg file by running:\n<pre>update-grub</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes.", "warnings": [{"general": "To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation\nmust be automated as a component of machine provisioning, or followed manually as outlined above.\n\nAlso, do NOT manually add the superuser account and password to the\n<tt>grub.cfg</tt> file, as the grub2-mkconfig command overwrites this file."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must require a unique superusers name upon booting into single-user and maintenance modes.", "vuldiscussion": "Having a nondefault grub superuser username makes password-guessing attacks less effective.", "checktext": "Verify the boot loader superuser account has been set with the following command:\n\n$ sudo grep -A1 \"superusers\" /etc/grub2.cfg\n\nset superusers=\"&lt;accountname&gt;\"\nexport superusers\npassword_pbkdf2 &lt;accountname&gt; ${GRUB2_PASSWORD}\n\nVerify &lt;accountname&gt; is not a common name such as root, admin, or administrator.\n\nIf superusers contains easily guessable usernames, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to have a unique username for the grub superuser account.\n\nEdit the \"/etc/grub.d/01_users\" file and add or modify the following lines with a nondefault username for the superuser account:\n\nset superusers=\"&lt;accountname&gt;\"\nexport superusers\n\nOnce the superuser account has been added, update the grub.cfg file by running:\n\nRegenerate the GRUB configuration:\n\n$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg\n\nReboot the system:\n$ sudo reboot"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set the Boot Loader Admin Username to a Non-Default Value", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_admin_username/rule.yml", "template": null}