OL 9 must require a unique superuser's name upon booting into single-user and maintenance modes.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| high | V-271451 | SRG-OS-000080-GPOS-00048 | OL09-00-000050 | SV-271451r1137691_rule | 2026-02-17 | 1 |
Description
Having a nondefault grub superuser username makes password-guessing attacks less effective.
ℹ️ Check
Verify that OL 9 requires a unique username for the grub superuser account.
Verify the boot loader superuser account has been set with the following command:
$ sudo grep -A1 "superusers" /etc/grub2.cfg
set superusers="<superusers-account>"
export superusers
password_pbkdf2 root ${GRUB2_PASSWORD}
Here <superusers-account> stands for the actual account name, which is different from common names like root, admin, or administrator.
If superusers contains easily guessable usernames, this is a finding.
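One way to script this check, as an added example that is not part of the STIG text: it parses every `set superusers=` line and flags the common names listed above. The function names, the case-insensitive match, the exit code 2 for an unset value, and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag guessable GRUB superuser names in a grub config file.
# GUESSABLE holds only the names this rule mentions; extend it per site policy.
GUESSABLE="root admin administrator"

# Print the names from every `set superusers="..."` line, one per line.
# GRUB accepts spaces, commas, semicolons, pipes or ampersands as separators.
grub_superusers() {
    sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}superusers=//p' "$1" |
        tr -d "\"'" | tr ' ,;|&' '\n\n\n\n\n' | sed '/^$/d'
}

# Return 0 when no listed name is guessable, 1 on a finding,
# 2 when no superuser is set at all (assumption: reported separately).
check_grub_superusers() {
    names=$(grub_superusers "$1")
    if [ -z "$names" ]; then
        echo "UNSET: no superusers line in $1"
        return 2
    fi
    rc=0
    for n in $names; do
        lower=$(printf '%s' "$n" | tr '[:upper:]' '[:lower:]')
        for g in $GUESSABLE; do
            if [ "$lower" = "$g" ]; then
                echo "FINDING: guessable superuser '$n' in $1"
                rc=1
            fi
        done
    done
    if [ "$rc" -eq 0 ]; then echo "OK: superusers in $1: $(echo $names)"; fi
    return "$rc"
}

# Constructed sample config (not from a real system): one unique, one guessable name.
demo() {
    tmp=$(mktemp)
    printf 'set superusers="bootadm7;Admin"\nexport superusers\n' > "$tmp"
    check_grub_superusers "$tmp" || true
    rm -f "$tmp"
}
demo
```

On a real host, call `check_grub_superusers /etc/grub2.cfg` from a root shell, since the file is not world-readable.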
✔️ Fix
Configure OL 9 to have a unique username for the grub superuser account.
Edit the "/etc/grub.d/01_users" file and add or modify the following lines in the "### BEGIN /etc/grub.d/01_users ###" section:
set superusers="superusers-account"
export superusers
Once the superuser account has been added, update the grub.cfg file by running:
$ sudo grubby --update-kernel=ALL