AlmaLinux OS 9 must require a unique superuser's name upon booting into single-user and maintenance modes.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-269138 | ALMA-09-006400 | SV-269138r1050020_rule | Medium |
| Description |
| Having a nondefault grub superuser username makes password-guessing attacks less effective. |
| STIG | Date |
| CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide | 2025-05-22 |
Details
| Check Text (C-73169r1047790_chk) |
| Verify the boot loader superuser account has been set with the following command: $ grep -A1 "superusers" /etc/grub2.cfg set superusers="superman" export superusers password_pbkdf2 superman ${GRUB2_PASSWORD} In this example "superman" is the actual account name, changed from the default "root". If superusers contains easily guessable usernames, this is a finding. |
| Fix Text (F-73070r1049176_fix) |
| Configure AlmaLinux OS 9 to have a unique username for the grub superuser account using the following commands: $ sed -ri 's/root/superman/' /etc/grub.d/01_users $ grub2-mkconfig -o /boot/grub2/grub.cfg |