diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/policy/stig/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/policy/stig/shared.yml index 9ed13f583fd..cd3f7c9ddc0 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/policy/stig/shared.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/policy/stig/shared.yml @@ -13,12 +13,21 @@ checktext: |- ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue - If this line is not returned, or is commented out, this is a finding. + In case the output does not match, check if the ExecStart directive is not overridden: + + grep ExecStart /etc/systemd/system/rescue.service.d/*.conf + + The output should contain two lines: + ExecStart= + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + + If the line is not returned in any of cases mentioned above, or is commented out, this is a finding. fixtext: |- Configure {{{ full_name }}} to require authentication for single-user mode. - Add or modify the following line in the "/usr/lib/systemd/system/rescue.service" file: + Add following two lines to the file "/etc/systemd/system/rescue.service.d/10-remediation.conf": + ExecStart= ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml index 1846c60d1e8..bc0beb98a79 100644 --- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml +++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/rule.yml @@ -64,6 +64,17 @@ ocil: |-
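Review bot: The new checktext only sends the assessor to the drop-in directory "In case the output does not match", so a file under /etc/systemd/system/rescue.service.d/ that overrides ExecStart with something other than the sulogin shell is never examined when /usr/lib/systemd/system/rescue.service is itself intact, and a host that should be a finding passes. The drop-in step should be unconditional, or the check should inspect the effective unit instead, e.g. `systemctl cat rescue.service`, stating that the last ExecStart= assignment shown must be `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue` (an empty ExecStart= resets the list and later assignments win). With more than one .conf file in the directory `grep` also prefixes each match with the filename, so the "output should contain two lines" expectation does not hold literally. The same two points apply to the ocil hunk of rule.yml (@@ -64,6 +64,17 @@).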
ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"{{%- endif %}} + In case the output does not match, check if the ExecStart directive is not overridden: +
grep ExecStart /etc/systemd/system/rescue.service.d/*.conf+ The output should contain two lines: +
ExecStart= + {{% if product in ["fedora", "rhcos4", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}} + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue+ {{%- else -%}} + ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" + {{%- endif %}} + + {{% if product not in ["ol8", "rhel8"] %}} Then, verify that the rescue service is in the runlevel1.target. Run the following command: @@ -85,11 +96,12 @@ ocil: |- fixtext: |- Configure {{{ full_name }}} to require authentication in single user mode. - Add or update the following line in "/usr/lib/systemd/system/rescue.service": + Ensure that there are following two lines in /etc/systemd/system/rescue.service.d/10-remediation.conf: +
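Review bot: The product condition added to the ocil block lists "rhcos4" among the products expected to show `ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue`, but the fixtext condition left unchanged in the next hunk (`{{% if product in ["fedora", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}}`) does not, so for rhcos4 the check text and the remediation text would name different ExecStart lines unless that product is caught by the families or 'rhel' tests, which cannot be confirmed from here. Presumably the added list was copied from the existing ocil condition above the hunk; whichever list is correct should be used in both the ocil and fixtext blocks. The `ocil` block this hunk extends starts before the hunk.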
ExecStart= {{% if product in ["fedora", "sle12", "sle15", "slmicro5"] or 'ol' in families or 'rhel' in product -%}} - ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue + ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue{{%- else -%}} - ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" + ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default" {{%- endif %}} srg_requirement: '{{{ full_name }}} must require authentication upon booting into rescue mode.'
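Review bot: The rewritten fixtext tells the operator to write the drop-in but not to make the running systemd instance load it; a new or edited drop-in does not affect the loaded unit until `systemctl daemon-reload` is run (or the system is rebooted), so a `systemctl rescue` transition performed right after the fix would still use the previous ExecStart. Consider adding a line such as `Then run "systemctl daemon-reload" for the change to take effect.` after the `{{%- endif %}}` line; the same applies to the shared.yml fixtext in the first hunk. As a wording point, `Ensure that there are following two lines in` reads better as `Ensure that the following two lines are present in`.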