Check: RHEL-07-021700
RHEL 7 STIG:
RHEL-07-021700
(in versions v3 r15 through v3 r13)
Title
The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved. (Cat II impact)
Discussion
Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the information system security officer (ISSO).
Check Content
Verify the system is not configured to use a boot loader on removable media. Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines. Check for the existence of alternate boot loader configuration files with the following command: # find / -name grub.cfg /boot/efi/EFI/redhat/grub.cfg If a "grub.cfg" is found in any subdirectories other than "/boot/grub2/" and "/boot/efi/EFI/redhat/", ask the system administrator (SA) if there is documentation signed by the ISSO to approve the use of removable media as a boot loader. List the number of menu entries defined in the grub configuration file with the following command (the number will vary between systems): # grep -cw menuentry /boot/efi/EFI/redhat/grub.cfg 4 Check that the grub configuration file has the "set root" command for each menu entry with the following command ("set root" defines the disk and partition or directory where the kernel and GRUB 2 modules are stored): # grep 'set root' /boot/efi/EFI/redhat/grub.cfg set root='hd0,gpt2' set root='hd0,gpt2' set root='hd0,gpt2' set root='hd0,gpt2' If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.
Fix Text
Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.
Additional Identifiers
Rule ID: SV-204501r958796_rule
Vulnerability ID: V-204501
Group Title: SRG-OS-000364-GPOS-00151
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000318 |
Monitor and review activities associated with configuration-controlled changes to the system. |
| CCI-000368 |
Document any deviations from the established configuration settings for organization-defined system components based on organization-defined operational requirements. |
| CCI-001812 |
The information system prohibits user installation of software without explicit privileged status. |
| CCI-001813 |
Enforce access restrictions using organization-defined mechanisms. |
| CCI-001814 |
The Information system supports auditing of the enforcement actions. |