
The system must be configured to only boot from the system boot device.


Overview

Finding ID: V-1013
Version: GEN008600
Rule ID: SV-38835r1_rule
IA Controls: ECSC-1
Severity: High
Description
The ability to boot from removable media is equivalent to being able to boot into single-user (maintenance) mode without a password. It could allow a malicious user to boot the system and make changes that compromise or damage it, and it could allow an anonymous user to boot the system for malicious purposes.
STIG: AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE
Date: 2018-09-18

Details

Check Text (C-37096r1_chk)
Determine whether the system is configured to boot from devices other than the system startup media.
# bootlist -m normal -o
Every returned value should be an hdisk{x} device. If the system is set up to boot from any non-hard-disk device, this is a finding.

Additionally, ask the SA whether the machine is set up for multi-boot in the SMS application. If multi-boot is enabled, the firmware stops at boot time and prompts the user for which image to boot. If multi-boot is enabled, this is a finding.
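The bootlist part of this check, applied to captured output, as an added example that is not part of the STIG. The function names and the sample bootlist outputs are constructed; on a live AIX host the function would be fed by `bootlist -m normal -o` directly.

```shell
#!/bin/sh
# Added example (not from the STIG): evaluate `bootlist -m normal -o` output
# against GEN008600. Returns 0 when every entry in the normal-mode boot list
# is an hdisk device, 1 (and a FINDING line on stderr) otherwise.
# Reads the bootlist output on stdin so it can also run on captured output.
check_normal_bootlist() {
    rc=0
    while IFS= read -r line; do
        # Skip blank lines; the device name is the first field
        # (AIX may append attributes such as blv=hd5 pathid=0).
        if [ -z "$line" ]; then
            continue
        fi
        dev=${line%% *}
        case "$dev" in
            hdisk[0-9]*) ;;   # compliant: system startup media
            *) echo "FINDING: non-hdisk boot device '$dev'" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Convenience wrapper: run the check against a string of bootlist output.
check_bootlist_string() {
    printf '%s\n' "$1" | check_normal_bootlist
}

# Constructed sample outputs (not captured from a real system).
COMPLIANT_BOOTLIST='hdisk0 blv=hd5 pathid=0
hdisk1 blv=hd5 pathid=0'

NONCOMPLIANT_BOOTLIST='hdisk0 blv=hd5 pathid=0
cd0
ent0'

# On a live AIX host:
#   bootlist -m normal -o | check_normal_bootlist && echo "compliant"
```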
Fix Text (F-32367r1_fix)
Configure the system to boot only from system startup media.

# bootlist -m normal hdisk<x>

Set multi-boot to off in the SMS application.