UCF STIG Viewer Logo

The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.


Overview

Finding ID Version Rule ID IA Controls Severity
V-72075 RHEL-07-021700 SV-86699r2_rule Medium
Description
Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).
STIG Date
Red Hat Enterprise Linux 7 Security Technical Implementation Guide 2018-11-28

Details

Check Text ( C-72307r2_chk )
Verify the system is not configured to use a boot loader on removable media.

Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.

Check for the existence of alternate boot loader configuration files with the following command:

# find / -name grub.cfg
/boot/grub2/grub.cfg

If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader.

Check that the grub configuration file has the set root command in each menu entry with the following commands:

# grep -c menuentry /boot/grub2/grub.cfg
1
# grep 'set root' /boot/grub2/grub.cfg
set root=(hd0,1)

If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.
Fix Text (F-78427r1_fix)
Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.