File: rule.yml

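# SSG rule definition: checks that systemd "interactive boot"
# (systemd.confirm_spawn) and GRUB recovery booting are disabled.
# The {{{ ... }}} and {{% ... %}} constructs are build-time template
# macros; they are expanded before the rule text is rendered.
documentation_complete: true


title: 'Verify that Interactive Boot is Disabled'

# Rendered guide text. The grub2-editenv / grubby branch is selected per
# product at build time, so only one of the two commands is shown to the reader.
description: |-
    {{{ full_name }}} systems support an "interactive boot" option that can
    be used to prevent services from being started. On a {{{ full_name }}}
    system, interactive boot can be enabled by providing a <tt>1</tt>,
    <tt>yes</tt>, <tt>true</tt>, or <tt>on</tt> value to the
    <tt>systemd.confirm_spawn</tt> kernel argument in <tt>/etc/default/grub</tt>.
    Remove any instance of <pre>systemd.confirm_spawn=(1|yes|true|on)</pre> from
    the kernel arguments in that file to disable interactive boot.
    Recovery booting must also be disabled. Confirm that
    <tt>GRUB_DISABLE_RECOVERY=true</tt> is set in <tt>/etc/default/grub</tt>.
    The runtime configuration must also be changed; run:
    {{% if 'sle' in product %}}
    <pre>/usr/bin/grub2-editenv - unset systemd.confirm_spawn</pre>
    {{% else %}}
    <pre>/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"</pre>
    {{% endif %}}
    <pre>grub2-mkconfig -o {{{ grub2_boot_path }}}/grub.cfg</pre>

rationale: |-
    Using interactive or recovery boot, the console user could disable auditing, firewalls,
    or other services, weakening system security.

severity: medium

# One CCE identifier per supported product.
identifiers:
    cce@rhcos4: CCE-82551-3
    cce@rhel8: CCE-80826-1
    cce@rhel9: CCE-87114-5
    cce@rhel10: CCE-89661-3
    cce@sle15: CCE-91152-9

# Control mappings; values are comma-separated lists kept as plain strings.
references:
    cis-csc: 11,12,14,15,16,18,3,5
    cobit5: DSS05.02,DSS05.04,DSS05.05,DSS05.07,DSS06.03,DSS06.06
    cui: 3.1.2,3.4.5
    hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
    isa-62443-2009: 4.3.3.2.2,4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7'
    iso27001-2013: A.6.1.2,A.7.1.1,A.9.1.2,A.9.2.1,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
    nist: SC-2(1),CM-6(a)
    nist-csf: PR.AC-4,PR.AC-6,PR.PT-3
    srg: SRG-OS-000480-GPOS-00227

ocil_clause: 'Interactive boot is enabled at boot time'

# Manual check text. It inspects only /etc/default/grub; the command line of
# the currently booted kernel (e.g. /proc/cmdline) is not covered, so a clean
# config file alone does not show that the running system was booted without
# the argument until the generated grub.cfg is regenerated and the system rebooted.
ocil: |-
    Inspect <tt>/etc/default/grub</tt> for any instances of
    <tt>systemd.confirm_spawn=(1|yes|true|on)</tt> in the kernel boot arguments.
    Presence of <tt>systemd.confirm_spawn=(1|yes|true|on)</tt> indicates
    that interactive boot is enabled at boot time. Also verify that
    <tt>GRUB_DISABLE_RECOVERY=true</tt> is set to disable recovery boot.

# Applicability: the rule is evaluated only on systems matching the grub2 platform.
platform: grub2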