1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
documentation_complete: true
title: 'UEFI Boot Loader Is Not Installed On Removeable Media'
description: |-
The system must not allow removable media to be used as the boot loader.
Remove alternate methods of booting the system from removable media.
<tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
media which should not exist in the lines:
<pre>set root='hd0,msdos1'</pre>
rationale: |-
Malicious users with removable boot media can gain access to a system
configured to use removable media as the boot loader.
severity: medium
references:
srg: SRG-OS-000364-GPOS-00151
stigid@ol7: OL07-00-021700
ocil_clause: 'it is not'
ocil: |-
To verify the system is not configured to use a boot loader on removable media,
check that the grub configuration file has the set root command in each menu
entry with the following commands:
<pre>$ sudo grep -cw menuentry {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
Note that the <pre>-c</pre> option for the <pre>grep</pre> command will print
only the count of <pre>menuentry</pre> occurrences. This number should match
the number of occurrences reported by the following command:
<pre>$ sudo grep "set root='hd0" {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
The output should return something similar to:
<pre>set root='hd0,msdos1'</pre>
<tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removeable
media which should not exist in the lines:
<pre>set root='hd0,msdos1'</pre>
|
