STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021:

The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.

DISA Rule

SV-204501r603261_rule

Vulnerability Number

V-204501

Group Title

SRG-OS-000364-GPOS-00151

Rule Version

RHEL-07-021700

Severity

CAT II

CCI(s)

• CCI-000368 - The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.
• CCI-001812 - The information system prohibits user installation of software without explicit privileged status.
• CCI-001814 - The Information system supports auditing of the enforcement actions.
• CCI-001813 - The information system enforces access restrictions.
• CCI-000318 - The organization audits and reviews activities associated with configuration-controlled changes to the system.

Weight

10

Fix Recommendation

Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.

Check Contents

Verify the system is not configured to use a boot loader on removable media.

Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.

Check for the existence of alternate boot loader configuration files with the following command:

# find / -name grub.cfg
/boot/grub2/grub.cfg

If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader.

Check that the grub configuration file has the set root command in each menu entry with the following commands:

# grep -c menuentry /boot/grub2/grub.cfg
1
# grep 'set root' /boot/grub2/grub.cfg
set root=(hd0,1)

If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.

Vulnerability Number

V-204501

Documentable

False

Rule Version

RHEL-07-021700

Severity Override Guidance

Verify the system is not configured to use a boot loader on removable media.

Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.

Check for the existence of alternate boot loader configuration files with the following command:

# find / -name grub.cfg
/boot/grub2/grub.cfg

If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader.

Check that the grub configuration file has the set root command in each menu entry with the following commands:

# grep -c menuentry /boot/grub2/grub.cfg
1
# grep 'set root' /boot/grub2/grub.cfg
set root=(hd0,1)

If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.

Check Content Reference

M

Target Key

2899

Comments