Vulnerability Discussion
Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).
Check
Verify the system is not configured to use a boot loader on removable media.
Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.
Check for the existence of alternate boot loader configuration files with the following command:
# find / -name grub.cfg
/boot/grub2/grub.cfg
If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader.
Check that the grub configuration file has the set root command in each menu entry with the following commands:
# grep -c menuentry /boot/grub2/grub.cfg
1
# grep 'set root' /boot/grub2/grub.cfg
set root=(hd0,1)
If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.
Fix
Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.