The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved.

STIG ID: RHEL-07-021700  |  SRG: SRG-OS-000364-GPOS-00151 |  Severity: medium |  CCI: CCI-000368,CCI-000318,CCI-001813,CCI-001814,CCI-001812 |  Vulnerability Id: V-204501 | 

Vulnerability Discussion

Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).

Check

Verify the system is not configured to use a boot loader on removable media.

Note: GRUB 2 reads its configuration from the "/boot/grub2/grub.cfg" file on traditional BIOS-based machines and from the "/boot/efi/EFI/redhat/grub.cfg" file on UEFI machines.

Check for the existence of alternate boot loader configuration files with the following command:

# find / -name grub.cfg
/boot/grub2/grub.cfg

If a "grub.cfg" is found in any subdirectories other than "/boot/grub2" and "/boot/efi/EFI/redhat", ask the System Administrator if there is documentation signed by the ISSO to approve the use of removable media as a boot loader.

Check that the grub configuration file has the set root command in each menu entry with the following commands:

# grep -c menuentry /boot/grub2/grub.cfg
1
# grep 'set root' /boot/grub2/grub.cfg
set root=(hd0,1)

If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding.

Fix

Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO.