Skip to content

Disable Recovery Booting

An XCCDF Rule

Description

OpenEmbedded systems support an "recovery boot" option that can be used to prevent services from being started. The GRUB_DISABLE_RECOVERY configuration option in /etc/default/grub should be set to true to disable the generation of recovery mode menu entries. It is also required to change the runtime configuration, run:

$ sudo grubby --update-kernel=ALL

Rationale

Using recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.

ID
xccdf_org.ssgproject.content_rule_grub2_disable_recovery
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_disable_recovery
  - low_complexity

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common; then

if grep -q '^GRUB_DISABLE_RECOVERY=.*'  '/etc/default/grub' ; then
    sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"
else