Disable Recovery Booting
An XCCDF Rule
Description
OpenEmbedded systems support a "recovery boot" option that can be used
to prevent services from being started. The GRUB_DISABLE_RECOVERY
configuration option in /etc/default/grub should be set to true to
disable the generation of recovery mode menu entries. The runtime
configuration must also be updated; to do so, run:
$ sudo grubby --update-kernel=ALL
Rationale
Using recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.
- ID: xccdf_org.ssgproject.content_rule_grub2_disable_recovery
- Severity: Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - grub2_disable_recovery
    - low_complexity
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common; then
  if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then
    sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"
  else
    # No existing assignment in the file: append one
    echo 'GRUB_DISABLE_RECOVERY=true' >> '/etc/default/grub'
  fi
fi
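As an added example that is not part of this rule's own check or remediation content, the following POSIX shell functions audit the effective GRUB_DISABLE_RECOVERY value the way grub2-mkconfig would see it when it sources /etc/default/grub (the last uncommented assignment wins and surrounding quotes are stripped) and apply the same idempotent fix, run here against a constructed sample file rather than the real one. The file-path argument and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not SSG rule content. Each function takes the grub
# defaults file as $1 so it can be exercised against a sample file.

# Print the effective GRUB_DISABLE_RECOVERY value: only uncommented
# assignments count, the last one wins, and quotes around the value are dropped.
effective_recovery_value() {
    sed -n 's/^[[:space:]]*GRUB_DISABLE_RECOVERY=//p' "$1" \
        | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# Return 0 when recovery entries are disabled (value is exactly "true").
check_recovery_disabled() {
    [ "$(effective_recovery_value "$1")" = "true" ]
}

# Idempotent fix mirroring the rule's remediation: rewrite every existing
# assignment, or append one if none exists. A temp file is used instead of
# sed -i for portability. grub.cfg still has to be regenerated afterwards.
disable_recovery() {
    if grep -q '^[[:space:]]*GRUB_DISABLE_RECOVERY=' "$1"; then
        tmp="$(mktemp)"
        sed 's/^[[:space:]]*GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' \
            "$1" > "$tmp" && cat "$tmp" > "$1"
        rm -f "$tmp"
    else
        printf 'GRUB_DISABLE_RECOVERY=true\n' >> "$1"
    fi
}

# Constructed sample: a commented-out "true" that a naive grep would accept,
# followed by a quoted "false" that is the value actually in effect.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
GRUB_TIMEOUT=5
#GRUB_DISABLE_RECOVERY=true
GRUB_DISABLE_RECOVERY="false"
EOF

if check_recovery_disabled "$SAMPLE"; then
    echo "sample: recovery boot entries disabled"
else
    echo "sample: recovery boot entries ENABLED (value: $(effective_recovery_value "$SAMPLE"))"
fi
```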