Verify that Interactive Boot is Disabled

An XCCDF Rule

Description

Red Hat Enterprise Linux 10 systems support an "interactive boot" option that can be used to prevent services from being started. On a Red Hat Enterprise Linux 10 system, interactive boot can be enabled by providing a 1, yes, true, or on value to the systemd.confirm_spawn kernel argument in /etc/default/grub. Remove any instance of

systemd.confirm_spawn=(1|yes|true|on)

from the kernel arguments in that file to disable interactive boot. Recovery booting must also be disabled. Confirm that GRUB_DISABLE_RECOVERY=true is set in /etc/default/grub. It is also required to change the runtime configuration, run:

/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"

grub2-mkconfig -o /boot/grub2/grub.cfg

Rationale

Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.

ID: xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot
Severity: Medium
References: 11 12 14 15 16 18 3 5

DSS05.02 DSS05.04 DSS05.05 DSS05.07 DSS06.03 DSS06.06

3.1.2 3.4.5

CCI-000366

164.308(a)(1)(ii)(B) 164.308(a)(7)(i) 164.308(a)(7)(ii)(A) 164.310(a)(1) 164.310(a)(2)(i) 164.310(a)(2)(ii) 164.310(a)(2)(iii) 164.310(b) 164.310(c) 164.310(d)(1) 164.310(d)(2)(iii)

4.3.3.2.2 4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7

A.6.1.2 A.7.1.1 A.9.1.2 A.9.2.1 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

CM-6(a) SC-2(1)

PR.AC-4 PR.AC-6 PR.PT-3

SRG-OS-000480-GPOS-00227

CCE-89661-3
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-89661-3
  - NIST-800-171-3.1.2  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-2(1)
  - grub2_disable_interactive_boot
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Verify GRUB_DISABLE_RECOVERY=true
  lineinfile:
    path: /etc/default/grub
    regexp: ^GRUB_DISABLE_RECOVERY=.*
    line: GRUB_DISABLE_RECOVERY=true
    state: present
  when:
  - '"kernel" in ansible_facts.packages'
  - '"grub2-common" in ansible_facts.packages'
  tags:
  - CCE-89661-3
  - NIST-800-171-3.1.2
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-2(1)
  - grub2_disable_interactive_boot
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Verify that Interactive Boot is Disabled in /etc/default/grub
  replace:
    dest: /etc/default/grub
    regexp: systemd.confirm_spawn(=(1|yes|true|on)|\b)
    replace: systemd.confirm_spawn=no
  when:
  - '"kernel" in ansible_facts.packages'
  - '"grub2-common" in ansible_facts.packages'
  tags:
  - CCE-89661-3
  - NIST-800-171-3.1.2
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-2(1)
  - grub2_disable_interactive_boot
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Verify that Interactive Boot is Disabled (runtime)
  command: /sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
  when:
  - '"kernel" in ansible_facts.packages'
  - '"grub2-common" in ansible_facts.packages'
  tags:
  - CCE-89661-3
  - NIST-800-171-3.1.2
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-2(1)
  - grub2_disable_interactive_boot
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

- name: Regen grub.cfg handle updated GRUB_DISABLE_RECOVERY and confirm_spawn
  command: grub2-mkconfig -o  /boot/grub2/grub.cfg
  when:
  - '"kernel" in ansible_facts.packages'
  - '"grub2-common" in ansible_facts.packages'
  tags:
  - CCE-89661-3
  - NIST-800-171-3.1.2
  - NIST-800-171-3.4.5
  - NIST-800-53-CM-6(a)
  - NIST-800-53-SC-2(1)
  - grub2_disable_interactive_boot
  - low_complexity
  - low_disruption
  - medium_severity
  - reboot_required
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel && { rpm --quiet -q grub2-common; }; then

# Verify that Interactive Boot is Disabled in /etc/default/grub
CONFIRM_SPAWN_YES="systemd.confirm_spawn\(=\(1\|yes\|true\|on\)\|\b\)"
CONFIRM_SPAWN_NO="systemd.confirm_spawn=no"
if grep -q "\(GRUB_CMDLINE_LINUX\|GRUB_CMDLINE_LINUX_DEFAULT\)" /etc/default/grub
then
	sed -i "s/${CONFIRM_SPAWN_YES}/${CONFIRM_SPAWN_NO}/" /etc/default/grub
fi

# make sure GRUB_DISABLE_RECOVERY=true
if grep -q '^GRUB_DISABLE_RECOVERY=.*'  '/etc/default/grub' ; then
       # modify the GRUB command-line if an GRUB_DISABLE_RECOVERY= arg already exists
       sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' /etc/default/grub
else
       # no GRUB_DISABLE_RECOVERY=arg is present, append it to file
       echo "GRUB_DISABLE_RECOVERY=true"  >> '/etc/default/grub'
fi



# Remove 'systemd.confirm_spawn' kernel argument also from runtime settings
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"


#Regen grub.cfg handle updated GRUB_DISABLE_RECOVERY and confirm_spawn
grub2-mkconfig -o /boot/grub2/grub.cfg

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify that Interactive Boot is Disabled

Description

Rationale

Remediation - Ansible

Remediation - Shell Script