Disable Recovery Booting
An XCCDF Rule
Description
Red Hat Enterprise Linux CoreOS 4 systems support a "recovery boot" option that can be used to prevent services from being started. The GRUB_DISABLE_RECOVERY configuration option in /etc/default/grub should be set to true to disable the generation of recovery mode menu entries. To also change the runtime configuration, run:
$ sudo grubby --update-kernel=ALL
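An added example (not part of this rule's content and not the SSG project's own check): a shell audit function that extracts the effective GRUB_DISABLE_RECOVERY value from a grub defaults file and reports compliance. The function names and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added audit example; function names are hypothetical, not SSG project code.

# Print the effective GRUB_DISABLE_RECOVERY value in file $1. The file is
# read as shell assignments, so commented lines are ignored and the last
# assignment wins.
grub_recovery_value() {
    grep -E '^[[:space:]]*GRUB_DISABLE_RECOVERY=' "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E -e 's/^[[:space:]]*GRUB_DISABLE_RECOVERY=//' \
                 -e 's/[[:space:]]+#.*$//' \
                 -e 's/[[:space:]]+$//' \
                 -e 's/^"(.*)"$/\1/' \
                 -e "s/^'(.*)'\$/\\1/"
}

# Return 0 if compliant, 1 if not, 2 if the file cannot be read.
check_grub_recovery() {
    file=${1:-/etc/default/grub}
    if [ ! -r "$file" ]; then
        echo "ERROR: cannot read $file"
        return 2
    fi
    value=$(grub_recovery_value "$file")
    if [ "$value" = "true" ]; then
        echo "PASS: GRUB_DISABLE_RECOVERY=true in $file"
        return 0
    fi
    echo "FAIL: GRUB_DISABLE_RECOVERY is '${value:-unset}' in $file, expected true"
    return 1
}

# Constructed sample: a later assignment overrides the compliant one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
GRUB_TIMEOUT=5
#GRUB_DISABLE_RECOVERY="false"
GRUB_DISABLE_RECOVERY="true"
GRUB_DISABLE_RECOVERY=false   # constructed override, makes the file non-compliant
EOF
check_grub_recovery "$sample" || true
rm -f "$sample"
```

Calling check_grub_recovery with no argument checks /etc/default/grub on the host.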
Rationale
Using recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.
- ID: xccdf_org.ssgproject.content_rule_grub2_disable_recovery
- Severity: Medium
- References
- Updated