Ensure /boot Located On Separate Partition
An XCCDF Rule
Description
It is recommended that the /boot directory resides on a separate partition. This makes it easier to apply restrictions, e.g. through the noexec mount option. Eventually, the /boot partition can be configured not to be mounted automatically with the noauto mount option.
Rationale
The /boot partition contains the kernel and bootloader files. Access to this partition should be restricted.
- ID: xccdf_org.ssgproject.content_rule_partition_for_boot
- Severity: Medium
- References
- Updated
Remediation - Anaconda Pre-Install Instructions
part /boot
Remediation - OS Build Blueprint
[[customizations.filesystem]]
mountpoint = "/boot"
size = 1073741824
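
One way to check the outcome of this rule on an installed system, as an added example that is not part of the rule's own content: the script reads an fstab-format file, reports whether /boot has its own entry, and shows whether the noexec and noauto options from the description are set. The function names and the sample fstab lines are constructed for illustration.

```shell
# Added example: audit an fstab-format file (device mountpoint fstype options ...)
# for a dedicated /boot entry and the noexec / noauto options.

# Print the options field of the /boot entry; return 1 if there is none,
# meaning /boot lives on the root filesystem.
boot_mount_options() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }     # skip comments and short lines
        $2 == "/boot" { opts = $4; found = 1 }  # last matching entry wins
        END { if (!found) exit 1; print opts }
    ' "$1"
}

# Return 0 if the comma-separated option list $1 contains exactly option $2.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a one-line verdict for the file given as $1 (default /etc/fstab).
audit_boot() {
    file=${1:-/etc/fstab}
    if ! opts=$(boot_mount_options "$file"); then
        echo "FAIL: /boot is not a separate partition"
        return 1
    fi
    verdict="PASS: /boot is a separate partition"
    for o in noexec noauto; do
        if has_option "$opts" "$o"; then verdict="$verdict, $o=yes"
        else verdict="$verdict, $o=no"; fi
    done
    echo "$verdict"
}

# Constructed sample fstab files (not taken from a real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/separate" <<'EOF'
# constructed sample
/dev/mapper/vg-root  /      xfs  defaults                      0 0
/dev/sda1            /boot  xfs  defaults,nodev,nosuid,noexec  0 0
EOF
cat > "$SAMPLE_DIR/single" <<'EOF'
/dev/sda1  /  ext4  defaults  0 1
EOF

audit_boot "$SAMPLE_DIR/separate"
audit_boot "$SAMPLE_DIR/single" || true
```

Calling audit_boot with no argument checks /etc/fstab, which is where noauto has to be looked for: it is an fstab-only option and does not appear in /proc/self/mounts.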