Add noauto Option to /boot
An XCCDF Rule
Description
The noauto mount option is used to prevent automatic mounting of the /boot partition. Add the noauto option to the fourth column of /etc/fstab for the line which controls mounting of /boot.
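The fstab edit described above, as an added shell example rather than the SSG rule's own remediation: it appends noauto to the fourth column of the /boot entry in an fstab-format file, leaves the line alone when the option is already present, and fails when no entry for the mount point exists. The function names and the sample fstab it writes are constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not the SSG remediation script. Ensure "noauto" is in the
# fourth (mount options) column of an fstab-format file for one mount point.
# Idempotent; returns 1 when the mount point has no entry.
#   add_noauto_option /etc/fstab /boot   (try it on a copy first)
add_noauto_option() {
    fstab="$1"   # fstab-format file, edited in place
    mnt="$2"     # mount point whose entry gets the option, e.g. /boot

    # Refuse to continue when no non-comment entry names this mount point.
    if ! awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { found = 1 } END { exit !found }' "$fstab"; then
        echo "add_noauto_option: no entry for $mnt in $fstab" >&2
        return 1
    fi

    tmp="${fstab}.tmp.$$"
    awk -v m="$mnt" '
        $1 !~ /^#/ && $2 == m {
            # Split the options column and append only when noauto is absent.
            n = split($4, opt, ",")
            have = 0
            for (i = 1; i <= n; i++) if (opt[i] == "noauto") have = 1
            if (!have) $4 = $4 ",noauto"
        }
        { print }
    ' "$fstab" > "$tmp" && mv "$tmp" "$fstab"
}

# Print the options column for a mount point (empty when there is no entry).
fstab_options() {
    awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4 }' "$1"
}

# Write a constructed sample fstab (not taken from any real system) to a path.
write_sample_fstab() {
    cat > "$1" <<'EOF'
# constructed sample fstab for demonstration
UUID=0000-root  /      xfs   defaults  0 0
UUID=0000-boot  /boot  xfs   defaults  1 2
UUID=0000-swap  none   swap  defaults  0 0
EOF
}
```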
Warning
Although the contents of the /boot partition should not be needed during normal system operation, they might need to be accessible during system maintenance and upgrades. Make sure that applying this rule will not break upgrade or maintenance processes affecting the system.
Rationale
The /boot partition contains the kernel and the bootloader. Access to the partition after the boot process finishes should not be needed. Files contained within this partition can be analysed, and the information gained can be used to create exploits.
- ID: xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
- Severity: Medium
- References
- Updated
Remediation - Anaconda Pre-Install Instructions
part /boot --mountoptions="noauto"
Remediation - Ansible
- name: 'Add noauto Option to /boot: Check information associated to mountpoint'
  command: findmnt --fstab '/boot'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
    function perform_remediation {
        # the mount point /boot has to be defined in /etc/fstab