Verify that Interactive Boot is Disabled
An XCCDF Rule
Description
Red Hat Virtualization 4 systems support an "interactive boot" option that can
be used to prevent services from being started. On a Red Hat Virtualization 4
system, interactive boot can be enabled by providing a 1
,
yes
, true
, or on
value to the
systemd.confirm_spawn
kernel argument in /etc/default/grub
.
Remove any instance of
systemd.confirm_spawn=(1|yes|true|on)from the kernel arguments in that file to disable interactive boot. Recovery booting must also be disabled. Confirm that
GRUB_DISABLE_RECOVERY=true
is set in /etc/default/grub
.
It is also required to change the runtime configuration, run:
/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"
grub2-mkconfig -o /boot/grub2/grub.cfg
Rationale
Using interactive or recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.
- ID
- xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-171-3.1.2
- NIST-800-171-3.4.5
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && { rpm --quiet -q grub2-common; }; then
# Verify that Interactive Boot is Disabled in /etc/default/grub
CONFIRM_SPAWN_YES="systemd.confirm_spawn\(=\(1\|yes\|true\|on\)\|\b\)"
CONFIRM_SPAWN_NO="systemd.confirm_spawn=no"