Disable Recovery Booting
An XCCDF Rule
Description
Ubuntu 16.04 systems support an "recovery boot" option that can be used
to prevent services from being started. The GRUB_DISABLE_RECOVERY
configuration option in /etc/default/grub should be set to
true to disable the generation of recovery mode menu entries. It is
also required to change the runtime configuration, run:
$ sudo update-grub
Rationale
Using recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.
- ID
- xccdf_org.ssgproject.content_rule_grub2_disable_recovery
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- grub2_disable_recovery
- low_complexity
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'grub2-common' 2>/dev/null | grep -q installed; then
if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then
sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"
else