
Add noauto Option to /boot

An XCCDF Rule

Description

The noauto mount option is used to prevent automatic mounting of the /boot partition. Add the noauto option to the fourth column of /etc/fstab for the line which controls mounting of /boot.

Warning

Although contents of the /boot partition should not be needed during normal system operation, they might need to be accessible during system maintenance and upgrades. Make sure that applying this rule will not break upgrade or maintenance processes affecting the system.

Rationale

The /boot partition contains the kernel and the bootloader. Access to the partition should not be needed once the boot process has finished. If it stays mounted, the files it contains can be analysed, and the information gained can be used to create an exploit.

ID
xccdf_org.ssgproject.content_rule_mount_option_boot_noauto
Severity
Medium
References
Updated

Remediation - Anaconda Pre-Install Instructions

part /boot --mountoptions="noauto"

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

function perform_remediation {
        # the mount point /boot has to be defined in /etc/fstab
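The following is an added example, not the rule's own remediation script: a small POSIX shell audit-and-fix for the option column described above. It takes the fstab path as a parameter so it can be exercised on a copy; the sample fstab is constructed here and the device names in it are placeholders. It skips commented-out lines, matches only a mount point of exactly /boot (so /boot/efi is left alone), refuses to touch a file that defines no /boot line, and is idempotent when noauto is already present.

```shell
#!/bin/sh
# Added example (not the SSG rule's own code): audit and remediate the noauto
# mount option on the /boot line of an fstab-style file given as $1.

# Print the options column (4th field) of the first non-comment line whose
# mount point (2nd field) is exactly /boot; print nothing if there is none.
boot_options() {
    awk '$0 !~ /^[[:space:]]*#/ && $2 == "/boot" { print $4; exit }' "$1"
}

# Audit: return 0 if the /boot line carries noauto, 1 otherwise
# (also 1 when /boot is not defined at all).
boot_has_noauto() {
    opts=$(boot_options "$1")
    [ -n "$opts" ] || return 1
    case ",$opts," in
        *,noauto,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Remediate: append ",noauto" to the options of the /boot line.
# Leaves the file untouched and returns 1 if /boot is not defined, which is
# the precondition the SSG script comments on; returns 0 without rewriting
# when noauto is already there.
add_noauto_to_boot() {
    fstab=$1
    [ -n "$(boot_options "$fstab")" ] \
        || { echo "/boot is not defined in $fstab, nothing changed" >&2; return 1; }
    boot_has_noauto "$fstab" && return 0
    tmp=$(mktemp) || return 1
    # Only the matching line is rebuilt by awk (whitespace on that line is
    # normalised to single spaces); every other line is printed unchanged.
    awk '$0 !~ /^[[:space:]]*#/ && $2 == "/boot" { $4 = $4 ",noauto" } { print }' \
        "$fstab" > "$tmp" && cat "$tmp" > "$fstab"   # cat keeps the original inode/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample fstab (placeholder devices), written to a temp file whose
# path is printed; used to try the functions without touching /etc/fstab.
make_sample_fstab() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample fstab, not from a real system
/dev/vda2   /          xfs   defaults        0 0
#/dev/vda1  /boot      xfs   defaults        0 0
/dev/vda1   /boot      xfs   defaults        0 0
/dev/vda3   /boot/efi  vfat  umask=0077,shortname=winnt 0 2
/dev/vda4   swap       swap  defaults        0 0
EOF
    echo "$f"
}
```

Run it against a copy first (`cp /etc/fstab /tmp/fstab.copy; add_noauto_to_boot /tmp/fstab.copy; diff /etc/fstab /tmp/fstab.copy`) and review the diff before applying to the real file, since the warning above about maintenance and upgrade processes still applies.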

Remediation - Ansible

- name: 'Add noauto Option to /boot: Check information associated to mountpoint'
  command: findmnt --fstab '/boot'
  register: device_name
  failed_when: device_name.rc > 1
  changed_when: false
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]