
Disable Recovery Booting

An XCCDF Rule

Description

Anolis OS 23 systems support a "recovery boot" option that can be used to prevent services from being started. The GRUB_DISABLE_RECOVERY configuration option in /etc/default/grub should be set to true to disable the generation of recovery mode menu entries. To also change the runtime configuration, run:

$ sudo grubby --update-kernel=ALL
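
An added audit helper (not part of this rule's own check or remediation content) that reads a /etc/default/grub-style file the way grub-mkconfig does, where the file is sourced by the shell so the last uncommented assignment wins and quotes are stripped, and reports whether recovery entries are disabled. The sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Return 0 if FILE (default /etc/default/grub) effectively sets
# GRUB_DISABLE_RECOVERY=true, 1 if it does not, 2 if FILE is unreadable.
# Commented-out lines are ignored; the last assignment wins, as when sourced.
grub_recovery_disabled() {
    file="${1:-/etc/default/grub}"
    [ -r "$file" ] || return 2
    # Keep only uncommented assignments, take the last one, strip quotes/whitespace.
    val=$(sed -n 's/^[[:space:]]*GRUB_DISABLE_RECOVERY=//p' "$file" \
          | tail -n 1 \
          | sed 's/^["'"'"']//; s/["'"'"'][[:space:]]*$//; s/[[:space:]]*$//')
    [ "$val" = "true" ]
}

# Demonstration on constructed files (created in a temporary directory).
_demo() {
    tmp=$(mktemp -d)
    printf 'GRUB_TIMEOUT=5\nGRUB_DISABLE_RECOVERY="true"\n' > "$tmp/ok"
    printf '#GRUB_DISABLE_RECOVERY=true\nGRUB_DISABLE_RECOVERY=false\n' > "$tmp/bad"
    printf 'GRUB_DISABLE_RECOVERY=false\nGRUB_DISABLE_RECOVERY=true\n' > "$tmp/lastwins"
    for f in ok bad lastwins; do
        if grub_recovery_disabled "$tmp/$f"; then
            echo "$f: recovery entries disabled (compliant)"
        else
            echo "$f: recovery entries enabled (finding)"
        fi
    done
    rm -rf "$tmp"
}
_demo
```

Run it against the live file with `grub_recovery_disabled /etc/default/grub; echo $?`; a 0 exit status means the file-level setting is compliant, which still needs to be followed by the grubby update above for the running boot configuration.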

Rationale

Using recovery boot, the console user could disable auditing, firewalls, or other services, weakening system security.

ID
xccdf_org.ssgproject.content_rule_grub2_disable_recovery
Severity
Medium

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - grub2_disable_recovery
  - low_complexity

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if rpm --quiet -q grub2-common; then

if grep -q '^GRUB_DISABLE_RECOVERY=.*' '/etc/default/grub' ; then
    sed -i 's/GRUB_DISABLE_RECOVERY=.*/GRUB_DISABLE_RECOVERY=true/' "/etc/default/grub"
else
    # Key absent: append the setting
    echo "GRUB_DISABLE_RECOVERY=true" >> "/etc/default/grub"
fi
# Apply the change to the runtime boot configuration
grubby --update-kernel=ALL
fi