{"description": "Ubuntu 22.04 systems support a \"recovery boot\" option that can be used\nto prevent services from being started. The <tt>GRUB_DISABLE_RECOVERY</tt>\nconfiguration option in <tt>/etc/default/grub</tt> should be set to\n<tt>true</tt> to disable the generation of recovery mode menu entries. The runtime\nconfiguration must also be updated; to do so, run:\n<pre>$ sudo update-grub </pre>", "rationale": "Using recovery boot, the console user could disable auditing, firewalls,\nor other services, weakening system security.", "severity": "medium", "references": {"ospp": ["FIA_UAU.1"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "GRUB_DISABLE_RECOVERY is not set to true or is missing", "ocil": "Verify that <tt>GRUB_DISABLE_RECOVERY</tt> is set to <tt>true</tt> in <tt>/etc/default/grub</tt> to disable recovery boot.\nRun the following command:\n\n$ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub", "oval_external_content": null, "fixtext": "Configure the GRUB 2 boot loader to disable recovery mode boot loader entries.\nAdd or edit the following line in /etc/default/grub:\n\nGRUB_DISABLE_RECOVERY=true\n\nThen, run the following command:\n\n$ sudo update-grub ", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Disable Recovery Booting", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/grub2_disable_recovery/rule.yml", "template": null}