{"description": "The <tt>noauto</tt> mount option is used to prevent automatic mounting of th\n<tt>/boot</tt> partition. \nAdd the <code>noauto</code> option to the fourth column of\n<tt>/etc/fstab</tt> for the line which controls mounting of\n<code>/boot</code>.", "rationale": "The <tt>/boot</tt> partition contains the kernel and the bootloader. Access\nto the partition after the boot process finishes should not be needed. Files\ncontained within this partition can be analysed and gained information can\nbe used for exploit creation.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"/boot\" file system does not have the \"noauto\" option set", "ocil": "Verify the <tt>noauto</tt> option is configured for the <tt>/boot</tt> mount point,\n    run the following command:\n    <pre>$ sudo mount | grep '\\s/boot\\s'</pre>\n    <pre>. . . /boot . . . noauto . . .</pre>\n", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Although contents of the <tt>/boot</tt> partition should not be needed\nduring normal system operation, they might need to be accessible during\nsystem maintenance and upgrades. Make sure that applying this rule will\nnot break upgrade or maintenance processes affecting the system."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Add noauto Option to /boot", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/partitions/mount_option_boot_noauto/rule.yml", "template": {"name": "mount_option", "vars": {"mountpoint": "/boot", "mountoption": "noauto"}, "backends": {}}}