{"description": "The system must not allow removable media to be used as the boot loader.\nRemove alternate methods of booting the system from removable media.\nusb0, cd, fd0, etc. are some examples of removable\nmedia which should not exist in the lines:\n
set root='hd0,msdos1'
", "rationale": "Malicious users with removable boot media can gain access to a system\nconfigured to use removable media as the boot loader.", "severity": "medium", "references": {"srg": ["SRG-OS-000364-GPOS-00151"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it is not", "ocil": "To verify the system is not configured to use a boot loader on removable media,\ncheck that the grub configuration file has the set root command in each menu\nentry with the following commands:\n
$ sudo grep -cw menuentry /boot/grub/grub.cfg
\nNote that the 
-c
option for the 
grep
command will print\nonly the count of 
menuentry
occurrences. This number should match\nthe number of occurrences reported by the following command:\n
$ sudo grep \"set root='hd0\" /boot/grub/grub.cfg
\nThe output should return something similar to:\n
set root='hd0,msdos1'
\nusb0, cd, fd0, etc. are some examples of removable\nmedia which should not exist in the lines:\n
set root='hd0,msdos1'
", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["grub2 and system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["grub2_and_system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Boot Loader Is Not Installed On Removable Media", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/bootloader-grub2/non-uefi/grub2_no_removeable_media/rule.yml", "template": null}