documentation_complete: true


title: 'UEFI Boot Loader Is Not Installed On Removable Media'

description: |-
    The system must not allow removable media to be used as the boot loader.
    Remove alternate methods of booting the system from removable media.
    <tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removable
    media which should not exist in the lines:
    <pre>set root='hd0,msdos1'</pre>

rationale: |-
    Malicious users with removable boot media can gain access to a system
    configured to use removable media as the boot loader.

severity: medium

references:
    srg: SRG-OS-000364-GPOS-00151
    stigid@ol7: OL07-00-021700

ocil_clause: 'it is not'

ocil: |-
    To verify the system is not configured to use a boot loader on removable media,
    check that the grub configuration file has the set root command in each menu
    entry with the following commands:
    <pre>$ sudo grep -cw menuentry {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
    Note that the <pre>-c</pre> option for the <pre>grep</pre> command will print
    only the count of <pre>menuentry</pre> occurrences. This number should match
    the number of occurrences reported by the following command:
    <pre>$ sudo grep "set root='hd0" {{{ grub2_uefi_boot_path }}}/grub.cfg</pre>
    The output should return something similar to:
    <pre>set root='hd0,msdos1'</pre>
    <tt>usb0</tt>, <tt>cd</tt>, <tt>fd0</tt>, etc. are some examples of removable
    media which should not exist in the lines:
    <pre>set root='hd0,msdos1'</pre>