Details

The operating system must not allow removable media to be used as the boot loader unless approved.

Rationale:

Malicious users with removable boot media can gain access to a system configured to use removable media as the boot loader. If removable media is designed to be used as the boot loader, the requirement must be documented with the Information System Security Officer (ISSO).

Solution

Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the Authorizing Official.
Example: vim /etc/default/grub
Add this in the first menu entry

set root=(hd0,1)

Any changes made to /etc/default/grub require you to run grub2-mkconfig to re-generate the /boot/grub2/grub.cfg file.
Example:

# grub2-mkconfig -o /boot/grub2/grub.cfg

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3636

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

• 800-53|CM-3f.
• 800-53|CM-5(1)
• 800-53|CM-6c.
• 800-53|CM-11(2)
• CCI|CCI-000318
• CCI|CCI-000368
• CCI|CCI-001812
• CCI|CCI-001813
• CCI|CCI-001814
• CSCv7|5.1
• Rule-ID|SV-204501r603261_rule
• STIG-ID|RHEL-07-021700

Source

• Tenable.com/audits