The system must be configured to only boot from the system boot device.

From AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE

Part of GEN008600

Associated with IA controls: ECSC-1

Associated with: CCI-000366

SV-38835r1_rule The system must be configured to only boot from the system boot device.

Vulnerability discussion

The ability to boot from removable media is the same as being able to boot into single user, or maintenance, mode without a password. This ability could allow a malicious user to boot the system and perform changes that could compromise or damage the system. It could also allow the system to be used for malicious purposes by a malicious anonymous user.

Check content

Determine if the system is configured to boot from devices other than the system startup media. # bootlist -m normal -o The returned values should be hdisk{x}. If the system is setup to boot from a non-hard disk device, this is a finding. Additionally, ask the SA if the machine is setup for multi-boot in the SMS application. If multi-boot is enabled, the firmware will stop at boot time and request which image to boot from the user. If multi-boot is enabled, this is a finding.

Fix text

Configure the system to only boot from system startup media. # bootlist -m normal hdisk< x > Set multi-boot to off in the SMS application.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer