800-53|SI-7(10)

Title

PROTECTION OF BOOT FIRMWARE

Description

The information system implements [Assignment: organization-defined security safeguards] to protect the integrity of boot firmware in [Assignment: organization-defined devices].

Supplemental

Unauthorized modifications to boot firmware may be indicative of a sophisticated, targeted cyber attack. These types of cyber attacks can result in a permanent denial of service (e.g., if the firmware is corrupted) or a persistent malicious code presence (e.g., if code is embedded within the firmware). Devices can protect the integrity of the boot firmware in organizational information systems by: (i) verifying the integrity and authenticity of all updates to the boot firmware prior to applying changes to the boot devices; and (ii) preventing unauthorized processes from modifying the boot firmware.

Reference Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

Parent Title: SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Audit Items

Name | Plugin | Audit Name
1.4.2 Ensure bootloader password is set - 'passwd_pbkdf2' | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'passwd_pbkdf2' | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'passwd_pbkdf2' | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'passwd_pbkdf2' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'set superusers' | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'set superusers' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'set superusers' | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.4.2 Ensure bootloader password is set - 'set superusers' | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.4.2 Ensure bootloader password is set - password_pbkdf2 | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
1.4.2 Ensure bootloader password is set - password_pbkdf2 | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1
1.4.2 Ensure bootloader password is set - superusers | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
1.4.2 Ensure bootloader password is set - superusers | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1
6.13 Secure the GRUB Menu - Check if 'lock' command is set after failsafe section | Unix | CIS Solaris 10 L1 v5.2
6.13 Secure the GRUB Menu - Check if 'password' is set in /boot/grub/menu.lst. Note: This check only checks if password is set | Unix | CIS Solaris 10 L1 v5.2
6.17 Secure the GRUB Menu (Intel) | Unix | CIS Solaris 11.1 L1 v1.0.0
6.17 Secure the GRUB Menu (Intel) | Unix | CIS Solaris 11 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - grub.cfg password | Unix | CIS Solaris 11.2 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - grub.cfg password | Unix | CIS Solaris 11.1 L1 v1.0.0
6.17 Secure the GRUB Menu (Intel) - grub.cfg timeout = 30 | Unix | CIS Solaris 11.1 L1 v1.0.0
6.17 Secure the GRUB Menu (Intel) - grub.cfg timeout = 30 | Unix | CIS Solaris 11.2 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - grub2_defs.bios GRUB_TIMEOUT = 30 | Unix | CIS Solaris 11.2 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - grub2_defs.bios GRUB_TIMEOUT = 30 | Unix | CIS Solaris 11.1 L1 v1.0.0
6.17 Secure the GRUB Menu (Intel) - lock | Unix | CIS Solaris 11 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - menu.conf timeout = 30 | Unix | CIS Solaris 11.1 L1 v1.0.0
6.17 Secure the GRUB Menu (Intel) - menu.conf timeout = 30 | Unix | CIS Solaris 11.2 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - passwd.cfg - password_pbkdf2 | Unix | CIS Solaris 11.1 L1 v1.0.0
6.17 Secure the GRUB Menu (Intel) - passwd.cfg - password_pbkdf2 | Unix | CIS Solaris 11.2 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - passwd.cfg - superusers | Unix | CIS Solaris 11.1 L1 v1.0.0
6.17 Secure the GRUB Menu (Intel) - passwd.cfg - superusers | Unix | CIS Solaris 11.2 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - password --md5 | Unix | CIS Solaris 11 L1 v1.1.0
18.9.5.7 Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1
18.9.5.7 Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1
18.9.5.7 Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode' | Windows | CIS Microsoft Windows 11 Enterprise v2.0.0 L1 + BL
18.9.5.7 Ensure 'Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection' is set to 'Enabled: Enabled in enforcement mode' | Windows | CIS Microsoft Windows 11 Stand-alone v2.0.0 L1 + BL
Brocade - Enforce signature validation for firmware | Brocade | Tenable Best Practices Brocade FabricOS
Turn On Virtualization Based Security - ConfigureKernelShadowStacksLaunch | Windows | MSCT Windows 11 v23H2 v1.0.0
Turn On Virtualization Based Security - ConfigureKernelShadowStacksLaunch | Windows | MSCT Windows 11 v22H2 v1.0.0