800-53|SI-7(9)

Title

VERIFY BOOT PROCESS

Description

The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].

Supplemental

Ensuring the integrity of boot processes is critical to starting devices in known/trustworthy states. Integrity verification mechanisms provide organizational personnel with assurance that only trusted code is executed during boot processes.

Reference Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

Parent Title: SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Audit Items


Name | Plugin | Audit Name
1.2.3.9 Set 'Choose the boot-start drivers that can be initialized:' to 'Enabled:Good, unknown and bad but critical' | Windows | CIS Windows 8 L1 v1.0.0
1.2.4.2.2.28 Set 'Minimum characters:' to 'Enabled:7 or more characters' | Windows | CIS Windows 8 L1 v1.0.0
1.4.1 Ensure permissions on bootloader config are configured | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.4.1 Ensure permissions on bootloader config are configured | Unix | CIS SUSE Linux Enterprise Server 11 L1 v2.1.1
1.4.1 Ensure permissions on bootloader config are configured | Unix | CIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.1 Ensure permissions on bootloader config are configured | Unix | CIS Amazon Linux v2.1.0 L1
1.4.1 Ensure permissions on bootloader config are configured | Unix | CIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
1.4.2 Ensure authentication required for single user mode | Unix | CIS Amazon Linux v2.1.0 L1
1.4.3 Ensure boot loader does not allow removable media | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3
1.4.3 Ensure interactive boot is not enabled | Unix | CIS Amazon Linux v2.1.0 L1
1.4.3 Ensure permissions on bootloader config are configured | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.4.3 Ensure permissions on bootloader config are configured | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration - 'enforcing' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration - 'enforcing' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration - 'selinux' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration - 'selinux' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration - apparmor | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration - apparmor | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration - security | Unix | CIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration - security | Unix | CIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.6.2.1 Ensure AppArmor is not disabled in bootloader configuration | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.2.1 Ensure AppArmor is not disabled in bootloader configuration | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
2.13 Ensure EFI version is valid and being regularly checked - daemon | Unix | CIS Apple macOS 10.13 L1 v1.1.0
2.13 Ensure EFI version is valid and being regularly checked - itegrity-check | Unix | CIS Apple macOS 10.13 L1 v1.1.0
3.1 Set User/Group Owner on bootloader config | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
3.1 Set User/Group Owner on bootloader config | Unix | CIS Debian Linux 7 L1 v1.0.0
3.2 Set Permissions on bootloader config | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
3.2 Set Permissions on bootloader config | Unix | CIS Debian Linux 7 L1 v1.0.0
3.3 Set Boot Loader Password - password | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
3.3 Set Boot Loader Password - set superusers | Unix | CIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
6.13 Secure the GRUB Menu - should pass if /boot/grub/menu.lst permissions are OK. | Unix | CIS Solaris 10 L1 v5.2
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-#badlogins = 0 | Unix | CIS Solaris 11.1 L1 v1.0.0
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-#badlogins = 0 | Unix | CIS Solaris 11.2 L1 v1.1.0
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-#badlogins = 0 | Unix | CIS Solaris 11 L1 v1.1.0
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-mode = command | Unix | CIS Solaris 11.1 L1 v1.0.0
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-mode = command | Unix | CIS Solaris 11.2 L1 v1.1.0
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-mode = command | Unix | CIS Solaris 11 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - grub.d/01_password | Unix | CIS Solaris 11.1 L1 v1.0.0
6.17 Secure the GRUB Menu (Intel) - grub.d/01_password | Unix | CIS Solaris 11.2 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - menu.lst perms | Unix | CIS Solaris 11 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - passwd.cfg | Unix | CIS Solaris 11.2 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - passwd.cfg | Unix | CIS Solaris 11.1 L1 v1.0.0
18.9.11.2.10 Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters' | Windows | CIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.10 Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters' | Windows | CIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.10 Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
Allow Secure Boot for integrity validation | Windows | MSCT Windows 10 1803 v1.0.0
Allow Secure Boot for integrity validation | Windows | MSCT Windows 10 v1507 v1.0.0
Boot-Start Driver Initialization Policy | Windows | MSCT Windows Server v2004 MS v1.0.0
Boot-Start Driver Initialization Policy | Windows | MSCT Windows Server 1903 MS v1.19.9
Boot-Start Driver Initialization Policy | Windows | MSCT Windows Server 1903 DC v1.19.9
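The Unix audit items above keep returning to three host-level checks: Secure Boot is enforced, the bootloader config is owned by root and not readable by others, and GRUB requires a superuser password before its menu can be edited. The script below is an added example, not code from this page, from Tenable, or from any CIS/MSCT benchmark; it implements those three checks for a Linux host so they can be run locally or exercised offline. It assumes efivarfs is mounted at /sys/firmware/efi/efivars, that the GRUB config lives at /boot/grub/grub.cfg (the path differs on RHEL-family systems), and the sample efivar bytes and grub.cfg lines it embeds are constructed, not captured from a real machine.

```python
"""Local checks for NIST 800-53 SI-7(9) (verify boot process) on a Linux host.

Added example; the check functions take explicit inputs so they can be run
against constructed data, and audit_host() reads the live paths.
"""
import os
import re
import stat
from dataclasses import dataclass

# EFI_GLOBAL_VARIABLE GUID, the namespace of SecureBoot and SetupMode.
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"          # assumption: efivarfs mount point
GRUB_CFG = "/boot/grub/grub.cfg"                   # assumption: Debian/Ubuntu layout

# Constructed sample inputs (not captured from a real host).
SAMPLE_SECUREBOOT_ON = b"\x07\x00\x00\x00\x01"     # attrs NV|BS|RT, data = 1 (enabled)
SAMPLE_SETUPMODE_OFF = b"\x07\x00\x00\x00\x00"     # data = 0: user mode, PK enrolled
SAMPLE_GRUB_CFG = (
    'set superusers="root"\n'
    'password_pbkdf2 root grub.pbkdf2.sha512.10000.0123ABCD.4567EF01\n'  # placeholder hash
)


def parse_efivar(raw: bytes) -> bytes:
    """efivarfs exposes each variable as a 4-byte little-endian attribute word
    followed by the variable data; return only the data."""
    if len(raw) < 4:
        raise ValueError("efivarfs blob shorter than its 4-byte attribute header")
    return raw[4:]


def secure_boot_enforced(secure_boot_raw: bytes, setup_mode_raw: bytes) -> bool:
    """Secure Boot protects the chain only when SecureBoot == 1 AND SetupMode == 0.
    In Setup Mode no platform key is enrolled, so signatures are not enforced
    even though the SecureBoot variable may read 1."""
    sb = parse_efivar(secure_boot_raw)
    sm = parse_efivar(setup_mode_raw)
    return len(sb) >= 1 and sb[0] == 1 and len(sm) >= 1 and sm[0] == 0


def bootloader_cfg_perms_ok(uid: int, gid: int, mode: int) -> bool:
    """CIS 'Ensure permissions on bootloader config are configured':
    owner root:root and no group/other bits (the remediation is chmod og-rwx)."""
    return uid == 0 and gid == 0 and (stat.S_IMODE(mode) & 0o077) == 0


_SUPERUSERS = re.compile(r"^\s*set\s+superusers\s*=", re.M)
# Require the PBKDF2 form; a plaintext 'password user pass' line is rejected here
# (stricter than a bare grep for '^password', a deliberate choice in this example).
_PBKDF2 = re.compile(r"^\s*password_pbkdf2\s+\S+\s+grub\.pbkdf2\.sha512\.", re.M)


def grub_password_set(grub_cfg_text: str) -> bool:
    """CIS 'Set Boot Loader Password': both a superusers list and a PBKDF2 hash."""
    return bool(_SUPERUSERS.search(grub_cfg_text)) and bool(_PBKDF2.search(grub_cfg_text))


@dataclass
class BootAudit:
    secure_boot: bool
    cfg_perms: bool
    grub_password: bool

    def passed(self) -> bool:
        return self.secure_boot and self.cfg_perms and self.grub_password


def read_efivar(efivars_dir: str, name: str) -> bytes:
    path = os.path.join(efivars_dir, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
    with open(path, "rb") as fh:
        return fh.read()


def audit_host(efivars_dir: str = EFIVARS_DIR, grub_cfg: str = GRUB_CFG) -> BootAudit:
    """Run all three checks on the live host. Anything unreadable is a FAIL:
    a legacy-BIOS boot has no efivars, so Secure Boot cannot be verified."""
    try:
        sb = secure_boot_enforced(read_efivar(efivars_dir, "SecureBoot"),
                                  read_efivar(efivars_dir, "SetupMode"))
    except (OSError, ValueError):
        sb = False
    try:
        st = os.stat(grub_cfg)
        perms = bootloader_cfg_perms_ok(st.st_uid, st.st_gid, st.st_mode)
        with open(grub_cfg, encoding="utf-8", errors="replace") as fh:
            pw = grub_password_set(fh.read())
    except OSError:
        perms = pw = False
    return BootAudit(sb, perms, pw)


def audit_sample() -> BootAudit:
    """Same checks over the constructed sample data (root:root, mode 0400)."""
    return BootAudit(secure_boot_enforced(SAMPLE_SECUREBOOT_ON, SAMPLE_SETUPMODE_OFF),
                     bootloader_cfg_perms_ok(0, 0, 0o100400),
                     grub_password_set(SAMPLE_GRUB_CFG))


if __name__ == "__main__":
    for label, result in (("sample", audit_sample()), ("host", audit_host())):
        for check, ok in vars(result).items():
            print(f"{label:6s} {check:14s} {'PASS' if ok else 'FAIL'}")
    raise SystemExit(0 if audit_host().passed() else 1)
```

Run it as root on the target (efivars and grub.cfg are not world-readable once the permissions check passes). The SetupMode test is the caveat worth keeping: a host that reports SecureBoot=1 while still in Setup Mode is not enforcing signatures, and a check that reads only the SecureBoot variable will pass it.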