800-53|SI-7(9)

Title

VERIFY BOOT PROCESS

Description

The information system verifies the integrity of the boot process of [Assignment: organization-defined devices].

Supplemental

Ensuring the integrity of boot processes is critical to starting devices in known/trustworthy states. Integrity verification mechanisms provide organizational personnel with assurance that only trusted code is executed during boot processes.

Reference Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

Parent Title: SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2.3.9 Set 'Choose the boot-start drivers that can be initialized:' to 'Enabled:Good, unknown and bad but critical'WindowsCIS Windows 8 L1 v1.0.0
1.2.4.2.2.28 Set 'Minimum characters:' to 'Enabled:7 or more characters'WindowsCIS Windows 8 L1 v1.0.0
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS SUSE Linux Enterprise Server 11 L1 v2.1.1
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS Ubuntu Linux 14.04 LTS Workstation L1 v2.1.0
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS Amazon Linux v2.1.0 L1
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS Ubuntu Linux 14.04 LTS Server L1 v2.1.0
1.4.1 Ensure permissions on bootloader config are configuredUnixCIS SUSE Linux Enterprise Workstation 11 L1 v2.1.1
1.4.2 Ensure authentication required for single user modeUnixCIS Amazon Linux v2.1.0 L1
1.4.3 Ensure boot loader does not allow removable mediaUnixCIS Amazon Linux 2 STIG v1.0.0 L3
1.4.3 Ensure interactive boot is not enabledUnixCIS Amazon Linux v2.1.0 L1
1.4.3 Ensure permissions on bootloader config are configuredUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.4.3 Ensure permissions on bootloader config are configuredUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration - 'enforcing'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration - 'enforcing'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration -'selinux'UnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
1.6.1.1 Ensure SELinux is not disabled in bootloader configuration -'selinux'UnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration - apparmorUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration - apparmorUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration - securityUnixCIS Ubuntu Linux 18.04 LTS Workstation L1 v2.1.0
1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration - securityUnixCIS Ubuntu Linux 18.04 LTS Server L1 v2.1.0
1.6.2.1 Ensure AppArmor is not disabled in bootloader configurationUnixCIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
1.6.2.1 Ensure AppArmor is not disabled in bootloader configurationUnixCIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
2.13 Ensure EFI version is valid and being regularly checked - daemonUnixCIS Apple macOS 10.13 L1 v1.1.0
2.13 Ensure EFI version is valid and being regularly checked - itegrity-checkUnixCIS Apple macOS 10.13 L1 v1.1.0
3.1 Set User/Group Owner on bootloader configUnixCIS Debian Linux 7 L1 v1.0.0
3.1 Set User/Group Owner on bootloader configUnixCIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
3.2 Set Permissions on bootloader configUnixCIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
3.2 Set Permissions on bootloader configUnixCIS Debian Linux 7 L1 v1.0.0
3.3 Set Boot Loader Password - passwordUnixCIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
3.3 Set Boot Loader Password - set superusersUnixCIS Ubuntu 12.04 LTS Benchmark L1 v1.1.0
6.13 Secure the GRUB Menu - should pass if /boot/grub/menu.lst permissions are OK.UnixCIS Solaris 10 L1 v5.2
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-#badlogins = 0UnixCIS Solaris 11.2 L1 v1.1.0
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-#badlogins = 0UnixCIS Solaris 11 L1 v1.1.0
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-#badlogins = 0UnixCIS Solaris 11.1 L1 v1.0.0
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-mode = commandUnixCIS Solaris 11.2 L1 v1.1.0
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-mode = commandUnixCIS Solaris 11 L1 v1.1.0
6.16 Set EEPROM Security Mode and Log Failed Access (SPARC) - eeprom security-mode = commandUnixCIS Solaris 11.1 L1 v1.0.0
6.17 Secure the GRUB Menu (Intel) - grub.d/01_passwordUnixCIS Solaris 11.1 L1 v1.0.0
6.17 Secure the GRUB Menu (Intel) - grub.d/01_passwordUnixCIS Solaris 11.2 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - menu.lst permsUnixCIS Solaris 11 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - passwd.cfgUnixCIS Solaris 11.2 L1 v1.1.0
6.17 Secure the GRUB Menu (Intel) - passwd.cfgUnixCIS Solaris 11.1 L1 v1.0.0
18.9.11.2.2 Ensure 'Allow Secure Boot for integrity validation' is set to 'Enabled'WindowsCIS Microsoft Windows 10 Enterprise (Release 1809) v1.6.1 BL
18.9.11.2.10 Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters'WindowsCIS Windows 7 Workstation Bitlocker v3.2.0
18.9.11.2.10 Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters'WindowsCIS Windows 7 Workstation Level 2 + Bitlocker v3.2.0
18.9.11.2.10 Ensure 'Configure minimum PIN length for startup' is set to 'Enabled: 7 or more characters'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
Allow Secure Boot for integrity validationWindowsMSCT Windows 10 1803 v1.0.0
Allow Secure Boot for integrity validationWindowsMSCT Windows 10 v1507 v1.0.0
Big Sur - Enforce Apple Mobile File IntegrityUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
BSI-100-2: S 4.200: Handling of USB storage media: Prevent the device driver for USB storage media from starting upUnixBSI-100-2 Red Hat Linux 2005