Pareto Security
CIS ISO NIST CSF Essentials SOC

Boot is secure

Time to fix

< 5m

What

This check verifies that your Linux system's boot process is secured against tampering. A secure boot process prevents unauthorized modifications to the bootloader and kernel, protecting against bootkits and other low-level attacks.

How to secure your boot process

Important

Modifying boot security settings can prevent your system from starting. Always have a recovery plan (live USB/CD) before making changes, and test thoroughly in a virtual machine first if possible.

Enable Secure Boot (UEFI)

If your system supports UEFI Secure Boot:

  • Access your system's BIOS/UEFI settings during boot
  • Navigate to the Security or Boot section
  • Enable Secure Boot
  • Ensure your Linux distribution supports Secure Boot (most modern distributions do)

Check Secure Boot status:

mokutil --sb-state
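
To check the state from a script (for example in a fleet audit) without parsing tool output, the added example below, which is not Pareto Security's own code, reads the UEFI SecureBoot and SetupMode variables that Linux exposes under /sys/firmware/efi/efivars. The function names and the make_sample_var helper, which writes constructed variable files for offline testing, are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: report Secure Boot state from efivarfs.
# GUID of the EFI global variable namespace (defined by the UEFI specification).
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efi_var_byte DIR NAME: print the first payload byte of an efivarfs variable.
# Each efivarfs file starts with a 4-byte attribute field, so data begins at offset 4.
efi_var_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    [ -n "$v" ] || return 1      # file too short or unreadable
    printf '%s\n' "$v"
}

# secure_boot_state [DIR]: print one of
#   legacy-or-no-efi | unknown | setup-mode | enabled | disabled
secure_boot_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    # No efivarfs directory: booted in legacy BIOS mode or efivarfs not mounted.
    [ -d "$dir" ] || { echo "legacy-or-no-efi"; return 0; }
    sb=$(efi_var_byte "$dir" SecureBoot) || { echo "unknown"; return 0; }
    setup=$(efi_var_byte "$dir" SetupMode) || setup=0
    if [ "$setup" = "1" ]; then
        # Setup mode: no Platform Key enrolled, so signatures are not enforced.
        echo "setup-mode"
    elif [ "$sb" = "1" ]; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# make_sample_var DIR NAME VALUE: write a constructed variable file (VALUE is 0 or 1)
# with attribute bytes 06 00 00 00 followed by the one-byte value. Test data only.
make_sample_var() {
    printf "\\006\\000\\000\\000\\00$3" > "$1/$2-$EFI_GLOBAL_GUID"
}

# Report the state of the running system when executed directly.
secure_boot_state
```

Treat any result other than "enabled" as a failed check; "setup-mode" in particular means the firmware will accept new keys without authentication.
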

Distribution-specific Kernel Signing

Only Fedora and Ubuntu have signed kernels by default that work with Secure Boot out of the box. For other distributions, you'll need to manually sign the kernel to enable Secure Boot.

If you're using a different distribution (such as Arch Linux, Debian, openSUSE, etc.), refer to your distribution's specific documentation for kernel signing procedures to enable Secure Boot compatibility.