Verify /boot/efi/EFI/redhat/user.cfg User Ownership
An XCCDF Rule
Description
The file /boot/efi/EFI/redhat/user.cfg
should be owned by the root
user to prevent reading or modification of the file.
To properly set the owner of /boot/efi/EFI/redhat/user.cfg
, run the command:
$ sudo chown root /boot/efi/EFI/redhat/user.cfg
Rationale
Only root should be able to modify important boot parameters. Also, non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.
- ID
- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-86019-7
- CJIS-5.5.2.2
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chown 0 /boot/efi/EFI/redhat/user.cfg
else