Skip to content

Verify /boot/efi/EFI/redhat/user.cfg User Ownership

An XCCDF Rule

Description

The file /boot/efi/EFI/redhat/user.cfg should be owned by the root user to prevent reading or modification of the file. To properly set the owner of /boot/efi/EFI/redhat/user.cfg, run the command:

$ sudo chown root /boot/efi/EFI/redhat/user.cfg 

Rationale

Only root should be able to modify important boot parameters. Also, non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

ID
xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86019-7
  - CJIS-5.5.2.2

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then

chown 0 /boot/efi/EFI/redhat/user.cfg

else