Verify /boot/grub2/user.cfg Group Ownership
An XCCDF Rule
Description
The file /boot/grub2/user.cfg
should be group-owned by the root
group to prevent reading or modification of the file.
To properly set the group owner of /boot/grub2/user.cfg
, run the command:
$ sudo chgrp root /boot/grub2/user.cfg
Rationale
The root
group is a highly-privileged group. Furthermore, the group-owner of this
file should not have any access privileges anyway. Non-root users who read the boot parameters
may be able to identify weaknesses in security upon boot and be able to exploit them.
- ID
- xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
chgrp 0 /boot/grub2/user.cfg
else
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-86010-6
- CJIS-5.5.2.2