1.4.1 Ensure permissions on bootloader config are configured

Information

The grub configuration file contains information on boot settings and passwords for
unlocking boot options. The grub configuration is usually grub.cfg stored in /boot/grub2/
or /boot/grub/.

Rationale:

Setting the permissions to read and write for root only prevents non-root users from
seeing the boot parameters or changing them. Non-root users who read the boot
parameters may be able to identify weaknesses in security upon boot and be able to exploit
them.

Solution

Run the following commands to set permissions on your grub configuration:

# chown root:root /boot/grub2/grub.cfg
# chmod og-rwx /boot/grub2/grub.cfg

OR

# chown root:root /boot/grub/grub.cfg
# chmod og-rwx /boot/grub/grub.cfg

Notes:

This recommendation is designed around the grub bootloader, if LILO or another
bootloader is in use in your environment enact equivalent settings.

Replace /boot/grub2/grub.cfg with the appropriate grub configuration file for your
environment

See Also

https://workbench.cisecurity.org/files/2420

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|5.1, CSCv7|5.1

Plugin: Unix

Control ID: e9e087f45d7162965d0e0c6fc6966325ae7495b97b42b3e3b51791eb403f2eed