1.4.2 Ensure permissions on bootloader config are configured - grubenv

Information

The grub files contain information on boot settings and passwords for unlocking boot options.

Rationale:

Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Solution

Run the following commands to set ownership and permissions on your grub configuration files:
Run the following command to set ownership and permissions on grub.cfg:

# chown root:root /boot/grub2/grub.cfg
# chmod og-rwx /boot/grub2/grub.cfg

Run the following command to set ownership and permissions on grubenv:

# chown root:root /boot/grub2/grubenv
# chmod u-x,og-rwx /boot/grub2/grubenv

Run the following command to set ownership and permissions on user.cfg:

# chown root:root /boot/grub2/user.cfg
# chmod u-x,og-rwx /boot/grub2/user.cfg

Note: This may require a re-boot to enable the change

Default Value:

/boot/grub2/grub.cfg 0700 0/root 0/root

/boot/grub2/grubenv 0600 0/root 0/root

/boot/grub2/user.cfg 0600 0/root 0/root

Additional Information:

This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.

See Also

https://workbench.cisecurity.org/files/4198

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: f78485475b28b6d895329ba9d0bec805c7e0ea3c5df82cadf8cca1629c31b8dd