1.4.1 Ensure permissions on bootloader config are not overridden - chmod

Information

The permissions on /boot/grub/grub.cfg are changed to 444 when grub.cfg is updated by the update-grub command

Rationale:

Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Solution

Run the following command to update chmod 444 to chmod 400 in /usr/sbin/grub-mkconfig:

# sed -ri 's/chmod\s+[0-7][0-7][0-7]\s+\$\{grub_cfg\}\.new/chmod 400 ${grub_cfg}.new/' /usr/sbin/grub-mkconfig

Run the following command to remove check on password not being set to before running chmod command:

# sed -ri 's/ && ! grep "\^password" \$\{grub_cfg\}.new >\/dev\/null//' /usr/sbin/grub-mkconfig

Default Value:

if [ 'x${grub_cfg}' != 'x' ] && ! grep '^password' ${grub_cfg}.new >/dev/null; then

chmod 444 ${grub_cfg}.new || true

fi

See Also

https://workbench.cisecurity.org/files/3208

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Unix

Control ID: 1af2653ab12dc678cee480038b16e7d39d7e579180712cd57fe74f34df3d8e44