1.4.1 Ensure permissions on bootloader config are configured (Scored)
Profile Applicability
Level 1 - Server Level 1 - Workstation
Description
The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually located at /boot/grub2/grub.cfg
and linked as /etc/grub2.conf
.
Rationale
Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.
Audit
Run the following command and verify Uid
and Gid
are both 0/root
and Access
does not grant permissions to group
or other
:
# stat /boot/grub2/grub.cfg Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Remediation
Run the following commands to set permissions on your grub
configuration:
# chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg
Notes
This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings.