All GRUB configuration files must be group-owned by root


Description

The files in /boot/grub2 should be group-owned by the root group to prevent destruction or modification of these files. To set the group owner of /boot/grub2 accordingly, run the command:

$ sudo chgrp root /boot/grub2

Rationale

The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only on platforms that ship GRUB2 and a kernel package
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel-core ); then

  # Resolve the target group by GID; "0" is the root group
  newgroup=""
  if getent group "0" >/dev/null 2>&1; then
    newgroup="0"
  fi

  if [[ -z "${newgroup}" ]]; then
    >&2 echo "0 is not a defined group on the system"
  else
    # Regular files directly under /boot/grub2/ whose group is not already 0.
    # The regex '^.*$' is a catch-all, so every such file is selected;
    # -P and --no-dereference ensure symlinks are never followed.
    find -P /boot/grub2/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*$' \
      -exec chgrp --no-dereference "$newgroup" {} \;
  fi

else
  >&2 echo 'Remediation is not applicable, nothing was done'
fi
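To verify the state the remediation above enforces, the following bash audit helper is an added example, not part of the ComplianceAsCode rule or its scripts; the DIR and GID parameters are my own assumption so the same check can be pointed at a scratch directory, and on a real host it is called as grub_group_audit /boot/grub2 0.

```shell
#!/bin/bash
# Added audit helper (not from the rule). Lists regular files directly under
# DIR whose group owner is not GID (default 0, the root group). DIR and GID are
# assumed parameters; the rule itself is fixed to /boot/grub2 and group 0.
grub_group_offenders() {
  local dir="$1" gid="${2:-0}"
  [ -d "$dir" ] || { >&2 echo "$dir: not a directory"; return 2; }
  # Same selection as the remediation: -P never follows symlinks, -maxdepth 1
  # stays in the directory, -type f skips the directory and symlinks themselves.
  find -P "$dir" -maxdepth 1 -type f ! -group "$gid" -print
}

# Returns 0 when every regular file in DIR is group-owned by GID, 1 otherwise
# (2 if DIR is unusable). Each offender is printed with its current group so
# the finding can be logged by a compliance scanner or cron job.
grub_group_audit() {
  local dir="$1" gid="${2:-0}" offenders
  offenders=$(grub_group_offenders "$dir" "$gid") || return 2
  [ -z "$offenders" ] && return 0
  printf '%s\n' "$offenders" | while IFS= read -r f; do
    printf 'NONCOMPLIANT %s group=%s expected gid %s\n' \
      "$f" "$(stat -c %G "$f")" "$gid"
  done
  return 1
}
```

Running the audit before and after the remediation script gives a before/after record of which files in /boot/grub2 were changed.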

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-89940-1
  - configure_strategy
  - file_groupowner_boot_grub2
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set the file_groupowner_boot_grub2_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_boot_grub2_newgroup: '0'
  when: ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages
    )
  tags:
  - CCE-89940-1
  - configure_strategy
  - file_groupowner_boot_grub2
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /boot/grub2/ file(s) matching ^.*$
  ansible.builtin.command: find -P /boot/grub2/ -maxdepth 1 -type f  ! -group 0 -regextype
    posix-extended -regex "^.*$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages
    )
  tags:
  - CCE-89940-1
  - configure_strategy
  - file_groupowner_boot_grub2
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner on /boot/grub2/ file(s) matching ^.*$
  ansible.builtin.file:
    path: '{{ item }}'
    follow: false
    group: '{{ file_groupowner_boot_grub2_newgroup }}'
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages
    )
  tags:
  - CCE-89940-1
  - configure_strategy
  - file_groupowner_boot_grub2
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed