All GRUB configuration files must be owned by root
Description
The files in /boot/grub2 should
be owned by the root user to prevent
destruction or modification of these files.
To properly set the owner of /boot/grub2, run the command:
$ sudo chown root /boot/grub2
Rationale
To prevent unauthorized access and modifications to boot configuration.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms: both grub2-common and
# kernel-core must be installed, otherwise nothing is touched.
if ! ( rpm --quiet -q grub2-common && rpm --quiet -q kernel-core ); then
    >&2 echo 'Remediation is not applicable, nothing was done'
else
    # Target owner is uid 0; only proceed if that account exists on this host.
    newown=""
    id "0" >/dev/null 2>&1 && newown="0"

    if [[ -n "$newown" ]]; then
        # -P and -type f restrict the match to regular files (symlinks are never
        # followed), and --no-dereference keeps chown from following one either,
        # so a link placed in /boot/grub2 cannot redirect the ownership change.
        find -P /boot/grub2/ -maxdepth 1 -type f ! -user 0 -regextype posix-extended -regex '^.*$' \
            -exec chown --no-dereference "$newown" {} \;
    else
        >&2 echo "0 is not a defined user on the system"
    fi
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
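# Package facts drive the platform gate used by every task below (both
# grub2-common and kernel-core must be present). FQCN used for consistency
# with the other ansible.builtin.* modules in this playbook.
- name: Gather the package facts
  ansible.builtin.package_facts:
    manager: auto
  tags:
    - CCE-89088-9
    - configure_strategy
    - file_owner_boot_grub2
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed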
# Owner to apply is uid 0. When the platform check fails the fact stays
# undefined and the remaining tasks are skipped by their own conditions.
- name: Set the file_owner_boot_grub2_newown variable if represented by uid
  ansible.builtin.set_fact:
    file_owner_boot_grub2_newown: "0"
  # List form: conditions are ANDed.
  when:
    - '"grub2-common" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-89088-9
    - configure_strategy
    - file_owner_boot_grub2
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
# Collect regular files directly under /boot/grub2/ that are not owned by
# uid 0. -P never follows symlinks and -type f excludes them, so a link
# dropped into the directory is not listed; the regex matches every name.
- name: Find /boot/grub2/ file(s) matching ^.*$
  ansible.builtin.command: >-
    find -P /boot/grub2/ -maxdepth 1 -type f ! -user 0
    -regextype posix-extended -regex "^.*$"
  register: files_found
  # The listing is read-only, is tolerated failing (e.g. directory absent),
  # and also runs in check mode so the ownership task can report changes.
  changed_when: false
  failed_when: false
  check_mode: false
  when:
    - '"grub2-common" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-89088-9
    - configure_strategy
    - file_owner_boot_grub2
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
# Apply the resolved owner to each file the previous task found.
- name: Ensure owner on /boot/grub2/ file(s) matching ^.*$
  ansible.builtin.file:
    state: file
    path: "{{ item }}"
    owner: "{{ file_owner_boot_grub2_newown }}"
    # Change the path itself, never a symlink's target.
    follow: false
  with_items:
    - "{{ files_found.stdout_lines }}"
  when:
    - '"grub2-common" in ansible_facts.packages'
    - '"kernel-core" in ansible_facts.packages'
  tags:
    - CCE-89088-9
    - configure_strategy
    - file_owner_boot_grub2
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed