All GRUB configuration files must have mode 0600 or more restrictive
Description
The files in /boot/grub2 should have mode 0600 to prevent destruction or modification of the file.
To properly set the permissions of /boot/grub2, run the command:
$ sudo chmod 0600 /boot/grub2
Rationale
The file mode 0600 prevents unauthorized access and modifications to boot settings.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel-core ); then
    # Select regular files directly under /boot/grub2/ that have any bit set
    # beyond owner read/write, and strip exactly those bits (result: at most 0600)
    find -P /boot/grub2/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f -regextype posix-extended -regex '^.*$' -exec chmod u-xs,g-xwrs,o-xwrt {} \;
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-90556-2
  - configure_strategy
  - file_permissions_boot_grub2
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Find /boot/grub2/ file(s)
  ansible.builtin.command: find -P /boot/grub2/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f -regextype posix-extended -regex "^.*$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
  tags:
  - CCE-90556-2
  - configure_strategy
  - file_permissions_boot_grub2
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set permissions for /boot/grub2/ file(s)
  ansible.builtin.file:
    path: '{{ item }}'
    mode: u-xs,g-xwrs,o-xwrt
    state: file
  with_items:
  - '{{ files_found.stdout_lines }}'
  when: ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
  tags:
  - CCE-90556-2
  - configure_strategy
  - file_permissions_boot_grub2
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
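An audit-only counterpart to the remediation script and playbook above, added here as an example and not part of the rule's own content: it applies the same find bit mask, so every file it reports is exactly one the remediation would change, and it prints the current octal mode so the drift is visible before anything is altered. The function names and the optional directory argument are assumptions; GNU find and stat are assumed, as in the remediation.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not from the SCAP rule content).
# Reports regular files directly under a GRUB config directory (default /boot/grub2)
# that hold any permission bit beyond owner read/write, i.e. anything more
# permissive than 0600, together with each file's current octal mode.

grub_perm_audit() {
    dir="${1:-/boot/grub2}"
    # Same mask as the remediation's find: match if ANY listed bit is set.
    # -P keeps symlinks unresolved, -maxdepth 1 stays out of subdirectories.
    find -P "$dir" -maxdepth 1 -type f -perm /u+xs,g+xwrs,o+xwrt \
        -exec stat -c '%a %n' {} \;
}

# Exit status 0 when every file already satisfies the rule,
# 1 when at least one file would be modified by the remediation.
grub_perm_compliant() {
    [ -z "$(grub_perm_audit "$1")" ]
}
```

Run `grub_perm_compliant` in a pre-change check so the remediation is only applied where the audit shows a deviation.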