All GRUB configuration files must be group-owned by root
Description
The files in /boot/grub2 should be group-owned by the root group to prevent destruction or modification of these files.
To properly set the group owner of /boot/grub2, run the command:
$ sudo chgrp root /boot/grub2
Rationale
The root group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms
if ( rpm --quiet -q grub2-common && rpm --quiet -q kernel-core ); then

    newgroup=""
    if getent group "0" >/dev/null 2>&1; then
        newgroup="0"
    fi

    if [[ -z "${newgroup}" ]]; then
        >&2 echo "0 is not a defined group on the system"
    else
        find -P /boot/grub2/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex '^.*$' -exec chgrp --no-dereference "$newgroup" {} \;
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CCE-89940-1
    - configure_strategy
    - file_groupowner_boot_grub2
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Set the file_groupowner_boot_grub2_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_boot_grub2_newgroup: '0'
  when: ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
  tags:
    - CCE-89940-1
    - configure_strategy
    - file_groupowner_boot_grub2
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Find /boot/grub2/ file(s) matching ^.*$
  ansible.builtin.command: find -P /boot/grub2/ -maxdepth 1 -type f ! -group 0 -regextype posix-extended -regex "^.*$"
  register: files_found
  changed_when: false
  failed_when: false
  check_mode: false
  when: ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
  tags:
    - CCE-89940-1
    - configure_strategy
    - file_groupowner_boot_grub2
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner on /boot/grub2/ file(s) matching ^.*$
  ansible.builtin.file:
    path: '{{ item }}'
    follow: false
    group: '{{ file_groupowner_boot_grub2_newgroup }}'
    state: file
  with_items:
    - '{{ files_found.stdout_lines }}'
  when: ( "grub2-common" in ansible_facts.packages and "kernel-core" in ansible_facts.packages )
  tags:
    - CCE-89940-1
    - configure_strategy
    - file_groupowner_boot_grub2
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
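Both the shell script and the playbook above only remediate; they do not report what was wrong. The following audit helper is an added example (not part of the ComplianceAsCode rule or its generated content) that checks the same set of files the remediation touches (regular files directly under the directory, symlinks not followed) and lists each one whose group owner is not the expected gid. The directory and gid are parameters so it can be exercised on a test directory; `check_groupowner`, `count_offenders` and `fix_groupowner` are names chosen here.

```bash
#!/bin/bash
# Added audit helper for the GRUB group-owner rule (not the rule's own code).
# Scope matches the remediation: -maxdepth 1, -type f, -P (symlinks not followed).
# The numeric -gid predicate is used so the check works even if /etc/group
# does not resolve the gid, which the rule's getent check guards against.

# Count regular files directly under DIR whose group is not GID (default 0).
# Usage: count_offenders DIR [GID]
count_offenders() {
    find -P "$1" -maxdepth 1 -type f ! -gid "${2:-0}" -print | wc -l | tr -d ' '
}

# Report non-compliant files as "gid:group mode path".
# Returns 0 when compliant, 1 when any file is off, 2 if DIR does not exist.
# Usage: check_groupowner DIR [GID]
check_groupowner() {
    local dir="$1" gid="${2:-0}" n
    [ -d "$dir" ] || { echo "$dir: no such directory" >&2; return 2; }
    n=$(count_offenders "$dir" "$gid")
    if [ "$n" -eq 0 ]; then
        return 0
    fi
    find -P "$dir" -maxdepth 1 -type f ! -gid "$gid" \
        -exec stat -c '%g:%G %a %n' -- {} +
    return 1
}

# Apply the same chgrp the rule applies, then re-check so the exit status
# reflects the post-remediation state (needs root for a foreign gid).
# Usage: fix_groupowner DIR [GID]
fix_groupowner() {
    local dir="$1" gid="${2:-0}"
    find -P "$dir" -maxdepth 1 -type f ! -gid "$gid" \
        -exec chgrp --no-dereference "$gid" {} \;
    check_groupowner "$dir" "$gid"
}

# When run directly, e.g.:  sudo ./grub-groupowner-check.sh /boot/grub2 0
if [ "$#" -gt 0 ]; then
    check_groupowner "$@"
fi
```

Subdirectories such as /boot/grub2/fonts and the directory itself are outside the rule's scope, so neither the rule nor this check touches them.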