1.4.2 Ensure permissions on bootloader config are configured - user.cfg

Information

The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub2 configuration is usually grub.cfg. On newer grub2 systems the encrypted bootloader password is contained in user.cfg.

If the system uses UEFI, /boot/efi is a vfat filesystem. The vfat filesystem itself doesn't have the concept of permissions but can be mounted under Linux with whatever permissions desired.

Rationale:

Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Solution

Run the following commands to set ownership and permissions on your grub configuration file(s):

# chown root:root /boot/grub2/grub.cfg
# test -f /boot/grub2/user.cfg && chown root:root /boot/grub2/user.cfg
# chmod og-rwx /boot/grub2/grub.cfg
# test -f /boot/grub2/user.cfg && chmod og-rwx /boot/grub2/user.cfg

OR If the system uses UEFI, edit /etc/fstab and add the fmask=0077 option:
Example:

<device> /boot/efi vfat defaults,umask=0027,fmask=0077,uid=0,gid=0 0 0

Note: This may require a re-boot to enable the change

Additional Information:

This recommendation is designed around the grub2 bootloader.

If LILO or another bootloader is in use in your environment:

Enact equivalent settings

Replace /boot/grub2/grub.cfg and /boot/grub2/user.cfg with the appropriate boot configuration files for your environment

See Also

https://workbench.cisecurity.org/files/3490