1.3.2 Ensure permissions on bootloader config are configured

Information

The grub files contain information on boot settings and passwords for unlocking boot options.

Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Solution

Run the following to update the mode, ownership, and group ownership of the grub configuration files:

-IF- the system uses UEFI (Files located in /boot/efi/EFI/* )

Edit /etc/fstab and add the fmask=0077 uid=0 and gid=0 options:

Example:

<device> /boot/efi vfat defaults,umask=0027,fmask=0077,uid=0,gid=0 0 0

Note: This may require a re-boot to enable the change

-OR-

-IF- the system uses BIOS (Files located in /boot/grub2/* )

Run the following commands to set ownership and permissions on your grub configuration file(s):

# [ -f /boot/grub2/grub.cfg ] &amp;&amp; chown root:root /boot/grub2/grub.cfg
# [ -f /boot/grub2/grub.cfg ] &amp;&amp; chmod u-x,go-rwx /boot/grub2/grub.cfg

# [ -f /boot/grub2/grubenv ] &amp;&amp; chown root:root /boot/grub2/grubenv
# [ -f /boot/grub2/grubenv ] &amp;&amp; chmod u-x,go-rwx /boot/grub2/grubenv

# [ -f /boot/grub2/user.cfg ] &amp;&amp; chown root:root /boot/grub2/user.cfg
# [ -f /boot/grub2/user.cfg ] &amp;&amp; chmod u-x,go-rwx /boot/grub2/user.cfg

See Also

https://workbench.cisecurity.org/benchmarks/15289

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: bf0e5d720147f672dba87def2c108496fcf4556885015f5ccc4ed0df7eb99683