Details

The permissions on /boot/grub/grub.cfg are changed to 444 when grub.cfg is updated by the update-grub command

Rationale:

Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.

Solution

Run the following command to update chmod 444 to chmod 400 in /usr/sbin/grub-mkconfig:

# sed -ri ‘s/chmods+[0-7][0-7][0-7]s+${grub_cfg}.new/chmod 400 ${grub_cfg}.new/’ /usr/sbin/grub-mkconfig

Run the following command to remove check on password not being set to before running chmod command:

# sed -ri ‘s/ && ! grep ‘^password’ ${grub_cfg}.new >/dev/null//’ /usr/sbin/grub-mkconfig

Default Value:

if [ ‘x${grub_cfg}’ != ‘x’ ] && ! grep ‘^password’ ${grub_cfg}.new >/dev/null; then

chmod 444 ${grub_cfg}.new || true

fi

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/3208

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

• 800-53|CM-6b.

Source

• Tenable.com/audits