Details
The permissions on /boot/grub/grub.cfg are changed to 444 when gub.cfg is updated by the update-grub command
Rationale:
Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them.
Solution
Run the following command to update chmod 444 to chmod 400 in /usr/sbin/grub-mkconfig:
# sed -ri ‘s/chmods+[0-7][0-7][0-7]s+${grub_cfg}.new/chmod 400 ${grub_cfg}.new/’ /usr/sbin/grub-mkconfig
Run the following command to remove check on password not being set to before running chmod command:
# sed -ri ‘s/ && ! grep ‘^password’ ${grub_cfg}.new >/dev/null//’ /usr/sbin/grub-mkconfig
Default Value:
if [ ‘x${grub_cfg}’ != ‘x’ ] && ! grep ‘^password’ ${grub_cfg}.new >/dev/null; then
chmod 444 ${grub_cfg}.new || true
fi
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.