The system boot loader configuration file(s) must have mode 0600 or less permissive.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-38583 | RHEL-06-000067 | SV-50384r4_rule | Medium |
| Description |
|---|
| Proper permissions ensure that only the root user can modify important boot parameters. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2017-05-19 |
Details
| Check Text ( C-46141r5_chk ) |
|---|
| To check the permissions of "/boot/grub/grub.conf", run the command: $ sudo ls -lL /boot/grub/grub.conf If the system uses UEFI check the permissions of “/boot/efi/EFI/redhat/grub.conf” file: $ sudo ls –lL /boot/efi/EFI/redhat/grub.conf If properly configured, the output should indicate the following permissions: "-rw-------" If it does not, this is a finding. |
| Fix Text (F-43531r3_fix) |
|---|
| File permissions for "/boot/grub/grub.conf" and “/boot/efi/EFI/redhat/grub.conf” should be set to 600, which is the default. To properly set the permissions of "/boot/grub/grub.conf", run the command: $ chmod 600 /boot/grub/grub.conf To properly set the permissions of “/boot/efi/EFI/redhat/grub.conf”, run the command: $ chmod 600 /boot/efi/EFI/redhat/grub.conf Boot partitions based on VFAT, NTFS, or other non-standard configurations may require alternative measures. |