The system's boot loader configuration file(s) must have mode 0600 or less permissive.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-227985 | GEN008720 | SV-227985r854522_rule | Medium |
| Description |
|---|
| File permissions greater than 0600 on boot loader configuration files could allow an unauthorized user to view or modify sensitive information pertaining to system boot instructions. |
| STIG | Date |
|---|---|
| Solaris 10 X86 Security Technical Implementation Guide | 2022-09-07 |
Details
| Check Text ( C-30147r490405_chk ) |
|---|
| This check applies to the global zone only. Determine the type of zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the permission of the menu.lst file. On systems that have a ZFS root, the menu.lst file is typically located at /pool-name/boot/grub/menu.lst where "pool-name" is the mount point for the top-level dataset. On systems that have a UFS root, the menu.lst file is typically located at /boot/grub/menu.lst . Procedure: # ls -lL /pool-name/boot/grub/menu.lst or # ls -lL /boot/grub/menu.lst If menu.lst has a mode more permissive than 0600, this is a finding. |
| Fix Text (F-30135r490406_fix) |
|---|
| Change the mode of the menu.lst file to 0600. # chmod 0600 /pool-name/boot/grub/menu.lst or # chmod 0600 /boot/grub/menu.lst |