1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
documentation_complete: true
title: 'Verify {{{ grub2_boot_path }}}/user.cfg User Ownership'
description: |-
The file <tt>{{{ grub2_boot_path }}}/user.cfg</tt> should be owned by the <tt>root</tt>
user to prevent reading or modification of the file.
{{{ describe_file_owner(file=grub2_boot_path ~ "/user.cfg", owner="root") }}}
rationale: |-
Only root should be able to modify important boot parameters. Also, non-root users who read
the boot parameters may be able to identify weaknesses in security upon boot and be able to
exploit them.
severity: medium
identifiers:
cce@rhel8: CCE-86015-5
cce@rhel9: CCE-86016-3
cce@rhel10: CCE-90573-7
references:
cis-csc: 12,13,14,15,16,18,3,5
cjis: 5.5.2.2
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
cui: 3.4.5
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
isa-62443-2009: 4.3.3.7.3
isa-62443-2013: 'SR 2.1,SR 5.2'
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
pcidss: Req-7.1
ocil_clause: '{{{ ocil_clause_file_owner(file=grub2_boot_path ~ "/user.cfg", owner="root") }}}'
ocil: |-
{{{ ocil_file_owner(file=grub2_boot_path ~ "/user.cfg", owner="root") }}}
platform: not container
template:
name: file_owner
vars:
filepath: {{{ grub2_boot_path }}}/user.cfg
uid_or_name: '0'
|
