1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
documentation_complete: true
title: 'Verify {{{ grub2_boot_path }}}/grub.cfg Permissions'
description: |-
File permissions for <tt>{{{ grub2_boot_path }}}/grub.cfg</tt> should be set to 600.
{{{ describe_file_permissions(file=grub2_boot_path ~ "/grub.cfg", perms="600") }}}
rationale: |-
Proper permissions ensure that only the root user can modify important boot
parameters.
severity: medium
identifiers:
cce@rhel8: CCE-80814-7
cce@rhel9: CCE-83846-6
cce@rhel10: CCE-89290-1
cce@sle12: CCE-92216-1
cce@sle15: CCE-91426-7
cce@slmicro5: CCE-94019-7
references:
cis-csc: 12,13,14,15,16,18,3,5
cis@sle12: 1.5.2
cis@sle15: 1.5.2
cobit5: APO01.06,DSS05.04,DSS05.07,DSS06.02
cui: 3.4.5
hipaa: 164.308(a)(1)(ii)(B),164.308(a)(7)(i),164.308(a)(7)(ii)(A),164.310(a)(1),164.310(a)(2)(i),164.310(a)(2)(ii),164.310(a)(2)(iii),164.310(b),164.310(c),164.310(d)(1),164.310(d)(2)(iii)
isa-62443-2009: 4.3.3.7.3
isa-62443-2013: 'SR 2.1,SR 5.2'
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
nist: CM-6(a),AC-6(1)
nist-csf: PR.AC-4,PR.DS-5
ocil_clause: 'it does not'
ocil: |-
To check the permissions of {{{ grub2_boot_path }}}/grub.cfg, run the command:
<pre>$ sudo ls -lL {{{ grub2_boot_path }}}/grub.cfg</pre>
If properly configured, the output should indicate the following
permissions: <tt>-rw-------</tt>
platform: not container
template:
name: file_permissions
vars:
filepath: {{{ grub2_boot_path }}}/grub.cfg
filemode: '0600'
|
