Verify the UEFI Boot Loader grub.cfg Group Ownership
Description
The file /boot/efi/EFI/redhat/grub.cfg should be group-owned by the root group (GID 0) to prevent destruction or modification of the file through group permissions granted to a less trusted group. To properly set the group owner of /boot/efi/EFI/redhat/grub.cfg, run the command:
$ sudo chgrp root /boot/efi/EFI/redhat/grub.cfg
Note that /boot/efi is normally a VFAT EFI System Partition, which does not store per-file ownership: the owner and group of every file on it are fixed by the uid= and gid= mount options (defaulting to the UID and GID of the mounting process, i.e. 0 when mounted at boot), so chgrp is either a no-op or fails with "Operation not permitted". If this check fails on such a system, correct the gid= mount option for /boot/efi in /etc/fstab and remount instead of running chgrp on the file.
Rationale
The root group is a highly privileged group. Furthermore, the group owner of this file should not have any access privileges anyway: the file mode should grant group members neither read nor write access, so setting the group to root is defence in depth that ensures any group permission added later is extended only to the most trusted group on the system.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Remediation is applicable only in certain platforms: the system booted via
# UEFI (/sys/firmware/efi exists), the grub2-common package is installed, and
# this is not a container (no /.dockerenv or /run/.containerenv marker file).
if [ -d /sys/firmware/efi ] && rpm --quiet -q grub2-common && { [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; }; then
    # GID 0 is the root group; the numeric ID avoids depending on /etc/group.
    chgrp 0 /boot/efi/EFI/redhat/grub.cfg
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
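The remediation above only sets the group; it does not tell you whether the host was compliant before or after. The following audit script is an added example, not part of the ComplianceAsCode rule content. It reuses the rule's applicability gate and reports the actual group owner of the file, returning a distinct exit status for pass, fail and not-applicable so it can be wired into a scan. The function and file names are this example's own choices.

```bash
#!/bin/bash
# Added audit example (not the rule's own content): check that a boot-loader
# configuration file is group-owned by the expected GID and report the result.

# check_group_owner FILE [EXPECTED_GID]
# Returns 0 when the group owner matches (PASS), 1 when it does not (FAIL),
# and 2 when the file is absent, in which case the rule is not applicable.
check_group_owner() {
    local file="$1" expected_gid="${2:-0}" actual_gid actual_name
    if [ ! -f "$file" ]; then
        echo "SKIP: $file does not exist (rule not applicable)"
        return 2
    fi
    # GNU stat: %g is the numeric GID, %G the group name.
    actual_gid=$(stat -c '%g' -- "$file") || return 2
    actual_name=$(stat -c '%G' -- "$file") || actual_name='?'
    if [ "$actual_gid" = "$expected_gid" ]; then
        echo "PASS: $file is group-owned by gid $actual_gid ($actual_name)"
        return 0
    fi
    echo "FAIL: $file is group-owned by gid $actual_gid ($actual_name), expected gid $expected_gid"
    return 1
}

# Same applicability gate as the rule's remediation script: UEFI firmware,
# grub2-common installed (rpm may be missing on non-RPM hosts, hence 2>/dev/null),
# and not running inside a container.
efi_rule_applicable() {
    [ -d /sys/firmware/efi ] \
        && rpm --quiet -q grub2-common 2>/dev/null \
        && [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]
}

# Audit entry point: exit status is that of the check (0 pass, 1 fail, 2 n/a).
main() {
    if efi_rule_applicable; then
        check_group_owner /boot/efi/EFI/redhat/grub.cfg 0
    else
        echo "SKIP: rule is not applicable on this host (not UEFI, no grub2-common, or a container)"
        return 2
    fi
}

main "$@"
```

Because the /boot/efi filesystem is usually VFAT, a FAIL from this check normally points at the gid= mount option rather than at the file itself, so the fix is in /etc/fstab and a remount, not chgrp.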
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CCE-83430-9
    - CJIS-5.5.2.2
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - configure_strategy
    - file_groupowner_efi_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Test for existence /boot/efi/EFI/redhat/grub.cfg
  stat:
    path: /boot/efi/EFI/redhat/grub.cfg
  register: file_exists
  when:
    - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
    - CCE-83430-9
    - CJIS-5.5.2.2
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - configure_strategy
    - file_groupowner_efi_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed

- name: Ensure group owner 0 on /boot/efi/EFI/redhat/grub.cfg
  file:
    path: /boot/efi/EFI/redhat/grub.cfg
    group: '0'
  when:
    - '"/boot/efi" in ansible_mounts | map(attribute="mount") | list'
    - '"grub2-common" in ansible_facts.packages'
    - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
    - file_exists.stat is defined and file_exists.stat.exists
  tags:
    - CCE-83430-9
    - CJIS-5.5.2.2
    - NIST-800-171-3.4.5
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSS-Req-7.1
    - configure_strategy
    - file_groupowner_efi_grub2_cfg
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed