Is it possible to remove read/write (rw) permissions from Others in both GRUB2 files grub.cfg and user.cfg?
Issue
- Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
- There is a requirement to comply with the CIS Benchmark for Red Hat Enterprise Linux at CIS Red Hat Enterprise Linux 7 STIG Benchmark v2.0.0. For further information about the CIS Benchmark, please visit CIS Benchmark for RHEL.
- There is an audit finding by an auditing tool from Tenable: "Ensure permissions on bootloader config are configured - grub.cfg".
- As per the CIS Benchmark, security administrators request that read and write (rw) permissions for Others be removed from the GRUB2 files /boot/grub2/grub.cfg and /boot/grub2/user.cfg.
- On BIOS-based systems, the default permissions of /boot/grub2/grub.cfg and /boot/grub2/user.cfg allow Others read access.
- Non-root users who can read the boot parameters may be able to identify security weaknesses at boot and exploit them.
Environment
- Red Hat Enterprise Linux 7/8/9.
- GRUB2 on BIOS-based systems.
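The following script is an added example, not part of the Red Hat article: it audits the two GRUB2 files named above for read or write access by Others and removes it, reporting PASS/FAIL/SKIP per file in the style of a benchmark check. It assumes GNU stat (Linux) and that the files to audit are passed as arguments, so it can be exercised against copies before being run against /boot/grub2.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): audit the two GRUB2 files the
# article names for read/write access by Others, and remove it. Assumes GNU
# stat (Linux). Pass the files to audit as arguments; nothing runs otherwise.
# This applies to BIOS-based systems, as the article says; on UEFI systems
# /boot/efi is a vfat filesystem that cannot store POSIX modes at all.

# Print "octal-mode owner:group" for FILE, e.g. "644 root:root".
grub_file_status() {
    stat -c '%a %U:%G' "$1"
}

# Return 0 when Others have neither read nor write on FILE, 1 when they do,
# 2 when FILE is absent (user.cfg exists only after a GRUB password is set).
grub_others_rw_clear() {
    file=$1
    [ -e "$file" ] || return 2
    mode=$(stat -c '%a' "$file")
    # The last octal digit is the Others triplet: r=4, w=2, x=1.
    others=$((mode % 10))
    [ $((others & 6)) -eq 0 ]
}

# Remediation as requested in the article: strip read and write from Others.
# (The CIS remediation goes further with 'chown root:root' and 'chmod og-rwx'.)
grub_remove_others_rw() {
    [ -e "$1" ] || return 2
    chmod o-rw "$1"
}

# Report PASS/FAIL/SKIP per file; exit 0 only when no present file fails.
grub_audit() {
    failures=0
    for f in "$@"; do
        grub_others_rw_clear "$f" && rc=0 || rc=$?
        case $rc in
            0) printf 'PASS %s (%s)\n' "$f" "$(grub_file_status "$f")" ;;
            1) printf 'FAIL %s (%s): Others can read or write\n' \
                   "$f" "$(grub_file_status "$f")"
               failures=$((failures + 1)) ;;
            *) printf 'SKIP %s: not present\n' "$f" ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# e.g.  sh grub-perms.sh /boot/grub2/grub.cfg /boot/grub2/user.cfg
[ $# -gt 0 ] && grub_audit "$@"
```

Run the audit first to record the finding, apply grub_remove_others_rw as root to the real files, then re-run the audit to confirm the tool's check clears.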