Description: The grub configuration file contains information on boot settings and passwords for unlocking boot options. The grub configuration is usually grub.cfg and grubenv stored in/boot/grub2/` Rationale: Setting the permissions to read and write for root only prevents non-root users from seeing the boot parameters or changing them. Non-root users who read the boot parameters may be able to identify weaknesses in security upon boot and be able to exploit them. Audit: Run the following commands and verify Uid and Gid are both 0/root and Access does not grant permissions to group or other : # stat /boot/grub2/grub.cfg Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root) # stat /boot/grub2/grubenv Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root) Remediation: Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg # chown root:root /boot/grub2/grubenv # chmod og-rwx /boot/grub2/grubenv Notes: This recommendation is designed around the grub bootloader, if LILO or another bootloader is in use in your environment enact equivalent settings. Replace /boot/grub2/grub.cfg and /boot/grub2/grubenv with the appropriate configuration file(s) for your environment

[110000000, root, root]

Run the following commands to set permissions on your grub configuration: # chown root:root /boot/grub2/grub.cfg # chmod og-rwx /boot/grub2/grub.cfg # chown root:root /boot/grub2/grubenv # chmod og-rwx /boot/grub2/grubenv