LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Change octal permissions for grub.conf to make it secure? (https://www.linuxquestions.org/questions/linux-newbie-8/change-octal-permissions-for-grub-conf-to-make-it-secure-4175629263/)

JockVSJock 05-08-2018 09:31 AM
Change octal permissions for grub.conf to make it secure?
 
I'm working thru hardening a RHEL6 VM that is using EFI/UEFI for the boot loader.

The current permissions are the following:

Code:
[root@server redhat]# pwd ; ls -al
/boot/efi/EFI/redhat
total 264
drwx------. 2 root root  4096 May  7 11:05 .
drwx------. 3 root root  4096 Sep 18  2017 ..
-rwx------. 1 root root  1720 May  7 11:05 grub.conf
-rwx------. 1 root root 254317 Nov  9  2016 grub.efi
[root@server redhat]#
Following a STIG, stating that octal permission need to be 600, not 700.

I can't find any documentation from Red Hat, however I would think it would need to be read/write/execute as if a new kernel gets installed and this is the file that gets executed before going to run init.

I don't think its wise to change this, nor can I change this.

What do others think?

thanks


EDIT: Here is the STIG that I'm referencing:

https://www.stigviewer.com/stig/red_...inding/V-38583

bradvan 05-08-2018 09:54 AM
The rpm sets both to 700. However, grub.conf is just a text file. So, it can be 600 without a problem. grub.efi does need to be executable. The CIS benchmark for RHEL 6 only talks about changing grub.conf, not grub.efi. I think the STIGs are based on CIS?

In response to your edit: Correct. grub.conf can be 600 without any problems. That is what I said. :)


All times are GMT -5. The time now is 12:22 AM.