
CIS 1.5.1 Ensure permissions on bootloader config are configured (Scored)

Open shawndwells opened this issue 5 years ago • 3 comments

CIS_Red_Hat_Enterprise_Linux_8_Benchmark_v1.0.0 (1).pdf

### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
#### chown root:root /boot/grub2/grub.cfg
- file_owner_grub2_cfg
- file_groupowner_grub2_cfg

#### chmod og-rwx /boot/grub2/grub.cfg
- file_permissions_grub2_cfg

#### chown root:root /boot/grub2/grubenv
#### chmod og-rwx /boot/grub2/grubenv

Need new rules for evaluating grubenv, akin to the grub.cfg checks

shawndwells avatar Mar 06 '20 23:03 shawndwells

This requirement itself is actually bugged upstream as it doesn't account for EFI installs which keep their grub.cfg in a different place.

It doesn't satisfy CIS CAT Assessor, but for now I can remediate this one on my EFI systems with:

```shell
chown root:root /boot/efi/EFI/redhat/grub.cfg
chmod og-rwx /boot/efi/EFI/redhat/grub.cfg
chown root:root /boot/efi/EFI/redhat/grubenv
chmod og-rwx /boot/efi/EFI/redhat/grubenv
chown root:root /boot/grub2/grubenv
chmod og-rwx /boot/grub2/grubenv
```

alexhaydock avatar May 26 '21 22:05 alexhaydock

> This requirement itself is actually bugged upstream as it doesn't account for EFI installs which keep their grub.cfg in a different place.
>
> It doesn't satisfy CIS CAT Assessor, but for now I can remediate this one on my EFI systems with:
>
> ```shell
> chown root:root /boot/efi/EFI/redhat/grub.cfg
> chmod og-rwx /boot/efi/EFI/redhat/grub.cfg
> chown root:root /boot/efi/EFI/redhat/grubenv
> chmod og-rwx /boot/efi/EFI/redhat/grubenv
> chown root:root /boot/grub2/grubenv
> chmod og-rwx /boot/grub2/grubenv
> ```

Maybe rules from the UEFI folder should be included in the CIS profile as well.

ggbecker avatar May 27 '21 07:05 ggbecker

> Maybe rules from the UEFI folder should be included in the CIS profile as well.

This might be a good idea.

Interestingly, the upstream bug for this one in CIS has been open for 4 years without any action: https://workbench.cisecurity.org/community/14/tickets/4720

Edit: I posted a comment on the dormant bug thread above and got a reply that this has been addressed in benchmark v3.1.0 for RHEL 7, and in v1.0.1 for RHEL 8, and that the CIS CAT Assessor update which will validate this control properly will release in late May 2021.

So it looks like we will have to add the UEFI rules anyway, since they'll now be part of the official benchmark spec.

alexhaydock avatar May 27 '21 08:05 alexhaydock
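As an added example (not code from ComplianceAsCode, CIS or anyone in this thread), the following audit helper checks grub.cfg and grubenv in both the BIOS location and the EFI location named above, so a host that boots either way gets the right files evaluated. It assumes Linux with GNU coreutils `stat` and the `redhat` EFI vendor directory used in the comments; the `--audit` flag and function names are this example's own.

```shell
#!/bin/sh
# Added audit helper (not ComplianceAsCode/CIS code) for the CIS 1.5.1-style
# checks discussed in this issue. Assumes Linux with GNU coreutils stat; the
# paths are the BIOS and EFI (redhat vendor directory) ones from the thread.

# check_bootloader_file FILE [UID] [GID]
# Returns 0 when FILE is owned by UID:GID (default 0:0, i.e. root:root) and has
# no group/other permission bits (the state `chmod og-rwx` produces), 1 when a
# finding is printed, 2 when FILE does not exist (caller decides if it matters).
check_bootloader_file() {
    cbf_file=$1; cbf_uid=${2:-0}; cbf_gid=${3:-0}
    [ -e "$cbf_file" ] || return 2
    cbf_owner=$(stat -c '%u' "$cbf_file")
    cbf_group=$(stat -c '%g' "$cbf_file")
    cbf_mode=$(stat -c '%a' "$cbf_file")   # octal, no leading zero, e.g. 644
    cbf_rc=0
    if [ "$cbf_owner" != "$cbf_uid" ] || [ "$cbf_group" != "$cbf_gid" ]; then
        echo "FAIL $cbf_file: owner $cbf_owner:$cbf_group, expected $cbf_uid:$cbf_gid"
        cbf_rc=1
    fi
    # Mask the group and other bits (octal 077); any bit left set is a finding.
    if [ $(( 0$cbf_mode & 077 )) -ne 0 ]; then
        echo "FAIL $cbf_file: mode $cbf_mode grants group/other access (want og-rwx)"
        cbf_rc=1
    fi
    [ "$cbf_rc" -eq 0 ] && echo "PASS $cbf_file: $cbf_owner:$cbf_group mode $cbf_mode"
    return "$cbf_rc"
}

# audit_grub_files [ROOT] [UID] [GID]
# Checks grub.cfg and grubenv in both the BIOS and EFI locations under ROOT
# (default: the live filesystem). A file that is absent because the host boots
# the other way is not a finding. Returns the number of failing files.
audit_grub_files() {
    agf_root=${1:-}; agf_fail=0
    for agf_rel in /boot/grub2/grub.cfg /boot/grub2/grubenv \
                   /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/redhat/grubenv; do
        agf_rc=0
        check_bootloader_file "$agf_root$agf_rel" "${2:-0}" "${3:-0}" || agf_rc=$?
        if [ "$agf_rc" -eq 1 ]; then agf_fail=$((agf_fail + 1)); fi
    done
    return "$agf_fail"
}

# Stand-alone use: `sh grub_perms.sh --audit` (as root, since /boot/efi is
# normally readable only by root). Without the flag the file only defines the
# functions, so it can be sourced.
if [ "${1:-}" = "--audit" ]; then audit_grub_files; fi
```

The exit status of `audit_grub_files` is the number of failing files, so a scanner wrapper can treat non-zero as a finding without parsing the messages.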