← Rules Catalog
highsystemverified rollback-safe

Set GRUB user configuration file permissions

grub-user-cfg-permissions · RHEL ≥ 8 · 1 impl

Description

The GRUB user configuration file /boot/grub2/user.cfg contains the bootloader password hash and should have restrictive permissions.

Rationale

The user.cfg file contains the hashed GRUB password. Unauthorized access could allow attackers to attempt offline password cracking or modify the password configuration.

Check → Remediate

Checkcommand
test -f /boot/grub2/user.cfg && stat -c '%a %U %G' /boot/grub2/user.cfg | grep -E '^600 root root$' || test ! -f /boot/grub2/user.cfg
expected_exit:
0
Remediatefile_permissions
path:
/boot/grub2/user.cfg
mode:
0600
owner:
root
group:
root

Framework references

CIS

rhel8 1.4.2rhel10 1.4.2

NIST 800-53

AC-3AC-6

Live verification

rhel8:check
#grub#bootloader#permissions#physical-security