highsystemverified ✓rollback-safe
Set GRUB user configuration file permissions
grub-user-cfg-permissions · RHEL ≥ 8 · 1 impl
Description
The GRUB user configuration file /boot/grub2/user.cfg contains the bootloader password hash and should have restrictive permissions.
Rationale
The user.cfg file contains the hashed GRUB password. Unauthorized access could allow attackers to attempt offline password cracking or modify the password configuration.
Check → Remediate
Checkcommand
test -f /boot/grub2/user.cfg && stat -c '%a %U %G' /boot/grub2/user.cfg | grep -E '^600 root root$' || test ! -f /boot/grub2/user.cfg
- expected_exit:
- 0
Remediatefile_permissions
- path:
- /boot/grub2/user.cfg
- mode:
- 0600
- owner:
- root
- group:
- root
Framework references
CIS
rhel8 1.4.2rhel10 1.4.2
NIST 800-53
AC-3AC-6
Live verification
rhel8:check
#grub#bootloader#permissions#physical-security