Add rules for access to all files under /boot/grub2

Author: Mab879

components/grub2.yml

@@ -56,6 +56,9 @@ rules:
 - grub2_vsyscall_argument
 - uefi_no_removeable_media
 - grub2_init_on_free
+- file_permissions_boot_grub2
+- file_owner_boot_grub2
+- file_groupowner_boot_grub2
 templates:
 - grub2_bootloader_argument
 - grub2_bootloader_argument_absent

controls/cis_rhel10.yml

@@ -499,15 +499,12 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
+      status: automated
       notes: This requirement demands a deeper review of the rules.
       rules:
-          - file_groupowner_grub2_cfg
-          - file_owner_grub2_cfg
-          - file_permissions_grub2_cfg
-          - file_groupowner_user_cfg
-          - file_owner_user_cfg
-          - file_permissions_user_cfg
+          - file_permissions_boot_grub2
+          - file_owner_boot_grub2
+          - file_groupowner_boot_grub2
 
     - id: 1.5.1
       title: Ensure core file size is configured (Automated)

linux_os/guide/system/bootloader-grub2/file_groupowner_boot_grub2/rule.yml

@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title:  'All GRUB configuration files must be group-owned by root'
+
+description: |-
+    The files in <tt>{{{ grub2_uefi_boot_path }}}</tt> should
+    be group-owned by the <tt>root</tt> group to prevent
+    destruction or modification of the file.
+    {{{ describe_file_group_owner(file=grub2_uefi_boot_path, group="root") }}}
+
+rationale: |-
+    The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
+    file should not have any access privileges anyway.
+
+severity: unknown
+
+identifiers:
+    cce@rhel10: CCE-89940-1
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: {{{ grub2_uefi_boot_path }}}/
+        gid_or_name: '0'
+        file_regex: ^.*$

linux_os/guide/system/bootloader-grub2/file_owner_boot_grub2/rule.yml

@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title:  'All GRUB configuration files must be owned by root'
+
+description: |-
+    The files in <tt>{{{ grub2_uefi_boot_path }}}/grub.cfg</tt> should
+    be owned by the <tt>root</tt> user to prevent
+    destruction or modification of the file.
+    {{{ describe_file_owner(file=grub2_uefi_boot_path, owner="root") }}}
+
+rationale: |-
+    To prevent unauthorized access and modifications to boot configuration.
+
+severity: unknown
+
+identifiers:
+    cce@rhel10: CCE-89088-9
+
+template:
+    name: file_owner
+    vars:
+        filepath: {{{ grub2_uefi_boot_path }}}/
+        uid_or_name: '0'
+        file_regex: ^.*$

linux_os/guide/system/bootloader-grub2/file_permissions_boot_grub2/rule.yml

@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title:  'All GRUB configuration files must have mode 0600 or more restrictive'
+
+description: |-
+    The files in <tt>{{{ grub2_uefi_boot_path }}}</tt> should
+    have mode <tt>0600</tt> to prevent
+    destruction or modification of the file.
+    {{{ describe_file_permissions(file=grub2_uefi_boot_path, perms="0600") }}}
+
+rationale: |-
+    The file mode 0600 prevents unauthorized access and modifications to boot settings.
+
+severity: unknown
+
+identifiers:
+    cce@rhel10: CCE-90556-2
+
+template:
+    name: file_permissions
+    vars:
+        filepath: {{{ grub2_uefi_boot_path }}}/
+        filemode: '0600'
+        allow_stricter_permissions: "true"
+        file_regex: ^.*$

shared/references/cce-redhat-avail.txt

@@ -1402,7 +1402,6 @@ CCE-89082-2
 CCE-89083-0
 CCE-89084-8
 CCE-89087-1
-CCE-89088-9
 CCE-89090-5
 CCE-89092-1
 CCE-89094-7
@@ -1936,7 +1935,6 @@ CCE-89935-1
 CCE-89936-9
 CCE-89937-7
 CCE-89938-5
-CCE-89940-1
 CCE-89941-9
 CCE-89942-7
 CCE-89943-5
@@ -2337,7 +2335,6 @@ CCE-90551-3
 CCE-90552-1
 CCE-90553-9
 CCE-90555-4
-CCE-90556-2
 CCE-90558-8
 CCE-90559-6
 CCE-90561-2

tests/data/profile_stability/rhel10/cis.profile

@@ -159,6 +159,7 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
 file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
@@ -177,10 +178,8 @@ file_groupowner_etc_security_opasswd
 file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
-file_groupowner_grub2_cfg
 file_groupowner_sshd_config
 file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
 file_groupownership_audit_binaries
 file_groupownership_audit_configuration
 file_groupownership_sshd_private_key
@@ -190,6 +189,7 @@ file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
+file_owner_boot_grub2
 file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
@@ -208,10 +208,8 @@ file_owner_etc_security_opasswd
 file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
-file_owner_grub2_cfg
 file_owner_sshd_config
 file_owner_sshd_drop_in_config
-file_owner_user_cfg
 file_ownership_audit_binaries
 file_ownership_audit_configuration
 file_ownership_home_directories
@@ -227,6 +225,7 @@ file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
 file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
@@ -245,14 +244,12 @@ file_permissions_etc_security_opasswd
 file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
-file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
 file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
-file_permissions_user_cfg
 file_permissions_var_log_audit
 firewalld_loopback_traffic_trusted
 gid_passwd_group_same

tests/data/profile_stability/rhel10/cis_server_l1.profile

@@ -79,6 +79,7 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
 file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
@@ -97,17 +98,16 @@ file_groupowner_etc_security_opasswd
 file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
-file_groupowner_grub2_cfg
 file_groupowner_sshd_config
 file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
 file_groupownership_sshd_private_key
 file_groupownership_sshd_pub_key
 file_owner_at_allow
 file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
+file_owner_boot_grub2
 file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
@@ -126,10 +126,8 @@ file_owner_etc_security_opasswd
 file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
-file_owner_grub2_cfg
 file_owner_sshd_config
 file_owner_sshd_drop_in_config
-file_owner_user_cfg
 file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
@@ -140,6 +138,7 @@ file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
 file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
@@ -158,14 +157,12 @@ file_permissions_etc_security_opasswd
 file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
-file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
 file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
-file_permissions_user_cfg
 firewalld_loopback_traffic_trusted
 gid_passwd_group_same
 group_unique_id

tests/data/profile_stability/rhel10/cis_workstation_l1.profile

@@ -77,6 +77,7 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
 file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
@@ -95,17 +96,16 @@ file_groupowner_etc_security_opasswd
 file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
-file_groupowner_grub2_cfg
 file_groupowner_sshd_config
 file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
 file_groupownership_sshd_private_key
 file_groupownership_sshd_pub_key
 file_owner_at_allow
 file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
+file_owner_boot_grub2
 file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
@@ -124,10 +124,8 @@ file_owner_etc_security_opasswd
 file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
-file_owner_grub2_cfg
 file_owner_sshd_config
 file_owner_sshd_drop_in_config
-file_owner_user_cfg
 file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
@@ -138,6 +136,7 @@ file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
 file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
@@ -156,14 +155,12 @@ file_permissions_etc_security_opasswd
 file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
-file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
 file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
-file_permissions_user_cfg
 firewalld_loopback_traffic_trusted
 gid_passwd_group_same
 group_unique_id

tests/data/profile_stability/rhel10/cis_workstation_l2.profile

@@ -159,6 +159,7 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
 file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
@@ -177,10 +178,8 @@ file_groupowner_etc_security_opasswd
 file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
-file_groupowner_grub2_cfg
 file_groupowner_sshd_config
 file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
 file_groupownership_audit_binaries
 file_groupownership_audit_configuration
 file_groupownership_sshd_private_key
@@ -190,6 +189,7 @@ file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
+file_owner_boot_grub2
 file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
@@ -208,10 +208,8 @@ file_owner_etc_security_opasswd
 file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
-file_owner_grub2_cfg
 file_owner_sshd_config
 file_owner_sshd_drop_in_config
-file_owner_user_cfg
 file_ownership_audit_binaries
 file_ownership_audit_configuration
 file_ownership_home_directories
@@ -227,6 +225,7 @@ file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
 file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
@@ -245,14 +244,12 @@ file_permissions_etc_security_opasswd
 file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
-file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
 file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
-file_permissions_user_cfg
 file_permissions_var_log_audit
 firewalld_loopback_traffic_trusted
 gid_passwd_group_same