diff --git a/components/grub2.yml b/components/grub2.yml
index 8b146654250..b1821fff2a8 100644
--- a/components/grub2.yml
+++ b/components/grub2.yml
@@ -56,6 +56,9 @@ rules:
- grub2_vsyscall_argument
- uefi_no_removeable_media
- grub2_init_on_free
+- file_permissions_boot_grub2
+- file_owner_boot_grub2
+- file_groupowner_boot_grub2
templates:
- grub2_bootloader_argument
- grub2_bootloader_argument_absent
diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
index 9a1f13794d3..919a3556cce 100644
--- a/controls/cis_rhel10.yml
+++ b/controls/cis_rhel10.yml
@@ -499,15 +499,12 @@ controls:
levels:
- l1_server
- l1_workstation
- status: pending
+ status: automated
notes: This requirement demands a deeper review of the rules.
rules:
- - file_groupowner_grub2_cfg
- - file_owner_grub2_cfg
- - file_permissions_grub2_cfg
- - file_groupowner_user_cfg
- - file_owner_user_cfg
- - file_permissions_user_cfg
+ - file_permissions_boot_grub2
+ - file_owner_boot_grub2
+ - file_groupowner_boot_grub2
- id: 1.5.1
title: Ensure core file size is configured (Automated)
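Review bot: The `notes:` line still reads `This requirement demands a deeper review of the rules.` while `status` is flipped from `pending` to `automated`, so the control now contradicts itself; either drop the note or replace it with what was decided, e.g. `notes: Covered by the directory-wide boot_grub2 ownership/permission rules.` Separately, the removed rules named `grub.cfg` and `user.cfg` explicitly, whereas the three replacements are keyed on `grub2_uefi_boot_path`; if that variable resolves only to the EFI directory, BIOS-booted hosts lose the check on `/boot/grub2/grub.cfg` and `user.cfg` that this control previously had — please confirm the variable covers both layouts, or keep the `*_grub2_cfg`/`*_user_cfg` rules alongside the new ones. The control's `id` and `title` lines are above this hunk.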
diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_boot_grub2/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_boot_grub2/rule.yml
new file mode 100644
index 00000000000..e3f274df70c
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/file_groupowner_boot_grub2/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'All GRUB configuration files must be group-owned by root'
+
+description: |-
+ The files in {{{ grub2_uefi_boot_path }}} should
+ be group-owned by the root group to prevent
+ destruction or modification of the file.
+ {{{ describe_file_group_owner(file=grub2_uefi_boot_path, group="root") }}}
+
+rationale: |-
+ The root group is a highly-privileged group. Furthermore, the group-owner of this
+ file should not have any access privileges anyway.
+
+severity: medium
+
+identifiers:
+ cce@rhel10: CCE-89940-1
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: {{{ grub2_uefi_boot_path }}}/
+ gid_or_name: '0'
+ file_regex: ^.*$
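Review bot: `file_regex: ^.*$` makes the check apply to every file in the directory, not only the "GRUB configuration files" the title promises; if `grub2_uefi_boot_path` is the EFI system partition directory this includes the shim/GRUB EFI binaries, which is probably intended but should be stated. Either narrow the regex to the files the removed rules covered, e.g. `file_regex: ^(grub\.cfg|grubenv|user\.cfg)$`, or retitle to `'All files in the GRUB boot directory must be group-owned by root'`. If the path sits on a VFAT partition, group ownership is fixed by the `gid=`/`umask=` mount options rather than by `chgrp`, so the description's remediation will not persist across reboots there — worth a `warnings:` entry pointing at `/etc/fstab`. The rationale's "this file" should also be plural since the rule now covers several files.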
diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_boot_grub2/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_boot_grub2/rule.yml
new file mode 100644
index 00000000000..56bd73898f3
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/file_owner_boot_grub2/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'All GRUB configuration files must be owned by root'
+
+description: |-
+ The files in {{{ grub2_uefi_boot_path }}} should
+ be owned by the root user to prevent
+ destruction or modification of the file.
+ {{{ describe_file_owner(file=grub2_uefi_boot_path, owner="root") }}}
+
+rationale: |-
+ To prevent unauthorized access and modifications to boot configuration.
+
+severity: medium
+
+identifiers:
+ cce@rhel10: CCE-89088-9
+
+template:
+ name: file_owner
+ vars:
+ filepath: {{{ grub2_uefi_boot_path }}}/
+ uid_or_name: '0'
+ file_regex: ^.*$
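Review bot: The description calls `describe_file_owner(file=grub2_uefi_boot_path, owner="root")` with the directory itself, while the template (with `file_regex: ^.*$`) checks every file inside it, so the generated fix text will presumably tell the admin to `chown root` only the directory and leave the files that actually fail the check untouched. Consider spelling out the file-level remediation in the description, e.g. `All files under {{{ grub2_uefi_boot_path }}} must be owned by root, e.g. chown root {{{ grub2_uefi_boot_path }}}/*`, or pass a file glob to the macro if it accepts one. The rationale `To prevent unauthorized access and modifications to boot configuration.` is a fragment; a full sentence such as `Boot configuration owned by a non-root user could be altered to load a tampered kernel or initrd.` reads better.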
diff --git a/linux_os/guide/system/bootloader-grub2/file_permissions_boot_grub2/rule.yml b/linux_os/guide/system/bootloader-grub2/file_permissions_boot_grub2/rule.yml
new file mode 100644
index 00000000000..119e3aa42c2
--- /dev/null
+++ b/linux_os/guide/system/bootloader-grub2/file_permissions_boot_grub2/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title: 'All GRUB configuration files must have mode 0600 or more restrictive'
+
+description: |-
+ The files in {{{ grub2_uefi_boot_path }}} should
+ have mode 0600 to prevent
+ destruction or modification of the file.
+ {{{ describe_file_permissions(file=grub2_uefi_boot_path, perms="0600") }}}
+
+rationale: |-
+ The file mode 0600 prevents unauthorized access and modifications to boot settings.
+
+severity: medium
+
+identifiers:
+ cce@rhel10: CCE-90556-2
+
+template:
+ name: file_permissions
+ vars:
+ filepath: {{{ grub2_uefi_boot_path }}}/
+ filemode: '0600'
+ allow_stricter_permissions: "true"
+ file_regex: ^.*$
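Review bot: Requiring mode `0600` on every file matched by `^.*$` is only enforceable if the directory lives on a POSIX filesystem; if `grub2_uefi_boot_path` is on the VFAT EFI system partition, `chmod` is not honored and the effective mode comes from the `umask=`/`fmask=` mount options, so the templated remediation would either fail or leave the rule permanently failing on a system that is actually correctly mounted. Suggest adding a `warnings:` entry such as `On UEFI systems the EFI system partition is VFAT; set umask=0077 on its /etc/fstab entry instead of using chmod.` and, if the project supports it, a platform qualifier so the rule is evaluated only where it can be remediated. The title says "GRUB configuration files" but the regex also matches any EFI binaries in that directory, which should be mentioned explicitly.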
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index ae9d27db3ac..fe029a2ad9f 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -1387,7 +1387,6 @@ CCE-89082-2
CCE-89083-0
CCE-89084-8
CCE-89087-1
-CCE-89088-9
CCE-89090-5
CCE-89092-1
CCE-89094-7
@@ -1920,7 +1919,6 @@ CCE-89935-1
CCE-89936-9
CCE-89937-7
CCE-89938-5
-CCE-89940-1
CCE-89941-9
CCE-89942-7
CCE-89943-5
@@ -2319,7 +2317,6 @@ CCE-90551-3
CCE-90552-1
CCE-90553-9
CCE-90555-4
-CCE-90556-2
CCE-90558-8
CCE-90559-6
CCE-90561-2
diff --git a/tests/data/profile_stability/rhel10/cis.profile b/tests/data/profile_stability/rhel10/cis.profile
index 516ce20496c..23aeb51e210 100644
--- a/tests/data/profile_stability/rhel10/cis.profile
+++ b/tests/data/profile_stability/rhel10/cis.profile
@@ -161,6 +161,7 @@ file_groupowner_backup_etc_group
file_groupowner_backup_etc_gshadow
file_groupowner_backup_etc_passwd
file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
file_groupowner_cron_allow
file_groupowner_cron_d
file_groupowner_cron_daily
@@ -179,10 +180,8 @@ file_groupowner_etc_security_opasswd
file_groupowner_etc_security_opasswd_old
file_groupowner_etc_shadow
file_groupowner_etc_shells
-file_groupowner_grub2_cfg
file_groupowner_sshd_config
file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
file_groupownership_audit_binaries
file_groupownership_audit_configuration
file_groupownership_sshd_private_key
@@ -192,6 +191,7 @@ file_owner_backup_etc_group
file_owner_backup_etc_gshadow
file_owner_backup_etc_passwd
file_owner_backup_etc_shadow
+file_owner_boot_grub2
file_owner_cron_allow
file_owner_cron_d
file_owner_cron_daily
@@ -210,10 +210,8 @@ file_owner_etc_security_opasswd
file_owner_etc_security_opasswd_old
file_owner_etc_shadow
file_owner_etc_shells
-file_owner_grub2_cfg
file_owner_sshd_config
file_owner_sshd_drop_in_config
-file_owner_user_cfg
file_ownership_audit_binaries
file_ownership_audit_configuration
file_ownership_home_directories
@@ -229,6 +227,7 @@ file_permissions_backup_etc_group
file_permissions_backup_etc_gshadow
file_permissions_backup_etc_passwd
file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
file_permissions_cron_allow
file_permissions_cron_d
file_permissions_cron_daily
@@ -247,14 +246,12 @@ file_permissions_etc_security_opasswd
file_permissions_etc_security_opasswd_old
file_permissions_etc_shadow
file_permissions_etc_shells
-file_permissions_grub2_cfg
file_permissions_home_directories
file_permissions_sshd_config
file_permissions_sshd_drop_in_config
file_permissions_sshd_private_key
file_permissions_sshd_pub_key
file_permissions_unauthorized_world_writable
-file_permissions_user_cfg
file_permissions_var_log_audit
firewalld-backend
firewalld_loopback_traffic_trusted
diff --git a/tests/data/profile_stability/rhel10/cis_server_l1.profile b/tests/data/profile_stability/rhel10/cis_server_l1.profile
index e80c33fe872..eeb5024539a 100644
--- a/tests/data/profile_stability/rhel10/cis_server_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_server_l1.profile
@@ -81,6 +81,7 @@ file_groupowner_backup_etc_group
file_groupowner_backup_etc_gshadow
file_groupowner_backup_etc_passwd
file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
file_groupowner_cron_allow
file_groupowner_cron_d
file_groupowner_cron_daily
@@ -99,10 +100,8 @@ file_groupowner_etc_security_opasswd
file_groupowner_etc_security_opasswd_old
file_groupowner_etc_shadow
file_groupowner_etc_shells
-file_groupowner_grub2_cfg
file_groupowner_sshd_config
file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
file_groupownership_sshd_private_key
file_groupownership_sshd_pub_key
file_owner_at_allow
@@ -110,6 +109,7 @@ file_owner_backup_etc_group
file_owner_backup_etc_gshadow
file_owner_backup_etc_passwd
file_owner_backup_etc_shadow
+file_owner_boot_grub2
file_owner_cron_allow
file_owner_cron_d
file_owner_cron_daily
@@ -128,10 +128,8 @@ file_owner_etc_security_opasswd
file_owner_etc_security_opasswd_old
file_owner_etc_shadow
file_owner_etc_shells
-file_owner_grub2_cfg
file_owner_sshd_config
file_owner_sshd_drop_in_config
-file_owner_user_cfg
file_ownership_home_directories
file_ownership_sshd_private_key
file_ownership_sshd_pub_key
@@ -142,6 +140,7 @@ file_permissions_backup_etc_group
file_permissions_backup_etc_gshadow
file_permissions_backup_etc_passwd
file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
file_permissions_cron_allow
file_permissions_cron_d
file_permissions_cron_daily
@@ -160,14 +159,12 @@ file_permissions_etc_security_opasswd
file_permissions_etc_security_opasswd_old
file_permissions_etc_shadow
file_permissions_etc_shells
-file_permissions_grub2_cfg
file_permissions_home_directories
file_permissions_sshd_config
file_permissions_sshd_drop_in_config
file_permissions_sshd_private_key
file_permissions_sshd_pub_key
file_permissions_unauthorized_world_writable
-file_permissions_user_cfg
firewalld-backend
firewalld_loopback_traffic_trusted
gid_passwd_group_same
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
index 6b8488a853c..c2452728e0a 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l1.profile
@@ -79,6 +79,7 @@ file_groupowner_backup_etc_group
file_groupowner_backup_etc_gshadow
file_groupowner_backup_etc_passwd
file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
file_groupowner_cron_allow
file_groupowner_cron_d
file_groupowner_cron_daily
@@ -97,10 +98,8 @@ file_groupowner_etc_security_opasswd
file_groupowner_etc_security_opasswd_old
file_groupowner_etc_shadow
file_groupowner_etc_shells
-file_groupowner_grub2_cfg
file_groupowner_sshd_config
file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
file_groupownership_sshd_private_key
file_groupownership_sshd_pub_key
file_owner_at_allow
@@ -108,6 +107,7 @@ file_owner_backup_etc_group
file_owner_backup_etc_gshadow
file_owner_backup_etc_passwd
file_owner_backup_etc_shadow
+file_owner_boot_grub2
file_owner_cron_allow
file_owner_cron_d
file_owner_cron_daily
@@ -126,10 +126,8 @@ file_owner_etc_security_opasswd
file_owner_etc_security_opasswd_old
file_owner_etc_shadow
file_owner_etc_shells
-file_owner_grub2_cfg
file_owner_sshd_config
file_owner_sshd_drop_in_config
-file_owner_user_cfg
file_ownership_home_directories
file_ownership_sshd_private_key
file_ownership_sshd_pub_key
@@ -140,6 +138,7 @@ file_permissions_backup_etc_group
file_permissions_backup_etc_gshadow
file_permissions_backup_etc_passwd
file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
file_permissions_cron_allow
file_permissions_cron_d
file_permissions_cron_daily
@@ -158,14 +157,12 @@ file_permissions_etc_security_opasswd
file_permissions_etc_security_opasswd_old
file_permissions_etc_shadow
file_permissions_etc_shells
-file_permissions_grub2_cfg
file_permissions_home_directories
file_permissions_sshd_config
file_permissions_sshd_drop_in_config
file_permissions_sshd_private_key
file_permissions_sshd_pub_key
file_permissions_unauthorized_world_writable
-file_permissions_user_cfg
firewalld-backend
firewalld_loopback_traffic_trusted
gid_passwd_group_same
diff --git a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
index 67a33734af8..f076a18ba30 100644
--- a/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
+++ b/tests/data/profile_stability/rhel10/cis_workstation_l2.profile
@@ -161,6 +161,7 @@ file_groupowner_backup_etc_group
file_groupowner_backup_etc_gshadow
file_groupowner_backup_etc_passwd
file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
file_groupowner_cron_allow
file_groupowner_cron_d
file_groupowner_cron_daily
@@ -179,10 +180,8 @@ file_groupowner_etc_security_opasswd
file_groupowner_etc_security_opasswd_old
file_groupowner_etc_shadow
file_groupowner_etc_shells
-file_groupowner_grub2_cfg
file_groupowner_sshd_config
file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
file_groupownership_audit_binaries
file_groupownership_audit_configuration
file_groupownership_sshd_private_key
@@ -192,6 +191,7 @@ file_owner_backup_etc_group
file_owner_backup_etc_gshadow
file_owner_backup_etc_passwd
file_owner_backup_etc_shadow
+file_owner_boot_grub2
file_owner_cron_allow
file_owner_cron_d
file_owner_cron_daily
@@ -210,10 +210,8 @@ file_owner_etc_security_opasswd
file_owner_etc_security_opasswd_old
file_owner_etc_shadow
file_owner_etc_shells
-file_owner_grub2_cfg
file_owner_sshd_config
file_owner_sshd_drop_in_config
-file_owner_user_cfg
file_ownership_audit_binaries
file_ownership_audit_configuration
file_ownership_home_directories
@@ -229,6 +227,7 @@ file_permissions_backup_etc_group
file_permissions_backup_etc_gshadow
file_permissions_backup_etc_passwd
file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
file_permissions_cron_allow
file_permissions_cron_d
file_permissions_cron_daily
@@ -247,14 +246,12 @@ file_permissions_etc_security_opasswd
file_permissions_etc_security_opasswd_old
file_permissions_etc_shadow
file_permissions_etc_shells
-file_permissions_grub2_cfg
file_permissions_home_directories
file_permissions_sshd_config
file_permissions_sshd_drop_in_config
file_permissions_sshd_private_key
file_permissions_sshd_pub_key
file_permissions_unauthorized_world_writable
-file_permissions_user_cfg
file_permissions_var_log_audit
firewalld-backend
firewalld_loopback_traffic_trusted