ComplianceAsCode · Mab879 · Dec 1, 2025 · vojtapolasek · Dec 12, 2025
diff --git a/components/grub2.yml b/components/grub2.yml
@@ -56,6 +56,9 @@ rules:
 - grub2_vsyscall_argument
 - uefi_no_removeable_media
 - grub2_init_on_free
+- file_permissions_boot_grub2
+- file_owner_boot_grub2
+- file_groupowner_boot_grub2
 templates:
 - grub2_bootloader_argument
 - grub2_bootloader_argument_absent
@@ -499,15 +499,12 @@ controls:
       levels:
           - l1_server
           - l1_workstation
-      status: pending
+      status: automated
       notes: This requirement demands a deeper review of the rules.
       rules:
-          - file_groupowner_grub2_cfg
-          - file_owner_grub2_cfg
-          - file_permissions_grub2_cfg
-          - file_groupowner_user_cfg
-          - file_owner_user_cfg
-          - file_permissions_user_cfg
+          - file_permissions_boot_grub2
+          - file_owner_boot_grub2
+          - file_groupowner_boot_grub2
 
     - id: 1.5.1
       title: Ensure core file size is configured (Automated)

diff --git a/linux_os/guide/system/bootloader-grub2/file_groupowner_boot_grub2/rule.yml b/linux_os/guide/system/bootloader-grub2/file_groupowner_boot_grub2/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title:  'All GRUB configuration files must be group-owned by root'
+
+description: |-
+    The files in <tt>{{{ grub2_uefi_boot_path }}}</tt> should
+    be group-owned by the <tt>root</tt> group to prevent
+    destruction or modification of the file.
+    {{{ describe_file_group_owner(file=grub2_uefi_boot_path, group="root") }}}
+
+rationale: |-
+    The <tt>root</tt> group is a highly-privileged group. Furthermore, the group-owner of this
+    file should not have any access privileges anyway.
+
+severity: unknown
+
+identifiers:
+    cce@rhel10: CCE-89940-1
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: {{{ grub2_uefi_boot_path }}}/
+        gid_or_name: '0'
+        file_regex: ^.*$
diff --git a/linux_os/guide/system/bootloader-grub2/file_owner_boot_grub2/rule.yml b/linux_os/guide/system/bootloader-grub2/file_owner_boot_grub2/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title:  'All GRUB configuration files must be owned by root'
+
+description: |-
+    The files in <tt>{{{ grub2_uefi_boot_path }}}/grub.cfg</tt> should
-    The files in <tt>{{{ grub2_uefi_boot_path }}}/grub.cfg</tt> should
+    The files in <tt>{{{ grub2_uefi_boot_path }}}</tt> should
-    The files in <tt>{{{ grub2_uefi_boot_path }}}/grub.cfg</tt> should
+    The files in <tt>{{{ grub2_uefi_boot_path }}}</tt> should
+    be owned by the <tt>root</tt> user to prevent
+    destruction or modification of the file.
+    {{{ describe_file_owner(file=grub2_uefi_boot_path, owner="root") }}}
+
+rationale: |-
+    To prevent unauthorized access and modifications to boot configuration.
+
+severity: unknown
+
+identifiers:
+    cce@rhel10: CCE-89088-9
+
+template:
+    name: file_owner
+    vars:
+        filepath: {{{ grub2_uefi_boot_path }}}/
+        uid_or_name: '0'
+        file_regex: ^.*$
diff --git a/linux_os/guide/system/bootloader-grub2/file_permissions_boot_grub2/rule.yml b/linux_os/guide/system/bootloader-grub2/file_permissions_boot_grub2/rule.yml
@@ -0,0 +1,25 @@
+documentation_complete: true
+
+title:  'All GRUB configuration files must have mode 0600 or more restrictive'
+
+description: |-
+    The files in <tt>{{{ grub2_uefi_boot_path }}}</tt> should
+    have mode <tt>0600</tt> to prevent
+    destruction or modification of the file.
+    {{{ describe_file_permissions(file=grub2_uefi_boot_path, perms="0600") }}}
+
+rationale: |-
+    The file mode 0600 prevents unauthorized access and modifications to boot settings.
+
+severity: unknown
+
+identifiers:
+    cce@rhel10: CCE-90556-2
+
+template:
+    name: file_permissions
+    vars:
+        filepath: {{{ grub2_uefi_boot_path }}}/
+        filemode: '0600'
+        allow_stricter_permissions: "true"
+        file_regex: ^.*$
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1402,7 +1402,6 @@ CCE-89082-2
 CCE-89083-0
 CCE-89084-8
 CCE-89087-1
-CCE-89088-9
 CCE-89090-5
 CCE-89092-1
 CCE-89094-7
@@ -1936,7 +1935,6 @@ CCE-89935-1
 CCE-89936-9
 CCE-89937-7
 CCE-89938-5
-CCE-89940-1
 CCE-89941-9
 CCE-89942-7
 CCE-89943-5
@@ -2337,7 +2335,6 @@ CCE-90551-3
 CCE-90552-1
 CCE-90553-9
 CCE-90555-4
-CCE-90556-2
 CCE-90558-8
 CCE-90559-6
 CCE-90561-2

@@ -160,6 +160,7 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
 file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
@@ -178,10 +179,8 @@ file_groupowner_etc_security_opasswd
 file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
-file_groupowner_grub2_cfg
 file_groupowner_sshd_config
 file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
 file_groupownership_audit_binaries
 file_groupownership_audit_configuration
 file_groupownership_sshd_private_key
@@ -191,6 +190,7 @@ file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
+file_owner_boot_grub2
 file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
@@ -209,10 +209,8 @@ file_owner_etc_security_opasswd
 file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
-file_owner_grub2_cfg
 file_owner_sshd_config
 file_owner_sshd_drop_in_config
-file_owner_user_cfg
 file_ownership_audit_binaries
 file_ownership_audit_configuration
 file_ownership_home_directories
@@ -228,6 +226,7 @@ file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
 file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
@@ -246,14 +245,12 @@ file_permissions_etc_security_opasswd
 file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
-file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
 file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
-file_permissions_user_cfg
 file_permissions_var_log_audit
 firewalld-backend
 firewalld_loopback_traffic_trusted

@@ -80,6 +80,7 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
 file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
@@ -98,17 +99,16 @@ file_groupowner_etc_security_opasswd
 file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
-file_groupowner_grub2_cfg
 file_groupowner_sshd_config
 file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
 file_groupownership_sshd_private_key
 file_groupownership_sshd_pub_key
 file_owner_at_allow
 file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
+file_owner_boot_grub2
 file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
@@ -127,10 +127,8 @@ file_owner_etc_security_opasswd
 file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
-file_owner_grub2_cfg
 file_owner_sshd_config
 file_owner_sshd_drop_in_config
-file_owner_user_cfg
 file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
@@ -141,6 +139,7 @@ file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
 file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
@@ -159,7 +158,6 @@ file_permissions_etc_security_opasswd
 file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
-file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
 file_permissions_sshd_drop_in_config

@@ -78,6 +78,7 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
 file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
@@ -96,17 +97,16 @@ file_groupowner_etc_security_opasswd
 file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
-file_groupowner_grub2_cfg
 file_groupowner_sshd_config
 file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
 file_groupownership_sshd_private_key
 file_groupownership_sshd_pub_key
 file_owner_at_allow
 file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
+file_owner_boot_grub2
 file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
@@ -125,10 +125,8 @@ file_owner_etc_security_opasswd
 file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
-file_owner_grub2_cfg
 file_owner_sshd_config
 file_owner_sshd_drop_in_config
-file_owner_user_cfg
 file_ownership_home_directories
 file_ownership_sshd_private_key
 file_ownership_sshd_pub_key
@@ -139,6 +137,7 @@ file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
 file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
@@ -157,7 +156,6 @@ file_permissions_etc_security_opasswd
 file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
-file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
 file_permissions_sshd_drop_in_config

@@ -160,6 +160,7 @@ file_groupowner_backup_etc_group
 file_groupowner_backup_etc_gshadow
 file_groupowner_backup_etc_passwd
 file_groupowner_backup_etc_shadow
+file_groupowner_boot_grub2
 file_groupowner_cron_allow
 file_groupowner_cron_d
 file_groupowner_cron_daily
@@ -178,10 +179,8 @@ file_groupowner_etc_security_opasswd
 file_groupowner_etc_security_opasswd_old
 file_groupowner_etc_shadow
 file_groupowner_etc_shells
-file_groupowner_grub2_cfg
 file_groupowner_sshd_config
 file_groupowner_sshd_drop_in_config
-file_groupowner_user_cfg
 file_groupownership_audit_binaries
 file_groupownership_audit_configuration
 file_groupownership_sshd_private_key
@@ -191,6 +190,7 @@ file_owner_backup_etc_group
 file_owner_backup_etc_gshadow
 file_owner_backup_etc_passwd
 file_owner_backup_etc_shadow
+file_owner_boot_grub2
 file_owner_cron_allow
 file_owner_cron_d
 file_owner_cron_daily
@@ -209,10 +209,8 @@ file_owner_etc_security_opasswd
 file_owner_etc_security_opasswd_old
 file_owner_etc_shadow
 file_owner_etc_shells
-file_owner_grub2_cfg
 file_owner_sshd_config
 file_owner_sshd_drop_in_config
-file_owner_user_cfg
 file_ownership_audit_binaries
 file_ownership_audit_configuration
 file_ownership_home_directories
@@ -228,6 +226,7 @@ file_permissions_backup_etc_group
 file_permissions_backup_etc_gshadow
 file_permissions_backup_etc_passwd
 file_permissions_backup_etc_shadow
+file_permissions_boot_grub2
 file_permissions_cron_allow
 file_permissions_cron_d
 file_permissions_cron_daily
@@ -246,14 +245,12 @@ file_permissions_etc_security_opasswd
 file_permissions_etc_security_opasswd_old
 file_permissions_etc_shadow
 file_permissions_etc_shells
-file_permissions_grub2_cfg
 file_permissions_home_directories
 file_permissions_sshd_config
 file_permissions_sshd_drop_in_config
 file_permissions_sshd_private_key
 file_permissions_sshd_pub_key
 file_permissions_unauthorized_world_writable
-file_permissions_user_cfg
 file_permissions_var_log_audit
 firewalld-backend
 firewalld_loopback_traffic_trusted