Check: GEN008720
VMware ESX 3 Server:
GEN008720
(in version v1 r2)
Title
The system's boot loader configuration file(s) must have mode 0600 or less permissive. (Cat II impact)
Discussion
File permissions greater than 0600 on boot loader configuration files could allow an unauthorized user to view or modify sensitive information pertaining to system boot instructions.
Check Content
This check applies to the global zone only. Determine the type of zone that you are currently securing. # zonename If the command output is "global", this check applies. Check the permission of the menu.lst file. On systems that have a ZFS root, the menu.lst file is typically located at /pool-name/boot/grub/menu.lst where "pool-name" is the mount point for the top-level dataset. On systems that have a UFS root, the menu.lst file is typically located at /boot/grub/menu.lst . Procedure: # ls -lL /pool-name/boot/grub/menu.lst or # ls -lL /boot/grub/menu.lst If menu.lst has a mode more permissive than 0600, this is a finding.
Fix Text
Change the mode of the menu.lst file to 0600. # chmod 0600 /pool-name/boot/grub/menu.lst or # chmod 0600 /boot/grub/menu.lst
Additional Identifiers
Rule ID: SV-4250r3_rule
Vulnerability ID: V-4250
Group Title: GEN008720
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000225 |
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
Controls
| Number | Title |
|---|---|
| AC-6 |
Least Privilege |