⭐ check file permissions for loader.conf (systemd-boot) (#130)

Signed-off-by: Patrick Münch <patrick.muench1111@gmail.com>
mondoohq · Feb 25, 2023 · a4b6e5b · a4b6e5b
1 parent 57322c2
commit a4b6e5b
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/core/mondoo-linux-workstation-security.mql.yaml b/core/mondoo-linux-workstation-security.mql.yaml
@@ -135,6 +135,13 @@ queries:
         # chmod og-rwx /boot/grub2/user.cfg
         ```
 
+        Run the following commands to set ownership and permissions on your systemd-boot loader configuration file:
+
+        ```
+        chown root:root /boot/loader/loader.conf
+        chmod og-rwx /boot/loader/loader.conf
+        ```
+
         \*\*OR If the system uses UEFI, edit `/etc/fstab` and add the `fmask=0077` , `uid=0` , and `gid=0` options:
 
         _Example:_
@@ -208,7 +215,21 @@ queries:
           permissions.other_writeable == false
           permissions.other_executable == false
          }
-       }
+      }
+
+      if ( file("/boot/loader/loader.conf").exists ) {
+        file("/boot/loader/loader.conf") {
+          user.name == 'root'
+          group.name == 'root'
+          permissions.group_readable == false
+          permissions.group_writeable == false
+          permissions.group_executable == false
+          permissions.other_readable == false
+          permissions.other_writeable == false
+          permissions.other_executable == false
+        }
+      }
+
       if(mount.list.where( fstype == 'vfat' && path == /boot/) != []) {
         mount.list.where( fstype == 'vfat' && path == /boot/) {
           options['fmask'] == "0077"