RHEL 9 /boot/grub2/grub.cfg file must be group-owned by root.

STIG ID: RHEL-09-212025  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-257790

Vulnerability Discussion

The "root" group is a highly privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway.

Check

Verify the group ownership of the "/boot/grub2/grub.cfg" file with the following command:

$ sudo stat -c "%G %n" /boot/grub2/grub.cfg

root /boot/grub2/grub.cfg

If "/boot/grub2/grub.cfg" file does not have a group owner of "root", this is a finding.

Fix

Change the group of the file /boot/grub2/grub.cfg to root by running the following command:

$ sudo chgrp root /boot/grub2/grub.cfg