- Bug
- Resolution: Done-Errata
- Undefined
- rhel-8.8.0
- grub2-2.02-152.el8_8
- None
- Moderate
- rhel-sst-desktop-firmware-bootloaders
- ssg_display
- 1
- False
- Yes
- Red Hat Enterprise Linux
- None
- If docs needed, set a value
- None
The SCAP CIS-L1 check of scap 0.1.69 requires only 0600 in xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg.
RPM has 700
~~~
[cb/AWS] ec2-user@ip-10-215-229-191:~$ rpm -q grub2-pc
grub2-pc-2.02-148.el8_8.1.x86_64
[cb/AWS] ec2-user@ip-10-215-229-191:~$ rpm -qlv grub2-pc
-rwx------ 1 root root 0 Jun 20 13:13 /boot/grub2/grub.cfg
drwx------ 2 root root 0 Jun 20 13:13 /boot/loader/entries
lrwxrwxrwx 1 root root 22 Jun 20 13:13 /etc/grub2.cfg -> ../boot/grub2/grub.cfg
[cb/AWS] ec2-user@ip-10-215-229-191:~$
~~~
I cannot change the permission to 600 because then the RPM verify will fail with a permission failure, and for such a critical boot file that is also not what you want.
I can see 2 solutions:
- rpm provides the file as 600
- the scap check xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg (and xccdf_org.ssgproject.content_rule_file_permissions_user_cfg) also allows 0700 or stricter, like the EFI check does (use oval:ssg-state_file_permissions_efi_grub2_cfg_0_mode_0700or_stricter_:ste:1 instead of oval:ssg-state_file_permissions_user_cfg_0_mode_0600or_stricter_:ste:1)
Define the value or impact to you or the business: SCAP checks are failing, or RPM verify (also used by some SCAP checks) is failing.
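To make the conflict described in the report concrete, here is an added Python example (not code from the report, from grub2 or from scap-security-guide): it parses the `rpm -qlv` listing above and evaluates /boot/grub2/grub.cfg against the two OVAL states, treating "NNNN or stricter" as a bit-mask test (an assumption about how the SSG states are defined) and mimicking the mode column of `rpm -V`. Function names such as `grub_cfg_conflict` are the example's own.

```python
# Constructed sample reproducing the `rpm -qlv grub2-pc` listing from the report.
RPM_QLV_SAMPLE = """\
-rwx------ 1 root root 0 Jun 20 13:13 /boot/grub2/grub.cfg
drwx------ 2 root root 0 Jun 20 13:13 /boot/loader/entries
lrwxrwxrwx 1 root root 22 Jun 20 13:13 /etc/grub2.cfg -> ../boot/grub2/grub.cfg
"""

def parse_mode(mode_str):
    """Turn an ls-style mode string such as '-rwx------' into permission bits (0o700); only r/w/x/- occur here."""
    if len(mode_str) != 10:
        raise ValueError(f"unexpected mode string: {mode_str!r}")
    perms = 0
    for i, ch in enumerate(mode_str[1:]):
        if ch == "rwxrwxrwx"[i]:
            perms |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"unsupported mode character {ch!r} in {mode_str!r}")
    return perms

def parse_rpm_qlv(text):
    """Map each path in `rpm -qlv` output to the permission bits the package records for it."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue
        entries[fields[8].split(" -> ")[0]] = parse_mode(fields[0])  # drop symlink target
    return entries

def mode_or_stricter(perms, ceiling):
    """'NNNN or stricter' as a bit mask (assumed to match the SSG OVAL states, which require
    every bit outside the ceiling to be unset): 0700 fails a 0600 ceiling because of the owner x bit."""
    return (perms & ~ceiling) == 0

def rpm_verify_mode(packaged, on_disk):
    """Mimic the mode column of `rpm -V`: '.' when the modes agree, 'M' when they differ."""
    return "." if packaged == on_disk else "M"

def grub_cfg_conflict(listing=RPM_QLV_SAMPLE):
    """Evaluate /boot/grub2/grub.cfg against both OVAL states and the rpm verify mode check."""
    packaged = parse_rpm_qlv(listing)["/boot/grub2/grub.cfg"]
    return {
        "packaged_mode": packaged,
        "passes_0600_or_stricter": mode_or_stricter(packaged, 0o600),
        "passes_0700_or_stricter": mode_or_stricter(packaged, 0o700),
        # what rpm -V would report if an admin ran `chmod 0600` to satisfy the 0600 state
        "rpm_verify_after_chmod_0600": rpm_verify_mode(packaged, 0o600),
    }
```

Calling `grub_cfg_conflict()` shows the packaged 0o700 failing the 0600 state, passing the 0700 state, and earning an `M` from the verify check once it is chmodded to 0600.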
- is cloned by: RHEL-58835 [RHEL8.10/Grub/SCAP/Bug] conflicting requirements of permissions on grub2-pc grub.cfg (Closed)
- links to: RHBA-2024:139035 grub2 update