From 1a874b2b3511c7235626b9f7fcd5b413d12a0a50 Mon Sep 17 00:00:00 2001
From: Sebastien BLAISOT
Date: Tue, 30 Nov 2021 18:47:19 +0100
Subject: [PATCH] Allow grub.cfg permission to be 600 (#121)

Co-authored-by: GoldenKiwi
---
 bin/hardening/1.5.1_bootloader_ownership.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bin/hardening/1.5.1_bootloader_ownership.sh b/bin/hardening/1.5.1_bootloader_ownership.sh
index 80267e8..7aaf6d9 100755
--- a/bin/hardening/1.5.1_bootloader_ownership.sh
+++ b/bin/hardening/1.5.1_bootloader_ownership.sh
@@ -23,6 +23,7 @@ FILE='/boot/grub/grub.cfg'
 USER='root'
 GROUP='root'
 PERMISSIONS='400'
+PERMISSIONSOK='400 600'
 
 # This function will be called if the script status is on enabled / audit mode
 audit() {
@@ -33,7 +34,7 @@ audit() {
 crit "$FILE ownership was not set to $USER:$GROUP"
 fi
 
- has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
 else
@@ -51,7 +52,7 @@ apply() {
 chown "$USER":"$GROUP" "$FILE"
 fi
 
- has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
 else
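Review bot: `PERMISSIONSOK` is added next to `PERMISSIONS` with no comment saying which of the two the check accepts and which one remediation enforces, and the reason 600 is tolerated for grub.cfg is not recorded in the script. The value is a space-separated list that is later passed as one quoted argument, so it depends on `has_file_one_of_permissions` splitting it, which this patch does not show. I would add above it `# Modes accepted by the check (no group/other access); $PERMISSIONS stays the mode to enforce`. It is also worth confirming that the `else` branches after the two later hunks, which are outside the visible lines, still report and apply `$PERMISSIONS`.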
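Review bot: In `audit()` the verdict is read from the global `$FNRET` right after `has_file_one_of_permissions`, and nothing in the hunk resets it first; the `apply()` hunk has the same pattern. The helper is not defined in this patch (only this script is changed), so on a tree whose shared library lacks it the call would fail. `$FNRET` could then still hold 0 from the ownership check that appears to precede it, and the script would print `ok` for a grub.cfg with loose permissions. Setting `FNRET=1` on the line before each call makes the check fail closed. Both function bodies start and end outside their hunks, so the preceding ownership check is inferred from the visible context.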