Fix grub.cfg permissions (CIS 1.4.1)

* CIS 1.4.1 Ensure permissions on bootloader config are configured

Related-Prod: PROD-22655

Change-Id: Ia282baae0be5c038d42b672758662aaed9aae6f5
diff --git a/linux/system/grub.sls b/linux/system/grub.sls
index 74ea553..49277ff 100644
--- a/linux/system/grub.sls
+++ b/linux/system/grub.sls
@@ -7,6 +7,7 @@
     - makedirs: True
 
 {%- if grains['os_family'] == 'RedHat' %}
+  {%- set boot_grub_cfg = '/boot/grub2/grub.cfg' %}
 /etc/default/grub:
   file.append:
     - text:
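Review bot: The RedHat branch fixes `boot_grub_cfg` to `/boot/grub2/grub.cfg`, which on UEFI-booted hosts of this family is often not the live config; there it may sit under `/boot/efi/EFI/<distro>/grub.cfg`. Since the new `grub_cfg_permissions` state is guarded by `onlyif: test -f {{ boot_grub_cfg }}`, such a host would skip the CIS 1.4.1 hardening and still report success. Consider deriving the path from a pillar value or an EFI check, or at least add a comment such as `# BIOS layout only; UEFI hosts keep grub.cfg under /boot/efi` next to the `set`. The `/etc/default/grub` state continues past the end of this hunk, so the rest of the branch was not reviewed.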
@@ -14,14 +15,26 @@
 
 grub_update:
   cmd.wait:
-  - name: grub2-mkconfig -o /boot/grub2/grub.cfg
+  - name: grub2-mkconfig -o {{ boot_grub_cfg }}
 
 {%- else %}
+  {%- set boot_grub_cfg = '/boot/grub/grub.cfg' %}
 
-{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
 grub_update:
   cmd.wait:
   - name: update-grub
-{%- endif %}
+  {%- if grains.get('virtual_subtype') in ['Docker', 'LXC'] %}
+  - onlyif: /bin/false
+  {%- endif %}
 
 {%- endif %}
+
+grub_cfg_permissions:
+  file.managed:
+    - name: {{ boot_grub_cfg }}
+    - user: 'root'
+    - owner: 'root'
+    - mode: '400'
+    - onlyif: test -f {{ boot_grub_cfg }}
+    - require:
+      - cmd: grub_update
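Review bot: In `grub_cfg_permissions`, `- owner: 'root'` does not look like an argument `file.managed` accepts on Linux, so group ownership of grub.cfg is probably left unmanaged. CIS 1.4.1 expects root:root, so the line was likely meant to be `- group: 'root'`. Because no `source` or `contents` is given, it would also be clearer to state that only ownership and mode are enforced by adding `- replace: False` and `- create: False`. The latter should make the shell guard `onlyif: test -f ...` unnecessary and ensures an empty grub.cfg is never created. A short comment above the state, e.g. `# CIS 1.4.1: grub.cfg must be root:root and not readable by group/other`, would tie the mode `'400'` to the control it implements.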