Fix RPM Database finding for UEFI file types

I ran into an issue the other day when was hardening a server. I couldn't change the file permissions on a few files to what the RPM database says is the default. This was in regard to the /boot/efi files or UEFI file types.

This is the check: rpm -Va

The security rule: RHEL-07-010010 "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." Basically the the check is to ensure the files have the default file permissions or less.
 
Also works for Red Hat 6
RHEL-06-000516, RHEL-06-000517, RHEL-06-000518, RHEL-06-000519

The Fix

Add the line below to /etc/fstab

UUID=####       /boot/efi     vfat umask=0177,shortnames=winnt  0 0

Unmount and mount /boot/efi

root@earth> umount /boot/efi
root@earth> mount /boot/efi

Some other reference materials.
Could not change permission for /boot/efi/EFI/redhat/grub.conf
Why do /boot/efi content always show up in rpm -Va output in UEFI enabled system?

How to lookup UUIDs
https://liquidat.wordpress.com/2007/10/15/short-tip-get-uuid-of-hard-disks/
https://liquidat.wordpress.com/2013/03/13/uuids-and-linux-everything-you-ever-need-to-know/

Six Fee Computer Books

I like getting free stuff, so when I got and email from Jason Cannon and his website Linux Training Academy I had to share it. Jason Cannon is offering six of his books for free through Amazon.com until this Saturday. To get the books you need an Amazon account with the US or UK store. The books are in the kindle format, which can be read on your computer or tablet if you don't have a kindle.

These books are absolutely free! Just click on the book to download it from Amazon's US store. Use this link for Amazon's UK store.



Prices of the print versions
$24.99   Linux for Beginners
$24.99   Linux Administration
$14.99   Shell Scripting
$14.99   Command Line Kung Fu
$19.99   High Availability for the LAMP Stack
$24.99   Python Programming for Beginners
$124.94 Total savings

I found out about this because I'm on a mailing list that Jason Cannon and his site put out. Further instructions on how to get the free books can be found on his website.

If your looking for more free books checkout my other posts:
Free Python Books
Free Books

Remotely Login & Run Commands on ILOMs

Logging into Oracle's Integrated Lights Out Manager (ILOM) to get info can be a real pain, so I wrote this script to do it for me. Normally one would use use Simple Network Management Protocol (SNMP) or Intelligent Platform Management Interface (IPMI), but due to security concerns I was not able to use either of these options. Even with the latest firmware installed the ILOMs would not support modern security practices. So I was forced to find anther way. I needed to write a script that would wait for a prompt and then fill it in for me. Expect an extension to the Tcl scripting language is great for this kind of stuff, but I decided to use HERE which is even easier.

In order to make this work I created the user mancnt on the local system and on all the ILOMs. I also created a SSH key and setup an SSH agent on the local system and then I copied the key over to the ILOMs. If you don't know how to setup SSH keys check out my last post on how to do it  "A Better Way to Setup SSH Keys". You will also need a file containing the hostnames of the ILOMs you want access. In the example script below I use two such files, lsILOMb and lsILOMc, one for the blades and one for the chassis.

#!/bin/bash
#
# This section is for the ILOM blades
 HERE-ILOM(){
ssh $1 2>/dev/null <show /SP/network macaddress
HERE
}
# This section is for the ILOM Chassis
HERE-ILOMc(){
ssh $1 2>/dev/null <show /CMM/network macaddress
HERE
} 

# To get IP address from hostname
Ping-to-IP(){
ping -c1 $1 |grep PING|awk '{print $3}'|sed -e 's/(//' -e 's/)//'
}

# Main section
ps aux|grep manacnt|grep -v grep |grep agent &>/dev/null || echo "Need to have an agent running"

# Section for ILOMs on Oracle Blades
for s in $(cat lsILOMb)
do echo -e "$(Ping-to-IP $s),$(HERE-ILOM $s),Embedded Linux,$s"
done

# Section for ILOMs on Oracle Chassis
for s in $(cat lsILOMc)
do echo -e "$(Ping-to-IP $s),$(HERE-ILOMc $s),Embedded Linux,$s,FALSE,ILOM,N611"
done

So the script generates a comma-separated values (CVS) file, which contains the IP address, MAC address, OS, and hostname. I then give this file to the network security people.

Example output: 10.0.1.20,00:10:e0:40:c2,Embedded Linux,server-ilom

If you have any questions feel free to ask them below.