Wednesday, November 21, 2018

Fix RPM Database finding for UEFI file types

I ran into an issue the other day when I was hardening a server. I couldn't change the file permissions on a few files to what the RPM database says is the default. This was in regard to the /boot/efi files, or UEFI file types.

This is the check: rpm -Va

The security rule: RHEL-07-010010 "The Red Hat Enterprise Linux operating system must be configured so that the file permissions, ownership, and group membership of system files and commands match the vendor values." Basically the check is to ensure the files have the vendor default file permissions or more restrictive ones.

The same fix also works for the Red Hat 6 rules:
RHEL-06-000516, RHEL-06-000517, RHEL-06-000518, RHEL-06-000519

The Fix

Add the line below to /etc/fstab (replace #### with the UUID of the EFI system partition; see the links at the end for how to look it up). Note that the vfat option is spelled shortname, not shortnames; mount rejects the misspelled form as an unrecognized option.
UUID=####       /boot/efi     vfat umask=0177,shortname=winnt  0 0

Unmount and remount /boot/efi so the new mount options take effect:
root@earth> umount /boot/efi
root@earth> mount /boot/efi
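As an added example (not part of this post), the following shell script computes the file and directory modes a vfat mount exposes for a given fstab options field and checks that the /boot/efi entry yields files no more permissive than 0600, which is what umask=0177 above produces. It assumes the Linux FAT driver's behaviour of starting every file and directory at 0777 and clearing fmask/dmask (both defaulting to umask), and uses 0022 as a labelled fallback when an entry sets no umask at all.

```shell
#!/bin/sh
# Added example (not from the post): derive the permissions a vfat mount
# exposes from its fstab options, and check the /boot/efi entry.
# Assumptions: FAT stores no mode bits, so the kernel starts every file and
# directory at 0777 and clears fmask/dmask (both default to umask); the
# fallback umask of 0022 below is an assumption for entries that set none.

# Print "filemode dirmode" (octal) for a comma-separated options field.
vfat_modes() {
    umask_v=0022 fmask_v='' dmask_v=''
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in
            umask=*) umask_v=${opt#umask=} ;;
            fmask=*) fmask_v=${opt#fmask=} ;;
            dmask=*) dmask_v=${opt#dmask=} ;;
        esac
    done
    IFS=$old_ifs
    : "${fmask_v:=$umask_v}" "${dmask_v:=$umask_v}"
    # Strip a leading zero, then re-add one so the value is parsed as octal.
    printf '%04o %04o\n' $(( 0777 & ~0${fmask_v#0} )) $(( 0777 & ~0${dmask_v#0} ))
}

# Read an fstab on stdin; succeed only if the /boot/efi entry yields files
# no more permissive than 0600 (what umask=0177 from the post produces).
check_efi_fstab() {
    status=1
    while read -r dev mnt fstype opts rest; do
        case $dev in ''|'#'*) continue ;; esac
        [ "$mnt" = /boot/efi ] || continue
        modes=$(vfat_modes "$opts")
        fmode=${modes% *}; dmode=${modes#* }
        if [ $(( 0${fmode#0} & ~0600 )) -eq 0 ]; then
            status=0; verdict='OK'
        else
            verdict='too permissive'
        fi
        echo "/boot/efi ($fstype): files $fmode, dirs $dmode -> $verdict"
    done
    return $status
}

# Demonstration on a constructed entry (PLACEHOLDER stands in for the UUID).
printf 'UUID=PLACEHOLDER /boot/efi vfat umask=0177,shortname=winnt 0 0\n' | check_efi_fstab
```

To audit a real system, run check_efi_fstab < /etc/fstab and compare the reported mode with what rpm -Va flags for the files under /boot/efi.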


Some other reference materials:
Could not change permission for /boot/efi/EFI/redhat/grub.conf
Why do /boot/efi content always show up in rpm -Va output in UEFI enabled system?

How to look up UUIDs:
https://liquidat.wordpress.com/2007/10/15/short-tip-get-uuid-of-hard-disks/
https://liquidat.wordpress.com/2013/03/13/uuids-and-linux-everything-you-ever-need-to-know/
