rpm -Va shows /boot/efi mode different from vendor default

Support for security such as Firewalls and securing linux
nelm
Posts: 5
Joined: 2018/04/11 16:16:47

rpm -Va shows /boot/efi mode different from vendor default

Post by nelm » 2018/04/16 16:25:29

If you run

rpm -Va | grep '^.M'

it shows that the mode of the files is different than the vendor defaults. This is an issue for STIG requirements.

.M.......    /boot/efi/EFI/BOOT/BOOTX64.EFI
.M.......    /boot/efi/EFI/BOOT/fbx64.efi
.M.......    /boot/efi/EFI/centos/BOOT.CSV
.M.......    /boot/efi/EFI/centos/BOOTX64.CSV
.M.......    /boot/efi/EFI/centos/mmx64.efi
.M.......    /boot/efi/EFI/centos/shim.efi
.M.......    /boot/efi/EFI/centos/shimx64-centos.efi
.M.......    /boot/efi/EFI/centos/shimx64.efi

Neither running

rpm --setperms shim-x64-12-1.el7.x86_64
rpm --setperms shim-x64-12-1.el7.x86_64
nor reinstalling shim seems to fix this. Any idea how to do this?

I found this on redhat, https://access.redhat.com/solutions/3237921, but can't access it because I don't have a subscription.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: rpm -Va shows /boot/efi mode different from vendor default

Post by TrevorH » 2018/04/16 17:16:24

"FAT32 doesn't honour Linux File Permissions"
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
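
The answer above can be turned into a repeatable check for a STIG review. This is an added example, not code from the thread: it splits `rpm -Va` mode findings into those on a FAT filesystem (expected, to be documented as an exception) and those that still need review. The function names are hypothetical, and it assumes `findmnt` from util-linux is installed.

```shell
#!/bin/sh
# Added example, not from the thread: sort `rpm -Va` mode findings by the
# filesystem they live on. FAT does not store Unix mode bits, so a mode
# mismatch on /boot/efi is expected and does not indicate tampering.

# Filesystem type that holds the given path (findmnt is part of util-linux).
fstype_of() {
    findmnt -n -o FSTYPE -T "$1" 2>/dev/null
}

# Read `rpm -Va` output on stdin. For each line whose second flag is M,
# print "EXPECTED <fstype> <path>" on FAT, otherwise "REVIEW <fstype> <path>".
classify_modes() {
    local flags rest path fs
    while read -r flags rest; do
        case "$flags" in
            ?M*) ;;                 # same selection as grep '^.M'
            *) continue ;;
        esac
        # Strip the optional file-type marker (c, d, g, l, r) before the path.
        case "$rest" in
            [cdglr]\ /*) path=${rest#? } ;;
            *) path=$rest ;;
        esac
        fs=$(fstype_of "$path") || fs=
        case "$fs" in
            vfat|msdos) echo "EXPECTED $fs $path" ;;
            *) echo "REVIEW ${fs:-unknown} $path" ;;
        esac
    done
}

# Number of mode findings that still need a human look (0 means clean).
review_count() {
    classify_modes | grep -c '^REVIEW ' || true
}

# Live use: sh check_modes.sh --live   (script name is a placeholder)
if [ "${1:-}" = "--live" ]; then
    rpm -Va | classify_modes
fi
```

Findings reported as EXPECTED are governed by the mount options of the EFI System Partition rather than by the RPM database, so that is where access restrictions for those files are set.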

nelm
Posts: 5
Joined: 2018/04/11 16:16:47

Re: rpm -Va shows /boot/efi mode different from vendor default

Post by nelm » 2018/04/16 17:46:29

I guess I should have known that :oops: . Thanks Trevor!
