I'm working through hardening a RHEL6 VM that is using EFI/UEFI for the boot loader.
The current permissions are the following:
Code:
[root@server redhat]# pwd ; ls -al
/boot/efi/EFI/redhat
total 264
drwx------. 2 root root 4096 May 7 11:05 .
drwx------. 3 root root 4096 Sep 18 2017 ..
-rwx------. 1 root root 1720 May 7 11:05 grub.conf
-rwx------. 1 root root 254317 Nov 9 2016 grub.efi
[root@server redhat]#
I'm following a STIG stating that the octal permissions need to be 600, not 700.
I can't find any documentation from Red Hat; however, I would think it would need to be read/write/execute, as if a new kernel gets installed and this is the file that gets executed before going to run init.
I don't think it's wise to change this, nor can I change this.
What do others think?
Thanks
EDIT: Here is the STIG that I'm referencing:
https://www.stigviewer.com/stig/red_...inding/V-38583