Oracle® Linux

Security Guide for Release 6

Oracle Legal Notices
Oracle Documentation License


June 2017

Table of Contents

1 Oracle Linux Security Overview
1.1 Basic Security Considerations
1.1.1 Keep Software up to Date
1.1.2 Restrict Network Access to Critical Services
1.1.3 Follow the Principle of Least Privilege
1.1.4 Monitor System Activity
1.1.5 Keep up to Date on the Latest Security Information
1.2 The Oracle Linux Security Model
1.3 Overview of Oracle Linux Security
1.4 Understanding the Oracle Linux Environment
1.5 Recommended Deployment Configurations
1.6 Component Security
1.7 References
2 Secure Installation and Configuration
2.1 Pre-Installation Tasks
2.2 Installing Oracle Linux
2.2.1 Shadow Passwords and Hashing Algorithms
2.2.2 Strong Passwords
2.2.3 Separate Disk Partitions
2.2.4 Encrypted Disk Partitions
2.2.5 Software Selection
2.2.6 Network Time Service
2.3 Post-Installation Tasks
3 Implementing Oracle Linux Security
3.1 Configuring and Using Data Encryption
3.2 Configuring a GRUB Password
3.3 Configuring and Using Certificate Management
3.3.1 About the openssl Command
3.3.2 About the keytool Command
3.4 Configuring and Using Authentication
3.4.1 About Local Oracle Linux Authentication
3.4.2 About IPA
3.4.3 About LDAP Authentication
3.4.4 About NIS Authentication
3.4.5 About Winbind Authentication
3.4.6 About Kerberos Authentication
3.5 Configuring and Using Pluggable Authentication Modules
3.6 Configuring and Using Access Control Lists
3.7 Configuring and Using SELinux
3.7.1 About SELinux Administration
3.7.2 About SELinux Modes
3.7.3 Setting SELinux Modes
3.7.4 About SELinux Policies
3.7.5 About SELinux Context
3.7.6 About SELinux Users
3.8 Configuring and Using Auditing
3.9 Configuring and Using System Logging
3.10 Configuring and Using Process Accounting
3.11 Configuring and Using Software Management
3.11.1 Configuring Update and Patch Management
3.11.2 Installing and Using the Yum Security Plugin
3.12 Configuring Access to Network Services
3.12.1 Configuring and Using Packet-filtering Firewalls
3.12.2 Configuring and Using TCP Wrappers
3.13 Configuring and Using Chroot Jails
3.13.1 Running DNS and FTP Services in a Chroot Jail
3.13.2 Creating a Chroot Jail
3.13.3 Using a Chroot Jail
3.14 Configuring and Using Linux Containers
3.15 Configuring and Using Kernel Security Mechanisms
3.15.1 Address Space Layout Randomization
3.15.2 Data Execution Prevention
3.15.3 Position Independent Executables
4 Security Considerations for Developers
4.1 Design Principles for Secure Coding
4.2 General Guidelines for Secure Coding
4.3 General Guidelines for Network Programs
5 Secure Deployment Checklist
5.1 Minimizing the Software Footprint
5.2 Configuring System Logging
5.3 Disabling Core Dumps
5.4 Minimizing Active Services
5.5 Locking Down Network Services
5.6 Configuring a Packet-filtering Firewall
5.7 Configuring TCP Wrappers
5.8 Configuring Kernel Parameters
5.9 Restricting Access to SSH Connections
5.10 Configuring File System Mounts, File Permissions, and File Ownerships
5.11 Checking User Accounts and Privileges
6 Using OpenSCAP to Scan for Vulnerabilities
6.1 About SCAP
6.2 Installing the SCAP Packages
6.3 About the oscap Command
6.4 Displaying the Available SCAP Information
6.5 Displaying Information About a SCAP File
6.6 Displaying Available Profiles
6.7 Validating OVAL and XCCDF Files
6.8 Running a Scan Against a Profile
6.9 Generating a Full Security Guide
6.10 Running an OVAL Auditing Scan
7 Enabling FIPS Mode for OpenSSL
7.1 About the FIPS 140-2 OpenSSL Library Modules
7.2 Configuring a System for FIPS Mode
7.3 Using the FIPS-Compliant OpenSSL Library