2.2 Installing Oracle Linux

2.2.1 Shadow Passwords and Hashing Algorithms
2.2.2 Strong Passwords
2.2.3 Separate Disk Partitions
2.2.4 Encrypted Disk Partitions
2.2.5 Software Selection
2.2.6 Network Time Service

When you install Oracle Linux, you can reduce the attack surface by installing only the software packages that are required for operation. Software packages are a potential source of setuid programs, network services, and libraries that an attacker can potentially use to gain access illegitimately and compromise a system.

You can use a pretested Kickstart profile to provide consistent and precise control over what is installed. Automated installation using a Kickstart profile reduces both security risk and administrative effort.

Alternatively, you can use Oracle Enterprise Manager Ops Center, which supports the import of OS images and explicit provisioning profiles. For more information, refer to the Oracle Enterprise Manager Ops Center documentation.

2.2.1 Shadow Passwords and Hashing Algorithms

By default, an Oracle Linux system is configured to use password hashes that are stored in the /etc/shadow file rather than in the world-readable /etc/passwd file. If shadow passwords were not used, an attacker would be much more likely to discover a password by applying cracking software to the hashes. Similarly, using a password-hashing algorithm that is weaker than SHA-512 would make it much easier to find likely candidates that match a hash value.
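As an added example (not part of the Oracle documentation), the following script checks shadow-format and passwd-format files for the two conditions described above: hashes kept in the world-readable file, and hashes that use a scheme other than SHA-512. The function names and the sample entries are constructed for illustration; scheme detection assumes the crypt(3) prefixes $1$ (MD5), $5$ (SHA-256), and $6$ (SHA-512).

```shell
#!/bin/sh
# Added example: sample entries below are constructed, not real hashes.

# Print "user scheme" for every shadow entry that is not a SHA-512 hash.
audit_shadow() {
    awk -F: '
    $2 == "" { print $1, "EMPTY-PASSWORD"; next }
    {
        h = $2
        sub(/^!+/, "", h)               # leading "!" marks a locked account
        if (h == "" || h == "*") next   # no hash stored, login disabled
        if (h ~ /^\$6\$/) next          # SHA-512, the default scheme
        if (h ~ /^\$5\$/) s = "SHA-256"
        else if (h ~ /^\$1\$/) s = "MD5"
        else if (length(h) == 13) s = "DES"
        else s = "OTHER"
        print $1, s
    }' "$1"
}

# Print users whose passwd field 2 is not the "x" shadow placeholder.
audit_passwd() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# Write constructed sample files to a temp directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/shadow" <<'EOF'
root:$6$CONSTRUCTEDsalt$ConstructedSha512Digest:16000:0:99999:7:::
bin:*:15000:0:99999:7:::
newuser:!!:16000:0:99999:7:::
legacy:$1$CONSTRUC$ConstructedMd5Digest:14000:0:99999:7:::
locked:!$5$CONSTRUCTEDsalt$ConstructedSha256Digest:16000:0:99999:7:::
olddes:ab0CONSTRUCT1:12000:0:99999:7:::
guest::16000:0:99999:7:::
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
legacy:$1$CONSTRUC$ConstructedMd5Digest:500:500::/home/legacy:/bin/bash
guest:x:501:501::/home/guest:/bin/bash
EOF
    echo "$dir"
}

d=$(make_samples)
audit_shadow "$d/shadow"
audit_passwd "$d/passwd"
rm -rf "$d"
```

On an installed system, run the two functions as root against /etc/shadow and /etc/passwd; no output from either means every stored hash is SHA-512 and none is kept in /etc/passwd.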

2.2.2 Strong Passwords

During installation, you are prompted to enter passwords for root and one additional user, if you choose the user to be authenticated locally rather than over the network. The passwords that you enter should be strong in that they should be extremely difficult to deduce by guesswork or by other means, such as automated FTP or SSH logins. By default, the installation process rejects null passwords and warns about weak passwords, but it does not enforce strong passwords. It is your responsibility to ensure that passwords are sufficiently strong.

Some general guidelines for creating a strong password are:

  • Make the password at least eight characters long.

  • Use a mixture of lower and upper case letters, numbers, and other characters.

  • Do not include whole words from English, LEET speak, or any other language or technology, even if you spell the words in reverse order. Password cracking programs are more sophisticated than one might naively assume.

  • Do not include personal information such as names, dates, addresses, email addresses, or telephone numbers.

  • Do not use well-known acronyms, abbreviations, or character sequences such as QWERTY.

  • Do not use a password that is the same as or very similar to a password that you used previously on the system.

  • Use a password for root that is different from the password for any other user.

2.2.3 Separate Disk Partitions

The National Security Agency (NSA) recommendations state that you should set up user-writable file systems such as /home, /tmp, and /var/tmp on partitions that are separate from /. In addition, /boot must be a dedicated file system if you encrypt the root file system.

For more information, see http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf.

2.2.4 Encrypted Disk Partitions

When choosing a disk layout, you have the option of encrypting disk partitions with the Linux Unified Key Setup (LUKS) format. As for any other password, ensure that you enter a strong passphrase if you choose to encrypt any partitions.

Note

The /boot file system cannot be encrypted.

2.2.5 Software Selection

If you choose to customize the software to be installed on a system, you can select or deselect packages from the default set. For example, the basic server configuration does not install the GNOME and KDE desktop software and the X Window System packages from the Desktops section. Additional packages that you might want to install on a server system are available under the Servers, Web Services, Databases, and other section headings.

2.2.6 Network Time Service

If you choose to synchronize the date and time over the network, the system is configured as an NTP client that uses the [012].rhel.pool.ntp.org public servers by default. If your systems rely on Kerberos authentication, which requires close synchronization of the clocks on each participating system, you might prefer to configure your systems to use a local NTP server instead.