2.5 Setting the Security Policy

You can optionally set security policy at installation time by configuring settings in the Security Policy screen.

Note

Because security policy is not required on all systems, use the Security Policy screen only if you need to enforce a specific security policy, as mandated by your organization or government regulations.

By default, no security policies are enforced and no checks are performed during or after an installation, unless you specifically configure settings in this screen at installation time.

As shown in Figure 2.14, there are several pre-defined policies (profiles) that are available in the Security Policy screen. These security policies follow the recommendations and guidelines that are defined by the Security Content Automation Protocol (SCAP) standard. See https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-scap-sec.html for more details about SCAP.

You can also add custom security policies that you download from an HTTP, HTTPS, or FTP server. You use the Change content option in the Security Policy screen to configure custom policies.


To set security policy in the Security Policy screen, begin by toggling the Apply security policy switch to On. This switch is located at the top of the screen.

Note

If the Apply security policy switch is set to Off, you cannot configure any of the settings in this screen. The switch can be set to Off if you are not setting security policy during the installation.

Select a profile from the list of profiles that is displayed in the top window of the screen. Click the Select profile button. A message confirming the selection is displayed in the Changes that were done or need to be done: field that is located in the bottom window of the screen. A checkmark is displayed next to the selected profile on the right of the window.

Click Done to save the changes and return to the Installation Summary screen.

You use the same screen to configure custom security settings. You can download the custom profile from an HTTP, HTTPS, or FTP server. Note that you must have an active network connection so that you can download the custom profile prior to using this option. You also might need to perform certain pre-installation tasks.

To use a custom profile, click the Change content button that is located in the top left corner of the screen. Clicking this button opens another window, where you type the URL to the download location of the custom profile.

Note

You must use the complete address, including the protocol, for the location of the custom profile, for example, http://.

Click Fetch to download the custom security profile. Alternatively, click Use SCAP Security Guide to return to the default policy selection window.

Check that the Changes that were done or need to be done: field shows the changes to be made. Then, click Done to save the changes.

During the installation, the security policy that you applied is installed according to the restrictions and recommendations that are defined in the specified profile. In addition, the openscap-scanner package is added to the packages that are installed. This package provides a tool for compliance and vulnerability scanning.

When the installation has completed, the system is automatically scanned to verify compliance, and the results are saved to the /root/openscap_data directory on the system.
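
The following added example (not part of the original guide) summarizes a scan results file so that rules needing review after the installation stand out. It assumes the results are stored in XCCDF result format; the file name inside /root/openscap_data is not given above, so the path is passed as an argument, and the embedded sample with its rule ids is constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in XCCDF result format; the rule ids are illustrative only.
SAMPLE_RESULTS = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2">
  <TestResult id="xccdf_org.example_testresult_sample">
    <rule-result idref="xccdf_org.example_rule_a" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_b" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_c" severity="low">
      <result>notselected</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_d" severity="high">
      <result>error</result>
    </rule-result>
  </TestResult>
</Benchmark>"""

# Outcomes where the rule was in scope but compliance was not confirmed.
ATTENTION = {"fail", "error", "unknown"}

def local(tag):
    """Drop the XML namespace so XCCDF 1.1 and 1.2 files are both handled."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_data):
    """Return (Counter of outcomes, sorted [(severity, rule id, outcome)] to review)."""
    root = ET.fromstring(xml_data)  # accepts str or bytes
    counts, review = Counter(), []
    for elem in root.iter():
        if local(elem.tag) != "rule-result":
            continue
        # A rule-result with no <result> child is treated as "unknown".
        outcome = next((c.text.strip() for c in elem
                        if local(c.tag) == "result" and c.text), "unknown")
        counts[outcome] += 1
        if outcome in ATTENTION:
            review.append((elem.get("severity", "unknown"), elem.get("idref"), outcome))
    return counts, sorted(review)

if __name__ == "__main__":
    # Usage: script.py <results file from /root/openscap_data>; no argument runs the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    counts, review = summarize(data)
    print(dict(counts))
    for severity, rule, outcome in review:
        print(f"{outcome:7} {severity:8} {rule}")
```

Rules reported as notselected or notapplicable were not evaluated, so a low failure count does not by itself show that the whole profile was enforced.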