Go to main content

Oracle^® SuperCluster M8 and SuperCluster M7 Security Guide

Exit Print View

» ...Documentation Home » Oracle SuperCluster M8 and SuperCluster M7 ... » Oracle^® SuperCluster M8 and ... » Securing the Compute Servers » Hardening the Compute Server Security ... » Enable Data Link (Spoofing) Protection on ...

Updated: June 2020

Oracle^® SuperCluster M8 and SuperCluster M7 Security Guide

Document Information

Using This Documentation

Understanding Security Principles

Reviewing the Default Security Configuration

Securing the Hardware

Securing Oracle ILOM

Securing the Compute Servers

Log into a Compute Server

Determine the SuperCluster Software Version

Configure the Secure Shell Service

Verify That root Is a Role

Default Exposed Network Services (Compute Servers)

Hardening the Compute Server Security Configuration

Disable Unnecessary Services (Compute Servers)

Enable Strict Multi-homing

Configure TCP Connections

Set Password History Logs and Password Policies for PCI Compliance

Ensure That User Home Directories Have Appropriate Permissions

Enable the IP Filter Firewall

Ensure That Name Services Only Use Local Files

Enable Sendmail and NTP Services

Disable GSS (Unless Using Kerberos)

Set the Sticky Bit for World-Writable Files

Protect Core Dumps

Enforce Nonexecutable Stacks

Enable Encrypted Swap Space

Enable Auditing

Enable Data Link (Spoofing) Protection on Global Zones

Enable Data Link (Spoofing) Protection on Non-Global Zones

Create Encrypted ZFS Data Sets

(Optional) Set a Passphrase for Key Store Access

Create Immutable Global Zones

Configure Immutable Non-Global Zones

Enable Secure Verified Boot (Oracle ILOM CLI)

Secure Verified Boot (Oracle ILOM Web Interface)

Additional Compute Server Resources

Securing the ZFS Storage Appliance

Securing the Exadata Storage Servers

Securing the IB and Ethernet Switches

Auditing for Compliance

Keeping SuperCluster M8 and SuperCluster M7 Systems Secure

Language:

Enable Data Link (Spoofing) Protection on Non-Global Zones

Oracle Solaris data link protection can also be applied individually to all Oracle Solaris non-global zones deployed within the SuperCluster environment.

Note - For more information about Oracle Solaris zones, refer to the Oracle Solaris zones documentation in the Oracle Solaris 11.4 Information Library at https://docs.oracle.com/cd/E37838_01/index.html and the Oracle Solaris 11.3 Information Library at http://docs.oracle.com/cd/E53394_01.

Log in to one of the compute servers and access the host console as superuser.
See Log into a Compute Server.

Enforce data link protection on a particular network interface using the zonecfg command.
Ensure that the list of allowed IP address is accurate and complete. The list must include any virtual IP addresses used by Oracle Solaris IPMP, Oracle Real Application Clusters, and so on. Also note that changes made to the SuperCluster non-global zone configuration do not take effect until after the non-global zone is restarted. For more information, refer to the Oracle Solaris zonecfg(1M) man page.
```
# zonecfg –z zonename
zonecfg:zonename> select anet linkname=network-link-name
zonecfg:zonename:anet> set allowed-address="list_of_allowed_IP_addresses"
zonecfg:zonename:anet>  set link-protection=mac-nospoof,ip-nospoof,restricted
zonecfg:zonename:anet>  set configure-allowed-address=false
zonecfg:zonename:anet>  end
zonecfg:zonename>  commit
zonecfg:zonename>  exit
```

Copyright © 2020, Oracle and/or its affiliates.