Oracle^® SuperCluster M8 and SuperCluster M7 Security Guide

Index

A

access controlAccess Control

access restrictionsAccess Restrictions

activation keysSerial Numbers

algorithms

cryptographicData Protection

FIPS approvedFIPS-140-2 Level 1 Compliance

ASLR, enablingEnable ASLR

asymmetric keysFIPS-140-2 Level 1 Compliance

auditing

enablingEnable Auditing

for security complianceAuditing for Compliance

auditing and monitoring

Monitoring Security

Monitoring and Compliance Auditing

B

banners

Exadata storage serversConfigure a Login Warning Banner (Storage Server)

Oracle ILOMConfigure Login Warning Banners (Oracle ILOM)

browser inactivity timeout configurationConfigure Administrative Browser Interface Inactivity Timeout

C

certificates, self-signed

IB switchesReplace Default Self-Signed Certificates (IB Switch)

Oracle ILOMReplace Default Self-Signed Certificates (Oracle ILOM)

changing

Ethernet switch passwordsChange the Ethernet Switch Password

Exadata storage server passwordsChange Storage Server Passwords

IB switch passwords (Oracle ILOM)Change IB Switch Passwords (Oracle ILOM)

root and nmuser passwords on IB switchesChange root and nm2user Passwords

ZFS storage appliance root passwordChange the ZFS Storage Appliance root Password

client access networkSecure Isolation

community strings on

IB switchesConfigure SNMP Community Strings (IB Switch)

Oracle ILOMConfigure SNMP v1 and v2c Community Strings (Oracle ILOM)

ZFS storage applianceConfigure SNMP Community Strings

compliance auditing

Auditing for Compliance

Monitoring and Compliance Auditing

compliance reports

generating real-timeGenerate a Compliance Assessment

generating with a cron job(Optional) Run Compliance Reports with a cron Job

compliance commandGenerate a Compliance Assessment

compute servers

disabling unnecessary servicesDisable Unnecessary Services (Compute Servers)

exposed network servicesDefault Exposed Network Services (Compute Servers)

hardening the security configurationHardening the Compute Server Security Configuration

logging in toLog into a Compute Server

securingSecuring the Compute Servers

configuring

compute servers

immutable global zonesCreate Immutable Global Zones

immutable non-global zonesConfigure Immutable Non-Global Zones

secure shell serviceConfigure the Secure Shell Service

TCP connectionsConfigure TCP Connections

Exadata storage servers

account lockoutConfigure System Account Lockout

boot loader passwordsConfigure a System Boot Loader Password

failed authentication lock delaysConfigure a Failed Authentication Lock Delay

login shell inactivity timeoutsConfigure the Administrative Interface Inactivity Timeout (Login Shell)

login warning bannersConfigure a Login Warning Banner (Storage Server)

password agingConfigure Password Aging Control Policies

password complexity rulesConfigure Password Complexity Rules

password history policiesConfigure a Password History Policy

SSH interface inactivity timeoutsConfigure the Administrative Interface Inactivity Timeout (Secure Shell)

IB switches

CLI session timeoutsConfigure the Administrative CLI Session Timeout (IB Switch)

HTTP redirection to HTTPSConfigure HTTP Redirection to HTTPS (IB Switch)

SNMP community stringsConfigure SNMP Community Strings (IB Switch)

Oracle ILOM

browser inactivity timeoutConfigure Administrative Browser Interface Inactivity Timeout

CLI timeoutsConfigure the Administrative Interface Timeout (Oracle ILOM CLI)

HTTP redirection to HTTPSConfigure HTTP Redirection to HTTPS (Oracle ILOM)

login warning bannersConfigure Login Warning Banners (Oracle ILOM)

SNMP v1 and v2c community stringsConfigure SNMP v1 and v2c Community Strings (Oracle ILOM)

ZFS storage appliance

interface inactivity (HTTPS)Configure the Administrative Interface Inactivity Timeout (HTTPS)

SNMP authorized networksConfigure SNMP Authorized Networks

SNMP community stringsConfigure SNMP Community Strings

confirming home directory permissionsEnsure That User Home Directories Have Appropriate Permissions

core dumps, protectingProtect Core Dumps

creating encrypted ZFS data setsCreate Encrypted ZFS Data Sets

cryptographyData Protection

D

data link protection

featuresAccess Control

on global zonesEnable Data Link (Spoofing) Protection on Global Zones

on non-global zonesEnable Data Link (Spoofing) Protection on Non-Global Zones

data protectionData Protection

database activity monitoringDatabase Activity Monitoring and Auditing

default security configurationReviewing the Default Security Configuration

default security settingsDefault Security Settings

default user accounts and passwords on

all componentsDefault User Accounts and Passwords

determining

Exadata storage server software versionsDetermine the Exadata Storage Server Software Version

IB switch firmware versionsDetermine the IB Switch Firmware Version

Oracle ILOM versionsDetermine the Oracle ILOM Version

SuperCluster software versionsDetermine the SuperCluster Software Version

ZFS storage appliance software versionsDetermine the ZFS Storage Appliance Software Version

disabling

compute servers

GSSDisable GSS (Unless Using Kerberos)

unnecessary servicesDisable Unnecessary Services (Compute Servers)

Exadata storage servers

Oracle ILOM console accessDisable Oracle ILOM System Console Access

IB switches

unapproved SNMP protocolsDisable Unapproved SNMP Protocols (IB Switch)

unnecessary servicesDisable Unnecessary Services (IB Switch)

Oracle ILOM

SSL weak and medium-strength ciphers for HTTPSDisable SSL Weak and Medium-Strength Ciphers for HTTPS

SSLv2 protocol for HTTPSDisable the SSLv2 Protocol for HTTPS

SSLv3 protocol for HTTPSDisable the SSLv3 Protocol for HTTPS

unapproved SNMP protocolsDisable Unapproved SNMP Protocols (Oracle ILOM)

unapproved TLS protocols for HTTPSDisable Unapproved TLS Protocols for HTTPS

unnecessary servicesDisable Unnecessary Services (Oracle ILOM)

ZFS storage appliance

dynamic routingDisable Dynamic Routing

unapproved SNMP protocolsDisable Unapproved SNMP Protocols

unnecessary servicesDisable Unnecessary Services (ZFS Storage Appliance)

displaying Exadata storage server security configurationsDisplay Available Security Configurations With host_access_control

drivesDrives

E

enabling

ASLREnable ASLR

auditing on compute serversEnable Auditing

data link protection on global zonesEnable Data Link (Spoofing) Protection on Global Zones

data link protection on non-global zonesEnable Data Link (Spoofing) Protection on Non-Global Zones

encrypted swap spaceEnable Encrypted Swap Space

FIPS-140 compliant operation (Oracle ILOM)(If Required) Enable FIPS-140 Compliant Operation (Oracle ILOM)

IP filter firewallsEnable the IP Filter Firewall

NTP servicesEnable Sendmail and NTP Services

secure verified boot (Oracle ILOM CLI)Enable Secure Verified Boot (Oracle ILOM CLI)

secure verified boot (Oracle ILOM Web interface)Secure Verified Boot (Oracle ILOM Web Interface)

sendmail servicesEnable Sendmail and NTP Services

strict multi-homingEnable Strict Multi-homing

encrypted

swap space, enablingEnable Encrypted Swap Space

ZFS data sets, creatingCreate Encrypted ZFS Data Sets

encryption keysData Protection

enforcing nonexecutable stacksEnforce Nonexecutable Stacks

Ethernet switch

changing passwordsChange the Ethernet Switch Password

securingSecuring the IB and Ethernet Switches

Exadata storage servers

changing passwordsChange Storage Server Passwords

configuring

boot loader passwordsConfigure a System Boot Loader Password

failed authentication lock delaysConfigure a Failed Authentication Lock Delay

login warning bannersConfigure a Login Warning Banner (Storage Server)

password agingConfigure Password Aging Control Policies

password complexity rulesConfigure Password Complexity Rules

password history policiesConfigure a Password History Policy

system account lockoutsConfigure System Account Lockout

disabling Oracle ILOM console accessDisable Oracle ILOM System Console Access

displaying available security configurationsDisplay Available Security Configurations With host_access_control

Exadata storage serversLog into the Storage Server OS

exposed network servicesDefault Exposed Network Services (Storage Servers)

hardening the security configurationHardening the Storage Server Security Configuration

interface inactivity timeouts

login shellConfigure the Administrative Interface Inactivity Timeout (Login Shell)

SSHConfigure the Administrative Interface Inactivity Timeout (Secure Shell)

limiting remote network accessLimiting Remote Network Access

management network isolationStorage Server Management Network Isolation

restricting remote SSH root accessRestrict Remote root Access Using SSH

securingSecuring the Exadata Storage Servers

security configuration restrictionsSecurity Configuration Restrictions

exposed network services on

compute serversDefault Exposed Network Services (Compute Servers)

Exadata storage serversDefault Exposed Network Services (Storage Servers)

IB switchesDefault Exposed Network Services (IB Switch)

Oracle ILOMDefault Exposed Network Services (Oracle ILOM)

ZFS storage applianceDefault Exposed Network Services (ZFS Storage Appliance)

F

FIPS-140

approved algorithmsFIPS-140-2 Level 1 Compliance

compliant operation (Oracle ILOM), enabling(If Required) Enable FIPS-140 Compliant Operation (Oracle ILOM)

Level 1 complianceFIPS-140-2 Level 1 Compliance

firewallAccess Control

firmware updatingSoftware and Firmware Updating

G

generating compliance reportsGenerate a Compliance Assessment

with a cron job(Optional) Run Compliance Reports with a cron Job

GSS, disablingDisable GSS (Unless Using Kerberos)

H

hardening

compute server security configurationHardening the Compute Server Security Configuration

Exadata storage servers security configurationHardening the Storage Server Security Configuration

IB switch security configurationHardening the IB Switch Configuration

Oracle ILOM security configurationHardening the Oracle ILOM Security Configuration

ZFS storage appliance security configurationHardening the ZFS Storage Appliance Security Configuration

hash-based message authenticationFIPS-140-2 Level 1 Compliance

home directories, ensuring appropriate permissionsEnsure That User Home Directories Have Appropriate Permissions

HTTP redirection to HTTPS on

IB switchesConfigure HTTP Redirection to HTTPS (IB Switch)

Oracle ILOMConfigure HTTP Redirection to HTTPS (Oracle ILOM)

I

IB service networkSecure Isolation

IB switches

changing

root and nmuser passwordsChange root and nm2user Passwords

the Oracle ILOM passwordChange IB Switch Passwords (Oracle ILOM)

configuring

CLI session timeoutsConfigure the Administrative CLI Session Timeout (IB Switch)

HTTP redirection to HTTPSConfigure HTTP Redirection to HTTPS (IB Switch)

SNMP community stringsConfigure SNMP Community Strings (IB Switch)

determining the firmware versionDetermine the IB Switch Firmware Version

disabling

unapproved SNMP protocolsDisable Unapproved SNMP Protocols (IB Switch)

unnecessary servicesDisable Unnecessary Services (IB Switch)

exposed network servicesDefault Exposed Network Services (IB Switch)

hardening the security configurationHardening the IB Switch Configuration

logging in toLog Into an IB Switch

network isolationIB Switch Network Isolation

replacing default self-signed certificatesReplace Default Self-Signed Certificates (IB Switch)

securingSecuring the IB and Ethernet Switches

immutable global zones, configuringCreate Immutable Global Zones

immutable non-global zones, configuringConfigure Immutable Non-Global Zones

IP Filter firewall

Enable the IP Filter Firewall

Access Control

isolation, secureSecure Isolation

K

keeping the system secureKeeping SuperCluster M8 and SuperCluster M7 Systems Secure

key store access, setting a passphrase for(Optional) Set a Passphrase for Key Store Access

L

limiting remote network access on Exadata storage serversLimiting Remote Network Access

logging in to

compute server PDomainsLog into a Compute Server

Exadata storage servers OSLog into the Storage Server OS

IB switchesLog Into an IB Switch

Oracle ILOM CLILog in to the Oracle ILOM CLI

the ZFS storage applianceLog into the ZFS Storage Appliance

login warning banners

Exadata storage serversConfigure a Login Warning Banner (Storage Server)

Oracle ILOMConfigure Login Warning Banners (Oracle ILOM)

M

management networkSecure Isolation

managing SuperCluster securityManaging SuperCluster Security

monitoringMonitoring Security

database activityDatabase Activity Monitoring and Auditing

networksNetwork Monitoring

workloadsWorkload Monitoring

monitoring and auditingMonitoring and Compliance Auditing

multi-homing, strictEnable Strict Multi-homing

N

name services using only local filesEnsure That Name Services Only Use Local Files

network isolation on IB switchesIB Switch Network Isolation

network monitoringNetwork Monitoring

network services exposed on

compute serversDefault Exposed Network Services (Compute Servers)

Exadata storage serversDefault Exposed Network Services (Storage Servers)

IB switchesDefault Exposed Network Services (IB Switch)

Oracle ILOMDefault Exposed Network Services (Oracle ILOM)

ZFS storage applianceDefault Exposed Network Services (ZFS Storage Appliance)

networks in SuperClusterSecure Isolation

non-executable stacks, enforcingEnforce Nonexecutable Stacks

NTP services, enablingEnable Sendmail and NTP Services

O

OpenBoot, securingOpenBoot

Oracle Engineered Systems Hardware Manager

Oracle Engineered Systems Hardware Manager

Passwords Known by Oracle Engineered Systems Hardware Manager

default accounts and passwordsDefault User Accounts and Passwords

Oracle Enterprise ManagerOracle Enterprise Manager

Oracle Enterprise Manager Ops CenterOracle Enterprise Manager Ops Center (Optional)

Oracle Identity Management SuiteOracle Identity Management Suite

Oracle ILOM

configuring

browser inactivity timeoutsConfigure Administrative Browser Interface Inactivity Timeout

CLI timeoutsConfigure the Administrative Interface Timeout (Oracle ILOM CLI)

login warning bannersConfigure Login Warning Banners (Oracle ILOM)

SNMP community stringsConfigure SNMP v1 and v2c Community Strings (Oracle ILOM)

determining the versionDetermine the Oracle ILOM Version

disabling

SSL ciphers for HTTPSDisable SSL Weak and Medium-Strength Ciphers for HTTPS

the SSLv2 protocol for HTTPSDisable the SSLv2 Protocol for HTTPS

the SSLv3 protocol for HTTPSDisable the SSLv3 Protocol for HTTPS

unapproved TLS protocols for HTTPSDisable Unapproved TLS Protocols for HTTPS

unnecessary servicesDisable Unnecessary Services (Oracle ILOM)

disabling unapproved SNMP protocolsDisable Unapproved SNMP Protocols (Oracle ILOM)

exposed network servicesDefault Exposed Network Services (Oracle ILOM)

hardening the security configurationHardening the Oracle ILOM Security Configuration

HTTP redirection to HTTPSConfigure HTTP Redirection to HTTPS (Oracle ILOM)

logging into the CLILog in to the Oracle ILOM CLI

replacing default self-signed certificatesReplace Default Self-Signed Certificates (Oracle ILOM)

secure managementOracle ILOM for Secure Management

securingSecuring Oracle ILOM

security on the ZFS storage applianceImplement Oracle ILOM Security Configuration Hardening

Oracle Key Manager

Oracle Key Manager

Data Protection

P

passphrase for key store access, setting(Optional) Set a Passphrase for Key Store Access

password aging on Exadata storage serversConfigure Password Aging Control Policies

password logs and policies, settingSet Password History Logs and Password Policies for PCI Compliance

passwords, changing

Exadata storage serversChange Storage Server Passwords

IB switchesChange root and nm2user Passwords

passwords, default

all componentsDefault User Accounts and Passwords

PDU firmware updatingSoftware and Firmware Updating

physical restrictionsAccess Restrictions

principles, securityUnderstanding Security Principles

protecting core dumpsProtect Core Dumps

Python versionMonitoring and Compliance Auditing

R

random number generatorsFIPS-140-2 Level 1 Compliance

replacing default self-signed certificates on

IB switchesReplace Default Self-Signed Certificates (IB Switch)

Oracle ILOMReplace Default Self-Signed Certificates (Oracle ILOM)

resources, additional

compute serversAdditional Compute Server Resources

Exadata storage serversAdditional Storage Server Resources

hardwareAdditional Hardware Resources

IB switchesAdditional IB Switch Resources

Oracle ILOMAdditional Oracle ILOM Resources

ZFS storage applianceAdditional ZFS Storage Appliance Resources

restricting

remote SSH root access on Exadata storage serversRestrict Remote root Access Using SSH

root as a roleVerify That root Is a Role

S

sanitation of drivesDrives

secure hashing standardFIPS-140-2 Level 1 Compliance

secure isolationSecure Isolation

secure management

Oracle Identity Management SuiteOracle Identity Management Suite

Oracle ILOMOracle ILOM for Secure Management

secure shell service, configuringConfigure the Secure Shell Service

secure verified boot, enabling

Secure Verified Boot (Oracle ILOM Web Interface)

Enable Secure Verified Boot (Oracle ILOM CLI)

securing

compute serversSecuring the Compute Servers

Ethernet switchSecuring the IB and Ethernet Switches

Exadata storage serversSecuring the Exadata Storage Servers

hardware, theSecuring the Hardware

IB switchesSecuring the IB and Ethernet Switches

OpenBoot, theOpenBoot

Oracle ILOMSecuring Oracle ILOM

ZFS storage applianceSecuring the ZFS Storage Appliance

security

configuration restrictions for storage serversSecurity Configuration Restrictions

default settingsDefault Security Settings

managingManaging SuperCluster Security

principlesUnderstanding Security Principles

self-signed certificates on

IB switchesReplace Default Self-Signed Certificates (IB Switch)

Oracle ILOMReplace Default Self-Signed Certificates (Oracle ILOM)

sendmail services, enablingEnable Sendmail and NTP Services

serial numbersSerial Numbers

setting

passphrases for key store access(Optional) Set a Passphrase for Key Store Access

password logs and policiesSet Password History Logs and Password Policies for PCI Compliance

sticky bitsSet the Sticky Bit for World-Writable Files

Silicon Secured MemoryData Protection

SNMP protocols, disablingDisable Unapproved SNMP Protocols (Oracle ILOM)

SNMP v1 and v2c community strings, disablingConfigure SNMP v1 and v2c Community Strings (Oracle ILOM)

software updatingSoftware and Firmware Updating

SPARC M7 processorData Protection

SPARC M8 processorData Protection

SSL ciphers for HTTPS, disablingDisable SSL Weak and Medium-Strength Ciphers for HTTPS

SSLv2 protocol, disabling for HTTPSDisable the SSLv2 Protocol for HTTPS

SSLv3 protocol, disablingDisable the SSLv3 Protocol for HTTPS

sticky bit, settingSet the Sticky Bit for World-Writable Files

strategies, securitySecure Isolation

SuperCluster software version, determining theDetermine the SuperCluster Software Version

swap space, encryptedEnable Encrypted Swap Space

symmetric keysFIPS-140-2 Level 1 Compliance

T

TCP connections, configuringConfigure TCP Connections

TLS protocols for HTTPS, unapprovedDisable Unapproved TLS Protocols for HTTPS

U

user accounts and passwordsDefault User Accounts and Passwords

V

verifying that root is a roleVerify That root Is a Role

version of

IB switch firmwareDetermine the IB Switch Firmware Version

Oracle ILOMDetermine the Oracle ILOM Version

SuperCluster softwareDetermine the SuperCluster Software Version

ZFS storage appliance softwareDetermine the ZFS Storage Appliance Software Version

W

workload monitoringWorkload Monitoring

Z

ZFS data sets, encryptingCreate Encrypted ZFS Data Sets

ZFS storage appliance

configuring

interface inactivity timeouts (HTTPS)Configure the Administrative Interface Inactivity Timeout (HTTPS)

SNMP authorized networksConfigure SNMP Authorized Networks

SNMP community stringsConfigure SNMP Community Strings

disabling

dynamic routingDisable Dynamic Routing

unapproved SNMP protocolsDisable Unapproved SNMP Protocols

unnecessary servicesDisable Unnecessary Services (ZFS Storage Appliance)

exposed network servicesDefault Exposed Network Services (ZFS Storage Appliance)

hardening the security configurationHardening the ZFS Storage Appliance Security Configuration

implementing Oracle ILOM securityImplement Oracle ILOM Security Configuration Hardening

logging in to theLog into the ZFS Storage Appliance

root password, changingChange the ZFS Storage Appliance root Password

securingSecuring the ZFS Storage Appliance

software versions, determiningDetermine the ZFS Storage Appliance Software Version