This chapter describes the tasks to perform when hardening an Exalytics Machine.
Each Oracle Exalytics Release 2 base image comes preinstalled with the Exalytics Hardening script (STIGfix).
STIGs (Security Technical Implementation Guides) are security configuration standards defined by the Defense Information Systems Agency (DISA), an agency of the United States Department of Defense (DoD).
You use the STIGfix script to harden an Exalytics Machine, bringing it into compliance with the STIG standards.
This chapter consists of the following sections:
To run the Exalytics Hardening script:
1. Log on as the root user.
2. Enter the following command:
   # /opt/exalytics/stigfix/bin/stigfix
Next, check whether the Exalytics Machine is in compliance with the STIG guidelines.
To check STIG compliance:
1. Navigate to the following link:
2. Depending on the Linux operating system, perform one of the following actions:
   - For the Linux 5 operating system, perform the following actions:
     a. Under the SCAP 1.1 Content section, click Red Hat 5 STIG Benchmark - Version 1, Release 11, and download the U_RedHat_5_V1R11_STIG_SCAP_1-1_Benchmark.zip file.
     b. To run a scan of the system using the RHEL5 STIG policy, run the following commands:
        # export PATH=/usr/bin:/usr/sbin:$PATH
        # oscap xccdf eval --results results-xccdf.xml --oval-results --cpe U_RedHat_5_V1R11_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml U_RedHat_5_V1R11_STIG_SCAP_1-1_Benchmark-xccdf.xml
        The "oscap" command generates an output file indicating whether specific tests passed or failed.
   - For the Linux 6 operating system, perform the following actions:
     a. Under the SCAP 1.1 Content section, click Red Hat 6 STIG Benchmark - Version 1, Release 7, and download the U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark.zip file.
     b. To run a scan of the system using the RHEL6 STIG policy, run the following commands:
        # export PATH=/usr/bin:/usr/sbin:$PATH
        # oscap xccdf eval --results results-xccdf.xml --oval-results --cpe U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark-cpe-dictionary.xml U_RedHat_6_V1R7_STIG_SCAP_1-1_Benchmark-xccdf.xml
        The "oscap" command generates an output file indicating whether specific tests passed or failed.
3. To get more details, enter the following command:
   # oscap xccdf generate report --output results-xccdf.html results-xccdf.xml
   The scan report is written to results-xccdf.html; open it in a browser to view it.
4. Review the scan report to confirm that the specific tests passed.
The output is similar to the following:
Scan Report
Introduction
Test Result
  Result ID: xccdf_org.open-scap_testresult_default-profile
  Profile: (Default profile)
  Start time: 2015-04-10 12:16
  End time: 2015-02-10 12:16
  Benchmark: embedded
  Benchmark version: 1
Target info
  Targets: <name of the Exalytics Machine>
  Addresses: 127.0.x.xx, 10.242.xxx.xxx, 0:0:0:0:0:0:0:x, 2606:b400:2010:504d:210:e0ff:fe46:xxx, fe80:0:0:0:210:e0ff:fe46:xxx
  Applicable platforms: cpe:/o:redhat:enterprise_linux:5
Score
| system | score | max | % |
|---|---|---|---|
| urn:xccdf:scoring:default | 80.79 | 100.00 | 80.79% |
Results overview
Rule Results Summary
| pass | fixed | fail | error | not selected | not checked | not applicable | informational | unknown | total |
|---|---|---|---|---|---|---|---|---|---|
| 286 | 0 | 68 | 0 | 0 | 0 | 0 | 0 | 0 | 354 |
| Title | Result |
|---|---|
| The system must require authentication upon booting into single-user and maintenance modes. | pass |
| The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts. | fail |
| The system must disable accounts after three consecutive unsuccessful login attempts. | pass |
| The root account must be the only account having a UID of 0. | pass |
| The root user's home directory must not be the root directory (/). | pass |
| The root account's home directory (other than /) must have mode 0700. | pass |
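The HTML report above is generated from results-xccdf.xml, which is the file to keep for change tracking between STIGfix runs. The following Python script, added here as an example and not part of the Oracle documentation or the STIGfix script, summarizes such a results file the way the report's "Rule Results Summary" does: it counts outcomes, reads the score, and lists the failing rules by title. The embedded XCCDF document is a constructed miniature with four rules, not a real scan; the element names and the XCCDF 1.1 namespace are those used by the SCAP 1.1 benchmarks named on this page.

```python
"""Summarize an XCCDF results file written by 'oscap xccdf eval --results'."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.1 namespace: the SCAP 1.1 STIG benchmarks downloaded above use it.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed sample (not a real scan): oscap writes the Benchmark with its
# Rules, and appends a TestResult holding one rule-result per evaluated Rule.
SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="embedded">
  <Rule id="GEN000020"><title>The system must require authentication upon booting into single-user and maintenance modes.</title></Rule>
  <Rule id="GEN000460"><title>The system must disable accounts after three consecutive unsuccessful login attempts.</title></Rule>
  <Rule id="GEN005550"><title>The SSH daemon must be configured with the Department of Defense (DoD) logon banner.</title></Rule>
  <Rule id="GEN007660"><title>The Bluetooth protocol handler must be disabled or not installed.</title></Rule>
  <TestResult id="xccdf_org.open-scap_testresult_default-profile">
    <rule-result idref="GEN000020"><result>pass</result></rule-result>
    <rule-result idref="GEN000460"><result>pass</result></rule-result>
    <rule-result idref="GEN005550"><result>fail</result></rule-result>
    <rule-result idref="GEN007660"><result>notselected</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.00">66.67</score>
  </TestResult>
</Benchmark>
"""


def summarize_results(xml_text: str) -> dict:
    """Return per-outcome counts, the total, the score and the failing rules.

    failures is a list of (rule id, rule title) so a reviewer can match each
    entry against Table 9-1 without opening the HTML report.
    """
    root = ET.fromstring(xml_text)
    # Rule id -> title, so failures are reported the way the HTML report shows them.
    titles = {
        rule.get("id"): rule.findtext("x:title", default="", namespaces=NS)
        for rule in root.iter(f"{{{XCCDF_NS}}}Rule")
    }
    test_result = root.find("x:TestResult", NS)
    if test_result is None:
        raise ValueError("no TestResult element; was the file produced with --results?")

    counts: Counter = Counter()
    failures = []
    for rule_result in test_result.findall("x:rule-result", NS):
        outcome = rule_result.findtext("x:result", default="unknown", namespaces=NS)
        counts[outcome] += 1
        if outcome == "fail":
            rule_id = rule_result.get("idref")
            failures.append((rule_id, titles.get(rule_id, "")))

    score_el = test_result.find("x:score", NS)
    score = float(score_el.text) if score_el is not None and score_el.text else None
    return {
        "counts": dict(counts),
        "total": sum(counts.values()),
        "score": score,
        "failures": failures,
    }


def render(summary: dict) -> str:
    """Plain-text rendering in the order of the report's summary row."""
    order = ["pass", "fixed", "fail", "error", "notselected", "notchecked",
             "notapplicable", "informational", "unknown"]
    lines = ["  ".join(f"{k}={summary['counts'].get(k, 0)}" for k in order)
             + f"  total={summary['total']}  score={summary['score']}"]
    lines += [f"FAIL {rule_id}: {title}" for rule_id, title in summary["failures"]]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python summarize.py results-xccdf.xml   (no argument: built-in sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESULTS
    print(render(summarize_results(text)))
```

Because the real benchmark nests Rules inside Groups, the script walks the whole tree with iter() rather than looking only at direct children of Benchmark. Running it on the results from each STIGfix pass and diffing the FAIL lines shows exactly which of the 68 failures in the report above were resolved.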
Table 9-1 lists the vulnerabilities fixed by running the STIGfix script.
Table 9-1 List of Vulnerabilities Fixed by STIGfix Script
| Vulnerability ID | Description |
|---|---|
| GEN000000_LNX00380 | An Xserver must have none of the following options enabled: -ac, -core (except for debugging purposes), or -nolock. |
| GEN000000-LNX00440 | The /etc/security/access.conf file must have mode 0640 or less permissive. |
| GEN000000-LNX00520 | The /etc/sysctl.conf file must have mode 0600 or less permissive. |
| GEN000000-LNX00580 | The x86 CTRL-ALT-DELETE key sequence must be disabled. |
| GEN000020 | The system must require authentication upon booting into single-user and maintenance modes. (CCE-4241-6) |
| GEN000252 | The time synchronization configuration file (such as /etc/ntp.conf) must have mode 0640 or less permissive. |
| GEN000290-2 | The system must not have the unnecessary (news) account. |
| GEN000290-3 | The system must not have the unnecessary (gopher) account. |
| GEN000290-4 | The system must not have the unnecessary (ftp) account. |
| GEN000460 | The system must disable accounts after three consecutive unsuccessful login attempts. |
| GEN000500_2 | The graphical desktop environment must set the idle timeout to no more than 15 minutes. Note: This vulnerability is fixed only on a Linux 5 operating system. You can ignore the Fail status on the Linux 6 operating system. |
| GEN000500_3 | Graphical desktop environments provided by the system must have automatic lock enabled. |
| GEN000540 | Users must not be able to change passwords more than once every 24 hours. |
| GEN000560 | The system must not have accounts configured with blank or null passwords. |
| GEN000580 | The system must require passwords contain a minimum of 14 characters. |
| GEN000590 | The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes. |
| GEN000600 | The system must require passwords contain at least one uppercase alphabetic character. |
| GEN000610 | The system must require passwords contain at least one lowercase alphabetic character. |
| GEN000620 | The system must require passwords contain at least one numeric character. |
| GEN000640 | The system must require passwords contain at least one special character. |
| GEN000680 | The system must require passwords contain no more than three consecutive repeating characters. |
| GEN000700 | User passwords must be changed at least every 60 days. |
| GEN000750 | The system must require at least four characters be changed between the old and new passwords during a password change. |
| GEN000800 | The system must prohibit the reuse of passwords within five iterations. |
| GEN000920 | The root account's home directory (other than /) must have mode 0700. |
| GEN000940 | The root account's executable search path must be the vendor default and must contain only absolute paths. |
| GEN000980 | The system must prevent the root account from directly logging in except from the system console. |
| GEN001120 | The system must not permit root logins using remote access programs such as ssh. |
| GEN001720 | All global initialization files must have mode 0644 or less permissive. |
| GEN002100 | The rhosts file must not be supported in PAM. |
| GEN002560 | The system and user default umask must be 077. |
| GEN003060 | Default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file if the cron.allow file does not exist. |
| GEN003080 | Crontab files must have mode 0600 or less permissive and files in cron script directories must have mode 0700 or less. |
| GEN003080-2 | Files in cron script directories must have mode 0700 or less permissive. |
| GEN003200 | The cron.deny file must have mode 0600 or less permissive. |
| GEN003320 | Default system accounts (with the exception of root) must not be listed in the at.allow file or must be included in the at.deny file if the at.allow file does not exist. |
| GEN003609 | The system must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. |
| GEN003610 | The system must not send IPv4 Internet Control Message Protocol (ICMP) redirects. |
| GEN003740 | The xinetd configuration files must have mode 0640 or less permissive. |
| GEN003810 | The portmap or rpcbind service must not be running unless needed. Note: This vulnerability is fixed only on a Linux 5 operating system. You can ignore the Fail status on the Linux 6 operating system. |
| GEN004000 | The traceroute file must have mode 0700 or less permissive. |
| GEN004540 | The SMTP service HELP command must not be enabled. |
| GEN004580 | The system must not use forward files. |
| GEN005040 | All FTP users must have a default umask of 077. Note: This vulnerability is fixed only on a Linux 5 operating system. You can ignore the Fail status on the Linux 6 operating system. |
| GEN005320 | The snmpd.conf file must have mode 0600 or less permissive. |
| GEN005390 | The /etc/syslog.conf file must have mode 0640 or less permissive. Note: This vulnerability is fixed only on a Linux 5 operating system. You can ignore the Fail status on the Linux 6 operating system. |
| GEN005501 | The SSH client must be configured to only use the SSHv2 protocol. |
| GEN005505 | The SSH daemon must be configured to only use FIPS 140-2 approved ciphers. |
| GEN005507 | The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms. |
| GEN005550 | The SSH daemon must be configured with the Department of Defense (DoD) logon banner. This file contains the banner message which will be displayed to any user accessing the hardened system. Users should modify this file to add their company policy or banner message before applying STIGfix. |
| GEN007020 | The Stream Control Transmission Protocol (SCTP) must be disabled unless required. |
| GEN007080 | The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. |
| GEN007480 | The Reliable Datagram Sockets (RDS) protocol must be disabled or not installed unless required. |
| GEN007540 | The Transparent Inter-Process Communication (TIPC) protocol must be disabled or uninstalled. |
| GEN007660 | The Bluetooth protocol handler must be disabled or not installed. |
| GEN008040 | If the system is using LDAP for authentication or account information, the system must verify that the LDAP server's certificate has not been revoked. |
| GEN008700 | The system boot loader must require authentication. |
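Several of the Table 9-1 controls are file-mode and configuration-keyword checks that can be verified independently of the oscap scan, for instance before STIGfix runs or after a later change to sshd_config. The Python script below is an added example, not part of the Oracle documentation or of STIGfix, and shows the shape of those checks: a bitmask test for "mode 0640 or less permissive" (setuid and setgid bits count as more permissive), sshd_config checks for GEN001120, GEN005505, GEN005507 and GEN005550, an ssh_config check for GEN005501, and sysctl checks for GEN003609 and GEN003610. The cipher and MAC allowlists are assumptions placed there to give the checks a concrete form; replace them with the exact lists from the benchmark release you scan with. The configuration texts are constructed samples, not the Exalytics defaults.

```python
"""Offline checks for a few Table 9-1 controls, run against configuration text."""
import re

# Assumed allowlists for GEN005505 / GEN005507 (not taken from this page):
# substitute the exact lists from the STIG benchmark release in use.
FIPS_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
FIPS_MACS = {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"}

# Constructed samples, not real Exalytics configuration files.
WEAK_SSHD = """
Protocol 2,1
PermitRootLogin yes          # GEN001120 finding
Ciphers aes256-ctr,arcfour   # arcfour is outside the allowlist
"""
HARDENED_SSHD = """
Protocol 2
PermitRootLogin no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
MACs hmac-sha2-256,hmac-sha2-512
Banner /etc/issue
"""
SYSCTL_CONF = """
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
"""


def mode_within(mode: int, max_mode: int) -> bool:
    """True when mode is max_mode or less permissive: no permission bit
    (including setuid/setgid/sticky) is set that max_mode does not allow."""
    return (mode & 0o7777) & ~max_mode == 0


def parse_keywords(text: str) -> dict:
    """Parse 'Keyword value' files such as sshd_config and ssh_config.
    Keywords are case-insensitive and, as in sshd, the first occurrence wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def parse_sysctl(text: str) -> dict:
    """Parse sysctl.conf; the last assignment wins, as 'sysctl -p' applies in order."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def check_sshd(text: str, ciphers=FIPS_CIPHERS, macs=FIPS_MACS) -> dict:
    """Map each daemon-side control to True (compliant) or False (finding).
    A missing directive is treated as a finding: the controls want it explicit."""
    cfg = parse_keywords(text)

    def listed(key):
        return {v for v in cfg.get(key, "").split(",") if v}

    return {
        "GEN001120": cfg.get("permitrootlogin", "yes").lower() == "no",
        "GEN005505": bool(listed("ciphers")) and listed("ciphers") <= ciphers,
        "GEN005507": bool(listed("macs")) and listed("macs") <= macs,
        "GEN005550": cfg.get("banner", "none").lower() not in ("none", ""),
    }


def check_ssh_client(text: str) -> dict:
    """GEN005501: the client must use only protocol 2 (explicitly set)."""
    return {"GEN005501": parse_keywords(text).get("protocol") == "2"}


def check_sysctl(text: str) -> dict:
    """GEN003609 / GEN003610: ICMP redirects neither accepted nor sent (all + default)."""
    s = parse_sysctl(text)
    accept = ("net.ipv4.conf.all.accept_redirects", "net.ipv4.conf.default.accept_redirects")
    send = ("net.ipv4.conf.all.send_redirects", "net.ipv4.conf.default.send_redirects")
    return {
        "GEN003609": all(s.get(k) == "0" for k in accept),
        "GEN003610": all(s.get(k) == "0" for k in send),
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SSHD), ("hardened", HARDENED_SSHD)):
        print(label, check_sshd(text), check_ssh_client(text))
    print("sysctl", check_sysctl(SYSCTL_CONF))
    print("0644 within 0640:", mode_within(0o644, 0o640))
```

To apply the mode check to a live file, pass the value of os.stat(path).st_mode to mode_within; the bitmask form avoids the common mistake of comparing mode strings numerically, which would wrongly accept 0o4600 (setuid) as "less than" 0o640.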