Oracle Linux STIG

The Oracle Linux STIG Image is an implementation of Oracle Linux that follows the Security Technical Implementation Guide (STIG).

With this image, you can configure an Oracle Linux 7 instance in Oracle Cloud Infrastructure that follows certain security standards and requirements set by the Defense Information Systems Agency (DISA). The latest Oracle Linux STIG Image follows DISA security standards and is hardened to Oracle Linux 7 STIG Benchmark - Ver 2, Rel 4.

Note

Oracle updates the Oracle Linux STIG Image regularly with the latest security errata. Oracle updates this document whenever the STIG benchmark changes, or when changes in the security guidance require manual configuration of the image. See Revision History for Oracle Linux STIG Image for specific changes made in each release.

Important

Any changes that you make to an Oracle Linux STIG Image instance (such as installing other applications or modifying the configuration settings) might impact the SCC compliance score. After making any changes, rescan the instance to check for compliance. See Rescanning an Instance for Compliance.

Configuring an Instance

Additional configuration tasks might be required to meet security guidance for the Oracle Linux STIG Image instance.

aarch64 and x86_64

Considerations Before Applying Remediations

Changes to an Oracle Linux STIG Image instance might affect the instance's default Oracle Cloud Infrastructure account. Consider these implications before making changes.

The following rules impact the system accounts:

OL07-00-010260

Restricting existing passwords to a 60-day maximum lifetime can result in the OPC account being irretrievably locked after 60 days as a result of the account's passwordless setting.

OL07-00-010491

Implementing a GRUB 2 password would introduce a password prompt on instance boot.

OL07-00-021350

Adding fips=1 to the rescue kernel cmdline could result in the instance failing to boot with a Fatal Error.

OL07-00-030010

Setting the failure parameter to 2 would result in a system panic and shutdown when an audit processing failure occurs.

OL07-00-040710

Disabling remote X connections could result in failure to connect to the OCI instance's serial console.
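
The five rules above are the ones whose remediation can lock you out of the instance or stop it booting, so it is worth recording the current state of each setting before changing anything. The following POSIX shell script is an added example and is not Oracle's code or part of the image: each check reads the relevant file (login.defs, the GRUB 2 user.cfg, saved `grubby --info=ALL` output, the audit rules file, sshd_config) and prints the current value without modifying anything. The Oracle Linux 7 file paths used in stig_preflight_report() and the layout of grubby's output are assumptions; the inputs used for testing are constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle page: read-only pre-flight checks for
# the five rules named under "Considerations Before Applying Remediations".
# Each check takes a file path, so it can be run against a saved copy of the
# configuration as well as against the live Oracle Linux 7 paths (assumed)
# used in stig_preflight_report(). Nothing here changes the instance.

# OL07-00-010260: maximum password lifetime from login.defs (PASS_MAX_DAYS).
# A 60-day limit combined with a passwordless opc account is what the page
# warns about. Prints the configured value, or "unset".
pass_max_days() {
    awk '$1 == "PASS_MAX_DAYS" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# OL07-00-010491: grub2-setpassword stores the hash as GRUB2_PASSWORD=... in
# /boot/grub2/user.cfg; if it is present, a password prompt appears at boot.
grub_password_set() {
    if [ -f "$1" ] && grep -q '^GRUB2_PASSWORD=' "$1"; then echo yes; else echo no; fi
}

# OL07-00-021350: does the rescue kernel's command line carry fips=1?
# Input is the output of `grubby --info=ALL` captured to a file (assumed
# layout: blocks of index=, kernel=, args="..." lines). Prints yes, no, or
# no-rescue-entry.
rescue_has_fips() {
    awk -F= '
        $1 == "kernel" { rescue = ($2 ~ /rescue/); seen += rescue }
        $1 == "args" && rescue { if ($0 ~ /[ "]fips=1[ "]/) found = 1 }
        END { print (seen == 0 ? "no-rescue-entry" : (found ? "yes" : "no")) }' "$1"
}

# OL07-00-030010: audit failure mode, the "-f N" line in the audit rules file.
# 1 = write the failure to the kernel log (the image default), 2 = kernel panic.
audit_failure_mode() {
    awk '$1 == "-f" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# OL07-00-040710: X11Forwarding in sshd_config. sshd uses the first value it
# finds; when the keyword is absent the OpenSSH default is "no".
x11_forwarding() {
    awk 'tolower($1) == "x11forwarding" && !seen { print tolower($2); seen = 1 }
         END { if (!seen) print "no (default)" }' "$1"
}

# Run all five checks against the live paths and print one line per rule.
# Usage on an instance: sudo sh stig_preflight.sh && stig_preflight_report
stig_preflight_report() {
    tmp=$(mktemp)
    grubby --info=ALL > "$tmp" 2>/dev/null || true
    printf 'PASS_MAX_DAYS (010260):        %s\n' "$(pass_max_days /etc/login.defs)"
    printf 'GRUB 2 password (010491):      %s\n' "$(grub_password_set /boot/grub2/user.cfg)"
    printf 'rescue kernel fips=1 (021350): %s\n' "$(rescue_has_fips "$tmp")"
    printf 'audit failure mode (030010):   %s\n' "$(audit_failure_mode /etc/audit/rules.d/audit.rules)"
    printf 'sshd X11Forwarding (040710):   %s\n' "$(x11_forwarding /etc/ssh/sshd_config)"
    rm -f "$tmp"
}
```

Keep the report output with the instance's change record: after a remediation, rerunning it shows exactly which of the five risky settings moved, and the audit failure mode and rescue kernel checks are the ones to confirm before the next reboot.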

Additional Configurations for Oracle Linux STIG Image Instances

The hardened Oracle Linux STIG Image cannot be configured for all the recommended guidance. You must manually finalize any configurations not included in the image.

Note

When scanned against the target DISA STIG SCAP benchmark for Oracle Linux - Ver 2, Rel 4 using the I - Mission Critical Classified profile, the image obtained a score of 89.44%.

For each security rule established by DISA, instructions to apply the appropriate security configuration are provided in the Oracle Linux 7 Security Technical Implementation Guide V2R4.

The following table describes the areas of guidance not included in the latest Oracle Linux STIG Image, which require additional configuration. To make configuration changes according to the guidance, see Applying Remediations.

Each entry gives the STIG-ID, the rule description, and the reason for exclusion.

OL07-00-010230
  Rule Description: The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime.
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.

OL07-00-010240
  Rule Description: The Oracle Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime.
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.

OL07-00-010250
  Rule Description: The Oracle Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime.
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access.

OL07-00-010260
  Rule Description: The Oracle Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime.
  Reason for Exclusion: Affects the default OPC user login account configured for Oracle Cloud Infrastructure instance access. PAM password lifetime rules likewise affect SSH keys.

OL07-00-010340
  Rule Description: The Oracle Linux operating system must be configured so that users must provide a password for privilege escalation.
  Reason for Exclusion: According to the Oracle Cloud Infrastructure default schema, NOPASSWD is set for OPC.

OL07-00-010342
  Rule Description: The Oracle Linux operating system must use the invoking user's password for privilege escalation when using the sudo command.
  Reason for Exclusion: Affects the default OPC login account.

OL07-00-010491
  Rule Description: The Oracle Linux operating system, version 7.2 or later, when using Unified Extensible Firmware Interface (UEFI) must require authentication upon booting into single-user and maintenance modes.
  Reason for Exclusion: Requires a GRUB 2 password; not feasible for the default image.

OL07-00-020030
  Rule Description: The Oracle Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly.
  Reason for Exclusion: AIDE or another intrusion detection system is expected to be configured on the target image.

OL07-00-021350
  Rule Description: The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
  Reason for Exclusion: The rescue kernel command line omits the fips=1 parameter.

OL07-00-030010
  Rule Description: The Oracle Linux operating system must shut down upon audit processing failure unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) if an audit processing failure occurs.
  Reason for Exclusion: The default setting of the failure parameter is 1, which only records the failure in the kernel log instead of shutting down the instance.

OL07-00-030201
  Rule Description: The Oracle Linux operating system must be configured to off-load audit logs on to a different system or storage media from the system being audited.
  Reason for Exclusion: Configuring the au-remote plugin requires details of a remote server that the image cannot know in advance.

OL07-00-030300
  Rule Description: The Oracle Linux operating system must off-load audit records onto a different system or media from the system being audited.
  Reason for Exclusion: Configuring the au-remote plugin requires details of a remote server that the image cannot know in advance.

OL07-00-030310
  Rule Description: The Oracle Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited.
  Reason for Exclusion: Configuring the au-remote plugin requires details of a remote server that the image cannot know in advance.

OL07-00-030320
  Rule Description: The Oracle Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.
  Reason for Exclusion: Configuring the au-remote plugin requires details of a remote server that the image cannot know in advance.

OL07-00-030321
  Rule Description: The Oracle Linux operating system must be configured so that the audit system takes appropriate action when an error occurs sending audit records to a remote system.
  Reason for Exclusion: Configuring the au-remote plugin requires details of a remote server that the image cannot know in advance.

OL07-00-040600
  Rule Description: At least two name servers must be configured for Oracle Linux operating systems using DNS resolution.
  Reason for Exclusion: Oracle Cloud Infrastructure provides a highly available DNS server.

OL07-00-040710
  Rule Description: The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
  Reason for Exclusion: Affects instance serial console connectivity.

OL07-00-041002
  Rule Description: The Oracle Linux operating system must implement multifactor authentication for access to privileged accounts through pluggable authentication modules (PAM).
  Reason for Exclusion: Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.

OL07-00-041003
  Rule Description: The Oracle Linux operating system must implement certificate status checking for PKI authentication.
  Reason for Exclusion: Certificate status checking for PKI authentication is not configured on the default Oracle Cloud Infrastructure image.

Applying Remediations

Fix areas in the guidance that are not included in the Oracle Linux STIG Image instance.

Important

If you decide to enforce a rule, thoroughly study the information about each rule in the guide to fully understand the potential impact on the instance.

  1. Review Considerations Before Applying Remediations and ensure that you understand potential impacts to the instance.
  2. Download the Oracle Linux 7 Security Technical Implementation Guide from either of the following sites:
    1. Under the STIG Topics heading, select Operating Systems, then select UNIX/Linux.
    2. Select the document to download from the list.
  3. For every rule in the table that you want to fix, do the following:
    1. Search for the rule's STIG-ID in the guide to go to the appropriate section that explains the rule, the vulnerabilities, and the steps to comply with the rule.
    2. Perform the provided configuration steps.


Rescanning an Instance for Compliance

Use the SCC or OpenSCAP tool to scan the instance to verify it remains compliant.

The Oracle Linux STIG Image was scanned and hardened by using DISA STIG Benchmark V2R4. Changes to an Oracle Linux STIG Image instance (such as installing other applications or adding new configuration settings) can affect compliance. Oracle recommends scanning to check that the instance is compliant after any changes. In addition, you might need to perform subsequent scans to check for regular, quarterly DISA STIG updates.

Using the OpenSCAP Tool

The OpenSCAP tool is available in Oracle Linux and is certified by the National Institute of Standards and Technology (NIST).

  1. Log in to your Oracle Linux STIG Image instance.
  2. Install the openscap-scanner package.
    $ sudo yum install openscap-scanner
  3. Download the latest DISA Oracle Linux 7 STIG Benchmark version from the STIGs Document Library at https://public.cyber.mil/stigs/downloads/.
    1. Under the STIG Topics heading, select Operating Systems or search for Oracle Linux using the search box.
    2. From the list of documents, select the Oracle Linux 7 STIG Benchmark document to download.
      A direct link to the file is also available from the STIGs Document Library page. For example, the latest Oracle Linux 7 STIG Benchmark version (V2R5) is: https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_7_V2R5_STIG.zip.
  4. If necessary, unzip the file after downloading it.
  5. To perform a scan, run the following command:
    $ sudo oscap xccdf eval --profile xccdf_mil.disa.stig_profile_MAC-1_Classified \
    --results=path-to-results.xml --oval-results \
    --report=path-to-report.html \
    --check-engine-results path-to-the-benchmark-document

    For other options that you can use with the oscap command, see Using OpenSCAP to Scan for Vulnerabilities in Oracle® Linux 7: Security Guide.

  6. Check the path-to-report.html file for the evaluation results.
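
The HTML report is convenient to read, but the results XML written by --results is what you want to keep between scans so that the score after a change can be compared with the image's baseline and the failing rules listed by STIG-ID. The following POSIX shell script is an added example and is not Oracle's code or part of OpenSCAP: it pulls every rule-result element out of an XCCDF results file with awk. The rule ids in its test input are constructed placeholders, not real benchmark ids, and it assumes an awk that accepts a multi-character record separator (gawk, mawk and busybox awk do).

```shell
#!/bin/sh
# Added example, not from the Oracle page: summarise the XCCDF results file that
# `oscap xccdf eval --results=path-to-results.xml ...` writes, so a rescan after
# a change can be compared with the baseline score and the failing rules
# listed. Requires an awk that accepts a multi-character RS (gawk, mawk, busybox).

# Print one "idref result" pair per <rule-result> element, in file order.
rule_results() {
    awk 'BEGIN { RS = "</rule-result>" }
         /<rule-result/ {
             rec = $0; gsub(/\n/, " ", rec)
             id = rec;  sub(/.*<rule-result[^>]*idref="/, "", id); sub(/".*/, "", id)
             res = rec; sub(/.*<result>/, "", res); sub(/<\/result>.*/, "", res)
             print id, res
         }' "$1"
}

# Rule ids whose result is "fail": the list to work through with the STIG guide.
failed_rules() {
    rule_results "$1" | awk '$2 == "fail" { print $1 }'
}

# Percentage of counted rules that passed. Results the XCCDF default scoring
# model ignores (notapplicable, notchecked, notselected, informational) are left
# out; with equal rule weights this matches the default-model score in the file.
xccdf_score() {
    rule_results "$1" | awk '
        $2 == "pass" || $2 == "fixed" { pass++; n++ }
        $2 == "fail" || $2 == "error" || $2 == "unknown" { n++ }
        END { if (n == 0) print "0.00"; else printf "%.2f\n", 100 * pass / n }'
}

# One-screen summary for a results file. Usage on an instance after a scan:
#   summarise_scan /root/results.xml
summarise_scan() {
    printf 'score: %s%%\n' "$(xccdf_score "$1")"
    printf 'failed rules:\n'
    failed_rules "$1"
}
```

Because the benchmark is updated quarterly, keep the benchmark file name next to each saved results file; a score change between two scans against different benchmark versions says nothing about the instance until the failed-rule lists are compared.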

Using the SCC Tool

The SCC tool is the official tool for checking government compliance and can be used to scan an Oracle Linux STIG Image instance.

Important

The SCC tool does not support the Arm architecture (aarch64). Use the OpenSCAP tool to scan Oracle Linux STIG aarch64 instances.

For instructions on using the SCC tool, see the SCAP Tools table at https://public.cyber.mil/stigs/scap/.

Revision History for Oracle Linux STIG Image

Oracle updates the Oracle Linux STIG Image regularly to address security issues.

If you are deploying an older Oracle Linux STIG Image, you might want to perform a subsequent scan to check for regular, quarterly DISA STIG updates. See Rescanning an Instance for Compliance for additional information.

aarch64

Oracle-Linux-7.9-aarch64-2021.10.08-STIG

The Oracle Linux STIG Image Oracle-Linux-7.9-aarch64-2021.10.08-STIG was released 12/16/2021.

Image Information

  • 5.4.17-2102.205.7.3.el7uek.aarch64 UEK R6 kernel version.

  • First release of the Oracle Linux STIG image based on the Arm architecture (aarch64).

  • Latest versions of Oracle Linux 7.9 system packages, with security fixes.

Compliance Information

  • Target: Benchmark version Oracle Linux 7 DISA STIG Benchmark - Ver 2, Rel 4.

  • OpenSCAP compliance score: 89.44%.

x86_64

Oracle-Linux-7.9-2021.07.27-STIG

The Oracle Linux STIG Image Oracle-Linux-7.9-2021.07.27-STIG was released 8/10/2021.

The following notes about the update are in comparison to the previous Oracle-Linux-7.9-2021.03.02-STIG release.

Image Updates

  • kernel-uek: 5.4.17-2102.203.6.el7uek.x86_64 Unbreakable Enterprise Kernel Release 6 (UEK R6) kernel version, with a fix for CVE-2021-33909.

  • Updated Oracle Linux 7.9 system packages to the latest versions that are available, with security fixes.

Compliance Updates

  • Target: Benchmark version Oracle Linux 7 DISA STIG Benchmark - Ver 2, Rel 4.

  • SCC compliance score: 89.44%.

  • Changes made to the latest STIG image.

    The following table describes the changes that were made in the Oracle-Linux-7.9-2021.07.27-STIG release.

    Note

    Updates for this release are also reflected in Additional Configurations for Oracle Linux STIG Image Instances, which describes areas in the latest image that require manual configuration. See this section for important information that might apply to the rules listed in the following table.

    Each entry gives the STIG-ID, the rule description, the reason for exclusion, the status of the rule in this release, and comments.

    OL07-00-010090
      Rule Description: The Oracle Linux operating system must have the screen package installed.
      Reason for Exclusion: Affects the default Oracle Public Cloud (OPC) user login account configured for Oracle Cloud Infrastructure instance access.
      Status: Removed
      Comments: Rule removed in V2R4.

    OL07-00-021350
      Rule Description: The Oracle Linux operating system must implement NIST FIPS-validated cryptography for the following: to provision digital signatures, to generate cryptographic hashes, and to protect data requiring data-at-rest protections in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
      Reason for Exclusion: The rescue kernel command line omits the fips=1 parameter.
      Status: Added
      Comments: Rule added in V2R4. Important: Adding fips=1 to the rescue kernel cmdline could result in the instance failing to boot with a Fatal Error.

    OL07-00-030200
      Rule Description: The Oracle Linux operating system must be configured to use the au-remote plugin.
      Reason for Exclusion: Configuring the au-remote plugin requires details of a remote server that the image cannot know in advance.
      Status: Removed
      Comments: Rule removed in V2R4.

    OL07-00-030201
      Rule Description: The Oracle Linux operating system must be configured to off-load audit logs on to a different system or storage media from the system being audited.
      Reason for Exclusion: Configuring the au-remote plugin requires details of a remote server that the image cannot know in advance.
      Status: Updated
      Comments: Rule title changed in V2R4.

    OL07-00-040600
      Rule Description: For Oracle Linux operating systems that are using DNS resolution, at least two name servers must be configured.
      Reason for Exclusion: The Oracle National Security Regions (ONSR) image provides just one reliable DNS host.
      Status: Updated
      Comments: Rule title changed in V2R4.

    OL07-00-041001
      Rule Description: The Oracle Linux operating system must have the required packages for multifactor authentication installed.
      Reason for Exclusion: Multifactor authentication is not configured on the default Oracle Cloud Infrastructure image.
      Status: Removed
      Comments: Fixed on the image: the pam_pkcs11 package is installed on the instance.

    OL07-00-040710
      Rule Description: The Oracle Linux operating system must be configured so that remote X connections are disabled, unless to fulfill documented and validated mission requirements.
      Reason for Exclusion: Affects instance serial console connectivity.
      Status: Added
      Comments: Rule added in V2R4.

    OL07-00-010342
      Rule Description: The Oracle Linux operating system must use the invoking user's password for privilege escalation when using the sudo command.
      Reason for Exclusion: Affects the default OPC login account.
      Status: Added
      Comments: Rule added in V2R4.

Oracle-Linux-7.9-2021.03.02-STIG

The Oracle Linux STIG Image Oracle-Linux-7.9-2021.03.02-STIG was released 3/10/2021.

Image Information

  • 5.4.17-2036.103.3.1.el7uek.x86_64 UEK R6 kernel version.

  • Latest versions of Oracle Linux 7.9 system packages, with security fixes.

Compliance Information

  • Target: Benchmark version Oracle Linux 7 DISA STIG Benchmark - Ver 1, Rel 2.

  • SCC compliance score: 89.44%.