1. Security Guide
  2. Secure Deployments Checklist
  3. Post-Installation Configuration Security Checklists

Post-Installation Configuration Security Checklists

After installation of Oracle Private Cloud Appliance, secure the hardware by restricting access to the hardware and recording the serial numbers.

Hardware Security Checklist

In order to restrict access to the system hardware, Oracle recommends the following practices:

  • Install Oracle Private Cloud Appliance and related equipment in a locked, restricted-access room.

  • Lock the rack door unless service is required on components within the rack.

  • Restrict access to hot-pluggable or hot-swappable devices because the components are designed to be easily removed.

  • Store spare field-replaceable units (FRUs) or customer-replaceable units (CRUs) in a locked cabinet. Restrict access to the locked cabinet to authorized personnel.

  • Limit SSH listener ports to the management and private networks. Use SSH protocol 2 (SSH-2) and FIPS 140-2 approved ciphers.

  • Limit SSH allowed authentication mechanisms. Inherently insecure methods are disabled.

  • Label all significant items of computer hardware, such as FRUs.

  • Keep hardware activation keys and licenses in a secure location that is easily accessible to the system managers in the case of a system emergency.

Hardware Serial Number Checklist

You should record all serial numbers and keep them in a secure location. There are several techniques to obtaining the overall appliance serial number:

  • Use the Service Enclave console (Administrative Console)

  • Use the appropriate monitoring dashboard (Grafana)

  • Use the Admin Command Line Interface (CLI)

For information on how to get rack component serial numbers, see Retrieving the Serial Numbers for Hardware Components in the Rack

Software Security Checklist

In order to secure the software, after initial installation of Oracle Private Cloud Appliance, Oracle recommends the following practices to restrict system access:

  • Limit use of the root super-user account. Create and use individual user accounts because they ensure positive identification in audit trails, and require less maintenance when administrators leave the team or company.

  • Do not create new users on the management nodes.

  • Disable unnecessary protocols and modules for layers under customer control.

  • Restrict physical access to USB ports, network ports, and system consoles because physical severs and network switches have ports and console connections providing direct access to the system.

  • Restrict the capability to restart the system over the network.

  • For more information on how to enable other security features, see Security Features for Oracle Private Cloud Appliance in this guide.

Network Security Checklist

There are other steps that can be taken to control cloud network security and access to compute instances:

  • Use private subnets if instances do not require a public IP address.

  • Configure firewall rules on the instance to control traffic into and out of an instance at the packet level. However, Oracle-provided images that run Oracle Linux automatically include default rules that allow ingress on TCP port 22 for SSH traffic. In addition, the Microsoft Windows images include default rules that allow ingress on TCP port 3389 for Remote Desktop access.

  • Configure gateways and route tables to allow only required connectivity. This can control traffic flow to "outside" destinations such as your on-premises network or another VCN.

  • Use IAM policies to control access to Oracle Private Cloud Appliance interfaces. You can control which cloud resources can be accessed and which type of access is allowed. For example, you can control who can set up your network and subnets, or who can update route tables, network security groups, or security lists.

For more information on Oracle Private Cloud Appliance network security, see the Oracle Private Cloud Appliance User Guide and Oracle Private Cloud Appliance Administrator Guide .