4 Secure Deployments Checklist

This section provides a checklist of steps used to install and configure the Oracle Private Cloud Appliance product in a secure manner for operational deployment. This checklist section contains items relating to all three layers of the Oracle Private Cloud Appliance.

The three layers of the Oracle Private Cloud Appliance are:

  • Infrastructure - This is the physical rack hardware installed on the customer's premises. Some security-related tasks are performed at this basic level when the system is installed.

  • Service Enclave - This is the part of the system where the appliance infrastructure is controlled. Access to this enclave is closely monitored and restricted to privileged administrators. The Service Enclave runs on a cluster of three management nodes. Many security-related tasks are performed at this level.

  • Compute Enclave - The Compute Enclave is designed for compatibility with Oracle Cloud Infrastructure. The Compute Enclave is where resources such as compute instances, networks, and storage are controlled.

Pre-installation General Considerations

Before product installation, it is important that each of the following items is considered:

  • Networking: Virtual and physical interfaces, bridged and routed

  • User roles: Operator and administrator and others, view or modify or delete

  • Password rules: length and character requirements, other characteristics

  • Cryptographic algorithms: allowed or mandated, usage guidelines

  • Patch or update process security: limitations, roles allowed to execute procedures

This is not an exhaustive list. The more things that can be planned ahead of time, the better.

Post-installation General Considerations

After installation, make sure that you:

  • Keep software up-to-date. This includes the latest product release and any patches that apply to it.

  • Limit privileges wherever possible. Give users only the access necessary to perform their work. Review user privileges periodically to determine relevance to current work requirements.

  • Monitor system activity. Establish who has access to which system components, and how often, and monitor those components.

  • Learn about and use Oracle security features.

  • Use best practices for security.

Auditing Goals

Auditing should make it easy to determine:

  • Who made the change? (More than the information that "root" made the alteration.)

  • When was the change made? (An adequate log retention period is important.)

  • What was the purpose of the change? (If not malicious, the change was made for a reason.)

Installation Security Checklist

Before product installation, create a document to outline the services provided by the product. Have it reviewed and updated to address any shortcomings.

For pre-installation site preparation, see the Oracle Private Cloud Appliance Installation Guide.

For more information on pre-installation security, see Pre-Installation Security Details.

Post-Installation Configuration Security Checklists

After installation of Oracle Private Cloud Appliance, secure the hardware by restricting access to the hardware and recording the serial numbers.

Hardware Security Checklist

In order to restrict access to the system hardware, Oracle recommends the following practices:

  • Install Oracle Private Cloud Appliance and related equipment in a locked, restricted-access room.

  • Lock the rack door unless service is required on components within the rack.

  • Restrict access to hot-pluggable or hot-swappable devices because the components are designed to be easily removed.

  • Store spare field-replaceable units (FRUs) or customer-replaceable units (CRUs) in a locked cabinet. Restrict access to the locked cabinet to authorized personnel.

  • Limit SSH listener ports to the management and private networks. Use SSH protocol 2 (SSH-2) and FIPS 140-2 approved ciphers.

  • Limit the SSH authentication mechanisms that are allowed. Inherently insecure methods are disabled.

  • Label all significant items of computer hardware, such as FRUs.

  • Keep hardware activation keys and licenses in a secure location that is easily accessible to the system managers in the case of a system emergency.

Hardware Serial Number Checklist

You should record all serial numbers and keep them in a secure location. There are several ways to obtain the overall appliance serial number:

  • Use the Service Enclave console (Administrative Console)

  • Use the appropriate monitoring dashboard (Grafana)

  • Use the Admin Command Line Interface (CLI)

For information on how to get rack component serial numbers, see Retrieving the Serial Numbers for Hardware Components in the Rack.

Software Security Checklist

In order to secure the software, after initial installation of Oracle Private Cloud Appliance, Oracle recommends the following practices to restrict system access:

  • Limit use of the root super-user account. Create and use individual user accounts because they ensure positive identification in audit trails, and require less maintenance when administrators leave the team or company.

  • Do not create new users on the management nodes.

  • Disable unnecessary protocols and modules for layers under customer control.

  • Restrict physical access to USB ports, network ports, and system consoles because physical servers and network switches have ports and console connections providing direct access to the system.

  • Restrict the capability to restart the system over the network.

  • For more information on how to enable other security features, see Security Features for Oracle Private Cloud Appliance in this guide.

Network Security Checklist

There are other steps that can be taken to control cloud network security and access to compute instances:

  • Use private subnets if instances do not require a public IP address.

  • Configure firewall rules on the instance to control traffic into and out of an instance at the packet level. However, Oracle-provided images that run Oracle Linux automatically include default rules that allow ingress on TCP port 22 for SSH traffic. In addition, the Microsoft Windows images include default rules that allow ingress on TCP port 3389 for Remote Desktop access.

  • Configure gateways and route tables to allow only required connectivity. This can control traffic flow to "outside" destinations such as your on-premises network or another VCN.

  • Use IAM policies to control access to Oracle Private Cloud Appliance interfaces. You can control which cloud resources can be accessed and which type of access is allowed. For example, you can control who can set up your network and subnets, or who can update route tables, network security groups, or security lists.

For more information on Oracle Private Cloud Appliance network security, see the Oracle Private Cloud Appliance User Guide and Oracle Private Cloud Appliance Administrator Guide.

Account and Password Security Checklists

When the Oracle Private Cloud Appliance system is first powered on, various tasks need to be performed in order to initially set up the system. The accounts and passwords established must be watched to make sure that no unexpected changes occur.

Infrastructure Account and Password Security Checklist

Change any default passwords immediately after successful rack installation and configuration.

Passwords to be updated include:

  • Compute node passwords

  • Compute node Oracle Integrated Lights Out Manager (ILOM) passwords

  • Management node passwords

  • Management node ILOM passwords

  • Leaf switch password

  • Management switch password

  • Spine switch password

  • Oracle ZFS Storage Appliance password

  • Oracle ZFS Storage Appliance ILOM password

There is a tool available on the management nodes to check for default passwords in the infrastructure that must be changed. To run it:

  1. Log into a management node using the default administrative user and password supplied to you by the installation team.

  2. Run the following command: /var/lib/pca-foundation/scripts/healthcheck.py.

The output of the tool will show passwords to change from factory defaults.

Service Enclave Account and Password Security Checklist

At installation and configuration time, an initial user in the SuperAdmin Authorization Group, with a password, is set up for the Service Enclave. Refer to the Oracle Private Cloud Appliance Installation Guide.

The Service Enclave is a multi-user environment where users do not share credentials. Because actions in the Service Enclave affect all tenancies on the appliance, very few users are necessary in this space. General security guidelines are:

  • Do not share credentials.

  • Create a user for each individual that requires access to the Service Enclave administration tools. This practice enables better audit tracking and easier administration of individual needs.

  • Apply the rule of least privileges by choosing the authorization group most appropriate for the individual.

  • When creating a new user, do not use a common password and do not use a default initial password for new users.

  • Change passwords regularly. There are no proactive password change or timeout notifications in the Service Enclave.

There are three authorization groups in the Service Enclave:

  • Admin - Authorization for most operations except user management.

  • Monitor - A read-only role that can only manage their own profile or browse Service Enclave information without changing it.

  • SuperAdmin - Authorization for all capabilities. Only a SuperAdmin can create new users for the Service Enclave and change roles for existing users.

In the Service Enclave, the list of authorization groups is static. Existing groups cannot be modified to change authorizations and new groups cannot be created with different authorizations.

Service Customer Account and Password Security Checklist

There are no default Customer Enclave users or tenancies immediately following the installation and configuration described in the Oracle Private Cloud Appliance Installation Guide.

When a Service Enclave administrator creates a tenancy, an initial user is created and a password is assigned.

Have the new tenancy administrator log into the account and change their password using the Compute Enclave console (https://adminconsole.<domain>).

Once logged in, use the Change Password drop-down located in the top right of the console where the user name is displayed. The tenancy administrator is the only user account that cannot be reset by any user (including themselves). The only option available to the primary tenancy administrator created by the Service Enclave SuperAdmin is to store their password securely and use the Change Password action in the user interface after a successful login.

The password policy for the Compute Enclave is as follows:

  • Password has a minimum length of 12 characters

  • Password contains at least one uppercase letter

  • Password contains at least one lowercase letter

  • Password contains at least one symbol (@$!#%*?&)

  • Password contains at least one number

The password policy cannot be changed.

Monitoring and Logging Account and Password Security Checklist

The monitoring and logging facilities for Oracle Private Cloud Appliance are accessed via consoles at:

  • Grafana: https://grafana.<domain>

  • Prometheus: https://prometheus.<domain>

In Oracle Private Cloud Appliance, this tier has a single user for both platforms (admin) and is delivered with a default password. Change this password after installation and configuration. To change the password, log into one of the management nodes in the infrastructure layer using root and the password that was updated in Password Maintenance in the Infrastructure Layer.

Once logged in, update the password using the Python 3 runtime and this program:

python3 /lib/python3.6/site-packages/pca_foundation/secret_service/scripts/sauron_credential_update.py -username <username> -password <password>

The password policy requires that the password:

  • Must be 12-20 characters long

  • Must contain at least one uppercase letter, one lowercase letter, and one digit

  • Can contain the symbols -_+=

The monitoring and logging tools in Oracle Private Cloud Appliance have the following restrictions:

  • More users cannot be added

  • The credential update tool does not check the password or return information on success or failure of the request

  • The Grafana and Prometheus screens do not lock out users after invalid attempts
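The two password policies above (Compute Enclave and the Grafana/Prometheus admin credential) can be checked locally before a password is submitted; the guide notes that the credential update tool neither validates the password nor reports success, so a pre-check is the only way to catch a non-compliant value before it is set. This is an added example and not part of the Oracle guide or its tooling; the policy values are taken from the text, while the function names and the assumption that the monitoring password is limited to ASCII letters, digits and the four listed symbols are mine.

```python
import string

# Symbol sets exactly as stated in the guide
COMPUTE_ENCLAVE_SYMBOLS = set("@$!#%*?&")
MONITORING_SYMBOLS = set("-_+=")


def check_compute_enclave_password(pw: str) -> list:
    """Return the Compute Enclave policy rules the password fails (empty list = compliant)."""
    failures = []
    if len(pw) < 12:
        failures.append("minimum length 12")
    if not any(c.isupper() for c in pw):
        failures.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("needs a number")
    if not any(c in COMPUTE_ENCLAVE_SYMBOLS for c in pw):
        failures.append("needs a symbol from @$!#%*?&")
    return failures


def check_monitoring_password(pw: str) -> list:
    """Return the Grafana/Prometheus admin policy rules the password fails (empty list = compliant).

    Assumption (not stated by the guide): only ASCII letters, digits and the
    symbols -_+= are accepted, since the guide lists only those symbols.
    """
    failures = []
    if not 12 <= len(pw) <= 20:
        failures.append("length must be 12-20")
    if not any(c.isupper() for c in pw):
        failures.append("needs an uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("needs a lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("needs a digit")
    allowed = set(string.ascii_letters + string.digits) | MONITORING_SYMBOLS
    disallowed = sorted(set(pw) - allowed)
    if disallowed:
        failures.append("disallowed characters: " + "".join(disallowed))
    return failures


if __name__ == "__main__":
    # Constructed sample values, not real credentials
    for pw in ("Correct$Horse9battery", "password1234"):
        print("compute enclave", repr(pw), check_compute_enclave_password(pw) or "OK")
    for pw in ("Monitor_Admin-2024", "Monitor@Admin2024"):
        print("monitoring     ", repr(pw), check_monitoring_password(pw) or "OK")
```

Run the monitoring check on the intended value first and only pass it to sauron_credential_update.py when the returned list is empty.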