The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.

Oracle® Linux 6

Security Guide

Oracle Legal Notices
Oracle Documentation License

E36387-24

March 2021
Table of Contents

Preface
1 Oracle Linux Security Overview
1.1 Basic Security Considerations
1.1.1 Keep Software up to Date
1.1.2 Restrict Network Access to Critical Services
1.1.3 Follow the Principle of Least Privilege
1.1.4 Monitor System Activity
1.1.5 Keep up to Date on the Latest Security Information
1.2 The Oracle Linux Security Model
1.3 Overview of Oracle Linux Security
1.4 Understanding the Oracle Linux Environment
1.5 Recommended Deployment Configurations
1.6 Component Security
1.7 References
2 Secure Installation and Configuration
2.1 Pre-Installation Tasks
2.2 Installing Oracle Linux
2.2.1 Shadow Passwords and Hashing Algorithms
2.2.2 Strong Passwords
2.2.3 Separate Disk Partitions
2.2.4 Encrypted Disk Partitions
2.2.5 Software Selection
2.2.6 Network Time Service
2.3 Post-Installation Tasks
3 Implementing Oracle Linux Security
3.1 Configuring and Using Data Encryption
3.2 Configuring a GRUB Password
3.3 Configuring and Using Certificate Management
3.3.1 About the openssl Command
3.3.2 About the keytool Command
3.4 Configuring and Using Authentication
3.4.1 About Local Oracle Linux Authentication
3.4.2 About IPA
3.4.3 About LDAP Authentication
3.4.4 About NIS Authentication
3.4.5 About Winbind Authentication
3.4.6 About Kerberos Authentication
3.5 Configuring and Using Pluggable Authentication Modules
3.6 Configuring and Using Access Control Lists
3.7 Configuring and Using SELinux
3.7.1 About SELinux Administration
3.7.2 About SELinux Modes
3.7.3 Setting SELinux Modes
3.7.4 About SELinux Policies
3.7.5 About SELinux Context
3.7.6 About SELinux Users
3.8 Configuring and Using Auditing
3.9 Configuring and Using System Logging
3.10 Configuring and Using Process Accounting
3.11 Configuring and Using Software Management
3.11.1 Configuring Update and Patch Management
3.11.2 Installing and Using the Yum Security Plugin
3.12 Configuring Access to Network Services
3.12.1 Configuring and Using Packet-filtering Firewalls
3.12.2 Configuring and Using TCP Wrappers
3.13 Configuring and Using Chroot Jails
3.13.1 Running DNS and FTP Services in a Chroot Jail
3.13.2 Creating a Chroot Jail
3.13.3 Using a Chroot Jail
3.14 Configuring and Using Linux Containers
3.15 Configuring and Using Kernel Security Mechanisms
3.15.1 Address Space Layout Randomization
3.15.2 Data Execution Prevention
3.15.3 Position Independent Executables
4 Security Considerations for Developers
4.1 Design Principles for Secure Coding
4.2 General Guidelines for Secure Coding
4.3 General Guidelines for Network Programs
5 Secure Deployment Checklist
5.1 Minimizing the Software Footprint
5.2 Configuring System Logging
5.3 Disabling Core Dumps
5.4 Minimizing Active Services
5.5 Locking Down Network Services
5.6 Configuring a Packet-filtering Firewall
5.7 Configuring TCP Wrappers
5.8 Configuring Kernel Parameters
5.9 Restricting Access to SSH Connections
5.10 Configuring File System Mounts, File Permissions, and File Ownerships
5.11 Checking User Accounts and Privileges
6 Using OpenSCAP to Scan for Vulnerabilities
6.1 About SCAP
6.2 Installing the SCAP Packages
6.3 About the oscap Command
6.4 Displaying the Available SCAP Information
6.5 Displaying Information About a SCAP File
6.6 Displaying Available Profiles
6.7 Validating OVAL and XCCDF Files
6.8 Running a Scan Against a Profile
6.9 Generating a Full Security Guide
6.10 Running an OVAL Auditing Scan
7 FIPS 140-2 Compliance in Oracle Linux
7.1 FIPS Validated Cryptographic Modules for Oracle Linux
7.2 Enabling FIPS Mode on Oracle Linux
7.3 Installing FIPS Validated Cryptographic Modules for Oracle Linux
7.4 Installing and Using the OpenSSL FIPS Object Module
7.4.1 Installing the OpenSSL FIPS Object Module
7.4.2 Using the OpenSSL FIPS Object Module