Oracle® Linux 7

Security Guide

Copyright © 2014, 2022, Oracle and/or its affiliates.

E54670-48

July 2022

Abstract

Oracle® Linux 7: Security Guide provides security guidelines for the Oracle Linux 7 operating system.

Document generated on: 2022-07-21 (revision: 13297)

---

Table of Contents

• Preface
• 1 About System Security
  • 1.1 Overview of System Security in Oracle Linux
  • 1.2 Understanding the Oracle Linux Environment
  • 1.3 Recommended Deployment Configurations
  • 1.4 Component Security
  • 1.5 Basic Security Considerations
    • 1.5.1 Keep Software Up to Date
    • 1.5.2 Restrict Network Access to Critical Services
    • 1.5.3 Follow the Principle of Least Privilege
    • 1.5.4 Monitor System Activity
    • 1.5.5 Keep Up to Date on the Latest Security Information
  • 1.6 Security Considerations for Developers
    • 1.6.1 Design Principles for Secure Coding
    • 1.6.2 General Guidelines for Secure Coding
    • 1.6.3 General Guidelines for Network Programs
• 2 Security Guidelines
  • 2.1 Minimizing the Software Footprint
  • 2.2 Configuring System Logging
  • 2.3 Disabling Core Dumps
  • 2.4 Minimizing Active Services
  • 2.5 Locking Down Network Services
  • 2.6 Configuring a Packet-Filtering Firewall
  • 2.7 Configuring TCP Wrappers
  • 2.8 Configuring Kernel Parameters
  • 2.9 Restricting Access to SSH Connections
  • 2.10 Configuring File System Mounts, File Permissions, and File Ownership
  • 2.11 Checking User Accounts and Privileges
• 3 Secure Installation and Configuration
  • 3.1 Pre-Installation Tasks
  • 3.2 Installing Oracle Linux
    • 3.2.1 Shadow Passwords and Hashing Algorithms
    • 3.2.2 Strong Passwords
    • 3.2.3 Separate Disk Partitions
    • 3.2.4 Encrypted Disk Partitions
    • 3.2.5 Software Selection
    • 3.2.6 Network Time Service
  • 3.3 Post-Installation Tasks
• 4 Implementing Oracle Linux Security
  • 4.1 Configuring Access to Network Services
  • 4.2 Configuring Packet-filtering Firewalls
    • 4.2.1 Controlling the firewalld Firewall Service
    • 4.2.2 Controlling the iptables Firewall Service
  • 4.3 Configuring OpenSSH
  • 4.4 Configuring TCP Wrappers
  • 4.5 Using chroot Jails to Protect the Root (/) Directory
    • 4.5.1 Running DNS and FTP Services in a Chroot Jail
    • 4.5.2 Creating a Chroot Jail
    • 4.5.3 Using a Chroot Jail
  • 4.6 Configuring and Using Software Management
    • 4.6.1 Configuring Update and Patch Management
    • 4.6.2 Installing and Using the Yum Security Plugin
  • 4.7 Configuring and Using Data Encryption
  • 4.8 Configuring and Using Certificate Management
  • 4.9 Configuring and Using Authentication
  • 4.10 Configuring and Using Pluggable Authentication Modules
  • 4.11 Configuring and Using Access Control Lists
  • 4.12 Configuring and Using SELinux
  • 4.13 Configuring and Using Auditing
  • 4.14 Configuring and Using System Logging
    • 4.14.1 Configuring Logwatch
  • 4.15 Configuring and Using Process Accounting
  • 4.16 Configuring and Using Linux Containers
  • 4.17 Configuring and Using Kernel Security Mechanisms
    • 4.17.1 Address Space Layout Randomization
    • 4.17.2 Data Execution Prevention
    • 4.17.3 Position Independent Executables
• 5 Using OpenSCAP to Scan for Vulnerabilities
  • 5.1 About SCAP
  • 5.2 Installing the SCAP Packages
  • 5.3 About the oscap Command
  • 5.4 Displaying the Available SCAP Information
  • 5.5 Displaying Information About a SCAP File
  • 5.6 Displaying Available Profiles
  • 5.7 Validating OVAL and XCCDF Files
  • 5.8 Running a Scan Against a Profile
  • 5.9 Generating a Full Security Guide
  • 5.10 Running an OVAL Auditing Scan
  • 5.11 Scanning Containers, Container Images and Offline File Systems
• 6 FIPS 140-2 Compliance in Oracle Linux 7
  • 6.1 FIPS Validated Cryptographic Modules for Oracle Linux 7.8
    • 6.1.1 Where Packages for FIPS Validated Cryptographic Modules for Oracle Linux 7.8 Are Located
    • 6.1.2 Changes to Requirements and Guidance for FIPS Validated Cryptographic Modules for Oracle Linux 7.8
  • 6.2 FIPS Validated Cryptographic Modules for Oracle Linux 7.5 and Oracle Linux 7.6
  • 6.3 FIPS Validated Cryptographic Modules for Oracle Linux 7.3
  • 6.4 More Information About Modules That Have Received FIPS 140-2 Validation
  • 6.5 Enabling FIPS Mode on Oracle Linux
  • 6.6 Installing FIPS Validated Cryptographic Modules for Oracle Linux
• 7 Oracle Linux 7 Common Criteria Certification

Copyright © 2014, 2022, Oracle and/or its affiliates.