Oracle® Linux 7

Security Guide

Oracle Legal Notices
Oracle Documentation License

E54670-17

September 2019

Table of Contents

Preface
1 Oracle Linux Security Overview
1.1 Basic Security Considerations
1.1.1 Keep Software Up to Date
1.1.2 Restrict Network Access to Critical Services
1.1.3 Follow the Principle of Least Privilege
1.1.4 Monitor System Activity
1.1.5 Keep Up to Date on the Latest Security Information
1.2 About the Oracle Linux Security Model
1.3 Overview of Oracle Linux Security
1.4 Understanding the Oracle Linux Environment
1.5 Recommended Deployment Configurations
1.6 Component Security
1.7 References
2 Secure Installation and Configuration
2.1 Pre-Installation Tasks
2.2 Installing Oracle Linux
2.2.1 Shadow Passwords and Hashing Algorithms
2.2.2 Strong Passwords
2.2.3 Separate Disk Partitions
2.2.4 Encrypted Disk Partitions
2.2.5 Software Selection
2.2.6 Network Time Service
2.3 Post-Installation Tasks
3 Implementing Oracle Linux Security
3.1 Configuring and Using Data Encryption
3.2 Configuring and Using Certificate Management
3.2.1 About the openssl Command
3.2.2 About the keytool Command
3.3 Configuring and Using Authentication
3.3.1 About Local Oracle Linux Authentication
3.3.2 About IPA
3.3.3 About LDAP Authentication
3.3.4 About NIS Authentication
3.3.5 About Winbind Authentication
3.3.6 About Kerberos Authentication
3.4 Configuring and Using Pluggable Authentication Modules
3.5 Configuring and Using Access Control Lists
3.6 Configuring and Using SELinux
3.6.1 About SELinux Administration
3.6.2 About SELinux Modes
3.6.3 Setting SELinux Modes
3.6.4 About SELinux Policies
3.6.5 About SELinux Context
3.6.6 About SELinux Users
3.6.7 Troubleshooting Access-Denial Messages
3.7 Configuring and Using Auditing
3.8 Configuring and Using System Logging
3.8.1 Configuring Logwatch
3.9 Configuring and Using Process Accounting
3.10 Configuring and Using Software Management
3.10.1 Configuring Update and Patch Management
3.10.2 Installing and Using the Yum Security Plugin
3.11 Configuring Access to Network Services
3.11.1 Configuring and Using Packet-Filtering Firewalls
3.11.2 Controlling the firewalld Service
3.11.3 Controlling the iptables Firewall Service
3.11.4 Configuring and Using TCP Wrappers
3.12 Configuring and Using chroot Jails
3.12.1 Running DNS and FTP Services in a Chroot Jail
3.12.2 Creating a Chroot Jail
3.12.3 Using a Chroot Jail
3.13 Configuring and Using Linux Containers
3.14 Configuring and Using Kernel Security Mechanisms
3.14.1 Address Space Layout Randomization
3.14.2 Data Execution Prevention
3.14.3 Position Independent Executables
4 Security Considerations for Developers
4.1 Design Principles for Secure Coding
4.2 General Guidelines for Secure Coding
4.3 General Guidelines for Network Programs
5 Secure Deployment Checklist
5.1 Minimizing the Software Footprint
5.2 Configuring System Logging
5.3 Disabling Core Dumps
5.4 Minimizing Active Services
5.5 Locking Down Network Services
5.6 Configuring a Packet-Filtering Firewall
5.7 Configuring TCP Wrappers
5.8 Configuring Kernel Parameters
5.9 Restricting Access to SSH Connections
5.10 Configuring File System Mounts, File Permissions, and File Ownership
5.11 Checking User Accounts and Privileges
6 Using OpenSCAP to Scan for Vulnerabilities
6.1 About SCAP
6.2 Installing the SCAP Packages
6.3 About the oscap Command
6.4 Displaying the Available SCAP Information
6.5 Displaying Information About a SCAP File
6.6 Displaying Available Profiles
6.7 Validating OVAL and XCCDF Files
6.8 Running a Scan Against a Profile
6.9 Generating a Full Security Guide
6.10 Running an OVAL Auditing Scan
7 FIPS 140-2 Compliance in Oracle Linux
7.1 FIPS Validated Cryptographic Modules for Oracle Linux
7.2 Enabling FIPS Mode on Oracle Linux
7.3 Installing FIPS Validated Cryptographic Modules for Oracle Linux
8 Oracle Linux 7 Common Criteria Certification

Copyright © 2013, 2019, Oracle and/or its affiliates. All rights reserved. Legal Notices