Chapter 3 Secure Installation and Configuration

This chapter outlines the planning process for a secure installation and describes how the choices that you make during installation affect system security.

3.1 Pre-Installation Tasks

An important consideration is the security of the physical system on which you will install Oracle Linux. If possible, keep server systems in a locked data center and limit access to authorized personnel. Such personnel should also receive appropriate administrative training as human error is often the cause of a security breach. For more information about the available Oracle Linux coursework and certification options, see https://education.oracle.com.

Aside from the risks of theft and data compromise, physical security is critical because it prevents an unauthorized user from possibly modifying the system BIOS, altering the boot device, and booting from an alternate medium. If a system is not kept in a locked data center, consider password-protecting the BIOS. Consult the system manufacturer's documentation for information about setting a BIOS password. Edit the BIOS settings to disable booting from the CD-ROM drive, floppy disk drive, USB ports, and other external devices. In addition, you can configure disk encryption during installation, or password-protect the GRUB boot loader after installation.

Note

Setting a BIOS, encrypted disk, or boot-loader password requires you to enter the password whenever you reboot the system. Only disk encryption can prevent access to the data on disk when an attacker uses techniques such as resetting the BIOS, accessing the disk by booting an operating system from a memory stick, or simply removing the hard drive to read its contents on another system.

3.2 Installing Oracle Linux

When you install Oracle Linux, you can reduce the attack surface by installing only the software packages that are required for operation. Software packages are a potential source of setuid programs, network services, and libraries that an attacker can potentially use to gain access illegitimately and compromise a system.

You can use a pretested kickstart profile to provide consistent and precise control over what is installed. Automated installation using a kickstart profile reduces both security risk and administrative effort.

Alternatively, you can use Oracle Enterprise Manager Ops Center, which supports the import of OS images and explicit provisioning profiles. For more information, refer to the Oracle Enterprise Manager Ops Center documentation.

3.2.1 Shadow Passwords and Hashing Algorithms

By default, an Oracle Linux system is configured to use password hashes that are stored in the /etc/shadow file rather than in the world-readable /etc/passwd file. If shadow passwords were not used, an attacker is much more likely to be able to discover a password by applying cracking software to the hashes. Similarly, using a password-hashing algorithm that is weaker than SHA-512 would make it much easier to find likely candidates that match a hash value.

3.2.2 Strong Passwords

During installation, you are prompted to enter passwords for root and one additional user, if you choose the user to be authenticated locally rather than over the network. The passwords that you enter should be strong in that they should be extremely difficult to deduce by guesswork or by other means, such as automated FTP or SSH logins. By default, the installation process rejects null passwords and warns about weak passwords, but it does not enforce strong passwords. It is your responsibility to ensure that passwords are sufficiently strong.

Some general guidelines for creating a strong password are:

  • Make the password at least eight characters long.

  • Use a mixture of lower and upper case letters, numbers, and other characters.

  • Do not include whole words from English, LEET speak, or any other language or technology, even if you spell the words in reverse order.

  • Do not include personal information such as names, dates, addresses, email addresses, or telephone numbers.

  • Do not use well-known acronyms, abbreviations, or character sequences such as QWERTY.

  • Do not use a password that is the same as or very similar to a password that you used previously on the system.

  • Use a password for root that is different from the password for any other user.

3.2.3 Separate Disk Partitions

The National Security Agency (NSA) recommendations state that you should set up user-writable file systems such as /home, /tmp, and /var/tmp on partitions that are separate from /. In addition, /boot must be a dedicated file system if you encrypt the root file system.

For more information, see https://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf.

3.2.4 Encrypted Disk Partitions

When choosing a disk layout, you have the option of encrypting disk partitions with the Linux Unified Key Setup (LUKS) format. As for any other password, ensure that you enter a strong passphrase if you choose to encrypt any partitions.

Note

The /boot file system cannot be encrypted.

3.2.5 Software Selection

If you choose to customize the software to be installed on a system, you can select or deselect packages from the default set. For example, the basic server configuration does not install the Gnome and KDE desktop software and the X Windows System packages from the Desktops section. Additional packages that you might want to install on a server system are available under the Servers, Web Services, Databases, and other section headings.

3.2.6 Network Time Service

If you choose to synchronize the data and time over the network, the system is configured as an NTP client that uses the [012].rhel.pool.ntp.org public servers by default. If your systems rely on Kerberos authentication, which requires close synchronization of the clocks on each participating system, you might prefer to configure your systems to use a local NTP server instead.

3.3 Post-Installation Tasks

For information about the way that you can configure the security of an Oracle Linux system, see Chapter 4, Implementing Oracle Linux Security.

For guidelines about hardening an Oracle Linux system, see Chapter 2, Security Guidelines.