3 Secure Installation and Configuration

This chapter outlines the planning process for a secure installation and describes how the choices that you make during installation affect system security.

Pre-Installation Tasks

An important consideration is the security of the physical system on which you will install Oracle Linux. If possible, keep server systems in a locked data center and limit access to authorized personnel. Such personnel should also receive appropriate administrative training as human error is often the cause of a security breach. For more information about the available Oracle Linux coursework and certification options, see https://education.oracle.com.

Aside from the risks of theft and data compromise, physical security is critical because it prevents an unauthorized user from possibly modifying the system BIOS, altering the boot device, and booting from an alternate medium. If a system is not kept in a locked data center, consider password-protecting the BIOS. Consult the system manufacturer's documentation for information about setting a BIOS password. Edit the BIOS settings to disable booting from the CD-ROM drive, floppy disk drive, USB ports, and other external devices. In addition, you can configure disk encryption during installation, or password-protect the GRUB boot loader after installation.

Note:

Setting a BIOS, encrypted disk, or boot-loader password requires you to enter the password whenever you reboot the system. Only disk encryption can prevent access to the data on disk when an attacker uses techniques such as resetting the BIOS, accessing the disk by booting an operating system from a memory stick, or simply removing the hard drive to read its contents on another system.

Installing Oracle Linux

When you install Oracle Linux, you can reduce the attack surface by installing only the software packages that are required for operation. Software packages are a potential source of setuid programs, network services, and libraries that an attacker can use to gain illegitimate access and compromise a system.

You can use a pretested kickstart profile to provide consistent and precise control over what is installed. Automated installation using a kickstart profile reduces both security risk and administrative effort.

Alternatively, you can use Oracle Enterprise Manager Ops Center, which supports the import of OS images and explicit provisioning profiles. For more information, refer to the Oracle Enterprise Manager Ops Center documentation.

Shadow Passwords and Hashing Algorithms

By default, an Oracle Linux system is configured to store password hashes in the /etc/shadow file rather than in the world-readable /etc/passwd file. If shadow passwords were not used, an attacker would be much more likely to discover a password by applying cracking software to the hashes. Similarly, using a password-hashing algorithm that is weaker than SHA-512 would make it much easier to find likely candidates that match a hash value.

Strong Passwords

During installation, you are prompted to enter passwords for root and one additional user, if you choose the user to be authenticated locally rather than over the network. The passwords that you enter should be strong in that they should be extremely difficult to deduce by guesswork or by other means, such as automated FTP or SSH logins. By default, the installation process rejects null passwords and warns about weak passwords, but it does not enforce strong passwords. It is your responsibility to ensure that passwords are sufficiently strong.

Some general guidelines for creating a strong password are:

  • Make the password at least eight characters long.

  • Use a mixture of lower and upper case letters, numbers, and other characters.

  • Do not include whole words from English, LEET speak, or any other language or technology, even if you spell the words in reverse order.

  • Do not include personal information such as names, dates, addresses, email addresses, or telephone numbers.

  • Do not use well-known acronyms, abbreviations, or character sequences such as QWERTY.

  • Do not use a password that is the same as or very similar to a password that you used previously on the system.

  • Use a password for root that is different from the password for any other user.

Separate Disk Partitions

The National Security Agency (NSA) recommendations state that you should set up user-writable file systems such as /home, /tmp, and /var/tmp on partitions that are separate from /. In addition, /boot must be a dedicated file system if you encrypt the root file system.

Encrypted Disk Partitions

When choosing a disk layout, you have the option of encrypting disk partitions with the Linux Unified Key Setup (LUKS) format. As for any other password, ensure that you enter a strong passphrase if you choose to encrypt any partitions.

Note:

The /boot file system cannot be encrypted.

Software Selection

If you choose to customize the software to be installed on a system, you can select or deselect packages from the default set. For example, the basic server configuration does not install the GNOME and KDE desktop software and the X Window System packages from the Desktops section. Additional packages that you might want to install on a server system are available under the Servers, Web Services, Databases, and other section headings.

Network Time Service

If you choose to synchronize the date and time over the network, the system is configured as an NTP client that uses the [012].rhel.pool.ntp.org public servers by default. If your systems rely on Kerberos authentication, which requires close synchronization of the clocks on each participating system, you might prefer to configure your systems to use a local NTP server instead.
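The following kickstart profile applies the installation choices described in this chapter in one place: shadow passwords with SHA-512 hashing, a boot-loader password, separate file systems for /home, /tmp and /var/tmp, an unencrypted /boot above an encrypted LUKS volume, a minimal package set, a local NTP server, and enforcement of the strong-password guidelines after installation. It is an added example rather than a profile from the Oracle documentation; it assumes an Oracle Linux 7 style installer, and the host names, sizes and REPLACE_ placeholders are illustrative.

```kickstart
# Constructed example profile; replace every REPLACE_ placeholder before use.
install
text
lang en_US.UTF-8
keyboard us
# Local NTP server instead of the public pool; Kerberos needs tightly synchronized clocks.
timezone UTC --utc --ntpservers=ntp.example.internal
network --bootproto=dhcp --hostname=ol-server01.example.internal
selinux --enforcing
firewall --enabled --ssh
# Password hashes go to /etc/shadow and use SHA-512 (the "$6$" prefix in /etc/shadow).
auth --enableshadow --passalgo=sha512
rootpw --iscrypted $6$REPLACE_WITH_SHA512_HASH
# Protect the boot loader; create the hash with grub2-mkpasswd-pbkdf2.
bootloader --location=mbr --iscrypted --password=grub.pbkdf2.sha512.REPLACE_WITH_HASH

zerombr
clearpart --all --initlabel
# /boot must stay a plain, unencrypted file system. Everything else lives in an
# encrypted LVM physical volume; with no --passphrase given, the installer
# prompts for one rather than storing it in this profile.
part /boot --fstype=xfs --size=1024
part pv.01 --size=1 --grow --encrypted
volgroup vg_os pv.01
logvol /        --vgname=vg_os --name=lv_root   --fstype=xfs  --size=10240
logvol swap     --vgname=vg_os --name=lv_swap   --fstype=swap --size=2048
# User-writable trees on their own file systems, mounted nodev/nosuid (and noexec where no code should run).
logvol /home    --vgname=vg_os --name=lv_home   --fstype=xfs  --size=4096 --fsoptions="nodev,nosuid"
logvol /tmp     --vgname=vg_os --name=lv_tmp    --fstype=xfs  --size=2048 --fsoptions="nodev,nosuid,noexec"
logvol /var/tmp --vgname=vg_os --name=lv_vartmp --fstype=xfs  --size=2048 --fsoptions="nodev,nosuid,noexec"

# Minimal package set: no desktop or X packages; add server roles deliberately.
%packages
@core
%end

# The installer only warns about weak passwords; enforce the chapter's guidelines
# for every later password change through pam_pwquality.
%post
cat >> /etc/security/pwquality.conf <<'EOF'
minlen = 8
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
difok = 4
EOF
%end
```

The negative credit values require at least one digit, one upper-case letter, one lower-case letter and one other character, and difok rejects a new password that differs from the old one in fewer than four characters.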

Post-Installation Tasks

For information about the way that you can configure the security of an Oracle Linux system, see Implementing Oracle Linux Security.

For guidelines about hardening an Oracle Linux system, see Security Guidelines.