2 Security Guidelines

This chapter provides guidelines that help secure your Oracle Linux system.

For information about how to use OpenSCAP to scan a system for vulnerabilities, see Using OpenSCAP to Scan for Vulnerabilities.

Minimizing the Software Footprint

On systems on which Oracle Linux has been installed, remove unneeded RPMs to minimize the software footprint. For example, you could uninstall the X Windows package (xorg-x11-server-Xorg) if it is not required on a server system.

To discover which package provides a given command or file, use the yum provides command, as shown in the following example:

yum provides /usr/sbin/sestatus 
...
policycoreutils-2.0.83-19.24.0.1.el6.x86_64 : SELinux policy core utilities
Repo        : installed
Matched from: 
Other       : Provides-match: /usr/sbin/sestatus

To display the files that a package provides, use the repoquery utility, which is included in the yum-utils package. For example, the following command lists the files that the btrfs-progs package provides:

repoquery -l btrfs-progs
/sbin/btrfs
/sbin/btrfs-convert
/sbin/btrfs-debug-tree
...

To uninstall a package, use the yum remove command, as shown in this example:

sudo yum remove xinetd
Loaded plugins: refresh-packagekit, security
Setting up Remove Process
Resolving Dependencies
--> Running transaction check
---> Package xinetd.x86_64 2:2.3.14-35.el6_3 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch          Version                   Repository          Size
================================================================================
Removing:
 xinetd        x86_64        2:2.3.14-35.el6_3         @ol6_latest        259 k

Transaction Summary
================================================================================
Remove        1 Package(s)

Installed size: 259 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Erasing    : 2:xinetd-2.3.14-35.el6_3.x86_64                              1/1 
  Verifying  : 2:xinetd-2.3.14-35.el6_3.x86_64                              1/1 

Removed:
  xinetd.x86_64 2:2.3.14-35.el6_3                                               

Complete!

The following list contains packages that you should not install or that you should remove using the yum remove command if they are already installed.

  • krb5-appl-clients

    Kerberos versions of ftp, rcp, rlogin, rsh and telnet. If possible, use SSH instead.

  • rsh, rsh-server

    rcp, rlogin, and rsh use unencrypted communication that can be snooped. Use SSH instead.

  • samba

    Network services used by Samba. Remove this package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.

  • talk, talk-server

    talk is considered obsolete.

  • telnet, telnet-server

    telnet uses unencrypted communication that can be snooped. Use SSH instead.

  • tftp, tftp-server

    TFTP uses unencrypted communication that can be snooped. Use only if required to support legacy hardware. If possible, use SSH or other secure protocol instead.

  • xinetd

    The security model used by the Internet listener daemon is deprecated.

  • ypbind, ypserv

    The security model used by NIS is inherently flawed. Use an alternative such as LDAP or Kerberos instead.

Configuring System Logging

Verify that the rsyslog logging service is running:

sudo systemctl is-active rsyslog 
active

If the rsyslogd service is not running, start it and enable it to start when the system is rebooted:

sudo systemctl start rsyslog
sudo systemctl enable rsyslog

Ensure that each log file referenced in /etc/rsyslog.conf (and in the files under /etc/rsyslog.d) exists and is owned by root and readable only by root:

sudo touch logfile
sudo chown root:root logfile
sudo chmod 0600 logfile

rsyslog creates any output file that does not yet exist with the mode given by the $FileCreateMode directive (0644 unless you change it), so also set $FileCreateMode 0600 in /etc/rsyslog.conf. Otherwise the permissions you set by hand do not survive the next log rotation, after which rsyslog recreates the file.

It is also recommended that you use a central log server and that you configure Logwatch on that server. See Configuring and Using System Logging.
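The check above is easy to get wrong by hand when a configuration names a dozen files. The following script is an added example, not part of the Oracle Linux guide: it extracts the local file targets from rsyslog configuration text read on standard input and reports any that are missing or not root:root 0600, printing the chown/chmod commands that would fix them. The sample configuration is constructed for the demonstration; only the legacy "selector action" syntax is parsed, not RainerScript action(...) statements.

```shell
#!/bin/sh
# Added example (not part of the Oracle Linux guide): find the local log
# files that an rsyslog configuration writes to and check that each one is
# owned by root:root with mode 0600. Reads configuration text on stdin so
# it works on the constructed sample below as well as on a real file.

# Constructed sample configuration in the legacy "selector action" syntax.
sample_rsyslog_conf() {
    cat <<'EOF'
# Sample only; not a real system file
$ModLoad imuxsock
*.info;mail.none;authpriv.none;cron.none     /var/log/messages
authpriv.*                                   /var/log/secure
mail.*                                       -/var/log/maillog
*.emerg                                      :omusrmsg:*
local7.*                                     :omfile:/var/log/boot.log
*.*                                          @@loghost.example.com:514
EOF
}

# Print the file paths used as actions in the configuration read on stdin.
# Handles "/path", "-/path" (the leading "-" asks for asynchronous writes)
# and ":omfile:/path"; skips comments, $directives, remote (@) and user
# message (:omusrmsg:) actions. RainerScript action(...) lines are not parsed.
rsyslog_log_files() {
    sed -e 's/#.*//' | awk '
        NF >= 2 && $1 !~ /^\$/ {
            act = $NF
            sub(/^:omfile:/, "", act)
            sub(/^-/, "", act)
            if (act ~ /^\//) print act
        }'
}

# Return 0 when OWNER GROUP MODE (as printed by stat -c "%U %G %a") is
# root root 600, the state the guide asks for.
log_perm_ok() {
    [ "$1" = root ] && [ "$2" = root ] && [ "$3" = 600 ]
}

# Check every file named by the configuration on stdin. Prints one line
# per problem with the commands that would fix it; returns 1 if any found.
audit_rsyslog_files() {
    rc=0
    for f in $(rsyslog_log_files); do
        if [ ! -e "$f" ]; then
            echo "MISSING   $f   (sudo touch $f; sudo chown root:root $f; sudo chmod 0600 $f)"
            rc=1
            continue
        fi
        set -- $(stat -c '%U %G %a' "$f")
        if ! log_perm_ok "$1" "$2" "$3"; then
            echo "BAD PERMS $f is $1:$2 $3   (sudo chown root:root $f; sudo chmod 0600 $f)"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed sample. On a real host run:
#   sudo sh -c 'cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf' | audit_rsyslog_files
echo "Log files named in the sample configuration:"
sample_rsyslog_conf | rsyslog_log_files
```

audit_rsyslog_files reports rather than changes anything; run the printed commands once you have confirmed that no non-root process (a log shipper, for example) needs to read the file, since 0600 will also lock that out.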

Disabling Core Dumps

Core dumps can contain information that an attacker might be able to exploit (the memory of the crashed process, including any credentials or keys it held), and they take up a large amount of disk space. To prevent the system from creating core dumps when the operating system terminates a program because of a segmentation fault or other unexpected error, add the following line to /etc/security/limits.conf:

*  hard  core  0

This limit is applied by pam_limits to login sessions only, so it does not cover services started by systemd; for those, set DefaultLimitCORE=0 in /etc/systemd/system.conf (or LimitCORE=0 in the individual unit file) as well. If some users or groups do need core dumps, give them their own entries with a different limit, as described in the limits.conf(5) manual page.

By default, the system prevents setuid and setgid programs, programs that have changed credentials, and programs whose binaries do not have read permission from dumping core. To ensure that the setting is permanently recorded, add the following lines to /etc/sysctl.conf (or to a file in /etc/sysctl.d):

# Disallow core dumping by setuid and setgid programs
fs.suid_dumpable = 0

Then, run the sysctl -p command (or sysctl --system, which also reads the files in /etc/sysctl.d).

Note:

A value of 1 permits core dumps that are readable by the owner of the dumping process. A value of 2 permits core dumps that are readable only by root for debugging purposes.

Minimizing Active Services

Restrict services to only those that a server requires. The default installation for an Oracle Linux server configures a minimal set of services:

  • cupsd and lpd (print services)

  • sendmail (email delivery service)

  • sshd (openSSH services)

If possible, configure one type of service per physical machine, virtual machine, or Linux Container. This technique limits exposure if a system is compromised.

If a service is not used, remove the software packages that are associated with the service. If it is not possible to remove a service because of software dependencies, use the systemctl command to stop and disable the service (on releases that still use SysV init scripts, the equivalent commands are service and chkconfig).

For services that are in use, apply the latest Oracle support patches and security updates to keep software packages up to date. To protect against unauthorized changes, ensure that the /etc/services file is owned by root and writable only by root.

ls -Z /etc/services
-rw-r--r--. root root system_u:object_r:etc_t:SystemLow /etc/services

Unless specifically stated otherwise, consider disabling the services that are described in the following list, if they are not used on your system.

anacron
Executes commands periodically. Primarily intended for use on laptop and user desktop machines that do not run continuously.
automount
Manages mount points for the automatic file-system mounter. Disable this service on servers that do not require automounter functionality.
bluetooth
Supports the connections of Bluetooth devices. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality.
gpm
(General Purpose Mouse) Provides support for the mouse pointer in a text console.
hidd
(Bluetooth Human Interface Device daemon) Provides support for Bluetooth input devices such as a keyboard or mouse. Primarily intended for use on laptop and user desktop machines. Bluetooth provides an additional potential attack surface. Disable this service on servers that do not require Bluetooth functionality.
irqbalance
Distributes hardware interrupts across processors on a multiprocessor system. Disable this service on servers that do not require this functionality.
iscsi
Controls logging in to iSCSI targets and scanning of iSCSI devices. Disable this service on servers that do not access iSCSI devices.
iscsid
Implements control and management for the iSCSI protocol. Disable this service on servers that do not access iSCSI devices.
kdump
Enables a kdump kernel to be loaded into memory at boot time or a kernel dump to be saved if the system panics. Disable this service on servers that you do not use for debugging or testing.
mcstrans
Controls the SELinux Context Translation System service.
mdmonitor
Checks the status of all software RAID arrays on the system. Disable this service on servers that do not use software RAID.
pcscd
(PC/SC Smart Card Daemon) Supports communication with smart-card readers. Primarily intended for use on laptop and user desktop machines to support smart-card authentication. Disable this service on servers that do not use smart-card authentication.
sandbox
Sets up /tmp, /var/tmp, and home directories to be used with the pam_namespace, sandbox, and xguest application confinement utilities. Disable this service if you do not use these programs.
setroubleshoot
Controls the SELinux Troubleshooting service, which provides information about SELinux Access Vector Cache (AVC) denials to the sealert tool.
smartd
Communicates with the Self-Monitoring, Analysis and Reporting Technology (SMART) systems that are integrated into many ATA-3 and later, and SCSI-3 disk drives. SMART systems monitor disk drives to measure reliability, predict disk degradation and failure, and perform drive testing.
xfs
(X Font Server; unrelated to the XFS file system) Caches fonts in memory to improve the performance of X Window System applications.

Consider disabling the network services that are described in the following list, if they are not used on your system.

avahi-daemon
Implements Apple's Zero configuration networking (also known as Rendezvous or Bonjour). Primarily intended for use on laptop and user desktop machines to support music and file sharing. Disable this service on servers that do not require this functionality.
cups
Implements the Common UNIX Printing System. Disable this service on servers that do not need to provide this functionality.
hplip
Implements HP Linux Imaging and Printing to support faxing, printing, and scanning operations on HP inkjet and laser printers. Disable this service on servers that do not require this functionality.
isdn
(Integrated Services Digital Network) Provides support for network connections over ISDN devices. Disable this service on servers that do not directly control ISDN devices.
netfs
Mounts and unmounts network file systems, including NCP, NFS, and SMB. Disable this service on servers that do not require this functionality.
network
Activates all network interfaces that are configured to start at boot time.
NetworkManager
Switches network connections automatically to use the best connection that is available.
nfslock
Implements the Network Status Monitor (NSM) used by NFS. Disable this service on servers that do not require this functionality.
nmb
Provides NetBIOS name services used by Samba. Disable this service and remove the samba package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.
portmap
Implements Remote Procedure Call (RPC) support for NFS. Disable this service on servers that do not require this functionality.
rhnsd
Queries the Unbreakable Linux Network (ULN) for updates and information.
rpcgssd
Used by NFS. Disable this service on servers that do not require this functionality.
rpcidmapd
Used by NFS. Disable this service on servers that do not require this functionality.
smb
Provides SMB network services used by Samba. Disable this service and remove the samba package if the system is not acting as an Active Directory server, a domain controller, or as a domain member, and it does not provide Microsoft Windows file and print sharing functionality.

To stop a service and prevent it from starting when you reboot the system, use the following commands:

sudo systemctl stop service_name
sudo systemctl disable service_name
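Checking a host against the package list in Minimizing the Software Footprint and the service lists above is repetitive by hand. The following script is an added example, not part of the Oracle Linux guide: it reads the output of rpm -qa and of systemctl list-unit-files (from files, so it also works on saved inventories or the constructed samples below), reports unwanted packages that are installed and reviewable services that are enabled, and prints the yum remove and systemctl commands that would clean the host up. The service unit names are assumed to match the service names used in the lists; adjust REVIEW_SERVICES to what your release actually ships.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux guide): check a host against the
# "do not install" package list and the services-to-review list, and print
# the yum remove / systemctl commands that would clean it up. Both checks
# read command output on stdin, so they run on the constructed samples
# below or on a live host (see the end of the file).

# Packages listed in the guide as not to be installed.
UNWANTED_PKGS="krb5-appl-clients rsh rsh-server samba talk talk-server
telnet telnet-server tftp tftp-server xinetd ypbind ypserv"

# Service units to review. Unit names are assumed to match the service
# names used in the lists above; adjust to what your release actually ships.
REVIEW_SERVICES="avahi-daemon bluetooth cups hplip iscsi iscsid kdump
mdmonitor nmb rpcbind smb"

# Constructed sample of "rpm -qa --qf '%{NAME}\n'" output.
sample_packages() {
    cat <<'EOF'
bash
openssh-server
telnet
xinetd
rsyslog
EOF
}

# Constructed sample of "systemctl list-unit-files --type=service --no-legend" output.
sample_unit_files() {
    cat <<'EOF'
avahi-daemon.service  enabled
sshd.service          enabled
cups.service          enabled
kdump.service         disabled
rsyslog.service       enabled
EOF
}

# Read package names (one per line) on stdin; print those in list $1.
# Returns 1 if any were found, 0 if the host is clean.
installed_from_list() {
    rc=0
    while IFS= read -r name; do
        for want in $1; do
            if [ "$name" = "$want" ]; then echo "$name"; rc=1; fi
        done
    done
    return $rc
}

# Read "UNIT STATE [PRESET]" lines on stdin; print the units from list $1
# whose state is "enabled". Returns 1 if any were found.
enabled_from_list() {
    rc=0
    while read -r unit state _; do
        svc="${unit%.service}"
        [ "$state" = enabled ] || continue
        for want in $1; do
            if [ "$svc" = "$want" ]; then echo "$svc"; rc=1; fi
        done
    done
    return $rc
}

# Print (do not run) the commands that remove packages $1 and stop and
# disable services $2; both are newline-separated lists, possibly empty.
remediation_commands() {
    if [ -n "$1" ]; then
        echo "sudo yum remove $(echo "$1" | tr '\n' ' ' | sed 's/ *$//')"
    fi
    for svc in $2; do
        echo "sudo systemctl stop $svc"
        echo "sudo systemctl disable $svc"
    done
}

# Usage: audit_footprint PACKAGE_LIST_FILE UNIT_FILE_LIST_FILE
audit_footprint() {
    pkgs=$(installed_from_list "$UNWANTED_PKGS" < "$1" || true)
    svcs=$(enabled_from_list "$REVIEW_SERVICES" < "$2" || true)
    remediation_commands "$pkgs" "$svcs"
}

# Demonstration on the constructed samples. On a live host:
#   rpm -qa --qf '%{NAME}\n' > /tmp/pkgs
#   systemctl list-unit-files --type=service --no-legend > /tmp/units
#   audit_footprint /tmp/pkgs /tmp/units
tmp=$(mktemp -d)
sample_packages > "$tmp/pkgs"
sample_unit_files > "$tmp/units"
audit_footprint "$tmp/pkgs" "$tmp/units"
rm -rf "$tmp"
```

The script prints a plan rather than executing it: yum remove can pull in dependent packages, and the removal list should be reviewed before it is run.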

Locking Down Network Services

Note:

It is recommended that you do not install the xinetd Internet listener daemon. If you do not need this service, remove the package altogether by using the yum remove xinetd command.

If you must enable xinetd on your system, minimize the network services that xinetd can launch by disabling those services that are defined in the configuration files in /etc/xinetd.d and which are not needed.

To counter potential Denial of Service (DoS) attacks, you can configure the resource limits for such services by editing /etc/xinetd.conf and related configuration files. For example, you can set limits for the connection rate, the number of connection instances to a service, and the number of connections from an IP address:

# Maximum number of connections per second and
# number of seconds for which a service is disabled
# if the maximum number of connections is exceeded
cps             = 50 10

# Maximum number of connections to a service
instances       = 50

# Maximum number of connections from an IP address
per_source      = 10

For more information, see the xinetd(8) and xinetd.conf(5) manual pages.

Configuring a Packet-Filtering Firewall

You can configure the Netfilter feature to act as a packet-filtering firewall that uses rules to determine whether network packets are received, dropped, or forwarded.

The primary interfaces for configuring the packet-filter rules are the firewall-cmd command and the Firewall Configuration GUI (firewall-config) or the iptables and ip6tables utilities. By default, the rules should drop any packets that are not destined for a service that the server hosts or that originate from networks other than those to which you want to allow access.

In addition, you can use Network Address Translation (NAT) to hide IP addresses behind a public IP address, and IP masquerading to alter IP header information for routed packets. You can also set rule-based packet logging and direct the logged packets to a dedicated file by matching the kernel messages in /etc/rsyslog.conf.

For more information, see Configuring Packet-filtering Firewalls.

Configuring TCP Wrappers

The TCP wrappers feature mediates requests from clients to services and controls access based on rules that you define in the /etc/hosts.deny and /etc/hosts.allow files. It only protects daemons that are linked against the libwrap library or started through xinetd; sshd on Oracle Linux 7 is, but many services are not, so check a daemon with ldd /path/to/daemon | grep libwrap before relying on it. You can restrict and permit service access for specific hosts or whole networks. A common way of using TCP wrappers is to detect intrusion attempts. For example, if a known malicious host or network attempts to access a service, you can deny access and send a warning message about the event to a log file or to the system console.

For more information, see Configuring TCP Wrappers.

Configuring Kernel Parameters

You can use several kernel parameters to counteract various kinds of attack.

  • kernel.randomize_va_space: Controls Address Space Layout Randomization (ASLR), which makes memory corruption exploits that rely on fixed addresses unreliable. A value of 0 disables ASLR, 1 randomizes the positions of the stack, the virtual dynamic shared object (VDSO) page, and mmap regions (including shared libraries), and 2 additionally randomizes the heap (brk area). The default and recommended setting is 2. ASLR only moves an executable's own code and data if it was built as a position-independent executable (PIE); for other binaries only the stack, libraries, and heap are randomized.

  • net.ipv4.conf.all.accept_source_route: Controls the handling of source-routed packets, which might have been generated outside the local network. A value of 0 rejects such packets, and 1 accepts them. The default and recommended setting is 0.

  • net.ipv4.conf.all.rp_filter: Controls reverse-path filtering of received packets to counter IP address spoofing (see RFC 3704). A value of 0 disables source validation; 1 (strict mode) drops a packet if the interface it arrived on is not the interface the routing table would use to reach the packet's source address; 2 (loose mode) drops a packet only if its source address is not reachable through any interface. The kernel's built-in default is 0, but the installed defaults under /usr/lib/sysctl.d may already enable strict mode, so check the running value with sysctl net.ipv4.conf.all.rp_filter. Strict mode is recommended, but it drops otherwise valid packets where routing is asymmetric (complex topologies with several uplinks, policy routing, or RIP or static routes that differ per direction); use 2 in that case. The kernel applies the higher of net.ipv4.conf.all.rp_filter and the per-interface net.ipv4.conf.interface.rp_filter value.

  • net.ipv4.icmp_echo_ignore_broadcasts: Controls whether ICMP broadcasts are ignored to protect against Smurf DoS attacks. A value of 1 ignores such broadcasts, and 0 accepts them. The default and recommended setting is 1.

  • net.ipv4.icmp_ignore_bogus_error_responses: Controls whether malformed ICMP error responses, which some routers send in violation of RFC 1122, are silently ignored. A value of 1 ignores such messages, and 0 logs each one, which lets a remote sender fill the system log. The default and recommended setting is 1.

To change the value of a kernel parameter permanently, add the setting to /etc/sysctl.conf or to a file in /etc/sysctl.d, for example:

kernel.randomize_va_space = 2

Then, run the sysctl -p command (sysctl --system if you used /etc/sysctl.d) and confirm the running value with sysctl kernel.randomize_va_space. A setting made only with sysctl -w is lost at the next reboot.
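The values listed above, together with fs.suid_dumpable from Disabling Core Dumps, are easiest to keep honest with a script that compares the running kernel against the intended values. The following is an added example, not part of the Oracle Linux guide: it reads sysctl -a output ("key = value" lines) on standard input, prints every parameter that is absent or differs from the expected table, and can turn that report into a sysctl.d drop-in file. The sample output it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux guide): compare kernel
# parameters against the values recommended above (plus fs.suid_dumpable
# from the core dump section). Reads "key = value" lines, the format of
# sysctl -a, on stdin, so it can run on the constructed sample below or on
# a live host: sysctl -a 2>/dev/null | sysctl_audit

# Expected values, "key value" per line.
EXPECTED='
kernel.randomize_va_space 2
fs.suid_dumpable 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
'

# Constructed sample of sysctl -a output: one value wrong, one key absent.
sample_sysctl_output() {
    cat <<'EOF'
kernel.randomize_va_space = 2
kernel.printk = 4 4 1 7
fs.suid_dumpable = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
}

# Print "key expected actual" (actual is MISSING when the key is absent)
# for each parameter in EXPECTED that is not at its expected value, in
# EXPECTED order. Returns 1 if anything was printed.
sysctl_audit() {
    {
        echo "$EXPECTED" | sed 's/^/E /'
        sed -n 's/^\([^ =]*\) *= *\(.*\)$/A \1 \2/p'
    } | awk '
        $1 == "E" && NF == 3 { order[++n] = $2; want[$2] = $3; next }
        $1 == "A"            { have[$2] = $3; next }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have))            { print k, want[k], "MISSING"; bad = 1 }
                else if (have[k] != want[k]) { print k, want[k], have[k]; bad = 1 }
            }
            exit bad
        }'
}

# Turn the audit output into lines for a sysctl.d drop-in file.
sysctl_fix_lines() {
    awk '{ print $1 " = " $2 }'
}

# Demonstration on the sample. On a live host, to generate and apply a fix:
#   sysctl -a 2>/dev/null | sysctl_audit | sysctl_fix_lines | sudo tee /etc/sysctl.d/99-hardening.conf
#   sudo sysctl --system
echo "Parameters differing from the recommended values (key expected actual):"
sample_sysctl_output | sysctl_audit || echo "(fix needed)"
```

Because the report lists the expected value alongside the running one, the same output doubles as the change record for the host; a clean host prints nothing and the function returns 0, which makes it usable as a check in configuration management.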

For additional security configurations on the kernel, see Configuring and Using Kernel Security Mechanisms.

Restricting Access to SSH Connections

The Secure Shell (SSH) allows protected, encrypted communication with other systems. As SSH is an entry point into the system, disable it if it is not required, or alternatively, edit the /etc/ssh/sshd_config file to restrict its use.

For example, the following setting does not allow root to log in using SSH:

PermitRootLogin no

You can restrict remote access to certain users and groups by specifying the AllowUsers, AllowGroups, DenyUsers, and DenyGroups settings, for example:

DenyUsers carol dan
AllowUsers alice bob

The ClientAliveInterval and ClientAliveCountMax settings make sshd send a probe to the client after ClientAliveInterval seconds without traffic and drop the connection when the client fails to answer ClientAliveCountMax probes in a row. The following example disconnects a client that has stopped responding for 300 seconds:

# Disconnect a client that stops responding for 300 seconds
ClientAliveCountMax 0
ClientAliveInterval 300

This detects dead or unreachable clients, not idle users: an SSH client answers the probe automatically, so a session that is connected but unused stays open. For an idle-user limit, set the shell's TMOUT variable in /etc/profile.d or use a session timeout in PAM. Also note that OpenSSH 8.2 and later treat ClientAliveCountMax 0 as disabling termination altogether, so on those releases use a count of 1 or more.

After changing the configuration file, check it with sshd -t (which reports syntax errors without starting the daemon) and then restart the sshd service for the changes to take effect. Keep an existing session open while you test a new connection, so that a mistake in AllowUsers or similar does not lock you out.

For more information, see the sshd_config(5) manual page.
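What the AllowUsers and DenyUsers example above does not show is how the four restriction keywords interact. sshd applies them in a fixed order regardless of where they appear in the file: DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups. A user matched by a Deny list is refused; if an Allow list is present, the user (or one of the user's groups) must match it or the login is refused. The following script is an added example, not part of the Oracle Linux guide or of OpenSSH: it reads an sshd_config fragment and reports the verdict for a user and group set, so you can see which rule decides before you restart sshd. Its sample configuration extends the guide's example with an AllowGroups line; wildcard patterns (* and ?) are supported, the user@host form is not, and Match blocks are ignored.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux guide): work out whether sshd's
# user and group restrictions would admit a given user. sshd evaluates the
# four keywords in a fixed order regardless of where they appear in the
# file: DenyUsers, then AllowUsers, then DenyGroups, then AllowGroups.
# Patterns may use the wildcards * and ?; user@host patterns are not
# handled and Match blocks are ignored.

# The lists hold glob patterns meant for case matching, not for the file
# system, so pathname expansion must stay off while they are expanded.
set -f

# Constructed sshd_config fragment (the guide's example plus a group rule).
sample_sshd_config() {
    cat <<'EOF'
PermitRootLogin no
DenyUsers carol dan
AllowUsers alice bob deploy*
AllowGroups wheel ops
EOF
}

# Return 0 if NAME matches any of the glob patterns given as further arguments.
matches_any() {
    name="$1"; shift
    for pat in "$@"; do
        case "$name" in $pat) return 0 ;; esac
    done
    return 1
}

# Usage: ssh_access_allowed USER "GROUP ..." < sshd_config
# Prints the verdict with the rule that decided it; returns 0 if allowed.
ssh_access_allowed() {
    user="$1"; groups="$2"
    deny_users=""; allow_users=""; deny_groups=""; allow_groups=""
    have_allow_users=0; have_allow_groups=0
    # Collect the lists: these four keywords accumulate across lines, and
    # keyword names are case-insensitive.
    while read -r key rest; do
        case "$(echo "$key" | tr 'A-Z' 'a-z')" in
            denyusers)   deny_users="$deny_users $rest" ;;
            allowusers)  allow_users="$allow_users $rest"; have_allow_users=1 ;;
            denygroups)  deny_groups="$deny_groups $rest" ;;
            allowgroups) allow_groups="$allow_groups $rest"; have_allow_groups=1 ;;
        esac
    done
    if matches_any "$user" $deny_users; then
        echo "denied: $user matches DenyUsers"; return 1
    fi
    if [ "$have_allow_users" = 1 ] && ! matches_any "$user" $allow_users; then
        echo "denied: $user not in AllowUsers"; return 1
    fi
    for g in $groups; do
        if matches_any "$g" $deny_groups; then
            echo "denied: group $g matches DenyGroups"; return 1
        fi
    done
    if [ "$have_allow_groups" = 1 ]; then
        in_allowed=1
        for g in $groups; do
            matches_any "$g" $allow_groups && in_allowed=0
        done
        if [ "$in_allowed" = 1 ]; then
            echo "denied: none of [$groups] in AllowGroups"; return 1
        fi
    fi
    echo "allowed: $user"
    return 0
}

# Demonstration. On a live host the effective values can be dumped with
#   sudo sshd -T | grep -Ei '^(allow|deny)(users|groups)'
for who in "alice wheel" "carol wheel" "eve wheel" "bob users" "deploy01 ops"; do
    set -- $who
    sample_sshd_config | ssh_access_allowed "$1" "$2" || true
done
```

Two points the walk-through makes visible: a name in DenyUsers is refused even if it also appears in AllowUsers, and once AllowGroups is present every permitted user must belong to one of the listed groups, which is the usual cause of lock-outs when a group rule is added to a file that already had AllowUsers.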

Configuring File System Mounts, File Permissions, and File Ownership

Use separate disk partitions for operating system and user data to prevent a full file system from impacting the operation of a server. For example, you might create separate partitions for /home, /tmp, /oracle, and so on.

Establish disk quotas to prevent a user from accidentally or intentionally filling up a file system and denying access to other users.

To prevent the operating system files and utilities from being altered during an attack, mount the /usr file system read-only. If you need to update any RPMs on the file system, use the -o remount,rw option with the mount command to remount /usr for both read and write access. After performing the update, use the -o remount,ro option to return the /usr file system to read-only mode.

To limit what users can do with non-root local file systems such as /tmp or removable storage partitions, mount them with the noexec, nosuid, and nodev options (mount -o noexec,nosuid,nodev, or the same options in the /etc/fstab entry). These options prevent the direct execution of binaries, make the setuid and setgid bits ineffective, and prevent the use of device files. Note that noexec does not stop an interpreter such as bash or python from running a script stored on the file system, so it raises the bar rather than closing the door.

Use the find command to check for unowned files and directories on each file system, for example:

find mount_point -mount -type f \( -nouser -o -nogroup \) -exec ls -l {} \;
find mount_point -mount -type d \( -nouser -o -nogroup \) -exec ls -ld {} \;

The parentheses are required: without them, -o splits the expression into "-type f -nouser" and "-nogroup -exec ...", so files that merely lack an owner are never passed to ls.

Unowned files and directories might be associated with a deleted user account, they might indicate an error with software installation or deleting, or they might a sign of an intrusion on the system. Correct the permissions and ownership of the files and directories that you find, or remove them. If possible, investigate and correct the problem that led to their creation.

Use the find command to check for world-writable directories on each file system, for example:

find mount_point -mount -type d -perm /o+w ! -perm -1000 -exec ls -ld {} \;

The ! -perm -1000 clause excludes directories that carry the sticky bit, such as /tmp and /var/tmp, which are world-writable by design but only allow users to remove or rename their own files. Investigate any remaining world-writable directory that is owned by a user other than a system user. The owner can remove or change any file that other users write to the directory. Correct the permissions and ownership of the directories that you find, or remove them.

You can also use find to check for setuid and setgid executables.

find path -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

If the setuid or setgid bit is set, an executable runs with the privileges of its owner or group rather than those of the user who invokes it, so it can perform a task that requires other rights, such as root privileges. However, memory corruption bugs such as buffer overflows in such executables can be exploited to run unauthorized code with those elevated privileges, which is why every setuid program on a system should be there for a reason.

If you want to stop non-root users from using a setuid or setgid executable, unset the setuid or setgid bit with the following commands:

sudo chmod u-s file
sudo chmod g-s file

A later package update reinstalls the binary with its original mode, so repeat the check after updating; rpm -V package lists files whose mode differs from the package as M.

The following list contains programs for which you might want to consider unsetting the setuid or setgid bit.

Note:

The list is not exhaustive, as many optional packages contain setuid and setgid programs.

/usr/bin/chage (setuid)
Determines password aging information (via the -l option).
/usr/bin/chfn (setuid)
Changes finger information.
/usr/bin/chsh (setuid)
Changes the login shell.
/usr/bin/crontab (setuid)
Edits, lists, or removes a crontab file.
/usr/bin/wall (setgid)
Sends a system-wide message.
/usr/bin/write (setgid)
Sends a message to another user.
/usr/bin/Xorg (setuid)
Invokes the X Window System server.
/usr/libexec/openssh/ssh-keysign (setuid)
Runs the SSH helper program for host-based authentication.
/usr/sbin/mount.nfs (setuid)
Mounts an NFS file system. /sbin/mount.nfs4, /sbin/umount.nfs, and /sbin/umount.nfs4 are symbolic links to this file.
/usr/sbin/netreport (setgid)
Requests notification of changes to network interfaces.
/usr/sbin/usernetctl (setuid)
Controls network interfaces. Permission for a user to alter the state of a network interface also requires USERCTL=yes to be set in the interface file. You can also grant users and groups the privilege to run the ip command by creating a suitable entry in the /etc/sudoers file.

Checking User Accounts and Privileges

Check the system for unlocked user accounts on a regular basis by using a command similar to the following:

for u in $(cut -d: -f1 /etc/passwd | sort); do sudo passwd -S "$u"; done
abrt LK 2012-06-28 0 99999 7 -1 (Password locked.)
adm LK 2011-10-13 0 99999 7 -1 (Alternate authentication scheme in use.)
apache LK 2012-06-28 0 99999 7 -1 (Password locked.)
avahi LK 2012-06-28 0 99999 7 -1 (Password locked.)
avahi-autoipd LK 2012-06-28 0 99999 7 -1 (Password locked.)
bin LK 2011-10-13 0 99999 7 -1 (Alternate authentication scheme in use.)
...

In the output that is shown in this example, the second field indicates whether a user account is locked (LK), does not have a password (NP), or has a valid password (PS). The third field shows the date on which the user last changed their password. The remaining fields show the minimum age, maximum age, warning period, and inactivity period for the password and additional information about the password's status. The unit of time is days.

Use the passwd command to set passwords on any accounts that are not protected.

Use the passwd -l command to lock unused accounts. Alternatively, use userdel to remove the accounts entirely.

For more information, see the passwd(1) and userdel(8) manual pages.

To specify how user passwords are aged, edit the settings in the /etc/login.defs file. These settings are described in the following list.

  • PASS_MAX_DAYS: Maximum number of days for which a password can be used before it must be changed. The default value is 99,999 days.

  • PASS_MIN_DAYS: Minimum number of days that is allowed between password changes. The default value is 0 days.

  • PASS_WARN_AGE: Number of days warning that is given before a password expires. The default value is 7 days.

For more information, see the login.defs(5) manual page.

To change how many days after a user's password expires the account is disabled (the inactivity period), use the usermod command. For example, to set the inactivity period to 30 days:

sudo usermod -f 30 username

To change the default inactivity period for new user accounts, use the useradd command:

sudo useradd -D -f 30

A value of -1 specifies that user accounts are not locked due to inactivity.

For more information, see the useradd(8) and usermod(8) manual pages.

Verify that no user accounts other than root have a user ID of 0.

awk -F":" '$3 == 0 { print $1 }' /etc/passwd
root
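The one-line checks above each look at a single condition. The following script is an added example, not part of the Oracle Linux guide: it runs the account checks a reviewer would want together over a passwd and shadow file pair (extra UID 0 accounts, password fields kept in the world-readable passwd file, empty password fields, and system accounts that have a usable password hash) and reports each finding with a tag. It takes the two files as arguments, so it runs on the constructed samples below as well as on /etc/passwd and /etc/shadow; the sample hash fields are placeholders, not real hashes, and UID_MIN is assumed to be 1000 as in /etc/login.defs on Oracle Linux 7.

```shell
#!/bin/sh
# Added example (not from the Oracle Linux guide): account checks over a
# passwd and shadow file pair. Takes the two files as arguments so it runs
# on the constructed samples below or on copies; on a live host use
# /etc/passwd and /etc/shadow (reading shadow needs root).

UID_MIN=1000   # first regular-user UID, as UID_MIN in /etc/login.defs on OL7

# Constructed sample files; the hash fields are placeholders, not real hashes.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
legacy:$1$abc$def:1002:1002:Legacy:/home/legacy:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
EOF
}
sample_shadow() {
    cat <<'EOF'
root:$6$salt$hash:19000:0:99999:7:::
bin:*:18000:0:99999:7:::
apache:$6$salt$hash:19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
alice:!!:19000:0:99999:7:::
guest::19000:0:99999:7:::
EOF
}

# All functions take PASSWD SHADOW as $1 $2 and print one login name per line.

# Accounts other than root with UID 0.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# Accounts whose passwd password field is not "x": a hash or an empty
# string stored in the world-readable file instead of in shadow.
unshadowed() { awk -F: '$2 != "x" { print $1 }' "$1"; }

# Accounts whose shadow password field is empty: login without a password.
empty_password() { awk -F: '$2 == "" { print $1 }' "$2"; }

# System accounts (UID below UID_MIN, root excluded) whose shadow entry is
# a usable hash rather than a locked ("!", "!!") or disabled ("*") value.
system_with_password() {
    awk -F: -v min="$UID_MIN" '
        NR == FNR { if ($3 < min && $1 != "root") sys[$1] = 1; next }
        ($1 in sys) && $2 != "" && $2 !~ /^[!*]/ { print $1 }' "$1" "$2"
}

# Usage: audit_accounts PASSWD SHADOW. Prints "TAG user" per finding;
# returns 1 if there were any.
audit_accounts() {
    rc=0
    for u in $(extra_uid0 "$1" "$2");           do printf '%-9s %s\n' UID0 "$u"; rc=1; done
    for u in $(unshadowed "$1" "$2");           do printf '%-9s %s\n' UNSHADOW "$u"; rc=1; done
    for u in $(empty_password "$1" "$2");       do printf '%-9s %s\n' NOPASS "$u"; rc=1; done
    for u in $(system_with_password "$1" "$2"); do printf '%-9s %s\n' SYSPASS "$u"; rc=1; done
    return $rc
}

# Demonstration on the samples. On a live host:
#   sudo sh -c '. ./this_script; audit_accounts /etc/passwd /etc/shadow'
tmp=$(mktemp -d)
sample_passwd > "$tmp/passwd"
sample_shadow > "$tmp/shadow"
audit_accounts "$tmp/passwd" "$tmp/shadow" || echo "(findings above need attention)"
rm -rf "$tmp"
```

A UID 0 account that also carries a usable hash is reported twice (UID0 and SYSPASS), which is intended: either finding on its own would justify locking the account with passwd -l until its origin is explained. NOPASS findings should be fixed with passwd before anything else, since such an account can be used by anyone who can reach a login prompt.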

If you install software that creates a default user account and password, change the vendor's default password immediately. Centralized user authentication using an LDAP implementation such as OpenLDAP can help to simplify user authentication and management tasks, and also reduces the risk arising from unused accounts or accounts without a password.

Configure the system so that administrators cannot log in remotely as root (PermitRootLogin no, as shown above) but must log in as a named user before using either su or sudo to perform tasks as root. This configuration allows system accounting to trace the original login name of any user who performs a privileged administrative action. If you want to grant certain users authority to perform specific administrative tasks via sudo, use the visudo command to modify the /etc/sudoers file. For example, the following entries grant the user erin the same privileges as root when using sudo, but define a limited set of commands for frank so that he can run only rpm and yum. The Cmnd_Alias line defines that command set; the stock sudoers file ships a similar SOFTWARE alias commented out.

Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/yum
erin           ALL=(ALL)       ALL
frank          ALL=SOFTWARE

Oracle Linux supports the pluggable authentication modules (PAM) feature, which makes it easier to enforce strong user authentication and password policies, including rules for password complexity, length, age, expiration and the reuse of previous passwords. You can configure PAM to block user access after too many failed login attempts, after normal working hours, or if too many concurrent sessions are opened.

PAM is highly customizable through its use of different modules with configurable parameters. For example, the default password integrity checking module pam_pwquality.so tests password strength. The PAM configuration file /etc/pam.d/system-auth contains the following default entries for testing a password's strength. On Oracle Linux 7 this file is a symbolic link to system-auth-ac, which the authconfig command regenerates and thereby discards hand edits; to keep local changes, copy the file to system-auth-local, edit the copy, and point the symbolic link at it.

password  requisite   pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password  sufficient  pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password  required    pam_deny.so

The line for pam_pwquality.so defines that a user gets three attempts to choose a good password. From the module's default settings, the password must be a minimum of six characters, of which three characters must be different from the previous password. Values set in /etc/security/pwquality.conf override these built-in defaults, so check that file for the limits that actually apply on your system. The module only tests the quality of passwords for users who are defined in /etc/passwd.

The line for pam_unix.so specifies that the module tests the password previously specified in the stack before prompting for a password if necessary (pam_pwquality will already have performed such checks for users defined in /etc/passwd), uses SHA-512 password hashing and the /etc/shadow file, and allows access if the existing password is null.

You can modify the control flags and module parameters to change the checking that is performed when a user changes his or her password, for example:

password  required  pam_pwquality.so retry=3 minlen=8 difok=5 minclass=4
password  required  pam_unix.so use_authtok sha512 shadow remember=5
password  required  pam_deny.so

The line for pam_pwquality.so defines that a user gets three attempts to choose a good password with a minimum of eight characters, of which five characters must be different from the previous password, and which must contain at least one upper case letter, one lower case letter, one numeric digit, and one non-alphanumeric character (minclass=4 requires all four character classes). Note that when root sets a password, pam_pwquality only warns about a failed check and still accepts the password unless enforce_for_root is also specified.

The line for pam_unix.so specifies that the module does not perform password checking, uses SHA-512 password hashing and the /etc/shadow file, and saves information about the previous five passwords for each user in the /etc/security/opasswd file. As nullok is not specified, a user cannot change his or her password if the existing password is null.

The omission of the try_first_pass keyword means that the user is always asked for their existing password, even if he or she entered it for the same module or for a previous module in the stack.

For more information, see Configuring and Using Pluggable Authentication Modules and the pam_deny(8), pam_pwquality(8), and pam_unix(8) manual pages.