Table of Contents

• Title and Copyright Information
• Preface
  • Conventions
  • Documentation Accessibility
  • Access to Oracle Support for Accessibility
  • Diversity and Inclusion
• 1 About System Security
  • Overview of System Security in Oracle Linux
  • Understanding the Oracle Linux Environment
  • Recommended Deployment Configurations
  • Component Security
  • Basic Security Considerations
    • Keep Software Up to Date
    • Restrict Network Access to Critical Services
    • Follow the Principle of Least Privilege
    • Monitor System Activity
    • Keep Up to Date on the Latest Security Information
  • Security Considerations for Developers
    • Design Principles for Secure Coding
    • General Guidelines for Secure Coding
    • General Guidelines for Network Programs
• 2 Security Guidelines
  • Minimizing the Software Footprint
  • Configuring System Logging
  • Disabling Core Dumps
  • Minimizing Active Services
  • Locking Down Network Services
  • Configuring a Packet-Filtering Firewall
  • Configuring TCP Wrappers
  • Configuring Kernel Parameters
  • Restricting Access to SSH Connections
  • Configuring File System Mounts, File Permissions, and File Ownership
  • Checking User Accounts and Privileges
• 3 Secure Installation and Configuration
  • Pre-Installation Tasks
  • Installing Oracle Linux
    • Shadow Passwords and Hashing Algorithms
    • Strong Passwords
    • Separate Disk Partitions
    • Encrypted Disk Partitions
    • Software Selection
    • Network Time Service
  • Post-Installation Tasks
• 4 Implementing Oracle Linux Security
  • Configuring Access to Network Services
  • Configuring Packet-filtering Firewalls
    • Controlling the firewalld Firewall Service
      • Configuring the firewalld Zone
      • Controlling Access to Services
      • Controlling Access to Ports
    • Controlling the iptables Firewall Service
      • About netfilter Tables Used by iptables and ip6tables
      • Listing Firewall Rules
      • Inserting and Replacing Rules in a Chain
      • Deleting Rules in a Chain
      • Saving Rules
  • Configuring OpenSSH
  • Configuring TCP Wrappers
  • Using chroot Jails to Protect the Root (/) Directory
    • Running DNS and FTP Services in a Chroot Jail
    • Creating a Chroot Jail
    • Using a Chroot Jail
  • Configuring and Using Software Management
    • Configuring Update and Patch Management
    • Installing and Using the Yum Security Plugin
  • Configuring and Using Data Encryption
  • Configuring and Using Certificate Management
  • Configuring and Using Authentication
  • Configuring and Using Pluggable Authentication Modules
  • Configuring and Using Access Control Lists
  • Configuring and Using SELinux
  • Configuring and Using Auditing
  • Configuring and Using System Logging
    • Configuring Logwatch
  • Configuring and Using Process Accounting
  • Configuring and Using Linux Containers
  • Configuring and Using Kernel Security Mechanisms
    • Address Space Layout Randomization
    • Data Execution Prevention
    • Position Independent Executables
• 5 Using OpenSCAP to Scan for Vulnerabilities
  • About SCAP
  • Installing the SCAP Packages
  • About the oscap Command
  • Displaying the Available SCAP Information
  • Displaying Information About a SCAP File
  • Displaying Available Profiles
  • Validating OVAL and XCCDF Files
  • Running a Scan Against a Profile
  • Generating a Full Security Guide
  • Running an OVAL Auditing Scan
  • Scanning Containers, Container Images and Offline File Systems
    • Scan Container Images and Containers
    • Scan Offline File Systems
• 6 FIPS 140-2 Compliance in Oracle Linux 7
  • Configuring FIPS Mode in Oracle Linux 7
    • Enabling FIPS Mode on Oracle Linux 7
  • FIPS 140-2 Validated Modules in Oracle Linux 7
    • Information About Modules That Have Received FIPS 140-2 Validation
    • Installing FIPS Validated Cryptographic Modules for Oracle Linux 7
    • Yum Repositories and ULN Channels for FIPS Validated Cryptographic Modules
• 7 Oracle Linux 7 Common Criteria Certification
• 8 Oracle Linux 7 KVM Common Criteria Certification