3 Managing System Security

This section describes Oracle Linux features that administrators can use to manage system security.

Oracle Linux provides a complete security stack, from network firewall control to access control security policies, and is configured to be secure by default. Oracle Linux includes features that can help you to enhance system security, such as real-time patching, automated software updates, certificate management tools, a built-in firewall, mandatory access controls, and public key cryptography and data encryption tools. This section describes each of these features and discusses where you can find more information.

Consider using a combination of these tools and facilities to manage access that's provisioned on the system and improve the security of the OS, applications that run on the system and network connectivity.

Understanding the Importance of Updates

Keeping system software up-to-date is an important principle of an overall security strategy, as described in Overview of Security Principles. Updating Oracle Linux promptly closes known software vulnerabilities and attack vectors that attackers could otherwise exploit to gain unauthorized access to systems.

Oracle releases important updates to the Oracle Linux and Oracle VM software as individual package updates, known as errata.

How often Oracle Linux systems are updated depends on many factors that each system administrator must assess. Accepting the latest available updates is good security practice: the more out-of-date a system is, the more known vulnerabilities and attack vectors it exposes, and the older a vulnerability is, the more time attackers have had to develop reliable exploits for it, so the more likely systems with that vulnerability are to be compromised.

Before you configure the frequency and type of updates that are installed, you must decide the level of exposure and risk that you consider to be acceptable and still meet security requirements.

Here are some examples of useful best practices to consider:

  • Monitor errata as they're published by Oracle, reviewing errata as they appear and paying careful attention to security errata. Security errata are listed by severity level from critical to low.

  • Schedule time to test and deploy security, bug, and enhancement errata. Testing and deploying security and bug errata as soon as possible is considered good security practice.

  • Pay attention to minor releases as they often contain a combination of security patches, bug fixes, and feature enhancements. As stated before, you must decide the frequency and timing for testing and deploying the larger set of updates.

  • Reduce the number of updates Oracle Linux requires by installing only the minimum software required to suit business needs. Minimizing the package footprint on systems can reduce the amount of time needed to perform updates for software while also reducing exposure to security attack vectors. For more information, see Minimize and Secure the Software Footprint.

  • For systems with mission critical applications where system reboots are disruptive, consider using Ksplice to apply kernel (and selected user-space library) security errata in memory with zero downtime and no reboot, so that known vulnerabilities aren't left open while you wait for a maintenance window. For more information about Ksplice, see Oracle Linux: Ksplice User's Guide.

  • Also consider using software and automation management tools to apply software updates and deployments such as Oracle Linux Manager, Oracle Cloud Infrastructure OS Management, Oracle OS Management Hub, Oracle Linux Automation Manager, Chef, and Puppet.

    Such tools can also run incremental updates to select groups of Oracle Linux systems, which can be useful when testing the impact of an update on real users in a staging environment before rolling out to production. Similarly, you can also use these tools to add RPM packages to base images so that you can tailor Oracle Linux systems and images to user roles rather than deploying the same configuration for everything.

For more recommendations that could suit highly complex production environments, see Oracle Linux: Managing Software on Oracle Linux.

Installing and Updating Errata RPM Packages

You can obtain errata information directly from Oracle Linux systems by using Yum or DNF from any Oracle Linux terminal or from ULN. After assessing the errata information, you can track, install, and update errata using these tools.

Oracle Linux 9 provides tools to help you update the system often and with minimum interference. Consider using the dnf-automatic package to download updates on a schedule, alert you to software upgrade options and even to apply them automatically.

Always use DNF to install, update, or remove RPM packages rather than running the rpm command directly, so that dependencies, the transaction history, and GPG signature checks are handled consistently (rpm remains useful for queries such as rpm -q and rpm -K). The security-related options of the dnf update command let you update in the following ways:
  • Update by CVE number (--cve),
  • Update by security errata advisory number (--advisory),
  • Update all kernel packages to the latest kernel version that contains security errata (--security together with the kernel package specification),
  • Update all security errata of a given severity level: critical, important, moderate, or low (--sec-severity),
  • Update all security errata to the latest release available (--security). From a security perspective, this option is often the best choice.

See Oracle Linux: Managing Software on Oracle Linux for more information on how to use these DNF commands.
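The following script is an added example, not code from the Oracle Linux documentation. It triages the output of dnf updateinfo list --security by severity (so you can see at a glance whether anything critical is pending) and wraps the selective update forms listed above. The SAMPLE_UPDATEINFO text is constructed to look like real updateinfo output; its advisory IDs, CVE IDs and package versions are hypothetical.

```bash
#!/bin/sh
# Added example (not from the Oracle Linux documentation): triage pending
# security errata by severity, then apply them selectively with dnf.
# SAMPLE_UPDATEINFO is constructed to look like `dnf updateinfo list --security`
# output; the advisory IDs and package versions in it are hypothetical.

SAMPLE_UPDATEINFO='Last metadata expiration check: 0:01:02 ago on Mon 01 Jan 2024 10:00:00 AM GMT.
ELSA-2024-0001 Critical/Sec.  kernel-5.14.0-362.8.1.el9_3.x86_64
ELSA-2024-0002 Important/Sec. openssl-3.0.7-24.el9.x86_64
ELSA-2024-0003 Moderate/Sec.  bash-5.1.8-6.el9_1.x86_64
ELSA-2024-0003 Moderate/Sec.  bash-devel-5.1.8-6.el9_1.x86_64
ELSA-2024-0004 Low/Sec.       curl-7.76.1-26.el9.x86_64
ELBA-2024-0005 bugfix         vim-enhanced-8.2.2637-20.el9.x86_64'

# count_by_severity: read `dnf updateinfo list --security` output on stdin and
# print "<Severity> <number of distinct advisories>" lines. One advisory
# usually covers several packages, so advisories are counted, not lines.
count_by_severity() {
    awk '$2 ~ /\/Sec\.$/ { split($2, s, "/"); sev[$1] = s[1] }
         END { for (a in sev) n[sev[a]]++; for (k in n) printf "%s %d\n", k, n[k] }' | sort
}

# advisories_at SEVERITY: print the distinct advisory IDs at that severity
# (Critical, Important, Moderate or Low) from updateinfo output on stdin.
advisories_at() {
    awk -v sev="$1" '$2 == (sev "/Sec.") { print $1 }' | sort -u
}

# On a real host: list what is pending and summarize it.
pending_security()    { dnf updateinfo list --security; }
pending_by_severity() { pending_security | count_by_severity; }

# The selective update forms. These run dnf for real and need root; nothing
# below calls them automatically. The IDs in the comments are hypothetical.
apply_all_security()    { dnf update --security; }              # every security erratum
apply_by_severity()     { dnf update --sec-severity="$1"; }     # e.g. Critical
apply_by_cve()          { dnf update --cve "$1"; }              # e.g. CVE-2024-0001
apply_by_advisory()     { dnf update --advisory "$1"; }         # e.g. ELSA-2024-0001
apply_kernel_security() { dnf update --security 'kernel*'; }    # kernel packages only

# Demonstration on the constructed sample (no dnf needed).
printf '%s\n' "$SAMPLE_UPDATEINFO" | count_by_severity
printf 'Critical advisories: %s\n' "$(printf '%s\n' "$SAMPLE_UPDATEINFO" | advisories_at Critical)"
```

Note that --sec-severity selects only advisories at exactly that level, so a policy such as "critical and important within 24 hours, the rest at the next window" is two separate runs. Run the parser against live output with pending_by_severity, and use dnf updateinfo info ADVISORY to read an advisory's CVE list before deciding whether it can wait.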

Understanding RPM Errata Packages and Cumulative Updates

Oracle Linux is an RPM-based distribution. RPM packages are built cumulatively as Oracle releases updates consisting of security, bug, or enhancements errata. For example, release 2 for an RPM builds on release 1, and if release 1 is installed but you want to update to release 4, then the contents of releases 2 and 3 are also included in release 4.

An errata RPM package carries metadata that you can display with the dnf info package command. For example:

dnf info bash
Last metadata expiration check: 0:00:13 ago on Thu 20 Jul 2023 06:44:39 PM GMT.
Installed Packages
Name         : bash
Version      : 5.1.8
Release      : 6.el9_1
Architecture : x86_64
Size         : 7.4 M
Source       : bash-5.1.8-6.el9_1.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : The GNU Bourne Again shell
URL          : https://www.gnu.org/software/bash
License      : GPLv3+
Description  : The GNU Bourne Again shell (Bash) is a shell or command language
             : interpreter that is compatible with the Bourne shell (sh). Bash
             : incorporates useful features from the Korn shell (ksh) and the C shell
             : (csh). Most sh scripts can be run by bash without modification.

Available Packages
Name         : bash
Version      : 5.1.8
Release      : 6.el9_1
Architecture : src
Size         : 10 M
Source       : None
Repository   : ol9_baseos_latest
Summary      : The GNU Bourne Again shell
URL          : https://www.gnu.org/software/bash
License      : GPLv3+
Description  : The GNU Bourne Again shell (Bash) is a shell or command language
             : interpreter that is compatible with the Bourne shell (sh). Bash
             : incorporates useful features from the Korn shell (ksh) and the C shell
             : (csh). Most sh scripts can be run by bash without modification.
  • Name, version, and release information: When you update a package, the release number of the RPM changes and the version number can change if the RPM is rebased (this happens infrequently).

    You can use the dnf updateinfo --list --installed package command to list the errata that have been applied to a package, with the name, version, release, and architecture of the RPM that each one delivered. For example, for the bash package:

    dnf updateinfo --list --installed bash
    Last metadata expiration check: 0:04:52 ago on Thu 20 Jul 2023 06:44:39 PM GMT.
    ELBA-2022-4055 bugfix        bash-5.1.8-4.el9.x86_64
    ELBA-2022-8403 bugfix        bash-5.1.8-5.el9.x86_64
    ELSA-2023-0340 Moderate/Sec. bash-5.1.8-6.el9_1.x86_64
  • Informational metadata: This metadata includes information such as a summary, description, license, and so on.

  • Cryptographic signature: All Oracle Linux RPM packages are signed, and you can use this signature to verify the provenance and authenticity of an RPM. The signature is created by the party that built the binary (for Oracle Linux packages, Oracle). Setting gpgcheck=1 as a global default in the /etc/dnf/dnf.conf file makes dnf check that each downloaded RPM carries a valid signature from an imported GPG key before it installs the package; an RPM that fails the check isn't installed. This is an important way to ensure that RPMs come from a trusted source and haven't been changed in transit or on a mirror. All Oracle Linux images have the Oracle GPG keys installed and the gpgcheck option enabled by default.

    Ensuring RPM package security is one aspect of an overall data encryption strategy. For more information, see About Data Encryption.

  • Dependency information: This provides details about the RPMs, and the versions of those RPMs, that a package depends on. For example, you can use the following command to list the direct dependencies of the bash RPM package:

    dnf deplist bash
  • A series of scripts that can be run at various stages during update or installation.
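The gpgcheck setting described under "Cryptographic signature" above (and again under About Data Encryption) is only protective if every enabled repository actually inherits or sets it. The following script is an added example, not code from the Oracle Linux documentation: it audits a dnf.conf plus a repository directory for enabled repositories whose effective gpgcheck is off, and shows how to verify a single RPM's signature with rpm -K. The configuration files are constructed in a temporary directory so the audit runs anywhere; ol9_baseos_latest mirrors the real Oracle Linux 9 repository definition, while the other three repositories are hypothetical. On a real host, point audit_gpgcheck at /etc/dnf/dnf.conf and /etc/yum.repos.d.

```bash
#!/bin/sh
# Added example (not from the Oracle Linux documentation): find DNF
# repositories whose packages would be installed without GPG signature
# verification, and verify an RPM's signature directly.

# make_sample_config DIR: write a constructed dnf.conf and one .repo file.
# ol9_baseos_latest mirrors the real Oracle Linux 9 repo; the other three
# repositories are hypothetical.
make_sample_config() {
    mkdir -p "$1/repos"
    cat > "$1/dnf.conf" <<'EOF'
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
EOF
    cat > "$1/repos/example.repo" <<'EOF'
[ol9_baseos_latest]
name=Oracle Linux 9 BaseOS Latest ($basearch)
baseurl=https://yum.oracle.com/repo/OracleLinux/OL9/baseos/latest/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1

[third_party]
name=Hypothetical vendor repository with verification switched off
baseurl=https://repo.example.com/ol9/
gpgcheck=0
enabled=1

[internal_tools]
name=Hypothetical internal repository, inherits gpgcheck from [main]
baseurl=https://mirror.example.internal/ol9/
enabled=1

[old_vendor]
name=Hypothetical disabled repository, ignored by the audit
baseurl=https://old.example.com/ol9/
gpgcheck=0
enabled=0
EOF
}

# audit_gpgcheck DNF_CONF REPO_DIR: print "<file>:<section> gpgcheck=<value>"
# for every enabled repository whose effective gpgcheck is not on. A repo
# section that omits gpgcheck inherits the [main] value from DNF_CONF; if
# that is absent too, dnf's built-in default (off) applies. Returns 1 if
# any repository is reported, 0 otherwise.
audit_gpgcheck() {
    conf="$1"; repodir="$2"
    default=$(awk -F= '/^\[/ { sec = $1 }
        sec == "[main]" && $1 ~ /^gpgcheck[ \t]*$/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { print v }' "$conf")
    [ -n "$default" ] || default=0
    found=$(for f in "$repodir"/*.repo; do
        [ -f "$f" ] || continue
        awk -F= -v def="$default" -v file="$f" '
            function on(v)   { return tolower(v) ~ /^(1|true|yes)$/ }
            function flush() { if (sec != "" && on(ena) && !on(val)) printf "%s:%s gpgcheck=%s\n", file, sec, val }
            /^\[/ { flush(); sec = $1; val = def; ena = "1" }
            $1 ~ /^gpgcheck[ \t]*$/ { gsub(/[ \t]/, "", $2); val = $2 }
            $1 ~ /^enabled[ \t]*$/  { gsub(/[ \t]/, "", $2); ena = $2 }
            END { flush() }' "$f"
    done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# verify_rpm_signature FILE: check a downloaded RPM against the keys imported
# into the rpm database. rpm -K exits 0 for an unsigned package as well (it
# reports "digests OK" only), so the output is checked for "signatures".
verify_rpm_signature() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available here" >&2; return 2; }
    rpm -K "$1" | grep -q 'signatures OK'
}

# imported_gpg_keys: the GPG keys rpm currently trusts.
imported_gpg_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Demonstration on the constructed configuration.
demo=$(mktemp -d)
make_sample_config "$demo"
if audit_gpgcheck "$demo/dnf.conf" "$demo/repos"; then
    echo "all enabled repositories verify signatures"
else
    echo "WARNING: the repositories listed above install unverified packages" >&2
fi
rm -rf "$demo"
```

Two details matter in practice: a repository file can silently override the global default, so the audit must read every section rather than only dnf.conf; and dnf's built-in default when neither file sets gpgcheck is off, which is why the second test case below (a dnf.conf with no gpgcheck line) reports the inheriting repository as well.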

About Security Errata and CVEs

A security errata is a corrective action intended to address security vulnerabilities identified in one or more Common Vulnerabilities and Exposures (CVEs).

CVE numbers are unique, common identifiers for publicly known information about security vulnerabilities. Oracle uses CVE numbers to identify and track corrective actions driven by a reported security vulnerability. The CVE program is co-sponsored by the office of Cybersecurity and Communications at the US Department of Homeland Security and is managed by the MITRE corporation.

About Bug and Enhancement Errata

A bug errata is a corrective action for an issue reported by a customer or by a vendor. Oracle normally includes the bug ID in the errata notification. Including bug errata in a maintenance policy is considered good security practice because a bug errata can prevent a problem before it affects the system, for instance a fault that's only triggered by a combination of events that destabilizes the system. Therefore it's important to keep Oracle Linux systems updated with bug errata.

Enhancements are incremental new features or updates provided by Oracle.

Obtaining Errata and CVE Notices

To be notified when Oracle releases new errata packages, you can subscribe to the Oracle Linux and Oracle VM errata mailing lists at https://oss.oracle.com/mailman/listinfo/el-errata and https://oss.oracle.com/mailman/listinfo/oraclevm-errata.

If you're logged in to ULN, you can also subscribe to these mailing lists by following the Subscribe to Enterprise Linux Errata mailing list and Subscribe to Oracle VM Errata mailing list links that are provided in the Errata tab.

Oracle publishes a complete list of errata made available on ULN at https://linux.oracle.com/errata. You can also see a published listing of Common Vulnerabilities and Exposures (CVEs) and explore their details and status at https://linux.oracle.com/cve.

You can also track updates to Oracle Linux yum server repositories by visiting https://yum.oracle.com/whatsnew.html, where you can see which packages were updated within each repository for the previous six months.

About Certificate Management

Public key cryptography provides secure communication on an insecure public network and verification of the identity of the entity at the other end of a network connection. Public key cryptography is based on establishing asymmetric pairs of secret and public keys.

OpenSSL is an open source implementation of the TLS protocol (and its predecessor, SSL), together with a general-purpose cryptographic library and command-line toolkit. If a hierarchy of trust is confined to an organization's intranet, you can use OpenSSL to generate a root certificate and set up a Certificate Authority (CA) for that domain. Alternatively, you can use OpenSSL to generate a certificate signing request (CSR) and submit it to a recognized CA to obtain a signed certificate that you can use in an application configuration. For publicly reachable hosts, domain-validated certificates can be obtained at no or low cost from CAs that implement the IETF Automatic Certificate Management Environment (ACME) protocol, RFC 8555, which removes both the expense of commercial certificate signing and the burden of running a self-hosted CA.

For more detailed information, see Oracle Linux: Managing Certificates and Public Key Infrastructure.

About Data Encryption

Cryptographic libraries included with Oracle Linux can be used by software to provide data encryption facilities. You can use data encryption to protect data that's stored or being transmitted. Data on storage devices and media can be at risk of theft or device loss. Data being transmitted over local area networks and the Internet can be intercepted or altered. By encrypting data, you can help protect it while it's in storage or in transmission, thereby providing a safer infrastructure. In addition, data encryption to protect privacy and personal data is increasingly being made a mandatory requirement in corporate security policies and by governmental regulations (for example, HIPAA, GLBA, SOX, and PCI DSS).

Oracle Linux systems provide the following strategies for protecting data:

  • When installing systems and application software, only accept RPM packages that have been digitally signed by a trusted source.

    To ensure that downloaded software packages are signed, set gpgcheck=1 in the repository configuration file and import the GPG key provided by the software supplier. Oracle Linux images normally have this setting enabled as a global default in the /etc/dnf/dnf.conf file. Retrieve repositories over HTTPS (TLS) as well, so that the transport is encrypted and the server authenticated; TLS protects the channel, whereas the GPG check protects the package itself, so both are needed.

    For more information, see Oracle Linux: Managing Software on Oracle Linux.

  • To protect against data theft, consider using full-disk encryption, especially on laptops, external hard drives, or removable devices such as USB memory sticks. Oracle Linux provides block device encryption by using the dm-crypt kernel module and the Linux Unified Key Setup (LUKS) format. The cryptsetup administration command is available in the cryptsetup package.

    These technologies encrypt device partitions so that the data is inaccessible when a system is turned off. When the system boots and you supply the appropriate passphrase, the device is decrypted and its data is accessible. See Oracle Linux 9: Managing Storage Devices for more information about encrypting block devices. Also see the cryptsetup(8) manual page for general usage instructions.

  • Oracle Linux uses encryption to support Virtual Private Networks (VPNs) and Secure Shell (SSH). You can use these tools to encrypt network traffic end-to-end, thereby ensuring that data is kept safe during transmission. For more information, see Oracle Linux: Connecting to Remote Systems With OpenSSH and Configuring Virtual Private Networks in Oracle Linux: Configuring Virtual Private Networks.

  • Oracle Linux uses encryption to store system passwords. By default, Oracle Linux uses a strong password hashing algorithm (SHA-512) and stores hashed passwords in the /etc/shadow file.

  • Oracle Linux takes advantage of hardware-accelerated encryption on x86_64 CPUs that provide the Advanced Encryption Standard New Instructions (AES-NI) instruction set, which speeds up the AES algorithm.
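The password hashing item above can be checked rather than assumed: the scheme used for each account is visible in the prefix of its hash field in /etc/shadow ($6$ for SHA-512, $y$ for yescrypt, $5$ for SHA-256, $1$ for MD5, no prefix for traditional DES), and the scheme applied to new passwords is the ENCRYPT_METHOD in /etc/login.defs. The following script is an added example, not from the Oracle Linux documentation. SAMPLE_SHADOW is constructed in /etc/shadow format; its salt and hash fields are dummies, not real hashes.

```bash
#!/bin/sh
# Added example (not from the Oracle Linux documentation): report the hashing
# scheme in use for each account from /etc/shadow-format input, and the
# default configured in /etc/login.defs. SAMPLE_SHADOW is constructed; the
# salt and hash fields are placeholders, not real hashes.

SAMPLE_SHADOW='root:$6$saltsalt$NotARealHashJustAPlaceholder:19700:0:99999:7:::
alice:$y$j9T$saltsaltsalt$NotARealYescryptHash:19700:0:99999:7:::
bob:$1$oldsalt$NotARealMd5Hash:19700:0:99999:7:::
carol:$5$saltsalt$NotARealSha256Hash:19700:0:99999:7:::
dave:!$6$saltsalt$LockedButStillSha512:19700:0:99999:7:::
svc_backup:!!:19700:0:99999:7:::
nobody:*:19700::::::'

# hash_algorithm HASHFIELD: name the crypt(3) scheme from the hash prefix.
hash_algorithm() {
    case "$1" in
        '$y$'*|'$7$'*)           echo yescrypt ;;
        '$6$'*)                  echo sha512 ;;
        '$5$'*)                  echo sha256 ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$1$'*)                  echo md5 ;;
        ''|'!'*|'*'*)            echo locked ;;   # no usable password
        *)                       echo descrypt ;; # 13-char traditional DES, or unknown
    esac
}

# weak_accounts: read shadow lines on stdin; print "user scheme" for every
# account that can log in with a password hashed by something other than
# SHA-512 or yescrypt. Locked accounts are skipped.
weak_accounts() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        alg=$(hash_algorithm "$hash")
        case "$alg" in
            sha512|yescrypt|locked) ;;
            *) printf '%s %s\n' "$user" "$alg" ;;
        esac
    done
}

# configured_hash_method [LOGIN_DEFS]: the ENCRYPT_METHOD that shadow-utils
# apply when a password is set or changed (default file /etc/login.defs).
configured_hash_method() {
    awk '$1 == "ENCRYPT_METHOD" { print $2 }' "${1:-/etc/login.defs}"
}

# Demonstration on the constructed sample; /etc/shadow itself needs root.
echo "Accounts with weak or legacy hashes (sample data):"
printf '%s\n' "$SAMPLE_SHADOW" | weak_accounts
if [ -r /etc/login.defs ]; then
    echo "Configured ENCRYPT_METHOD: $(configured_hash_method)"
fi
```

Run weak_accounts < /etc/shadow as root on a real host. An account still carrying an MD5 or DES hash after ENCRYPT_METHOD was changed keeps that hash until its password is next set, so the fix is a forced password change (chage -d 0 USER) rather than a configuration edit.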

About the Packet Filtering Firewall

Firewalls filter incoming and outgoing network packets based on their packet header information. You can create packet filter rules that decide whether packets are accepted, dropped silently, or rejected with an error response. If you create a rule that blocks a port, any packet to that port is discarded by the firewall. Any service that's listening on a blocked port no longer processes network traffic because it doesn't receive any new packets on that port.

You can configure the Netfilter feature to act as a packet-filtering firewall that uses rules to decide whether network packets are accepted, dropped, or forwarded. In addition, Netfilter provides Network Address Translation (NAT) and IP masquerading to alter IP header information for routed packets. You can also set rule-based packet logging: logged packets appear in the kernel log, and you can direct them to a dedicated log file by configuring the system logger (rsyslog, by way of /etc/rsyslog.conf or a file in /etc/rsyslog.d).

The nftables framework is the default stateful network packet filtering framework in Oracle Linux, replacing the iptables framework. The nftables framework provides improved performance over the iptables framework. The nftables framework uses components of the Netfilter infrastructure, such as the existing hooks into the networking stack, connection tracking system, the user-space queueing component, and the logging subsystem. In addition nftables can also classify packets.

For more information, see Oracle Linux 9: Configuring the Firewall.
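The stateful filtering and rule-based logging described above, as an added example that is not from the Oracle Linux documentation: a minimal default-deny nftables ruleset for a host that exposes only SSH, written in nft's native syntax, with a small inspection helper and a parse-only check. The SSH port and the assumption that the host doesn't route are placeholders to adjust.

```bash
#!/bin/sh
# Added example (not from the Oracle Linux documentation): a minimal stateful
# default-deny nftables ruleset for a host that only exposes SSH, written out
# in nft's native syntax and inspected. Port 22 is a placeholder.

# write_ruleset FILE: write the ruleset; load it with `nft -f FILE`.
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept   # replies to connections this host opened or accepted
        ct state invalid drop                 # packets conntrack cannot place in any connection
        iif "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 ct state new accept      # SSH; placeholder port

        # anything else is logged (rate-limited) and then falls to the chain policy
        limit rate 5/second log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;   # this host does not route
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# chain_policies FILE: print "<chain> <policy>" for each base chain in FILE,
# a quick way to confirm that input and forward default to drop.
chain_policies() {
    awk '/^[ \t]*chain / { name = $2 }
         /policy [a-z]+;/ { for (i = 1; i <= NF; i++) if ($i == "policy") { p = $(i + 1); sub(/;$/, "", p); print name, p } }' "$1"
}

# check_ruleset FILE: have nft parse the file without changing the kernel
# state (nft -c); skipped when nft is not installed.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed here; skipping syntax check of $1" >&2
    fi
}

# Demonstration: write, inspect, and (where possible) syntax-check the ruleset.
rules=$(mktemp)
write_ruleset "$rules"
chain_policies "$rules"
check_ruleset "$rules"
rm -f "$rules"
```

Two cautions before loading such a file: on Oracle Linux 9 firewalld is the default front end and itself programs nftables, and flush ruleset removes its tables, so use a hand-written ruleset only on hosts where firewalld is disabled (and persist it in /etc/sysconfig/nftables.conf for the nftables service) or express the same policy with firewall-cmd instead. The log rule writes to the kernel log with the given prefix, which is what journalctl -k or an rsyslog filter on "nft-input-drop:" picks up.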

About SELinux

By default, SELinux is enabled automatically on new Oracle Linux installations.

Linux security has historically been based on a Discretionary Access Control (DAC) policy, which provides minimal protection from broken software or from malware that's running as a normal user or as root. Access to files and devices is based solely on user identity and ownership. Malware or misconfigured software can do anything with files and resources that the user that started the process can do. If the user is root or the application is setuid or setgid to root, the process can have root-access control over the entire file system.

The National Security Agency created Security Enhanced Linux (SELinux) to provide a finer-grained level of control over files, processes, users, and applications on Linux. The SELinux enhancement to the Linux kernel implements the Mandatory Access Control (MAC) policy, which can be used to define a security policy that provides granular permissions for all users, programs, processes, files, and devices. The kernel's access control decisions are based on all the security relevant information available, and not solely on the authenticated user identity.

When security-relevant access occurs, such as when a process tries to open a file, SELinux intercepts the operation at the kernel level. The operation only continues if a MAC policy rule allows it, otherwise SELinux blocks the operation and returns an error to the process. The kernel checks and enforces DAC policy rules before MAC rules, so it doesn't check SELinux policy rules if DAC rules have already denied access to a resource.

For more details about SELinux, including task-related information, see Oracle Linux: Administering SELinux.

See also the SELinux Project Wiki and the selinux(8) manual page.
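When SELinux blocks an operation as described above, the kernel records an AVC denial in the audit log; reading those records is the first step of any SELinux troubleshooting. The following script is an added example, not from the Oracle Linux documentation: it condenses AVC records into one line per distinct denial (source domain, target type, object class, denied permissions) and reports the running enforcement mode from the kernel rather than from the configuration file. SAMPLE_AUDIT is constructed in audit.log format; its PIDs, inodes and timestamps are made up.

```bash
#!/bin/sh
# Added example (not from the Oracle Linux documentation): summarize SELinux
# denials from audit-log AVC records and report the current enforcement mode.
# SAMPLE_AUDIT is constructed in audit.log format; PIDs, inodes and
# timestamps are made up.

SAMPLE_AUDIT='type=AVC msg=audit(1700000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000001.456:457): avc:  denied  { read } for  pid=1234 comm="httpd" name="logo.png" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000003.000:459): avc:  granted  { setenforce } for  pid=2000 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security'

# summarize_avc: read audit records on stdin and print one line per distinct
# denial, "<count> <source domain> -> <target type> <class> { permissions }",
# most frequent first. Granted records and non-AVC records are ignored.
# The third colon-separated field of a context is its type (e.g. httpd_t).
summarize_avc() {
    awk '
        /^type=AVC / && / denied / {
            perm = ""
            if (match($0, /\{[^}]*\}/)) perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
            s = t = c = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "scontext")      { split(kv[2], p, ":"); s = p[3] }
                else if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
                else if (kv[1] == "tclass")   c = kv[2]
            }
            count[s " -> " t " " c " { " perm " }"]++
        }
        END { for (k in count) printf "%d %s\n", count[k], k }' | sort -rn
}

# selinux_mode: enforcing, permissive, or disabled, read from selinuxfs.
# /etc/selinux/config only states the mode requested for the next boot.
selinux_mode() {
    if [ -r /sys/fs/selinux/enforce ]; then
        if [ "$(cat /sys/fs/selinux/enforce)" = 1 ]; then echo enforcing; else echo permissive; fi
    else
        echo disabled
    fi
}

# Demonstration on the constructed records. On a real host:
#   ausearch -m AVC -ts recent | summarize_avc
echo "SELinux mode on this host: $(selinux_mode)"
echo "Denials in the sample audit records:"
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

Read the summary before reaching for audit2allow: httpd_t reading user_home_t points at content in the wrong place or with the wrong label (fix with restorecon, or semanage fcontext plus restorecon for a custom path), and httpd_t connecting to postgresql_port_t is covered by an existing boolean (setsebool -P httpd_can_network_connect_db on). A custom allow module is the last resort, not the first, because it widens the policy for every process in that domain.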