Enable FIPS, SE Linux, and STIG on the DB System Components
This article describes the procedure to add Federal Information Processing Standards (FIPS), Security Enhanced (SE) Linux, and Security Technical Implementation Guide (STIG) standards security enhancements to the DB system.
For more information, see:
Enable FIPS, SE Linux, and STIG
Perform the following steps on each system node.
- Open an SSH session to the DB system node and switch to the root user, then navigate to /opt/oracle/dcs/bin.
sudo -s
cd /opt/oracle/dcs/bin
- Run the following command.
dbcli secure-dbsystem -se -sd -fo -fd
Output:
Job details
----------------------------------------------------------------
ID: <job_ID_number>
Description: Secure DB System
Status: Created
Created: November 8, 2020 4:12:29 PM UTC
Progress: 0%
Message:
Task Name                                   Start Time                       End Time                         Status
- Verify the job details.
dbcli describe-job -i <job_ID_number>
The output provides information about the progress, status, and details of the job.
Job details
----------------------------------------------------------------
ID: <job_ID_number>
Description: Secure DB System
Status: Success
Created: November 8, 2020 4:12:29 PM UTC
Progress: 100%
Message:
Task Name                                   Start Time                       End Time                         Status
------------------------------------------------------------------------ ----------------------------------- -------
Enable SE Linux [<name>]                    November 8, 2020 4:12:31 PM UTC  November 8, 2020 4:12:31 PM UTC  Success
Enable STIG for DOD [<name>]                November 8, 2020 4:12:31 PM UTC  November 8, 2020 4:12:49 PM UTC  Success
Enable FIPS for OS [<name>]                 November 8, 2020 4:12:49 PM UTC  November 8, 2020 4:14:43 PM UTC  Success
Enable FIPS for DB Home [<DB_home_name_1>]  November 8, 2020 4:14:43 PM UTC  November 8, 2020 4:14:43 PM UTC  Success
Enable FIPS for DB[<DB_name_1>]             November 8, 2020 4:14:43 PM UTC  November 8, 2020 4:14:46 PM UTC  Success
Enable FIPS for DB Home [<DB_home_name_2>]  November 8, 2020 4:14:46 PM UTC  November 8, 2020 4:14:46 PM UTC  Success
Enable FIPS for DB[<DB_name_2>]             November 8, 2020 4:14:46 PM UTC  November 8, 2020 4:14:49 PM UTC  Success
- After the job details output shows the Status as "Success", you must restart your DB system node using the Console. This is required because enabling FIPS and SE Linux updates the OS kernel. For instructions, see Reboot a DB System.
Checking a DB System Node for FIPS and SE Linux Configurations
To confirm that FIPS and SE Linux are enabled on your DB system node, use the following dbcli command.
dbcli get-dbsystemsecurestatus
The system returns details as shown in the following example.
{
"isSELinuxEnabledForOS" : true,
"isFipsEnabledForOS" : true,
"fipsStatusForDBs" : [ {
"databaseResId" : "<DB_ID_number>",
"status" : true
} ]
}
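The status JSON above can be checked mechanically after the reboot instead of by eye. The following is an added example, not Oracle's code: the function name `audit_secure_status`, the file name `status.json`, and the second database ID placeholder are assumptions, and the sample input is constructed from the field names shown above.

```python
import json
import sys

# Constructed sample: same fields as the example output on this page, with a
# second (placeholder) database whose FIPS status is false.
DEGRADED_SAMPLE = """
{
  "isSELinuxEnabledForOS" : true,
  "isFipsEnabledForOS" : true,
  "fipsStatusForDBs" : [
    { "databaseResId" : "<DB_ID_number_1>", "status" : true },
    { "databaseResId" : "<DB_ID_number_2>", "status" : false }
  ]
}
"""

def audit_secure_status(raw):
    """Return a list of findings; an empty list means every check passed."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return [f"output is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]
    findings = []
    # Fail closed: only a literal JSON true passes. A missing key, null,
    # or the string "true" is reported rather than assumed compliant.
    for key in ("isSELinuxEnabledForOS", "isFipsEnabledForOS"):
        if doc.get(key) is not True:
            findings.append(f"{key} is {doc.get(key)!r}, expected true")
    dbs = doc.get("fipsStatusForDBs")
    if not isinstance(dbs, list) or not dbs:
        # Policy assumption: an empty list is a finding, so a node cannot
        # pass vacuously when no database was reported.
        findings.append("fipsStatusForDBs is missing or empty")
        return findings
    for entry in dbs:
        if not isinstance(entry, dict) or entry.get("status") is not True:
            db_id = entry.get("databaseResId", "<unknown>") if isinstance(entry, dict) else "<unknown>"
            findings.append(f"FIPS not enabled for database {db_id}")
    return findings

if __name__ == "__main__":
    # Usage: dbcli get-dbsystemsecurestatus > status.json; python3 audit.py status.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else DEGRADED_SAMPLE
    problems = audit_secure_status(raw)
    for p in problems:
        print("FINDING:", p)
    # Non-zero exit only when auditing a real file, so the built-in demo runs clean.
    sys.exit(1 if problems and len(sys.argv) > 1 else 0)
```

Run it on each system node after the restart; a non-zero exit status on a real file means at least one of the three checks did not report true.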