Enabling FIPS, SE Linux, and STIG on DB System Components

This article describes the procedure for adding the Federal Information Processing Standards (FIPS), Security Enhanced (SE) Linux, and Security Technical Implementation Guide (STIG) standard security enhancements.

Enabling FIPS, SE Linux, and STIG

Perform the following steps on each system node.

  1. Open an SSH session to the DB system node, switch to the root user, and change to /opt/oracle/dcs/bin.
    sudo -s
    cd /opt/oracle/dcs/bin
  2. Run the following command.
    dbcli secure-dbsystem -se -sd -fo -fd
    Output:
    Job details
    ----------------------------------------------------------------
    ID: <job_ID_number>
    Description: Secure DB System
    Status: Created
    Created: November 8, 2020 4:12:29 PM UTC
    Progress: 0%
    Message:
    
    Task Name Start Time End Time Status
  3. Check the job details.
    dbcli describe-job -i <job_ID_number>
    The output shows the job's progress, status, and details.
    Job details
    ----------------------------------------------------------------
    ID: <job_ID_number>
    Description: Secure DB System
    Status: Success
    Created: November 8, 2020 4:12:29 PM UTC
    Progress: 100%
    Message:
    
    Task Name Start Time End Time Status
    ------------------------------------------------------------------------ ----------------------------------- -------
    Enable SE Linux [<name>] November 8, 2020 4:12:31 PM UTC November 8, 2020 4:12:31 PM UTC Success
    Enable STIG for DOD [<name>] November 8, 2020 4:12:31 PM UTC November 8, 2020 4:12:49 PM UTC Success
    Enable FIPS for OS [<name>] November 8, 2020 4:12:49 PM UTC November 8, 2020 4:14:43 PM UTC Success
    Enable FIPS for DB Home [<DB_home_name_1>] November 8, 2020 4:14:43 PM UTC November 8, 2020 4:14:43 PM UTC Success
    Enable FIPS for DB[<DB_name_1>] November 8, 2020 4:14:43 PM UTC November 8, 2020 4:14:46 PM UTC Success
    Enable FIPS for DB Home [<DB_home_name_2>] November 8, 2020 4:14:46 PM UTC November 8, 2020 4:14:46 PM UTC Success
    Enable FIPS for DB[<DB_name_2>] November 8, 2020 4:14:46 PM UTC November 8, 2020 4:14:49 PM UTC Success
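  4. After the job details output shows a status of Success, you must restart the DB system node using the console. This is required because enabling FIPS and SE Linux updates the operating system kernel. For instructions, see Reboot a DB System.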

Checking the FIPS and SE Linux Configuration of a DB System Node

To confirm that FIPS and SE Linux are enabled on your DB system node, use the following dbcli command.
dbcli get-dbsystemsecurestatus
The system returns details like those in the following example.
{
  "isSELinuxEnabledForOS" : true,
  "isFipsEnabledForOS" : true,
  "fipsStatusForDBs" : [ {
    "databaseResId" : "<DB_ID_number>",
    "status" : true
  } ]
}