A default install of Oracle Enterprise Linux (OEL) comes with a lot of packages you would not want on a secure production server. So how do you create a minimal install of OEL? Turns out it's pretty easy.
It should be noted that once completed, the server will have very little capability and will need additional packages installed depending on what other software will be installed on the server. This is how it should be. Start with the minimum and then only add what is needed.
- Boot the server from the OEL 5.5 ISO DVD and choose the GUI installation.
- Select language and click Next.
- Select keyboard and click Next.
- Select Install Enterprise Linux and click Next.
- Click the check box labeled "Review and modify partitioning layout" and click Next.
- Click Yes on the warning box if prompted to overwrite existing partitions.
- Add the partitions suggested in Securing Oracle Enterprise Linux - Part 1 - Partitioning Strategy using sizes appropriate for your environment and then click Next.
- Select the boot loader options you want and then click Next.
- Select your network settings and then click Next.
- Select your time zone and then click Next.
- Provide the root password, confirm it and then click Next.
- On the install window that asks which additional functionality to install (Software Development, Web Server, Clustering and Storage Clustering), do not select any of the boxes.
- On the same window, select the Customize Now radio button and select Next.
- Select Base System in the left-hand column and then deselect everything in the right-hand column, except Base.
- For each of the other entries in the left-hand column (Desktop Environments, Applications, etc.) deselect everything in the right-hand column and then click Next.
- One final click of Next will format the file systems and install the OS.
- When complete, you are prompted to remove the install media and reboot.
- On first boot, you are presented with the Setup Agent screen to configure Authentication, Firewall, Network, System Services and Timezone. For now, just exit out. If you need to run this later, you can run /usr/bin/setup.
After the install completes and the system reboots, you are left with an extremely minimal Linux install. The next step is to configure access to Unbreakable Linux Network (ULN) support (assuming you have a ULN support contract). If you are a ULN customer, take the following steps:
- On your new, rebooted OEL server, install the OEL public key by entering: rpm --import /usr/share/rhn/RPM-GPG-KEY
- Enter: up2date
- Select Next through the privacy statement.
- Enter your ULN credentials and select Next.
That's it! Is it secure? Heck no, we have not hardened the OS yet. It is a good first step, however.
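To hold the server to the "start with the minimum and then only add what is needed" rule as packages are added later, the installed package set can be compared against an approved baseline. The script below is an added example, not part of the original post; the baseline file format (one approved package name per line, with `#` comments) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: compare installed packages against an approved baseline.
# Assumed baseline format: one package name per line, '#' starts a comment.

# normalize_list FILE: drop comments, surrounding whitespace and blank lines,
# then sort uniquely in the C locale so comm(1) sees consistent ordering.
normalize_list() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1" | LC_ALL=C sort -u
}

# compare_lists COMM_FLAG BASELINE INSTALLED
compare_lists() {
    base_tmp=$(mktemp) && inst_tmp=$(mktemp) || return 2
    normalize_list "$2" > "$base_tmp"
    normalize_list "$3" > "$inst_tmp"
    LC_ALL=C comm "$1" "$base_tmp" "$inst_tmp"
    rm -f "$base_tmp" "$inst_tmp"
}

# Installed but not approved: candidates for removal or for review.
unexpected_packages() { compare_lists -13 "$1" "$2"; }

# Approved but not installed: the baseline is stale or a package was removed.
missing_packages() { compare_lists -23 "$1" "$2"; }

# When a baseline file is passed as $1 and rpm is present, audit the live host.
if [ -n "${1:-}" ] && command -v rpm >/dev/null 2>&1; then
    live=$(mktemp)
    rpm -qa --qf '%{NAME}\n' > "$live"
    echo "Installed but not in baseline:"
    unexpected_packages "$1" "$live"
    echo "In baseline but not installed:"
    missing_packages "$1" "$live"
    rm -f "$live"
fi
```

A baseline can be captured right after the minimal install with `rpm -qa --qf '%{NAME}\n'` and then extended only when a new package is deliberately approved.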