This is the third in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.
In Part 1 we reviewed a secure partitioning strategy and in Part 2 we performed a minimal install. In Part 3 we will perform some housekeeping prior to beginning the hardening process.
A Word of Caution
The actions outlined in these posts have been performed on a clean install of OEL 5.5 exactly as documented in these posts. If you are contemplating taking these actions on an existing server, please take appropriate precautions such as:
- Backing up the server
- Reviewing the content of all scripts before running them
- Testing the actions on a non-production server
In order to prevent hard links within /var, remove /var/tmp and recreate it as a symbolic link to /tmp as follows as root:
rm -rf /var/tmp
ln -s /tmp /var/tmp
Create Restore Script
CIS provides a a script called do-backup.sh. When executed, this script will create backups of all the configuration files and directories it may change and then creates another script called do-restore.sh that, if needed, will restore all the files modified by the hardening procedures. Since this script simply creates another script and makes copies of files and directories it is very safe to run.
Copy do-backup-sh to /root as root and then execute:
Note: As of this writing, CIS is no longer supplying the do-backup.sh script. Perhaps this is due to an error in the script that caused the ssh_config and sshd_config files to NOT be backed up due to a missing blank space between these two file names in the "FILE in" loop. That error is corrected in this version.
Install oracle-validated (Optional)
Chances are that if you are using OEL then you intend to install Oracle software on the server. If so, you'll want to install the Oracle Validated RPM as it contains the base updates required for most Oracle software installs. There are two ways to do this. If you are not an Unbreakable Linux Network (ULN) customer (i.e., you do not have a ULN support contract), then you can get the Oracle Validated RPM from http://oss.oracle.com/el5/oracle-validated. If you are a ULN customer, take the following steps:
- Install the OEL public key by entering: rpm --import /usr/share/rhn/RPM-GPG-KEY
- Enter: up2date
- Select Next through the privacy statement.
- Enter your ULN credentials and select Next.
- After returning to the prompt, install the required prerequisite RPM, enter:up2date --install kernel-headers --force --verbose
- Then install Oracle Validated by entering: up2date --install oracle-validated --verbose
WARNING: If you install oracle-validated, a new user, oracle, is created with password equal to oracle. You should change the password of the oracle account immediately after installing oracle-validated.
Run a scan of the OS to determine if any of the packages are out of date with respect to security patches. Any number of tools can be used of this. For this exercise, I used Nessus which can be downloaded for free (for home use only) at Tenable Network Security.
Of course, depending on your distribution and the timing of your scan, your results may differ but for OEL 5.5 using Nessus 4.4.2 with plugins updated on 7/11/2010, the following packages were found to be vulnerable:
Install updates to all reported packages by running:
up2date --install <package_name> --verbose
Note that updates to the kernel may require specification of the --force option as well.
After applying all updates reboot the server and rescan to ensure no additional vulnerabilities are found. In my case a vulnerability in yelp was found on the second scan, updated, bounced and rescanned without issue.
Initial System Validation
Make sure the system is working properly before making any changes. CIS suggests running:
egrep -i "(crit|alert|error|warn)" * | less
and then resolving any issues before continuing.