This is the third in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.

In Part 1 we reviewed a secure partitioning strategy and in Part 2 we performed a  minimal install. In Part 3 we will perform some housekeeping prior to beginning the hardening process.

 

A Word of Caution

The actions outlined in these posts have been performed on a clean install of OEL 5.5 exactly as documented in these posts. If you are contemplating taking these actions on an existing server, please take appropriate precautions such as:

 

• Backing up the server
• Reviewing the content of all scripts before running them
• Testing the actions on a non-production server

 

Secure /tmp

In order to prevent hard links within /var, remove /var/tmp and recreate it as a symbolic link to /tmp as follows as root:

rm -rf /var/tmp

ln -s /tmp /var/tmp

 

Create Restore Script

CIS provides a a script called do-backup.sh. When executed, this script will create backups of all the configuration files and directories it may change and then creates another script called do-restore.sh that, if needed, will restore all the files modified by the hardening procedures. Since this script simply creates another script and makes copies of files and directories it is very safe to run.

Copy do-backup-sh to /root as root and then execute:

./do-backup.sh

Note: As of this writing, CIS is no longer supplying the do-backup.sh script. Perhaps this is due to an error in the script that caused the ssh_config and sshd_config files to NOT be backed up due to a missing blank space between these two file names in the "FILE in" loop. That error is corrected in this version.

 

Install oracle-validated (Optional)

Chances are that if you are using OEL then you intend to install Oracle software on the server. If so, you'll want to install the Oracle Validated RPM as it contains the base updates required for most Oracle software installs. There are two ways to do this. If you are not an Unbreakable Linux Network (ULN) customer (i.e., you do not have a ULN support contract), then you can get the Oracle Validated RPM from http://oss.oracle.com/el5/oracle-validated. If you are a ULN customer, take the following steps:

1. Install the OEL public key by entering: rpm --import /usr/share/rhn/RPM-GPG-KEY
   
2. Enter: up2date
   
3. Select Next through the privacy statement.
   
4. Enter your ULN credentials and select Next.
   
5. After returning to the prompt, install the required prerequisite RPM, enter:up2date --install kernel-headers --force --verbose
   
6. Then install Oracle Validated by entering: up2date --install oracle-validated --verbose

WARNING: If you install oracle-validated, a new user, oracle, is created with password equal to oracle. You should change the password of the oracle account immediately after installing oracle-validated.

Patch Current

Run a scan of the OS to determine if any of the packages are out of date with respect to security patches. Any number of tools can be used of this. For this exercise, I used Nessus which can be downloaded for free (for home use only) at Tenable Network Security.

Of course, depending on your distribution and the timing of your scan, your results may differ but for OEL 5.5 using Nessus 4.4.2 with plugins updated on 7/11/2010, the following packages were found to be vulnerable:

• xulrunner
• perl
• kernel
• nspr
• krb5-libs
  
• sudo
  
• cups
  
• gnutls
  
• pango
  

Install updates to all reported packages by running:

up2date --install <package_name> --verbose

Note that updates to the kernel may require specification of the --force option as well.

After applying all updates reboot the server and rescan to ensure no additional vulnerabilities are found. In my case a vulnerability in yelp was found on the second scan, updated, bounced and rescanned without issue.

Initial System Validation

Make sure the system is working properly before making any changes. CIS suggests running:

cd /var/log

egrep -i "(crit|alert|error|warn)" * | less

and then resolving any issues before continuing.

 

A default install of Oracle Enterprise Linux (OEL) comes with a lot of packages you would not want on a secure production server. So how do you create a minimal install of OEL?  Turns out it's pretty easy.

It should be noted that once completed, the server will have very little capability and will need additional packages installed depending on what other software will be installed on the server. This is how it should be. Start with the minimum and then only add what is needed.

1. Boot the server from the OEL 5.5 ISO DVD and choose the GUI installation.
   
2. Select language and click Next.
3. Select keyboard and click Next.
4. Select Install Enterprise Linux and click Next.
5. Click the check box labeled "Review and modify partitioning layout" and click Next.
6. Click Yes on the warning box if prompted to overwrite existing partitions.
7. Add the partitions suggested in Securing Oracle Enterprise Linux - Part 1 - Partitioning Strategy using sizes appropriate for your environment and then click Next.
8. Select the boot loader options you want and then click Next.
9. Select your network settings and then click Next.
10. Select your time zone and then click Next.
11. Provide the root password, confirm it and then click Next.
12. On the install window that asks which additional functionality to install (Software Development, Web Server, Clustering and Storage Clustering), no not select any of the boxes.
13. On the same window, select the Customize Now radio button and select Next.
    
14. Select Base System in the left-hand column and then deselect everything in the right-hand column, except Base.
    
15. For each of the other entries in the left hand column (Desktop Environments, Applications, etc.) deselect everything in the right-hand column and then click Next.
16. One final click of Next will format the file systems and install the OS.
17. When complete, you are prompted to remove the install media and reboot.
18. On first boot, you are presented with the Setup Agent screen to configure Authentication, Firewall, Network, System Services and Timezone. For now, just exit out. If you need to run this later, you can run /usr/bin/setup.

After the install completes and the system reboots, you are left with an extremely minimal Linux install. The next step is to configure access to Unbreakable Linux Network (ULN) support (assuming you have a ULN support contract). If you are a ULN customer, take the following steps:

1. On your new, rebooted OEL server, install the OEL public key by entering: rpm --import /usr/share/rhn/RPM-GPG-KEY
   
2. Enter: up2date
   
3. Select Next through the privacy statement.
   
4. Enter your ULN credentials and select Next.

That's it! Is it secure? Heck no, we have not hardened the OS as yet. It is a good first step however.

This is the first in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.

How you implement a disk partitioning strategy is largely based on how the server will be used. In this post we'ere not going to cover every possible use case but rather focus only on the security aspects of the base OS install instead.

A default install of OEL, you get two mount points (plus of course shared memory /dev/shm):

• /         -> The root directory
• /boot -> The boot partition

This means that by default all OS-related directories fall under the root directory. Remember that availability is part of security and therefore it is better to establish separate partitions for the following so that running out of space in one does not impact the other partitions:

• /home            -> Container for all non-root user home directories
• /tmp                -> Container for temporary storage
• /var                  -> Container for application logs
• /var/log/audit -> Container for audit logs
• <swap>         -> Container for virtual memory

As separate partitions, mount options can be used to limit permissions and for /home to impose quota. While swap can be implemented as a file, a partition is recommended for performance reasons.