Scribd Logo
Upload

Welcome to Scribd!

  • 230 views

    Hardening Oracle Linux Server

    Uploaded by

    Tran Hieu
    This document provides tips for hardening an Oracle Linux server security, including minimizing unnecessary software and services, tightening network access and user permissions, implementing security features like SELinux, and using tools like encryption and Linux containers to enhance security. Key steps include pruning software packages, locking down network ports and services, configuring file system mounts and permissions restrictively, and enabling security mechanisms in the Linux kernel.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd

    Hardening Oracle Linux Server

    Uploaded by

    Tran Hieu
    230 views4 pages
    This document provides tips for hardening an Oracle Linux server security, including minimizing unnecessary software and services, tightening network access and user permissions, implementing security features like SELinux, and using tools like encryption and Linux containers to enhance security. Key steps include pruning software packages, locking down network ports and services, configuring file system mounts and permissions restrictively, and enabling security mechanisms in the Linux kernel.

    Original Title

    Hardening oracle linux server

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides tips for hardening an Oracle Linux server security, including minimizing unnecessary software and services, tightening network access and user permissions, implementing security features like SELinux, and using tools like encryption and Linux containers to enhance security. Key steps include pruning software packages, locking down network ports and services, configuring file system mounts and permissions restrictively, and enabling security mechanisms in the Linux kernel.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    230 views4 pages

    Hardening Oracle Linux Server

    Uploaded by

    Tran Hieu
    This document provides tips for hardening an Oracle Linux server security, including minimizing unnecessary software and services, tightening network access and user permissions, implementing security features like SELinux, and using tools like encryption and Linux containers to enhance security. Key steps include pruning software packages, locking down network ports and services, configuring file system mounts and permissions restrictively, and enabling security mechanisms in the Linux kernel.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    of 4
    At a glance
    Powered by AI
    The key takeaways are to minimize software and services, tighten networking and user access, protect applications and data, implement security policies and features, and follow appropriate operational procedures.

    Some techniques mentioned are minimizing unnecessary software packages and services, tightening the network configuration and user access points, setting up devices, mounts and file systems appropriately, and implementing security features like SELinux.

    Some ways mentioned are using separate partitions, establishing disk quotas, mounting /usr as read-only, setting mount options like noexec, nosuid and nodev, and managing user authentication through a centralized method.

    This article provides tips and techniques for hardening an Oracle Linux server.

     Minimize software and services. Eliminating unnecessary software packages and services minimizes
    possible avenues of attack.
     Tighten networking and user access. The network is a prime point of entry for malicious users and
    applications. Fine-tuning the network configuration, along with all user access points, helps to prevent
    unauthorized access.
     Protect applications and data. Setting up devices, mounts, and file systems appropriately (and in some
    cases using encryption) helps to safeguard applications and data.
     Implement security features that enforce policies. In some cases, the security policy may dictate
    additional mechanisms, such as TCP wrappers, Pluggable Authentication Modules (PAM), or the
    implementation of Security-Enhanced Linux (SELinux).
     Follow appropriate operational procedures. In addition to maintaining systems' physical security, apply
    support patches and security updates promptly. Monitor system logs and audit trails, implementing
    procedures and tools that look for signs of compromise. Also, conduct security evaluations periodically to
    review security-related practices and procedures.

    Security for Oracle Linux

    Minimizing the software footprint


    On systems on which Oracle Linux is already installed, prune out unneeded RPMs to minimize the software
    footprint. For example, the X-Windows system isn't needed on most servers and can be uninstalled.

    Minimizing active services


    or services that are in use, be sure to keep software packages up to date, applying the latest Oracle support
    patches and security updates. To protect against unauthorized changes, secure the file /etc/services, making sure
    it is owned by root, modifiable only by root, and links to it cannot be created.

    Locking down network services


    1/ port scanning
    # netstat -tulp
    # lsof -iTCP -sTCP:LISTEN
    # nmap -sTU
    2/ TCP wrappers
    Editing the file /etc/hosts.deny and /etc/hosts.allow, you can restrict and permit service access for identifiled
    hosts or networks.

    3/ Netfilter and Iptables


    netfilter perform three operations:
    Packet filtering
    Network Address Translation (NAT): hiding IP address behind a public IP address.
    IP masquerading: altering IP header information for routed packets

    4/ SSH
    configuration by editing parameter in /etc/ssh/sshd_config
    PubkeyAuthentication yes
    PasswordAuthentication no
    PermitRootLogin no
    HostbasedAuthentication no
    StrictModes yes

    Configuring mounts, file permissions, and ownerships


    Some simple steps can help protect data and the integrity of the installed Oracle Linux operating system. First, use
    separate disk partitions for operating system and user data (that is, separate partitions for /home, /tmp,
    /var/tmp, /oracle, and so on). This strategy can prevent a "file system full" issue from impacting operations.
    Establishing disk quotas can also prevent a user from accidentally or intentionally filling up a file system.

    To prevent the operating system files and utilities from being altered if a breach occurs, mount the /usr file system
    as read-only. When it's time to update operating system RPMs, simply remount /usr as read/write using the -o
    remount,rw option (remount allows you to change mount flags without taking down the system). After performing
    the update, don't forget to switch back to read-only mode.

    To limit user access on certain non-root local file systems (such as /tmp or removable storage partitions), set the
    noexec, nosuid, and nodev mount options. The noexec option prevents the execution of binaries (but not scripts),
    nosuid prevents the setuid bit from taking effect, and nodev prevents the use of device files.

    Managing user and authetication


    When you install software that creates a default user account and password, be sure to change the vendor's
    default password immediately. A centralized user authentication method (such as OpenLDAP or other LDAP
    implementations) can help to simplify user authentication and management tasks, which might help to lower the
    risk of unused accounts or accounts with null passwords.

    To tell exactly who has performed a privileged administrative action, set up the system so it is not possible to log in
    directly as root. Instead, all administrators should log in to the system first as a named user and then use the su or
    sudo commands to perform tasks as root. To prevent users from logging in as root directly, edit the /etc/passwd
    file, changing the shell from /bin/bash to /sbin/nologin. Modify the /etc/sudoers file using visudo to grant specific
    users authority to perform administrative tasks.

    Additional security Features and tools


    . enable Selinux
    # sestatus
    SELinux status: enabled
    SELinuxfs mount: /selinux
    Current mode: enforcing
    Mode from config file: enforcing
    Policy version: 24
    Policy from config file: targeted

    . Linux Container and Control Groups


    Available in Oracle Linux 6 with the Unbreakable Enterprise Kernel, Linux Containers (LXC) provide a way to isolate
    a group of processes from others on a running Oracle Linux system. Linux Containers are a lightweight operating
    system virtualization technology built on Linux resource management control group (cgroup) capabilities and
    resource isolation that is implemented through namespaces
    . Kernel Security Mechanisms
    The Linux kernel features additional security mechanisms:

     Address Space Layout Randomization (ASLR). By randomly arranging the placement of the base, libraries,
    heap, and stack in a process's address space, ASLR makes it difficult to predict the memory address of the
    next instruction. This technique, built into the Linux kernel and controlled by the parameter
    /proc/sys/kernel/randomize_va_space, can thwart certain types of buffer overflow attacks. (Make sure
    that this kernel setting is compatible with your application stack.)
     Data Execution Prevention (DEP). Implemented in the Linux operating system, DEP prevents an
    application or service from executing code from a non-executable memory region. Hardware-enforced
    DEP works in conjunction with the NX (Never Execute) bit on compatible CPUs.
     Position Independent Executables (PIE). The kernel supports PIE technology, which means that
    executable binaries can be loaded at random memory addresses. To generate binaries that are position-
    independent, the compiler and linker require specific arguments.

    . Compiler Protection
    The gcc compiler features several buffer overflow protection features. Setting the FORTIFY_SOURCE option causes
    the compiler to issue a warning when it detects a defect such as a potential buffer overflow. The compiler also
    includes Stack-Smashing Protection in which the compiler puts a stack canary (a known value) before the stack
    return pointer to discover whether the stack has been "smashed." Like a canary in a coal mine (used to detect air
    quality problems), a stack canary detects a stack buffer overflow. The canary value is checked before the return,
    and if it is invalid, then it's likely that malicious code has overwritten the canary value as well as the return pointer.

    . Crytography

    Data encryption can help to protect both data at rest as well as data in motion. Data at rest—such as data on
    media and storage devices—can be at risk because of theft or device loss. Data in motion—such as data
    transmitted over the local area networks and the internet—can be intercepted or altered, so encrypting
    transmitted data provides protection.

    You might also like