Oracle Linux Security

You can securely use Oracle Linux in your cloud environment by following these security best practices. Oracle Linux also provides several cloud services that perform automatic software updates, install bug fixes, and monitor your instances for critical events.

Security Best Practices

Follow these security best practices when using Oracle Linux in a cloud environment.

For more information, see Oracle Linux 9 Enhancing System Security and Oracle Linux 8 Enhancing System Security.

Oracle Linux Security Best Practices

Best Practice

Description

Minimize and secure the software footprint

Uninstall or disable components, services, and features that you don't need or use in your cloud environment.

As an option, consider installing only the base OS on Oracle Linux systems.

If you use the Oracle Cloud platform image, choose the best image type to meet your business needs:

  • Standard platform image: A minimal image with additional support tools and packages installed by default. The tools and packages are used by Oracle Support to address any open support tickets, if filed.
  • Minimal platform image: An image that has the minimum number of packages needed to boot and connect to an OCI instance from the SSH console.
  • Custom platform image: Your own, customized image that follows best practices for security by only installing what's necessary to support your cloud environment and your application stack.

Regularly review the packages that are part of your Oracle Cloud platform image to ensure the packages are actively being used. Remove packages that aren't used.

Keep software up-to-date

Evaluate the software installed on the Oracle Linux systems in your environment, and apply security updates on a weekly basis, at minimum. Regularly check for patch updates and install the latest patches. Determine when, and how often, to perform larger updates that include additional bug fixes and enhancements.

Use these Oracle Linux cloud services to help keep software up-to-date:

  • OS Management Hub: Manages the latest software packages on your Oracle Cloud Infrastructure (OCI) instances. See Using OS Management Hub.
  • Autonomous Linux image: Lets Autonomous Linux perform daily updates of, and monitor critical issues for, your OCI instances. See Oracle Autonomous Linux Image.
  • Ksplice: Automatically patches the running kernel and common userspace libraries on the Oracle Linux systems in your environment, without needing a reboot or downtime. See Using Oracle Ksplice.

Restrict access

Keep middle-tier applications and databases behind a firewall or restrict access by IP address. If using a firewall, make sure the firewall settings are controlled, and regularly review these settings. If using a virtual firewall, set up the proper security lists for your instances. See Ways to Secure Your Network and Security Lists.

Control authentication mechanisms and enforce strict password restrictions

Use strict password, key, certificate, and token-based authentication.

Grant minimal user privileges

Limit user privileges as much as possible. Give users only the access required to perform their work.

Monitor system activity

Audit and review system audit records.

Ksplice provides a known exploit detection feature for systems that have the Ksplice Enhanced client installed. For more information, see the Ksplice User Guide.

Keep up-to-date with the latest security information

Monitor the Oracle Linux Security mailing list for critical security announcements. See Subscribe to Oracle Security Alerts.

For government security standards and requirements, use the STIG image

Use the Oracle Linux STIG image to create Oracle Linux instances that follow certain security standards and requirements set by the Defense Information Systems Agency (DISA). These security standards are described in the Security Technical Implementation Guide (STIG).

For more information, see What is STIG?.

There are additional services in Oracle Cloud that complement the security you can build with Oracle Linux. For example, to regularly check hosts and container images for potential security vulnerabilities, you can use the Oracle Cloud Infrastructure Vulnerability Scanning Service. For assistance with managing application stacks, including grouping resources based on defined criteria, you can use the Oracle Fleet Application Management Service.

See Vulnerability Scanning Overview and Overview of Fleet Application Management.

Oracle Linux Services for Security

Oracle Linux provides several services that help you to secure Oracle Linux instances in your cloud environment.

Oracle Autonomous Linux Service

Autonomous Linux performs automatic daily security updates on your Oracle Linux instances, and monitors the instances for critical events.

For more information, see Overview of Autonomous Linux.

Security Features

Oracle Autonomous Linux Security Features

  • Automatic daily packages and updates: Instances that use the Oracle Autonomous Linux image are automatically updated daily with available packages and patches that address security vulnerabilities. Some of these updates can include zero-downtime Ksplice patches for kernel, OpenSSL, and glibc libraries. You can modify the execution time of these daily updates.
  • Security reports: View filterable reports that list security advisories for your instances and indicate whether your instances are up-to-date on security patches.
  • Monitoring of exploit detection events: If an exploit detection event occurs on an instance, review the event details, its log files, and stack trace information about the event.
  • Security event notifications: Choose to be notified when a security event occurs on an instance. You do so by setting the notification topic for the instance.

OS Management Hub Service

OS Management Hub lets you monitor and manage updates across the Oracle Linux instances in your cloud environment from a centralized management console.

For more information, see Overview of OS Management Hub.

Security Features

OS Management Hub Security Features

  • IAM policies and groups: Use policies and groups to limit access to users and cloud resources.
  • Software sources and profiles: Control the number of software sources (repositories), and specify which software packages are available to the instances registered with OS Management Hub.
  • Jobs that schedule patching updates for a standalone instance or all standalone instances in a compartment: Create jobs that schedule recurring security updates for your instance, or instances. You can create jobs that apply Ksplice updates.
  • Mirror sync jobs that sync mirrored software sources: Designate an instance to be a management station. You can then create jobs that ensure the management station distributes the latest software and security packages to any instances using that station.
  • Security reports: Review reports that provide information about security updates, bug updates, and instance activity.

Oracle Ksplice Service

Oracle Ksplice provides automatic security patches and updates to your Oracle Linux instances without needing to shut down and restart the instances.

For more information about Ksplice, see Oracle Linux: Ksplice User's Guide.

Security Features

Oracle Ksplice Security Features

  • Automatic Oracle Ksplice updates: Ksplice automatically installs the latest security patches and updates to Linux kernels on your instances, with zero downtime.
  • Current patches: View the patches and updates currently installed on your instances.
  • Manual updates: If you don't want automatic updates, manually install the latest patches and updates to your instances on demand.
  • Kernels that are actively maintained: View which kernels are actively maintained by Ksplice.

Installing Security Updates Using DNF

Use DNF to install only security updates, rather than applying all available package updates, on an Oracle Linux instance on Oracle Cloud Infrastructure.

To view security updates
Complete the following steps to view security updates for an Oracle Linux instance.
  1. From a command line, connect to the instance using SSH as a user with administrative privileges.
  2. List the available errata, which include security updates:
    sudo dnf updateinfo list

    The output shows advisories by type: security (ELSA), bug fixes (ELBA), and feature enhancements (ELEA). Security advisories are identified by a severity level followed by /Sec., where severity can be Critical, Important, Moderate, or Low. For example:

    ...
    ELSA-2025-9080  Important/Sec. kernel-5.14.0-570.22.1.0.1.el9_6.x86_64
    ELSA-2025-9302  Moderate/Sec.  kernel-5.14.0-570.23.1.0.1.el9_6.x86_64
    ...
    ELSA-2025-9080  Important/Sec. kernel-modules-5.14.0-570.22.1.0.1.el9_6.x86_64
    ELSA-2025-9302  Moderate/Sec.  kernel-modules-5.14.0-570.23.1.0.1.el9_6.x86_64
    ...                          
    ELBA-2025-9428  bugfix         kpartx-0.8.7-35.el9_6.1.x86_64
    ELEA-2025-7281  enhancement    mysql-8.4.4-1.module+el9.6.0+90539+da437dfb.x86_64
    ...
    ELSA-2025-9327  Important/Sec. libblockdev-loop-2.28-14.0.1.el9_6.x86_64
    ELSA-2025-9327  Important/Sec. libblockdev-mdraid-2.28-14.0.1.el9_6.x86_64
    ELSA-2025-9327  Important/Sec. libblockdev-part-2.28-14.0.1.el9_6.x86_64
    ...
  3. Use the security argument to list only the security errata, for example:
    sudo dnf updateinfo list security
    ...
    ELSA-2025-9080  Important/Sec. kernel-5.14.0-570.22.1.0.1.el9_6.x86_64
    ELSA-2025-9302  Moderate/Sec.  kernel-5.14.0-570.23.1.0.1.el9_6.x86_64
    ...
    ELSA-2025-9080  Important/Sec. kernel-modules-5.14.0-570.22.1.0.1.el9_6.x86_64
    ELSA-2025-9302  Moderate/Sec.  kernel-modules-5.14.0-570.23.1.0.1.el9_6.x86_64
    ...                          
    ELSA-2025-9327  Important/Sec. libblockdev-loop-2.28-14.0.1.el9_6.x86_64
    ELSA-2025-9327  Important/Sec. libblockdev-mdraid-2.28-14.0.1.el9_6.x86_64
    ELSA-2025-9327  Important/Sec. libblockdev-part-2.28-14.0.1.el9_6.x86_64
    ...
  4. Filter the list in any of the following ways:
    • Use the --sec-severity=Severity option to filter the security errata by severity, for example:
      sudo dnf updateinfo list --sec-severity=Important
      ...
      ELSA-2025-9080  Important/Sec. kernel-5.14.0-570.22.1.0.1.el9_6.x86_64
      ...
      ELSA-2025-9080  Important/Sec. kernel-modules-5.14.0-570.22.1.0.1.el9_6.x86_64
      ...                          
      ELSA-2025-9327  Important/Sec. libblockdev-loop-2.28-14.0.1.el9_6.x86_64
      ELSA-2025-9327  Important/Sec. libblockdev-mdraid-2.28-14.0.1.el9_6.x86_64
      ELSA-2025-9327  Important/Sec. libblockdev-part-2.28-14.0.1.el9_6.x86_64
      ...
    • Use the cves argument to list the security errata by their Common Vulnerabilities and Exposures (CVE) IDs, for example:
      sudo dnf updateinfo list cves
      ...
      CVE-2024-57801 Important/Sec. kernel-uek-modules-wireless-6.12.0-101.33.4.3.el9uek.x86_64
      CVE-2024-57839 Important/Sec. kernel-uek-modules-wireless-6.12.0-101.33.4.3.el9uek.x86_64
      CVE-2024-57841 Important/Sec. kernel-uek-modules-wireless-6.12.0-101.33.4.3.el9uek.x86_64
      ...
      CVE-2025-22126 Important/Sec. perf-5.14.0-570.22.1.0.1.el9_6.x86_64
      CVE-2025-21979 Important/Sec. perf-5.14.0-570.22.1.0.1.el9_6.x86_64
      CVE-2025-21963 Important/Sec. perf-5.14.0-570.22.1.0.1.el9_6.x86_64
      ...
      CVE-2025-21919 Moderate/Sec.  python3-perf-5.14.0-570.23.1.0.1.el9_6.x86_64
      CVE-2025-21883 Moderate/Sec.  python3-perf-5.14.0-570.23.1.0.1.el9_6.x86_64
      CVE-2025-23150 Moderate/Sec.  python3-perf-5.14.0-570.23.1.0.1.el9_6.x86_64
      CVE-2025-22104 Moderate/Sec.  python3-perf-5.14.0-570.23.1.0.1.el9_6.x86_64
      ...
    • Use the --cve CVE-ID option to view the security errata that correspond to a specific CVE ID, for example:

      sudo dnf updateinfo list --cve CVE-2025-32462
      ELSA-2025-9978 Important/Sec. sudo-1.9.5p2-10.el9_6.1.x86_64
    • Use the info argument and the --cve CVE-ID option to view details about a CVE, for example:

      sudo dnf updateinfo info --cve CVE-2025-32462
      ===============================================================================
         sudo security update
      ===============================================================================
        Update ID: ELSA-2025-9978
             Type: security
          Updated: 2025-06-30 00:00:00
             CVEs: CVE-2025-32462
      Description: [1.9.5p2-10.1]
                 : RHEL 9.6.0.Z ERRATUM
                 : - CVE-2025-32462 sudo: LPE via host option
                 : Resolves: RHEL-100016
         Severity: Important
To install security updates
Use any of the following options to install security updates on an Oracle Linux instance.
  • Update all packages that have security errata available using upgrade --security. All packages are updated to their latest versions, which might be releases that contain bug fixes or new features rather than security errata.
    sudo dnf upgrade --security
  • Update all packages to the latest versions that contain security errata using upgrade-minimal --security. If there are newer packages that don't contain security errata, they are ignored.
    sudo dnf upgrade-minimal --security
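  • Update specific packages to the latest versions that contain security errata using upgrade-minimal 'package*' --security. Quote the pattern so that the shell passes it to DNF instead of expanding it against files in the current directory. For example, to only update kernel packages, run:
    sudo dnf upgrade-minimal 'kernel*' --security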
  • Update only those packages that correspond to a CVE using upgrade --cve.
    sudo dnf upgrade --cve CVE-ID
  • Update a specific ELSA using upgrade --advisory.
    sudo dnf upgrade --advisory ELSA-ID
Note

Some updates might require that you reboot the system. By default, the boot manager automatically enables the most recent kernel version.
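
The listing and install steps above can be combined into a triage script that reduces the dnf updateinfo list output to unique advisories per severity and yields the IDs to pass to dnf upgrade --advisory. This is an added example, not Oracle's code; it assumes the three-column output format shown on this page, and the function names and the Critical/Important gate policy are assumptions.

```shell
#!/bin/sh
# Added example: triage `dnf updateinfo list` output (three-column format
# shown on this page). Function names and the gate policy are assumptions.

# Constructed sample input, built from rows in the listing shown above.
sample_updateinfo() {
cat <<'EOF'
ELSA-2025-9080  Important/Sec. kernel-5.14.0-570.22.1.0.1.el9_6.x86_64
ELSA-2025-9302  Moderate/Sec.  kernel-5.14.0-570.23.1.0.1.el9_6.x86_64
ELSA-2025-9080  Important/Sec. kernel-modules-5.14.0-570.22.1.0.1.el9_6.x86_64
ELBA-2025-9428  bugfix         kpartx-0.8.7-35.el9_6.1.x86_64
ELEA-2025-7281  enhancement    mysql-8.4.4-1.module+el9.6.0+90539+da437dfb.x86_64
ELSA-2025-9327  Important/Sec. libblockdev-loop-2.28-14.0.1.el9_6.x86_64
ELSA-2025-9327  Important/Sec. libblockdev-part-2.28-14.0.1.el9_6.x86_64
EOF
}

# Print "severity advisory-id" once per security advisory read from stdin.
# Bugfix and enhancement rows and any status lines are skipped.
security_advisories() {
    awk '$2 ~ /\/Sec\.$/ {
        sev = $2; sub(/\/Sec\.$/, "", sev)
        if (!seen[$1]++) print sev, $1
    }'
}

# Count unique advisories per severity, one "Severity N" line each.
severity_summary() {
    security_advisories | awk '{ n[$1]++ } END { for (s in n) print s, n[s] }' | sort
}

# Succeed only when no Critical or Important advisory is pending.
patch_gate() {
    ! security_advisories | grep -Eq '^(Critical|Important) '
}

# List advisory IDs at one severity, ready for `dnf upgrade --advisory ID`.
advisories_at() {
    security_advisories | awk -v want="$1" '$1 == want { print $2 }'
}

# Demo on the sample; on a live system pipe in `sudo dnf updateinfo list`.
sample_updateinfo | severity_summary
sample_updateinfo | patch_gate || echo "High-severity advisories pending:"
sample_updateinfo | advisories_at Important
```

Counting advisories rather than rows matters because one ELSA usually covers several packages, so the raw line count overstates the amount of outstanding work.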