You can securely use Oracle Linux in your cloud environment by following these security best practices. Oracle Linux also provides several cloud services that perform automatic software updates, install bug fixes, and monitor your instances for critical events.
Uninstall or disable components, services, and features that you don't need or use in your cloud environment.
As an option, consider installing only the base OS on Oracle Linux systems.
If you use the Oracle Cloud platform image, choose the best image type to meet your business needs:
Standard platform image: A minimal image with additional support tools and packages installed by default. The tools and packages are used by Oracle Support to address any open support tickets, if filed.
Minimal platform image: An image that has the minimum number of packages needed to boot and connect to an OCI instance from the SSH console.
Custom platform image: Your own, customized image that follows best practices for security by only installing what's necessary to support your cloud environment and your application stack.
Regularly review the packages that are part of your Oracle Cloud platform image to ensure the packages are actively being used. Remove packages that aren't used.
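One way to make that review repeatable is to record a package and enabled-service manifest when the image is built and compare every running instance against it. The script below is an added example, not Oracle's own tooling; it runs on constructed sample manifests, and the comments show the commands that would produce real ones on an instance.

```shell
#!/bin/sh
# Baseline drift check for an Oracle Linux cloud instance (constructed example).
# Compares the packages (or enabled services) on a running instance against
# the manifest recorded when the minimal image was built and reports drift.
#
# To capture a real manifest on an instance (not run here):
#   rpm -qa --qf '%{NAME}\n' | sort -u > baseline-packages.txt
#   systemctl list-unit-files --type=service --state=enabled --no-legend \
#       | awk '{print $1}' | sort -u > baseline-services.txt
set -eu

# drift BASELINE CURRENT: prints "added <name>" for entries present only in
# CURRENT and "removed <name>" for entries present only in BASELINE.
# Both files hold one name per line; they are sorted here so the caller
# does not have to.
drift() {
    b=$(mktemp) c=$(mktemp)
    sort -u "$1" > "$b"
    sort -u "$2" > "$c"
    comm -13 "$b" "$c" | sed 's/^/added /'
    comm -23 "$b" "$c" | sed 's/^/removed /'
    rm -f "$b" "$c"
}

# drift_count BASELINE CURRENT: number of drifted entries (0 = no drift),
# usable as a pass/fail signal in a scheduled review job.
drift_count() {
    drift "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed sample data standing in for two real package manifests ---
BASE_PKGS=$(mktemp) CUR_PKGS=$(mktemp)
printf '%s\n' bash glibc openssl-libs kernel-uek > "$BASE_PKGS"
printf '%s\n' kernel-uek telnet-server openssl-libs bash glibc > "$CUR_PKGS"

# Report anything installed since the image was built (here: telnet-server),
# which is a candidate for removal if nothing in the stack needs it.
drift "$BASE_PKGS" "$CUR_PKGS"
rm -f "$BASE_PKGS" "$CUR_PKGS"
```

The same function works for the enabled-service manifest, so one scheduled job can flag both packages and services that were not part of the approved image.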
Keep software up-to-date
Evaluate the software installed on the Oracle Linux systems in your environment, and apply security updates on a weekly basis, at minimum. Regularly check for patch updates and install the latest patches. Determine when, and how often, to perform larger updates that include additional bug fixes and enhancements.
Use these Oracle Linux cloud services to help keep software up-to-date:
OS Management Hub: Manages the latest software packages on your Oracle Cloud Infrastructure (OCI) instances. See Using OS Management Hub.
Autonomous Linux image: Lets Autonomous Linux perform daily updates of, and monitor critical issues for, your OCI instances. See Oracle Autonomous Linux Image.
Ksplice: Automatically patches the running kernel and common userspace libraries on the Oracle Linux systems in your environment, without needing a reboot or downtime. See Using Oracle Ksplice.
Restrict access
Keep middle-tier applications and databases behind a firewall or restrict access by IP address. If using a firewall, make sure the firewall settings are controlled, and regularly review these settings. If using a virtual firewall, set up the proper security lists for your instances. See Ways to Secure Your Network and Security Lists.
Control authentication mechanisms and enforce strict password restrictions
Use strict password, key, certificate, and token-based authentication.
Grant minimal user privileges
Limit user privileges as much as possible. Give users only the access required to perform their work.
Monitor system activity
Audit system activity and regularly review the audit records.
Ksplice provides a known exploit detection feature for systems that have the Ksplice Enhanced client installed. For more information, see the Ksplice User Guide.
Keep up-to-date with the latest security information
For government security standards and requirements, use the STIG image
Use the Oracle Linux STIG image to create Oracle Linux instances that follow certain security standards and requirements set by the Defense Information Systems Agency (DISA). These security standards are described in the Security Technical Implementation Guide (STIG).
There are additional services in Oracle Cloud that complement the security you can build with Oracle Linux. For example, to regularly check hosts and container images for potential security vulnerabilities, you can use the Oracle Cloud Infrastructure Vulnerability Scanning Service. For assistance with managing application stacks, including grouping resources based on defined criteria, you can use the Oracle Fleet Application Management Service.
Instances that use the Oracle Autonomous Linux image are automatically updated daily with available packages and patches that address security vulnerabilities. Some of these updates can include zero-downtime Ksplice patches for kernel, OpenSSL, and glibc libraries. You can modify the execution time of these daily updates.
To be notified when a security event occurs on an instance, set the notification topic for that instance.
OS Management Hub Service
OS Management Hub lets you monitor and manage updates across the Oracle Linux instances in your cloud environment from a centralized management console.
Control the number of software sources (repositories), and specify which software packages are available to the instances registered with OS Management Hub.
Create jobs that schedule recurring security updates for one or more instances, including jobs that apply Ksplice updates.
Create mirror sync jobs that keep mirrored software sources in sync.
Designate an instance to be a management station. You can then create jobs that ensure the management station distributes the latest software and security packages to any instances using that station.