1. Security Guide
  2. Security Features of Oracle Database Appliance

2 Security Features of Oracle Database Appliance

Oracle Database Appliance uses hardware and software hardening processes to secure the system, and that assist in deploying a layered security strategy.

Topics:

About Oracle Database Appliance Security Features

Oracle Database Appliance includes hardening configuration and security capabilities to core components.

Your organization can use the security features of Oracle Database Appliance as part of a layered security strategy.

Hardening Configuration

Oracle Database Appliance includes the following recommended hardening configuration procedures:

  • Installed packages are trimmed to a minimum, so that unnecessary packages are not installed on the servers.

  • Essential services only are enabled on the Oracle Database Appliance nodes.

  • Operating system users are audited.

  • Secure configurations for chrony, SSH, and other services.

Oracle Database Appliance only enables essential and secure services that are required for system functionality. Among the set of RPMs that Oracle Database Appliance installs, the dependent services that are enabled by default during installation are disabled, if not required. Oracle Database Appliance runs regular security scans, identifies services that are not required, and shuts down these services during installation. For example, systemd services such as rhnsd, smartd, hwmgmtd, ibacm rpcidmapd, hmp-interconnect, hmp-ipmi, sssd, and abrt-vmcore. Services that are delivered with a default configuration, can be modified to be more secure. For example, disabling SNMPv1, SNMPv2, and public community on SNMP, or disabling weak ciphers for the sshd service, or disabling the ILOM interconnect network.

Security Capabilities

Oracle Database Appliance architecture provides security capabilities to the core components. The capabilities are grouped into the following categories:

  • Isolation policies

  • Controlled access to data

  • Cryptographic services

  • Monitoring and auditing

  • Oracle Integrated Lights Out Manager (ILOM)

Parent topic: Security Features of Oracle Database Appliance

Oracle Database Appliance and Common Vulnerabilities and Exposures (CVEs)

Oracle Database Appliance software for each release contains only necessary Oracle Linux RPMs, that is, approximately 20% of the total available Oracle Linux RPMs to minimize potential vulnerabilities and exposures.

Oracle Database Appliance also protects its RPMs through version lock so that you do not accidentally override these RPMs. To check if a specific CVE affects Oracle Database Appliance or when the CVE may be fixed, contact Oracle Support.

Parent topic: Security Features of Oracle Database Appliance

Identifying Security Issues and Picking up Security Updates

Oracle Database Appliance conducts regular, extensive security scans across the entire stack using industry leading security scanners.

Oracle Database Appliance runs the following scans to detect vulnerabilities in the software stack, in compliance with Oracle security standards.

  • The proprietary scans called Open Source Compliance Service (OSCS) scan and AppDep Vulnerability scan that Oracle owns, scans open source software that Oracle Database Appliance software uses, for open vulnerabilities. This scan also includes malware scan in open source software Oracle Database Appliance uses. All open-source and third-party software is built internally within Oracle.
  • Tenable Nessus vulnerability scan runs on bare metal and DB system to determine vulnerabilities.
  • Microfocus Webinspect scan is run against DCS software to determine REST API security.
  • Fortify is used for static code analysis.

Parent topic: Security Features of Oracle Database Appliance

About Multi-User Access for Oracle Database Appliance Security

Multi-user access can enhance security of the Oracle Database Appliance system and provide an efficient mechanism for role separation.

When multi-user access is not enabled, a single Oracle Database Appliance account with user name and password is used to connect to the appliance, run ODACLI commands, or log into the Browser User Interface (BUI). The root user performs all administration on an Oracle Database Appliance. When multi-user access is enabled, you have the option of providing separate access to database administrators to manage databases. Display of resources within the Browser User Interface is also filtered as per user role. Root access is restricted to the Oracle Database Appliance system administrator to access system logs or debug issues that require root access.

When you enable multi-user access, you create multiple users with different roles that restrict them from accessing resources created by other users and also restrict the set of operations they can perform using ODACLI commands or the BUI. The same user credentials that you set up, can be used for logging into the BUI and running ODACLI commands. The BUI also displays resources and information based on access to the set of resources. A separate Multi-User Access Management tab is available only to the odaadmin user to administer the users and resources in the system.

Enabling multi-user access requires that you specify the password to run ODACLI commands. A successful authentication generates a token with a validity of 120 minutes. Any ODACLI command that you run within that duration does not require a password and each successful run renews the token, extending its validity. If the token expires due to inactivity, then you are prompted for the password when you run an ODACLI command.

See Also:

Oracle Database Appliance Deployment and User's Guide for your hardware model.

Parent topic: Security Features of Oracle Database Appliance

Restricting the Binaries for Starting the System

Secure Boot is enabled by default on Oracle Database Appliance X10.

Parent topic: Security Features of Oracle Database Appliance

Understanding Secure Boot

Secure Boot is a method used to restrict which binaries can boot the system.

With Secure Boot, the system UEFI firmware allows boot loaders that carry the cryptographic signature of trusted entities. All processes that run in the UEFI firmware must be signed with a key that the system recognizes as trustworthy. With each restart of the server, every component in the boot sequence is verified. This prevents malware from hiding embedded code in the boot sequence.

Loadable kernel modules must be signed with a trusted key or they cannot be loaded into the kernel. The following trusted keys are stored in UEFI NVRAM variables:
  • UEFI Secure Boot Database Key (DB): Signature database that contains well-known keys. Only binaries that can be verified against the DB are run by the BIOS.
  • Forbidden Signature Database Key (DBX): Keys that are blocked. Attempting to load an object with a key that matches an entry in the DBX will be denied. This is a list of keys that are bad.
  • Machine Owner Key (MOK): User-added keys for kernel modules that you want to install.
  • Platform Key (PK): The key installed by the hardware vendor. This key is installed by the vendor and is in the Oracle ILOM firmware. This key is not accessible from the host.
  • Key Exchange Key (KEK): The key required to update the signature database. The user must have physical access to the system console to add keys, modify keys, or enable and disable Secure Boot through the UEFI configuration menu. The default boot loader on most UEFI-enabled servers running Linux is grub2. With Secure Boot enabled, an additional shim boot loader is needed. When booting in Secure Boot mode, the shimloader is called first because it contains a trusted signature. The shimloader then loads grub2, which then loads the operating system kernel, which is also signed.

See Also:

Overview of Secure Boot in Oracle Linux Working With UEFI Secure Boot at https://docs.oracle.com/en/operating-systems/oracle-linux/secure-boot/#Oracle-Linux

Restrictions for Secure Boot Availability

Currently, Secure Boot is available with Oracle Database Appliance release 19.20.0.1 on Oracle Database Appliance X10 hardware model on bare metal database servers and KVM host systems. Secure Boot is not supported on DB systems and KVM guest machines.

Parent topic: Restricting the Binaries for Starting the System

Enabling and Disabling Secure Boot

You can change the Secure Boot setting by entering the Setup during the boot process.

See Also:

"Overview of Secure Boot" in Oracle Linux Working With UEFI Secure Boot at https://docs.oracle.com/en/operating-systems/oracle-linux/secure-boot/#Oracle-Linux

Disabling Secure Boot

Follow these steps:
  1. During the boot, Press F2 to run setup.
  2. Select Security, then select Secure Boot.
  3. Select Attempt Secure Boot.
  4. Select Disabled.
  5. Press F10 to save and exit.

Enabling Secure Boot

Follow these steps:
  1. During the boot, Press F2 to run setup.
  2. Select Security, then select Secure Boot.
  3. Select Attempt Secure Boot.
  4. Select Enabled.
  5. Press F10 to save and exit.

Verifying the Status of the Secure Boot Option

To verify the status of the secure boot option, run the command:
# mokutil --sb-state
SecureBoot enabled

Managing Keys and Certificates Used with Secure Boot

For information about managing keys and certificates used with secure boot, refer to the topic Signing Kernel Images and Kernel Modules for Use With Secure Boot in Oracle Linux Working With UEFI Secure Boot at https://docs.oracle.com/en/operating-systems/oracle-linux/secure-boot/#Oracle-Linux

Parent topic: Restricting the Binaries for Starting the System

Using Isolation Policies

Isolation policies provide more secure multitenant services.

If your organization wants to consolidate IT infrastructure, implement shared service architectures, and deliver secure multitenant services, then you should isolate services, users, data, communications, and storage. Oracle Database Appliance provides organizations the flexibility to implement the isolation policies and strategies, based on their needs.

Topics:

  • Isolating Network Traffic
    Oracle Database Appliance isolates client access from device management and inter-device communication at the physical network level.
  • Isolating Databases
    All Oracle Database security options are available for Oracle Database Appliance.

Parent topic: Security Features of Oracle Database Appliance

Isolating Network Traffic

Oracle Database Appliance isolates client access from device management and inter-device communication at the physical network level.

Oracle Database Appliance isolates client and management network traffic on separate networks. Clients access services on a redundant 10 Gbps Ethernet network that ensures reliable, high-speed access to services running on the system. Cluster management access is provided over a physically separate 1 Gbps Ethernet network. Providing physically separate networks ensures separation between operational and management network traffic.

Your organization can choose to further segregate network traffic over the client access Ethernet network by configuring virtual local area networks (VLANs). VLANs segregate network traffic based on your organization’s requirements. Oracle recommends the use of encrypted protocols over VLANs to assure the confidentiality and integrity of communications.

Parent topic: Using Isolation Policies

Isolating Databases

All Oracle Database security options are available for Oracle Database Appliance.

If your organization requires finer-grained database isolation, then you can use software such as Oracle Database Vault, Oracle Virtual Private Database, and Oracle Label Security. One of the best isolation methods is to create physical separation is to dedicate an entire environment to a single application or database. However, servers dedicated to one application or one database are expensive. A more cost-effective isolation strategy uses multiple databases within the same operating system image. You can obtain multiple database isolation through a combination of database and operating system-level controls, such as dedicated credentials for users, groups, and resource controls.

Oracle Database Vault includes a mandatory access control model, which enforces isolation by using logical realms within a single database. Logical realms form a protective boundary around existing application tables by blocking administrative accounts from having ad-hoc access to application data. Oracle Database Vault command rules enable policy-based controls that limit who, when, where, and how the database and application data is accessed. This creates a trusted path to application data. Oracle Database Vault can also be employed to restrict access based upon time, source IP address, and other criteria.

Oracle Virtual Private Database enables the creation of policies that enforce fine-grained access to database tables and views at the row and column levels. Oracle Virtual Private Database provides security portability because the policies are associated with database objects, and are automatically applied no matter how the data is accessed. Oracle Virtual Private Database can be used for fine-grained isolation within the database.

Oracle Label Security classifies data, and mediates access to that data based upon its classification. Your organization can define classification strategies, such as hierarchical or disjoint, that best support their needs. This capability allows information stored at different classification levels to be isolated at the row level within a single tablespace.

Parent topic: Using Isolation Policies

Controlling Access to Data

Controlling access to data, workloads and infrastructure helps to provide greater security.

To protect application data, workloads, and the underlying infrastructure on which it runs, Oracle Database Appliance offers comprehensive yet flexible access control capabilities for both users and administrators. The control capabilities include network access and database access.

Topics:

Parent topic: Security Features of Oracle Database Appliance

Controlling Network Access

Configure Network access to provide fine-grained access control.

Beyond simple network-level isolation, fine-grained access control policies can be instituted at the device level. All components in Oracle Database Appliance include the ability to limit network access to services either using architectural methods, such as network isolation, or using packet filtering and access control lists to limit communication to, from, and between components and services.

Parent topic: Controlling Access to Data

Controlling Database Access

Help to reduce the risk of collusive behavior and inadvertent errors by using separation of duties at every layer of database architecture using role-allocated operating system users and group system privileges.

For example, use different operating system user accounts and designate different physical groups to grant Oracle Database and Oracle Automatic Storage Management (Oracle ASM) system privileges to ensure role separation for database and storage administrators. Within Oracle Database, you can assign specific privileges and roles to ensure that users have access to only those data objects that they are authorized to access. Data cannot be shared unless it is explicitly permitted.

In addition to the password-based authentication available in Oracle Database, Oracle Advanced Security enables organizations to implement strong authentication using public key credentials, RADIUS, or a Kerberos infrastructure. Using Oracle Enterprise User Security, the database can be integrated with existing LDAP repositories for authentication and authorization. These capabilities provide higher assurance of the identity of users connecting to the database.

You can use Oracle Database Vault to manage administrative and privileged user access, controlling how, when and where application data can be accessed. Oracle Database Vault protects against misuse of stolen login credentials, application bypass, and unauthorized changes to applications and data, including attempts to make copies of application data. Oracle Database Vault is transparent to most applications, and day-to-day tasks. It supports multi-factor authorization policies, allowing for secure enforcement of policy without disrupting business operations.

Oracle Database Vault can enforce separation of duties to ensure that account management, security administration, resource management, and other functions are granted only to those users authorized to have those privileges.

Parent topic: Controlling Access to Data

About Managing Privileges and Security with SUDO

A SUDO policy helps to provide system auditing and access control for superuser (root) privileges on the operating system. Use these examples to help to implement a SUDO policy.

The Oracle Appliance Manager command-line utility requires root system privileges for most administrative actions. If you are not logged in as root, then you cannot carry out most actions on the appliance. For example, if you are not logged in as root, then you can view storage information, but you cannot modify the storage.

You should use SUDO, instead of su, to grant root privilege to administrative users. SUDO enables system administrators to grant certain users (or groups of users) the ability to run commands as root without the need for the root password, unlike su. It also logs all commands and arguments as part of your security and compliance protocol.

A SUDO security policy is configured by using the file /etc/sudoers. Within the sudoers file, you can configure groups of users and sets of commands to simplify and audit server administration with SUDO commands.

Parent topic: Controlling Access to Data

Configuring a SUDO Security Policy for the DCS Stack

Use these examples to help to implement a SUDO policy for Oracle Database Appliance models that are using the DCS stack (odacli).

A SUDO policy helps to provide system auditing and access control for superuser (root) privileges on the operating system.

Caution:

Configuring SUDO to allow a user to perform any operation is equivalent to giving that user root privileges. Consider carefully if this is appropriate for your security needs.

Example 2-1 SUDO Example 1: Allow a User to Perform Any ODACLI Operation

This example shows how to configure SUDO to enable a user to perform any ODACLI operation. You do this by adding lines to the commands section in the /etc/sudoers file: 

## The commands section may have other options added to it.
##
Cmnd_Alias ODACLI_CMDS=/opt/oracle/oak/bin/odacli *
jdoe ALL = ODACLI_CMDS

In this example, the user name is jdoe. The file parameter setting ALL= ODACLI_CMDS grants the user jdoe permission to run all odacli commands that are defined by the command alias ODACLI_CMDS. After configuration, you can copy one sudoers file to multiple hosts. You can also create different rules on each host.

Note:

Before database creation, you must set up user equivalency with SSH for the root user on each server. If you do not set up user equivalency and configure SSH on each server, then you are prompted to provide the root password for each server during database creation.

After you configure the sudoer file with the user, the user jdoe can run the set of odacli commands configured with the command alias ODACLI_CMDS. For example: 

$ sudo odacli create database -db newdb

Example 2-2 SUDO Example 2: Allow a User to Perform Only Selected ODACLI Operations

To configure SUDO to allow a user to perform only selected ODACLI operations, add lines to the commands section in the /etc/sudoers file as follows: 

## DCS commands for oracle user 
Cmnd_Alias DCSCMDS = /opt/oracle/dcs/bin/odacli describe-appliance
oracle  ALL=       DCSCMDS
$ sudo /opt/oracle/dcs/bin/odacli describe-appliance

Appliance Information
----------------------------------------------------------------
                     ID: a977bb04-6cf0-4c07-8e0c-91a8c7e7ebb8
               Platform: 
        Data Disk Count: 6
         CPU Core Count: 20
                Created: June 24, 2022 6:51:52 AM HDT

System Information
----------------------------------------------------------------
                   Name: odal001
            Domain Name: example.com
              Time Zone: America/Adak
             DB Edition: EE
            DNS Servers: 10.200.76.198 10.200.76.199 192.0.2.254
            NTP Servers: 10.200.0.1 10.200.0.2

Disk Group Information
----------------------------------------------------------------
DG Name                   Redundancy                Percentage
------------------------- ------------------------- ------------
Data                      Normal                    90
Reco                      Normal                    10

In this example, the user jdoe2 tries to run the sudo odacli list-databases command, which is not part of the set of commands that is configured for that user. SUDO prevents jdoe2 from running the command. 

[jdoe2@servernode1 ~]$ sudo /opt/oracle/dcs/bin/odacli list-databases

Sorry, user jdoe2 is not allowed to execute '/opt/oracle/dcs/bin/odacli list-databases' as root on servernode1.

Parent topic: Controlling Access to Data

Using Cryptographic Services

Cryptographic services can help to protect and validate information at rest, in transit, and in use.

From encryption and decryption to digital fingerprint and certificate validation, cryptography is one of the most-widely deployed security controls in IT organizations.

Whenever possible, Oracle Database Appliance makes use of cryptographic engines provided by the hardware processors. Using hardware for cryptographic operations provides significant performance improvement over performing the operations in software.

Network cryptographic services protect the confidentiality and integrity of communications by using a cryptographically-secure protocol. For example, Secure Shell (SSH) access provides secure administrative access to systems and Oracle Integrated Lights Out Manager (Oracle ILOM). TLS enables secure communications between applications and other services.

Database cryptographic services are available from Oracle Advanced Security. Oracle Advanced Security encrypts information in the database using the transparent data encryption (TDE) functionality. TDE supports encryption of application table spaces, and encryption of individual columns within a table. Data stored in temporary table spaces, and redo logs are also encrypted. When the database is backed up, the data remains encrypted on destination media. This protects information at rest no matter where it is physically stored. Oracle Advanced Security should be considered for organizations concerned about the confidentiality of stored database content or database encryption, either at the table space level or column-level.

In addition, Oracle Advanced Security encrypts Oracle Net Services and JDBC traffic using either native encryption or TLS to protect information while in transit over a network. Both administrative and application connections can be protected to ensure that data in transit is protected. The TLS implementation supports the standard set of authentication methods including server-only authentication using X.509 certificates and mutual (client-server) authentication with X.509.

Parent topic: Security Features of Oracle Database Appliance

Monitoring and Auditing of Databases on Oracle Database Appliance

Oracle Database Appliance includes Oracle Database Fine Grained Auditing (FGA), Oracle Audit Vault, and Oracle Database Firewall Remote Monitor, which provide comprehensive monitoring and auditing features.

Whether for compliance reporting or incident response, monitoring and auditing are critical functions that organizations must use to gain increased visibility into their IT environment. The degree to which monitoring and auditing is employed is often based upon the risk or criticality of the environment. Oracle Database Appliance has been designed to offer comprehensive monitoring and auditing functionality at the server, network, database, and storage layers ensuring that information can be made available to organizations in support of their audit and compliance requirements.

Oracle Database Fine Grained Auditing (FGA) can help you to create create audit records at the level of individual tables and columns, reducing audit overhead. FGA enables organizations to establish policies that selectively determine when audit records are generated. This helps organizations to focus on other database activities, and to reduce the overhead that is often associated with audit activities.

Oracle Audit Vault centralizes the management of database audit settings and automates the consolidation of audit data into a secure repository. Oracle Audit Vault includes built-in reporting to monitor a wide range of activities including privileged user activity and changes to database structures. The reports generated by Oracle Audit Vault enable visibility into various application and administrative database activities, and provide detailed information to support accountability of actions.

Oracle Audit Vault enables the proactive detection and alerting of activities that may be indicative of unauthorized access attempts or abuse of system privileges. These alerts can include both system and user-defined events and conditions, such as the creation of privileged user accounts or the modification of tables containing sensitive information.

Oracle Database Firewall Remote Monitor can provide real-time database security monitoring. Oracle Database Firewall Remote Monitor queries database connections to detect malicious traffic, such as application bypass, unauthorized activity, SQL injection and other threats. Using an accurate SQL grammar-based approach, Oracle Database Firewall helps organizations quickly identify suspicious database activity.

Parent topic: Security Features of Oracle Database Appliance

About FIPS 140-2 Compliance on Oracle Database Appliance

Understand how FIPS 140-2 is implemented on Oracle Database Appliance.

Starting with Oracle Database Appliance release 19.11, the Linux kernel used by Oracle Database Appliance running on bare metal and KVM Database Systems is compliant with the United States Federal Information Processing Standard 140-2 (FIPS 140-2) Level 1. In accordance with the FIPS standard, the algorithms used by the secure shell (SSH) are limited to those permitted by the standard. FIPS 140-2 is supported in both newly provisioned systems and patched systems. When a system is updated, FIPS support is automatically enabled. No user intervention is needed.

Parent topic: Security Features of Oracle Database Appliance

About STIG Compliance on Oracle Database Appliance

Understand Security Technical Implementation Guidelines (STIG) and how to check Oracle Database Appliance for compliance with STIG.

Parent topic: Security Features of Oracle Database Appliance

Checking for STIG Compliance on Oracle Database Appliance

Understand how to check the Oracle Database Appliance for compliance with the Security Technical Implementation Guidelines (STIG).

The United States Defense Information Systems Agency (DISA) recommends (or requires in some cases) the Security Technical Implementation Guidelines (STIG) for deployment and management of software, hardware, and system components. For more information about STIG standards, see https://public.cyber.mil/stigs/downloads/.

Oracle Database Appliance installs Oracle Linux Security Scripts (OLSS) scripts for Oracle Linux 8 to assist with documenting and aligning with the DISA Oracle Linux 8 STIG. OLSS enables you to verify your existing environment for STIG standards and secure your system against STIG settings that are not set to DISA standards.

Oracle Database Appliance bundles OLSS with the product for Oracle Database Appliance in the directory /opt/oracle/dcs/stig.

OLSS has two modes of operation: Verify and Secure. When you run OLSS, the information is displayed on the screen and also saved to a log file. In the Verify mode, the script examines the current compliance status of your system, but it does not change any settings. In the Secure mode, the script examines the current compliance status of your system, and makes changes to the system when the settings or compliance are not adequate, or flags the item as Manual, so that the administrators can make the change.

Running the STIG Command

Follow these steps to run OLSS:

  1. Log in as root user.
  2. Run the command from the /opt/oracle/dcs/stig directory:
    [root@oda1 stig]# ./RunSTIG

The summary and detailed logs are in the /opt/oracle/dcs/stig/logs directory. When you run the STIG command in the secure or verify mode, the log files are STIG.Secure.timestamp or STIG.Verify.timestamp respectively.

An example log when running the STIG command in secure mode is as follows. The log contains the order of running the script, documents the user inputs, the rule description, what was seen on the system, and the changes made. 

The file has description of whether a rule PASSED/Manual/FAILED : file name is : Summary.Secure.08_06_2021_05:21 
===========================================================
Tests run: 252: CAT1 = 27, CAT2 = 213, CAT3 = 12
CAT1     results: Pass: 24      Fail: 0         Manual: 3
         results: Pass: 88.88%  Fail: 0%        Manual: 11.11%
CAT2     results: Pass: 182     Fail: 3         Manual: 28
         results: Pass: 85.44%  Fail: 1.40%     Manual: 13.14%
CAT3     results: Pass: 6       Fail: 0         Manual: 6
         results: Pass: 50.00%  Fail: 0%        Manual: 50.00%
Total by results: Pass: 212     Fail: 3         Manual: 37 
Weighted results: Pass: 84.12%  Fail: 1.19%     Manual: 14.68% 
==========================================================
Both secure and verify modes of STIG classify the severity of the STIG rules as follows:
  • SEV1 - Severity-1 STIG rules
  • SEV2 - Severity-2 STIG rules
  • SEV3 - Severity-3 STIG rules
To verify and secure your Oracle Database Appliance system with STIG-compliant rules based on severity, specify the options as follows:
  • Option 1 for verifying SEV1 - Severity-1 STIG rules
  • Option 2 for verifying SEV2 - Severity-2 STIG rules
  • Option 3 for verifying SEV3 - Severity-3 STIG rules
  • Option A for verifying STIG rules of all severities

Following are examples of running the STIG scripts in the Verify and Secure modes. To verify and secure your Oracle Database Appliance system or a KVM DB system with STIG compliance, select the option 3 when you run the STIG command in both Verify and Secure modes.

Example 2-3 Running STIG Scripts in the Verify Mode



[root@host]# /opt/oracle/dcs/stig/RunSTIG -v

                   Oracle Linux 8 Security Scripts
The Oracle Linux Security Scripts (OLSS) are a tool designed to assist in
creation and deployment of secured Oracle Linux 8 Operating Environment systems.
The OLSS is comprised of a set of scripts and directories.

DISCLAIMER OF WARRANTIES:  THE OLSS IS OFFERED  "AS IS" AND "WITH ALL
FAULTS" AND WITHOUT WARRANTY OF ANY KIND WHATSOEVER. ORACLE DISCLAIMS,
AND USERS OF THE OLSS WAIVE, ANY AND ALL EXPRESS OR IMPLIED WARRANTIES
AND REPRESENTATIONS, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT.
THE OLSS IS TO BE USED AT YOUR OWN RISK.

NO LIABILITY:  IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY DIRECT, INDIRECT,
PUNITIVE, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGE IN CONNECTION WITH
OR ARISING OUT OF THE USE OF THE OLSS (INCLUDING, BUT NOT LIMITED TO, LOSS
OF BUSINESS, REVENUE, PROFITS, USE, DATA, OR OTHER ECONOMIC ADVANTAGE)
HOWEVER IT ARISES, WHETHER FOR BREACH OR IN TORT, EVEN IF ORACLE HAS BEEN
PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

I Have read and agree with the above Warning [y n] y
Are you sure (y/n)? y


             **** Welcome to the Oracle Linux 8 STIG tool ****

This tool has two primary modes: Secure and Verify
Throughout this tool the answers in [] are the expected responses

OLSS will be running in Verify mode - via command line switch

We are running in this environment: oda

Example 2-4 Running STIG Scripts without specifying any option

[root@host]# /opt/oracle/dcs/stig/RunSTIG

                   Oracle Linux 8 Security Scripts
The Oracle Linux Security Scripts (OLSS) are a tool designed to assist in
creation and deployment of secured Oracle Linux 8 Operating Environment systems.
The OLSS is comprised of a set of scripts and directories.

DISCLAIMER OF WARRANTIES:  THE OLSS IS OFFERED  "AS IS" AND "WITH ALL
FAULTS" AND WITHOUT WARRANTY OF ANY KIND WHATSOEVER. ORACLE DISCLAIMS,
AND USERS OF THE OLSS WAIVE, ANY AND ALL EXPRESS OR IMPLIED WARRANTIES
AND REPRESENTATIONS, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT.
THE OLSS IS TO BE USED AT YOUR OWN RISK.

NO LIABILITY:  IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY DIRECT, INDIRECT,
PUNITIVE, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGE IN CONNECTION WITH
OR ARISING OUT OF THE USE OF THE OLSS (INCLUDING, BUT NOT LIMITED TO, LOSS
OF BUSINESS, REVENUE, PROFITS, USE, DATA, OR OTHER ECONOMIC ADVANTAGE)
HOWEVER IT ARISES, WHETHER FOR BREACH OR IN TORT, EVEN IF ORACLE HAS BEEN
PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

I Have read and agree with the above Warning [y n] y
Are you sure (y/n)? y


             **** Welcome to the Oracle Linux 8 STIG tool ****

This tool has two primary modes: Secure and Verify
Throughout this tool the answers in [] are the expected responses

Do you want to Secure or Verify? [Secure Verify] Verify
Are you sure (y/n)?

Example 2-5 Location of Logs

The list of files in the /opt/oracle/dcs/stig/ directory are as follows: 

[root@host stig]# pwd
/opt/oracle/dcs/stig

[root@scaoda10ha02c1n1 stig]# ls -l
total 88
-rw------- 1 root root 34300 Sep 13 10:27 auto_answer
-rw------- 1 root root  1794 Sep 13 10:27 LICENSE
drwx------ 2 root root  4096 Oct  3 11:31 logs
drwx------ 3 root root  4096 Sep 13 10:27 meta
-rwx------ 1 root root 25498 Sep 13 10:27 RunSTIG
drwx------ 2 root root 12288 Sep 13 10:27 scripts

Example 2-6 Secure and Verify Logs Summary

The file names for secure, verify, and the corresponding summary file names are given below. The Summary.Secure.timestamp file provides the status of compliance after hardening. The Summary.Verify.timestamp file provides the status of compliance before hardening. 

[root@oda1 stig]# pwd
/opt/oracle/dcs/stig/04_Logs
[root@scaoda813c1n2 04_Logs]# ls -la
total 48
drwx------. 2 3878 900 4096 Aug 31 07:47 .
drwx------. 9 3878 900 4096 Aug 31 07:47 ..
-rw------- 1 root root 14716 Aug 31 07:47 STIG.Secure.08_31_2021_07:47
-rw------- 1 root root 12884 Aug 31 07:47 STIG.Verify.08_31_2021_07:46
-rw------- 1 root root 1186 Aug 31 07:47 Summary.Secure.08_31_2021_07:47
-rw------- 1 root root 1186 Aug 31 07:47 Summary.Verify.08_31_2021_07:47

Parent topic: About STIG Compliance on Oracle Database Appliance

About Oracle Linux Security Scripts auto_answer File

Understand how you can use the auto_answer file at /opt/oracle/dcs/stig/auto_answer to store responses to queries when you run Oracle Linux Security Scripts (OLSS).

There are some STIG rules that cannot be evaluated programmatically and require you to provide values.

When you run OLSS, either in the verify or secure mode, the main script prompts for a response for these STIG rules. You can store answers for the questions and acknowledgements encountered when you run OLSS in the auto_answer file at /opt/oracle/dcs/stig/auto_answer. A NULL answer in this file means that OLSS will prompt for an answer.

For example, when you run the main OLSS script (RunSTIG), you are prompted with the following two questions, that require y to be specified for each question, to continue the process. 

[root@oak0 stig]# ./RunSTIG -v


                   Oracle Linux 8 Security Scripts
The Oracle Linux Security Scripts (OLSS) are a tool designed to assist in
creation and deployment of secured Oracle Linux 8 Operating Environment systems.
The OLSS is comprised of a set of scripts and directories.

DISCLAIMER OF WARRANTIES:  THE OLSS IS OFFERED  "AS IS" AND "WITH ALL
FAULTS" AND WITHOUT WARRANTY OF ANY KIND WHATSOEVER. ORACLE DISCLAIMS,
AND USERS OF THE OLSS WAIVE, ANY AND ALL EXPRESS OR IMPLIED WARRANTIES
AND REPRESENTATIONS, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT.
THE OLSS IS TO BE USED AT YOUR OWN RISK.

NO LIABILITY:  IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY DIRECT, INDIRECT,
PUNITIVE, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGE IN CONNECTION WITH
OR ARISING OUT OF THE USE OF THE OLSS (INCLUDING, BUT NOT LIMITED TO, LOSS
OF BUSINESS, REVENUE, PROFITS, USE, DATA, OR OTHER ECONOMIC ADVANTAGE)
HOWEVER IT ARISES, WHETHER FOR BREACH OR IN TORT, EVEN IF ORACLE HAS BEEN
PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

I Have read and agree with the above Warning [y n] y

Are you sure (y/n)? y

You have the option to complete the auto_answer file and update the following entry with the name of the user who modified the file.

Replace:

AA_ACK="NULL"
with:
AA_ACK="Jane Doe"

When you run the OLSS script, you are not prompted with the above questions. 

[root@oak0 stig]# ./RunSTIG -v


                   Oracle Linux 8 Security Scripts
The Oracle Linux Security Scripts (OLSS) are a tool designed to assist in
creation and deployment of secured Oracle Linux 8 Operating Environment systems.
The OLSS is comprised of a set of scripts and directories.

DISCLAIMER OF WARRANTIES:  THE OLSS IS OFFERED  "AS IS" AND "WITH ALL
FAULTS" AND WITHOUT WARRANTY OF ANY KIND WHATSOEVER. ORACLE DISCLAIMS,
AND USERS OF THE OLSS WAIVE, ANY AND ALL EXPRESS OR IMPLIED WARRANTIES
AND REPRESENTATIONS, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT.
THE OLSS IS TO BE USED AT YOUR OWN RISK.

NO LIABILITY:  IN NO EVENT SHALL ORACLE BE LIABLE FOR ANY DIRECT, INDIRECT,
PUNITIVE, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGE IN CONNECTION WITH
OR ARISING OUT OF THE USE OF THE OLSS (INCLUDING, BUT NOT LIMITED TO, LOSS
OF BUSINESS, REVENUE, PROFITS, USE, DATA, OR OTHER ECONOMIC ADVANTAGE)
HOWEVER IT ARISES, WHETHER FOR BREACH OR IN TORT, EVEN IF ORACLE HAS BEEN
PREVIOUSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Acknowledged by Jane Doe


             **** Welcome to the Oracle Linux 8 STIG tool ****

This tool has two primary modes: Secure and Verify
Throughout this tool the answers in [] are the expected responses

OLSS will be running in Verify mode - via command line switch

We are running in this environment: oda

Parent topic: About STIG Compliance on Oracle Database Appliance

About STIG Exceptions on Oracle Database Appliance

Understand the reasons for Security Technical Implementation Guidelines (STIG) exceptions.

Some failures found by OLSS cannot be fixed. Some of the reasons are:
  • The requested fix may remove required functionality.
  • Fixing the issue may lead to system errors.
  • The architecture of Oracle Database Appliance may not support the requested change.

These types of failures are called exceptions.

Following are the Security Technical Implementation Guidelines (STIG) exceptions in this release and the reason for the specific Oracle Linux 8 STIG ID not being fixed on Oracle Database Appliance:

Table 2-1 STIG exceptions

STIG ID Severity Reason for Exemption
OL8-00-010010 Medium Oracle Database Appliance is an appliance and Oracle releases updates every quarter for the Oracle Database Appliance software. This includes the latest security updates. The server patches that Oracle Database Appliance provides ensures smooth patching of the appliance. Any additional RPMs installed or RPMs updated out of order can cause an error in the Oracle Database Appliance patching process.
OL8-00-010010 Medium The users created, when an Oracle Database Appliance system is configured, do not use certificate-based authentication. These accounts must not be configured so. If they are modified as such, it may result in failures on the system.
OL8-00-010340 Medium Directories under /usr/lib64/.build-id are links to shared libraries of installed software. The application of this rule can cause Oracle Database Appliance-installed software to fail, for example, MySQL. The correct working of this component is crucial for the Oracle Database Appliance stack.
OL8-00-010380 Medium The application of this rule can cause failures on the appliance. One example is Oracle HAMI which runs commands through privilege escalation.
OL8-00-010472 Low The RPM rng-tools package is not installed on Oracle Database Appliance, as it is not required. If you install the RPM, you must uninstall it before patching Oracle Database Appliance to a later release because it can cause an error in the Oracle Database Appliance patching process.
OL8-00-010541 Low Any change in any current file system size may result in an out-of-space error on Oracle Database Appliance.
OL8-00-010543 Medium Any change in any current file system size may result in an out-of-space error on Oracle Database Appliance.
OL8-00-010550 Medium Oracle Database Appliance systems are configured for direct login as root. If this is not allowed, it can cause the system to function incorrectly.
OL8-00-010700 Medium Modifying the ownership of any Oracle Database Appliance installed software directory results in one or more software components to stop working.
OL8-00-010731 Medium The Oracle Database Appliance user hamictl_oda_dcs may fail if this rule is applied and can be ignored.
OL8-00-010800 Medium Any change in any current file system size may result in an out-of-space error on the Oracle Database Appliance.
OL8-00-020320 Medium The system administrator must check the Oracle Database Appliance system for any accounts that were created manually. They must not delete any of the accounts created when the Oracle Database Appliance system is setup.
OL8-00-020351 Medium It can cause the Oracle Grid Infrastructure and Oracle Database software to be installed with incorrect permissions, which can result in patching failures.
OL8-00-020352 Medium It can cause the Oracle Grid Infrastructure and Oracle Database software to be installed with incorrect permissions, which can result in patching failures.
OL8-00-020353 Medium It can cause the Oracle Grid Infrastructure and Oracle Database software to be installed with incorrect permissions, which can result in patching failures.
OL8-00-040030 Medium

firewalld is installed on Oracle Database Appliance but has not been configured. Configuring the same may result in the malfunction of Oracle Database Appliance.

If the system administrator remediates this STIG, they must be ready to roll back any changes made.
OL8-00-040124 Medium Creating a separate file system may result in an error because of lack of space on Oracle Database Appliance. Any change in any current file system size may result in an out-of-space error on Oracle Database Appliance.
OL8-00-040127 Medium Creating a separate file system may result in an error because of lack of space on Oracle Database Appliance. Any change in any current file system size may result in an out-of-space error on Oracle Database Appliance.
OL8-00-040130 Medium Creating a separate file system may result in an error because of lack of space on Oracle Database Appliance. Any change in any current file system size may result in an out-of-space error on Oracle Database Appliance.
OL8-00-040135 Medium The RPM fapolicy package is not installed on Oracle Database Appliance, as it is not required. If you install the RPM, you must uninstall it before patching Oracle Database Appliance to a later release.
OL8-00-040370 Medium Removal of the gssproy package deletes dependant packages such as NFS which are required for the working of the Oracle Database Appliance software.
OL8-00-010020 High

Earlier releases of the Oracle Database Appliance software did not create a required Linux configuration parameter when creating or patching a DB system.

This is being tracked by Oracle Database Appliance bugs 36999977 and 37058085.
OL8-00-010170 Medium It is not recommended to remediate this STIG. Enabling SELinux on Oracle Database Appliance system results in performance degradation of the system.
OL8-00-010358 Medium The RPM mailx package is not installed on Oracle Database Appliance, as it was not required. If the customer installs the rpm, they will be required to uninstall it, before patching the Oracle Database Appliance to a higher version,
OL8-00-010410 Medium The RPM opensc package is not installed on Oracle Database Appliance, as it was not required. If the customer installs the rpm, they will be required to uninstall it, before patching the Oracle Database Appliance to a higher version,
OL8-00-010450 Medium It is not recommended to remediate this STIG. Enabling selinux on an Oracle Database Appliance system will result in performance degradation of the system.
OL8-00-010540 Low You must not try to create a separate file system. Any change in any current file system size may result in an out-of-space error on Oracle Database Appliance.
OL8-00-010542 Low You must not try to create a separate file system. Any change in any current file system size may result in an out-of-space error on Oracle Database Appliance.
OL8-00-010544 Medium You must not try to create a separate file system. Any change in any current file system size may result in an out-of-space error on Oracle Database Appliance.
OL8-00-010690 Medium The Oracle Database Appliance created users on the system have few setting in the bash profiles setup. Remediating this STIG can result in the PATH variable to be modified. To run commands, you must then provide the full path to the script.
OL8-00-010710 Medium Modifying the ownership of any Oracle Database Appliance installed software directory, will result in one or more software components to stop working.
OL8-00-010770 Medium The Oracle Database Appliance user hamictl_oda_dcs may fail for this STIG and can be ignored.
OL8-00-020039 Medium The RPM tmux package is not installed on Oracle Database Appliance, as it was not required. If you install the RPM, you must uninstall it before patching Oracle Database Appliance to a later release.
OL8-00-040123 Medium You must not try to create a separate file system. Any change in any current file system size, may result in an out-of-space error on Oracle Database Appliance.
OL8-00-040126 Medium You must not try to create a separate file system. Any change in any current file system size, may result in an out-of-space error on Oracle Database Appliance.
OL8-00-040129 Medium You must not try to create a separate file system. Any change in any current file system size, may result in an out-of-space error on Oracle Database Appliance.
OL8-00-040131 Medium You must not try to create a separate file system. Any change in any current file system size, may result in an out-of-space error on Oracle Database Appliance.
OL8-00-040320 Medium The system administrator must not uninstall the graphical display manager software/RPMs. This is required for the correct functioning of Oracle Database Appliance.
OL8-00-040400 Medium The system administrator must not prevent Oracle Database Appliance created users from running privileged functions. This is required for the correct functioning of Oracle Database Appliance.

Parent topic: About STIG Compliance on Oracle Database Appliance

Using Oracle ILOM for Secure Management

Oracle Integrated Lights-Out Management (Oracle ILOM) enables full out-of-band management, providing remote management capability for Oracle Database Appliance.

IPMI v2.0 and Collections of security controls and capabilities are necessary to properly secure individual applications and services. It is equally important to have comprehensive management capabilities to sustain the security of the deployed services and systems. Oracle Database Appliance uses the security management capabilities of Oracle ILOM.

Oracle ILOM is a service processor embedded in many Oracle Database Appliance components to perform out-of-band management activities. Oracle ILOM provides the following features:

  • Secure access to perform secure lights-out management of the database and storage servers. Access includes web-based access protected by Transport Layer Security (TLS), command-line access using Secure Shell, and SNMPv3 protocols.

  • Separate duty requirements using a role-based access control model. Individual users are assigned to specific roles that limit the functions that can be performed.

  • An audit record of all logins and configuration changes. Each audit log entry lists the user performing the action, and a timestamp. This allows organizations to detect unauthorized activity or changes, and attribute those actions back to specific users.

Parent topic: Security Features of Oracle Database Appliance