Secure Installation
Security begins during ISR installation, and choosing appropriate settings at that stage helps protect your systems and data. Ensure that the critical security services and settings (described below) are installed and enabled. Oracle strongly recommends using a non-root account for logins to set up, configure, and administer your ISR systems. Choose secure passwords during installation, and do not remove secure file permission settings unless absolutely necessary.
Critical Security Services and Settings
By default, Oracle Linux 7 comes with several security features enabled. To help ensure the security of your systems, Oracle recommends that you do not disable these features.
- Firewalld—On Oracle Enterprise Linux 7, the firewalld service replaces the configuration elements of iptables from previous versions of Enterprise Linux. Keeping the firewalld service enabled and active provides an excellent defensive measure to secure your systems. For more information on the firewalld service, see http://docs.oracle.com/cd/E52668_01/E54669/E54669.pdf, section 26.3. By default, the ISR platform utilizes the zones detailed below, and our applications install firewalld service configurations to enable standard communications amongst the various zones. To change the zones on which an application is allowed to operate, see the section “Firewalld Optional Configuration” in this guide.
- SELinux/setenforce—Provides an enhanced level of control over the files, processes, and users of the Operating System. For more information on SELinux/setenforce, see http://docs.oracle.com/cd/E52668_01/E54669/E54669.pdf, section 26.2.
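The following check is an added example, not part of the Oracle guide: it compares the runtime and boot-time state of firewalld and SELinux with the defaults the guide says to keep, so that a service stopped by hand or a mode changed only until the next reboot is reported. It assumes the baseline is firewalld enabled and active and SELinux enforcing; the function names and the `--live` switch are hypothetical, and without `--live` it runs on a constructed sample.

```shell
#!/bin/sh
# Added example: confirm firewalld and SELinux are still on after installation.
# Assumed baseline (Oracle Linux 7 defaults): firewalld enabled and active,
# SELinux enforcing both at runtime and in /etc/selinux/config.

# evaluate_baseline FW_ENABLED FW_ACTIVE SE_RUNTIME SE_BOOT
# Prints one line per deviation and nothing when the host matches the baseline.
evaluate_baseline() {
    [ "$1" = "enabled" ]   || echo "firewalld: not enabled at boot (is-enabled: $1)"
    [ "$2" = "active" ]    || echo "firewalld: not running (is-active: $2)"
    [ "$3" = "Enforcing" ] || echo "SELinux: runtime mode is $3, expected Enforcing"
    [ "$4" = "enforcing" ] || echo "SELinux: /etc/selinux/config has SELINUX=$4"
    return 0
}

# collect_live reads the four values on the host itself (needs systemd and the
# SELinux utilities) and passes them to evaluate_baseline.
collect_live() {
    fw_enabled=$(systemctl is-enabled firewalld 2>/dev/null)
    fw_active=$(systemctl is-active firewalld 2>/dev/null)
    se_runtime=$(getenforce 2>/dev/null)
    se_boot=$(sed -n 's/^SELINUX=//p' /etc/selinux/config 2>/dev/null)
    evaluate_baseline "${fw_enabled:-unknown}" "${fw_active:-unknown}" \
                      "${se_runtime:-unknown}" "${se_boot:-unknown}"
}

if [ "${1:-}" = "--live" ]; then
    deviations=$(collect_live)
    if [ -n "$deviations" ]; then
        printf '%s\n' "$deviations" >&2
        exit 1
    fi
    echo "baseline OK"
else
    # Constructed sample: firewalld stopped by hand and SELinux set to
    # permissive at runtime, while the boot-time settings are untouched.
    evaluate_baseline enabled inactive Permissive enforcing
fi
```

With `--live` the script exits non-zero when any deviation is found, which makes it usable from a scheduled job or a configuration-management check.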
Creating and Using a Non-Root User Account
To create a new user in the 'isr' group:
File Permissions
Do not unnecessarily remove file permission restrictions on files and directories. By default, ISR files are set to the most restrictive settings that still allow the system to operate.
Secure Passwords
Oracle recommends you use unique and complex passwords for ISR database accounts, as well as OS user accounts. The following Oracle MySQL password rules offer a good starting point:
- At least 8 characters long
- Contain at least 1 uppercase and 1 lowercase letter
- Contain at least 1 number
- Contain at least 1 special character