Minimize and Secure the Software Footprint
Planning an Oracle Linux system's purpose, deployment configuration, and software
requirements in advance is essential to minimizing attack vectors. During the design phase of
a deployment you can uninstall or disable any components and services that aren't needed or
used in a particular configuration or deployment scenario, including any peripheral
functionality or components. Because deployment requirements can vary over time, you also need
processes in place to uninstall and disable any features that aren't needed or used in
specific configuration or deployment scenarios. You might also consider using the minimal
install base environment that only installs the essential components of the OS by default. If
you're using a kickstart configuration file to install Oracle Linux, the minimal install
includes the @base and @core packages.
For more information about these installation options, see Oracle Linux 9: Installing Oracle Linux.
Find more information about the various base environments available by running the
dnf group list -v command. This command displays the same list of base
environments available on the Software Selection screen of the Oracle Linux GUI installer. For
example:
dnf group list -v
Last metadata expiration check: 0:55:03 ago on Tue 18 Jul 2023 12:19:06 PM GMT.
Available Environment Groups:
   Server with GUI (graphical-server-environment)
   Server (server-product-environment)
   Minimal Install (minimal-environment)
   ...
Installed Environment Groups:
   Server with GUI (graphical-server-environment)
Installed Groups:
   Container Management (container-management)
   ...
Available Groups:
   Legacy UNIX Compatibility (legacy-unix)
   ...
To review what the minimal-environment group includes, run the dnf group info
command. For example:
dnf group info minimal-environment
Last metadata expiration check: 0:04:29 ago on Tue 18 Jul 2023 12:55:49 PM GMT.
Environment Group: Minimal Install
 Description: Basic functionality.
 Mandatory Groups:
   Core
 Optional Groups:
   Guest Agents
   Standard
Use the same command to find out what packages are included in the core group. For example:
dnf group info core
Last metadata expiration check: 0:04:39 ago on Tue 18 Jul 2023 12:19:06 PM GMT.
Group: Core
 Description: Minimal host installation
 Mandatory Packages:
   audit
   basesystem
   bash
   ...
 Default Packages:
   NetworkManager-team
   NetworkManager-tui
   ...
 Optional Packages:
   dracut-config-generic
   ...
To review more information about the individual packages, run the dnf info command on the packages. For example:
dnf info bash
Last metadata expiration check: 0:47:06 ago on Tue 18 Jul 2023 12:19:06 PM GMT.
Installed Packages
Name         : bash
Version      : 5.1.8
Release      : 6.el9_1
Architecture : x86_64
Size         : 7.4 M
Source       : bash-5.1.8-6.el9_1.src.rpm
Repository   : @System
From repo    : anaconda
Summary      : The GNU Bourne Again shell
URL          : https://www.gnu.org/software/bash
License      : GPLv3+
Description  : The GNU Bourne Again shell (Bash) is a shell or command language
             : interpreter that is compatible with the Bourne shell (sh). Bash
             : incorporates useful features from the Korn shell (ksh) and the C shell
             : (csh). Most sh scripts can be run by bash without modification.
Another important way to ensure that Oracle Linux systems are secure is to only install those software packages that are essential for performing necessary functions. Extra functions and components can increase the security risk, so they can be removed or uninstalled as needed.
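The review of installed software against the Core group can be scripted. The following is an added example, not part of the Oracle documentation: it parses saved dnf group info output and lists installed packages that are outside the group's Mandatory and Default sections. The function names, file names, and sample data are constructed for illustration.

```shell
# Added example: list explicitly installed packages outside the Core group
# baseline. Function names and all sample data below are constructed.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Read `dnf group info <group>` output on stdin and print the package names
# from the sections selected by $1 (regex, e.g. 'Mandatory|Default').
group_packages() {
    awk -v want="^ *($1) Packages:" '
        /Packages:[ \t]*$/ { keep = ($0 ~ want); next }  # section header
        /:/                { keep = 0; next }            # Group:, Description:, metadata
        keep && NF         { print $1 }                  # indented package name
    ' | sort -u
}

# $1 = saved group info output, $2 = file of installed package names.
# Prints the installed names absent from the Mandatory and Default sections.
outside_baseline() {
    base=$(mktemp) || return 1
    group_packages 'Mandatory|Default' < "$1" > "$base"
    sort -u "$2" | comm -23 - "$base"
    rm -f "$base"
}

sample_group_info() {   # constructed, shaped like `dnf group info core`
    cat <<'EOF'
Group: Core
 Description: Minimal host installation
 Mandatory Packages:
   audit
   basesystem
   bash
 Default Packages:
   NetworkManager-team
   NetworkManager-tui
 Optional Packages:
   dracut-config-generic
EOF
}

# Constructed list of explicitly installed packages.
sample_installed() { printf '%s\n' audit basesystem bash NetworkManager-tui cups tftp-server; }

# On a real host the two inputs would come from:
#   dnf group info core > group.txt
#   dnf repoquery --userinstalled --qf '%{name}' > installed.txt
tmp=$(mktemp -d) || exit 1
sample_group_info > "$tmp/group.txt"
sample_installed  > "$tmp/installed.txt"
outside_baseline "$tmp/group.txt" "$tmp/installed.txt"   # prints cups, tftp-server
rm -rf "$tmp"
```

A package in the output is a candidate for review, not automatically safe to remove; confirm that nothing in the deployment needs it before uninstalling.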
Installing software from secure, known, and trusted sources is considered good security practice. Oracle signs packages with GPG keys so that administrators can confirm the provenance and authenticity of software packages. Oracle also uses TLS to secure the networking actions of the software installation and update tools provided with Oracle Linux.