SecureDBA

Securing Oracle Enterprise Linux - Part 9 - Network Parameter Hardening

2010-10-31T20:51:17-04:00

This is the ninth in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.

In Part 1 we reviewed a secure partitioning strategy, in Part 2 we performed a minimal install, in Part 3 we performed some mandatory housekeeping before starting the hardening process, in Part 4 we secured ssh, in Part 5 we enabled system accounting, in Part 6 we minimized network services, in Part 7 we configured the firewall and in Part 8 we minimized boot services. In this post we harden the network parameters.

A Word of Caution

The actions outlined in these posts have been performed on a clean install of OEL 5.5 exactly as documented in these posts. If you are contemplating taking these actions on an existing server, please take appropriate precautions such as:

Backing up the server
Reviewing the content of all scripts before running them
Testing the actions on a non-production server

The hardening steps in these posts were performed in the order posted. Performing these steps in a different order my result in unpredictable behavior. Also, all these scripts MUST be run as root, not as sudo.

Network Parameters

net.ipv4.tcp_max_syn_backlog = 4096

This parameter controls the maximum number of incomplete tcp requests that will be remembered. The higher the number, the better the chance the server will survive a syn flood attack. The OEL 5.5 default is 1024.

net.ipv4.tcp_syncookies = 1

This parameter turns syn cookies on when set to one. With syn cookies on, if the above backlog (4096) is reached, typically only during a syn flood attack, the server responds to the request with a syn cookie and forgets the request. If it is a good request, the client will eventually send a third ACK request whereupon the server will recognize the syn cookie and rebuild the connection in memory. Since syn flood requests never send the third ACK, this allows the server to ignore the bad requests and respond to the good requests although at the loss of some performance but enabling the survival of the server during the attack.

net.ipv4.conf.all.rp_filter = 1

When set to 1, this parameter enables a check to see that packets arriving at the interface will be responded to via the same interface thus helping to prevent spoofing of source addresses. In the rare cases where asynchronous routing is intended, this check should not be turned on.

net.ipv4.conf.all.accept_source_route = 0

When set to 0, the default in OEL 5.5, disables IP source routing, typically only used in source spoofing attacks.

net.ipv4.conf.all.accept_redirects = 0

When set to zero, disables ICMP redirects. The default in OEL 5.5 is 1.

net.ipv4.conf.all.secure_redirects = 0

When set to 0, prevents redirect even from gateways in the local routing table since source addresses can be spoofed. The OEL 5.5 default is 1.

net.ipv4.conf.default.rp_filter = 1

net.ipv4.conf.default.accept_source_route = 0

net.ipv4.conf.default.accept_redirects = 0

net.ipv4.conf.default.secure_redirects = 0

The previous 'all' parameters impact the interfaces available at boot time. These 'default' parameters impact interfaces added later (USB or PCMCIA network card).

net.ipv4.icmp_echo_ignore_broadcasts = 1

When set to one, the OEL default, the server will not respond to broadcast pings.

Download the following script that hardens the network parameters and run as root:

cis_script10_network_parameters.sh (0.7K)

Additional Network Parameters

If the server is NOT going to function as a gateway or firewall then also download and run the following script as root:

cis_script11_addtl_network_parameters.sh (0.5K)

Securing Oracle Enterprise Linux - Part 7 - Configure Firewall

2010-10-03T22:06:06-04:00

This is the seventh in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.

In Part 1 we reviewed a secure partitioning strategy, in Part 2 we performed a minimal install, in Part 3 we performed some mandatory housekeeping before starting the hardening process, in Part 4 we secured ssh, in Part 5we enabled system accounting and in Part 6 we minimized network services. In this post we configure the Linux host-based firewall.

A Word of Caution

Backing up the server
Reviewing the content of all scripts before running them
Testing the actions on a non-production server

Configuring the Firewall

OEL (Red Hat) installs, enables and configures a firewall to allow the ssh service on port 22 by default.

Depending on the function of the server, it is likely that other ports need to be opened to allow the server to fulfill its mission.

The firewall is configured via the system-config-securitylevel tool. One of the ways to invoke the tool is through the system setup utility we mention in Part 2. Invoke the setup utility by entering:

/usr/bin/setup

and the following menu appears:

Select Firewall Configuration and then run tool and the system-config-securitylevel tool appears:

The settings above are the defaults which are also the appropriate security settings. Select the Customize button and the following screen appears:

The above screenshot shows the default setting. If additional services (ports):protocols need to be opened, they can be selected from the list or added in the Other ports field. Select OK to save the changes.

Securing Oracle Enterprise Linux - Part 8 - Minimize Boot Services

2010-09-13T01:37:41-04:00

This is the eighth in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.

In Part 1 we reviewed a secure partitioning strategy, in Part 2 we performed a minimal install, in Part 3 we performed some mandatory housekeeping before starting the hardening process, in Part 4 we secured ssh, in Part 5 we enabled system accounting, in Part 6 we minimized network services and in Part 7 we configured the firewall. In this post we minimize boot services.

A Word of Caution

Backing up the server
Reviewing the content of all scripts before running them
Testing the actions on a non-production server

User Defined Services

The following services are referred to as User Defined by CIS. This means they should only be started if they are critical to fulfilling the mission of the server.


User Defined Services
acpid - The daemon for the Advanced Configuration and Power Interface (ACPI).
ip6tables - Used to implement IP Filters when the server is configured for IPv6 network connectivity. If using IPv4, then disable this service and enable iptables.
anacron- anacron is a command scheduler similar to cron; however, unlike cron, it does not assume that the system is continuously up. Run anacron only on systems that are not up 24x7. anacron was specifically developed for laptops or servers that are brought down at non-peak hours.
apmd - The daemon for Advanced Power Management (APM), generally only used on laptops.
irqbalance - Used to distribute interrupts over the system's processors/cores. Optional for single processor/single core servers.
iscsi - Only required if the system uses SCSI devices (typically, storage arrays).
iscsid - Only required if the system uses SCSI devices (typically, storage arrays).
lmsensors - Linux monitoring sensors, an open-source tool for hardware monitoring.
lvm2-monitor - An application that monitors your LVM (Logical Volume Management) system. If you manually partition drives than this service can be disabled.
mcstrans - A translation daemon used with SELinux to translate SELinux categories to user-defined categories.
mdmonitor - Part of the mdadm package for administering software RAID configurations, mdmonitor monitors the health of the RAID configuration.
microcode_ctl - A utility for the IA32 processor (Pentium Pro, PII, Celeron, PIII, Xeon, Pentium 4 etc) microcode driver.
network - Technically user defined, but in practice nearly always required.
readahead_early - A hard disk read cache.
readahead_later - A hard disk read cache.
restorecond - An SELinux daemon that monitors file creation and sets the default SELinux context. Required if running SELinux.
rhnsd - A daemon that periodically queries the Red Hat network for updates.
sendmail - A mail transfer agent (MTA).
smartd- The SMART disk monitoring daemon. SMART is the Self-Monitoring And Reporting Technology built into many ATA, SCSI and IDE drives.

Boot Services

The following tables shows the state of all boot services after a minimal install of OEL as described in these posts. The CIS column shows the CIS recommended state for the service.

Notes:

An N/A in the State columns indicates the service is not installed when using the minimal install procedures described in these posts.
An N/A in the CIS column indicates that CIS has not made a recommendation with regards to this service.

Service	State After Minimal Install Described in this Post							CIS	Disabled by CIS Script	Disabled by SecureDBA Script
NetworkManager	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
NetworkManagerDispatcher	N/A	N/A	N/A	N/A	N/A	N/A	N/A	on	no	no
acpid	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	yes	yesⁱ
amd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
anacron	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	yes	yes[i]
apmd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	UD	yes	yesⁱ
arptables_if	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
arpwatch	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
atd	0:off	1:off	2:off	3:on	4:on	5:on	6:off	off	yes	yes
auditd	0:off	1:off	2:on	3:on	4:on	5:on	6:off	on	no	no
autofs	0:off	1:off	2:off	3:on	4:on	5:on	6:off	off	yes	yes
avahi-daemon	0:off	1:off	2:off	3:on	4:on	5:on	6:off	off	yes	yes
avahi-dnsconfd	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
bgpd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
bluetooth	0:off	1:off	2:on	3:on	4:on	5:on	6:off	off	yes	yes
bootparamd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
capi	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
conman	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
cpuspeed	0:off	1:on	2:on	3:on	4:on	5:on	6:off	off	no	yes[ii]
crond	0:off	1:off	2:on	3:on	4:on	5:on	6:off	on	no	no
cups	0:off	1:off	2:on	3:on	4:on	5:on	6:off	off	yes	yes
cyrus-imapd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
dc_client	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
dc_server	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
dhcdbd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
dhcp6s	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
dhcpd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
dhcrelay	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
dovecot	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
dnsmasq	0:off	1:off	2:off	3:off	4:off	5:off	6:off	N/A	no	yes[iii]
dund	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
firstboot	0:off	1:off	2:off	3:on	4:off	5:on	6:off	on	yes	yes[iv]
gpm	0:off	1:off	2:on	3:on	4:on	5:on	6:off	off	yes	yes
haldaemon	0:off	1:off	2:off	3:on	4:on	5:on	6:off	off	yes	yes
hidd	0:off	1:off	2:on	3:on	4:on	5:on	6:off	off	yes	yes
hplip	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
httpd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
ibmasm	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
innd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	no	yesⁱⁱ
ip6tables	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	yes	yesⁱ
ipmi	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
iptables	0:off	1:off	2:on	3:on	4:on	5:on	6:off	on	no	noⁱ
irda	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
irqbalance	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	no	noⁱ
iscsi	[v]	^v	^v	^v	^v	^v	^v	UD	yes	yesⁱ
iscsid	^v	^v	^v	^v	^v	^v	^v	UD	yes	yesⁱ
isdn	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
kadmin	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
kdump	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
kprop	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
krb524	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
krb5kdc	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
kudzu	0:off	1:off	2:off	3:on	4:on	5:on	6:off	off	yes	yes
ldap	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
lisa	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
lm_sensors	N/A	N/A	N/A	N/A	N/A	N/A	N/A	UD	yes	yes
lvm2-monitor	0:off	1:on	2:on	3:on	4:on	5:on	6:off	N/A	no	no^i,[vi]
mailman	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
mcstrans	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	yes	no^i,[vii]
mdmonitor	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	yes	yesⁱ
mdmpd	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
messagebus	0:off	1:off	2:off	3:on	4:on	5:on	6:off	on	no	no
microcode_ctl	N/A	N/A	N/A	N/A	N/A	N/A	N/A	UD	yes	yesⁱ
multipathd	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
mysqld	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
named	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
netconsole	0:off	1:off	2:off	3:off	4:off	5:off	6:off	N/A	no	yesⁱⁱⁱ
netfs	0:off	1:off	2:off	3:on	4:on	5:on	6:off	off	yes	yes
netplugd	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
network	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	no	noⁱ
nfs	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
nfslock	0:off	1:off	2:off	3:on	4:on	5:on	6:off	off	yes	yes
nscd	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
ntpd	0:off	1:off	2:off	3:off	4:off	5:off	6:off	on	yes	no[viii]
openibd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
ospf6d	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
ospfd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
pand	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
pcscd	0:off	1:off	2:on	3:on	4:on	5:on	6:off	off	yes	yes
portmap	0:off	1:off	2:off	3:on	4:on	5:on	6:off	off	yes	yes
postfix	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	no	yesⁱⁱ
postgresql	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
privoxy	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
psacct	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
radiusd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	no	yesⁱⁱ
radvd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
rarpd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
rawdevices	0:off	1:off	2:off	3:on	4:on	5:on	6:off	N/A	no	yesⁱⁱ
rdisc	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
readahead_early	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	yes	yesⁱ
readahead_later	0:off	1:off	2:off	3:off	4:off	5:on	6:off	UD	yes	yesⁱ
restorecond	0:off	1:off	2:on	3:on	4:on	5:on	6:off	on	no	no
rhnsd	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	yes	yesⁱ
ripd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
ripngd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
rpcgssd	0:off	1:off	2:off	3:on	4:on	5:on	6:off	off	yes	yes
rpcidmapd	0:off	1:off	2:off	3:on	4:on	5:on	6:off	off	yes	yes
rpcsvcgssd	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
rstatd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
rusersd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
rwhod	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
saslauthd	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
sendmail	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	no	no^i,xi
setoubleshoot	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
smartd	0:off	1:off	2:on	3:on	4:on	5:on	6:off	UD	yes	yes
smb	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
snmpd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
snmptrapd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
spamassassin	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
squid	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
sshd	0:off	1:off	2:on	3:on	4:on	5:on	6:off	on	no	no
No	0:off	1:off	2:on	3:on	4:on	5:on	6:off	on	no	no
sysstat	0:off	1:off	2:on	3:on	4:off	5:on	6:off	on	no	no
tog-pegasus	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
tomcat5	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
tux	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
vncserver	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	no	yesⁱⁱ
vsftpd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	no	yesⁱⁱ
winbind	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
wine	N/A	N/A	N/A	N/A	N/A	N/A	N/A	N/A	yes	yes[ix]
wpa_supplicant	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
xend	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
xendomains	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
xfs	0:off	1:off	2:on	3:on	4:on	5:on	6:off	off	no	yes[x]
xinetd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	no	no[xi]
ypbind	0:off	1:off	2:off	3:off	4:off	5:off	6:off	off	yes	yes
yppasswdd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
ypserv	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
ypxfrd	N/A	N/A	N/A	N/A	N/A	N/A	N/A	off	yes	yes
yum-updatesd	0:off	1:off	2:on	3:on	4:on	5:on	6:off	on	no	no

[i] See note in User Defined Services table above.

[ii] It is not clear why CIS recommends that this service be disabled but then does not disable it in their script. The SecureDBA version of the script disables the service.

[iii] It is unclear why CIS does not address this service. It should be disabled and the SecureDBA version of the script does so.

[iv] It is unclear why CIS says this service should be enabled but then disables it in their script. We presume this is because the service is no longer needed after the initial boot.

[v] This service should only be installed if the system uses SCSI devices, typically storage arrays.

[vi] It is unclear why CIS does not address this service. lvm2-monitor is an application that monitors your LVM (Logical Volume Management) system. If you manually partition drives than this service can be disabled.

[vii] Though User Defined, should be enabled on a secure OEL install as SELinux is enabled by default.

[viii] It is unclear why CIS recommends this service be on and then disables it in the script. The SecureDBA version of the script does not disable this service.

[ix] It is unclear why CIS does not address this service but then correctly recommends disabling it.

[x] CIS handles this service separately. The SecureDBA version of the script disables this service.

[xi] This service is handled separately below and not disabled by this script.

Secure umask

As with Red Hat, the default umask of the OEL server is set to 022 and should be at least 027. If you run services that require a less restrictive mask, then modify their startup scripts to set the umask appropriately.

Download the following script to secure the umask and run as root:

Download cis_script6_umask.sh (0.3K)

If possible, disable xinetd

If you performed a minimal install of OEL as per these posts, then the xinetd service is not installed as per the above table and no further action is needed.

Otherwise run the following command to see if xinetd is configured to start:

chkconfig --list xinetd

If it is not, then no further action is needed.

If it is, then you'll need to check if there are any remaining services enabled by xinetd. Remember, we disabled many xinetd services in Part 6. Take the following steps to make this determination:

cd /etc/xinetd.d
For each service listed here, run chkconfig --list

If any are enabled, then you need to determine if these services are required. If they are not simply run the following for each service:

chkconfig --level off

If all the services have been disabled, then you can disable xnetd by running the following:

chkconfig --level xinetd

chkconfig -- level 12345 xinetd off

chkconfig --level xinetd

Secure sendmail

The CIS baseline does not provide hardening information for email servers. If the OEL server is acting as an email server, CIS recommends researching other documentation for assistance is securing the email server.

If not an email server, then make sure that the sendmail daemon is only listening on local host. This is called local-only mode and is the default configuration if OEL was installed according to these posts.

To check, run:

grep MTA /etc/mail/sendmail.cf | grep "Addr=127.0.0.1, " | wc -l

This should return 1 because MTA should only be bound to localhost based on the following entry:

O DaemonPortOptions=Port=smtp,Addr=127.0.0.1, Name=MTA

Other MTA entries should be commented out if found.

Further, sendmail should be disabled and configured not to run as a daemon by downloading and running the following script as root: (Note that the email server need not be running to send outgoing mail.)

Download cis_script7_sendmail.sh (0.4K)

Disable GUI Login

If you have performed a minimal install according to these posts, then the GUI login has already been disabled. This is controlled by the run level specified in /etc/inittab.

Specifically, run level 3 (desired) is specified by the following line in /etc/inittab:

id:3:initdefault:

Run level 5 (GUI) is specified by the following line in /etc/inittab:

id:5:initdefault:

Download the following script and run as root to set a default run level of 3 and set the proper permissions on /etc/inittab:

Download cis_script8_run_level.sh (0.4K)

Disable Appropriate Boot Services

Run the following command to determine the boot state of services on the target server:

chkconfig --list

Compare the output to the table above. Pay particular attention to services that are recommended to be off that are on. Determine which services you can safely turn off for your particular environment.

Download the following script for disabling boot services:

Download cis_script9_boot_services.sh (3.9K)

Modify the script as needed to remove services that the OEL server requires and possibly add additional services that can be disabled. Then run the script as root.

Securing Oracle Enterprise Linux - Part 6 - Minimize Network Services

2010-08-17T21:49:01-04:00

This is the sixth in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.

In Part 1 we reviewed a secure partitioning strategy, in Part 2 we performed a minimal install, in Part 3 we performed some mandatory housekeeping before starting the hardening process, in Part 4 we secured ssh and in Part 5 we enabled system accounting. In this post we minimize network services.

A Word of Caution

Backing up the server
Reviewing the content of all scripts before running them
Testing the actions on a non-production server

Disable Standard Services

If any of the following services are configured in /etc/xinetd.d, then the script below will disable them using chkconfig. For services that do not exist, the script prints an OK message:

amanda
chargen
chargen-udp
cups
cups-lpd
daytime
daytime-udp
echo
echo-udp
eklogin
ekrb5-telnet
finger
gssftp
imap
imaps
ipop2
ipop3
klogin
krb5-telnet
kshell
ktalk
ntalk
rexec
rlogin
rsh
rsync
talk
tcpmux-server
telnet
tftp
time-dgram
time-stream
uucp

Administrators that determine some of these services are needed can either modify the script or re-enable them after the script completes.

If you installed OEL according to these posts then the following services will be disabled:

eklogin
ekrb5-telnet
gssftp
klogin
krb5-telnet
kshell
rsync

You can download the script here: cis_script2_xinetd.sh (1.0K)

Implement TCP Wrappers

TCP Wrappers are implemented by configuring the /etc/hosts.allow and /etc/hosts.deny files. TCP Wrappers rules work by first checking hosts.allow and then checking hosts.deny and stopping on the first match. If hosts.deny is configured before host.allow then the server will block all traffic from network hosts.

Configure /etc/hosts.allow

The following script will loop through the output of ifconfig and create a single hosts.allow entry which will allow all services from all local networks.

For example, on a simple configuration with a single IP address in the 192.168.1.0 / 255.255.255.0 range (plus a local loopback), the script adds the following entry to hosts.allow:

ALL: localhost, 192.168.1

The script assumes IPv4 and a subnet mask of 255.255.255.0. IPv6 configurations are beyond the scope of this post. See the CIS documentation referenced at the top of this post for additional information. If the server is configured for other subnet masks, the hosts.allow file will need to be manually modified after running this script.

Download cis_script3_hosts.allow.sh (0.4K)

Configure /etc/hosts.deny

Warning: Do not proceed with this section until you have configured hosts.allow as above.

The following script will insert a single line in /etc/hosts.deny as follows:

ALL: ALL

Download cis_script4_hosts.deny.sh (0.3K)

Enable These Services Only If Mission Critical

The services described in this section all have security risks and/or flaws. Enable them only if they are mission critical and there are not other alternatives available.

telnet

Enable by running the following:

chkconfig telnet on

ftp

Enable by running the following:

chkconfig --levels 35 vsftpd on

rlogin/rsh/rcp

Enable by running the following:

chkconfig login on

chkconfig rlogin on

chkconfig rsh on

chkconfig shell on

tftp

tftp is not installed by default, so first install the tftp package.

Next run the following script which uses chkconfig to turn on tfpt, then sets the permissions on /tftpboot or creates it with the proper permissions if it does not exist.

Download cis_script5_tftp.sh (0.2K)

Securing Oracle Enterprise Linux - Part 5 - Enable System Accounting

2010-08-17T18:27:32-04:00

This is the fifth in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.

A Word of Caution

Backing up the server
Reviewing the content of all scripts before running them
Testing the actions on a non-production server

Enable System Accounting

The system accounting function is enabled by the sysstat package. If you have performed a clean install of OEL as outlined in this series of posts than this package is already installed. Otherwise, install it if it does not exist.

System accounting provides for the regular collection of performance data and enables such commands as sar and iostat to report on this data.

Regular review of performance data provides a monitoring security control because it may be used to identify suspicious activity.

Securing Oracle Enterprise Linux - Part 4 - Hardening ssh

2010-08-17T17:54:35-04:00

This is the fourth in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.

In Part 1 we reviewed a secure partitioning strategy, in Part 2 we performed a minimal install and in Part 3 we performed some mandatory housekeeping before starting the hardening process. In this post we will begin the hardening process by securing ssh.

A Word of Caution

Backing up the server
Reviewing the content of all scripts before running them
Testing the actions on a non-production server

Create Non-root User(s)

Part of hardening ssh will be disabling remote login as root. Therefore, it is critical that you have at least one non-root user on the server (especially if you are hardening from a remote ssh session, or you will be locked out of the server and will need to directly access the server console to login.

Users should always log into the server using their own account and then use either sudo or su to execute administrative functions. The preferred method is sudo.

Setting Up Basic sudo for Administrators

First of all the sudo package must be installed. If you have installed the OS according to these posts then it will already be installed.

sudo is configured using the /etc/sudoers file; however, it cannot be directly edited using your favorite editor. You must use the visudo command to edit the file. visudo uses the VISUAL environment variable to set the appropriate editor. If vi is your editor of choice, then run:

export VISUAL="vi"

You will probably want to put this line in .bash_profile of root.

Once this is completed you can simply enter"

visudo

and it will open up /etc/sudoers in the editor specified by the VISUAL environment variable.

Once opened, you will likely see an lines such as the following:

## Allow root to run any commands anywhere

root ALL=(ALL) ALL

You should also find a lines like:

## Allows people in group wheel to run all commands

# %wheel ALL=(ALL) ALL

Uncomment the line that starts with %wheel and save the file.

Now all users in the wheel group will be able to run all commands. Please note that this is a very simple implementation meant for administrator access only.

The next step will be to create a user or users in the wheel group for all administrators as follows:

useradd

passwd

usermod -G wheel

These users can log into the server as themselves. If they need to run privileged commands they can simply enter:

sudo

and they will be prompted to reenter their password.

Alternatively, the users, assuming they know the root password, can enter:

and then the password for root.

Securing SSH

The following script secures ssh by:

Ensuring the ssh client configuration in /etc/ssh/ssh_config enforces Protocol 2 and Port 22 and by setting permissions of the config file to 0644
Ensuring the ssh server configuration in /etc/ssh/sshd_config enforces Protocol 2, Port 22, VERBOSE logging, turning off RSA and host based authentication, requires passwords and a banner page and setting permissions of the config file to 0600

Warning: The second to the last line in this script changes permissions of the temp files it writes out to 0400 by referencing $tmpcis/*. If $tmpcis is not properly set, it will change permissions on the wrong files/directories recursively. Worse case would be not having $tmpcis set in which case your server will become unusable. You might want to remove this line and set the permissions manually to be safe.

You can download the shell script that makes these changes here: cis_script1_ssh.sh (2.6K).

Note: The default (and non-secure) warning banner was enabled by this step. We'll address modifying the banner in a future post.

The changes made here for the ssh server will not take effect until sshd is bounced. This is accomplished by running:

/etc/init.d/sshd stop

/etc/init.d/sshd start

Kevin Sheehan's Podcast on Secure Application Infrastructure & Federal Data Center Migration

2010-07-29T16:50:57-04:00

"The Federal Data Center Consolidation Initiative calls upon agencies to develop and implement plans for consolidating, streamlining and modernizing their datacenter operations. Based on his experience migrating mission-critical applications to new, state-of-the-art facilities, Agilex’ Kevin Sheehan shares important lessons learned for meeting this mandate by creating a more agile and secure infrastructure. A key focus is in the use of standard configurations and common platforms to streamline the certification & accreditation process while improving application security and reliability. He also weighs the pros and cons of emerging technologies, such as virtualization and Oracle Exadata." ¹

You can find the Agilex Podcast here.

¹ Agilex Technologies Podcast (July 26, 2010), viewed July 29, 2010, http://agilex.podbean.com/2010/07/26/migrating-to-more-secure-and-agile-application-infrastructure-with-agilex’-kevin-sheehan/

Securing Oracle Enterprise Linux - Part 3 - Preparation

2010-07-11T17:51:55-04:00

This is the third in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.

In Part 1 we reviewed a secure partitioning strategy and in Part 2 we performed a minimal install. In Part 3 we will perform some housekeeping prior to beginning the hardening process.

A Word of Caution

Backing up the server
Reviewing the content of all scripts before running them
Testing the actions on a non-production server

Secure /tmp

In order to prevent hard links within /var, remove /var/tmp and recreate it as a symbolic link to /tmp as follows as root:

rm -rf /var/tmp

ln -s /tmp /var/tmp

Create Restore Script

CIS provides a a script called do-backup.sh. When executed, this script will create backups of all the configuration files and directories it may change and then creates another script called do-restore.sh that, if needed, will restore all the files modified by the hardening procedures. Since this script simply creates another script and makes copies of files and directories it is very safe to run.

Copy do-backup-sh to /root as root and then execute:

./do-backup.sh

Note: As of this writing, CIS is no longer supplying the do-backup.sh script. Perhaps this is due to an error in the script that caused the ssh_config and sshd_config files to NOT be backed up due to a missing blank space between these two file names in the "FILE in" loop. That error is corrected in this version.

Install oracle-validated (Optional)

Chances are that if you are using OEL then you intend to install Oracle software on the server. If so, you'll want to install the Oracle Validated RPM as it contains the base updates required for most Oracle software installs. There are two ways to do this. If you are not an Unbreakable Linux Network (ULN) customer (i.e., you do not have a ULN support contract), then you can get the Oracle Validated RPM from http://oss.oracle.com/el5/oracle-validated. If you are a ULN customer, take the following steps:

Install the OEL public key by entering: rpm --import /usr/share/rhn/RPM-GPG-KEY
Enter: up2date
Select Next through the privacy statement.
Enter your ULN credentials and select Next.
After returning to the prompt, install the required prerequisite RPM, enter:up2date --install kernel-headers --force --verbose
Then install Oracle Validated by entering: up2date --install oracle-validated --verbose

WARNING: If you install oracle-validated, a new user, oracle, is created with password equal to oracle. You should change the password of the oracle account immediately after installing oracle-validated.

Patch Current

Run a scan of the OS to determine if any of the packages are out of date with respect to security patches. Any number of tools can be used of this. For this exercise, I used Nessus which can be downloaded for free (for home use only) at Tenable Network Security.

Of course, depending on your distribution and the timing of your scan, your results may differ but for OEL 5.5 using Nessus 4.4.2 with plugins updated on 7/11/2010, the following packages were found to be vulnerable:

xulrunner
perl
kernel
nspr
krb5-libs
sudo
cups
gnutls
pango

Install updates to all reported packages by running:

up2date --install <package_name> --verbose

Note that updates to the kernel may require specification of the --force option as well.

After applying all updates reboot the server and rescan to ensure no additional vulnerabilities are found. In my case a vulnerability in yelp was found on the second scan, updated, bounced and rescanned without issue.

Initial System Validation

Make sure the system is working properly before making any changes. CIS suggests running:

cd /var/log

egrep -i "(crit|alert|error|warn)" * | less

and then resolving any issues before continuing.

Securing Oracle Enterprise Linux - Part 2 - Minimal Install

2010-07-05T23:47:46-04:00

A default install of Oracle Enterprise Linux (OEL) comes with a lot of packages you would not want on a secure production server. So how do you create a minimal install of OEL? Turns out it's pretty easy.

It should be noted that once completed, the server will have very little capability and will need additional packages installed depending on what other software will be installed on the server. This is how it should be. Start with the minimum and then only add what is needed.

Boot the server from the OEL 5.5 ISO DVD and choose the GUI installation.
Select language and click Next.
Select keyboard and click Next.
Select Install Enterprise Linux and click Next.
Click the check box labeled "Review and modify partitioning layout" and click Next.
Click Yes on the warning box if prompted to overwrite existing partitions.
Add the partitions suggested in Securing Oracle Enterprise Linux - Part 1 - Partitioning Strategy using sizes appropriate for your environment and then click Next.
Select the boot loader options you want and then click Next.
Select your network settings and then click Next.
Select your time zone and then click Next.
Provide the root password, confirm it and then click Next.
On the install window that asks which additional functionality to install (Software Development, Web Server, Clustering and Storage Clustering), no not select any of the boxes.
On the same window, select the Customize Now radio button and select Next.
Select Base System in the left-hand column and then deselect everything in the right-hand column, except Base.
For each of the other entries in the left hand column (Desktop Environments, Applications, etc.) deselect everything in the right-hand column and then click Next.
One final click of Next will format the file systems and install the OS.
When complete, you are prompted to remove the install media and reboot.
On first boot, you are presented with the Setup Agent screen to configure Authentication, Firewall, Network, System Services and Timezone. For now, just exit out. If you need to run this later, you can run /usr/bin/setup.

After the install completes and the system reboots, you are left with an extremely minimal Linux install. The next step is to configure access to Unbreakable Linux Network (ULN) support (assuming you have a ULN support contract). If you are a ULN customer, take the following steps:

On your new, rebooted OEL server, install the OEL public key by entering: rpm --import /usr/share/rhn/RPM-GPG-KEY
Enter: up2date
Select Next through the privacy statement.
Enter your ULN credentials and select Next.

That's it! Is it secure? Heck no, we have not hardened the OS as yet. It is a good first step however.

Securing Oracle Enterprise Linux - Part 1 - Partitioning Strategy

2010-07-05T16:52:50-04:00

This is the first in a series of posts that describe how to secure Oracle Enterprise Linux. These posts are based on the Center for Internet Security Secure Base Line for Red Hat Enterprise Linux 5 but have been verified against Oracle Enterprise Linux (OEL) 5.5. You can download OEL here.

How you implement a disk partitioning strategy is largely based on how the server will be used. In this post we'ere not going to cover every possible use case but rather focus only on the security aspects of the base OS install instead.

A default install of OEL, you get two mount points (plus of course shared memory /dev/shm):

/ -> The root directory
/boot -> The boot partition

This means that by default all OS-related directories fall under the root directory. Remember that availability is part of security and therefore it is better to establish separate partitions for the following so that running out of space in one does not impact the other partitions:

/home -> Container for all non-root user home directories
/tmp -> Container for temporary storage
/var -> Container for application logs
/var/log/audit -> Container for audit logs
-> Container for virtual memory

As separate partitions, mount options can be used to limit permissions and for /home to impose quota. While swap can be implemented as a file, a partition is recommended for performance reasons.