Securing and Hardening Oracle Enterprise Linux 5.1
This document provides instructions for hardening the security of an Oracle Enterprise Linux server.
Prerequisites:
· Oracle Enterprise Linux is installed as instructed in the Oracle Enterprise Linux 5.1 Installation document.
The Oracle Enterprise Linux installer installs only the components required for the Oracle database, and many network services such as ftp, telnet and rsh are disabled by default. This document is not a comprehensive guide to securing a Linux environment; it documents post-installation configuration that can be done to further harden Oracle Enterprise Linux.
Each user of the system should have their own account to log in to the server. A user who needs to perform tasks as root should su to the root account from that personal account. This way there is an audit trail linking every root session to a named login.
To disable root login over ssh, set the following in /etc/ssh/sshd_config (sshd uses the first uncommented occurrence of a keyword, so edit the existing PermitRootLogin line rather than appending a second one at the end of the file):
PermitRootLogin no
Check the configuration syntax and restart the sshd daemon:
/usr/sbin/sshd -t
/etc/init.d/sshd restart
Keep your current session open and confirm from a second terminal that ssh root@<server> is refused while a normal user can still log in.
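A quick way to confirm what sshd will actually enforce is to read the configuration the way sshd does. The script below is an added example (not part of the original document): it prints the effective value of a keyword by taking the first uncommented occurrence and ignoring anything after a Match block, then checks PermitRootLogin against the expected setting. The sample configuration it writes is constructed for the demonstration, and the check_root_login and sshd_effective names are the example's own.

```shell
#!/bin/sh
# Added example: report the value sshd will actually use for a keyword.
# sshd_config(5): "For each keyword, the first obtained value will be used."
# So a "PermitRootLogin no" appended at the end of the file does nothing
# if an uncommented "PermitRootLogin yes" appears earlier. Keywords are
# case-insensitive; settings below a "Match" line are conditional, not global.

# Write a CONSTRUCTED sample file (not a real server's config) to $1.
# The commented-out line is ignored, the lowercase "yes" wins, and the
# later "no" is never consulted.
write_sample_config() {
    cat > "$1" <<'EOF'
# Sample sshd_config for the demo
Port 22
#PermitRootLogin no
permitrootlogin yes
Protocol 2
PermitRootLogin no
Match User backup
    PermitRootLogin without-password
EOF
}

# sshd_effective FILE KEYWORD -> prints the global value, or "unset".
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        NF == 0 || $1 ~ /^#/   { next }                  # blank or comment
        tolower($1) == "match" { exit }                  # conditional block starts
        tolower($1) == key     { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_root_login FILE -> 0 only if PermitRootLogin is effectively "no".
check_root_login() {
    v=$(sshd_effective "$1" PermitRootLogin)
    case "$v" in
        no)    echo "OK: PermitRootLogin no"; return 0 ;;
        unset) echo "FAIL: PermitRootLogin unset (OpenSSH 4.x default is yes)"; return 1 ;;
        *)     echo "FAIL: PermitRootLogin is '$v'"; return 1 ;;
    esac
}

# Demo on the constructed sample, then on the real file if it is readable.
sample=$(mktemp)
write_sample_config "$sample"
check_root_login "$sample" || :
rm -f "$sample"
if [ -r /etc/ssh/sshd_config ]; then
    check_root_login /etc/ssh/sshd_config || :
fi
```

On a real host the last block is the check to run after editing: it prints FAIL if the edit landed after an earlier uncommented PermitRootLogin line, which is exactly the case sshd -t does not warn about.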
Password aging should apply only to personal user accounts, not to the account used by Oracle.
The following files and parameters in the table are used when a new account is created with the useradd command. These settings are recorded for each user account in the /etc/shadow file. Therefore, make sure to configure the following parameters before you create any user accounts using the useradd command:
Config File | Parameter | Value | Description |
/etc/login.defs | PASS_MAX_DAYS | 60 | Maximum number of days a password is valid. |
/etc/login.defs | PASS_MIN_DAYS | 7 | Minimum number of days before a user can change the password since the last change. |
/etc/login.defs | PASS_MIN_LEN | n/a | This parameter does not work. It is superseded by the PAM module 'pam_cracklib'. |
/etc/login.defs | PASS_WARN_AGE | 7 | Number of days when the password change reminder starts. |
/etc/default/useradd | INACTIVE | 14 | Number of days after password expiration that account is disabled. |
/etc/default/useradd | EXPIRE | | Account expiration date in the format YYYY-MM-DD. |
Ensure that the above parameters are changed in /etc/login.defs and /etc/default/useradd before any accounts are created.
When a user account is then created with useradd, these values are recorded in the corresponding fields of that user's /etc/shadow entry. Existing accounts are not updated retroactively; adjust them with chage (e.g. chage -M 60 -m 7 -W 7 -I 14 <user>) and verify with chage -l <user>.
The following password complexity rules are set: a minimum length of 8 characters (minlen=8), at least two digits (dcredit=-2), and no reuse of any of the last 26 passwords (remember=26).
To set up these restrictions, edit /etc/pam.d/system-auth and add the minlen=8 and dcredit=-2 arguments to the pam_cracklib line and remember=26 to the password pam_unix line, as shown below (the stock file already carries the other arguments). The remember option stores old password hashes in /etc/security/opasswd; create that file if it is missing and keep it readable by root only (touch /etc/security/opasswd; chmod 600 /etc/security/opasswd).
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-2
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=26
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
System and shared accounts should not be locked automatically after too many failed login or su attempts: locking the account the application runs under would cause an outage, and an attacker could trigger that lockout deliberately. Direct access to these accounts is disabled in the next section instead.
Other user accounts, however, will be locked after repeated failed login attempts.
Add the two pam_tally lines (one in the auth section, one in the account section) to /etc/pam.d/system-auth as shown below:
auth required pam_env.so
auth required pam_tally.so onerr=fail no_magic_root
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account required pam_tally.so per_user deny=5 no_magic_root reset
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-2
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=26
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
The first added line counts failed login and failed su attempts for each user; by default the counts are kept in /var/log/faillog.
The second added line locks an account automatically after 5 failed login or su attempts (deny=5). The counter is reset to 0 (reset) on a successful login as long as deny=n was not exceeded. System and shared accounts must not be subject to this lockout, since repeated failures against them, accidental or deliberate, would amount to a denial of service.
To exempt system and shared accounts from the deny=n parameter, add the per_user parameter to the module. The per_user parameter instructs the module NOT to use the deny=n limit for accounts where the maximum number of login failures is set explicitly.
Set the maximum number of login failures for the oracle account:
# faillog -u oracle -m -1
The faillog option '-m -1' removes the limit on the number of failed logins for that account.
Confirm the setting by running:
# faillog -u oracle
So that logins can be audited, direct login to the system account (root) and the shared account (oracle) is disabled. Every user logs in with their own account and then switches to the system or shared account.
In an Oracle RAC cluster, however, direct ssh logins to the oracle account must remain possible between the nodes for RAC to function. In that case the whole cluster is protected as a single entity against incoming ssh connections: direct oracle logins are permitted only from the other nodes of the cluster and refused from any host that is not part of it.
The following types of login are restricted using these configuration files:
- SSH (/etc/pam.d/sshd)
- Console Login (/etc/pam.d/login)
- Graphical Gnome Login (/etc/pam.d/gdm)
- or for all logins (/etc/pam.d/system-auth)
To accomplish this, add the pam_access module to the PAM configuration files listed above. In each file the line to add is 'account required pam_access.so', positioned as shown below.
For SSH Logins add the pam_access module to /etc/pam.d/sshd as follows:
auth include system-auth
account required pam_nologin.so
account required pam_access.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
For Console Logins add the pam_access module to /etc/pam.d/login as follows:
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required /lib/security/pam_limits.so
For Graphical Gnome Logins add the pam_access module to /etc/pam.d/gdm as follows:
auth required pam_env.so
auth include system-auth
account required pam_access.so
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session optional pam_console.so
Create the groups dbas and sas for DBAs and SAs; users in these groups will be allowed to log in to the server directly.
#groupadd dbas
#groupadd sas
Create SA and DBA accounts as required, e.g.:
#useradd -m -g dbas -G dba,sas -d /home/khanals -s /bin/bash khanals
#passwd khanals
Now add the following two lines to the /etc/security/access.conf configuration file (replace the server names with the names of your own nodes):
-:ALL EXCEPT sas dbas users oracle:ALL
-:oracle:ALL EXCEPT nycdb01.gotodba.com twnycld01 nycdb02.gotodba.com twnycld02
The /etc/security/access.conf configuration file is read by the pam_access module, and the first rule that matches is the one applied. The first entry denies login from anywhere (:ALL) to every account except members of the sas, dbas and users groups and the oracle user. Since pam_access has been configured in the account (authorization) phase of the PAM files above, direct logins for all other accounts are refused even with a valid password. Note that the entry also exempts the users group; if DBAs and SAs are the only people who should log in directly, remove users from that list.
The second entry allows direct logins to the oracle account only from the RAC nodes twnycld01 and twnycld02 and denies them from anywhere else. Each node is listed by both its short and its fully qualified name because pam_access compares the client host string it receives against the entries; sshd passes either the resolved hostname or the IP address depending on the UseDNS setting in sshd_config. Test a direct oracle login from each node (and from a host that is not a member, which must be refused) before relying on this rule, and add the node IP addresses if that is the form that arrives.
NOTE:
In Oracle Enterprise Linux pam_access is already configured for crond:
#grep pam_access /etc/pam.d/*
/etc/pam.d/crond:account required pam_access.so
This means that the above entries in /etc/security/access.conf would also stop the cron jobs of every other user from running, because crond performs a PAM account check for the job owner.
To ensure that all users on the system can still run cron jobs, point pam_access in /etc/pam.d/crond at a separate file:
account required pam_access.so accessfile=/etc/security/access-cron.conf
This ensures that /etc/security/access.conf is not consulted by crond. Because pam_access denies access when its configuration file does not exist, create an empty one (an empty file permits everything):
#touch /etc/security/access-cron.conf
su access will be granted as follows: members of the sas group may su to root and to oracle, and members of the dbas group may su to oracle only. Nobody else may su to these accounts, even with the correct password.
Add the three authentication lines (the two pam_stack lines and the final pam_deny line) to /etc/pam.d/su as shown below:
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the 'wheel' group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the 'wheel' group.
#auth required pam_wheel.so use_uid
auth include system-auth
auth sufficient pam_stack.so service=su-root-members
auth sufficient pam_stack.so service=su-other-members
auth required pam_deny.so
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
These additional authentication lines specify that nobody can su to any account unless at least one of the PAM services su-root-members or su-other-members returns Success. (pam_stack is deprecated in Oracle Enterprise Linux 5 in favour of the include directive, but include cannot carry its own control flag, which is why pam_stack is still used here; check that pam_stack.so exists under /lib/security, or /lib64/security on x86_64, before relying on this configuration.)
The control flag sufficient means that a Success from one of these services bypasses the remaining authentication modules and overall Success is returned for the authentication part; a Failure from a sufficient module is simply ignored and the next module is tried. If both PAM services fail, the last authentication module, pam_deny, is invoked; it denies every request, so the authentication part of the su command fails.
Next the new authentication PAM service configuration files /etc/pam.d/su-root-members and /etc/pam.d/su-other-members need to be created.
Create /etc/pam.d/su-root-members file referenced in /etc/pam.d/su as:
auth required pam_wheel.so use_uid group=sas
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-sas-access
Create the /etc/security/su-sas-access file referenced in /etc/pam.d/su-root-members with the following content:
root
oracle
The control flag required, specified for both modules, means that both have to return Success; otherwise this PAM service returns Failure to the 'su' PAM service configured in /etc/pam.d/su. The first line returns Success only if the calling user (use_uid) is a member of the sas group.
The second line allows access (sense=allow) only to the target users listed in /etc/security/su-sas-access, root and oracle; these are the only users that will be accepted as the user argument to su. The item=user argument tells pam_listfile that the entries in /etc/security/su-sas-access are usernames. If an error occurs, such as an unreadable configuration file, access is denied (onerr=fail).
NOTE: Once su access to root is working for users in the sas group, do not change /etc/pam.d/su-root-members again. A mistake in this file could revoke root access for every user on the system, so test any change from a second session while keeping a root shell open.
/etc/pam.d/su-other-members is used for the non-root targets, including the dbas group.
Create /etc/pam.d/su-other-members file referenced in /etc/pam.d/su as:
auth sufficient pam_stack.so service=su-oracle-members
auth required pam_deny.so
If the su-oracle-members PAM service returns Success, Success is returned to the 'su' PAM service configured in /etc/pam.d/su. Otherwise the last module, pam_deny, is invoked; it denies the request and the authentication fails.
Next the PAM service su-oracle-members has to be created.
The file /etc/pam.d/su-oracle-members referenced in /etc/pam.d/su-other-members should read:
auth required pam_wheel.so use_uid group=dbas
auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-dbas-access
The file /etc/security/su-dbas-access referenced in /etc/pam.d/su-oracle-members should read:
oracle
Now verify from a second session (keeping a root shell open in case of a mistake) that an sas member can su to root and to oracle, that a dbas member can su to oracle but not to root, and that no other user can su to any of these accounts even with the correct password. Failed attempts are counted by pam_tally, so check faillog -u <testuser> afterwards and reset the counter with faillog -u <testuser> -r when done.
Configure Screensaver Locking
The default setup of /etc/pam.d/system-auth, with pam_tally added as above, causes a problem with the screensaver: once the console screen is locked you cannot unlock it even with the correct password. The bug is documented in
http://kbase.redhat.com/faq/FAQ_85_10737.shtm
The cause is that the pam_tally module tries to write to /var/log/faillog when the screensaver authenticates, and the screensaver, which runs as the user, has no permission to do so.
To work around the problem, create a new file /etc/pam.d/xscreensaver, copy the auth section of /etc/pam.d/system-auth into it, and comment out the pam_tally line in that copy. Leave the pam_tally line in /etc/pam.d/system-auth itself in place; commenting it out there would disable the lockout configured earlier for every service.
Disabling Nonessential Services
Linux by default has a number of services available. You should run only those that are really required; every running non-essential service is additional attack surface. The basic services that typically need to be enabled on a Linux machine are:
·gpm [provides mouse support on virtual terminals]
[root@twnycld01 /]# chkconfig --list | grep ':on'
acpid 0:off 1:off 2:off 3:on 4:on 5:on 6:off
anacron 0:off 1:off 2:on 3:on 4:on 5:on 6:off
atd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
auditd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
autofs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
avahi-daemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
bluetooth 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cpuspeed 0:off 1:on 2:on 3:on 4:on 5:on 6:off
crond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
cups 0:off 1:off 2:on 3:on 4:on 5:on 6:off
firstboot 0:off 1:off 2:off 3:on 4:off 5:on 6:off
gpm 0:off 1:off 2:on 3:on 4:on 5:on 6:off
haldaemon 0:off 1:off 2:off 3:on 4:on 5:on 6:off
hidd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
hplip 0:off 1:off 2:on 3:on 4:on 5:on 6:off
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
irqbalance 0:off 1:off 2:on 3:on 4:on 5:on 6:off
isdn 0:off 1:off 2:on 3:on 4:on 5:on 6:off
kudzu 0:off 1:off 2:off 3:on 4:on 5:on 6:off
lvm2-monitor 0:off 1:on 2:on 3:on 4:on 5:on 6:off
mcstrans 0:off 1:off 2:on 3:on 4:on 5:on 6:off
mdmonitor 0:off 1:off 2:on 3:on 4:on 5:on 6:off
messagebus 0:off 1:off 2:off 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
netfs 0:off 1:off 2:off 3:on 4:on 5:on 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
nfslock 0:off 1:off 2:off 3:on 4:on 5:on 6:off
nqmdaemon 0:off 1:off 2:on 3:on 4:on 5:on 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
readahead_early 0:off 1:off 2:on 3:on 4:on 5:on 6:off
readahead_later 0:off 1:off 2:off 3:off 4:off 5:on 6:off
restorecond 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rhnsd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
rpcgssd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rpcidmapd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
sendmail 0:off 1:off 2:on 3:on 4:on 5:on 6:off
setroubleshoot 0:off 1:off 2:off 3:on 4:on 5:on 6:off
smartd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
syslog 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sysstat 0:off 1:off 2:on 3:on 4:off 5:on 6:off
xfs 0:off 1:off 2:on 3:on 4:on 5:on 6:off
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
yum-updatesd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
bpcd: on
bpjava-msvc: on
vnetd: on
vopied: on
Disable the services that are not needed on a database server; the table below describes each entry of the listing above so that the decision can be made per service.
Service Description
acpid Advanced Configuration and Power Interface event daemon
atd runs jobs queued by at
auditd userspace component of the Linux Auditing System
autofs controls the operation of the automount daemons
avahi-daemon Avahi mDNS/DNS-SD daemon
bluetooth the core of Bluetooth
crond daemon to execute scheduled commands
cups needed only if CUPS is used for printing
firstboot runs the first-boot configuration wizard; not needed after the first boot
gpm mouse server for virtual consoles
hidd Bluetooth HID daemon
ip6tables IPv6 packet filter administration
iptables administration tool for IPv4 packet filtering and NAT
isdn needed only if ISDN is being used
kudzu detects and configures new and/or changed hardware on a system
lvm2-monitor monitors LVM2 mirror and snapshot volumes via dmeventd
mcstrans SELinux MCS/MLS security context translation daemon
mdmonitor needed only if software RAID is being used
netconsole sends kernel console messages to a remote host over the network
netfs needed only if there are NFS shares that should be mounted at boot time
network important for starting network interfaces
nfslock needed only if NFS shares are mounted
nqmdaemon
pcscd PC/SC Smart Card Daemon
portmap server that converts RPC program numbers into DARPA protocol port numbers; it must be running in order to make RPC calls and is required by NFS clients
readahead_early preloads files into the page cache early in the boot sequence to speed up booting
readahead_later preloads files into the page cache late in the boot sequence to speed up booting
rpcgssd RPCSEC_GSS client daemon for NFSv4 (Kerberos-secured NFS)
rpcidmapd NFSv4 user and group ID mapping daemon
sendmail an electronic mail transport agent
setroubleshoot SELinux troubleshooting daemon that analyses AVC denials
smartd daemon that monitors the Self-Monitoring, Analysis and Reporting Technology (SMART) system built into many ATA-3 and later ATA, IDE and SCSI-3 hard drives; SMART monitors drive reliability, predicts drive failures and runs drive self-tests
sshd OpenSSH SSH daemon
syslog important for syslog services
sysstat needed to reset system statistics logs
xinetd starts programs that provide Internet services
bpcd: used by Veritas NetBackup
bpjava-msvc: used by Veritas NetBackup
vnetd: used by Veritas NetBackup
vopied: used by Veritas NetBackup
Disable each unneeded service with chkconfig <service> off (this also handles the xinetd-managed NetBackup entries) and stop the running daemon with service <service> stop. Re-run chkconfig --list | grep ':on' afterwards to confirm the result.
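Since the colour marking of the original listing is lost, the script below, an added example rather than part of the original document, shows how to turn chkconfig --list output into the commands to run: it parses both the SysV runlevel lines and the xinetd section, keeps everything on an allowlist, and prints chkconfig/service commands for the rest as a dry run. The allowlist and the sample listing are assumptions constructed for the demonstration; the document does not state the exact set of services to keep, so adjust ALLOWLIST to your environment before using the output.

```shell
#!/bin/sh
# Added example: derive "disable" commands from `chkconfig --list` output.
# ALLOWLIST is an ASSUMPTION for the demo (services a database server is
# likely to need); review it before using the output on a real host.
ALLOWLIST="auditd crond iptables ip6tables irqbalance lvm2-monitor network sshd syslog sysstat"

# Write a CONSTRUCTED listing in the format of `chkconfig --list` to $1.
write_sample_listing() {
    cat > "$1" <<'EOF'
acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        bpcd:   on
        echo:   off
        vnetd:  on
EOF
}

# enabled_services FILE -> lines "sysv NAME" (on in runlevel 3 or 5)
#                          and "xinetd NAME" (xinetd entry set to on)
enabled_services() {
    awk '
        /^xinetd based services:/ { inx = 1; next }
        inx && NF >= 2 {                          # "        name:   on"
            name = $1; sub(/:$/, "", name)
            if ($2 == "on") print "xinetd", name
            next
        }
        NF == 8 && ($5 == "3:on" || $7 == "5:on") { print "sysv", $1 }
    ' "$1"
}

# services_to_disable FILE -> enabled services that are not on ALLOWLIST
services_to_disable() {
    enabled_services "$1" | while read -r kind name; do
        case " $ALLOWLIST " in
            *" $name "*) ;;                       # needed: keep it
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# disable_commands FILE -> dry-run commands. chkconfig turns off both SysV
# scripts and xinetd entries (for the latter it edits /etc/xinetd.d/NAME and
# reloads xinetd), so it is used for both; running SysV daemons are also
# stopped explicitly, since chkconfig only changes what starts at boot.
disable_commands() {
    services_to_disable "$1" | while read -r name; do
        printf 'chkconfig %s off\n' "$name"
        if enabled_services "$1" | grep -q "^sysv $name\$"; then
            printf 'service %s stop\n' "$name"
        fi
    done
}

# Demo: print the commands for the constructed listing (nothing is changed).
listing=$(mktemp)
write_sample_listing "$listing"
disable_commands "$listing"
rm -f "$listing"
```

On a real host, save the listing with chkconfig --list > /tmp/services.txt, review the output of disable_commands /tmp/services.txt, and only then pipe it to sh.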
Secure sendmail
The server sends e-mail to administrators using SMTP. For this we do not need a full-featured sendmail server: it is not necessary to accept or process incoming mail, only to hand outgoing messages to a mail submission agent.
1. Configure the sendmail client to use a mail submission agent.
Edit /etc/mail/submit.mc to define the Mail Submission Agent server:
FEATURE(`msp', `smtp.gotodba.com')dnl
2. Rebuild submit.cf (this needs the sendmail-cf package to be installed):
# cd /etc/mail
# make submit.cf
3. Stop sendmail from listening for incoming connections by setting the following in /etc/sysconfig/sendmail (the init script then starts only the client queue runner), and restart sendmail:
DAEMON=no
# service sendmail restart
Afterwards netstat -tln should show nothing listening on port 25, and a test message (e.g. echo test | mail -s test <admin address>) should still be delivered through the MSA.
Appendix A
Reference: Securing and Hardening Red Hat Linux Production Systems
Mounting Partitions Securely
This is for reference only and is not implemented for Data warehouse environment.
Linux allows multiple options while mounting the file system. The correct option while mounting helps increase the system security manifold. The various options that are available while mounting are:
· nosuid: Ignore the SUID/SGID bits of executables on this partition.
· noexec: Do not allow execution of any binaries on this partition.
· ro: Allow read-only access to the partition.
· rw: Allow read–write access to the partition.
The options for mounting the file systems are defined in the /etc/fstab file. On a production server, directories such as /home, /tmp, /var, and /boot should be mounted with the nosuid and noexec options. Once the system is properly installed, you probably won't be writing to the / and /usr directories, so they can be mounted read-only to increase security. A sample /etc/fstab is shown below. Two cautions before applying this to an Oracle server: a read-only / or /usr must be remounted read-write (mount -o remount,rw /usr) before package updates, and noexec on /tmp breaks the Oracle Universal Installer, which extracts and runs its bundled JRE from /tmp; point TMP and TMPDIR at a directory that allows execution for the duration of an install, or leave noexec off /tmp.
/dev/hda1 / ext3 defaults,ro 0 1
/dev/hda4 /usr ext3 defaults,ro 0 2
/dev/hda2 /home ext3 defaults,nosuid,noexec 0 2
/dev/hda3 /tmp ext3 defaults,nosuid,noexec 0 2
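A check that the intended options are really present on the mount points that matter, added here as an example and not part of the referenced guide: it reads an fstab, looks up the options field for a mount point and reports any recommended option that is missing. The fstab it writes is constructed for the demonstration (with /tmp deliberately lacking noexec), and the function names are the example's own.

```shell
#!/bin/sh
# Added example: check that an fstab gives the recommended mount options to
# the partitions named in the appendix. The fstab written below is
# CONSTRUCTED for the demonstration; /tmp is left without noexec on purpose.

write_sample_fstab() {
    cat > "$1" <<'EOF'
# device     mountpoint  type   options                  dump pass
/dev/hda1    /           ext3   defaults,ro              0 1
/dev/hda4    /usr        ext3   defaults,ro              0 2
/dev/hda2    /home       ext3   defaults,nosuid,noexec   0 2
/dev/hda3    /tmp        ext3   defaults,nosuid          0 2
tmpfs        /dev/shm    tmpfs  defaults                 0 0
EOF
}

# fstab_options FSTAB MOUNTPOINT -> prints the options field (empty if absent)
fstab_options() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# has_option OPTIONS NAME -> true if NAME is one of the comma-separated OPTIONS
# (a whole-token match, so "noexec" does not satisfy a check for "exec")
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount FSTAB MOUNTPOINT OPTION... -> reports each missing option;
# returns 1 if any is missing or the mount point is not in the file
check_mount() {
    fstab=$1; mp=$2; shift 2
    opts=$(fstab_options "$fstab" "$mp")
    if [ -z "$opts" ]; then
        echo "$mp: not in fstab"
        return 1
    fi
    rc=0
    for want in "$@"; do
        if ! has_option "$opts" "$want"; then
            echo "$mp: missing $want (has: $opts)"
            rc=1
        fi
    done
    if [ $rc -eq 0 ]; then echo "$mp: ok"; fi
    return $rc
}

# Demo against the constructed file.
sample=$(mktemp)
write_sample_fstab "$sample"
check_mount "$sample" /home nosuid noexec || :
check_mount "$sample" /tmp  nosuid noexec || :
check_mount "$sample" /usr  ro            || :
check_mount "$sample" /var  nosuid noexec || :
rm -f "$sample"
```

fstab only says what will be mounted at the next boot; to confirm what is in effect now, compare with the options shown by mount for the same mount point.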
Securing Various Servers
For reference only.
Although it is not possible to go into the details of securing various servers such as Apache, DNS, Samba, wu-ftpd or proftpd, and Sendmail, I will briefly outline certain generic guidelines that will help you increase the security of these servers and your production system:
· Run these servers in a chroot environment.
· If possible, run these servers as a specific unprivileged user instead of root. For example, run Apache as user nobody instead of root. This limits the damage if the Apache server is compromised through a buffer overflow attack.
· Quite a few of these servers allow users to define access control lists (ACLs). Use ACLs to increase the security of your server.
· Enable logging.
Security tools
This article concludes with a list of security tools systems administrators will find useful to increase the security of their systems. One of the most important tools is Bastille Linux, a set of Perl scripts, which attempts to carry out automated hardening of a Linux system. It is comprehensive, instructive, and user friendly. Download and install the correct version for your system from the URL: http://www.bastille-linux.org/ . Bastille runs in an interactive mode and covers various aspects of Linux hardening, such as:
· Configuring the firewall and setting proper file permissions (including setting the SUID bit).
· Setting up account security, including disabling the dangerous r-protocols (rlogin, rsh, rexec, etc.) and enabling password aging.
· Restricting and deactivating superfluous services as well as configuring various aspects of boot security.
· Disabling certain user tools, configuring PAM (pluggable authentication module), and enabling additional logging.
· Downloading latest security patches.
· Securing various services, such as SSH (Secure Shell), Sendmail, Apache, Line Printer, FTP, and DNS.