Securing and Hardening Oracle Enterprise Linux 5

Securing and Hardening Oracle Enterprise Linux 5.1

 

 

This document provides instructions on hardening the security of an Oracle Enterprise Linux server.

 

Prerequisites:

 

·         Oracle Enterprise Linux is installed as instructed in the Oracle Enterprise Linux 5.1 Installation document.

 

The Oracle Enterprise Linux installer installs only the components required for the Oracle database, and many services such as ftp, telnet and rsh are disabled by default. This document is not a comprehensive guide to securing a Linux environment; it documents the post-installation configuration that can be done to further harden the security of Oracle Enterprise Linux.

 

Securing SSH

 

Each user in the system should have their own account to log in to the server. If a user needs to perform tasks as root, they can su to the root account. This way there will be an audit trail of logins.

 

To disable root login over an ssh session, change the following line in /etc/ssh/sshd_config:

 

PermitRootLogin no

 

Restart the sshd daemon:

 

/etc/init.d/sshd restart

 

Enabling Password Aging

 

Password aging should apply only to user passwords, not to the account used by Oracle.
 

The files and parameters in the following table are used when a new account is created with the useradd command. These settings are recorded for each user account in the /etc/shadow file. Therefore, make sure to configure the following parameters before you create any user accounts using the useradd command:

Config File            Parameter       Value    Description
/etc/login.defs        PASS_MAX_DAYS   60       Maximum number of days a password is valid.
/etc/login.defs        PASS_MIN_DAYS   7        Minimum number of days before a user can change the password again after the last change.
/etc/login.defs        PASS_MIN_LEN    n/a      This parameter does not work. It is superseded by the PAM module 'pam_cracklib'.
/etc/login.defs        PASS_WARN_AGE   7        Number of days before expiry that the password change reminder starts.
/etc/default/useradd   INACTIVE        14       Number of days after password expiration that the account is disabled.
/etc/default/useradd   EXPIRE          (empty)  Account expiration date in the format YYYY-MM-DD.


Ensure that the above parameters are changed in the /etc/login.defs and /etc/default/useradd files.

When a user account is created using the useradd command, the parameters listed in the above table are recorded in the /etc/shadow file in the following fields:

 

:::PASS_MIN_DAYS:PASS_MAX_DAYS:PASS_WARN_AGE:INACTIVE:EXPIRE:
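As an added example (not part of the original document), the following shell functions make the sshd_config edit from the previous section and the login.defs/useradd edits above repeatable and verifiable: set_directive rewrites the active line for a key (replacing a commented-out default such as "#PermitRootLogin yes" when there is no active line, and appending otherwise), get_directive reads the active value back, and shadow_aging prints the aging fields that useradd recorded for one account. The file paths in the usage comments are assumptions about a live system; the test data the functions are exercised with is constructed.

```shell
#!/bin/sh
# Added example: idempotent edits for whitespace- or "="-separated config
# files (sshd_config, login.defs, /etc/default/useradd) and a reader for the
# aging fields in /etc/shadow. KEY must be a plain identifier and VALUE must
# not contain "|" or "&" (they are used literally in the sed replacement).

# set_directive FILE KEY VALUE [SEP]
# Replaces the first active "KEY..." line with "KEY<SEP>VALUE". If no active
# line exists but a commented default "#KEY ..." does (the sshd_config
# convention), that line is replaced; otherwise the setting is appended.
# sshd honours the first occurrence of a keyword, so an appended line must
# not land inside a trailing Match block; check the file if it has one.
set_directive() {
    file=$1; key=$2; value=$3; sep=${4:- }
    if grep -q "^[[:space:]]*$key[[:space:]=]" "$file"; then
        pat="^[[:space:]]*$key[[:space:]=]"
    elif grep -q "^#$key[[:space:]=]" "$file"; then
        pat="^#$key[[:space:]=]"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
        return 0
    fi
    # line number of the first match, then rewrite only that line
    n=$(grep -n "$pat" "$file" | head -n 1 | cut -d: -f1)
    sed "${n}s|.*|$key$sep$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# get_directive FILE KEY: print the value of the first active KEY line
# (commented lines never match because "#" is glued to the first field)
get_directive() {
    awk -F '[ \t=]+' -v k="$2" '{
        i = ($1 == "") ? 2 : 1          # regex FS leaves an empty $1 after leading blanks
        if ($i == k) { print $(i + 1); exit }
    }' "$1"
}

# shadow_aging USER SHADOWFILE: the aging fields useradd recorded, i.e.
# fields 4-8 of the /etc/shadow line (min:max:warn:inactive:expire)
shadow_aging() {
    awk -F: -v u="$1" '$1 == u {
        printf "min=%s max=%s warn=%s inactive=%s expire=%s\n", $4, $5, $6, $7, $8
    }' "$2"
}

# Usage on a live system (assumed paths), with the restart the text calls for:
#   set_directive /etc/ssh/sshd_config PermitRootLogin no && /etc/init.d/sshd restart
#   set_directive /etc/login.defs PASS_MAX_DAYS 60
#   set_directive /etc/login.defs PASS_MIN_DAYS 7
#   set_directive /etc/login.defs PASS_WARN_AGE 7
#   set_directive /etc/default/useradd INACTIVE 14 =     # this file uses KEY=VALUE
#   shadow_aging khanals /etc/shadow
```

Run the functions against a copy of each file first; get_directive on the copy confirms the setting took effect before the live file is touched.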

 

Enforcing Stronger Passwords

 

The following password complexity is set:

-        Minimum length of password must be 8

-        Minimum number of digits must be 2

-        Maximum of 3 password retries

-        Remember last 26 passwords

To set up these password restrictions, edit the /etc/pam.d/system-auth file and add or change the arguments shown below: retry=3 minlen=8 dcredit=-2 on pam_cracklib (a negative dcredit value requires at least that many digits) and remember=26 on pam_unix:

 

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
 
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-2
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=26
password    required      pam_deny.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
 

Locking User Accounts after Too Many Login Failures

 

System and shared accounts should not be locked automatically after too many failed login or su attempts, because an application's account being locked due to login failures could cause an outage. Direct access to these accounts will instead be disabled in the next section.
 

Other user accounts, however, will be locked after repeated failed login attempts.

Add the following two pam_tally lines to the /etc/pam.d/system-auth file as shown below:

 

auth        required      pam_env.so
auth        required      pam_tally.so onerr=fail no_magic_root
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
 
account     required      pam_unix.so
account     required      pam_tally.so per_user deny=5 no_magic_root reset
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
 
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-2
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=26
password    required      pam_deny.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
 
 
The first added line counts failed login and failed su attempts for each user. Failed attempts are recorded by default in /var/log/faillog.

The second added line locks accounts automatically after 5 failed login or su attempts (deny=5). The counter is reset to 0 (reset) on a successful login if deny=n was not exceeded. But you do not want system or shared accounts to be locked after too many login failures, since anyone could then lock them deliberately (a denial of service attack).
 
To exempt system and shared accounts from the deny=n parameter, add the per_user parameter to the module. The per_user parameter instructs the module NOT to use the deny=n limit for accounts where the maximum number of login failures is set explicitly. 
 
Set the maximum number of login failures for the oracle account:
 

# faillog -u oracle -m -1

 
The faillog command with the option '-m -1' has the effect of not placing a limit on the number of failed logins.
 
Confirm the setting by running:
 

# faillog -u oracle

 

Restricting Direct Login Access for System and Shared Accounts

 
To audit user logins on the server, direct login using the system (root) and shared (oracle) accounts is disabled. All users should log in directly with their own account and then switch to the system or shared account.

However, for an Oracle RAC cluster direct ssh logins must be allowed for the oracle account for RAC to function. In such an environment the whole cluster has to be protected as a single entity against incoming ssh connections, i.e. direct oracle logins should not work from a node that is not part of the cluster.
 
The following types of logins will be restricted using the following configuration files:
- SSH                    (/etc/pam.d/sshd)
- Console login          (/etc/pam.d/login)
- Graphical Gnome login  (/etc/pam.d/gdm)
- or for all logins      (/etc/pam.d/system-auth)
 
To accomplish this goal we need to add the pam_access module to the PAM configuration files listed above.
 
Modify the files to add the pam_access lines shown below.

For SSH Logins add the pam_access module to /etc/pam.d/sshd as follows:
 
auth       include      system-auth
account    required     pam_nologin.so
account    required     pam_access.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
 
For Console Logins add the pam_access module to /etc/pam.d/login as follows: 
 
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_access.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
session required /lib/security/pam_limits.so
 
For Graphical Gnome Logins add the pam_access module to /etc/pam.d/gdm as follows: 
 
auth       required    pam_env.so
auth       include     system-auth
account    required    pam_access.so
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    optional    pam_keyinit.so force revoke
session    include     system-auth
session    required    pam_loginuid.so
session    optional    pam_console.so
 
Create the groups dbas and sas for DBAs and SAs; users in these groups will be allowed to log in to the server directly.
 

# groupadd dbas

# groupadd sas

 

Create sa and dba accounts as required, e.g.:
 

# useradd -m -g dbas -G dba,sas -d /home/khanals -s /bin/bash khanals

# passwd khanals

 
Now add the following line to the /etc/security/access.conf configuration file (replace server names with correct server names):

 

-:ALL EXCEPT sas dbas users oracle:ALL
-:oracle:ALL EXCEPT nycdb01.gotodba.com twnycld01 nycdb02.gotodba.com twnycld02
 
The /etc/security/access.conf configuration file is read by the pam_access module. The first entry specifies that no users are accepted except those in the dbas or sas groups or the oracle user. Since the pam_access module has been configured for authorization (account) in the above PAM configuration files, it denies direct logins for all other accounts.

The second entry restricts direct ssh logins for the oracle account to connections from the Oracle RAC nodes twnycld01 and twnycld02 (listed with their short and fully qualified names).

NOTE:

In Oracle Enterprise Linux pam_access is already configured for crond:
 

# grep pam_access /etc/pam.d/*

/etc/pam.d/crond:account    required   pam_access.so 
 
This means that the above entries in /etc/security/access.conf will stop cron from working. 
 
To ensure that all users on the system can still run cron jobs you can add the following argument to pam_access in /etc/pam.d/crond: 
 
account    required   pam_access.so accessfile=/etc/security/access-cron.conf
 
This ensures that the /etc/security/access.conf configuration file is not used by crond. Since pam_access denies access if its configuration file does not exist, execute the following command to create an empty file:
 

# touch /etc/security/access-cron.conf
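To see how pam_access evaluates the two access.conf entries above (and why the crond entry breaks cron jobs), here is an added shell model of its first-match rule. It is an illustration written for this page, not pam_access code: each line is permission:users:origins, the first line whose users field and origins field both match decides, and no match means the login is permitted. A user matches a users-field item by name or by group name, ALL matches anything and ALL EXCEPT inverts the list. Origins are compared as plain host-name strings, a simplification of the real module, which also matches addresses, networks, ttys and the LOCAL keyword. The group memberships and the host name "laptop" used in the examples are constructed; the rule file contents are the document's own.

```shell
#!/bin/sh
# Added example: a shell model of pam_access evaluation of
# /etc/security/access.conf (illustration for this page, not pam_access code).

# name_in_list "candidates" "items": 0 if any candidate equals any item
name_in_list() {
    for c in $1; do
        for i in $2; do
            [ "$c" = "$i" ] && return 0
        done
    done
    return 1
}

# field_match "candidates" "field": handles ALL, "ALL EXCEPT a b", and plain lists
field_match() {
    cands=$1; field=$2; except="ALL EXCEPT "
    case "$field" in
        "$except"*)
            name_in_list "$cands" "${field#"$except"}" && return 1
            return 0 ;;
        ALL) return 0 ;;
        *)   name_in_list "$cands" "$field" && return 0
             return 1 ;;
    esac
}

# access_check USER "GROUPS" ORIGIN RULEFILE: prints allow or deny.
# The user's candidates are the user name plus every group name, so a member
# of group "users" passes the first rule just as members of sas or dbas do.
access_check() {
    user=$1; groups=$2; origin=$3; rules=$4
    while IFS=: read -r perm users origins; do
        case "$perm" in ''|'#'*) continue ;; esac
        field_match "$user $groups" "$users" || continue
        field_match "$origin" "$origins"     || continue
        case "$perm" in
            +) echo allow ;;
            -) echo deny ;;
        esac
        return 0
    done < "$rules"
    echo allow    # no rule matched: pam_access lets the login proceed
}

# The two entries from the text, written to the path given as $1
write_sample_rules() {
    cat > "$1" <<'EOF'
-:ALL EXCEPT sas dbas users oracle:ALL
-:oracle:ALL EXCEPT nycdb01.gotodba.com twnycld01 nycdb02.gotodba.com twnycld02
EOF
}

# Example (group memberships and the host "laptop" are constructed):
#   write_sample_rules /tmp/access.conf.test
#   access_check khanals "dbas dba" laptop    /tmp/access.conf.test   # allow
#   access_check oracle  "dba"      twnycld01 /tmp/access.conf.test   # allow
#   access_check oracle  "dba"      laptop    /tmp/access.conf.test   # deny
#   access_check alice   "staff"    cron      /tmp/access.conf.test   # deny
```

The last example is the cron case from the NOTE: crond runs the account stack with origin "cron", the first rule matches every user outside the listed groups regardless of origin, and the job is refused. Note also that the first rule exempts members of the group named "users", which exists by default, so review that group's membership when adopting these entries.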

 

Restricting su Access to System and Shared Accounts

 
su access will be granted to the oracle user and the dbas and sas groups only.

Add the three authentication lines that follow "auth include system-auth" (the two pam_stack lines and the pam_deny line) to the /etc/pam.d/su file as shown below:
 
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the 'wheel' group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the 'wheel' group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
auth            sufficient      pam_stack.so service=su-root-members
auth            sufficient      pam_stack.so service=su-other-members
auth            required        pam_deny.so
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
 

These additional authentication lines specify that nobody should be able to su to any account unless at least one of the PAM services, su-root-members or su-other-members, returns Success.

 

The control flag sufficient means that a Success bypasses the remaining authentication modules and overall Success is returned for the authentication part. A Failure from a sufficient module is ignored and the next module runs. If both authentication PAM services fail, the last authentication module, pam_deny, is invoked and denies the request. This causes the authentication part of the su command to fail.

Next, the new authentication PAM service configuration files /etc/pam.d/su-root-members and /etc/pam.d/su-other-members need to be created.

Create /etc/pam.d/su-root-members file referenced in /etc/pam.d/su as:

 

auth    required        pam_wheel.so use_uid group=sas
auth    required        pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-sas-access

 

Create the /etc/security/su-sas-access file referenced in /etc/pam.d/su-root-members as:

 

root
oracle

 

The control flag required, which is specified for both modules, means that both modules have to return Success. Otherwise this PAM service returns Failure to the 'su' PAM service configured in /etc/pam.d/su. The first line returns Success only if the user is in the sas group.

 

The second line allows access only (sense=allow) to the users listed in /etc/security/su-sas-access, which are root and oracle; these are the only users that will be accepted as a user argument to su. The item=user argument instructs pam_listfile that the entries in /etc/security/su-sas-access are usernames. If an error occurs, such as an unreadable configuration file, access is denied (onerr=fail).

NOTE: Once su access to root is working for users in the sas group, do not make any changes to the /etc/pam.d/su-root-members file in the future. A mistake in this file could revoke access to root for all users on the system.

 

/etc/pam.d/su-other-members is used to add non-root members, including the dbas group.

Create /etc/pam.d/su-other-members file referenced in /etc/pam.d/su as:

 

auth       sufficient   pam_stack.so service=su-oracle-members
auth       required     pam_deny.so
 

If the su-oracle-members PAM service returns Success, it returns Success to the 'su' PAM service configured in /etc/pam.d/su. Otherwise the last module is invoked, which denies all further requests, and authentication fails.

Next the PAM service su-oracle-members has to be created.

The file /etc/pam.d/su-oracle-members referenced in /etc/pam.d/su-other-members should read like:

 

auth       required     pam_wheel.so use_uid group=dbas
auth       required     pam_listfile.so item=user sense=allow onerr=fail file=/etc/security/su-dbas-access

 

The file /etc/security/su-dbas-access referenced in /etc/pam.d/su-oracle-members should read like:

 

oracle
 
Now verify that a sas member can su to root and oracle. No one else should be able to su to root, and no one else on the system should be able to su to any of these accounts even if they know the password.
 

Configure Screensaver Locking

 
The default setup of /etc/pam.d/system-auth causes a problem with the screensaver: if you get locked out on the console, you cannot get back in even with the correct password. The bug is documented at
 
http://kbase.redhat.com/faq/FAQ_85_10737.shtm
 
The problem lies in the pam_tally module, which tries to write to /var/log/faillog and does not have permission to do so.
 
To work around this problem, create a new file /etc/pam.d/xscreensaver and copy the auth section of the /etc/pam.d/system-auth file into it. Then comment out the pam_tally line in the auth section of the /etc/pam.d/system-auth file.
 

Disabling Nonessential Services

 

Linux by default has a number of services available. You should run only those services that are really required. Running non-essential services is a security risk. The basic services that typically need to be enabled on a Linux machine are:

 

·         gpm [provides mouse support on virtual terminals]
·         keytable [loads system keyboard map]
·         network [activates the network interfaces]
·         syslog [enables daemons to log various messages to the log files]
·         crond [enables scheduling of tasks]
·         sshd [activates the ssh daemon]
·         xinetd [enables the internet services daemon]

 

 

[root@twnycld01 /]# chkconfig --list | grep ':on'
acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
avahi-daemon    0:off   1:off   2:off   3:on    4:on    5:on    6:off
bluetooth       0:off   1:off   2:on    3:on    4:on    5:on    6:off
cpuspeed        0:off   1:on    2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
firstboot       0:off   1:off   2:off   3:on    4:off   5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
haldaemon       0:off   1:off   2:off   3:on    4:on    5:on    6:off
hidd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
hplip           0:off   1:off   2:on    3:on    4:on    5:on    6:off
ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
irqbalance      0:off   1:off   2:on    3:on    4:on    5:on    6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
lvm2-monitor    0:off   1:on    2:on    3:on    4:on    5:on    6:off
mcstrans        0:off   1:off   2:on    3:on    4:on    5:on    6:off
mdmonitor       0:off   1:off   2:on    3:on    4:on    5:on    6:off
messagebus      0:off   1:off   2:off   3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
nqmdaemon       0:off   1:off   2:on    3:on    4:on    5:on    6:off
pcscd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
readahead_early 0:off   1:off   2:on    3:on    4:on    5:on    6:off
readahead_later 0:off   1:off   2:off   3:off   4:off   5:on    6:off
restorecond     0:off   1:off   2:on    3:on    4:on    5:on    6:off
rhnsd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcgssd         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rpcidmapd       0:off   1:off   2:off   3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
setroubleshoot  0:off   1:off   2:off   3:on    4:on    5:on    6:off
smartd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
sysstat         0:off   1:off   2:on    3:on    4:off   5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
yum-updatesd    0:off   1:off   2:off   3:on    4:on    5:on    6:off
        bpcd:           on
        bpjava-msvc:    on
        vnetd:          on
        vopied:         on
 
 
Disable the services that are not needed. The table below describes each service; the chkconfig commands that follow turn off the non-essential ones.
 
Service           Description                   
acpid             Advanced Configuration and Power Interface event daemon
anacron           runs commands periodically, similar to crond for machines not running 24x7
atd               atd runs jobs queued by at
auditd            userspace component to the Linux Auditing System
autofs            control  the operation of the automount daemons
avahi-daemon      Avahi mDNS/DNS-SD daemon
bluetooth         The core of Bluetooth
cpuspeed          This program monitors the system's idle percentage and reduces or raises the CPUs' clock speeds and voltages accordingly to minimize power consumption when idle and maximize performance when needed
crond             daemon to execute scheduled commands
cups              needed if CUPS is used for the printing system
firstboot         
gpm               mouse server for virtual consoles
haldaemon         This monitors for hardware changes and will alert you to new or altered hardware.
hidd              Bluetooth HID daemon
hplip             Older version of HP supplied drivers for their all in one products
ip6tables         IPv6 packet filter administration
iptables          administration tool for IPv4 packet filtering and NAT
irqbalance        distribute hardware interrupts across processors on a multiprocessor system
isdn              needed if ISDN is being used
kudzu             detects and configures new and/or changed hardware on a system
lvm2-monitor
mcstrans
mdmonitor         needed only if software RAID is being used
messagebus        This one sends broadcast messages to all users when needed, like the server is going down for reboot.
netconsole
netfs             needed only if there are NFS shares that should be mounted at boot time
network           important for starting network interfaces
nfslock           needed if NFS shares are mounted
nqmdaemon
pcscd             PC/SC Smart Card Daemon
portmap           Portmap is a server that converts RPC program numbers into DARPA 
                  protocol port numbers.  It must be running in order to make RPC 
                  calls. It is also required by NFS client.
readahead_early
readahead_later
restorecond       daemon that watches for file creation and then sets the default SELinux file context
rhnsd             a program for querying the Red Hat Network for updates and information
rpcgssd
rpcidmapd
sendmail          an electronic mail transport agent
setroubleshoot
smartd            smartd  is  a  daemon that monitors the Self-Monitoring, Analysis and Reporting Technology (SMART) system built into many ATA-3 and later ATA, IDE  and  SCSI-3 hard  drives.  The  purpose  of SMART is to monitor the reliability of the hard drive and predict drive failures, and to carry out  different  types  of  drive self-tests.
sshd              OpenSSH SSH daemon
syslog            important for syslog services
sysstat           needed to reset system statistics logs
xfs               Xfs is the X Window System font server.  It supplies fonts to X  Window System display servers.
xinetd            starts programs that provide Internet services.
   bpcd:          Used by Veritas Netbackup
   bpjava-msvc:   Used by Veritas Netbackup
   vnetd:         Used by Veritas Netbackup
   vopied:        Used by Veritas Netbackup
yum-updatesd      yum-updatesd provides notification of updates which are available to be applied to your system.  This notification can be done either via syslog, email or over dbus 
Run these commands to disable the services:

chkconfig --level 0123456 acpid off
chkconfig --level 0123456 anacron off
chkconfig --level 0123456 atd off
chkconfig --level 0123456 auditd off
chkconfig --level 0123456 autofs off
chkconfig --level 0123456 avahi-daemon off
chkconfig --level 0123456 bluetooth off
chkconfig --level 0123456 cups off
chkconfig --level 0123456 firstboot off
chkconfig --level 0123456 hidd off
chkconfig --level 0123456 hplip off
chkconfig --level 0123456 ip6tables off
chkconfig --level 0123456 iptables off
chkconfig --level 0123456 irqbalance off
chkconfig --level 0123456 isdn off
chkconfig --level 0123456 kudzu off
chkconfig --level 0123456 lvm2-monitor off
chkconfig --level 0123456 mcstrans off
chkconfig --level 0123456 mdmonitor off
chkconfig --level 0123456 netconsole off
chkconfig --level 0123456 nqmdaemon off
chkconfig --level 0123456 pcscd off
chkconfig --level 0123456 readahead_early off
chkconfig --level 0123456 readahead_later off
chkconfig --level 0123456 restorecond off
chkconfig --level 0123456 rhnsd off
chkconfig --level 0123456 rpcgssd off
chkconfig --level 0123456 rpcidmapd off
chkconfig --level 0123456 setroubleshoot off
chkconfig --level 0123456 smartd off
chkconfig --level 0123456 xfs off
chkconfig --level 0123456 yum-updatesd off
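Rather than maintaining the command list above by hand, the off commands can be derived from the chkconfig --list output and a keep-list of the services that must stay enabled. The following shell functions are an added example written for this page (not part of the original document): services_to_disable reads a listing on stdin and prints every SysV service that is on in at least one runlevel and not in the keep list, and disable_commands turns that into chkconfig commands. The listing excerpt embedded below is constructed from the output shown above; the keep list holds the services the document leaves enabled, and since it is the only policy input a site that prefers to keep auditd or iptables running simply adds them to it.

```shell
#!/bin/sh
# Added example: derive chkconfig "off" commands from a chkconfig --list
# listing and a keep list, instead of hand-maintaining the command list.

# Constructed excerpt of the "chkconfig --list | grep ':on'" output shown above
sample_chkconfig_listing() {
    cat <<'EOF'
acpid           0:off   1:off   2:off   3:on    4:on    5:on    6:off
auditd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
readahead_later 0:off   1:off   2:off   3:off   4:off   5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
        bpcd:           on
        vnetd:          on
EOF
}

# in_list NAME "a b c": 0 if NAME is one of the words
in_list() {
    for w in $2; do [ "$1" = "$w" ] && return 0; done
    return 1
}

# services_to_disable "keep list" < listing
# Prints every SysV service that is on in at least one runlevel and is not
# in the keep list. xinetd sub-services ("name:  on") are skipped: they are
# switched with "chkconfig name off", not per runlevel. A service that is
# already off everywhere (netconsole above) is not reported.
services_to_disable() {
    keep=$1
    while read -r svc l0 l1 l2 l3 l4 l5 l6; do
        case "$svc" in ''|*:) continue ;; esac
        case " $l0 $l1 $l2 $l3 $l4 $l5 $l6 " in
            *:on*) ;;
            *) continue ;;
        esac
        in_list "$svc" "$keep" || echo "$svc"
    done
}

# disable_commands "keep list" < listing: one chkconfig command per service
disable_commands() {
    services_to_disable "$1" | while read -r svc; do
        echo "chkconfig --level 0123456 $svc off"
    done
}

# Services the document leaves enabled (the only policy input)
KEEP="cpuspeed crond gpm haldaemon messagebus netfs network nfslock portmap sendmail sshd syslog sysstat xinetd"

# Review the output before applying it, e.g.:
#   chkconfig --list | grep ':on' | disable_commands "$KEEP"          # print
#   chkconfig --list | grep ':on' | disable_commands "$KEEP" | sh     # apply
```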
 

Secure sendmail

 
The server sends out email to administrators using SMTP. For this we do not need a full-featured sendmail server; it is not necessary to process incoming mail.
 
1.      Configure the sendmail client to use a mail submission agent.
 
Edit the /etc/mail/submit.mc file to define the mail submission agent server:
 
FEATURE(`msp', `smtp.gotodba.com')dnl
 
2.      Build submit.cf by running, in /etc/mail:
 

# make submit.cf

 
3.      Edit the /etc/sysconfig/sendmail file to disable the sendmail daemon (the variable name is upper case):
 
   DAEMON=no
 
4.      Restart sendmail service

# service sendmail restart

 
 
 
 
 
 
 
 
Appendix A
 
Reference: Securing and Hardening Red Hat Linux Production Systems
 
Mounting Partitions Securely 
 
This is for reference only and is not implemented for Data warehouse environment. 
 
Linux allows multiple options while mounting the file system. The correct option while mounting helps increase the system security manifold. The various options that are available while mounting are:
 
·         nosuid: Do not set SUID/SGID access on this partition. 
·         noexec: Do not allow execution of any binaries on this partition. 
·         ro: Allow read-only access to the partition. 
·         rw: Allow read-write access to the partition. 
 
The options for mounting the file systems are defined in the /etc/fstab file. On a production server, directories such as /home, /tmp, /var, and /boot should be mounted with nosuid and noexec bit. Once the system is properly installed, you probably won’t be writing to the / and the /usr directories. Therefore, the / and /usr directories should be mounted read-only to increase the security. A sample /etc/fstab file is shown below: 
 
/dev/hda1           /          ext3      defaults,ro              0 2
/dev/hda4           /usr       ext3      defaults,ro              0 2
/dev/hda2           /home      ext3      defaults,nosuid,noexec   0 2
/dev/hda3           /tmp       ext3      defaults,nosuid,noexec   0 2
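As an added example (not part of the original document), the following shell functions audit an fstab against the policy just described: /home, /tmp and /var must carry nosuid and noexec, and / and /usr should be read-only. The policy table and the sample fstab are constructed for this example; the sample repeats the document's four lines and adds a /var line that has not been hardened plus a tmpfs line outside the policy.

```shell
#!/bin/sh
# Added example: audit fstab entries against the mount-option policy above.

# required_opts MOUNTPOINT: the options the (constructed) policy demands
required_opts() {
    case "$1" in
        /home|/tmp|/var) echo "nosuid noexec" ;;
        /|/usr)          echo "ro" ;;
        *)               echo "" ;;
    esac
}

# has_opt "defaults,nosuid,noexec" nosuid -> 0 if the option is present;
# the surrounding commas keep "ro" from matching inside "errors=remount-ro"
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# fstab_audit < fstab: one line per mount point that lacks a required option;
# comments, blank lines and mount points outside the policy are skipped
fstab_audit() {
    while read -r dev mnt fstype opts dump pass; do
        case "$dev" in ''|'#'*) continue ;; esac
        missing=""
        for o in $(required_opts "$mnt"); do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        if [ -n "$missing" ]; then
            echo "$mnt: missing$missing"
        fi
    done
}

# Constructed fstab: the document's four lines, an unhardened /var, and a
# tmpfs line that the policy does not cover
sample_fstab() {
    cat <<'EOF'
# constructed sample, not a real system's fstab
/dev/hda1   /         ext3    defaults,ro              0 2
/dev/hda4   /usr      ext3    defaults,ro              0 2
/dev/hda2   /home     ext3    defaults,nosuid,noexec   0 2
/dev/hda3   /tmp      ext3    defaults,nosuid,noexec   0 2
/dev/hda5   /var      ext3    defaults                 0 2
tmpfs       /dev/shm  tmpfs   defaults                 0 0
EOF
}

# Usage:  sample_fstab | fstab_audit        or        fstab_audit < /etc/fstab
```

The audit only reads the file; it does not tell you whether a given system can live with the options. In particular, noexec on /tmp stops anything that unpacks and runs helpers from /tmp, which is common for installers, so test the change on a non-production host before adopting it.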
 
Securing Various Servers 
 
For reference only.
 
Although it is not possible to go into the details of securing various servers such as Apache, DNS, Samba, wu-ftpd or proftpd, and Sendmail, I will briefly outline certain generic guidelines that will help you increase the security of these servers and your production system: 
 
·         Run these servers in a chroot environment. 
·         If possible, run these servers as specific user instead of root. For example, run Apache as user nobody instead of user root. This limits the damage in case the Apache server is compromised by some buffer overflow attack. 
·         Quite a few of these servers allow users to define access control lists (ACLs). Use ACLs to increase the security of your server. 
·         Enable logging. 
 
Security tools
 
This article concludes with a list of security tools systems administrators will find useful to increase the security of their systems. One of the most important tools is Bastille Linux, a set of Perl scripts, which attempts to carry out automated hardening of a Linux system. It is comprehensive, instructive, and user friendly. Download and install the correct version for your system from the URL: http://www.bastille-linux.org/ . Bastille runs in an interactive mode and covers various aspects of Linux hardening, such as: 
 
·         Configuring the firewall and setting proper file permissions (including setting the SUID bit). 
·         Setting up account security, including disabling the dangerous r-protocols (rlogin, rsh, rexec, etc.) and enabling password aging. 
·         Restricting and deactivating superfluous services as well as configuring various aspects of boot security.
·         Disabling certain user tools, configuring PAM (pluggable authentication module), and enabling additional logging. 
·         Downloading latest security patches.
·         Securing various services, such as SSH (Secure Shell), Sendmail, Apache, Line Printer, FTP, and DNS.