Local Oracle Linux installations come with no vendor support for the CIS Oracle Linux Benchmarks or CIS hardened images. When you implement CIS Benchmarks on an Oracle Linux server, you are on your own. We wrote this post to help you.
What You Learn
- Key differences between Oracle Linux and competing distributions
- Oracle Linux's key security components
- How to implement Oracle's server hardening guidelines
- The steps needed to implement Oracle's recommendations
- How Oracle's recommendations map to CIS Benchmarks
Oracle Linux – Under the Hood
Oracle Linux is a secure Linux distribution tailored to large-scale, distributed enterprise computing environments. Oracle itself does not support the CIS Oracle Linux Benchmarks or hardened images. To understand how Oracle Linux approaches security, let's examine three key components.
Embedded Security
Oracle rewrote core Linux functionality with security as the priority to create the Unbreakable Enterprise Kernel (UEK). UEK runs on the most popular enterprise hardware platforms, including Intel, AMD, and ARM. At the application level it is 100% binary-compatible with RHEL, CentOS, and many other enterprise Linux distributions. Let's examine three key UEK security features:
- Secure memory controls
- Cryptography module
- Ksplice update management
Secure Memory Controls
UEK prevents common attack vectors using these methods:
- Address Space Layout Randomization (ASLR): Randomizes the locations at which system libraries, heaps, and stacks are placed in memory. Because an attacker can no longer predict where these regions live, exploiting a buffer overflow becomes much harder.
- Data Execution Prevention (No Execute): Prevents code from running in memory regions marked non-executable, such as the stack and heap, which adds a further barrier against buffer overflow exploitation.
- Position Independent Executables (PIE): Builds executables so they can be loaded at a random base address, letting ASLR randomize the program's own code and not only its libraries. This makes it harder for attackers to predict where running code resides.
Cryptography Module
UEK's cryptography module exposes cryptographic functionality through an application programming interface (API) used by both internal kernel processes and external applications. It supports FIPS 140-3 compliant crypto modules. FIPS is a program managed by the US government's National Institute of Standards and Technology (NIST) that validates the effectiveness of cryptographic software. The module supports common cryptographic standards and algorithms such as AES, SHA, and TLS.
Ksplice Update Management
Hackers frequently try to infect Linux servers through software updates. To protect against these attacks, Oracle created Ksplice. Ksplice downloads and deploys critical software updates without rebooting. Once a new vulnerability is detected, Oracle Linux downloads and installs the fix without any downtime. Ksplice relies on UEK's secure memory management and cryptography module for enhanced security.
Oracle Server Hardening in Practice
In light of Oracle's lack of support for the CIS Oracle Linux Benchmarks, let's look at Oracle's Enhancing System Security (ESS) guidance. Here are ESS's top three Oracle Linux hardening recommendations, each mapped to the relevant CIS Oracle Linux Benchmark sections.
- Minimize and Secure the Software Footprint
- Keep Software Up-to-date
- Follow the Least Privilege Model
Minimize and Secure the Software Footprint
ESS reiterates the foundational principle of server hardening: unnecessary functionality compromises security. In other words, the best way to reduce your system's attack surface is to remove software and services you don't need. To review what is installed, run the following CLI commands:
- Base environments: dnf group list -v
- Minimal-environment group: dnf group info minimal-environment
- Core packages: dnf group info core
Restrict access to troubleshooting messages stored in the kernel ring buffer. To verify access is restricted, run:
sudo sysctl kernel.dmesg_restrict
A return value of 1 shows access is restricted. Otherwise, create a drop-in file containing kernel.dmesg_restrict = 1 and load it:
sudo sysctl -p /etc/sysctl.d/dmesg-restrict
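The sysctl command above shows only the live value; the drop-in file is what makes the setting survive a reboot. As an added example (not from Oracle's ESS guide or the CIS benchmark), these POSIX shell functions check whether kernel.dmesg_restrict = 1 is persisted in a sysctl drop-in directory and write a drop-in when it is missing; the directory argument and the drop-in file name are assumptions.

```shell
# Added example (not from Oracle's ESS guide or CIS): checks that
# kernel.dmesg_restrict = 1 is persisted in a sysctl drop-in directory, not
# just set in the running kernel, and writes a drop-in when it is missing.
# Files are read the way systemd-sysctl reads them: *.conf in lexical order,
# with later files overriding earlier ones. The directory is a parameter so
# the logic can be exercised against a test directory.
persisted_sysctl() {
    # $1 = sysctl key (e.g. kernel.dmesg_restrict), $2 = drop-in directory
    key_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for sed
    value=""
    for f in "$2"/*.conf; do
        [ -f "$f" ] || continue
        # accept "key = value" and "key=value"; ignore comments and other keys
        v=$(sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; fi
    done
    printf '%s' "$value"
}

check_dmesg_restrict() {
    # $1 = drop-in directory; exit status 0 when the hardened value is persisted
    v=$(persisted_sysctl kernel.dmesg_restrict "$1")
    if [ "$v" = "1" ]; then
        echo "OK: kernel.dmesg_restrict = 1 is persisted in $1"
        return 0
    fi
    echo "FAIL: kernel.dmesg_restrict is '${v:-unset}' in $1"
    return 1
}

remediate_dmesg_restrict() {
    # Writes a high-priority drop-in (assumed file name). On a real host,
    # apply it immediately with: sudo sysctl --system
    printf 'kernel.dmesg_restrict = 1\n' > "$1/99-dmesg-restrict.conf"
}
```

On a real host, call check_dmesg_restrict /etc/sysctl.d alongside the live sysctl query so that both the running value and the persisted value are verified.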
CIS Benchmarks: 1.1.1 Configure Filesystem Kernel Modules, 1.1.2.1 Configure Filesystem Partitions, 2.1 Configure Server Services, 2.2 Configure Client Services
Keep Software Up-to-date
A key weapon in the war against hackers is keeping system software current. Installing the latest patches promptly ensures that malicious actors can't use recently discovered vulnerabilities and exploits against your network and connected devices. Oracle created Ksplice for this purpose. Furthermore, Ksplice has the added benefit of running continually in the background without rebooting its host.
To install Ksplice, run this CLI command:
yum install ksplice uptrack
Once installed, enable and start the Ksplice service with:
systemctl enable --now ksplice
Ensure automatic updates are configured by setting the following in /etc/uptrack/uptrack.conf:
autoinstall = yes
CIS Benchmarks: 1.2 Package Management, 1.4 Configure Bootloader
Follow the Principle of Least Privilege
The least privilege principle grants system access and privileges only to those people who require them. It assigns users to groups according to their role within the organization, and each group is granted the minimum privileges needed to perform its job. A least privilege model is accompanied by restricting network access to critical services, deploying system-wide authentication, and enforcing password restrictions.
Oracle recommends displaying and reviewing a list of unlocked user accounts. To generate the list, run this CLI command:
for u in $(awk -F: '{print $1}' /etc/passwd); do sudo passwd -S "$u"; done | sort
In the output, each locked account is marked with the letters LK in the second column, for example:
adm LK 2023-03-31 0 99999 7 -1
To lock an unused account, use:
sudo passwd -l <username>
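Reviewing the passwd -S listing by eye does not scale, and a status of NP (no password) on an account with a login shell is more urgent than PS. As an added example (not from Oracle's ESS guide), this shell function cross-references the listing with /etc/passwd and prints only accounts that can still log in interactively; the sample data in the demo function is constructed, not taken from a real host.

```shell
# Added example (not from Oracle's ESS guide or CIS): cross-reference the
# output of the `passwd -S` loop with /etc/passwd to list accounts that can
# still log in interactively. Status codes: PS = usable password, LK = locked,
# NP = no password set (the most urgent candidate for `passwd -l`).
flag_accounts() {
    # $1 = file in /etc/passwd format, $2 = file with one "passwd -S" line per user
    awk '
        FNR == NR { shell[$1] = $NF; next }         # first file: record login shell
        $2 == "LK"                       { next }   # locked: nothing to review
        shell[$1] ~ /(nologin|false)$/   { next }   # cannot log in interactively
        {
            reason = ($2 == "NP") ? "NO-PASSWORD" : "UNLOCKED"
            printf "%s %s %s %s\n", $1, $2, shell[$1], reason
        }' FS=":" "$1" FS=" " "$2" | sort
}

# Runs flag_accounts over constructed sample data (not a real host) so the
# function can be exercised offline; prints the flagged accounts.
demo_flag_accounts() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
oracle:x:1001:1001:Oracle DBA:/home/oracle:/bin/bash
legacyapp:x:1002:1002::/home/legacyapp:/bin/bash
EOF
    cat > "$tmp/status" <<'EOF'
root PS 2023-03-31 0 99999 7 -1
bin LK 2023-03-31 0 99999 7 -1
adm LK 2023-03-31 0 99999 7 -1
oracle PS 2023-03-31 0 99999 7 -1
legacyapp NP 2023-03-31 0 99999 7 -1
EOF
    flag_accounts "$tmp/passwd" "$tmp/status"
    rm -rf "$tmp"
}
```

On a real host, save the output of the passwd -S loop to a file and call flag_accounts /etc/passwd that-file; every NO-PASSWORD line is a candidate for passwd -l.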
CIS Benchmarks: 5.1 Configure SSH Server, 5.2 Configure privilege escalation, 5.4 User Accounts and Environment, 7.1 System File Permissions, 7.2 Local and Group Settings
Key Takeaways
- Oracle Linux’s advantages as a secure OS
- Understanding its secure architecture
- How this architecture simplifies server hardening
- Oracle’s server hardening roadmap
- Implementing Oracle’s server hardening practices
How CalCom Can Help You
Oracle Linux is a secure Linux distribution that many organizations rely on. Hardening your servers builds on the foundations provided by Oracle, but manual hardening across the organization is error-prone and time-consuming.
CalCom's Hardening Suite (CHS) is a baseline hardening solution designed to address the needs of IT operations and security teams. It significantly reduces operational costs and eliminates service downtime. CHS shows how each security configuration change will affect the production environment by simulating the change before it is applied, removing the need to test changes in a lab environment.