How Oracle Linux Differs and Why That Matters
Server hardening’s core principle is, “unnecessary functionality compromises security.”
Adopting Linux should greatly simplify the process of server hardening. No matter which flavor of Linux you choose to run, hardening your servers should be the same process; once you know one, you know them all. When it comes to Oracle Linux Server Hardening, what works for Red Hat or CentOS should continue to work. In theory, yes, but in practice, there are significant differences that could make or break your project.
To help you better understand Oracle Server hardening, we are publishing a series of three articles. This article will give an overview of Oracle Linux, explain what Oracle’s approach to server hardening is, what this means for your organization, and how CalCom can help you.
What You Will Learn
- Linux’s role in enterprise computing
- What is Oracle Linux, and why was it created
- How it differs from other Linux releases
- An understanding of Oracle Linux policies towards CIS benchmarks
- The difference between OCI and Oracle Linux
What is Different About Oracle Linux?
Linux is a free and open source operating system that anyone can modify and distribute. For large enterprises, Linux offered a way to free themselves from the licensing and support fees they paid for Windows or UNIX. Unfortunately, when it came to supporting Linux, they would be on their own. To meet the needs of enterprise computing, companies like Red Hat created new enterprise Linux distributions backed by paid technical support.
Over time, Red Hat Enterprise Linux (RHEL) has become the de facto standard for enterprise computing. The problem is that different organizations have different needs, especially when it comes to cybersecurity.
Oracle Linux was created as a secure, high-performance alternative to RHEL. Oracle Linux is free to download without support. Support plans can be purchased directly from Oracle. Given Oracle’s dominance in databases, the platform has been optimized to support Oracle Databases and clusters. It is also the default Linux distribution offered by Oracle Cloud Infrastructure (OCI), Oracle’s cloud platform.
While Oracle Linux provides binary compatibility with RHEL and other legacy distributions, such as CentOS and Rocky Linux, it has a number of key differences. Oracle uses the Unbreakable Enterprise Kernel (UEK). This is designed as a high-performance and secure foundation that supports Oracle systems and software. To further increase security, Oracle supports its own mechanism for secure operating system updates called Ksplice. For the remainder of this article, we focus on Oracle’s distinctive approach to server hardening.
Oracle Linux Server Hardening
Oracle Linux is available in two different versions, each with its own approach to server hardening. These are:
- Oracle Linux: The version for downloading and installing locally
- Oracle Cloud Infrastructure (OCI): The version that runs on cloud-hosted compute instances
Oracle Linux
The Center for Internet Security (CIS) benchmarks are at the top of the list for server hardening standards. Along with its benchmarks for Windows Server and RHEL, CIS not only supports the most recent versions of Oracle Linux but also provides its own hardened images available for download.
It would make sense for Oracle Linux to reciprocate by offering support for CIS benchmarks and images. Oracle, it appears, has very different ideas.
Oracle’s policy regarding CIS benchmarks is spelled out in Support Information for CIS Benchmarks and CIS Hardened Images for Oracle Linux (Doc ID 2949651.1). Oracle states very clearly that:
“Oracle currently does not support CIS Benchmarks for Oracle Linux. Customers obtain support directly from CIS and its community.”
The post suggests that in some instances, Oracle may be willing to provide support; otherwise, if you experience any problems, you are on your own.
Oracle’s official policy on CIS Benchmarks doesn’t mean it doesn’t support any hardening frameworks. Oracle’s chosen alternative is the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG). STIG is a secure version of NIST 800-53, specifically designed for the US Department of Defense (DOD) and its contractors. We will be diving deeper into STIG in a future article.
Oracle Cloud Infrastructure (OCI)
When it comes to server hardening and CIS benchmark support, OCI’s approach is the complete opposite of Oracle Linux. Unlike its sibling, OCI openly supports CIS Oracle Linux benchmarks, as stated in this Cloud Infrastructure Security blog post on Oracle’s website. The post not only praises CIS benchmarks but states that OCI supports all of the CIS Oracle-related benchmarks, including OCI Foundation, Oracle Linux, and, of course, Oracle Database.
To further emphasize OCI’s distinct approach to all things CIS, it offers open-source tools for generating benchmarking reports. These tools are publicly available on GitHub. Even more surprising is that OCI directly integrates its control console with OCI. This enables running host scans and viewing the results directly from the command line. We will also be taking a closer look at OCI hardening support in a future article.
From Theory to Practice
We started this article with a brief introduction to Oracle Linux. Next, we examined the differences between Oracle’s take on Linux and other popular enterprise Linux distributions, such as RHEL. Finally, we discussed Oracle Linux and OCI’s various approaches to supporting and implementing CIS benchmarks. To learn more, see our Oracle Linux Practical Guide. This will delve deeper into what sets Oracle Linux apart from other distributions and how this impacts the server hardening process, particularly when implementing CIS Oracle Linux benchmarks.
Key Takeaways
- Oracle Linux’s feature set makes it attractive to large enterprises.
- Security is embedded into the OS’s core components
- Oracle Linux users wishing to implement CIS Benchmarks locally are on their own
- Oracle recommends DISA’s STIG hardening framework, a secure version of NIST 800-53
- CIS benchmarks are only supported for Oracle’s cloud (OCI) variants
How CalCom Can Help You
Oracle Linux is a secure Linux distribution that many organizations rely on. Hardening your servers builds on the foundations provided by Oracle. Manual hardening of your system across the organization can be error-prone and time-consuming. An automated hardening solution will help you achieve better results more quickly.
CalCom’s Hardening Suite (CHS) is a baseline hardening solution designed to address the needs of IT operations and security teams. CHS significantly reduces operational costs and eliminates service downtime by indicating the impact of a security baseline change directly on the production environment. CHS’s automated process simulates the effect of a change in a production environment, thus saving the need for testing changes in a lab environment. CHS enables you to:
- Deploy security baselines without affecting the production services.
- Reduce the costs and resources for implementing compliance.
- Manage hardening baselines for your entire infrastructure from a single point.
- Avoid configuration drifts and repeated hardening processes