Database Reference
In-Depth Information
•
Is the Ctrl-Alt-Del combination available to shut down the system?
•
Is the RealVNC rpm installed on the server?
•
Is support for a USB device found in the kernel?
•
Category 2: This is DOD speak for “Document these and develop a plan to fix the issues.”
•
Is single user mode boot-enabled without a password?
•
Is the pam-tally account configuration and login failure management tool configured to
lock accounts after three consecutive login failures?
•
Does the system prohibit the use of past passwords?
•
How secure is the password strength? Is the password less than eight characters?
•
Is a delay configured to make users wait before trying to log in again after a login failure?
•
Do passwords have to be changed no less than every 60 days?
•
Can passwords changed be more than once every 24 hours?
•
Is
cron
access controlled?
Can you log into the system directly as root through
•
ssh
?
•
Is the
tcp dump
rpm installed on the system?
Do all of the file systems have the correct permissions?
•
•
Are there any unnecessary accounts present?
•
sendmail help
command enabled?
Category 3: This is DOD speak for “Document the risk and decide what you want to do about it.”
Is the
•
•
Are the UNIX
man
page permissions correct?
sendmail
version hidden?
There are some additional checks in the STIG scripts that even your seasoned sysadmins may need to look up
and figure out. The purpose of the STIG scripts is to check your security setup practices rather than the ODA out-
of-the-box security implementations. A search of “My Oracle Support (MOS)” only found STIG implementation
documents for ODAs and Exadatas. This security implementation check script is another value-added proposition
for ODAs.
The implementation of which STIG script fixes that you choose to implement will depend on your company's
security standards. Not every company has the same security requirements as the US Department of Defense.
However, security is an area where some companies choose to err on the side of caution. At the minimum, the STIG
process performs an ODA-specific DOD security analysis.
Oracle also publishes Oracle Linux security manuals and the Oracle Linux group publishes additional blogs for
steps to lock down your systems. While it isn't always easy to translate these steps directly to an ODA, they do serve
as valuable guides for security lockdowns on your systems. While a full coverage of server security implementation
is outside the scope of this chapter, additional steps can be taken to lock down your ODA systems, such as limiting
access to ODAs through jump servers.
•
Is the
