
This article provides tips and techniques for hardening an Oracle Linux server.

- Minimize software and services. Eliminating unnecessary software packages and services minimizes possible avenues of attack.
- Tighten networking and user access. The network is a prime point of entry for malicious users and applications. Fine-tuning the network configuration, along with all user access points, helps to prevent unauthorized access.
- Protect applications and data. Setting up devices, mounts, and file systems appropriately (and in some cases using encryption) helps to safeguard applications and data.
- Implement security features that enforce policies. In some cases, the security policy may dictate additional mechanisms, such as TCP wrappers, Pluggable Authentication Modules (PAM), or the implementation of Security-Enhanced Linux (SELinux).
- Follow appropriate operational procedures. In addition to maintaining systems' physical security, apply support patches and security updates promptly. Monitor system logs and audit trails, implementing procedures and tools that look for signs of compromise. Also, conduct security evaluations periodically to review security-related practices and procedures.

Security for Oracle Linux

Minimizing the software footprint


On systems on which Oracle Linux is already installed, prune out unneeded RPMs to minimize the software
footprint. For example, the X-Windows system isn't needed on most servers and can be uninstalled.

Minimizing active services


For services that are in use, be sure to keep software packages up to date, applying the latest Oracle support patches and security updates. To protect against unauthorized changes, secure the file /etc/services: make sure it is owned by root, is modifiable only by root, and that links to it cannot be created.

Locking down network services


1/ Port scanning
List the services that are listening on the host (the nmap line scans the local host's TCP and UDP ports):
# netstat -tulp
# lsof -iTCP -sTCP:LISTEN
# nmap -sTU localhost
2/ TCP wrappers
By editing the files /etc/hosts.deny and /etc/hosts.allow, you can restrict or permit service access for identified hosts or networks.

3/ Netfilter and iptables

netfilter performs three operations:
- Packet filtering
- Network Address Translation (NAT): hiding IP addresses behind a public IP address
- IP masquerading: altering IP header information for routed packets

4/ SSH
Configure SSH by editing these parameters in /etc/ssh/sshd_config:
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
HostbasedAuthentication no
StrictModes yes
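Two of the checks above (the listening-port inventory from step 1 and the sshd_config settings from step 4) can be scripted. The following is an added example, not code from the original article: it parses a constructed netstat sample and a constructed sshd_config fragment (both inline, so it runs offline), and with --live it reads the real host (netstat with -n so addresses are numeric rather than resolved names).

```shell
#!/bin/sh
# Added example, not from the original article: two audit helpers for the
# "Locking down network services" steps. Both work on text passed in, so they
# run offline against the constructed samples below; pass real command output
# to run them against a live host.

# Constructed sample of `netstat -tulp` output (not captured from a real host).
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1012/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1201/master
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      900/rpcbind
udp        0      0 0.0.0.0:68              0.0.0.0:*                           811/dhclient'

# List every listener bound to all interfaces (0.0.0.0 or ::) as one
# "proto port program" line. Services bound only to 127.0.0.1 are skipped:
# they are not reachable from the network. The printed ones are the
# candidates to disable, firewall or wrap.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ && $4 ~ /^(0\.0\.0\.0|:::)/ {
            port = $4; sub(/.*:/, "", port)          # keep text after last ":"
            prog = $NF; sub(/^[0-9]*\//, "", prog)   # strip the "PID/" prefix
            print $1, port, prog
        }'
}

# Hardened sshd_config values from the article (directive and required value).
SSHD_REQUIRED='PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
HostbasedAuthentication no
StrictModes yes'

# Constructed sshd_config fragment with one weak and two unset directives.
SSHD_SAMPLE='# constructed sample, not a real server config
Port 22
PasswordAuthentication yes
PermitRootLogin no
#HostbasedAuthentication no
StrictModes yes'

# Compare a config text against SSHD_REQUIRED. Directive names are
# case-insensitive, and sshd honours the first occurrence of a directive, so
# only the first active (uncommented) match is used. A commented-out line
# leaves the directive at its compiled-in default and is reported as MISSING.
audit_sshd_config() {
    cfg=$1
    printf '%s\n' "$SSHD_REQUIRED" | while read -r key want; do
        have=$(printf '%s\n' "$cfg" |
            awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $want)"
        elif [ "$have" = "$want" ]; then
            echo "OK $key $have"
        else
            echo "WRONG $key $have (want $want)"
        fi
    done
}

# With --live, audit this host (root is needed for netstat -p and to read
# sshd_config); otherwise demonstrate on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    wildcard_listeners "$(netstat -tulpn 2>/dev/null)"
    audit_sshd_config "$(cat /etc/ssh/sshd_config)"
else
    wildcard_listeners "$NETSTAT_SAMPLE"
    audit_sshd_config "$SSHD_SAMPLE"
fi
```

On the sample data the listener check reports sshd, rpcbind and dhclient as reachable from the network, and the sshd audit reports PasswordAuthentication as WRONG and the two directives that are absent or commented out as MISSING. After changing sshd_config, remember that sshd must be reloaded for the new values to take effect.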

Configuring mounts, file permissions, and ownerships


Some simple steps can help protect data and the integrity of the installed Oracle Linux operating system. First, use
separate disk partitions for operating system and user data (that is, separate partitions for /home, /tmp,
/var/tmp, /oracle, and so on). This strategy can prevent a "file system full" issue from impacting operations.
Establishing disk quotas can also prevent a user from accidentally or intentionally filling up a file system.

To prevent the operating system files and utilities from being altered if a breach occurs, mount the /usr file system
as read-only. When it's time to update operating system RPMs, simply remount /usr as read/write using the -o
remount,rw option (remount allows you to change mount flags without taking down the system). After performing
the update, don't forget to switch back to read-only mode.

To limit user access on certain non-root local file systems (such as /tmp or removable storage partitions), set the
noexec, nosuid, and nodev mount options. The noexec option prevents the execution of binaries (but not scripts),
nosuid prevents the setuid bit from taking effect, and nodev prevents the use of device files.
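The mount policy in this section is easy to drift from (a rebuilt /tmp, a new disk), so it is worth checking mechanically. The following is an added example, not code from the original article: it compares a /proc/mounts-style table against the options recommended above, using a constructed table inline so it runs offline, and wraps the read-only /usr update procedure so that /usr is remounted read-only even if the update command fails.

```shell
#!/bin/sh
# Added example, not from the original article: checks the mount options
# recommended above against a /proc/mounts-style table, and wraps the
# read-only /usr update procedure so the file system is never left writable.

# Constructed /proc/mounts-style table (not from a real host). Fields:
# device, mount point, type, options, dump, pass.
MOUNTS_SAMPLE='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,noexec 0 0'

# Policy from the article: mount point and the options that must be present.
MOUNT_POLICY='/usr ro
/tmp noexec,nosuid,nodev
/var/tmp noexec,nosuid,nodev
/home nosuid,nodev'

# For each policy line print "OK <mp>", "MISSING <mp> <opts>" or
# "NOMOUNT <mp>" when the path is not a separate file system at all (it then
# inherits its parent's options and cannot be restricted on its own).
check_mounts() {
    mounts=$1
    printf '%s\n' "$MOUNT_POLICY" | while read -r mp want; do
        have=$(printf '%s\n' "$mounts" | awk -v m="$mp" '$2 == m { print $4; exit }')
        if [ -z "$have" ]; then
            echo "NOMOUNT $mp"
            continue
        fi
        missing=""
        for opt in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$have," in
                *",$opt,"*) ;;                    # option present
                *) missing="$missing$opt," ;;
            esac
        done
        if [ -z "$missing" ]; then
            echo "OK $mp"
        else
            echo "MISSING $mp ${missing%,}"
        fi
    done
}

# Run one update command (e.g. a package update) with /usr temporarily
# writable, then remount it read-only again even if the command fails.
# Needs root; never called by the demonstration below.
with_writable_usr() {
    mount -o remount,rw /usr || return 1
    trap 'mount -o remount,ro /usr' EXIT
    "$@"
    status=$?
    mount -o remount,ro /usr
    trap - EXIT
    return $status
}

if [ "${1:-}" = "--live" ]; then
    check_mounts "$(cat /proc/mounts)"
else
    check_mounts "$MOUNTS_SAMPLE"
fi
```

On the sample table the check reports /usr as still writable, /tmp as lacking noexec, /var/tmp as not being a separate file system, and /home as compliant. A typical use of the wrapper is `with_writable_usr yum update`, which leaves /usr read-only whether or not the update succeeds.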

Managing users and authentication


When you install software that creates a default user account and password, be sure to change the vendor's
default password immediately. A centralized user authentication method (such as OpenLDAP or other LDAP
implementations) can help to simplify user authentication and management tasks, which might help to lower the
risk of unused accounts or accounts with null passwords.

To tell exactly who has performed a privileged administrative action, set up the system so it is not possible to log in
directly as root. Instead, all administrators should log in to the system first as a named user and then use the su or
sudo commands to perform tasks as root. To prevent users from logging in as root directly, edit the /etc/passwd
file, changing the shell from /bin/bash to /sbin/nologin. Modify the /etc/sudoers file using visudo to grant specific
users authority to perform administrative tasks.
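The account hygiene described above (no direct root logins, no unused or null-password accounts, administration through su or sudo) can be checked from /etc/passwd and /etc/shadow. The following is an added example, not code from the original article: it runs the checks against constructed passwd and shadow text (the hashes are placeholders and the "toor" account is planted to exercise the UID-0 check); with --live, as root, it reads the real files.

```shell
#!/bin/sh
# Added example, not from the original article: account checks for the
# practices described above, run against constructed passwd/shadow text so
# it works offline (use --live, as root, to read the real files).

# Constructed /etc/passwd sample. "toor" is a second UID-0 account planted
# to show the check.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:backup root:/root:/bin/bash
oracle:x:500:500:Oracle owner:/home/oracle:/bin/bash
appsvc:x:501:501:app service:/opt/app:/bin/bash
backup:x:502:502:backup:/var/backup:/bin/bash'

# Constructed /etc/shadow sample; the hashes are placeholders, not real.
SHADOW_SAMPLE='root:$6$PLACEHOLDER$hash:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
toor:$6$PLACEHOLDER$hash:15000:0:99999:7:::
oracle:$6$PLACEHOLDER$hash:15000:0:99999:7:::
appsvc::15000:0:99999:7:::
backup:!!:15000:0:99999:7:::'

# Login shell of root; direct root logins are blocked only when this is
# /sbin/nologin (or /bin/false).
root_shell() {
    printf '%s\n' "$1" | awk -F: '$1 == "root" { print $7; exit }'
}

# Accounts other than root with UID 0: each one is an unaudited root login.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Accounts whose shadow password field is empty: login needs no password.
# Locked ("!" / "!!") and disabled ("*") fields are not empty and are not
# reported; they are the safe states for service accounts.
null_password_accounts() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Apply the article's root-shell change with usermod instead of hand-editing
# /etc/passwd (same result, with file locking). Root only; not called below.
set_root_nologin() {
    usermod -s /sbin/nologin root
}

# A sudoers line granting one named user full administrative rights, to be
# added with visudo (constructed example):
#     oracle ALL=(ALL) ALL

if [ "${1:-}" = "--live" ]; then
    p=$(cat /etc/passwd); s=$(cat /etc/shadow)
else
    p=$PASSWD_SAMPLE; s=$SHADOW_SAMPLE
fi
echo "root shell: $(root_shell "$p")"
echo "extra UID-0 accounts: $(extra_uid0_accounts "$p")"
echo "accounts with empty password: $(null_password_accounts "$s")"
```

On the sample data the script reports that root still has an interactive shell, that "toor" is a second UID-0 account, and that "appsvc" has an empty password. Note that once root's shell is /sbin/nologin, a plain `su` is refused too ("This account is currently not available"); administrators then use `sudo`, or `su -s /bin/bash`, both of which leave the named-user audit trail this section is after.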

Additional security features and tools


. Enable SELinux (check its state with sestatus)
# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted

. Linux Containers and Control Groups

Available in Oracle Linux 6 with the Unbreakable Enterprise Kernel, Linux Containers (LXC) provide a way to isolate a group of processes from others on a running Oracle Linux system. Linux Containers are a lightweight operating system virtualization technology built on Linux resource management control group (cgroup) capabilities and resource isolation that is implemented through namespaces.

. Kernel Security Mechanisms
The Linux kernel features additional security mechanisms:

- Address Space Layout Randomization (ASLR). By randomly arranging the placement of the base, libraries, heap, and stack in a process's address space, ASLR makes it difficult to predict the memory address of the next instruction. This technique, built into the Linux kernel and controlled by the parameter /proc/sys/kernel/randomize_va_space, can thwart certain types of buffer overflow attacks. (Make sure that this kernel setting is compatible with your application stack.)
- Data Execution Prevention (DEP). Implemented in the Linux operating system, DEP prevents an application or service from executing code from a non-executable memory region. Hardware-enforced DEP works in conjunction with the NX (Never Execute) bit on compatible CPUs.
- Position Independent Executables (PIE). The kernel supports PIE technology, which means that executable binaries can be loaded at random memory addresses. To generate binaries that are position-independent, the compiler and linker require specific arguments.

. Compiler Protection
The gcc compiler provides several buffer overflow protections. Setting the FORTIFY_SOURCE option causes the compiler to issue a warning when it detects a defect such as a potential buffer overflow. The compiler also includes Stack-Smashing Protection, in which the compiler places a stack canary (a known value) before the saved return address to discover whether the stack has been "smashed." Like a canary in a coal mine (used to detect air quality problems), a stack canary detects a stack buffer overflow. The canary value is checked before the function returns, and if it is invalid, then it is likely that malicious code has overwritten the canary value as well as the return address.
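Whether a deployed binary actually carries the PIE and compiler protections from the two sections above is something an administrator can verify without the build tree. The following is an added example, not code from the original article: it reads the ELF header to tell a PIE from a fixed-address executable, looks for the symbols that stack protection and FORTIFY_SOURCE leave behind, and reports the current ASLR setting. It assumes a little-endian ELF (x86 or x86-64) and uses only od and grep; the gcc flags named in the comments are the standard ones for these features.

```shell
#!/bin/sh
# Added example, not from the original article: inspect a built binary for
# the kernel and compiler protections described above, using only od and
# grep so it runs anywhere. Assumes a little-endian ELF (x86 / x86-64).
# gcc flags that produce the properties being checked: -fPIE -pie for PIE,
# -fstack-protector (or -fstack-protector-strong) for canaries, and
# -O2 -D_FORTIFY_SOURCE=2 for fortified libc calls.

# Read one unsigned byte at OFFSET ($2) from FILE ($1).
byte_at() {
    od -An -tu1 -j"$2" -N1 "$1" | tr -d ' \n'
}

# Classify an ELF file by e_type (16-bit field at offset 16): ET_EXEC (2) is
# a fixed-address executable, ET_DYN (3) is a PIE (or a shared object),
# anything else is OTHER. Input without the ELF magic gives NOT-ELF.
elf_exec_type() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo "NOT-ELF"; return 0; }
    # EI_DATA (byte 5) must be 1 = little-endian for the single-byte read
    [ "$(byte_at "$f" 5)" = "1" ] || { echo "OTHER"; return 0; }
    case "$(byte_at "$f" 16)" in
        2) echo "EXEC" ;;
        3) echo "PIE" ;;
        *) echo "OTHER" ;;
    esac
}

# A canary-protected binary references __stack_chk_fail, the libc routine
# called when the canary check before return fails. Exit 0 if present.
has_stack_protector() {
    grep -q '__stack_chk_fail' "$1"
}

# FORTIFY_SOURCE rewrites unsafe calls to checked variants named *_chk.
# The list is a partial sample of common ones; exit 0 if any is present.
has_fortify() {
    grep -q -E '__(memcpy|memmove|memset|strcpy|strncpy|strcat|sprintf|snprintf|printf|fprintf|read|fgets)_chk' "$1"
}

# Current ASLR setting: 0 = off, 1 = stack, mmap and vdso randomised,
# 2 = heap (brk) as well. Prints "unavailable" outside Linux.
aslr_level() {
    f=/proc/sys/kernel/randomize_va_space
    if [ -r "$f" ]; then cat "$f"; else echo unavailable; fi
}

# Summarise a binary as "type canary fortify" (canary/fortify: yes/no).
hardening_report() {
    t=$(elf_exec_type "$1")
    c=no; has_stack_protector "$1" && c=yes
    r=no; has_fortify "$1" && r=yes
    echo "$t $c $r"
}

# Usage: sh elfcheck.sh /usr/sbin/sshd /usr/bin/ssh ...
if [ $# -gt 0 ]; then
    echo "ASLR level: $(aslr_level)"
    for b in "$@"; do echo "$b: $(hardening_report "$b")"; done
fi
```

A report of "EXEC no no" for a network-facing daemon means ASLR cannot relocate its main image and nothing guards its stack frames, which is exactly the combination the kernel and compiler features above are meant to rule out. The symbol checks are heuristics (a stripped static binary may hide them), so treat "no" as a prompt to check the build flags rather than as proof.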

. Cryptography

Data encryption can help to protect both data at rest as well as data in motion. Data at rest—such as data on
media and storage devices—can be at risk because of theft or device loss. Data in motion—such as data
transmitted over the local area networks and the internet—can be intercepted or altered, so encrypting
transmitted data provides protection.
