You can choose to apply optional security hardening of the OS during the deployment of a FlashGrid Cluster. The hardening is done using the SCAP Security Guide profiles maintained by Red Hat. Currently, the following hardening profiles are supported by FlashGrid:
- CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
- CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
Note that the same profiles can be applied to Oracle Linux as well. The profiles are tailored and tested by FlashGrid to make them compatible with FlashGrid and Oracle requirements.
Hardening reports are generated during the deployment process and can be referenced for audit purposes.
Usage
The following entry must be added to the FlashGrid cluster configuration file prior to launching a new cluster:
[nodes]
hardening = 'cis_server_l1'
During the deployment & setup process, the hardening script will be applied twice:
- To the base operating system image immediately after launch.
- At the end of deployment, after installing and configuring FlashGrid and Oracle software.
Limit Users' SSH Access (Optional, Azure/AWS only)
To pass the "Limit Users' SSH Access" hardening check, you may choose to restrict SSH connections to a limited set of users by adding the following additional parameter to the cluster configuration file:
[nodes]
hardening = 'cis_server_l1'
add_ssh_users_to_allowusers = True
Note: If you create new OS users after deploying the cluster, those new users will be blocked from SSH access until you also add them to the AllowUsers list in /etc/ssh/sshd_config.
Note: this option is not available for Google Cloud.
Audit Reports
Audit reports are generated and saved to the /opt/hardening/reports folder on each server. Following a cluster deployment you will find six reports: three for each of the first and second applications of the hardening script:
- timestamp-cis_server_l1_fg_before_hardening.html - generated before the hardening script is applied; reports against the FlashGrid-tailored hardening profile. This report is expected to show a large number of failed items, which the hardening script then remediates.
- timestamp-cis_server_l1_fg.html - generated after the hardening script is applied; reports against the FlashGrid-tailored hardening profile. This report is expected to have no failed items (except for 'Limit Users' SSH Access', and the items related to /tmp and /home if those are not on separate partitions).
- timestamp-cis_server_l1.html - generated after the hardening script is applied; reports against the full (non-tailored) profile. This report is expected to have some failed items; see the list of exceptions below.
Exceptions
The FlashGrid-tailored hardening profiles skip some hardening items that are known to be incompatible with Oracle or FlashGrid software. The table below lists the items that are expected to show as failed on the final benchmark report (i.e. timestamp-cis_server_l1.html), with an explanation and the recommended action for each.
Severity | Rule | FlashGrid Recommended Action
--- | --- | ---
low | Ensure /tmp Located On Separate Partition | Ignore. Not supported. Also no benefit, because stricter mount point permissions are not supported by Oracle
medium | Limit Password Reuse: password-auth | Ignore. No passwords are configured and password authentication is disabled in /etc/ssh/sshd_config
medium | Limit Password Reuse: system-auth | Ignore. No passwords are configured and password authentication is disabled in /etc/ssh/sshd_config
medium | Modify the System Login Banner | Customer can set the login banner as required
medium | Modify the System Login Banner for Remote Connections | Customer can set the login banner as required
medium | Modify the System Message of the Day Banner | Customer can set the login banner as required
medium | Ensure PAM Enforces Password Requirements - Authentication Retry Prompts Permitted Per-Session | Ignore - no password is configured for any user
medium | Ensure all users last password change date is in the past | Ignore - no password is configured for any user
medium | Ensure Authentication Required for Single User Mode | Ignore - no password is configured for the root user
medium | All Interactive User Home Directories Must Be Group-Owned By The Primary Group | Ignore - the oracle and grid user home directories have oinstall as the primary group
high | Set the UEFI Boot Loader Password | Customer can set if required (we advise against this because it makes recovery through the serial console harder)
medium | Verify /boot/grub2/grub.cfg Permissions | Customer can set if required
high | Set Boot Loader Password in grub2 | Customer can set if required (we advise against this because it makes recovery through the serial console harder)
medium | Install firewalld Package | Ignore - firewalld is incompatible with iptables; use security groups
medium | Verify firewalld Enabled | Ignore - firewalld is not installed; see the note for "Install firewalld Package"
medium | Configure Firewalld to Restrict Loopback Traffic | Ignore - firewalld is not installed; see the note for "Install firewalld Package"
medium | Configure Firewalld to Trust Loopback Traffic | Ignore - firewalld is not installed; see the note for "Install firewalld Package"
medium | Set Default firewalld Zone for Incoming Packets | Ignore - firewalld is not installed; see the note for "Install firewalld Package"
medium | Ensure No World-Writable Files Exist | Ignore - the failing files are generated during OraChk execution
low | Disable Mounting of udf | Ignore - Azure requirement
low | Add nodev Option to /dev/shm | Ignore - Oracle requirement
low | Add noexec Option to /dev/shm | Ignore - Oracle requirement
low | Add nosuid Option to /dev/shm | Ignore - Oracle requirement
unknown | Add nodev Option to /home | Ignore - /home is not a separately mounted partition
medium | Add nodev Option to /tmp | Ignore - /tmp is not a separate partition
medium | Add noexec Option to /tmp | Ignore - incompatible with Oracle patching/installation
medium | Add nosuid Option to /tmp | Ignore - /tmp is not a separate partition
medium | Add nodev Option to /var/tmp | Ignore - /var/tmp is not a separate partition
medium | Add noexec Option to /var/tmp | Ignore - /var/tmp is not a separate partition
medium | Add nosuid Option to /var/tmp | Ignore - /var/tmp is not a separate partition
medium | Ensure SELinux State is Enforcing | Ignore - not supported for reliability reasons
medium | Ensure No Daemons are Unconfined by SELinux | Ignore - SELinux is disabled
low | Uninstall dnsmasq Package | Ignore - the dnsmasq package is required
medium | A remote time server for Chrony is configured | Ignore - time synchronisation is configured with the Azure-provided clock source
medium | Enable SSH Warning Banner | Manually remediate if necessary
unknown | Limit Users' SSH Access | Expected to fail unless add_ssh_users_to_allowusers = True is set (Azure/AWS only); see "Limit Users' SSH Access" above
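The following script, added here as an example and not part of FlashGrid's tooling, ties the audit-report naming scheme and the exception table together: it classifies the six report files by timestamp, profile and stage, pulls the failed rule titles out of a final timestamp-cis_server_l1.html report, and lists only the failures the exception table does not excuse. It assumes the OpenSCAP HTML report layout (rule title as link text in the row, result cell with a rule-result-fail class) and uses a constructed sample report; the exception set is a subset of the table above.

```python
"""Check a final FlashGrid hardening report against the documented exception
list. Added example, not FlashGrid's tooling. Assumes, as OpenSCAP HTML
reports do, that each rule's table row holds its title as link text and a
result cell whose class contains 'rule-result-fail'; confirm this against
your own report before relying on it."""
import html
import re

# Titles the Exceptions table lists as expected failures on
# timestamp-cis_server_l1.html (subset; extend from the full table).
EXPECTED_FAILURES = {"Ensure /tmp Located On Separate Partition",
                     "Install firewalld Package", "Verify firewalld Enabled",
                     "Ensure SELinux State is Enforcing", "Limit Users' SSH Access"}
# Report file naming scheme from the Audit Reports section.
REPORT_NAME = re.compile(
    r"^(?P<ts>.+?)-cis_server_l1(?P<fg>_fg)?(?P<before>_before_hardening)?\.html$")
ROW = re.compile(r"<tr\b[^>]*>(.*?)</tr>", re.S)
TITLE = re.compile(r"<a\b[^>]*>(.*?)</a>", re.S)

def classify_report(filename):
    """Return (timestamp, profile, stage) for one of the three report names, else None."""
    m = REPORT_NAME.match(filename)
    if not m:
        return None
    return (m.group("ts"), "tailored" if m.group("fg") else "full",
            "before" if m.group("before") else "after")

def failed_rules(report_html):
    """Titles of rule rows whose result cell carries the rule-result-fail class."""
    failed = []
    for row in ROW.findall(report_html):
        title = TITLE.search(row)
        if "rule-result-fail" in row and title:
            failed.append(html.unescape(title.group(1)).strip())
    return failed

def unexpected_failures(report_html, allow_users_set=False):
    """Failures not excused by the exception list. With add_ssh_users_to_allowusers
    set, 'Limit Users' SSH Access' should pass, so it is no longer excused."""
    excused = set(EXPECTED_FAILURES)
    if allow_users_set:
        excused.discard("Limit Users' SSH Access")
    return [r for r in failed_rules(report_html) if r not in excused]

# Constructed sample in the assumed report layout, not a real report.
SAMPLE_REPORT = """<table>
<tr><td><a href="#r1">Install firewalld Package</a></td><td class="rule-result rule-result-fail">fail</td></tr>
<tr><td><a href="#r2">Ensure SELinux State is Enforcing</a></td><td class="rule-result rule-result-pass">pass</td></tr>
<tr><td><a href="#r3">Limit Users&#39; SSH Access</a></td><td class="rule-result rule-result-fail">fail</td></tr>
<tr><td><a href="#r4">Disable SSH Root Login</a></td><td class="rule-result rule-result-fail">fail</td></tr>
</table>"""
```

Run unexpected_failures() over the newest full-profile report on each node; anything it returns is a failure the table does not explain and deserves a look before the report is filed for audit.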