You can choose to apply optional security hardening of the OS during deployment of a FlashGrid Cluster. The hardening is done using the SCAP Security Guide profiles maintained by Red Hat. Currently, the following hardening profiles are supported by FlashGrid:
- CIS Red Hat Enterprise Linux 8 Benchmark for Level 1 - Server
- CIS Red Hat Enterprise Linux 7 Benchmark for Level 1 - Server
Note that the same profiles can be applied to Oracle Linux as well. The profiles are tailored and tested by FlashGrid to make them compatible with FlashGrid and Oracle requirements.
Hardening reports are generated during the deployment process and can be referenced for audit purposes.
The following entry must be added to the FlashGrid cluster configuration file prior to launching a new cluster:
hardening = 'cis_server_l1'
During the deployment & setup process, the hardening script will be applied twice:
- To the base operating system image immediately after launch.
- At the end of deployment after installing and configuring FlashGrid and Oracle software.
Audit reports are generated and saved to the /opt/hardening/reports folder on each server. You will find six reports following a cluster deployment - three reports each for the first & second application of the hardening script:
- timestamp-cis_server_l1_fg_before_hardening.html - this is generated prior to the application of the hardening script, and reports against the FlashGrid-tailored hardening profile. This report is expected to show a large number of failed items that will be remediated by the hardening script.
- timestamp-cis_server_l1_fg.html - this is generated after the application of the hardening script, and reports against the FlashGrid-tailored hardening profile. This report is expected to have no failed items.
- timestamp-cis_server_l1.html - this is generated after the application of the hardening script, and reports against the full (non-tailored) profile. This report is expected to have some failed items - see the list of exceptions below.
The FlashGrid-tailored hardening profiles skip some of the hardening items that are known to be incompatible with Oracle or FlashGrid software. Below are explanations of the items that are expected to show as failed on the final benchmark report (i.e., timestamp-cis_server_l1.html).
| Severity | Rule | FlashGrid Recommended Action |
|---|---|---|
| low | Ensure /tmp Located On Separate Partition | Ignore. Not supported. Also, no benefit because stricter mount point permissions are not supported by Oracle. |
| medium | Password Reuse: password-auth | Ignore. No passwords configured and password authentication disabled in /etc/ssh/sshd_config |
| medium | Limit Password Reuse: system-auth | Ignore. No passwords configured and password authentication disabled in /etc/ssh/sshd_config |
| medium | Modify the System Login Banner | Customer to set login banner as required |
| medium | Modify the System Message of the Day Banner | Customer to set login banner as required |
| high | Set the UEFI Boot Loader Password | Customer can set if required (we advise against doing this because it will make it harder to do recovery through the serial console) |
| medium | Install firewalld Package | Ignore - firewalld is incompatible with iptables; use security groups |
| medium | Verify firewalld Enabled | Ignore - firewalld not installed; refer to the note for "Install firewalld Package" |
| medium | Set Default firewalld Zone for Incoming Packets | Ignore - firewalld not installed; refer to the note for "Install firewalld Package" |
| medium | Ensure No World-Writable Files Exist | Ignore - the failing files are generated during OraChk execution. |
| low | Disable Mounting of udf | Ignore - Azure requirement |
| low | Add nodev Option to /dev/shm | Ignore - Oracle requirement |
| low | Add noexec Option to /dev/shm | Ignore - Oracle requirement |
| low | Add nosuid Option to /dev/shm | Ignore - Oracle requirement |
| unknown | Add nodev Option to /home | Ignore - /home is not a separately mounted partition |
| medium | Add nodev Option to /tmp | Ignore - /tmp is not a separate partition. |
| medium | Add noexec Option to /tmp | Ignore - incompatible with Oracle patching/installation. |
| medium | Add nosuid Option to /tmp | Ignore - /tmp is not a separate partition. |
| medium | Add nodev Option to /var/tmp | Ignore - /var/tmp is not a separate partition. |
| medium | Add noexec Option to /var/tmp | Ignore - /var/tmp is not a separate partition. |
| medium | Add nosuid Option to /var/tmp | Ignore - /var/tmp is not a separate partition. |
| medium | Ensure SELinux State is Enforcing | Ignore - not supported for reliability reasons |
| medium | A remote time server for Chrony is configured | Ignore - time synchronisation is configured with the Azure-provided clock source |
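For audit purposes it is useful to confirm mechanically that the final full-profile report fails only on the documented exceptions above. The following is an added example, not FlashGrid's own tooling; it assumes that an XCCDF results XML (as written by `oscap xccdf eval --results`) is available next to the HTML reports, which the page does not state, and that EXPECTED_FAILURES is populated from the full Rule column of the table (only a few entries are listed here).

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"

# Rule titles the page documents as expected failures on the final
# (non-tailored) cis_server_l1 report. Populate with the full Rule column
# of the table above; only a few entries are shown here.
EXPECTED_FAILURES = {
    "Ensure /tmp Located On Separate Partition",
    "Ensure SELinux State is Enforcing",
    "Install firewalld Package",
    "Add noexec Option to /tmp",
}


def failed_rule_titles(xml_text):
    """Titles of every rule whose <rule-result> is 'fail' in an XCCDF results document."""
    root = ET.fromstring(xml_text)
    # Map rule id -> human-readable title (falls back to the id if no title is present).
    titles = {r.get("id"): r.findtext(XCCDF + "title", default=r.get("id"))
              for r in root.iter(XCCDF + "Rule")}
    failed = set()
    for rr in root.iter(XCCDF + "rule-result"):
        if rr.findtext(XCCDF + "result") == "fail":
            failed.add(titles.get(rr.get("idref"), rr.get("idref")))
    return failed


def unexpected_failures(xml_text, expected=EXPECTED_FAILURES):
    """Failed rules that the documented exception list does not account for."""
    return failed_rule_titles(xml_text) - expected


# Constructed sample results: two documented exceptions plus one failure
# ("Disable SSH Root Login") that the exception list does not cover.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="bench">
  <Rule id="r_tmp"><title>Ensure /tmp Located On Separate Partition</title></Rule>
  <Rule id="r_selinux"><title>Ensure SELinux State is Enforcing</title></Rule>
  <Rule id="r_root"><title>Disable SSH Root Login</title></Rule>
  <TestResult id="result">
    <rule-result idref="r_tmp"><result>fail</result></rule-result>
    <rule-result idref="r_selinux"><result>fail</result></rule-result>
    <rule-result idref="r_root"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>"""

if __name__ == "__main__":
    for title in sorted(unexpected_failures(SAMPLE)):
        print("UNEXPECTED FAIL:", title)
```

Run it against the real results file by replacing SAMPLE with the file contents; an empty result means the server matches the documented baseline.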