Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-71-1461102.1
Update Date:2012-07-13

Solution Type  Technical Instruction Sure

Solution  1461102.1 :   STIG Implementation Script for Oracle Database Appliance  


Related Items
  • Oracle Database Appliance
  • Oracle Appliance Kit
Related Categories
  • PLA-Support>Database Technology>Engineered Systems>Oracle Database Appliance>DB: ODA_EST
  • .Old GCS Categories>ST>Server>Engineered Systems>Oracle Database Appliance>OAK - Appliance Toolkit


Placeholder Note for STIG -- Security Technical Implementation Guidelines --- Version 1.0

Applies to:

Oracle Database Appliance - Version: Not Applicable to Not Applicable
Oracle Appliance Kit - Version: 2.2.0.0 to 2.2.0.0
Linux x86-64

Goal


The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DoD IA and IA-enabled devices/systems. This note contains an attached script that can be used to apply those guidelines on Oracle Database Appliance.

The goal of this document is to help automate the implementation of the security guidelines on Oracle Database Appliance.

For more information, please contact [email protected]

Solution

  • Supported OAK releases
    The stig script is only supported on OAK release 2.2 and higher. Hint: use "oakcli show version" to check the OAK version.
  • Check the version of the script to ensure it is the latest one available.
    stig.sh -version
    [INFO]: stig script version : 1.0
  • Ensure the cksum matches, to confirm the script has not been modified.
    # cksum stig.sh
    1501438940 56111 stig.sh

Usage 

  • Download the script and execute it as root. Sample usage scenarios are documented below.
  • The script logs its actions in the "/opt/oracle/oak/log/<hostname>/stig/" directory (the -check sample below shows this as /opt/oracle/oak/log/rac04box1/stig/).
  • The -check option checks the system for any violation of the guidelines.
  • The -force option re-runs the script even if there are no violations.
  • The -fix option implements the guidelines.
  • The lock and unlock options (-disable and -enable in the usage below) disable or enable direct ssh login as root. Direct ssh login as root is required for patching, so the unlock (-enable) must be executed before patching.

Sample usage

#./stig.sh -h

Usage:

      ./stig.sh arg1 arg2
      arg1: -h | -? | -help| -check | -fix | -enable | -disable
      arg2: -force
      arguments info:
      -? | -h | -help : Display informative help message on the stig script
      -enable         : Enable direct ssh root login on system
      -disable        : Disable direct ssh root login on system
      -check          : Check and list presence of stig violations on system
      -fix            : Fix stig violations reported by check option on system
      -force          : Enables rerunning of script even if it had already ran
                        on the system. This option can be used only with fix
                        option
./stig.sh -check

2012-06-15 10:14:20 : Running stig script version: '1.0'
2012-06-15 10:14:20 : Executing script : ./stig.sh -check
2012-06-15 10:14:20 : Checking for stig violations on system 'rac04box1'
2012-06-15 10:14:20 : Below details can be also found in log file: /opt/oracle/oak/log/rac04box1/stig/check-2012-06-15-10:14:20.log
2012-06-15 10:14:20 : List of Category-1 stig violation found by script

2012-06-15 10:14:20 : [STIG ID : LNX00140]    : [CHECK] : password for GRUB not enabled                                : FOUND
2012-06-15 10:14:20 : [STIG ID : GEN004640]   : [CHECK] : decode is not commented in /etc/aliases                      : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00320]    : [CHECK] : Privilege ACCOUNT_NAME shutdown is present                   : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00320]    : [CHECK] : Privilege ACCOUNT_NAME halt is present                       : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00580]    : [CHECK] : Ctrl-Alt-Del combination to shutdown system is enabled       : FOUND
2012-06-15 10:14:20 : [STIG ID : 2006-T-0013] : [CHECK] : RealVNC rpm is installed on system                           : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00040]    : [CHECK] : Support for usb device found in kernel                       : FOUND

2012-06-15 10:14:20 : List of Category-2 stig violation found by script

2012-06-15 10:14:20 : [STIG ID : GEN000020]   : [CHECK] : Single user mode boot is enabled without a password          : FOUND
2012-06-15 10:14:20 : [STIG ID : GEN000340]   : [CHECK] : Non privileged account oprofile found on system              : FOUND
...
...
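As an added example, not part of this note or of stig.sh itself, the following POSIX shell helpers do two things a practitioner wants around the steps above: verify the published cksum of stig.sh before it is executed, and summarise the output of a -check run per category and by STIG ID. The function names (verify_cksum, summarize_check_log, stig_ids_in_log, make_sample_log) are chosen here, and the sample log lines are constructed from the -check output shown above.

```shell
# Added example, not part of the Oracle note or of stig.sh: checksum
# verification before running the script, plus a summary of -check output.

# Checksum and byte count published in the note for stig.sh version 1.0.
EXPECTED_CKSUM="1501438940 56111"

# verify_cksum FILE EXPECTED: succeed only if "cksum FILE" reports the
# expected "<crc> <bytes>" pair; a mismatch means the file was modified.
verify_cksum() {
    actual=$(cksum "$1" | awk '{print $1 " " $2}')
    [ "$actual" = "$2" ]
}
verify_stig_checksum() { verify_cksum "$1" "$EXPECTED_CKSUM"; }

# summarize_check_log FILE: print "<category> <count>" per
# "List of Category-N stig violation" section, counting lines ending in FOUND.
summarize_check_log() {
    awk '
        /List of Category-[0-9]+ stig violation/ {
            match($0, /Category-[0-9]+/)
            cat = substr($0, RSTART + 9, RLENGTH - 9)   # text after "Category-"
            count[cat] += 0
        }
        /\[CHECK\].*: FOUND[[:space:]]*$/ { count[cat]++ }
        END { for (c in count) print c, count[c] }
    ' "$1" | sort -n
}

# stig_ids_in_log FILE: distinct STIG IDs reported as FOUND, sorted.
stig_ids_in_log() {
    sed -n 's/.*\[STIG ID : \([^]]*\)].*: FOUND[[:space:]]*$/\1/p' "$1" | sort -u
}

# make_sample_log FILE: constructed sample, abridged from the -check output
# shown in the note (three Category-1 and two Category-2 findings).
make_sample_log() {
    cat > "$1" <<'EOF'
2012-06-15 10:14:20 : List of Category-1 stig violation found by script

2012-06-15 10:14:20 : [STIG ID : LNX00140]    : [CHECK] : password for GRUB not enabled              : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00320]    : [CHECK] : Privilege ACCOUNT_NAME shutdown is present : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00320]    : [CHECK] : Privilege ACCOUNT_NAME halt is present     : FOUND

2012-06-15 10:14:20 : List of Category-2 stig violation found by script

2012-06-15 10:14:20 : [STIG ID : GEN000020]   : [CHECK] : Single user mode boot is enabled without a password : FOUND
2012-06-15 10:14:20 : [STIG ID : GEN000340]   : [CHECK] : Non privileged account oprofile found on system     : FOUND
EOF
}
```

Run verify_stig_checksum stig.sh before ./stig.sh -check, and feed the check-*.log file it writes to summarize_check_log and stig_ids_in_log.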
# ./stig.sh -fix

*** Following is the list of stig violation fixed by script. ***
*** Below details can be found in log file: /opt/oracle/oak/log/stig/fix.log.06.06.12.00.20.30

*** Category : 1 ***

 STIG-ID      : Filename             : Message                  : Status
 -----------    ---------------        --------------             ---------

 LNX00140     : /boot/grub/menu.lst  : Enable password for GRUB : SUCCESSFUL
# ./stig.sh -fix -force

*** Following is the list of stig violation fixed by script. ***
*** Below details can be found in log file: /opt/oracle/oak/log/stig/fix.log.06.06.12.02.41.49

*** Category : 1 ***

 STIG-ID      : Filename             : Message                  : Status
 -----------    ---------------        --------------             ---------

 LNX00140     : /boot/grub/menu.lst  : Enable password for GRUB : ALREADY DONE
 ...


References

<NOTE:1456609.1> - Oracle Database Appliance DoD C&A STIG
<NOTE:1450387.1> - Responses to common Oracle Database Appliance security scan findings

Attachments
This solution has no attachment
  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.