Oracle Database Appliance
 
Oracle Appliance Kit
 

PLA-Support>Database Technology>Engineered Systems>Oracle Database Appliance>DB: ODA_EST
 
.Old GCS Categories>ST>Server>Engineered Systems>Oracle Database Appliance>OAK - Appliance Toolkit
 

Placeholder Note for STIG -- Security Technical Implementation Guidelines --- Version 1.0

Applies to:

Goal

*Goal
Enter the goal of the document. What does the customer want to accomplish?

The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DOD IA and IA-enabled devices/systems. This note contains an attached script that can be used to enable the guidelines on Oracle Database Appliance.

The goal of this document is to help automate the implementation of the Security guidelines on Oracle Database Appliance.

Solution

• Supported OAK releases
  
  The stig script is only supported on OAK release 2.2 and higher.    Hint: Use "oakcli show version" to check OAK version
• Check the version of script to ensure it is the latest one available.
  
  stig.sh -version
  [INFO]: stig script version : 1.0
• Ensure Chksum match to ensure script is not modified
  
  #cksum stig.sh
  1501438940 56111 stig.sh
   

Usage 

• Download the script and execute it as root. Sample usage scenarios are documented below
• The script logs its actions in the "/opt/oracle/oak/log//hostname/stig/" directory
• The option -check is used to check the system for any violation of the guidelines
• The option -force  is used to re-run the script even if there are no violations
• The option -fix  is used to implement the guidelines
• The lock and unlock option can be used to enable or disable direct ssh logging as root. Direct ssh login as root is required for Patching and therefore before patching, the unlock needs to be executed.

Sample usage

#./stig.sh -h

Usage:

      ./stig.sh arg1 arg2
      arg1: -h | -? | -help| -check | -fix | -enable | -disable
      arg2: -force
      arguments info:
      -? | -h | -help : Display informative help message on the stig script
      -enable         : Enable direct ssh root login on system
      -disable        : Disable direct ssh root login on system
      -check          : Check and list presence of stig violations on system
      -fix            : Fix stig violations reported by check option on system
      -force          : Enables rerunning of script even if it had already ran
                        on the system. This option can be used only with fix
                        option

./stig.sh -check

2012-06-15 10:14:20 : Running stig script version: '1.0'
2012-06-15 10:14:20 : Executing script : ./stig.sh -check
2012-06-15 10:14:20 : Checking for stig violations on system 'rac04box1'
2012-06-15 10:14:20 : Below details can be also found in log file: /opt/oracle/oak/log/rac04box1/stig/check-2012-06-15-10:14:20.log
2012-06-15 10:14:20 : List of Category-1 stig violation found by script

2012-06-15 10:14:20 : [STIG ID : LNX00140]    : [CHECK] : password for GRUB not enabled                                : FOUND
2012-06-15 10:14:20 : [STIG ID : GEN004640]   : [CHECK] : decode is not commented in /etc/aliases                      : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00320]    : [CHECK] : Privilege ACCOUNT_NAME shutdown is present                   : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00320]    : [CHECK] : Privilege ACCOUNT_NAME halt is present                       : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00580]    : [CHECK] : Ctrl-Alt-Del combination to shutdown system is enabled       : FOUND
2012-06-15 10:14:20 : [STIG ID : 2006-T-0013] : [CHECK] : RealVNC rpm is installed on system                           : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00040]    : [CHECK] : Support for usb device found in kernel                       : FOUND

2012-06-15 10:14:20 : List of Category-2 stig violation found by script

2012-06-15 10:14:20 : [STIG ID : GEN000020]   : [CHECK] : Single user mode boot is enabled without a password          : FOUND
2012-06-15 10:14:20 : [STIG ID : GEN000340]   : [CHECK] : Non privileged account oprofile found on system              : FOUND
...
...

# ./stig.sh -fix

*** Following is the list of stig violation fixed by script. ***
*** Below details can be found in log file: /opt/oracle/oak/log/stig/fix.log.06.06.12.00.20.30

*** Category : 1 ***

 STIG-ID     : Filename                            : Message                                                    : Status     
 -----------    ---------------                        --------------                                                  ---------

LNX00140     : /boot/grub/menu.lst            : Enable password for GRUB                          : SUCCESSFUL

# ./stig.sh -fix -force

*** Following is the list of stig violation fixed by script. ***
*** Below details can be found in log file: /opt/oracle/oak/log/stig/fix.log.06.06.12.02.41.49

*** Category : 1 ***

 STIG-ID     : Filename                            : Message                                                    : Status     
 -----------     ---------------                        --------------                                               ---------

LNX00140    : /boot/grub/menu.lst            : Enable password for GRUB                           : ALREADY DONE
……….

References

This solution has no attachment