STIG Implementation Script for Oracle Database Appliance
Doc ID: 1461102.1
Update Date: 2012-07-13
Solution Type: Technical Instruction
Related Items:
- Oracle Database Appliance
- Oracle Appliance Kit
Placeholder Note for STIG (Security Technical Implementation Guidelines), Version 1.0
Applies to:
Oracle Database Appliance - Version: Not Applicable to Not Applicable
Oracle Appliance Kit - Version: 2.2.0.0 to 2.2.0.0
Linux x86-64
Goal
The Security Technical Implementation Guides (STIGs) and the NSA Guides are the configuration standards for DoD Information Assurance (IA) and IA-enabled devices and systems. This note contains an attached script (stig.sh) that can be used to apply these guidelines on Oracle Database Appliance.
The goal of this document is to help automate the implementation of the security guidelines on Oracle Database Appliance.
Solution
- Supported OAK releases: the STIG script is supported only on OAK release 2.2 and higher. Use "oakcli show version" to check the installed OAK version.
- Check the version of the script to ensure it is the latest one available:
# ./stig.sh -version
[INFO]: stig script version : 1.0
- Verify that the checksum matches, to ensure the script has not been modified:
# cksum stig.sh
1501438940 56111 stig.sh
Usage
- Download the script and execute it as root. Sample usage scenarios are documented below.
- The script logs its actions in the "/opt/oracle/oak/log/<hostname>/stig/" directory.
- The -check option checks the system for any violation of the guidelines.
- The -force option re-runs the script even if there are no violations; it can be used only together with -fix.
- The -fix option implements the guidelines.
- The -disable (lock) and -enable (unlock) options disable or enable direct ssh login as root. Direct ssh login as root is required for patching, so -enable must be run before patching.
Sample usage
# ./stig.sh -h
Usage:
./stig.sh arg1 arg2
arg1: -h | -? | -help| -check | -fix | -enable | -disable
arg2: -force
arguments info:
-? | -h | -help : Display informative help message on the stig script
-enable : Enable direct ssh root login on system
-disable : Disable direct ssh root login on system
-check : Check and list presence of stig violations on system
-fix : Fix stig violations reported by check option on system
-force : Enables rerunning of script even if it had already ran
on the system. This option can be used only with fix
option
# ./stig.sh -check
2012-06-15 10:14:20 : Running stig script version: '1.0'
2012-06-15 10:14:20 : Executing script : ./stig.sh -check
2012-06-15 10:14:20 : Checking for stig violations on system 'rac04box1'
2012-06-15 10:14:20 : Below details can be also found in log file: /opt/oracle/oak/log/rac04box1/stig/check-2012-06-15-10:14:20.log
2012-06-15 10:14:20 : List of Category-1 stig violation found by script
2012-06-15 10:14:20 : [STIG ID : LNX00140] : [CHECK] : password for GRUB not enabled : FOUND
2012-06-15 10:14:20 : [STIG ID : GEN004640] : [CHECK] : decode is not commented in /etc/aliases : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00320] : [CHECK] : Privilege ACCOUNT_NAME shutdown is present : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00320] : [CHECK] : Privilege ACCOUNT_NAME halt is present : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00580] : [CHECK] : Ctrl-Alt-Del combination to shutdown system is enabled : FOUND
2012-06-15 10:14:20 : [STIG ID : 2006-T-0013] : [CHECK] : RealVNC rpm is installed on system : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00040] : [CHECK] : Support for usb device found in kernel : FOUND
2012-06-15 10:14:20 : List of Category-2 stig violation found by script
2012-06-15 10:14:20 : [STIG ID : GEN000020] : [CHECK] : Single user mode boot is enabled without a password : FOUND
2012-06-15 10:14:20 : [STIG ID : GEN000340] : [CHECK] : Non privileged account oprofile found on system : FOUND
...
...
# ./stig.sh -fix
*** Following is the list of stig violation fixed by script. ***
*** Below details can be found in log file: /opt/oracle/oak/log/stig/fix.log.06.06.12.00.20.30
*** Category : 1 ***
STIG-ID : Filename : Message : Status
----------- --------------- -------------- ---------
LNX00140 : /boot/grub/menu.lst : Enable password for GRUB : SUCCESSFUL
# ./stig.sh -fix -force
*** Following is the list of stig violation fixed by script. ***
*** Below details can be found in log file: /opt/oracle/oak/log/stig/fix.log.06.06.12.02.41.49
*** Category : 1 ***
STIG-ID : Filename : Message : Status
----------- --------------- -------------- ---------
LNX00140 : /boot/grub/menu.lst : Enable password for GRUB : ALREADY DONE
...
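As an added example (not part of this note and not code from stig.sh), the following POSIX shell functions verify a downloaded stig.sh against the checksum published above and summarise a -check log by category and STIG ID, using the log line format shown in the sample output; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the Oracle note or of stig.sh itself: verify a
# downloaded stig.sh against the published cksum and summarise a
# "stig.sh -check" log by category. The sample log below is constructed.

# Published "cksum stig.sh" value from the note: <crc> <size> (name omitted).
STIG_EXPECTED_CKSUM="1501438940 56111"

# Succeed (exit 0) only if the file's cksum matches the published value.
verify_stig_cksum() {
    actual=$(cksum "$1" | awk '{print $1, $2}')
    [ "$actual" = "$STIG_EXPECTED_CKSUM" ]
}

# Constructed sample in the format stig.sh -check writes to
# /opt/oracle/oak/log/<hostname>/stig/check-<timestamp>.log.
SAMPLE_CHECK_LOG='2012-06-15 10:14:20 : List of Category-1 stig violation found by script
2012-06-15 10:14:20 : [STIG ID : LNX00140] : [CHECK] : password for GRUB not enabled : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00320] : [CHECK] : Privilege ACCOUNT_NAME shutdown is present : FOUND
2012-06-15 10:14:20 : [STIG ID : LNX00320] : [CHECK] : Privilege ACCOUNT_NAME halt is present : FOUND
2012-06-15 10:14:20 : List of Category-2 stig violation found by script
2012-06-15 10:14:20 : [STIG ID : GEN000020] : [CHECK] : Single user mode boot is enabled without a password : FOUND'

# awk prologue shared below: remember the category from each
# "List of Category-N" header line so later violation lines can be tagged.
AWK_TRACK_CATEGORY='/List of Category-[0-9]+/ { match($0, /Category-[0-9]+/)
    cat = substr($0, RSTART + 9, RLENGTH - 9); next }'

# Read a check log on stdin; print "<category> <count>" of FOUND lines per category.
count_violations_by_category() {
    awk "$AWK_TRACK_CATEGORY"'
        /\[STIG ID : / && / : FOUND$/ { n[cat]++ }
        END { for (c in n) print c, n[c] }' | sort
}

# Read a check log on stdin; print the distinct STIG IDs flagged in category $1.
stig_ids_in_category() {
    awk -v want="$1" "$AWK_TRACK_CATEGORY"'
        cat == want && /\[STIG ID : / && / : FOUND$/ {
            match($0, /\[STIG ID : [A-Za-z0-9-]+\]/)
            print substr($0, RSTART + 11, RLENGTH - 12) }' | sort -u
}

# Demo on the constructed sample; on an appliance, feed the real check log instead.
printf '%s\n' "$SAMPLE_CHECK_LOG" | count_violations_by_category
```

Feeding the real log file (for example with `< /opt/oracle/oak/log/<hostname>/stig/check-<timestamp>.log`) into the two functions gives a quick per-category tally to compare across runs of -check and -fix.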
References
<NOTE:1456609.1> - Oracle Database Appliance DoD C&A STIG
<NOTE:1450387.1> - Responses to common Oracle Database Appliance security scan findings
Attachments
This solution has no attachment