RHB - Oracle Linux 7 For EXADATA Hardening Standard 2.0

Oracle Linux 7

[EXADATA ENGINEERING SYSTEM]


Hardening Standard

DOCUMENT RELEASE CONTROL

Version : 2.0
Viewing Security : Level 2 (Confidential)
Owner : Group IT Security
Creation Date : 05 Jan 2021
Publish Date : 19 Apr 2021
Effective Date : 19 Oct 2021
Document Author : Syasya Qistina Binti Shahzan

Endorsement (Department Head Name) : Josh Woo Chin Wei
RHB BANKING GROUP
Group IT Security Hardening Checklist: EXADATA

SUMMARY OF DOCUMENT CHANGES

Author   Rel.   Date   Revision Descriptions   Page
Somasundram   1.0   05/01/21   New manual   -
Somasundram   1.1   19/04/21   Added Appendix A, B – QA Sign Off, Exception Sign Off
Syasya   2.0   30/11/2022   Review

30 Nov 2022 2
Version 2.0
RHB BANKING GROUP
Group IT Security Hardening Standard: EXADATA

AUDIENCE

This document is intended for all staff of the Bank, in particular those who discharge their roles and
responsibilities as a System Administrator in RHB Banking Group – Group IT Infrastructure Services. Additional
information may be obtained by contacting the personnel listed below. The ‘Effective Date’ gives a grace period
of six months from the ‘Publish Date’ for reviewing existing settings, to ensure they are up to date with the
latest hardening guideline.

DOCUMENT SUPPORT

Name   Department   Support Level   Contact
Syasya Qistina Bt Shahzan   Group IT Security   Primary   syasya.qistina.shahzan@rhbgroup.com
Darren Liew Jen Yang   Group IT Security   Primary   liew.jen.yang@rhbgroup.com
Josh Woo Chin Wei   Group IT Security   Secondary   woo.chin.wei@rhbgroup.com

CONTENTS
SUMMARY OF DOCUMENT CHANGES
AUDIENCE
DOCUMENT SUPPORT
1 OVERVIEW
1.1 Introduction
1.2 Scope
1.3 Reference
2 INITIAL SETUP
2.1 Filesystem Configuration
2.2 Configure Software Updates
2.3 Configuration of Security tools
2.4 Secure Boot Settings
2.5 Additional Process Hardening
2.6 Configure Sudo
2.7 Mandatory Access Control
2.8 Warning Banners
2.9 Services
3 NETWORK SECURITY CONFIGURATION
4 LOGGING AND AUDITING
4.1 Configure Logging
5 ACCESS, AUTHENTICATION AND AUTHORIZATION
5.1 Configure cron
5.2 SSH Server Configuration
5.3 Configure PAM
5.4 User Accounts and Environment
6 SYSTEM MAINTENANCE, FILE PERMISSIONS, USER & GROUP SETTING
6.1 System File Permissions
6.2 User and Group Settings
APPENDIX A
APPENDIX B

1 Overview

1.1 Introduction
This document defines the baseline security requirements that should be applied to Oracle Linux 7
EXADATA.

1.2 Scope
The following is the scope of security configuration for Oracle Linux 7 EXADATA:

a. Initial Setup
b. Services
c. Network Configuration
d. Logging and Auditing
e. Access, Authentication and Authorization
f. System Maintenance

1.3 Reference
“Compliance Level” refers to the assigned criticality level of each configuration setting and the corresponding
deviation requirement. This is necessary as each configuration setting has a different impact on system
security, hence, it would be inappropriate to standardize the deviation requirement across all settings
irrespective of the configuration setting.

Category   Description   Deviation Requirement
Mandatory (M)   Mandatory configuration based on IT Security Policy or Regulatory requirements   Deviation requirement with IT Management or designate to approve
Discretionary (D)   Configuration settings that are based on generally accepted security best practices   To be supported by relevant documentary justification and risk assessment, if necessary.
Optional (O)   Configuration settings that deserve mention but do not have significant security implications.   None

2 Initial Setup
This section describes the required settings for security-related values in Oracle Linux 7 EXADATA.

2.1 Filesystem Configuration

2.1.1 Disable unused filesystems

No Policy Setting Category


2.1.1.1 cramfs filesystems Disabled M
2.1.1.2 FAT filesystems Disabled M
2.1.1.3 squashfs filesystems Disabled M
2.1.1.4 udf filesystems Disabled M

2.1.2 Partition Configuration

No Policy Setting Category


2.1.2.1 separate partition exists for /tmp /tmp M
2.1.2.2 nodev option set on /tmp nodev M
2.1.2.3 separate partition exists for /var /var exists M
2.1.2.4 separate partition exists for /var/log /var/log M
2.1.2.5 separate partition exists for /var/log/audit M
2.1.2.6 separate partition exists for /home /home M
2.1.2.7 nodev option set on /home partition nodev M
2.1.2.8 nodev option set on removable media partitions nodev M
2.1.2.9 nosuid option set on removable media partitions nosuid M
2.1.2.10 noexec option set on removable media partitions noexec M
2.1.2.11 sticky bit is set on all world-writable directories sticky bit M
2.1.2.12 Disable Automounting Disable M
2.1.2.13 Disable USB Storage Disable M

2.2 Configure Software Updates

No Policy Setting Category


2.2.1 gpgcheck is globally activated activate M
2.2.2 GPG keys are configured GPG Key M
2.2.3 Ensure updates, patches, and additional security software are installed Manual Verification M

2.3 Configuration of Security tools

No Policy Setting Category


2.3.1 MasterSAM Agent Installed M
2.3.2 Deep Security Agent Installed M
2.3.3 Splunk Installed M

2.4 Secure Boot Settings

No   Policy   Setting   Category
2.4.1   permissions on bootloader config are configured   # stat /boot/grub2/grub.cfg 600; # stat /boot/grub2/user.cfg 600   M
2.4.2   authentication required for single user mode   # grep /sbin/sulogin /usr/lib/systemd/system/rescue.service   M
        ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"

2.5 Additional Process Hardening

No Policy Setting Category


2.5.1 core dumps are restricted restrict M
2.5.2 XD/NX support is disabled disabled M
2.5.3 address space layout randomization (ASLR) is enabled enable M

2.6 Configure Sudo

No Policy Setting Category


2.6.1 Ensure sudo is installed Installed M
2.6.2 Ensure sudo commands use pty Use pty M
2.6.3 Ensure sudo log file exists Sudo log M

2.7 Mandatory Access Control

No Policy Setting Category


2.6.1 no unconfined daemons exist None exist M
2.6.2 SETroubleshoot is not installed Not Installed M
2.6.3 MCS Translation Service is not installed Not Installed M

2.8 Warning Banners

No   Policy   Setting   Category
2.8.1   local login warning banner is configured   Notice: “This system is a property of RHB Banking Group, Malaysia and is a private system. All access is monitored and logged. Unauthorized use is prohibited and illegal access will be prosecuted to the full extent of the law.”   M
2.8.2   remote login warning banner is configured   Notice: “This system is a property of RHB Banking Group, Malaysia and is a private system. All access is monitored and logged. Unauthorized use is prohibited and illegal access will be prosecuted to the full extent of the law.”   M
2.8.3   permissions on /etc/motd are configured   644   M
2.8.4   permissions on /etc/issue are configured   644   M
2.8.5   permissions on /etc/issue.net are configured   644   M

2.9 Services

No Policy Setting Category


2.9.1 tftp server is not enabled Disabled M
2.9.2 xinetd is not enabled Disabled M
2.9.3 time synchronization is in use ntp installed M
2.9.4 ntp is configured ntp installed M
2.9.5 X Window System is not installed - except for systems that require graphical login access via X Windows Disabled M
2.9.6 Avahi Server is not enabled Disabled M
2.9.7 CUPS is not enabled Disabled M
2.9.8 DHCP Server is not enabled Disabled M
2.9.9 LDAP server is not enabled Disabled M
2.9.10 NFS and RPC are not enabled Disabled M
2.9.11 DNS Server is not enabled Disabled M
2.9.12 FTP Server is not enabled Disabled M
2.9.13 HTTP server is not enabled Disabled M
2.9.14 IMAP and POP3 server is not enabled Disabled M
2.9.15 Samba is not enabled Disabled M
2.9.16 HTTP Proxy Server is not enabled Disabled M
2.9.17 SNMP Server is not enabled Disabled M
2.9.18 mail transfer agent is configured for local-only mode Disabled M
2.9.19 NIS Server is not enabled Disabled M
2.9.20 rsh server is not enabled Disabled M
2.9.21 talk server is not enabled Disabled M
2.9.22 telnet server is not enabled Disabled M
2.9.23 tftp server is not enabled Disabled M
2.9.24 rsync service is not enabled Disabled M
2.9.25 NIS Client is not installed Not Installed M
2.9.26 rsh client is not installed Not Installed M
2.9.27 talk client is not installed Not Installed M

3 Network Security Configuration


No   Policy   Setting   Category
3.1   Ensure IP forwarding is disabled - sysctl   Disabled ‘sysctl, sysctl.conf sysctl.d’   M
3.2   Ensure packet redirect sending is disabled   'net.ipv4.conf.all.send_redirects = 0'; 'net.ipv4.conf.default.send_redirects = 0'   M
3.3   Ensure source routed packets are not accepted   'net.ipv4.conf.all.accept_source_route = 0'; 'net.ipv4.conf.default.accept_source_route = 0'   M
3.4   Ensure ICMP redirects are not accepted   'net.ipv4.conf.all.accept_redirects = 0'; 'net.ipv4.conf.default.accept_redirects = 0'   M
3.5   Ensure secure ICMP redirects are not accepted   'net.ipv4.conf.all.secure_redirects = 0'; 'net.ipv4.conf.default.secure_redirects = 0'   M
3.6   Ensure suspicious packets are logged   'net.ipv4.conf.all.log_martians = 1'; 'net.ipv4.conf.default.log_martians = 1'   M
3.7   Ensure broadcast ICMP requests are ignored   ‘sysctl, sysctl.conf sysctl.d’   M
3.8   Ensure bogus ICMP responses are ignored   ‘sysctl, sysctl.conf sysctl.d’   M
3.9   Ensure Reverse Path Filtering is enabled   net.ipv4.conf.eth0.rp_filter=1; net.ipv4.conf.bondeth0.rp_filter=1   M
3.10   Ensure TCP SYN Cookies is enabled   ‘sysctl, sysctl.conf sysctl.d’   M
3.11   Ensure IPv6 router advertisements are not accepted   'net.ipv6.conf.all.accept_ra = 0'; 'net.ipv6.conf.default.accept_ra = 0'   M
3.12   Ensure IPv6 redirects are not accepted   'net.ipv6.conf.all.accept_redirects = 0'; 'net.ipv6.conf.default.accept_redirects = 0'   M
3.13   Ensure IPv6 is disabled   Disabled   M
3.14   Ensure permissions on /etc/hosts.allow are configured   644   M
3.15   Ensure permissions on /etc/hosts.deny are configured   644   M
3.16   Ensure wireless interfaces are disabled   Disabled   M
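
Added example (not part of the RHB standard): a POSIX shell check that compares "key = value" lines, as printed by sysctl -a, with the explicit values given in rows 3.2 to 3.6, 3.9, 3.11 and 3.12. The function names baseline, audit_sysctl and sample are made up for this example; rows that name only ‘sysctl, sysctl.conf sysctl.d’ give no key and are left out.

```shell
#!/bin/sh
# Expected values, copied from rows 3.2-3.6, 3.9, 3.11 and 3.12 of the table.
baseline() {
    cat <<'EOF'
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.conf.eth0.rp_filter 1
net.ipv4.conf.bondeth0.rp_filter 1
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.default.accept_ra 0
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
EOF
}

# audit_sysctl: reads "key = value" lines on stdin (the format printed by
# `sysctl -a` and used in sysctl.conf) and prints one line per deviation.
# The exit status is the number of deviations; 0 means the input conforms.
audit_sysctl() {
    awk -v spec="$(baseline | tr '\n' ' ')" '
        BEGIN {
            n = split(spec, f, " ") / 2
            for (i = 1; i <= n; i++) { key[i] = f[2*i-1]; want[key[i]] = f[2*i] }
        }
        /^[ \t]*[#;]/ { next }            # comment lines in sysctl.conf
        {
            p = index($0, "=")
            if (p == 0) next
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            have[k] = v                   # a later assignment overrides
        }
        END {
            for (i = 1; i <= n; i++) {
                k = key[i]
                if (!(k in have)) { printf "MISSING %s want=%s\n", k, want[k]; bad++ }
                else if (have[k] != want[k]) { printf "FAIL %s have=%s want=%s\n", k, have[k], want[k]; bad++ }
            }
            exit bad + 0
        }'
}

# Constructed input (not from a real host): the baseline with log_martians
# switched off on "all" and the bondeth0 key absent.
sample() {
    baseline | awk '{ print $1 " = " $2 }' |
        sed -e 's/\(all\.log_martians\) = 1/\1 = 0/' -e '/bondeth0/d'
}

sample | audit_sysctl || echo "deviations: $?"
```

On a host, pipe sysctl -a 2>/dev/null into audit_sysctl for the running values, and run it again over /etc/sysctl.conf and the /etc/sysctl.d files, since a value set only at runtime is lost on reboot. Where IPv6 is disabled (row 3.13) the net.ipv6 keys may be absent and will then show as MISSING.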

4 Logging and Auditing


4.1 Configure Logging

No   Policy   Setting   Category
4.1.1   rsyslog is installed   Installed   M
4.1.2   logging is configured   Logging Configured   M
4.1.3   rsyslog default file permissions configured   640   M
4.1.4   Remote rsyslog messages are only accepted on designated log hosts   Configured   M
4.1.5   Ensure rsyslog Service is enabled   Enabled   M
4.1.6   Ensure logging is configured   Logging Configured   M
4.1.7   Ensure rsyslog default file permissions configured   640   M
4.1.8   Ensure remote rsyslog messages are only accepted on designated log hosts.   InputTCPServerRun 514   M
4.1.9   Ensure remote rsyslog messages are only accepted on designated log hosts.   imtcp.so   M
4.1.10   Ensure syslog-ng service is enabled   Enabled   M

5 Access, Authentication and Authorization


5.1 Configure cron

No Policy Setting Category


5.1.1 cron daemon is enabled Enabled M
5.1.2 permissions on /etc/crontab are configured 600 M
5.1.3 permissions on /etc/cron.hourly 700 M
5.1.4 permissions on /etc/cron.daily 700 M
5.1.5 permissions on /etc/cron.weekly 700 M
5.1.6 permissions on /etc/cron.monthly 700 M
5.1.7 permissions on /etc/cron.d 700 M

5.2 SSH Server Configuration

No Policy Setting Category


5.2.1 permissions on /etc/ssh/sshd_config 600 M
5.2.2 SSH Protocol is set to 2 SSH 2 M
5.2.3 SSH LogLevel is set to INFO INFO M
5.2.4 SSH MaxAuthTries is set 3 M
5.2.5 SSH IgnoreRhosts is enabled Enabled M
5.2.6 SSH HostbasedAuthentication is disabled Disabled M
5.2.7 SSH PermitEmptyPasswords is disabled Disabled M
5.2.8 SSH PermitUserEnvironment is disabled Disabled M
5.2.9 approved MAC algorithms are used MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com M
5.2.10 SSH Idle Timeout Interval is configured ClientAliveInterval 300; ClientAliveCountMax 3 M
5.2.11 SSH LoginGraceTime is set LoginGraceTime 60 M
5.2.12 SSH warning banner is configured Banner /etc/issue.net M
5.2.13 Ensure SSH PAM is enabled Enabled M
5.2.14 Ensure SSH MaxStartups is configured 100 M

5.3 Configure PAM

No   Policy   Setting   Category
5.3.1   Ensure password creation requirements are configured   lcredit = -1, dcredit = -1, minlen = 8, ocredit = -1, ucredit = -1, password-auth retry=3, password-auth try_first_pass, system-auth retry=3, system-auth try_first_pass   M
5.3.2   Ensure lockout for failed password attempts is configured - password-auth   'auth [default=die] pam_faillock.so'; 'auth [success=1 default=bad] pam_unix.so'; 'auth required pam_faillock.so'; 'auth sufficient pam_faillock.so'   M
5.3.3   Ensure lockout for failed password attempts is configured - system-auth   'auth [default=die] pam_faillock.so'; 'auth [success=1 default=bad] pam_unix.so'; 'auth required pam_faillock.so'; 'auth sufficient pam_faillock.so'   M
5.3.4   Ensure password reuse is limited - pam_pwhistory.so (password-auth)   ‘password sufficient pam_unix.so remember=10’   M
5.3.5   Ensure password reuse is limited - pam_pwhistory.so (system-auth)   ‘password sufficient pam_unix.so remember=10’   M
5.3.6   Ensure password reuse is limited - pam_unix.so (password-auth)   ‘password sufficient pam_unix.so remember=10’   M
5.3.7   Ensure password reuse is limited - pam_unix.so (system-auth)   ‘password sufficient pam_unix.so remember=10’   M
5.3.8   Ensure password hashing algorithm is SHA-512 - password-auth   ‘password sufficient pam_unix.so sha512’   M
5.3.9   Ensure password hashing algorithm is SHA-512 - system-auth   ‘password sufficient pam_unix.so sha512’   M

5.4 User Accounts and Environment

No   Policy   Setting   Category
5.4.1   Ensure password expiration is 30   PASS_MAX_DAYS 30   M
5.4.2   Ensure minimum days between password changes is 7 days   PASS_MIN_DAYS 7   M
5.4.3   Ensure password expiration warning days is 14   PASS_WARN_AGE 14   M
5.4.4   Ensure all users last password change date is in the past   M
        # cat /etc/shadow | cut -d: -f1   <list of users>
        # chage --list <user>   Last Change
5.4.5   Ensure system accounts are non-login   M
        awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print}' /etc/passwd
        awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}'
5.4.6   Ensure default group for the root account is GID 0   usermod -g 0 root   M
5.4.7   Ensure default user umask is 022   /etc/bashrc /etc/profile /etc/profile.d/*.sh ‘umask 022’   M

6 System Maintenance, File Permissions, User & Group Setting


6.1 System File Permissions

No   Policy   Setting   Category
6.1.1   Ensure permissions on /etc/passwd are configured   644   M
6.1.2   Ensure permissions on /etc/shadow are configured   000   M
6.1.3   Ensure permissions on /etc/group are configured   644   M
6.1.4   Ensure permissions on /etc/gshadow are configured   000   M
6.1.5   Ensure permissions on /etc/passwd- are configured   644   M
6.1.6   Ensure permissions on /etc/shadow- are configured   000   M
6.1.7   Ensure permissions on /etc/group- are configured   644   M
6.1.8   Ensure permissions on /etc/gshadow- are configured   000   M
6.1.9   Ensure no world writable files exist   verify no results are returned   M
6.1.10   Ensure no unowned files or directories exist   verify no results are returned   M
6.1.11   Ensure no ungrouped files or directories exist   verify no results are returned   M
6.1.12   Audit SUID executables   # df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000   M
6.1.13   Audit SGID executables   # df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000   M

6.2 User and Group Settings

No   Policy   Setting   Category
6.2.1   Ensure password fields are not empty   # cat /etc/shadow | awk -F: '($2 == "" ) { print $1 " does not have a password "}'   M
6.2.2   Ensure no legacy '+' entries exist in /etc/passwd   # grep '^\+:' /etc/passwd   M
6.2.3   Ensure no legacy '+' entries exist in /etc/shadow   # grep '^\+:' /etc/shadow   M
6.2.4   Ensure no legacy '+' entries exist in /etc/group   # grep '^\+:' /etc/group   M
6.2.5   Ensure root is the only UID 0 account   # cat /etc/passwd | awk -F: '($3 == 0) { print $1 }'   root   M
6.2.6   Ensure root PATH Integrity   verify no results are returned   M
6.2.7   Ensure all users' home directories exist   verify no results are returned   M
6.2.8   Ensure users' home directories permissions are 750   750   M
6.2.9   Ensure users own their home directories   verify no results are returned   M
6.2.10   Ensure users' dot files are not group or world writable   verify no results are returned   M
6.2.11   Ensure no users have .forward files   verify no results are returned   M
6.2.12   Ensure no users have .netrc files   verify no results are returned   M
6.2.13   Ensure users' .netrc Files are not group or world accessible   verify no results are returned   M
6.2.14   Ensure no users have .rhosts files   verify no results are returned   M
6.2.15   Ensure all groups in /etc/passwd exist in /etc/group   verify no results are returned   M
6.2.16   Ensure no duplicate UIDs exist   verify no results are returned   M
6.2.17   Ensure no duplicate GIDs exist   verify no results are returned   M
6.2.18   Ensure no duplicate user names exist   verify no results are returned   M
6.2.19   Ensure no duplicate group names exist   verify no results are returned   M

Appendix A

OS HARDENING QUALITY ASSURANCE SIGN-OFF

Section 1: Details

SYSTEM NAME   Diamond Prod DB
OS VERSION   Oracle Linux Server release 7.9
EXCEPTION REQUIRED (YES/NO)   NO

Section 2: List of Server(s)

No IP Address Hostname QA Status


1 10.188.204.69 exadbrac2p1-mgt.rhbgroup.com Passed

Section 3: QA Sign-Off
HARDENING PERFORMED BY (IT Infra):
NAME : Muthu Raman
DATE : 20-03-2023

QA PERFORMED BY (IT Sec):
NAME :
DATE :

Section 4: Exception Sign-Off (Only applicable if exception is required)


Refer to Appendix B for the detail(s) of exceptions

APPROVED BY:
POSITION: Head, Grp IT Infrastructure Services
NAME :
DATE :

APPROVED BY:
POSITION: Head, Group IT Security
NAME :
DATE :

APPROVED BY:
POSITION: Head, Security Governance
NAME :
DATE :

Appendix B

DETAIL OF EXCEPTIONS

Ref No Policy Name Policy Setting Required Setting Justification IP Address
