Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-1461102.1
Update Date:2017-03-29

Solution Type: Technical Instruction

Solution 1461102.1: STIG Implementation Script for Oracle Database Appliance


Related Items
  • Oracle Database Appliance
  • Oracle Database Appliance Software
Related Categories
  • PLA-Support>Eng Systems>Exadata/ODA/SSC>Oracle Database Appliance>DB: ODA_EST
  • Proactive>Communications>Proactive.Communications


STIG (Security Technical Implementation Guide) script for the Oracle Database Appliance

Applies to:

Oracle Database Appliance - Version All Versions and later
Oracle Database Appliance Software - Version 2.2.0.0 and later
Linux x86-64

Goal

The Department of Defense (DoD) DISA Information Assurance Process includes Certification and Accreditation (C&A), which in turn includes the Security Technical Implementation Guides (STIGs). These are guidelines and scripts that are run to advise on securing and locking down databases, operating systems, application servers, and other system components. Currently, DoD customers run various Oracle products that go through the DoD C&A process, including the STIG process. General STIG information is available at http://iase.disa.mil/stigs/

The Oracle Database Appliance (ODA) is a fully integrated system of software, servers, storage, and networking in a single box that delivers high-availability database services. Oracle engineered the Oracle Database Appliance for simplicity. Accordingly, Oracle aims to provide a simplified configuration and patching process.

Because the DoD C&A STIG process requires vulnerability assessment and remediation, Oracle will make commercially reasonable efforts, through the Oracle Support service request process, to work with the customer to meet the DoD C&A STIG remediation requirement, or to enable the customer to make the necessary changes to the Oracle Database Appliance in order to do so, provided that the customer is officially supported by the Oracle Database Appliance product development organization. If an Oracle Database Appliance patch has a problem because of DoD C&A STIG remediation, customers should work with Oracle Support to determine the appropriate course of action: potentially roll back the remediation steps, re-run the patch, and then re-apply the DoD C&A STIG process and the required remediation steps.

Please note that the Oracle Database Appliance is an engineered system and is pre-configured for optimal usage. Some out-of-the-box configuration settings may not be modified; for example, the Disk Group composition and configuration may not be altered beyond the recommended configurations. However, certain qualified and supported changes may be allowed after review. Oracle also allows various third-party agents to run on the Oracle Database Appliance, including Anti-Virus software, HBSS software, SCAP-compliant agents, and Retina Scan software.

Please note that if you are using the ODA-EM Plug-In, the root password must be welcome1 (default) during the discovery process. This is being reviewed.

For more information, please contact tammy.bednar@oracle.com


Solution

    • Download the latest STIG script
      The STIG script can be downloaded from the ATTACHMENT section. Copy it to the /opt/oracle/oak directory on each node of your Oracle Database Appliance. The script can be run on Bare Metal or on the ODA Virtualized Platform; on the ODA Virtualized Platform, the stig.py script must be run in ODA_BASE. You must run this script on both nodes of the Oracle Database Appliance to fix the violations found on each server.
    • Supported OAK releases
      The STIG script is supported on OAK release 2.2 and higher. Hint: use "oakcli show version" to check the OAK version.
    • Check the version of the script to ensure it is the latest one available.
      /opt/oracle/oak/stig.py -version
      INFO: STIG Version is -> 12.1.2.10
    • Logging
      The output of all checks and fixes can be found in /opt/oracle/oak/log/<HOSTNAME>/stig/stig.log. The log is appended to on each run of the check/fix/enable/disable commands. If you would like an individual log for each execution, rename the existing stig.log file before running the script: a new stig.log file is created if one does not exist, otherwise the output is appended to the end.

Features

      • Works on Oracle Database Appliance Bare Metal and Virtualized platforms (on the Virtualized platform, execution of the script from ODA_BASE only)
      • Works on X6-2 (all models), X5-2, X4-2, X3-2 and V1 platforms

Usage 

      • Download the script and execute it as root. Sample usage scenarios are documented below.
      • The script logs its actions in the "/opt/oracle/oak/log/<hostname>/stig/stig.log" file.
      • The option -check is used to check the system for any violation of the guidelines.
      • The option -force is used to re-run the script even if there are no violations.
      • The option -fix is used to implement the guidelines.
      • The enable and disable options can be used to enable or disable direct ssh login as root. Direct ssh login as root is required for patching, so enable must be executed before patching.
      • Once a violation has been fixed, it cannot be automatically rolled back to a previous state.

Sample usage

#./stig.py -h    

Usage for STIG (Security Technical Implementation Guide):

------------------------------------------------------------------------------------------------------------------

STIG checks and corrects violations within Oracle Database Appliance

<First Parameter> : -h | -? | -help | -v | -V | -version | check | fix | enable | disable

<Second Parameter> : all | force | perm | conf | account | fs | access | grub | audit | rollback | restore_prev

Example : ./stig.py <First Parameter> <Second Parameter>

STIG script Parameter Information:
---------------------------------

-h : Provides information regarding STIG scripts

-v : Provides STIG script version information

enable : Enables direct ssh root login on the system

disable : Disables direct ssh root login on the system

check : Checks and lists the STIG violations on the system
check -h : Provides options help available with check

fix : Fixes or Corrects the STIG violations reported on the system
fix -h : Provides options help available with fix

------------------------------------------------------------------------------------------------------------------

More details on the parameters:

First Parameter

-h | -? | -help : Provides information regarding STIG scripts 

-v | -V | -version :  Version of the ODA STIG script

enable: Enables direct ssh root login on the system

disable: Disables direct ssh root login on the system

check: Checks and lists the STIG violations on the system

check -h: Provides options help available with check

fix: Fixes or Corrects the STIG violations reported on the system

fix -h  : Provides options help  available with fix

Second Parameter 

all : Check/Fix and informs the security vulnerability for all

perm    : Check/Fix and informs the security vulnerability for all permissions classification deployed 

conf    : Check/Fix and informs the security vulnerability for all configuration parameters classification deployed 

audit : Check/Fix and informs the security vulnerability for all auditing classifications deployed

account : Check/Fix and informs the security vulnerability for all accounts classification deployed

fs : Checks/Fix and informs the security vulnerability for all file systems classification deployed

grub    : Checks/Fix and informs the security vulnerability for enable/disable of grub password deployed

access : Checks/Fix and informs the security vulnerability for all access classifications deployed

force : Enables rerun of the script for security vulnerability fix for all classifications. This option must be exercised along with fix option only

rollback: Rollback of System files to ODA Imaged state prior to STIG script execution. This option must be exercised along with fix option only

restore_prev : Restore all previous system files state. This option must be exercised along with fix option only


./stig.py check all

INFO: Writing to STIG Log file /opt/oracle/oak/log/<hostname>/stig/stig.log 

INFO: Running STIG Script Version 12.1.2.10

INFO: Checking STIG Violations ........

2015-09-11-12:48:54  : [STIG ID : LNX00140]: [CHECK] : Password for grub not enabled [ LNX00140 ] 

2015-09-11-12:48:54  : [STIG ID : GEN000450]: [CHECK] : maxlogins parameter is not set to desired value [ GEN000450 ] 

2015-09-11-12:48:54  : [STIG ID : GEN004640]: [CHECK] : sendmail decode command is not commented in /etc/aliases [ GEN004640 ] 

2015-09-11-12:48:54  : [STIG ID : LNX00320]: [CHECK] : 'uucp' service is active [ LNX00320 ]

...
...

./stig.py fix audit

INFO: Writing to STIG Log file /opt/oracle/oak/log/<hostname>/stig/stig.log  

INFO: Running STIG Script Version 12.1.2.10

INFO: Fixing STIG Violations ........ 

2015-09-11-12:51:11  : [STIG ID : GEN000000-LNX00720]: [FIXED] : Enabling auditing at boot by setting the kernel parameter [ GEN000000-LNX00720 ]  SUCCESSFUL

Fix Violations completed : Fixed  STIG violations
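As an added example (not part of this Oracle article or of the stig.py script itself), the following Python reads a stig.log in the entry format shown in the check and fix output above, where successive runs are appended to the same file, and reports which STIG IDs were flagged by a CHECK and not subsequently FIXED SUCCESSFUL. The sample log text is constructed from the lines above; the GEN000000-LNX00720 CHECK line is invented so that the FIXED line has a violation to close.

```python
import re

# One stig.log entry, in the format shown in the article's sample output:
#   <YYYY-MM-DD-HH:MM:SS>  : [STIG ID : <id>]: [CHECK|FIXED] : <message> [ <id> ]  [SUCCESSFUL]
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\s+:\s+"
    r"\[STIG ID : (?P<id>[A-Z0-9-]+)\]:\s+\[(?P<action>CHECK|FIXED)\]\s+:\s+"
    r"(?P<msg>.*?)\s+\[ (?P=id) \]\s*(?P<status>SUCCESSFUL)?\s*$"
)

# Constructed sample: one "check all" run followed by one "fix audit" run appended
# to the same file, as the article describes. The GEN000000-LNX00720 CHECK line is
# invented so the FIXED line below has something to close.
SAMPLE_LOG = """\
INFO: Writing to STIG Log file /opt/oracle/oak/log/node1/stig/stig.log
INFO: Running STIG Script Version 12.1.2.10
INFO: Checking STIG Violations ........
2015-09-11-12:48:54  : [STIG ID : LNX00140]: [CHECK] : Password for grub not enabled [ LNX00140 ]
2015-09-11-12:48:54  : [STIG ID : GEN000450]: [CHECK] : maxlogins parameter is not set to desired value [ GEN000450 ]
2015-09-11-12:48:54  : [STIG ID : GEN000000-LNX00720]: [CHECK] : Auditing is not enabled at boot [ GEN000000-LNX00720 ]
INFO: Fixing STIG Violations ........
2015-09-11-12:51:11  : [STIG ID : GEN000000-LNX00720]: [FIXED] : Enabling auditing at boot by setting the kernel parameter [ GEN000000-LNX00720 ]  SUCCESSFUL
Fix Violations completed : Fixed  STIG violations
"""

def parse_log(text):
    """Return recognised CHECK/FIXED entries in file order; INFO and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def outstanding(entries):
    """Map STIG ID -> message for violations reported by CHECK and not later FIXED SUCCESSFUL.

    Entries are replayed in order, so a violation re-reported by a later check run
    reappears even if an earlier fix run had cleared it.
    """
    open_ids = {}
    for e in entries:
        if e["action"] == "CHECK":
            open_ids[e["id"]] = e["msg"]
        elif e["action"] == "FIXED" and e["status"] == "SUCCESSFUL":
            open_ids.pop(e["id"], None)
    return open_ids

if __name__ == "__main__":
    for stig_id, msg in sorted(outstanding(parse_log(SAMPLE_LOG)).items()):
        print(f"{stig_id}: {msg}")
```

Pointing parse_log at the real file for each node (read from /opt/oracle/oak/log/<hostname>/stig/stig.log) gives a per-node list of violations still open after a fix run.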

Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.