Recently in the news, we have seen reports of computer systems being hacked, often due to insecure settings. One of the easiest times to secure your operating system is when you install it. The Anaconda installer used by Oracle Linux makes this easy to do. Embedded in the installer is the ability to apply a SCAP-based security profile to the OS when it is installed! SCAP stands for Security Content Automation Protocol, which consists of several open standards that are used to track software flaws and configuration issues related to the security of a system. There are several applications that can use SCAP to provide security monitoring and remediation, most commonly OpenSCAP. Additionally, SCAP can be used by Anaconda to apply a standard when the operating system is built, simplifying the process of securing the system.
SCAP files can be downloaded from multiple sources, depending on the security standard being followed. DISA STIG files can be downloaded from https://public.cyber.mil/stigs/scap/ and NIST files from https://nvd.nist.gov/ncp/repository?scap. Additionally, SCAP files are available for standards like PCI and HIPAA.
Applying a SCAP profile is easy to do when installing the operating system. On the Installation Summary page, select the “Security Policy” option.
As a note, the installation ISO file will often include many profiles, but these ISOs are only created once, so the profiles they carry can be out of date. For better results, you should obtain a SCAP XML file from your security team, to make sure the latest approved policy is being applied to a new server.
If you want to import a new policy, select “Change Content”. As a reminder, make sure you enable networking before trying to import new policies.
You will then be able to put in a URL from which to import an updated standard. In this case I am importing an updated STIG policy for Oracle Linux. V2R2 is the latest version, but the ISO had V1R1. Importing updated policies is always recommended when possible.
Once imported, you can select the profile you want to use.
As a note, your selected profile may require changes to your storage. In this example, /tmp, /home, /var/log and /var/log/audit need to be on separate partitions/filesystems. Items like this will be flagged, and need to be resolved before you install the OS. Take a few minutes to read the changes required, and make sure they are done before starting the installation.
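Before hosting a SCAP file at the URL you give the installer, it helps to confirm which benchmark version and which profile IDs it actually contains. The script below is an added example, not part of the original post or of any Oracle tooling; the embedded XML is a constructed sample with made-up IDs, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal SCAP source data stream holding one XCCDF benchmark.
# Every id, title and the version string here is made up for illustration.
SAMPLE = """<?xml version="1.0"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2">
  <ds:component id="scap_example_comp_xccdf">
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
      <title>Example Hardening Benchmark</title>
      <version>2.2</version>
      <Profile id="xccdf_example_profile_baseline">
        <title>Example Baseline</title>
        <select idref="xccdf_example_rule_a" selected="true"/>
        <select idref="xccdf_example_rule_b" selected="false"/>
      </Profile>
      <Profile id="xccdf_example_profile_strict">
        <title>Example Strict</title>
        <select idref="xccdf_example_rule_a" selected="true"/>
        <select idref="xccdf_example_rule_b" selected="true"/>
      </Profile>
    </Benchmark>
  </ds:component>
</ds:data-stream-collection>"""

def local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 content both match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child with the given local name, or ''."""
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), "")

def summarize(xml_text):
    """Return one dict per XCCDF Benchmark: id, version and its profiles."""
    out = []
    for bench in (e for e in ET.fromstring(xml_text).iter() if local(e.tag) == "Benchmark"):
        profiles = []
        for prof in (p for p in bench if local(p.tag) == "Profile"):
            # Counts explicit selected="true" entries only, not rules on by benchmark default.
            on = sum(1 for s in prof if local(s.tag) == "select" and s.get("selected") == "true")
            profiles.append({"id": prof.get("id"), "title": child_text(prof, "title"), "selects_on": on})
        out.append({"id": bench.get("id"), "version": child_text(bench, "version"), "profiles": profiles})
    return out

if __name__ == "__main__":
    for b in summarize(SAMPLE):
        print(f"{b['id']} version {b['version']}")
        for p in b["profiles"]:
            print(f"  {p['id']}: {p['title']} ({p['selects_on']} explicit selects enabled)")
```

To check a real file, pass its contents to `summarize()` in place of `SAMPLE`; a file from your security team should show the version they approved and the profile you intend to select.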