By Srini Chavali-Oracle on Mar 31, 2015
This blog post is brought to you by Drew Darrow of the Exalogic A-Team, Oracle Product Development.
With the release of the Exalogic Lifecycle (ELLC) Toolkit
14.2, Oracle introduced STIGfix, a tool that can be used to harden guest
vServers and physical compute nodes on an Exalogic machine running at minimum
EECS 220.127.116.11.0 Virtual or 18.104.22.168.0 Physical. STIGfix is installed
and available for use when you install ELLC 14.2 in your environment.
STIGs are security configuration standards
defined by the Defense Information Systems Agency (DISA), an agency within the
United States Department of Defense. More information on STIGs can be
found at http://iase.disa.mil/stigs/
Before using STIGfix, you must ensure that 'root' is not the only user, because once the tool has run, direct SSH access to the vServer or compute node as the 'root' user is restricted. Configuring which STIGs are applied to your environment is simple: edit the stigfix.json file, which specifies the STIGs the tool will apply or skip. After the STIGfix tool runs, rollback scripts are generated in the backup directory so that you can roll back any applied STIG that was not intended or that had an adverse effect on your application.
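A pre-flight check for the "'root' is not the only user" requirement above, as an added example that is not part of STIGfix or the original post. The function names, the UID floor of 500 and the sample account data are assumptions, and accounts that log in with SSH keys only are not detected and need a separate check.

```shell
#!/bin/sh
# Added example, not part of STIGfix. Function names are hypothetical.
# Lists non-root accounts that can still log in with a password once direct
# root SSH access is restricted. Accounts using SSH keys only are not covered.

# login_candidates PASSWD_FILE SHADOW_FILE [UID_MIN]
# UID_MIN defaults to 500 (assumption; compare UID_MIN in /etc/login.defs).
login_candidates() {
    awk -F: -v min="${3:-500}" '
        # shadow file: remember accounts whose password field is a usable hash
        # (not empty, not locked with a leading "!" or "*").
        FILENAME == ARGV[1] { if ($2 != "" && $2 !~ /^[!*]/) usable[$1] = 1; next }
        # passwd file: regular UID, interactive shell, usable password.
        $3 >= min && $7 != "" && $7 !~ /(nologin|false)$/ && ($1 in usable) { print $1 }
    ' "$2" "$1"
}

# preflight_nonroot_login PASSWD_FILE SHADOW_FILE [UID_MIN]
# Returns 0 if at least one candidate account exists, 1 otherwise.
preflight_nonroot_login() {
    users=$(login_candidates "$1" "$2" "$3")
    if [ -z "$users" ]; then
        echo "FAIL: no non-root account with a login shell and usable password" >&2
        return 1
    fi
    echo "OK: non-root login accounts:" $users
}

# write_sample DIR: constructed passwd/shadow data for trying the check offline.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
oracle:x:1000:1000::/home/oracle:/bin/bash
svc:x:1001:1001::/home/svc:/sbin/nologin
ops:x:1002:1002::/home/ops:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:16000:0:99999:7:::
oracle:$6$constructed$hash:16000:0:99999:7:::
svc:$6$constructed$hash:16000:0:99999:7:::
ops:!!:16000:0:99999:7:::
EOF
}

# Run against real files when given as arguments (needs root to read shadow).
if [ "$#" -ge 2 ]; then preflight_nonroot_login "$1" "$2" "${3:-}"; fi
```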
Additional considerations:
STIGfix can only be run on Exalogic guest vServers or Exalogic physical compute nodes. It must never be run on dom0s or control vServers.
After STIG-hardening your guest vServers, you can no longer use ExaBR to back them up. ExaBR only supports STIG-hardened Oracle Linux compute nodes. The ExaBR Guide has been updated to reflect these changes.
STIGfix is not supported on EECS 22.214.171.124.2 running the Oracle Enterprise Linux 6 base image.
Detailed instructions for use of STIGfix can be found in the STIGfix user guide available at http://docs.oracle.com/cd/E18476_01/doc.220/e53111/toc.htm