Securing Autonomous Linux
Autonomous Linux manages, monitors, and controls the OS software content of instances, ensuring that they're up-to-date with the latest security patches. Follow these security best practices to secure Autonomous Linux.
Security Responsibilities
To use Autonomous Linux securely, learn about your security and compliance responsibilities.
In general, Oracle provides security of cloud infrastructure and operations, such as cloud operator access controls and infrastructure security patching. You are responsible for securely configuring your cloud resources. Security in the cloud is a shared responsibility between you and Oracle.
Oracle is responsible for the following security requirements:
- Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
Your security responsibilities are described on this page and include the following areas:
- Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
- Patching: Keep software up-to-date with the latest security patches to prevent vulnerabilities.
Initial Security Tasks
Use this checklist to identify the tasks you perform to secure Autonomous Linux in a new Oracle Cloud Infrastructure tenancy.
Task | More Information |
---|---|
Use IAM policies to grant access to users and resources | Autonomous Linux Policies |
Configure groups to control access to the service | User Group |
Add only the software sources you require to the service | Selecting Software Sources |
Use profiles to control the software sources attached to an instance | Selecting Software Sources |
Routine Security Tasks
After getting started with Autonomous Linux, use this checklist to identify security tasks that we recommend you perform regularly.
Task | More Information |
---|---|
Apply the latest security patches | Patching Software |
Use Ksplice to apply security updates | Patching Software |
Remove unnecessary packages on instances | Removing Unnecessary Packages |
Review reports to verify security compliance | Reviewing Reports |
IAM Policies
Use policies to limit access to Autonomous Linux.
See Autonomous Linux Policies.
Autonomous Linux uses OS Management Hub to manage instances. Follow the OS Management Hub policy guidance for dynamic group rules and policies required for OCI instances.
In addition to setting the required OS Management Hub policies, add the following policies to allow the use of notifications in Autonomous Linux.
Tenancy-level policies
To allow the Autonomous Linux service to publish notifications:
Allow any-user to use ons-topics in tenancy where request.principal.type='alx-notification'
To allow the user to create and use notification topics:
allow group <user_group> to manage ons-topics in tenancy
Compartment-level policies (if not using tenancy-level)
If the tenancy administrator doesn't permit setting IAM policies at the tenancy level, you can restrict the use of Autonomous Linux resources to a compartment and its subcompartments (policies use compartment inheritance).
To allow the user to create and use notification topics in a compartment inside the tenancy:
allow group <user_group> to manage ons-topics in compartment <compartment_name>
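The statements above can be submitted as a single IAM policy with the OCI CLI. The following script is an added example and is not part of the Oracle documentation: it assembles the page's statements for either the tenancy-level or the compartment-level variant, serializes them into the JSON array that `oci iam policy create --statements` expects, and shows the resulting command. The group name ALXAdmins, the compartment name alx-instances, the policy name and the OCID values are constructed placeholders; the statement texts are the ones given on this page. For the compartment-level variant the page gives only the group statement, so that is all the script emits for it.

```shell
#!/usr/bin/env bash
# Added example, not part of the Oracle documentation: turn the notification policy
# statements from this page into one IAM policy created with the OCI CLI.
# The group name ALXAdmins, the policy name and the OCID values are constructed
# placeholders; the statement texts are the ones given on this page.
set -eu

# Print the notification policy statements, one per line.
#   $1 = IAM group that should manage notification topics
#   $2 = compartment name (optional). Omitted: the two tenancy-level statements from
#        this page. Given: the compartment-level group statement from this page.
alx_notification_statements() {
  group="$1"
  compartment="${2:-}"
  if [ -z "$compartment" ]; then
    # Lets the service principal (type alx-notification) publish to topics.
    printf '%s\n' "Allow any-user to use ons-topics in tenancy where request.principal.type='alx-notification'"
    printf '%s\n' "allow group $group to manage ons-topics in tenancy"
  else
    printf '%s\n' "allow group $group to manage ons-topics in compartment $compartment"
  fi
}

# Convert newline-separated statements (stdin) into the JSON array --statements expects.
statements_json() {
  first=1
  printf '['
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    if [ "$first" -eq 1 ]; then first=0; else printf ','; fi
    # JSON string escaping for backslashes and double quotes
    escaped=$(printf '%s' "$line" | sed 's/\\/\\\\/g; s/"/\\"/g')
    printf '"%s"' "$escaped"
  done
  printf ']\n'
}

# Create the policy. A tenancy-level policy lives in the root compartment, so
# --compartment-id is the tenancy OCID; a compartment-level policy uses that
# compartment's OCID. The CLI is only invoked when it is installed and ALX_APPLY=1;
# otherwise the command is printed as a dry run.
alx_create_notification_policy() {
  policy_compartment_ocid="$1"   # placeholder, e.g. ocid1.tenancy.oc1..<unique_id>
  group="$2"
  compartment_name="${3:-}"
  json=$(alx_notification_statements "$group" "$compartment_name" | statements_json)
  if [ "${ALX_APPLY:-0}" = 1 ] && command -v oci >/dev/null 2>&1; then
    oci iam policy create \
      --compartment-id "$policy_compartment_ocid" \
      --name "autonomous-linux-notifications" \
      --description "Autonomous Linux notification topics" \
      --statements "$json"
  else
    printf 'oci iam policy create --compartment-id %s --statements %s\n' \
      "$policy_compartment_ocid" "$json"
  fi
}

# Dry-run demo with constructed placeholder values.
alx_create_notification_policy "ocid1.tenancy.oc1..<tenancy_ocid>" "ALXAdmins"
alx_create_notification_policy "ocid1.compartment.oc1..<compartment_ocid>" "ALXAdmins" "alx-instances"
```

Run with `ALX_APPLY=1` and a configured OCI CLI to create the policy; without it the script only prints the command it would run, which is a convenient way to review the statements before they are granted.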
Selecting Software Sources
When creating a software source profile, include only the software sources that are required. This minimizes the number of packages available to the instance, which reduces the package installation footprint. Similarly, when creating a group
Patching Software
Ensure that your managed instances are running the latest security updates.
Keep instance software up-to-date with security patches. We recommend that you periodically apply the latest available software updates to instances registered with Autonomous Linux. Consider using multiple update jobs to keep instances up-to-date. For example, apply zero-downtime Ksplice updates often and apply regular security updates on a slower cadence.
Creating Update Jobs
To ensure instances receive regular updates, you can create a job to schedule recurring updates, see:
Running Ksplice Updates
Use Oracle Ksplice to apply critical security patches to Linux kernels on instances without requiring a reboot. Ksplice also updates the glibc and OpenSSL user space libraries, applying critical security patches without disrupting workloads. Create a recurring update job that applies Ksplice updates.
Removing Unnecessary Packages
Remove unnecessary packages from instances to reduce the installation footprint and prevent potential security issues.
Removing a software source doesn't remove packages that were installed from the software source. For example, suppose you're moving from UEK R6 to UEK R7. You add the software source for UEK R7 and then remove the software source for UEK R6. Any installed UEK R6 packages remain on the system. Those packages, however, are no longer updated because the software source has been removed and thus could appear in security scans.
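Packages left behind in this way are installed but available from no enabled repository, which is the state `dnf` reports with `--extras`. The following script is an added example and is not part of the Oracle documentation: it lists those orphaned packages on an instance and filters out the packages that belong to the running kernel, so a cleanup never removes the kernel the instance is currently booted on. The package names, versions and the kernel release in the sample are constructed for the demonstration; `dnf repoquery --extras` and `uname -r` are the real commands the script wraps.

```shell
#!/usr/bin/env bash
# Added example, not part of the Oracle documentation: find installed packages that
# no longer come from any attached software source (the UEK R6 leftovers described
# above) without touching the running kernel.
# Package names, versions and the running kernel release below are constructed samples.
set -eu

# dnf's --extras lists installed packages that are present in no enabled repository,
# which is exactly the state an orphaned package is left in after its software
# source is removed. Prints nothing where dnf is not available.
orphaned_packages() {
  if command -v dnf >/dev/null 2>&1; then
    dnf -q repoquery --extras
  fi
}

# Filter an orphaned-package list (one package per line on stdin), dropping the
# packages whose version matches the running kernel so a cleanup never removes
# the kernel currently booted. $1 is the running kernel release (output of uname -r).
removable_orphans() {
  running="$1"
  while IFS= read -r pkg; do
    case "$pkg" in
      "") ;;                 # skip blank lines
      *"$running") ;;        # belongs to the running kernel: keep it installed
      *) printf '%s\n' "$pkg" ;;
    esac
  done
}

# Constructed sample: an instance that moved from UEK R6 (5.4.17) to UEK R7 (5.15.0)
# and removed the UEK R6 software source. The running UEK R7 kernel is included in
# the list only to show that the filter keeps it.
SAMPLE_RUNNING_KERNEL='5.15.0-200.131.27.el8uek.x86_64'
SAMPLE_EXTRAS='kernel-uek-5.4.17-2136.330.7.1.el8uek.x86_64
kernel-uek-devel-5.4.17-2136.330.7.1.el8uek.x86_64
kernel-uek-5.15.0-200.131.27.el8uek.x86_64
example-tool-1.0-1.el8.x86_64'

# Demo on the constructed sample. On a real instance, run:
#   orphaned_packages | removable_orphans "$(uname -r)"
# and review the list before removing anything from it.
printf '%s\n' "$SAMPLE_EXTRAS" | removable_orphans "$SAMPLE_RUNNING_KERNEL"
```

The script deliberately only reports; removal is a separate, reviewed step, because an "extra" package may also be one that was installed intentionally from a source that is temporarily detached.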
For information about removing packages, see:
Reviewing Reports
Autonomous Linux generates reports for security updates, bug updates, and instance activity. Review these reports to identify any instances that are out-of-date. See Viewing Reports.