Securing OS Management Hub
OS Management Hub manages, monitors, and controls the OS software content of instances, ensuring that they're up-to-date with the latest security patches. Follow these security best practices to secure OS Management Hub.
Security Responsibilities
To use OS Management Hub securely, learn about your security and compliance responsibilities.
In general, Oracle provides security of cloud infrastructure and operations, such as cloud operator access controls and infrastructure security patching. You are responsible for securely configuring your cloud resources. Security in the cloud is a shared responsibility between you and Oracle.
Oracle is responsible for the following security requirements:
- Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
Your security responsibilities are described on this page and include the following areas:
- Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
- Patching: Keep software up-to-date with the latest security patches to prevent vulnerabilities.
Initial Security Tasks
Use this checklist to identify the tasks you perform to secure OS Management Hub in a new Oracle Cloud Infrastructure tenancy.
| Task | More Information |
|---|---|
| Use IAM policies to grant access to users and resources | IAM Policies |
| Configure groups to control access to the service | Recommended User Group |
| Add only the software sources you require to the service | Selecting Software Sources |
| Use profiles to control the software sources attached to an instance | Selecting Software Sources |
| Configure regular mirror syncs for the management stations | Syncing Mirrors |
Routine Security Tasks
After getting started with OS Management Hub, use this checklist to identify security tasks that we recommend you perform regularly.
| Task | More Information |
|---|---|
| Apply the latest security patches | Patching Software |
| Use Ksplice to apply security updates | Patching Software |
| Monitor mirror sync status and create sync jobs | Syncing Mirrors |
| Remove unnecessary packages on instances | Removing Unnecessary Packages |
| Review reports to verify security compliance | Reviewing Reports |
IAM Policies
Use policies to limit access to OS Management Hub.
For policy management, define groups of users and dynamic groups of resources. Then create policies that grant permissions to the groups instead of individual users or resources. See Example Policies for specific use cases. See Getting Started with Policies for general information on policies.
Recommended User Group
Create a user group to administer the OS Management Hub service in the tenancy. Any user that belongs to the group automatically inherits the policies and permissions granted to that group.
Required Dynamic Group
Create a dynamic group to include the instances that will be managed by OS Management Hub. As new instances register with OS Management Hub, the dynamic group includes them based on its rule statements. Dynamic group rules are compartment-specific: you must specify a rule for every compartment and subcompartment that contains instances you want managed by OS Management Hub.
A single resource can belong to a maximum of five dynamic groups. A good practice is to reuse the same dynamic group wherever possible across services instead of creating one or more dynamic groups for each service.
The rule builder provides flexibility for creating rules that reference multiple resources. Be aware of the difference between ALL and ANY conditions in the rule builder: ALL requires every condition in a statement to match, while ANY matches when at least one does. For more information, see Managing Dynamic Groups.
OCI instances require a different dynamic group rule than non-OCI instances (on-premises or third-party cloud). If managing multiple instance types, include both rules. You can use a single dynamic group that contains rules for both instance types.
Rule for OCI instances

Add a rule statement for each compartment (and subcompartment) that will contain instances.

```
ALL {instance.compartment.id='<compartment_ocid>'}
```

Rule for non-OCI instances

Add a rule statement for each compartment (and subcompartment) that will contain instances.

```
ALL {resource.type='managementagent', resource.compartment.id='<compartment_ocid>'}
```
Required Policies
You must have a policy that allows instances to register with OS Management Hub and allows users to manage and operate the service. Before creating the policy, create a dynamic group and the recommended user group. You can set the required IAM policies for OS Management Hub either at the tenancy or compartment level.
The policy statement uses the default identity domain unless you define the identity domain before the group or dynamic group name (for example, <identity_domain_name>/<dynamic_group_name>). For more information, see Policy Syntax.

Tenancy-level policies

To apply the required IAM policies at the tenancy level, use the following policy statements:

```
allow dynamic-group <osmh_dynamic_group> to {OSMH_MANAGED_INSTANCE_ACCESS} in tenancy where request.principal.id = target.managed-instance.id
allow group <user_group> to manage osmh-family in tenancy
```

If managing on-premises or third-party cloud instances, include the following additional policy statements. These aren't required if managing only OCI instances.

```
allow group <user_group> to manage management-agents in tenancy
allow group <user_group> to manage management-agent-install-keys in tenancy
```
Compartment-level policies (if not using tenancy-level)

If the tenancy administrator doesn't permit setting IAM policies at the tenancy level, you can restrict the use of OS Management Hub resources to a compartment and its subcompartments (policies use compartment inheritance).

To apply the IAM policies to a compartment inside the tenancy, use the following policy statements:

```
allow dynamic-group <osmh_dynamic_group> to {OSMH_MANAGED_INSTANCE_ACCESS} in compartment <compartment_name> where request.principal.id = target.managed-instance.id
allow group <user_group> to manage osmh-family in compartment <compartment_name>
```

If managing on-premises or third-party cloud instances, include the following additional policy statements. These aren't required if managing only OCI instances.

```
allow group <user_group> to manage management-agents in compartment <compartment_name>
allow group <user_group> to manage management-agent-install-keys in compartment <compartment_name>
```
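The dynamic-group rules and policy statements above are easy to get subtly wrong when they are repeated for many compartments (a missed subcompartment, an ANY where an ALL was meant, a forgotten management-agent statement for non-OCI instances). The following script is an added example, not Oracle's code or an OS Management Hub tool: it generates the matching rule and the policy statements from a compartment list using the templates on this page, and audits an existing statement list for anything missing. Wrapping several per-compartment rules in an outer `Any { ... }` block is an assumption about OCI matching-rule syntax, and every OCID, group and compartment name in it is a constructed placeholder.

```python
"""Generate and audit the IAM artifacts OS Management Hub needs.

Added example, not Oracle's code. Rule and statement templates are the ones on
this page; the outer Any {...} wrapper is an assumption about OCI matching-rule
syntax, and all OCIDs and names are constructed placeholders.
"""
from typing import Iterable, List, Optional

# Constructed placeholder compartment OCIDs (not real).
SAMPLE_COMPARTMENTS = [
    "ocid1.compartment.oc1..exampleprod",
    "ocid1.compartment.oc1..exampledev",
]


def oci_instance_rule(compartment_ocid: str) -> str:
    """Rule statement for OCI instances in one compartment (template from the page)."""
    return f"ALL {{instance.compartment.id='{compartment_ocid}'}}"


def non_oci_instance_rule(compartment_ocid: str) -> str:
    """Rule statement for on-premises / third-party cloud instances (template from the page)."""
    return ("ALL {resource.type='managementagent', "
            f"resource.compartment.id='{compartment_ocid}'}}")


def matching_rule(compartments: Iterable[str], include_non_oci: bool = True) -> str:
    """Build one dynamic-group matching rule that covers every listed compartment.

    Each compartment gets its own ALL {...} statement (two if non-OCI instances
    are managed as well). Combining the statements under Any {...} is an
    assumption about the rule-builder syntax: ANY across statements, ALL within one.
    """
    rules: List[str] = []
    for ocid in compartments:
        rules.append(oci_instance_rule(ocid))
        if include_non_oci:
            rules.append(non_oci_instance_rule(ocid))
    if not rules:
        raise ValueError("at least one compartment is required")
    return rules[0] if len(rules) == 1 else "Any {" + ", ".join(rules) + "}"


def required_statements(dynamic_group: str, user_group: str, *,
                        scope: str = "tenancy", compartment: Optional[str] = None,
                        manage_non_oci: bool = False,
                        identity_domain: Optional[str] = None) -> List[str]:
    """Return the policy statements this page lists for the chosen scope."""
    if scope == "tenancy":
        target = "tenancy"
    elif scope == "compartment" and compartment:
        target = f"compartment {compartment}"
    else:
        raise ValueError("scope must be 'tenancy' or 'compartment' (with a compartment name)")
    # Non-default identity domains are written as <domain>/<name>, as the page notes.
    prefix = f"{identity_domain}/" if identity_domain else ""
    dg, ug = prefix + dynamic_group, prefix + user_group
    stmts = [
        f"allow dynamic-group {dg} to {{OSMH_MANAGED_INSTANCE_ACCESS}} in {target} "
        "where request.principal.id = target.managed-instance.id",
        f"allow group {ug} to manage osmh-family in {target}",
    ]
    if manage_non_oci:  # only needed for on-premises / third-party cloud instances
        stmts += [
            f"allow group {ug} to manage management-agents in {target}",
            f"allow group {ug} to manage management-agent-install-keys in {target}",
        ]
    return stmts


def missing_statements(existing: Iterable[str], required: Iterable[str]) -> List[str]:
    """Audit helper: return required statements absent from an existing policy.

    Whitespace and case are normalised so that cosmetic differences do not
    produce false positives; anything else counts as missing.
    """
    def norm(s: str) -> str:
        return " ".join(s.split()).lower()
    have = {norm(s) for s in existing}
    return [s for s in required if norm(s) not in have]


if __name__ == "__main__":
    print(matching_rule(SAMPLE_COMPARTMENTS))
    for s in required_statements("osmh-instances", "osmh-admins",
                                 scope="compartment", compartment="prod",
                                 manage_non_oci=True):
        print(s)
```

Feed `missing_statements` the statement list of the live policy (for example, what the console or CLI shows for it) together with `required_statements(...)` for your scope; a non-empty result is the list to add. The generated matching rule is meant to be pasted into the dynamic group's rule editor after you confirm the combined `Any {...}` form matches what the rule builder accepts for your tenancy.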
Selecting Software Sources
Only add the minimal number of vendor software sources you require to the service. When creating custom software sources, use filters or specify a package list to further reduce the content available to instances. Only include the packages necessary to support your workload.
When creating a software source profile, only include software sources that are required. This minimizes the number of packages available to the instance, reducing the package installation footprint. Similarly, when creating a group or lifecycle environment, only attach the minimal set of software sources necessary.
Syncing Mirrors
Regularly sync mirrored software sources to ensure the management station distributes the latest software packages to instances.
By default, a mirror sync job runs once a week. Adjust this frequency based on your security requirements; you can edit the mirror sync schedule as needed. Also, monitor the status of the management station's mirror syncs and run an on-demand mirror sync job at any time.
Patching Software
Ensure that your managed instances are running the latest security updates.
Keep instance software up-to-date with security patches. We recommend that you periodically apply the latest available software updates to instances registered with OS Management Hub. Consider using multiple update jobs to keep instances up-to-date. For example, apply zero-downtime Ksplice updates often and apply regular security updates on a slower cadence.
Creating Update Jobs

To ensure instances receive regular updates, create a job that schedules recurring updates; see:

Running Ksplice Updates

Use Oracle Ksplice to apply critical security patches to Linux kernels on instances without requiring a reboot. Ksplice also updates the glibc and OpenSSL user space libraries, applying critical security patches without disrupting workloads. Create a recurring update job that applies Ksplice updates.
Removing Unnecessary Packages
Remove unnecessary packages from instances to reduce the installation footprint and prevent potential security issues.
Removing a software source doesn't remove packages that were installed from the software source. For example, suppose you're moving from UEK R6 to UEK R7. You add the software source for UEK R7 and then remove the software source for UEK R6. Any installed UEK R6 packages remain on the system. Those packages, however, are no longer updated because the software source has been removed and thus could appear in security scans.
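Packages left behind after their software source is removed, as in the UEK R6 to UEK R7 scenario above, are easy to miss because they still look like normal installed packages. The script below is an added example, not Oracle's or OS Management Hub's code: it parses the output of `dnf repoquery --installed --qf '%{name}|%{evr}|%{from_repo}'` (assumed to be a suitable invocation on an Oracle Linux instance) and reports every installed package whose origin repository is no longer among the software sources still attached. The sample output and the repository IDs it uses are constructed.

```python
"""Find installed packages whose originating repository is no longer attached.

Added example, not Oracle's or OS Management Hub's code. The dnf invocation is
assumed; the sample output and repository IDs below are constructed.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Assumed invocation: one 'name|evr|from_repo' line per installed package.
REPOQUERY_CMD = ["dnf", "repoquery", "--installed", "--qf", "%{name}|%{evr}|%{from_repo}"]

# Origin values dnf reports when it cannot name the repo a package came from
# (assumption: '@System' when the install history has no repo, '@commandline'
# for local RPM files). These need a human decision, so they are reported
# separately instead of being counted as orphans.
UNKNOWN_ORIGINS = {"@System", "@commandline", ""}

# Constructed sample mirroring the UEK R6 -> R7 migration described on the page
# (repo IDs and versions are placeholders, not real package data).
SAMPLE_OUTPUT = """\
kernel-uek|5.4.17-sample.el8uek|ol8_UEKR6
kernel-uek-devel|5.4.17-sample.el8uek|ol8_UEKR6
kernel-uek-core|5.15.0-sample.el8uek|ol8_UEKR7
openssl|1.1.1k-sample.el8|ol8_baseos_latest

bash|4.4.20-sample.el8|@System
this line is malformed
"""


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    evr: str      # epoch:version-release
    origin: str   # repo id recorded by dnf for the install


def parse_repoquery(text: str) -> List[InstalledPackage]:
    """Parse 'name|evr|from_repo' lines; blank and malformed lines are skipped."""
    packages: List[InstalledPackage] = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue
        packages.append(InstalledPackage(*parts))
    return packages


def classify(packages: Iterable[InstalledPackage],
             attached_repos: Set[str]) -> Tuple[List[InstalledPackage], List[InstalledPackage]]:
    """Split packages into (orphaned, unknown_origin).

    Orphaned: the origin repo is known but no longer attached, so the package
    will not receive updates and may show up in a security scan.
    """
    orphaned: List[InstalledPackage] = []
    unknown: List[InstalledPackage] = []
    for pkg in packages:
        if pkg.origin in UNKNOWN_ORIGINS:
            unknown.append(pkg)
        elif pkg.origin not in attached_repos:
            orphaned.append(pkg)
    return orphaned, unknown


def orphaned_names(text: str, attached_repos: Set[str]) -> List[str]:
    """Convenience wrapper: sorted names of orphaned packages in repoquery output."""
    return sorted(p.name for p in classify(parse_repoquery(text), attached_repos)[0])


def live_report(attached_repos: Set[str]) -> Tuple[List[InstalledPackage], List[InstalledPackage]]:
    """Run the assumed dnf command on the local host and classify its output."""
    out = subprocess.run(REPOQUERY_CMD, check=True, capture_output=True, text=True).stdout
    return classify(parse_repoquery(out), attached_repos)


if __name__ == "__main__":
    # Sample run: UEK R6 source was detached, UEK R7 and BaseOS remain.
    still_attached = {"ol8_UEKR7", "ol8_baseos_latest"}
    orphaned, unknown = classify(parse_repoquery(SAMPLE_OUTPUT), still_attached)
    for p in orphaned:
        print(f"ORPHANED        {p.name}-{p.evr} (from {p.origin})")
    for p in unknown:
        print(f"UNKNOWN ORIGIN  {p.name}-{p.evr}")
```

On a real instance, pass the set of repository IDs that correspond to the software sources still attached to `live_report`; packages in the orphaned list are candidates for removal (or for re-attaching a source that still supplies them), while the unknown-origin list is where locally installed RPMs and image-baked packages end up and needs manual review.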
For information about removing packages, see:
Reviewing Reports
OS Management Hub generates reports for security updates, bug updates, and instance activity. Review these reports to identify any instances that are out-of-date. See Viewing Reports.