Securing OS Management

Describes security information and recommendations for OS Management.

OS Management allows you to manage and monitor updates and patches for the operating system environments on your Oracle Cloud instances, including instances managed by the OS Management Oracle Autonomous Linux service.

Security Responsibilities

To use OS Management securely, learn about your security and compliance responsibilities.

In general, Oracle provides security of cloud infrastructure and operations, such as cloud operator access controls and infrastructure security patching. You are responsible for securely configuring your cloud resources. Security in the cloud is a shared responsibility between you and Oracle.

Oracle is responsible for the following security requirements:

  • Physical Security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.

Your security responsibilities, described on this page, include the following areas:

  • Access Control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
  • Patching: Keep software up to date with the latest security patches to prevent vulnerabilities.

Initial Security Tasks

Use this checklist to identify the tasks you perform to secure OS Management in a new Oracle Cloud Infrastructure tenancy.

Task | More Information
Use IAM policies to grant access to users and resources | IAM Policies
Remove software sources that are not required on the instance | Software Sources
Set your notification topic for Oracle Autonomous Linux instances | Oracle Autonomous Linux

Routine Security Tasks

After getting started with OS Management, use this checklist to identify security tasks that we recommend you perform regularly.

Task | More Information
Apply the latest security patches | Schedule Patching
Perform a security audit | Auditing

IAM Policies

Use policies to limit access to OS Management.

A policy specifies who can access Oracle Cloud Infrastructure resources and how. For more information, see How Policies Work.

Assign each group the least privileges required to perform its responsibilities. Each policy has a verb that describes which actions the group is allowed to perform. From the least amount of access to the most, the available verbs are: inspect, read, use, and manage.

For more information about OS Management policies and to view examples, see Setting Up IAM Policies for OS Management and Setting Up Required IAM Policies for Autonomous Linux.
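
The following added example (not part of the original page and not Oracle code) checks policy statements against a per-group verb ceiling, using the verb order given above. The resource-type names (osms-family, osms-managed-instances), the group names, and the simplified statement grammar are assumptions.

```python
import re

# Verbs ranked from least to most access, in the order this page lists them.
RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# Simplified statement grammar (an assumption; real policies allow more forms).
STATEMENT = re.compile(
    r"^\s*allow\s+(?:group|dynamic-group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>[a-z]+)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?:tenancy|compartment\s+\S+)(?:\s+where\s+.+)?\s*$",
    re.IGNORECASE,
)

def covers_os_management(resource):
    # Assumed naming: "osms-" prefix; "all-resources" includes them implicitly.
    return resource.startswith("osms-") or resource == "all-resources"

def audit(statements, ceilings):
    """Return (statement, reason) pairs for grants above a subject's ceiling."""
    findings = []
    for text in statements:
        match = STATEMENT.match(text)
        if match is None:
            findings.append((text, "not parsed, review manually"))
            continue
        subject, verb = match["subject"], match["verb"].lower()
        if not covers_os_management(match["resource"].lower()):
            continue
        if verb not in RANK:
            findings.append((text, f"unknown verb '{verb}'"))
        elif subject not in ceilings:
            findings.append((text, f"no ceiling defined for '{subject}'"))
        elif RANK[verb] > RANK[ceilings[subject]]:
            findings.append((text, f"grants '{verb}', ceiling is '{ceilings[subject]}'"))
    return findings

# Constructed sample statements and per-group ceilings (hypothetical names).
SAMPLE_POLICIES = [
    "Allow group PatchOperators to use osms-family in compartment prod",
    "Allow group Auditors to manage osms-family in tenancy",
    "Allow group Auditors to read osms-family in compartment prod",
    "Allow group Interns to inspect all-resources in tenancy",
    "Allow dynamic-group ManagedHosts to use osms-managed-instances in compartment prod",
    "Allow group NetAdmins to manage virtual-network-family in tenancy",
]
SAMPLE_CEILINGS = {"PatchOperators": "use", "Auditors": "read", "ManagedHosts": "use"}

if __name__ == "__main__":
    for statement, reason in audit(SAMPLE_POLICIES, SAMPLE_CEILINGS):
        print(f"{reason}: {statement}")
```

Statements that do not touch OS Management resource types are skipped, and a group with no defined ceiling is reported rather than silently accepted.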

Software Sources

Remove software sources that are not required for your Oracle Linux instances.

OS Management uses software sources to provide packages to instances, and to track the available updates to those packages. Standard software sources are provided in the root compartment of the tenancy. The standard software sources are linked to the standard upstream repositories for the operating system.

When OS Management is enabled for an instance, a set of default software sources for the operating system are added to the instance. You can remove software sources that are not required for your instances to minimize the number of packages available to the instance, thus reducing the package installation footprint.

For more information about removing software sources, see Removing Software Sources.

You can further minimize the package installation footprint by creating custom software sources. For more information about custom software sources, see Software Sources for Oracle Linux.

Oracle Autonomous Linux

Set your notification topic for Oracle Autonomous Linux instances.

After creating an Oracle Autonomous Linux instance, set the notification topic for the instance using the Console, CLI, or API. Autonomous Linux uses Notifications service topics to send out notifications about autonomous updates and events.

For more information, see Managing Autonomous Linux Settings.

Scheduling Patching

Ensure that your managed instances are running the latest security updates.

Keep instance software up to date with security patches. We recommend that you periodically apply the latest available software updates to your instances. For more information, see Managing Linux Packages and Managing Windows Updates.

Auditing

Run compliance reports regularly to ensure managed instances have installed the latest security updates.

Using the Python SDK with the OS Management service, you can run a security compliance report. For an example Python script that generates a security compliance report, either across a tenancy or per compartment, for all managed instances that are missing security updates, see Using the Python SDK to Generate Compliance Reports.