Oracle linux package manager
The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
3.11 Configuring and Using Software Management
Oracle Linux provides the yum utility, which you can use to install or upgrade RPM packages. The main benefit of using yum is that it also installs or upgrades any package dependencies. yum downloads packages from repositories such as those that are available on the Oracle Linux yum server and the Unbreakable Linux Network (ULN), but you can also set up your own repositories on systems that do not have Internet access.
The Oracle Linux yum server is a convenient way to install Oracle Linux packages rather than installing them from installation media. You can also subscribe to the Oracle Linux errata mailing list, and obtain bug fixes, security fixes and enhancements. You can access the server at https://yum.oracle.com/.
If you have registered your system with ULN, you can use yum with the ULN channels to maintain the software on your system.
You can use the RPM package manager to verify the integrity of installed system files. The rpm -V package and rpm -Vf filename commands verify packages and files respectively by comparing them with package metadata in the RPM database. The verify operation compares file size, MD5 sum, permissions, type, owner, and group and displays any discrepancies. To see more verbose information, specify the -v option. You can use the rpm -qa command to verify the integrity of all the packages that are installed on a system, for example:
# for i in `rpm -qa`
> do
> rpm -V "$i" > .tmp || echo -e "\nDiscrepancies for package $i" && cat .tmp
> rm -f .tmp
> done

Discrepancies for package gdm-2.30.4-33.0.1.el6_2.x86_64
.M....G..    /var/log/gdm
.M.......    /var/run/gdm
missing     /var/run/gdm/greeter

Discrepancies for package libgcj-4.4.6-4.el6.x86_64
..5....T.  c /usr/lib64/security/classpath.security

Discrepancies for package sudo-1.7.4p5-12.el6_3.x86_64
S.5....T.  c /etc/sudoers

Discrepancies for package libcgroup-0.37-4.el6.x86_64
S.5....T.  c /etc/cgconfig.conf

Discrepancies for package yum-3.2.29-30.0.1.el6.noarch
.......T.  c /etc/yum.conf

Discrepancies for package kernel-2.6.32-279.el6.x86_64
.......T.    /etc/ld.so.conf.d/kernel-2.6.32-279.el6.x86_64.conf
...
A string of character codes indicates the discrepancies between an installed file and the metadata for that file. The following table lists the meanings of the character codes in the output from rpm -V:
Description of Difference
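The attribute strings printed by rpm -V can be triaged mechanically, so that a changed binary stands out from an edited configuration file. The following is an added example, not part of the original documentation: it assumes the 9-column attribute order S M 5 D L U G T P used by rpm 4.x, the severity labels are the example's own convention, and the sample input (including the example-1.0 package) is constructed.

```bash
#!/usr/bin/env bash
# Added example: triage `rpm -V` output read from stdin.
# Assumes the 9-column attribute string of rpm 4.x: S M 5 D L U G T P.
# The severity labels are this example's own convention.

triage_rpm_verify() {
    awk '
    BEGIN { n = split("size mode digest device symlink owner group mtime capabilities", attr, " ") }
    $1 == "missing" { printf "HIGH    %s missing\n", $NF; next }
    length($1) != 9 || $1 !~ /^[.?SM5DLUGTP]+$/ { next }   # package headers, blank lines
    {
        changed = ""; content = 0; perms = 0
        for (i = 1; i <= n; i++) {
            ch = substr($1, i, 1)
            if (ch == "." || ch == "?") continue           # test passed or could not be run
            changed = changed (changed == "" ? "" : ",") attr[i]
            if (i == 1 || i == 3) content = 1              # size or digest differs
            if (i == 2 || i == 6 || i == 7) perms = 1      # mode, owner or group differs
        }
        if (changed == "") next
        is_cfg = (NF == 3 && $2 == "c")                    # "c" marks a %config file
        if (content && !is_cfg) sev = "HIGH"               # packaged non-config content changed
        else if (perms)         sev = "MEDIUM"             # permission or ownership drift
        else if (content)       sev = "REVIEW"             # edited config, confirm it is expected
        else                    sev = "LOW"                # timestamp-only differences
        printf "%-7s %s %s\n", sev, $NF, changed
    }'
}

# Constructed sample in the format produced by the loop shown earlier.
sample_rpm_verify() {
cat <<'EOF'
Discrepancies for package gdm-2.30.4-33.0.1.el6_2.x86_64
.M....G..    /var/log/gdm
missing     /var/run/gdm/greeter
Discrepancies for package sudo-1.7.4p5-12.el6_3.x86_64
S.5....T.  c /etc/sudoers
.......T.  c /etc/yum.conf
Discrepancies for package example-1.0-1.el6.x86_64
S.5....T.    /usr/bin/example
EOF
}

sample_rpm_verify | triage_rpm_verify
```

On a live system, pipe the real output in instead of the sample, for example `rpm -Va | triage_rpm_verify`.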
Installing Software Packages (rpm, yum)
This article provides an overview of the rpm and yum commands for installing software packages on Linux, with specific reference to the information needed for the RHCSA EX200 and RHCE EX300 certification exams.
Remember, the exams are hands-on, so it doesn’t matter which method you use to achieve the result, so long as the end product is correct.
rpm
The rpm command is used to install, update, list and remove software packages. The command expects to be supplied with flags to indicate the mode of operation and one or more package files. Check out the man pages for a list of all the available options. Using the "-i" flag indicates you are attempting an install of one or more packages. The example below attempts to install a package from a CD. Notice wildcards are supported.
# cd /media/cdrom/Packages
# rpm -ivh system-config-lvm*
warning: system-config-lvm-1.1.12-9.el6.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing...                ########################################### [100%]
   1:system-config-lvm      ########################################### [100%]
#
The "-U" option uses the supplied packages to update the system. If a package already exists on the system, but the supplied package is newer, it will be applied. If the package does not already exist on the system, it will be installed.
# rpm -Uvh system-config-lvm*
warning: system-config-lvm-1.1.12-9.el6.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
Preparing...                ########################################### [100%]
        package system-config-lvm-1.1.12-9.el6.noarch is already installed
#
The "-q" option allows you to query installed packages. You can then erase specific packages using the "-e" option.
# rpm -q system-config-lvm
system-config-lvm-1.1.12-9.el6.noarch
# rpm -e system-config-lvm-1.1.12-9.el6.noarch
#
The big limitation of the rpm command is it does not handle dependencies for you. If there are missing dependencies, an installation will fail. It is for this reason you will probably prefer to use the yum command described below.
yum Repositories
The yum command requires a repository as the source of the packages. If you are connected to the internet, you may choose to use the repository provided by your Linux distribution. In this case I am using Oracle Linux 6.x, so I could use the repository provided by Oracle (public-yum.oracle.com). If you have paid for RHEL support, you will register your server using the rhn_register command, which will configure a yum repository.
You can also create a local repository from a distribution DVD, CD or iso file. To do this you will need to mount the DVD, CD or iso file.
# mkdir /media/cdrom

# # Mount physical/virtual cdrom/dvd
# mount /dev/cdrom /media/cdrom

# # Mount ISO image
# mount -o loop /path/to/disk1.iso /media/cdrom
Next, you can do one of two things.
- Use the DVD directly as a Yum repository.
- Create a new Yum repository by copying the packages off the DVD.
To use the DVD directly, create a file called "/etc/yum.repos.d/dvd.repo" with the following contents, where the "baseurl" points to your DVD mount point.
[dvd]
name=Oracle Linux Installation DVD
baseurl=file:///media/cdrom
enabled=0
Import the GPG key from the DVD.
# rpm --import /media/cdrom/RPM-GPG-KEY
You can now use the DVD as a Yum repository by referencing it using the "--enablerepo" option.
# yum install --enablerepo=dvd system-config-lvm
If you want to take the second option and create a new Yum repository by copying the packages off the DVD, create a local directory to hold the yum repository and copy the packages to it.
# mkdir /repo
# cp /media/cdrom/Packages/* /repo
To create a repository, we need to install the createrepo package, which requires a couple of dependencies.
# cd /repo
# rpm -ivh deltarpm* python-deltarpm*
# rpm -ivh createrepo*
Now we can create a repository out of the contents of the directory.
To allow the yum command to use the repository, we must create a ".repo" file in the "/etc/yum.repos.d" directory. Create a file called "/etc/yum.repos.d/localrepo.repo" with the following contents.
[localrepo]
name=localrepo
baseurl=file:///repo/
enabled=1
gpgcheck=0
Notice the "baseurl" parameter. This indicates the location of the repository. In this case I am using a local file system, so the parameter is set to "file://" followed by the path to the repository "/repo/". If this were an internet repository we would expect a baseurl with an HTTP address. For example, the Oracle Linux repository setting would be as follows.
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/2/base/$basearch/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
When using internet repositories, you typically expect the "gpgkey" entry as a security precaution.
You should now be able to use the yum command to install packages.
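The repository definitions above differ in how much signature checking they ask yum to do, and that is worth checking across every file in /etc/yum.repos.d. The following is an added example, not part of the original article: the function name, the finding messages and the [example_remote] section (its name and its gpgcheck/enabled lines) are constructed, while the [dvd] and [localrepo] sections and the two URLs are the ones shown above.

```bash
#!/usr/bin/env bash
# Added example: audit yum .repo definitions (read from stdin) for weak
# signature-checking settings. Finding messages are this example's own.

audit_repo() {
    awk '
    function flush() {
        if (sec == "" || sec == "main") return
        if (!("gpgcheck" in kv))          print sec ": gpgcheck not set, inherits [main] from /etc/yum.conf"
        else if (kv["gpgcheck"] != "1")   print sec ": gpgcheck disabled, package signatures are not verified"
        if (!("gpgkey" in kv))            print sec ": no gpgkey, key must already be imported with rpm --import"
        else if (kv["gpgkey"] ~ /^http:/) print sec ": gpgkey is fetched over plain http"
        if (kv["baseurl"] ~ /^http:/)     print sec ": baseurl uses plain http"
        split("", kv)                     # reset for the next section
    }
    /^[ \t]*$/ || /^[ \t]*[#;]/ { next }  # blank lines and comments
    /^\[/ { flush(); sec = substr($0, 2, index($0, "]") - 2); next }
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        kv[key] = val
    }
    END { flush() }'
}

# Constructed sample: the two local repos from the article plus a remote one.
sample_repos() {
cat <<'EOF'
[dvd]
name=Oracle Linux Installation DVD
baseurl=file:///media/cdrom
enabled=0

[localrepo]
name=localrepo
baseurl=file:///repo/
enabled=1
gpgcheck=0

[example_remote]
name=Constructed remote repository
baseurl=http://public-yum.oracle.com/repo/OracleLinux/OL6/2/base/$basearch/
gpgkey=http://public-yum.oracle.com/RPM-GPG-KEY-oracle-ol6
gpgcheck=1
enabled=1
EOF
}

sample_repos | audit_repo
```

To audit a real system, run `cat /etc/yum.repos.d/*.repo | audit_repo`.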
yum
The yum command allows you to install, update, list and remove packages.
# yum install system-config-lvm
# yum update system-config-lvm
# yum list system-config-lvm
# yum remove system-config-lvm
The advantage of yum over the rpm command is it deals with all dependencies for you, prompting you with the required dependencies and the total size of the operation. If you agree, all necessary dependencies will be installed, in addition to your specified package(s).
The main Linux distribution repositories also support package groups, allowing you to install, update or remove entire feature sets using a single command. To check if any groups have been defined in the repository, issue the following command.
You can install, update or remove entire groups of packages as follows.
# yum groupinstall "Development Libraries"
# yum groupupdate "Development Libraries"
# yum groupremove "Development Libraries"
GUI
The "Add/Remove Software" dialog is available from the console menu (System > Administration > Add/Remove Software). Provided you have a yum repository available, you can use this tool to install individual packages or package groups.
Kernel Updates
Updating the kernel on a system is simple using the yum command. Simply issue the following command and the kernel and all its dependencies will be updated.
The updated version of the kernel will be set as the default in the "/boot/grub/grub.conf" file, so next time the system is booted it will be used.
yum-cron
You can choose to download and apply package updates automatically using yum-cron.
If you are using Oracle Linux, you will have to enable the optional repository (ol*_optional_latest) in the "/etc/yum.repos.d/public-yum-ol*.repo" file by switching the "enabled" flag to "1".
Once installed, check the "man yum-cron" page for configuration options. Most of the config files are under the "/etc/yum" directory, but depending on your version of RHEL/OL, the main config file may be placed under the same directory, or under the "/etc/sysconfig" directory.
You can choose to download-only, or download and apply the package changes. In newer versions of RHEL/OL, you also get options to specify the types of changes that will be applied, like only critical updates etc. You can also get it to email you when changes have been applied.
Remember, kernel updates will only take effect after a reboot, so you will need to schedule this where appropriate.
Hope this helps. Regards Tim.
Created: 2012-03-08 Updated: 2019-07-31