DISA STIG for RHEL 8.2 & Oracle DB 19.3.0


I am trying to run Oracle DB 19c on RHEL 8.2 with the DISA STIG security profile enabled during RHEL installation.

I applied the Oracle DB installation prerequisites, but when I try to start runInstaller I get "Operation Not Permitted".

I cannot find what prevents the "oracle" user from running 'perl' while root can do so.

[oracle@rh8-1 ~]$ cd /u01/app/oracle/product/19.3.0/dbhome_1/
[oracle@rh8-1 dbhome_1]$ export CV_ASSUME_DISTID=OEL7.8
[oracle@rh8-1 dbhome_1]$ ./runInstaller
./runInstaller: line 67: /u01/app/oracle/product/19.3.0/dbhome_1/perl/bin/perl: Operation not permitted
[oracle@rh8-1 dbhome_1]$ head -67 runInstaller | tail -1
${ORACLE_HOME}/perl/bin/perl -I${ORACLE_HOME}/perl/lib -I${ORACLE_HOME}/bin ${ORACLE_HOME}/bin/dbSetup.pl -J-D${CVU_OS_SETTINGS} $*
[oracle@rh8-1 dbhome_1]$ ${ORACLE_HOME}/perl/bin/perl
bash: /u01/app/oracle/product/19.3.0/dbhome_1/perl/bin/perl: Operation not permitted
[oracle@rh8-1 dbhome_1]$ su -
Password:
Last login: Mon Nov 2 00:11:31 +03 2020 on pts/0
[root@rh8-1 ~]# cd /u01/app/oracle/product/19.3.0/dbhome_1/perl/bin/
[root@rh8-1 bin]# ./perl --version

This is perl 5, version 28, subversion 1 (v5.28.1) built for x86_64-linux-thread-multi

Copyright 1987-2018, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

[root@rh8-1 bin]#

Responses

I have Oracle DB 19c installed successfully on RHEL 8.2 when I don't apply the security profile at RHEL installation.

Stopping/disabling the fapolicyd systemd unit (systemctl stop fapolicyd, followed by systemctl disable fapolicyd) helps.

CAUSE: Incorrect umask value set for the installing user, or the Perl interpreter is not able to execute the perl program due to operating system hardening.

SOLUTION:

1) Set the default file mode creation mask (umask) to 022 for the installation user.

2) Disable operating system hardening at the OS level, with the assistance of the Unix system administrator.

Re-execute:

./runInstaller

Hi Wang,

Great solution.

I would prefer Solution 1, as it does not affect other hardening settings.

Regards,

Jan Gerrit

Hello Wang,

We set the default UMASK to 077 at build time, along with other security requirements; however, we will often change it temporarily on the command line to 022 if needed for an install.

egrep UMASK /etc/login.defs
UMASK 077

Regards,
RJ

Updated my post above