This post discusses the tasks for preparing the operating system before installing WebLogic Server.
1) Validate Operating System
The very first thing to do is to validate that the latest critical updates and patches are applied. Everyone talks about it. However, breaches occur regularly because it is not done.
I recommend manually running the process to validate that the latest critical updates and patches are all applied before starting the installation. This means running Windows update on Windows machines. Linux and Unix provide similar capabilities.
Next, I recommend validating that the process is scheduled to run regularly to retrieve and install the latest critical updates and patches. It is one thing to check manually; it is another to be proactive about it.
Another aspect that is critical is subscribing to vulnerability alerts. It is simple, if you are serious about information security, you must subscribe. Software vendors such as IBM, Microsoft, Novell, Oracle, Red Hat and many more publish them. You must be proactive about it. There might be a delay before a critical update or patch is available. This window presents an opportunity. I suggest being paranoid about it and assume your systems are at risk instead of scrambling to deal with a breach.
2) Create Dedicated User and Group
Linux and Unix security best practices recommend using dedicated users and groups for operations, administration, and management (OA&M) of application software, services and components that can be accessed remotely. The same approach applies to a Windows machine. Obviously, when installing WebLogic Server, I recommend applying this practice. Many Oracle products are installed using a user named oracle. Here again, I suggest being paranoid and using an original user name.
3) Create Installation Directories
Generally, on Unix and Linux machines, I recommend installing WebLogic Server following the Filesystem Hierarchy Standard (FHS). As an example, I usually install WebLogic Server on Linux in a directory such as /usr/local/oracle/middleware. On Windows, I will install in a directory such as \oracle\middleware (obviously in the root of the drive). In beyond basics, I will explore the benefits and tradeoffs of using a known or common path to install WebLogic Server.
Most importantly, you must secure the installation directory. Assuming WebLogic Server will be installed to /usr/local/oracle/middleware, access control should be set up to limit access to the /usr/local/oracle directory (all files and subdirectories it includes) to the account used for installing WebLogic Server. I even recommend removing all permissions for the group, not just world (or everyone in Windows).
Furthermore, following OA&M best practices, I recommend locating (application and user) data separately from software products. The WebLogic domain could easily be located in the /var hierarchy on Linux or within the home or user directory to the account used for installing WebLogic Server. Similarly, this directory must be “locked down”, and only accessible to the account used for installing WebLogic Server.
In Closing…
Those are general basic recommendations to prepare the environment before proceeding with the installation. Some are basic, well-known, and common practices. However, as stated before breaches occur regularly because they are not followed.
When preparing the operating system, there are other practices that can be applied depending on the level of risks, and/or your appetite for risks. I suggest having a look at the NSA Hardening Guides. You can also find many additional resources on the internet along the same lines.
In my next post, I will discuss additional security practices (e.g. software firewalls) to consider before proceeding with installing WebLogic Server.
