Template:Software-Policy
From The Linux Source
- Software installation must happen through Spacewalk, or Archiva for Java components. Only RPM packages can be installed on systems; tarballs are not allowed and must be converted to an RPM and installed via Spacewalk.
- The yum-priorities plugin (on non-RedHat systems) and the yum-protectbase plugin (on RedHat and OracleLinux systems) must be installed and configured to ensure proper OS security updates are applied.
- All systems must be registered with Spacewalk. Spacewalk is used for all updates and for central management and reporting.
- OracleLinux 6.x must have UEK3 kernels disabled (6.x UEK3 is based on Enterprise 7.x) per Database Team requirements.
- Spacewalk required packages must be installed on CentOS. Note: RedHat now requires one additional package.
- Yum must be configured such that kernel and other packages are "updated", not "installed", to prevent multiple versions being installed simultaneously.
- Only approved repos with proper priority levels set may be utilized (out of kickstart), or, when using Spacewalk, Spacewalk must have proper priority levels set for all repos.
- JBoss must not be used, as it is not licensed to receive updates, and is vulnerable to known exploits. This also applies to internal systems since they may be exposed either directly, or indirectly via a proxy. Tomcat is approved as a JBoss replacement, as it receives security updates from the distro provider.
- Application deployments must not be run as root, but as an unprivileged app user. Deployments should include a separate one-time setup mode for any functionality that requires root access (i.e., to install software from yum repos, verify users, etc. - but not add users, configuration, etc.), with regular deployments run as the app user.
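
A check for the repo-priority requirement above, as an added example that is not part of the original policy: it lists enabled yum repos that have no `priority=` line. The function names and the sample repo file are constructed for illustration, and standard yum `.repo` INI syntax is assumed.

```shell
#!/bin/sh
# Added example: audit yum repo files for enabled repos with no priority set.
# Assumes standard yum INI syntax; function names here are illustrative.

# unprioritized_repos FILE...
# Prints the id of each enabled repo section that has no numeric priority= line.
unprioritized_repos() {
    awk '
        function report() {
            if (id != "" && id != "main" && enabled && !prio) print id
        }
        FNR == 1 { report(); id = "" }      # do not carry state across files
        /^[ \t]*\[.*\][ \t]*$/ {            # start of a new [section]
            report()
            id = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
            enabled = 1; prio = 0           # yum enables a repo unless told otherwise
            next
        }
        /^[ \t]*[#;]/ { next }              # comment lines
        {
            line = $0
            gsub(/[ \t]/, "", line)
            if (line ~ /^enabled=/) enabled = (line ~ /^enabled=(1|[Tt]rue|[Yy]es)$/)
            if (line ~ /^priority=[0-9]+$/) prio = 1
        }
        END { report() }
    ' "$@"
}

# Constructed sample input (not from the policy page): three repo sections.
write_sample() {
    cat > "$1" <<'EOF'
[base]
name=Base
enabled=1
priority=1

[thirdparty]
name=Third party
enabled=1

[testing]
name=Testing
enabled=0
EOF
}

sample=$(mktemp)
write_sample "$sample"
unprioritized_repos "$sample"    # prints: thirdparty
rm -f "$sample"
```

On a real host the function would be pointed at `/etc/yum.repos.d/*.repo`; any repo id it prints is enabled without an explicit priority.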