Publishing Guidelines for Images

To create templates, stacks, images, and listings for Oracle Cloud Infrastructure Marketplace, ensure that you comply with all the relevant guidelines.

About Marketplace Publisher Guidelines

OCI allows Oracle partners to distribute their solutions to OCI customers via Marketplace. Oracle customers trust that these solutions are built and maintained in a way that ensures that their security and privacy is the top priority.

Customers also expect that solutions deliver as promised, include excellent documentation, and provide a support experience that is effective and low friction. This document describes the minimum bar required of Oracle partners for inclusion in Marketplace. You're encouraged to exceed these specifications, wherever possible. Solutions that include exceptions to these standards must be reviewed and approved by Oracle.

Keywords

This document uses key words as defined by IETF RFC 2119. For more information, seehttps://www.ietf.org/rfc/rfc2119.txt.

Must - This word, or the terms "Required" or "Shall", mean that the definition is an absolute requirement of the specification.
Must not - This phrase, or the phrase "Shall not", mean that the definition is an absolute prohibition of the specification.
Should - This word, or the adjective "Recommended", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
Should not - This phrase, or the phrase "Not recommended" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.
May - This word, or the adjective "optional", mean that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option must be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option must be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)

Vulnerability Severity Levels

Where there is any reference to security vulnerability in this section, the reference is to the Common Vulnerability Scoring System (CVSS) v3.0 ratings system. For more information about CVSS v3.0, see https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.

Security

The Oracle Cloud Infrastructure security overview states that:

We [Oracle] believe that a dynamic security-first culture is vital to building a successful 
security-minded organization. We have cultivated a holistic approach to security culture in which 
all our team members internalize the role that security plays in our business and are
actively engaged in managing and improving our products' security posture. We have also
implemented mechanisms that assist us in creating and maintaining a security-aware culture.

You must read and understand the entire Oracle Cloud Infrastructure approach to security. See Oracle Cloud Infrastructure Security Guide in the Oracle Cloud Infrastructure documentation.

You must maintain a security first culture that understands and values the trust of our mutual customers.

Controls

You must maintain awareness of security alerts and advisories that have an impact on your solutions. Here are some common sources of security alerts:
- SecurityFocus maintains recent advisories for many open source and commercial products. https://www.securityfocus.com/
- The National Vulnerability Database. https://nvd.nist.gov/vuln
- US-CERT and the Industrial Control Systems CERT (ICS-CERT) publish regularly updated summaries of the most frequent, high-impact security incidents. https://www.us-cert.gov/ics
- Full Disclosure at SecLists.org, is a high volume, public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques. https://seclists.org/fulldisclosure/
- The Computer Emergency Readiness Team Coordination Center (CERT/CC) has up-to-date vulnerability information for the most popular products. https://www.cert.org
You should watch for Oracle Cloud Infrastructure platform updates that may have an impact on images that you have published.
You must notify OCI within 3 business days of any newly discovered vulnerabilities that impact your solutions with a CVSS rating of 9.0 or higher.
You must notify Oracle Cloud Infrastructure within 5 business days of any newly discovered vulnerabilities that impact your solutions with a CVSS rating between 7.0 and 8.9.
You must notify OCI within 20 business days of any newly discovered vulnerabilities that impact your solutions with a CVSS rating between 4.0 and 6.9.
You must publish updated solutions that mitigate newly discovered vulnerabilities in a timely fashion.
You must allow customers to keep their solutions updated to protect against newly discovered vulnerabilities. Some common patterns are:
- Automatically applying security updates.
- Allowing a customer to run a command to apply security updates.
- Providing a process that allows a customer to replace any current deployments with an updated version. This process should be sufficiently low friction so that a customer is not discouraged from performing the work required.
You should publish updated solutions with general security updates on a quarterly basis.
If you might require the execution of a non-disclosure agreement before disclosing a vulnerability to Oracle, your must have executed an Oracle Confidentiality Agreement (CDA) prior to publication of your first image. Your Oracle Partner team will assist with this process.

Guidelines for Images

When you create an image list in Oracle Cloud Infrastructure Marketplace, ensure that the images you create for the listing comply with the relevant guidelines.

Mandatory Guidelines for Linux Images

The following table lists the mandatory image guidelines and corresponding error code. Each guideline must be followed. Before an image is published to Oracle Cloud Infrastructure Marketplace, each image is validated against each of the following mandatory guidelines.


Error Code	Description
S01	SSH host keys must be unique to each instance. Use the oci-image-cleanup utility provided by the `oci-utils` package on GitHub. This will remove all SSH host keys, so that they are regenerated on first boot.
S08	Images must ingest an SSH public key provided by a customer as part of the instance launch process. Ensure the image is `cloud-init` enabled.
S10	Any `authorized_keys` files must only contain keys provided by the user when the instance is launched. Use the oci-image-cleanup utility provided by the `oci-utils` package on GitHub.
S14	Root user login must be disabled. At least 1 of the following 3 conditions must be met: The root user's login shell must be set to `/sbin/nologin`. The SSH service config `/etc/ssh/sshd_config` must not permit root login. Manually configure the following setting: `PermitRootLogin no` All entries in the `/root/.ssh/authorized_keys` file must contain no-port-forwarding, no-agent-forwarding, no-X11-forwarding. The root user must not have usable entries in the `authorized_keys` file. Use the oci-image-cleanup utility provided by the `oci-utils` package on GitHub. By default, Oracle Cloud Infrastructure instances that are launched from `cloud-init` enabled images add the forwarding options and use the command option of the `authorized_keys` file to effectively disable any user-provided SSH key for the root user. The code below is a sample of the `authorized_keys` file created by Oracle Cloud Infrastructure using `cloud-init:` no-port-forwarding, no-agent-forwarding, no-X11-forwarding, command="echo 'Please login as the user \"opc\" rather than the user \"root\".';echo;sleep 10"
S16	Images must not have any operating system level users configured with a password and MUST NOT have an empty password.
G01	Image must boot for all compatible shapes. Manually verify by successfully launching instances for each compatible shape.
G03	Image must not have any hard-coded MAC addresses. Empty the `/etc/udev/rules.d/70-persistent-net.rules` file.
G05	DHCP must be enabled. Ensure it is configured manually. Ensuring you can SSH into an instance of this image confirms that DHCP is enabled.
G08	Ensure that the image does not use Instance Metadata Service v1 (IMDSv1). If the image uses IMDSv1 endpoints, Oracle recommends that you disable IMDSv1 and upgrade to IMDSv2. See Upgrading to the Instance Metadata Service v2 in Oracle Cloud Infrastructure documentation.

Mandatory Guidelines for Windows Images


Error Code	Description
W01	Before creating a custom Windows image, you must generalize the Windows instance using Sysprep.
W02	The opc account must not be preserved when running Sysprep generalize.
G08	Ensure that the image does not use Instance Metadata Service v1 (IMDSv1). If the image uses IMDSv1 endpoints, Oracle recommends that you disable IMDSv1 and upgrade to IMDSv2. See Upgrading to the Instance Metadata Service v2 in Oracle Cloud Infrastructure documentation.

Recommended Guidelines for Linux Images

The following guidelines are recommended for images listed in Oracle Cloud Infrastructure Marketplace. Each guideline is considered a best practice that should be followed if possible.


Error Code	Description
S02	Mandatory Access Control (MAC) should be enabled. See https://www.linux.com/news/securing-linux-mandatory-access-controls.
S03	An Operating System (OS) Firewall should be enabled and configured to block any ports not specifically required as indicated in the listing documentation.
S04	All sensitive data such as passwords and private keys should be removed. This type of data can often be found in log files, source code, or build artifacts. To remove such files, use the oci-image-cleanup utility provided by the `oci-utils` package on GitHub.
S07	`cloud-init` packages should be available for use during instance launch.
S11	Configure the SSH service to prevent password-based login. Manually configure the following settings: PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no
S15	Image software should be updated as part of the final packaging process.
S17	Application passwords should not be hard-coded. Any passwords should be uniquely generated the first time the instance launches:
G02	Images should run in paravirtualized mode. Images may run in native mode. Images should not run in emulated mode.
G04	Any network managers should be stopped. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform/3/html/Installation_and_Configuration_Guide/Disabling_Network_Manager.html.
G06	Images should utilize the NTP service provided by Oracle Cloud Infrastructure. See Configuring the Oracle Cloud Infrastructure NTP Service for an Instance.
G07	Images should have iSCSI timeout values set for proper boot volume connectivity. See https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Online_Storage_Reconfiguration_Guide/iscsi-modifying-link-loss-behavior-root.html.