EM12c Release 4: New Compliance features including DB STIG Standard
- by DaveWolf
Enterprise Manager’s compliance framework is a powerful and robust feature that lets users continuously validate their target configurations against a specified standard. Enterprise Manager’s compliance library contains a wide variety of standards based on Oracle’s recommendations, best practices and security guidelines. These standards can easily be associated with a target to generate a report showing its degree of conformance to that standard. (For an overview of database compliance management in Enterprise Manager, see this screenwatch.)
Starting with release 12.1.0.4 of Enterprise Manager, the compliance library contains a new standard based on the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Oracle Database 11g. According to the DISA website, “The STIGs contain technical guidance to ‘lock down’ information systems/software that might otherwise be vulnerable to a malicious computer attack.” In essence, a STIG is a technical checklist an administrator can follow to secure a system or piece of software. Many US government entities are required to follow these standards; many non-US government entities and commercial companies also base their own standards directly or partially on these STIGs.
You can find more information about the Oracle Database and other STIGs on
the DISA website.
The Oracle Database 11g STIG consists of two categories of checks: installation and instance. Installation checks focus primarily on the security of the Oracle Home, while the instance checks focus on the configuration of the running database instance itself. If you view the STIG compliance standard in Enterprise Manager, you will see the rules organized into folders corresponding to these categories.
Each rule name contains a rule ID (DG0020, for example) that maps directly to the check name in the STIG checklist, along with a helpful brief description. The full description field contains the text from the STIG documentation to aid in understanding the purpose of the check. All of the rules are also documented in the Oracle Database Compliance Standards reference documentation.
In order to use this standard, both the OMS and the agent must be at version 12.1.0.4, as it takes advantage of several features new in this release, including:
Agent-Side Compliance Rules
Manual Compliance Rules
Violation Suppression
Additional BI Publisher Compliance Reports
Agent-Side Compliance Rules
Agent-side compliance rules are essentially the result of a tighter integration between Configuration Extensions and Compliance Rules. If you ever created custom compliance content in past versions of Enterprise Manager, you likely used Configuration Extensions to collect additional information into the EM repository so it could be used in a Repository compliance rule. This process, although powerful, could be confusing: the SQL in the rule creation wizard had to be modelled correctly by hand. With agent-side rules, the user only needs to choose the Configuration Extension/Alias combination, and that’s it. Enterprise Manager does the rest for you.
This tighter integration also means their lifecycle is managed together. When you associate an agent-side compliance standard with a target, the required Configuration Extensions are deployed automatically for you. The opposite is also true: when you unassociate the compliance standard, the Configuration Extensions are undeployed as well.
The Oracle Database STIG compliance standard is implemented as an agent-side standard, which is why you simply need to associate the standard with your database targets without first deploying the associated Configuration Extensions.
You can learn more about using agent-side compliance rules in the screenwatch Using Agent-Side Compliance Rules on Enterprise Manager's Lifecycle Management page on OTN.
Manual Compliance Rules
There are many checks in the Oracle Database STIG, as well as in other common standards, that simply cannot be automated. This could be something as simple as “Ensure the datacenter entrance is secured.” or as complex as Oracle Database STIG Rule DG0186, “The database should not be directly accessible from public or unauthorized networks”. These checks require a human to perform them and to attest to their successful completion.
Enterprise Manager now supports these types of checks through Manual rules. When first associated with a target, each manual rule generates a single violation. These violations must be cleared manually by a user, who is in essence attesting to the check's successful completion. The user can either clear the violation permanently or give a future date on which the violation will be regenerated. Setting a future date is useful when policy dictates a periodic re-validation of conformance, in which case the user will have to re-perform the check. The optional reason field gives the user an opportunity to record details of the check results.
Violation Suppression
There are situations that require a legitimate violation or finding to be suppressed, permanently or temporarily. These include approved exceptions and grace periods. Enterprise Manager now supports the ability to temporarily or permanently suppress a violation. Unlike clearing a manual rule violation, suppression simply removes the violation from the compliance results UI and, in turn, its negative impact on the score. The violation still remains in the EM repository and can be accounted for in compliance reports. Temporarily suppressing a violation can give users a grace period in which to address an issue. If the issue is not addressed within the specified period, the violation reappears in the results automatically. Again, the user may enter a reason for the suppression, which is permanently saved with the event along with the suppressing user ID.
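The two lifecycles described above, clearing a manual rule violation (with an optional re-validation date) and suppressing a violation (with an optional grace period), can be made concrete with a small model. This is an added illustration, not Enterprise Manager's own code or repository schema; the Violation class, the flat percentage score, and the use of ISO-8601 date strings are assumptions of the example.

```python
# Added example: a model of manual-rule clearing and violation suppression
# as described in the post. Not Enterprise Manager code. Dates are ISO-8601
# strings ("2014-07-01"), which compare chronologically as plain strings.

class Violation:
    def __init__(self, rule_id, target, generated_on):
        self.rule_id = rule_id
        self.target = target
        self.generated_on = generated_on
        self.cleared = False
        self.cleared_until = None      # manual rule: regenerate on this date
        self.suppressed = False
        self.suppressed_until = None   # grace period: reappear on this date
        self.audit = []                # (action, user, reason, date), kept forever

    def clear(self, user, reason, today, revalidate_on=None):
        """Manual rule attestation; revalidate_on=None clears permanently."""
        self.cleared, self.cleared_until = True, revalidate_on
        self.audit.append(("clear", user, reason, today))

    def suppress(self, user, reason, today, until=None):
        """Hide from results UI and score; until=None suppresses permanently."""
        self.suppressed, self.suppressed_until = True, until
        self.audit.append(("suppress", user, reason, today))

    def refresh(self, today):
        """Re-open a violation whose re-validation date or grace period has passed."""
        if self.cleared and self.cleared_until and today >= self.cleared_until:
            self.cleared, self.cleared_until = False, None
            self.audit.append(("regenerated", "system", "re-validation due", today))
        if self.suppressed and self.suppressed_until and today >= self.suppressed_until:
            self.suppressed, self.suppressed_until = False, None
            self.audit.append(("unsuppressed", "system", "grace period over", today))

    def counts_against_score(self):
        return not (self.cleared or self.suppressed)


def compliance_score(violations, total_rules, today):
    """Simplified score: percentage of rules with no open violation (assumption)."""
    for v in violations:
        v.refresh(today)
    open_count = sum(1 for v in violations if v.counts_against_score())
    return round(100.0 * (total_rules - open_count) / total_rules, 1)


def repository_rows(violations):
    """What the repository still holds for reports: suppressed rows included."""
    return [(v.rule_id, v.target, v.cleared, v.suppressed, v.audit[-1] if v.audit else None)
            for v in violations]
```

Run `compliance_score` over the same list on successive dates to watch a temporarily suppressed violation reappear once its grace period ends, while `repository_rows` returns it throughout.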
Additional BI Publisher compliance reports
As I am sure you have learned by now, BI Publisher now ships with and is integrated into Enterprise Manager 12.1.0.4. This means users can take full advantage of the powerful reporting engine by using the Oracle-provided reports or building their own. There are many new compliance-related reports available in 12.1.0.4, covering all aspects including association status and the compliance library, as well as summary and detailed results reports.
[Figure: 10 New Compliance Reports]
[Figure: Compliance Summary Report example showing STIG results]
Conclusion
Together with the Oracle Database 11g STIG compliance standard, these features provide a complete solution for easily auditing and reporting the security posture of your Oracle Databases against this well-known benchmark. You can view an overview presentation and demo in the screenwatch Using the STIG Compliance Standard on Enterprise Manager's Lifecycle Management page on OTN.
Additional EM12c Compliance Management Information
Compliance Management - Overview ( Presentation )
Compliance Management - Custom Compliance on Default Data (How To)
Compliance Management - Custom Compliance using SQL Configuration Extension (How To)
Compliance Management - Custom Compliance using Command Configuration Extension (How To)