EM12c Release 4: New Compliance features including DB STIG Standard
By Davewolf-Oracle on Jun 13, 2014
Enterprise Manager’s compliance framework is a powerful and
robust feature that provides users the ability to continuously validate their target
configurations against a specified standard. Enterprise Manager’s compliance library
is filled with a wide variety of standards based on Oracle’s recommendations, best
practices and security guidelines. These standards can be easily associated to a
target to generate a report showing its degree of conformance to that standard. ( To get an overview of Database compliance management in Enterprise Manager see this screenwatch. )
Starting with release 126.96.36.199 of Enterprise Manager the compliance library will contain a new standard based on the US Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG) for Oracle Database 11g. According to the DISA website, “The STIGs contain technical guidance to ‘lock down’ information systems/software that might otherwise be vulnerable to a malicious computer attack.” In essence, a STIG is a technical checklist an administrator can follow to secure a system or software. Many US government entities are required to follow these standards however many non-US government entities and commercial companies base their standards directly or partially on these STIGs.
You can find more information about the Oracle Database and other STIGs on the DISA website.
The Oracle Database 11g STIG consists of two categories of checks, installation and instance. Installation checks focus primarily on the security of the Oracle Home while the instance checks focus on the configuration of the running database instance itself. If you view the STIG compliance standard in Enterprise Manager, you will see the rules organized into folders corresponding to these categories.
The rule names contain a rule ID ( DG0020 for example )
which directly map to the check name in the STIG checklist along with a helpful
brief description. The actual description field contains the text from the STIG
documentation to aid in understanding the purpose of the check. All of the
rules have also been documented in the Oracle Database Compliance Standards
In order to use this standard both the OMS and agent must be at version 188.8.131.52 as it takes advantage of several features new in this release including:
- Agent-Side Compliance Rules
- Manual Compliance Rules
- Violation Suppression
- Additional BI Publisher Compliance Reports
Agent-Side Compliance Rules
Agent-side compliance rules are essentially the result of a tighter integration between Configuration Extensions and Compliance Rules. If you ever created customer compliance content in past versions of Enterprise Manager, you likely used Configuration Extensions to collect additional information into the EM repository so it could be used in a Repository compliance rule. This process although powerful, could be confusing to correctly model the SQL in the rule creation wizard. With agent-side rules, the user only needs to choose the Configuration Extension/Alias combination and that’s it. Enterprise Manager will do the rest for you.
This tighter integration also means their lifecycle is managed together. When you associate an agent-side compliance standard to a target, the required Configuration Extensions will be deployed automatically for you. The opposite is also true, when you unassociated the compliance standard, the Configuration Extensions will also be undeployed.
The Oracle Database STIG compliance standard is implemented as an agent-side standard which is why you simply need to associate the standard to your database targets without previously deploying the associated Configuration Extensions.
You can learn more about using Agent-Side compliance rules in the screenwatch Using Agent-Side Compliance Rules on Enterprise Manager's Lifecycle Management page on OTN.
Manual Compliance Rules
There are many checks in the Oracle Database STIG as well as other common standards which simply cannot be automated. This could be something as simple as “Ensure the datacenter entrance is secured.” or complex as Oracle Database STIG Rule DG0186 – “The database should not be directly accessible from public or unauthorized networks”. These checks require a human to perform and attest to its successful completion.
Enterprise Manager now supports these types of checks in
Manual rules. When first associated to a target, each manual rule will generate
a single violation. These violations must be manually cleared by a user who is
in essence attesting to its successful completion. The user is able to
permanently clear the violation or give a future date on which the violation
will be regenerated. Setting a future date is useful when policy dictates a periodic re-validation of conformance wherein the user will have to reperform the check. The optional reason field gives the user an opportunity to provide details of the check results.
There are situations that require the need to permanently or
temporarily suppress a legitimate violation or finding. These include approved
exceptions and grace periods. Enterprise Manager now supports the ability to
temporarily or permanently suppress a violation. Unlike when you clear a manual rule
violation, suppression simply removes the violation from the compliance results
UI and in turn its negative impact on the score. The violation still remains in
the EM repository and can be accounted for in compliance reports. Temporarily suppressing a violation can give
users a grace period in which to address an issue. If the issue is not
addressed within the specified period, the violation will reappear in the
results automatically. Again the user may enter a reason for the suppression which will be permanently saved with the event along with the suppressing user ID.
Additional BI Publisher compliance reports
As I am sure you have learned by now, BI Publisher now ships and is integrated with Enterprise Manager 184.108.40.206. This means users can take full advantage of the powerful reporting engine by using the Oracle provided reports or building their own. There are many new compliance related reports available in 220.127.116.11 covering all aspects including the association status, library as well as summary and detailed results reports.
10 New Compliance Reports
Compliance Summary Report Example showing STIG results
Together with the Oracle Database 11g STIG compliance
standard these features provide a complete solution for easily auditing and
reporting the security posture of your Oracle Databases against this well known
benchmark. You can view an overview presentation and demo in the screenwatch Using the STIG Compliance Standard on Enterprise Manager's Lifecycle Management page on OTN.
Additional EM12c Compliance Management Information