Oracle® Enterprise Manager Cloud Control Administrator's Guide
12c Release 1 (12.1.0.1)

Part Number E24473-01

8 Compliance

Compliance is the conformance to standards, or requirements, or both.

Enterprise Manager Compliance Management (EMCM) provides the ability to evaluate the compliance of targets and systems as they relate to business best practices for configuration, security, and storage. This is accomplished by defining, customizing, and managing compliance frameworks, compliance standards, and compliance standard rules. In addition, EMCM provides advice on how to change configuration to bring your targets and systems into compliance.

This chapter explains how EMCM verifies that applications in your enterprise comply with preestablished standards and how to manage the compliance structure. This chapter includes:

Compliance Overview

The Oracle Enterprise Manager Compliance Management (EMCM) solution provides the tools to evaluate targets and systems for compliance with business best practices in terms of configuration, security, storage, and so on. In addition, EMCM provides the capability to define, customize, and manage the entities used to evaluate compliance.

The compliance solution:

Before you start using the compliance features, there are a few basics you need to know. See the following for details:

Terminology Used in Compliance

Compliance frameworks, compliance standards, and compliance standard rules are some of the terms used when describing and managing compliance. The following terms are used throughout this chapter when discussing the compliance feature:

  • Compliance Framework

    A compliance framework is an industry-specified best practices guideline that deals with the underlying IT infrastructure, applications, business services and processes, and how they are organized, managed and monitored. Compliance frameworks are hierarchical to allow for direct representation of these industry frameworks. A Compliance Framework can be used to represent a framework such as PCI.

    A compliance framework is a way for you to map your standards to a structure similar to the regulatory or standard compliance structure you use in your company.

  • Compliance Standard

    A compliance standard is a collection of checks or rules. It is the Enterprise Manager representation of a compliance control that must be tested against some set of IT infrastructure to determine if the control is being followed.

    A compliance standard performs a collection of checks that follow broadly accepted best practices. This ensures that IT infrastructure, applications, business services and processes are organized, configured, managed, and monitored properly. A compliance standard evaluation can provide information related to platform compatibility, known issues affecting other customers with similar configurations, security vulnerabilities, patch recommendations, and more.

  • Compliance Standard Rule

    A compliance standard rule is a test to determine if a configuration data change affects compliance. A compliance standard rule is mapped to one or more compliance standards.

    Enterprise Manager 12c has the following types of rules.

    • Repository Rule

      Used to perform a check against any metric collection data in the Management Repository.

    • WLS Signature Rule

      Used to check a WebLogic target for support best practice configurations. This type of rule is not relevant for external/partner plugins.

    • Real-time Monitoring Rule

      Used to monitor actions to files, processes, and more. Also captures user login/logout activities.

  • Compliance Standard Rule Folder

    Compliance standard rule folders are hierarchical structures that contain compliance standard rules.

  • Importance

    For compliance frameworks, importance indicates the relative importance of a compliance standard to all other compliance standards in the compliance framework.

    For compliance standards, importance indicates the relative importance of a compliance standard rule to all other compliance standard rules in the compliance standard. The values represent a way of weighting a compliance standard.

  • Score

    A target's compliance score for a compliance standard is used to reflect the degree of the target's conformance with respect to a compliance standard. The compliance score is in the range of 0% to 100% inclusive. A compliance score of 100% indicates a target fully complies with the compliance standard.

  • Real-time Facets

    The real-time monitoring rule definition includes facets that are used to determine what is important to monitor for a given target type, target properties, and entity type. A facet is a collection of patterns that make up one attribute of a target type.

  • Real-Time Observations

    Observations are the actions that were seen on a host or target that were configured to be monitored through real-time monitoring rules. Each distinct user action results in one observation.

In Summary

Compliance standard rules perform single health and real-time monitoring checks. These checks are grouped into compliance standards which together constitute one test of compliance. These compliance standards are then grouped into respective compliance frameworks so that the results of the test can be associated with the areas of your framework being affected.

Accessing the Compliance Features

To access the compliance features, navigate to the Enterprise menu on the Cloud Control home page, select Compliance, then select one of the following:

  1. Results

    Compliance results include evaluation results and errors for compliance frameworks and compliance standards, as well as target compliance.

  2. Library

    The Compliance Library page contains the entities used for defining standards. From the Compliance Library page you can manipulate compliance frameworks, compliance standards, compliance standard rules, and real-time monitoring facets.

    Note that the real-time monitoring facets are only for real-time monitoring rules.

  3. Real-Time Observations

    Examination of observations made through Real-time Monitoring.

Privileges and Roles Needed to Use the Compliance Features

To use the compliance standard features, you need to have access to the following privileges and roles.

| Privilege | Description |
| --- | --- |
| CREATE_COMPLIANCE_ENTITY | Allows you to create compliance standards, compliance standard rules, and Real-time Monitoring facets |
| FULL_ANY_COMPLIANCE_ENTITY | Allows you to edit and delete compliance standards and compliance standard rules |
| VIEW_ANY_COMPLIANCE_FWK | Allows you to view compliance framework definition and results |
| MANAGE_TARGET_COMPLIANCE | Allows you to associate a compliance standard to a target |
| VIEW | Allows you to view a single target |

| Role | Description |
| --- | --- |
| EM_COMPLIANCE_DESIGNER | Using this role you can create, modify, and delete compliance standards, compliance standard rules, and Real-time Monitoring facets. |
| EM_COMPLIANCE_OFFICER | Using this role you can view compliance framework definitions and results. |

The following table lists the compliance tasks with the privileges and roles required.

| Task | Privileges and Roles Required |
| --- | --- |
| Create compliance framework | CREATE_COMPLIANCE_ENTITY privilege; VIEW_ANY_COMPLIANCE_FWK privilege |
| Edit and delete compliance framework | FULL_ANY_COMPLIANCE_ENTITY privilege; VIEW_ANY_COMPLIANCE_FWK privilege |
| Create, edit, and delete compliance framework | EM_COMPLIANCE_DESIGNER role; EM_COMPLIANCE_OFFICER role |
| Associate a compliance standard to a target | MANAGE_TARGET_COMPLIANCE privilege |
| Import or export a compliance framework | EM_COMPLIANCE_DESIGNER role; EM_COMPLIANCE_OFFICER role |
| Create a real-time monitoring rule | EM_COMPLIANCE_DESIGNER role |
| Create a real-time monitoring facet | EM_COMPLIANCE_DESIGNER role |

Additional restrictions regarding the use of the compliance features include:

  • Ensure you have privileges to access the compliance standards you will be associating with the target. In particular, you need the Manage Target Compliance privilege on the target.

  • When you are working with a compliance framework, ensure that the compliance framework to be edited is defined in the Management Repository.

  • Ensure you have the privilege to manipulate real-time monitoring facets.

Evaluating Compliance

Compliance evaluation is the process of testing the compliance standard rules within a compliance standard against a target and recording any violations in the Management Repository.

By evaluating a target against a compliance standard, you are determining whether a target complies with the guidelines of the standard. In the case when a target does not meet the desired state, the test may suggest what changes are required to make that target compliant.

Compliance evaluation generates a score for a target that indicates how compliant the target is with the standard. A 100% compliance score means that the target follows all requirements and regulations imposed by the compliance standard.

Because target compliance is required to be monitored regularly, you need to associate a compliance standard with a single target. Evaluation is performed automatically for any associated target when its state refreshes, that is, when new data has been collected from the target. For Repository Rules, when new data for the target gets loaded into the Management Repository, evaluation happens again. For Real-time Monitoring, evaluation happens when an observation occurs.

What Compliance Evaluation Includes

Compliance evaluation includes:

What You Can Do To Ensure Compliance

Consider performing the following:

The following sections provide additional details:

Accessing Compliance Statistics

Compliance statistics are available throughout the Enterprise Manager interface in Compliance Summary regions located on pages such as the Enterprise Summary page and a target's home page.

These regions report the violations and compliance scores for the particular targets. However, the region only reports that there is a violation; it does not give the details. For example, a violation can be against the Secure Port compliance standard rule that is part of the Secure Configuration for Host compliance standard. But you will not know the details just by looking at the Compliance Summary region.

How to Determine the Compliance Standard Rule Being Violated and the Target Causing the Violation

Say that you are looking at the Enterprise Summary page and you notice that there are critical violations against the Secure Configuration for Host compliance standard. You need to find what targets are causing the violations. Follow these steps:

  1. From the Enterprise menu, select Compliance, then select Results.

  2. In the Evaluations Results tab for Compliance Standards, highlight the Secure Configuration for Host compliance standard. Click Show Details.

  3. In the Summary tab on the Compliance Standard Result Detail page, you can look at the results either by target or compliance standard rule. For this example, we will use Result by Compliance Standard Rule.

  4. In the navigational list, click the Secure Ports compliance standard rule. In the resulting Secure Ports Summary tab, you will get a list of all the targets that are violating the Secure Ports rule. This is a security issue that needs to be addressed.

How to View All the Violations Reported for Your Enterprise

Say that you want to see all the targets that are not compliant with the compliance standards. To access this information:

  • From the Enterprise menu, select Compliance, then select Results. You have the option of viewing violations associated with compliance standards and compliance frameworks.

    • Click the Target Compliance tab for a roll-up view of all violations across all targets, that is, all those targets that are out of compliance.

    • Click the Compliance Standards tab to view the list of compliance standards against which there are violations. From this tab, you can also access the Errors tab to view the errors against the compliance standard.

  • Navigate to the Home page for a particular target. The Compliance Standard Summary region lists the compliance violations according to severity level. Click the name of the compliance standard of interest to view the details of the violations.

Viewing Compliance Summary Information

Compliance summary information is available from the Cloud Control home page and individual target home pages.

To view compliance summary information from the Cloud Control home page, follow these steps:

  1. Navigate to the Cloud Control home page.

  2. From the Enterprise menu, select Compliance, then select Results.

To view compliance summary information from a target's home page, follow these steps:

  1. Navigate to the Cloud Control home page.

  2. From the Targets menu, select the target type, and click the target.

  3. On the target's home page, scroll down to the Compliance Standards Summary region.

To view compliance summary information from the target menu on a target's home page, follow these steps:

  1. Navigate to the Cloud Control home page.

  2. From the Targets menu, select the target type, and click the target.

  3. On the target's home page, click the target menu located at the top-left of the page.

  4. Select Compliance, then select Results. On the Results page, click Target Compliance.

Viewing Target Compliance Evaluation Results

Target compliance evaluation results are available by way of the Cloud Control home page and individual target home pages. When testing a target, the possible evaluation results are:

| Evaluation Results | Description |
| --- | --- |
| Compliant | Target meets the desired state |
| Non-Compliant | Target does not meet the desired state. At least one test in the compliance standard detected a deviation from the desired state. |
| Error | No results returned due to an error. The error may be an unexpected internal error or an error in the test. Examples of errors in the test include attempts to divide by zero or to invoke a function with incorrect parameter values. |

To view results using Cloud Control home page, follow these steps:

  1. Navigate to the Cloud Control home page.

  2. From the Enterprise menu, select Compliance, then select Results.

  3. Click the Target Compliance tab. The Target Results page displays the targets with their Average Compliance Score.

To view compliance evaluation results from a target's home page, follow these steps:

  1. Navigate to the Cloud Control home page.

  2. From the Enterprise menu, select Targets, then select the target type.

  3. Click the name of the target in which you are interested.

  4. On the target's home page, scroll to the Compliance Standard Summary region.

Use the page or region to get a comprehensive view of a target with regard to compliance over a period of time. Using the tables and graphs, you can easily watch for trends in progress and changes.

Note: Trend overview data might take up to six hours, after target discovery, to display in the time series charts.

Viewing Compliance Framework Evaluation Results

To effectively use a compliance framework, organize the framework to reflect the compliance framework you use in your organization.

Oracle provides an out-of-box framework for Payment Card Industry (PCI), as well as one for the Oracle Generic Compliance. These out-of-box frameworks can be used as a starting point for you to create your own frameworks to match your needs.

To view the results of a compliance framework evaluation, use the Evaluations Results page accessed through the Compliance Frameworks tab.

  1. From the Enterprise Manager Cloud Control Home page, select Enterprise, select Compliance, then select Results.

  2. On the Compliance Results page, click the Compliance Frameworks tab and highlight the compliance framework of interest.

Tips on Using Compliance Frameworks

Here are a few tips on how to best use compliance frameworks:

  • Manage your compliance framework to match your company's framework

  • Specify or manage compliance standards to define all your compliance tests

  • Manage compliance standard rules

  • Use the Results page, accessed from the Compliance menu, to:

    • Browse and Search Compliance Framework Evaluation Results

    • Browse and Search Compliance Framework Errors

Benefits of Using Compliance Frameworks

Compliance standards are defined to perform tests, for example, test if a configuration is set properly, test to see if real-time changes are occurring, and so on. In turn, a compliance framework is a way to map how different areas of your compliance initiative are going to be affected by the results of those tests.

For example, an organization may choose to define a compliance framework that extends an out-of-box compliance framework. This is accomplished by creating a new compliance framework like the out-of-box compliance framework and including new or existing compliance standards.

Investigating Compliance Violations and Evaluation Results

Here are a few suggestions for investigating compliance violations. Attend to the most critical violations or those that have the biggest impact on your enterprise.

  • Study the statistics on the Enterprise Summary Home page. In particular, look at the statistics in the Compliance Summary region. The compliance violations with "Critical" severity should be dealt with first.

  • Address targets that have the lowest compliance scores.

  • For the compliance violations of a particular target, examine the home page for that target. The Compliance Standard Summary region provides overview information, but it also gives you access to the Trend for that target.

  • To deal with compliance standards regardless of the target, from the Enterprise menu, select Compliance. Using this option, you have access to all the compliance violation events for the enterprise (Result option), the compliance associations, the compliance standard library (Library option), and compliance evaluation errors.

    Note:

    Only results from those targets for which you have View privilege will be available for viewing.

    • Navigate to the Results page for a particular compliance standard. In the navigation tree, click the name of the compliance standard and a summary page lists all the targets along with the number of violations.

    • Navigate to the Trend Overview page to see charts relating to the number of targets evaluated, the average violation count per target, number of targets by compliance score, and the average compliance score.

Using the Compliance Standards Evaluation Results Page

Use the Compliance Standards Evaluation Results page to:

  • View a summary of how well targets, that are expected to comply with a compliance standard, are actually adhering to the standard.

  • View the detailed evaluation results of the compliance standard.

  • Study the details of how well the compliance standard within the targets complied with the compliance standard. The results reflect the hierarchy within the compliance standard as defined by its folders.

  • View how the targets are complying with this compliance standard. By studying the graphs on the Trend Overview page, you can watch for trends and changes in the compliance of the targets to the compliance standard.

  • Study the compliance scores, violation count, and targets evaluated for all the elements of a compliance standard.

  • Study the impact of violations and recommendations. The impact explains why the compliance standard is important. The recommendation explains how to bring a system back into compliance with the compliance standard.

Note: When viewing compliance evaluation results, the most recent results are provided. The results of a compliance evaluation overwrite the previous evaluation's results.

Investigating Evaluation Errors

The Evaluation Errors page reports the deviations from the norm, that is, statistics about the problems encountered during the evaluation. On initial display, the Evaluation Errors page shows all the evaluation errors.

  • Use the Evaluation Errors page to view the errors that occurred as a result of metric collection, as well as those that occurred during the last evaluation.

  • Use the search filter to view only those evaluation errors that meet a set of search criteria that you specify.

  • Click the message in the Message column to decide what your course of action should be to resolve the error.

  • Normally the results of an evaluation overwrite the previous evaluation's results. However, in the case of evaluation failure or data provider collection failure, the previous results are left untouched.

Once the underlying problem is fixed, the error is no longer reported.

Example of Search Filter

By default, all the evaluation errors in your enterprise configuration appear in the results table. However, you can specify a set of search criteria and then perform a search that will display only the evaluation errors that meet those criteria in the results table.

For example, if you choose Host in the Target Type list, contains in the Target Name list, and "-sun" in the adjacent Target Name text field, and then click Go, Enterprise Manager displays, in the results table, only the compliance standard rule evaluation errors for the hosts that contain "-sun" in their names.

Compliance Audit by a Compliance Auditor

Before you perform an audit, ensure that the compliance manager or line of business manager has associated the necessary compliance standards with compliance frameworks that are being followed. The IT administrator then ensures that the compliance standard is associated to the appropriate targets in the environment. Also ensure that you have Enterprise Manager login and view target privileges. (See Privileges and Roles Needed to Use the Compliance Features.)

To verify that targets are compliant, follow these steps:

  1. Determine how compliant the targets are with respect to various compliance frameworks.

    From the Enterprise menu on the Cloud Control home page, select Compliance, then select Results. Click Compliance Frameworks, then select Evaluation Results.

    Analyze the evaluation errors and violations raised.

  2. Determine how compliant the target is with respect to various associated and evaluated compliance standards for that target.

    Click Target Compliance.

    Analyze the evaluation errors and violations raised.

Compliance Reports

Enterprise Manager provides reports specific to compliance: Descriptions and Results. These compliance reports are available by selecting Reports on the Enterprise menu, selecting Information Publisher Reports, and then scrolling to the Compliance section.

  • Descriptions reports

    The Descriptions reports list all the available compliance standards, compliance frameworks, and compliance standard rules available in the Compliance Library. These reports enable you to decide whether additional compliance standards and compliance frameworks need to be defined for your enterprise to attain and maintain its compliance to the standards.

  • Results reports

    The Results reports provide details of the various evaluations against compliance standards and compliance frameworks. Using the Results reports you can view, in one place, all the statistics regarding the compliance of your enterprise against the defined standards. To view the target that is most likely in need of your immediate attention, view the Target with Lowest AVG COMPLIANCE SCORE report. The following are examples of the reports provided:

    • Compliance Standard Results Details

      Displays the compliance summary for all the compliance standards evaluated against a target. Data includes compliance score, compliant and non-compliant rules, violations, and last evaluation date.

    • Compliance Standard Result Summary

      Displays the compliance summary of a particular compliance standard. For example, if there are three targets each reporting on Security Recommendations for Oracle Products compliance, the Result Summary rolls up the information into one report. Data includes average compliance score, the number of targets that need immediate attention, and the number of rules that are non-compliant.

Compliance Score and Importance

A target's compliance score for a compliance standard is used to reflect the degree of the target's conformance with respect to a compliance standard. The compliance score is in the range of 0% to 100% inclusive. A compliance score of 100% indicates a target fully complies with the compliance standard.

During an evaluation, a target is found to be compliant or non-compliant with that compliance standard.

Types of Importance

For compliance frameworks, importance indicates the relative importance of a compliance standard to all other compliance standards in the compliance framework.

For compliance standards, importance indicates the relative importance of a compliance standard rule to all other compliance standard rules in the compliance standard. The values represent a way of weighting a compliance standard.

However, just because a compliance standard rule has an importance of 'low' does not mean that it can safely be ignored.

Importance is used to roll up results bottom up in a compliance standard hierarchy.

The following sections provide examples of how the compliance score is calculated.

How Compliance Score of a Compliance Standard Rule-Target Is Calculated

Note: This calculation is used for WebLogic Server Signature rules and Repository rules.

The compliance score of a compliance standard rule-target is calculated from the severity and importance of the compliance standard rule, which together select a score range (see Table 8-1), and from the total number of violations divided by the total number of rows evaluated for that target.

The formula is:

hirange - (hirange - lorange) * (number of violations / number of rows evaluated)

The following table provides the combination of the severity and importance values used to calculate a compliance score.

Table 8-1 Importance and Severity Ranges

| Importance | Critical Severity (1) | Warning Severity (1) | Minor Warning Severity (1) |
| --- | --- | --- | --- |
| High | 0-25 (2) | 66-75 | 95-96 |
| Normal | 26-50 | 76-85 | 97-98 |
| Low | 51-75 | 86-95 | 99-99 |

(1) low range and high range of the severity

(2) 0 is the lorange; 25 is the hirange

How Compliance Score of a Real-time Monitoring Rule is Calculated

The compliance score of a real-time monitoring rule is a rule-based score that is based on the number of observation bundles that have violations relative to all observation bundles that have happened over time. (Note: There can only be one violation per bundle.)

When calculating the count of past observation bundles, the bundles are weighted, and the weight changes as they get older. For example, if there had been 1,000,000 observation bundles (all of which have no violations) over the history of the Enterprise Manager installation and then one day a new bundle comes in that has a violation, then the score would have been 999,999/1,000,000, or 100% when rounding.

This one violation, though, may be really important in the context of the other bundles that came in just in the last few days. To continue the example, say that in the last week there have been only 10 bundles. Then this one comes in, so 9/10 of the observations are good, or a 90% score. To keep track of the older observations, observation bundles are weighted by how old they are.

The score is calculated using the formula:

1 - V/T
  where T is the sum of all the weighted counts
    and V is the sum of the current violations (which is the same as the number
    of bundles in violation at that time)

The result of the calculation of 1 - V/T will be a number near 1 when V is at or near 0, and a number near 0 when V is close to the value of T.

How Compliance Score of a Compliance Standard for a Target Is Calculated

The compliance score of a compliance standard for each target is calculated by taking the individual compliance score of each rule - target and multiplying it by its importance. This multiplication is repeated for each rule then the resulting products are added. The sum of the products is then divided by the sum of the importance of each rule. See Figure 8-1.

Figure 8-1 How Compliance Score of a Compliance Standard-Target Is Calculated
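
The three score calculations described above (the rule-target range formula with Table 8-1, the real-time 1 - V/T score, and the importance-weighted standard-target average), worked through as an added Python example that is not Oracle's code. The numeric importance weights, the age weights passed to the real-time function, the treatment of zero violations as 100%, and the sample rule results are assumptions; the page does not give them.

```python
# Added example, not Oracle code. Score ranges are copied from Table 8-1;
# the importance weights and the sample rule results are constructed.

# (lorange, hirange) for each (importance, severity) pair, from Table 8-1.
SCORE_RANGES = {
    ("High", "Critical"): (0, 25),
    ("High", "Warning"): (66, 75),
    ("High", "Minor Warning"): (95, 96),
    ("Normal", "Critical"): (26, 50),
    ("Normal", "Warning"): (76, 85),
    ("Normal", "Minor Warning"): (97, 98),
    ("Low", "Critical"): (51, 75),
    ("Low", "Warning"): (86, 95),
    ("Low", "Minor Warning"): (99, 99),
}

# Assumption: the page gives no numeric weight for High/Normal/Low importance.
IMPORTANCE_WEIGHT = {"High": 3, "Normal": 2, "Low": 1}

# Constructed sample: results of three rules on one target. "Secure Ports" is
# a rule name from the page; its importance/severity here are made up.
SAMPLE_RULES = [
    {"rule": "Secure Ports", "importance": "High", "severity": "Critical",
     "violations": 5, "rows": 20},
    {"rule": "constructed rule B", "importance": "Normal",
     "severity": "Warning", "violations": 1, "rows": 10},
    {"rule": "constructed rule C", "importance": "Low",
     "severity": "Minor Warning", "violations": 0, "rows": 8},
]


def rule_target_score(importance, severity, violations, rows_evaluated):
    """Score of one WLS Signature or Repository rule on one target."""
    if rows_evaluated <= 0:
        raise ValueError("rows_evaluated must be positive")
    if not 0 <= violations <= rows_evaluated:
        raise ValueError("violations must be within 0..rows_evaluated")
    if violations == 0:
        # Assumption: a rule with no violations is compliant and scores 100%;
        # the range formula is applied only when violations exist.
        return 100.0
    lorange, hirange = SCORE_RANGES[(importance, severity)]
    # hirange - (hirange - lorange) * (number of violations / rows evaluated)
    return hirange - (hirange - lorange) * (violations / rows_evaluated)


def realtime_rule_score(weighted_bundle_counts, bundles_in_violation):
    """Real-time monitoring rule score, 1 - V/T, as a percentage.

    weighted_bundle_counts is an iterable of (bundle_count, age_weight)
    pairs. The age weights are caller-supplied assumptions.
    """
    total = sum(count * weight for count, weight in weighted_bundle_counts)
    if total <= 0:
        raise ValueError("no weighted observation bundles to score")
    if bundles_in_violation < 0:
        raise ValueError("bundles_in_violation must not be negative")
    # Clamp at 0 because down-weighted old bundles can make T smaller than V.
    return max(0.0, 1 - bundles_in_violation / total) * 100


def standard_target_score(rule_results):
    """Sum of (rule-target score * importance) / sum of importance."""
    if not rule_results:
        raise ValueError("no rule results to roll up")
    weighted_sum = 0.0
    weight_total = 0
    for r in rule_results:
        weight = IMPORTANCE_WEIGHT[r["importance"]]
        score = rule_target_score(
            r["importance"], r["severity"], r["violations"], r["rows"])
        weighted_sum += weight * score
        weight_total += weight
    return weighted_sum / weight_total


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        s = rule_target_score(
            r["importance"], r["severity"], r["violations"], r["rows"])
        print(f'{r["rule"]:<20} {s:6.2f}%')
    print(f"standard-target score {standard_target_score(SAMPLE_RULES):.3f}%")
    # The page's example: 10 recent bundles, one of them in violation.
    print(f"real-time rule score  {realtime_rule_score([(10, 1.0)], 1):.1f}%")
```

A high-importance critical rule can never score above 25 once it has any violation, so a single such rule pulls the standard-target score down sharply even when the other rules are nearly clean.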


How Compliance Score of a Compliance Framework Is Calculated

The compliance framework score is a rolled up weighted average of all compliance standard-target scores across all compliance standards within the compliance framework hierarchy. The weight is based on the importance of a compliance standard. In Figure 8-2, compliance framework CF has 2 standards CS1 and CS2. CS1 is associated and evaluated on targets t1 and t2 and CS2 is associated and evaluated on targets t3 and t4.

Figure 8-2 How Compliance Score of a Compliance Framework Is Calculated


How Compliance Score of a Parent Node Is Calculated

The compliance score of a hierarchy node/parent node is calculated as shown in Figure 8-3. Compliance standards are hierarchical, thus the top node in the tree is known as the parent node.

Figure 8-3 Compliance Score of Parent Node


In Figure 8-3:

  • i represents the number of children

  • S is the score of the child node

  • I is the importance of the child node

Managing Compliance

Before you can use the compliance features, compliance frameworks, compliance standards, and compliance standard rules must be defined for your enterprise.

The following sections describe how to define and maintain these compliance entities.

About Compliance Frameworks

A compliance framework is a hierarchical structure comprised of one or more compliance standards, compliance standard rule folders, and compliance standard rules. It is a way for you to map your standards to a structure similar to the regulatory or standard compliance structure you use in your company.

Accessing Compliance Frameworks

To access compliance frameworks, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Frameworks tab.

  3. Highlight the compliance framework you want to manage and choose the action you want to perform.

Frameworks Provided by Oracle and User-Defined Compliance Frameworks

There are compliance frameworks provided by Oracle and user-defined compliance frameworks.

  • Compliance frameworks provided by Oracle

    • PCI DSS 2.0 (Payment Card Industry Data Security Standard) is a standard which you can use to evaluate your managed targets' compliance with security and best practices standards.

    • Oracle Generic Compliance Framework is a standard set of compliance standards and associated controls for tracking changes and events taking place across your IT infrastructure for determining how well your organization is in compliance with your IT policies.

  • User-defined compliance frameworks

    You can define a compliance framework to satisfy the needs of your organization. You can also create a user-defined framework by performing a create-like on an out-of-box framework.

Compliance frameworks provided by Oracle cannot be deleted or edited. However, if you want to extend these frameworks, use the Create Like functionality to create your own user-defined frameworks based on the out-of-box frameworks and then edit the new frameworks.

Recommendation: It is highly recommended that you create a top level compliance framework like the ones provided for PCI and Oracle Generic compliance.

Example of Using the PCI Standard

If you follow the Payment Card Industry (PCI) standards framework, you may have a multiple level structure that mirrors the structure of PCI as follows:

  • PCI DSS 2.0 - Payment Card Industry Data Security Standards compliance framework which contains:

    • Build and Maintain a Secure Network (PCI 2.0) compliance standard which contains:

      • Encrypt all administrative access using SSH, VPN, or SSL/TLS (PCI 2.3) compliance standard rule

The compliance standard (PCI 2.0) contains a number of compliance standard rules that are specific to a target type. A single compliance score will be calculated for that compliance standard and then can be rolled up to all the compliance frameworks as well. The top level compliance framework (PCI 2.0) will always be treated as the actual compliance framework that is used.

Benefits of Using Compliance Frameworks

Compliance standards are defined to perform tests, for example, test if a configuration is set properly, test to see if real-time changes are occurring, and so on. In turn, a compliance framework is a way to map how different areas of your compliance initiative are going to be affected by the results of those tests.

For example, an organization may choose to define a compliance framework that extends an out-of-box compliance framework. This is accomplished by creating a new compliance framework like the out-of-box compliance framework and including new or existing compliance standard rules.

Reasons for Using Compliance Frameworks

There are a number of reasons for creating compliance frameworks including:

  • Mapping underlying IT violations to the regulatory and standard compliance controls used by your company

  • Compliance auditing at compliance specification level (for example, Payment Card Industry (PCI))

  • Auditing, security evaluation, and trend analysis

What Compliance Frameworks Can Do

A compliance framework can:

  • Represent industry-wide standards or can be created to match your internal frameworks in use.

    Many companies may start by using an industry-wide framework, but modify it according to their own needs and auditing requirements. For example, an organization may choose to define a compliance framework that extends an out-of-box compliance framework. This is accomplished by creating a new compliance framework like the out-of-box compliance framework and including new or existing compliance standard rules.

  • Be used as a reference compliance framework or a certified compliance framework

  • Be a collection of compliance standards describing best practices in an enterprise. Compliance standards are defined to perform tests, for example, test if a configuration is set properly, test to see if real-time changes are occurring, and so on. In turn, a compliance framework is a way to map how different areas of your compliance initiative are going to be affected by the results of those tests.

Compliance Frameworks and Compliance Scores

The compliance framework is the entry point when looking at compliance scores from a high level view such as the Compliance Results dashboard. Each entity of a compliance framework should have a user-defined importance that is assigned for reporting/compliance score roll up. The importance can be set for all internal nodes in a compliance framework or compliance standard hierarchy. This importance at the top compliance framework is the default, but you may decide that more importance should be placed on one compliance sub group over another.

Compliance frameworks can include subgroups and nested subgroups.

Usage Notes

  • Evaluation Results for a repository rule may become invalidated if a compliance standard rule within a compliance framework is modified or deleted. Evaluation of a compliance standard always references the current compliance standard rule definition for each compliance standard rule within the standard.

  • Compliance frameworks can include subgroups and nested subgroups.

  • The compliance framework is the entry point when looking at compliance scores from a high level view such as the Compliance Results dashboard. Each entity of a compliance framework should have a user-defined importance that is assigned for reporting/compliance score roll up. The importance can be set for all internal nodes in a compliance framework or compliance standard hierarchy. The importance at the top compliance framework is the default, but you may decide that more importance should be placed on one compliance sub group over another.

  • Compliance frameworks can include compliance standards of different target types.

Operations on Compliance Frameworks

You can perform the following operations on a compliance framework:

The following sections explain these operations.

Creating a Compliance Framework

Before you create a compliance framework, ensure you have privileges to access the compliance standards you will be including during the definition of the framework. (See Privileges and Roles Needed to Use the Compliance Features.)

To make the creation of the compliance framework easier, ensure that the compliance standards, which will be referred to by the compliance framework, are already defined in Enterprise Manager. The compliance standards you add to a compliance framework may be system-defined and user-defined standards as displayed on the Compliance Standard Library page. If you do not define the compliance standards beforehand, you must add them later.

To create a compliance framework, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Frameworks tab.

  3. Click the Create button.

  4. Provide the Name and Author and click OK.

  5. Once you have provided the information on the definition page, look at the options available when you right-click the name of the compliance framework (located at the top-left of the page). From this list you can create subgroups, include compliance standards, and so on.

  6. Click Save.

Usage Notes

  • Lifecycle status can be either Development or Production.

    • Development

      Indicates a compliance framework is under development and that work on its definition is still in progress. While in development mode, all management capabilities of compliance frameworks are supported including editing of the compliance framework and deleting the compliance framework. Results of development compliance standards will NOT be viewable in target and console home pages, and the compliance dashboard.

      Lifecycle status default is Development. It can be promoted to Production only once. It cannot be changed from Production to Development.

    • Production

      Indicates a compliance framework has been approved and is of production quality. When a compliance framework is in production mode, its results are rolled up into a compliance dashboard, target and console home page.

      Production compliance frameworks can only refer to Production compliance standards. A production compliance framework can be edited to add/delete references to production compliance standards ONLY!

      Lifecycle status cannot be changed from Production to Development.

  • All compliance frameworks with the same keyword will be grouped together when sorted by the Keyword column.

  • If you modify a compliance standard that has been added to a compliance framework, either by editing the compliance standard directly, or by using Import to overwrite the compliance standard with new settings, the existing evaluations become invalid. That is, if this modified compliance standard was included in a compliance framework that was previously evaluated, and has evaluation results, these results are no longer viewable.

Adding a Compliance Standard to a Compliance Framework

Use the Include Compliance Standard Reference page to select one or more compliance standards to be added to the compliance framework.

Use the search criteria to minimize the number of compliance standards that display in the Select list.

Once you make your selections, click Continue. The Include Compliance Standard Reference page appears with the compliance standards you chose on the Include Compliance Standard Reference page.

Editing Importance

After you add the compliance standards that are to be part of the compliance framework, the Create Compliance Framework page appears listing the compliance standards you chose to add to the compliance framework. At this time you can edit the importance of each compliance standard.

The importance impacts the overall compliance score. Those compliance standards with higher importance elevate the importance of the compliance framework, whereas those compliance standards with less importance lower the importance of the compliance framework.

See Compliance Score and Importance for details on how this score is computed.

Creating Like a Compliance Framework

To create a compliance framework like another compliance framework, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Frameworks tab.

  3. On the Compliance Framework Library page, highlight the compliance framework you want to use as the base and click the Create Like button.

  4. Customize the fields as needed.

    Ensure that the Compliance Framework name is different from the original compliance framework and any other existing compliance frameworks.

  5. Click Save.

Editing a Compliance Framework

Use the edit compliance framework feature to add new compliance standard rules to a compliance framework, or edit details of existing compliance frameworks, or delete compliance standard rules from the compliance framework.

Before you edit a compliance framework, ensure that you have privileges to access the compliance framework to be edited. (See Privileges and Roles Needed to Use the Compliance Features.)

To edit a compliance framework, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Frameworks tab.

  3. Highlight the compliance framework you want to edit and click the Edit button.

  4. Update the properties as needed.

    To add standards and subgroups, right-click the name of the framework located at the top left of the page.

  5. Click Save.

Usage Notes

  • Changing a compliance framework definition may impact trend analysis.

  • The compliance standards you add to a compliance framework may be system-defined and user-defined compliance standards as displayed on the Compliance Standard Library page.

  • If you modify a compliance standard that has been added to a compliance framework, either by editing the compliance standard directly, or by using Import to overwrite the compliance standard with new settings, the existing evaluations become invalid. That is, if this modified compliance standard was included in a compliance framework that was previously evaluated, and has evaluation results, these results are no longer viewable. The compliance framework evaluation results will again become visible after the next evaluation happens. The new evaluation includes the changes to the compliance standard within the compliance framework.

  • The importance impacts the overall compliance score. Those compliance standards with higher importance elevate the importance of the compliance framework, whereas those compliance standards with less importance lower the importance of the compliance framework.

  • A compliance standard can be added to more than one compliance framework, and can have a different importance when added to a different compliance framework. For example, you could have a compliance standard called Check Password Expired which flags user accounts with expired passwords. This compliance standard may be a member of two compliance frameworks: All System Passwords Secure and 30-day Password Validation. The All System Passwords Secure compliance framework verifies a password's security, whereas the 30-day Password Validation compliance framework checks the date that this password was last set.

    • The Check Password Expired compliance standard could have Extremely High importance for the 30-day Password Validation compliance framework, since this check is warning users that their passwords are about to expire.

    • In the All System Passwords Secure compliance framework, the Check Password Expired compliance standard could have a Normal importance, and other added compliance standards that do security checks could have a higher importance within the compliance framework.

Deleting a Compliance Framework

Before you delete a compliance framework, ensure that you have privileges to access the compliance framework to be deleted. (See Privileges and Roles Needed to Use the Compliance Features.)

To delete a compliance framework, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Frameworks tab.

  3. Highlight the compliance framework you want to delete and click the Delete button.

  4. Confirm that you want to delete the compliance framework by clicking OK.

Usage Notes

  • You can delete a single compliance framework or a list of compliance frameworks. When you delete a compliance framework, the associated metadata and evaluation results are also deleted.

  • YOU CANNOT DELETE COMPLIANCE FRAMEWORKS DEFINED BY ORACLE.

Exporting a Compliance Framework

Exporting allows you to re-use a compliance framework that you already have, that is, minimize duplication of effort.

Before you export a compliance framework, ensure that you have privileges to access the compliance framework to be exported. (See Privileges and Roles Needed to Use the Compliance Features.)

To export a compliance framework, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Frameworks tab.

  3. Highlight the compliance framework you want to export.

  4. From the Actions menu, select Export.

  5. Provide the file name to which the compliance framework definition is to be exported. Determine whether it is to be a shallow or deep export. In a shallow export, no leaf level rules or compliance standards are to be exported. In a deep export, all leaf level rules and compliance standards are exported.

The system generates an XML representation of the compliance framework in the directory and file you specify.

Importing a Compliance Framework

Importing allows you to re-use a compliance framework that you already have, that is, minimize duplication of effort.

Before you import a compliance framework, ensure the compliance framework to be imported is defined in a file. The location of the file is independent of Enterprise Manager. Also ensure that you have privileges to access the compliance framework definition XML file to be imported. (See Privileges and Roles Needed to Use the Compliance Features.)

To import a compliance framework, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Frameworks tab.

  3. From the Actions menu, select Import.

  4. Provide the file name from which the compliance framework definition (as per Compliance Framework XSD) will be imported. Specify whether to override an existing definition if one already exists. Specify whether to import referring content as well, that is, shallow or deep import. In a shallow import, no leaf level rules or compliance standards are to be imported. In a deep import, all leaf level rules and compliance standards are imported. In a deep import, real-time monitoring facets are also imported for real-time monitoring type of rules.

  5. Click OK.

Browsing Compliance Frameworks

Before you browse compliance frameworks, ensure you have privileges to access the compliance framework definitions you will be browsing. (See Privileges and Roles Needed to Use the Compliance Features.)

To browse a compliance framework, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Frameworks tab.

  3. To view the details of a particular compliance framework, highlight the compliance framework and click Show Details.

Searching Compliance Frameworks

Before you search compliance frameworks, ensure you have privileges to access the compliance framework definitions you will be searching. (See Privileges and Roles Needed to Use the Compliance Features.)

To search a compliance framework, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Frameworks tab.

  3. In the Search portion of the page, provide criteria to use to narrow the search.

  4. Click Search.

Browsing Compliance Framework Evaluation Results

Before you browse compliance framework evaluation results, ensure you have privileges to access the compliance framework definitions you will be browsing. (See Privileges and Roles Needed to Use the Compliance Features.)

To browse compliance framework evaluation results, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Results.

  2. Click the Compliance Frameworks tab and then the Evaluation Results tab.

  3. Highlight the compliance framework and click Show Details to view the details of a particular compliance framework.

Results include the following:

  • Average compliance score for different targets evaluated for compliance standards referred to by the compliance framework

  • Count of target evaluations (critical, warning, compliant) for different compliance standards referred to by the compliance framework

  • Count of violations (critical, warning, minor warning) related to compliance standards referred to by the compliance framework

Searching Compliance Framework Evaluation Results

Before you search compliance framework evaluation results, ensure you have privileges to access the compliance framework evaluation results you will be searching. (See Privileges and Roles Needed to Use the Compliance Features.)

To search compliance framework evaluation results, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Results.

  2. Click the Compliance Frameworks tab and then the Evaluation Results tab.

  3. In the Search portion of the page, provide criteria to use to narrow the search.

  4. Click Search.

Browsing Compliance Framework Errors

Before you browse compliance framework errors, ensure you have privileges to access the compliance framework evaluation errors you will be browsing. (See Privileges and Roles Needed to Use the Compliance Features.)

To browse compliance framework errors, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Results.

  2. Click the Compliance Frameworks tab and then the Errors tab.

Usage Notes

The error may be an unexpected internal error or an error in the test.

Evaluation errors can often be due to configuration and installation issues. See the following manuals for information:

If the installation and configuration are correct and the errors persist, call Oracle for assistance.

Searching Compliance Framework Errors

Before you search compliance framework errors, ensure you have privileges to access the compliance framework evaluation errors you will be searching. (See Privileges and Roles Needed to Use the Compliance Features.)

To search for compliance framework errors, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Results.

  2. Click the Compliance Frameworks tab and then the Errors tab.

  3. In the Search portion of the page, provide criteria to use to narrow the search.

  4. Click Search.

Usage Notes

The error may be an unexpected internal error or an error in the test.

Evaluation errors can often be due to configuration and installation issues. See the following manuals for information:

If the installation and configuration are correct and the errors persist, call Oracle for assistance.

Verifying Database Targets Are Compliant with Compliance Frameworks

For auditors to verify that database targets are in compliance with the compliance frameworks, the Enterprise Manager structure needs to be defined. The steps to provide this structure include the following:

  1. Super Administrator creates three Enterprise Manager users: Compliance Author, IT Administrator, and Compliance Auditor.

  2. Super Administrator assigns the appropriate roles and privileges to the Compliance Author and IT Administrator.

  3. Super Administrator assigns the same target privileges to IT Administrator and Compliance Auditor.

  4. Compliance Author logs in to Enterprise Manager and views out-of-box compliance frameworks, compliance standards, and compliance standard rules.

    He then enables and disables the appropriate compliance standard rules and creates new compliance standard rules.

  5. IT Administrator logs in to Enterprise Manager and associates the targets for which he has target privileges with the appropriate compliance standards.

  6. IT Administrator sets up the correct configuration parameters and settings for the compliance frameworks, compliance standards, and compliance standard rules for a particular target.

    He then creates a monitoring template from this target and applies it to the other targets, to which he has privileges, that require compliance standards.

  7. Compliance Auditor logs in to Enterprise Manager to view the violations and errors at the Enterprise level, for which he has view privileges, and at each target level.

    He would then take the necessary actions to rectify the errors and violations.

About Compliance Standards

A compliance standard is a collection of checks or rules. It is the Enterprise Manager representation of a compliance control that must be tested against some set of IT infrastructure to determine if the control is being followed.

Compliance standards are made up of the following in a hierarchical structure (see Figure 8-4):

  • Compliance standard rules

  • Rule folders that can include nested rule folders and individual compliance standard rules.

    Rule Folders are hierarchical structures that contain compliance standard rules. A rule folder has an importance attribute that denotes the importance of the rule folder relative to its siblings at the same level. This importance is considered when determining compliance scores being rolled up from other sibling rule folders. A rule folder may contain multiple tests; in this way, a certain test can be given more weight than other tests.

  • Included compliance standards. A compliance standard can include other compliance standards.

Figure 8-4 Compliance Standard Definition

What Compliance Standards Can Do

  • Represent industry-wide standards. A compliance standard is applicable to a single target type.

  • Be used as a reference configuration or a certified configuration

  • Be a collection of compliance standard rules describing best practices in an enterprise

For example, when a target fails to adhere to a compliance standard, the target is not in compliance with the compliance standard.

Accessing Compliance Standards

The compliance standards, including those provided by Oracle, are available on the Compliance Standard Library page. To access this page, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

To view the compliance standard rules associated with the compliance standard, click the name of the compliance standard and click Show Details. Once the Compliance Standard Detail page appears, right click the name of the standard located at the top left of the page, and select either Expand or Expand All Below.

Note: The compliance standards defined by Oracle cannot be changed. However, you can create a standard similar to the one provided by Oracle by using the Create Like feature.

General Usage Notes for Compliance Standards

You can override an existing compliance standard by checking the Overwrite existing compliance standards check box. As a result:

  • If you override a compliance standard, the override deletes all target and template associations, as well as evaluation results for that compliance standard.

  • If the overwritten compliance standard is part of a compliance framework, the compliance standard is updated in the compliance framework. However, the evaluation results for that compliance standard within the compliance framework are invalidated.

  • Evaluations of compliance standards happen after the compliance standards are associated to a target.

    For repository compliance standards, the evaluation happens after the standard is associated with a target. For WebLogic Server compliance standards, evaluation happens when the Agent-side evaluation metric is refreshed. The refresh occurs once every 24 hours for Oracle WebLogic Domain, Oracle WebLogic Java EE Server, and Oracle WebLogic Cluster targets.

    For Real-time Monitoring Rules, an evaluation occurs when a compliance standard is associated to a target. A violation occurs when an observation bundle contains at least one observation that is unauthorized.

Usage Note Specific to Repository Rules

If you manually type a WHERE clause in the compliance standard rule XML definition, then the < (less than) symbol must be expressed as &lt;, to create a valid XML document. For example:

<WhereClause>:status &lt; 100</WhereClause>
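
The following check is an added example, not part of the Oracle guide or the product's own tooling. It shows why a hand-typed WHERE clause breaks the rule XML and how to escape it before import. Only the WhereClause element name comes from the text above; the Rule wrapper element, the :owner bind variable, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, unescape

# Constructed fragment: a WHERE clause typed as raw SQL inside the rule XML.
# The Rule element and the :owner bind variable are assumptions for the demo.
HAND_TYPED_RULE = """<Rule>
  <WhereClause>:status < 100 AND :owner <> 'SYS'</WhereClause>
</Rule>"""

WHERE_CLAUSE_RE = re.compile(
    r"(<WhereClause>)(.*?)(</WhereClause>)", re.DOTALL
)


def check_well_formed(xml_text):
    """Return None if the text parses as XML, else (line, column, message)."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        line, column = exc.position
        return (line, column, str(exc))


def escape_where_clauses(xml_text):
    """Escape &, < and > inside every WhereClause body.

    Each body is unescaped first, so running the function on text that
    is already escaped leaves it unchanged instead of producing &amp;lt;.
    Assumes the clause body holds only text, with no nested elements.
    """
    def fix(match):
        open_tag, body, close_tag = match.groups()
        return open_tag + escape(unescape(body)) + close_tag

    return WHERE_CLAUSE_RE.sub(fix, xml_text)


def where_clause_texts(xml_text):
    """Parse the XML and return the SQL text of each WhereClause element."""
    root = ET.fromstring(xml_text)
    return [node.text for node in root.iter("WhereClause")]


if __name__ == "__main__":
    problem = check_well_formed(HAND_TYPED_RULE)
    print("before:", problem)

    fixed = escape_where_clauses(HAND_TYPED_RULE)
    print(fixed)
    print("after:", check_well_formed(fixed))

    # The parser hands the original SQL back once the entities are decoded.
    print(where_clause_texts(fixed))
```

The same escaping applies to the & (ampersand) character, which must be written as &amp; in the XML.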

Example of How to Set Up Compliance Standards for Auditing Use

For auditors to verify that database targets are in compliance with the compliance frameworks, the Enterprise Manager structure needs to be defined. The steps to provide this structure include the following:

  1. Super Administrator creates three Enterprise Manager users: Compliance Author, IT Administrator, and Compliance Auditor.

  2. Super Administrator assigns the appropriate roles and privileges to the Compliance Author and IT Administrator.

  3. Super Administrator assigns the same target privileges to IT Administrator and Compliance Auditor.

  4. Compliance Author logs in to Enterprise Manager and views out-of-box compliance frameworks, compliance standards, and compliance standard rules.

    He then enables and disables the appropriate compliance standard rules and creates new compliance standard rules.

  5. IT Administrator logs in to Enterprise Manager and associates the targets for which he has target privileges with the appropriate compliance standards.

  6. IT Administrator sets up the correct configuration parameters and settings for the compliance frameworks, compliance standards, and compliance standard rules for a particular target.

    He then creates a monitoring template from this target and applies it to the other targets, to which he has privileges, that require compliance standards.

  7. Compliance Auditor logs in to Enterprise Manager to view the violations and errors at the Enterprise level, for which he has view privileges, and at each target level.

    He would then take the necessary actions to rectify the errors and violations.

Operations on Compliance Standards

You can perform the following operations on a compliance standard:

The following sections explain these operations.

Creating a Compliance Standard

You can use the compliance standards provided by Oracle, for example, Security Configuration for Oracle Database, or create your own standard.

Before creating a compliance standard, ensure the compliance standards and compliance standard rules, which will be referred to by the compliance standard, are defined in the Management Repository. Also ensure that you have privileges to access the compliance standards and compliance standard rules you will be including in the compliance standard. (See Privileges and Roles Needed to Use the Compliance Features.)

To create a compliance standard, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

  3. Click the Create button. You will be prompted for the Name, Author, target type to which the standard is applicable, and the type of compliance standard (Repository, WebLogic Server Signature, Real-time Monitoring). Click OK.

  4. On the resulting Compliance Standard Detail page, provide the property values.

    Click Add to either add a keyword by which this standard is identified or use an existing keyword.

  5. To further define the compliance standard, right-click the name of the compliance standard located at the top left of the page. From this menu, you can create rule folders and add rules and compliance standards.

    By using rule folders, you can view the summary of results, categorized by the targets that were evaluated against the selected rule folder and the Compliance Standard Rules evaluated for the selected rule folder.

  6. Click Save.

Once you define the compliance standard, associate the standard with a target and define the target type settings.

  1. While on the Compliance Standards Library page, ensure the correct compliance standard is highlighted.

  2. Click the Associate Target button.

  3. On the Target Association for Compliance Standard page, click Add to choose the target to be evaluated against the standard.

  4. In the Search and Select: Targets popup, choose the appropriate target.

  5. Click Select.

After you associate the target with the compliance standard, you can edit the parameters associated with the target.

  1. While on the Target Association for Compliance Standard page, click Edit.

  2. On the Customize Compliance Standard Parameters page, change the parameters as needed.

Note:

You can also associate a compliance standard with a target. At the top left of the target's home page, right click the name of the target. On the resulting menu, select Compliance, then select Standard Associations.

In addition, you can edit and remove existing associations. See Compliance Score and Importance for additional information.

Adding a Compliance Standard to Another Compliance Standard

Use the Include Compliance Standard page to select one or more compliance standards to be added to the compliance standard. This list is prefiltered by the target type of the compliance standard.

To add a compliance standard to another compliance standard:

  1. From the Compliance Standard Library page, highlight the compliance standard to which you want to add another compliance standard.

  2. Click the Edit button.

  3. On the Properties page, right-click the node, located at the top left of the page.

  4. On the resulting menu, select Add Standards.

  5. Select the compliance standard to include. Click OK.

    When you include a compliance standard within another top level compliance standard, the included standard must be of the same target type as the top level compliance standard. For composite target types, one of the member target types of the composite target type of the top level standard is a member target type within the top level composite target type.

    Note that a root compliance standard is associated to a root target (of composite target type). Compliance standards are associated to member targets of the same applicable target type and target filter criteria.

  6. On the Properties page, choose the Importance for the compliance standard you just included. Click Save.

  7. After the compliance standard is included, highlight the root compliance standard. The Properties page displays a set of parameters.

    A parameter is a variable that can be used by one or more compliance standard rules contained in that compliance standard. When a compliance standard rule references a parameter, the parameter's actual value is substituted at compliance standard rule evaluation time. It is through the use of parameters that customization of compliance standards is supported.

Usage Notes

  • Because compliance standards are hierarchical, the top node in the tree is known as the parent node.

  • When you create a compliance standard, the version is 1.

  • Lifecycle status default is Development. It can be promoted to Production only once. It cannot be changed from Production to Development.

    • Development

      Indicates a compliance standard is under development and that work on its definition is still in progress. While in Development mode, all management capabilities of compliance standards are supported including complete editing of the compliance standard, deleting the compliance standard, and so on. However, while the compliance standard is in Development mode, its results are not viewable in Compliance Results nor on the target or Cloud Control home page.

    • Production

      Indicates a compliance standard has been approved and is of production quality. When a compliance standard is in production mode, you have limited editing capabilities, that is, you can add references to production rules, and you can delete references to rules ONLY from a compliance standard. All other management capabilities such as viewing the compliance standard and deleting the compliance standard will be supported. Results of production compliance standards are viewable in target and console home pages, and the compliance dashboard. Production compliance standards can only refer to production compliance standards and production compliance standard rules.

      Once the mode is changed to Production, then its results are rolled up into compliance dashboard, target home page, and Cloud Control home page. Production compliance standards can only refer to other production compliance standards and production compliance standard rules. A production compliance standard can be edited to add and delete references to production compliance standards and production compliance standard rules ONLY.

Creating Like a Compliance Standard

Before creating a compliance standard like another compliance standard, ensure that you have privileges to access the compliance standard you will be copying from. (See Privileges and Roles Needed to Use the Compliance Features.)

To create a compliance standard like another compliance standard, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

  3. Click the Create Like button.

  4. Customize the fields as needed.

    The name must be different from that of any existing compliance standard.

  5. Click Save.

Editing a Compliance Standard

You can customize compliance standards by editing the existing compliance standard rule settings. You can change the importance for the compliance score calculation, prevent template override, override default parameter values (when possible), and exclude objects from a compliance standard rule's evaluation (when possible).

Before editing a compliance standard, ensure that you have privileges to access the compliance standard to be edited. (See Privileges and Roles Needed to Use the Compliance Features.)

Note: You cannot edit an out-of-box compliance standard, that is, a compliance standard defined by Oracle.

To edit a compliance standard, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

  3. Highlight the standard you want to edit and click the Edit button.

  4. Update the parameters as needed.

  5. Click Save.

Deleting a Compliance Standard

Before you delete a compliance standard, ensure you have privileges to access the compliance standard to be deleted. (See Privileges and Roles Needed to Use the Compliance Features.) Also ensure the compliance standard is not in use by a compliance framework. You must remove any references to the compliance standard in all compliance frameworks.

Note: You cannot delete an out-of-box compliance standard, that is, a compliance standard provided by Oracle.

To delete a compliance standard, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

  3. Highlight the compliance standard you want to delete and click the Delete button.

  4. Confirm that you want to delete the standard by clicking OK.

Exporting a Compliance Standard

The Export feature provides a mechanism for transporting user-defined compliance standard definitions across Management Repositories and Cloud Control instances. The export stores the definitions in an operating system file. The exported compliance standard definitions are in XML format and conform to the Oracle Compliance Standard Definition (XSD) format. You can then change the definition of the compliance standard and re-import the generated compliance standard definitions into another Management Repository.

Before you export a compliance standard, ensure the compliance standard to be exported is defined in the Management Repository. Also ensure that you have privileges to access the compliance standard to be exported. (See Privileges and Roles Needed to Use the Compliance Features.)

To export a compliance standard, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

  3. Highlight the standard you want to export.

  4. From the Actions menu, select Export.

  5. Provide the file name to which the standard definition is to be exported. Determine whether it is to be a shallow or deep export. In a shallow export, no leaf level rules or compliance standards are exported. In a deep export, all leaf level rules and compliance standards are exported.

  6. The XML representation of the compliance standard is generated. The file is located in the directory you specify.

Importing a Compliance Standard

The Import feature uploads an XML-based compliance standard definition file containing definitions of a single user-defined compliance standard or a list of user-defined compliance standards. This upload creates a new user-defined compliance standard or a list of user-defined compliance standards. This compliance standard must have been previously exported.

The compliance standard XML definition must comply with the compliance standard XML Schema Definition (XSD) as defined in User-Defined Compliance Standard XML Schema Definition.

After importing a user-defined compliance standard, you can edit the standard.

Before importing a compliance standard, ensure the compliance standard to be imported is defined in a file. Also ensure that you have privileges to access the compliance standard definition XML file to be imported. (See Privileges and Roles Needed to Use the Compliance Features.)

To import a compliance standard, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

  3. From the Actions menu, select Import.

  4. Provide the file name from which the compliance framework definition (as per Compliance Framework XSD) will be imported. Specify whether to override an existing definition if one already exists. Specify whether to import referring content as well, that is, shallow or deep import.

  5. Click OK.

Browsing Compliance Standards

Before browsing compliance standards, ensure you have privileges to access the compliance standard definitions you will be browsing. (See Privileges and Roles Needed to Use the Compliance Features.)

To browse a compliance standard, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

  3. To view the details of a particular standard, highlight the standard and click Show Details.

Searching Compliance Standards

Before you search the compliance standards, ensure you have privileges to access the compliance standard definitions you will be searching. (See Privileges and Roles Needed to Use the Compliance Features.)

To search for compliance standards, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

  3. In the Search portion of the page, provide criteria to use to narrow the search.

  4. Click Search.

Browsing Compliance Standard Evaluation Results

Before you browse the compliance standard evaluation results, ensure you have privileges to access the compliance standard evaluation results you will be browsing. (See Privileges and Roles Needed to Use the Compliance Features.)

To browse compliance standard evaluation results, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Results.

  2. Click the Compliance Standards tab and then the Evaluation Results tab.

  3. Highlight the compliance standard and click Show Details to view the details of a particular standard.

    Results include the following:

    • Average compliance score for different targets

    • Count of target evaluations (critical, warning, compliant)

    • Count of violations (critical, warning, minor warning)

Searching Compliance Standard Evaluation Results

Before you search the compliance standard evaluation results, ensure you have privileges to access the compliance standard evaluation results you will be searching. (See Privileges and Roles Needed to Use the Compliance Features.)

To search for compliance standard evaluation results, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Results.

  2. Click the Compliance Standards tab and then the Evaluation Results tab.

  3. In the Search portion of the page, provide criteria to use to narrow the search.

  4. Click Search.

Browsing Compliance Standard Errors

Before you browse compliance standard evaluation errors, ensure you have privileges to access the compliance standard evaluation errors you will be browsing. (See Privileges and Roles Needed to Use the Compliance Features.)

To browse compliance standard evaluation errors, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Results.

  2. Click the Compliance Standards tab and then the Errors tab.

Searching Compliance Standard Errors

Before you search compliance standard evaluation errors, ensure you have privileges to access the compliance standard evaluation errors you will be searching. (See Privileges and Roles Needed to Use the Compliance Features.)

To search for compliance standard errors, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Results.

  2. Click the Compliance Standards tab and then the Errors tab.

  3. In the Search portion of the page, provide criteria to use to narrow the search.

  4. Click Search.

Usage Notes

  • Use the Evaluation Errors page to view the errors that occurred as a result of metric collection, as well as those that occurred during the last evaluation.

  • Use the search filter to view only those evaluation errors that meet a set of search criteria that you specify.

  • Click the message in the Message column to decide what your course of action should be to resolve the error.

  • On initial display, the Evaluation Errors page shows all the evaluation errors.

  • Normally the results of an evaluation overwrite the previous evaluation's results. However, in the case of evaluation failure or data provider collection failure, the previous results are left untouched.

Once the underlying problem is fixed, the error is no longer reported.

Example of Search Filter

By default, all the evaluation errors in your enterprise configuration appear in the results table. However, you can specify a set of search criteria and then perform a search that will display only the evaluation errors that meet those criteria in the results table.

For example, if you choose Host in the Target Type list, contains in the Target Name list, and "-sun" in the adjacent Target Name text field, and then click Go, Enterprise Manager displays, in the results table, only the compliance standard rule evaluation errors for the hosts that contain "-sun" in their names.

Associating a Compliance Standard with Targets

After you create a compliance standard, you can associate the standard with a target. As part of the association, you can customize parameters, that is, the importance of the standard in relation to the target, status of the compliance standard evaluation, reason for changing the evaluation status, and the thresholds.

Before you associate a compliance standard with a target, ensure you have privileges to access the targets you want to associate compliance standards to. (See Privileges and Roles Needed to Use the Compliance Features.)

To associate a compliance standard with a target, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

  3. Highlight the compliance standard you want to associate with various targets. Click the Associate Target button.

  4. Select the targets you want to associate with this compliance standard. Click OK.

  5. With the compliance standard still highlighted, click the Override Target Type Settings button.

  6. Customize the critical and warning thresholds and importance as needed.

    By changing critical and warning thresholds, you signify how the Compliance standard score event is generated. For example, if the actual score is less than the critical threshold, then a critical score event is raised.

    Changing the importance can change the compliance score. The importance denotes how important the compliance standard is in the hierarchy.

  7. Click OK.

To further customize the evaluation of a compliance standard against a target, you can alter compliance standard parameters: importance, critical threshold, and warning threshold. Customizations can also be made on the compliance standard rules used within the compliance standards. For example, for the Secure Ports compliance standard rule, DFLT_PORT is an override parameter. You can change the default value of the port. You can also exclude objects from the evaluation, for example a particular port from the evaluation.

Note: For real-time monitoring, you can change parameters that are used in facet patterns. You can also change Automatic Change Management reconciliation settings.

Compliance Standards Provided by Oracle

Compliance standards serve as standards by which targets are measured. Compliance standards report deviations and enable closed loop remediation by optionally taking action to bring systems back into compliance. Oracle provides a number of compliance standards including:

These standards represent best practices and allow you to maintain consistency across enterprise systems and configurations. The trend analysis feature allows fine grained tracking of compliance progress over time.

The following sections provide the highlights of each compliance standard.

Basic Security Configuration for Oracle Database

The Basic Security Configuration For Oracle Database compliance standard provides a benchmark by which to test the targets in your enterprise for compliance to Oracle database security standards.

The compliance standard rules associated with this compliance standard comply with the Oracle recommended security checklist. This standard includes:

  • Ensuring well-known accounts are locked and expired

  • Ensuring that all profiles have been set to a reasonable number of days

  • Data dictionary protection has been enabled

  • Principle of least privileges is being practiced

  • Access controls are effective

  • Clients are properly authenticated

High Security Configuration for Oracle Listener

The High Security Configuration for Oracle Listener compliance standard tests Oracle Listeners against the Oracle recommended security checklist.

This compliance standard adheres to the security standards available for the Oracle Listener. This standard ensures that:

  • Access to the Listener is restricted, making it more difficult for an operating system user to attack the database

  • Network configuration parameter settings are secure.

  • Access to the listener configuration tasks is secure. For example, access to the listener is password protected and no runtime modifications to the listener configuration are allowed.

Storage Best Practices for ASM

This compliance standard checks the Automatic Storage Management (ASM) settings to ensure that customers are correctly setting up the disk groups and therefore avoiding potential space and performance problems. This compliance standard ensures that the disk group:

  • With NORMAL or HIGH Redundancy has mirrored or parity protected disks

  • Contains disks of significantly different sizes

  • Contains disks with different redundancy attributes

  • Is checked for disks that are not mirrored or parity protected

Secure Configuration for Host

The Secure Configuration for Host compliance standard tests hosts against operating system threats and attacks.

This compliance standard ensures adherence with best-practice security configuration settings that help protect against operating-system-related threats and attacks, providing a more secure operating environment. This compliance standard ensures that:

  • OS configuration parameter, which enables execution of code on the user stack, is not enabled.

  • No unintended ports are left open

  • There are no insecure services (for example, telnet and ftp) running on the server

  • File system on a Windows operating system uses the New Technology File System (NTFS).

About Compliance Standard Rule Folders

Rule Folders are hierarchical structures used to group similar compliance standard rules within a compliance standard. The same compliance standard rules can be added to different Rule Folders within a compliance standard. Rule Folders can be nested within a compliance standard.

A rule folder has an importance attribute that denotes the importance of the rule folder relative to its siblings at the same level. This importance is considered when determining compliance scores being rolled up from other sibling rule folders. A rule folder may contain multiple tests; in this way, a certain test can be given more weight than other tests.

The following topics address compliance standard rule folders:

Creating Rule Folders

To create a rule folder, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standards tab.

  3. Either create a compliance standard or edit an existing compliance standard.

  4. On the Compliance Standard Library page, highlight the compliance standard and click Edit.

  5. On the Properties page, right-click the name of the compliance standard. The name of the standard is located in the top-left corner of the page.

  6. Select Create Rule Folder.

  7. Type the name of the folder and click OK.

  8. On the Properties page, provide a description, ReferenceUrl, and importance. See Compliance Score and Importance for additional information regarding importance.

Managing Rule Folders in a Compliance Standard

After you create a rule folder and populate it with compliance standard rules, you can perform the following actions on the folder:

  • Edit the tree structure by re-ordering the Rule Folder, Rule Reference, and Compliance Standard Reference nodes in the tree or by deleting any of these nodes.

  • Select any node object (except the top-level Compliance Standard node) and then click the Remove menu item from the context menu. The Remove option is disabled on the root node. You can also select multiple objects and click Remove to delete multiple nodes.

About Compliance Standard Rules

A compliance standard rule is a test to determine if a configuration data change affects compliance. It describes how to take something that is observed in a target and associate it with a rule group or folder structure so that a compliance score can be built for each level of the rule folder.

This score can then be rolled up and reported by compliance framework. These rule compliance scores are rolled up to compute the compliance standard score and then this score can be rolled up and reported along with the compliance framework scores.

Types of Compliance Standard Rules

The types of compliance standard rules are: Repository rules, WebLogic Server Signature rules, and Real-time Monitoring rules.

  • Repository Rules

    Used to perform a check against any metric collection data in the Management Repository.

    Used for checking the configuration state of one or multiple targets. A rule is said to be compliant if it is determined that the configuration items do in fact meet the desired state; that is, the rule test failed to identify any violations. Otherwise, a rule is said to be non-compliant if it has one or more violations. The data source that is evaluated by a compliance standard rule's test condition can be based on a repository query. A compliance standard rule's test condition can be implemented using a threshold condition based on the underlying metrics (or queries) column value or SQL expression or a PL/SQL function.

    A repository-check based rule checks the configuration state of one or multiple targets. A rule is said to be compliant if the test fails to identify a violation. In other words, the test determines that the configuration item is in the desired state or has the prescribed value. A rule that uncovers any violation is said to be noncompliant.

    The data source that is evaluated by a rules test condition can be based on a repository query. A rules test condition can be implemented using a threshold condition based on the underlying metrics/queries column value or SQL expression or a PL/SQL function.

    Integration points in this area include:

    • Define Compliance Standard Rules, Compliance Standards, and Compliance Frameworks

    • Replace out-of-box policy groups (10.2.x/11.1) with Compliance Standards you create that can refer to Compliance Standard Rules

    • Map your compliance standards to the appropriate Compliance Frameworks

    • Define BI Publisher reports for compliance

  • WebLogic Server Signature Rules

    Used to check a WebLogic target for supporting best practice configurations. This type of rule is not relevant for external/partner plugins.

    WebLogic Server signature rules describe potential problems based on information about WebLogic Servers and the environment in which they are deployed, including Java Virtual Machines (JVMs), operating systems, and databases. Signature rules contain executable logic that can identify specific versions of these products, as well as their configuration settings.

    See WebLogic Server Signature Rules for additional information.

  • Real-time Monitoring Rules

    Real-time monitoring rules monitor actions to files, processes, and more that users perform on targets. These actions may lead to configuration changes. The actions are detected in real-time as observations. These rules also capture user login/logout activities.

    These rules monitor Process, OS User, Database tables, views, index, user, Windows Registry key, Active Directory Group, and so on. These rules contain configuration parameters specifying what entities they will be monitoring, for instance, what files to monitor, how to monitor (for example, operations (read/write)), when to do the monitoring (time-period), who to monitor (user name).

    See Operations on Real-time Monitoring Rules for additional information.

Importance

A rule has an importance attribute that denotes the importance of the rule, which is considered when determining a compliance score.

Importance is used in compliance score rollup function for both rule/target, and compliance standard/target score. Importance is per node in the hierarchy. Weighted average of the child nodes is used to compute the score of the parent node.

The rule can also have a severity level, which could be Critical (serious issue if this rule is violated), Warning (not a serious issue if violated), or Minor Warning (a minor issue if violated). Severity impacts the compliance score.
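
The following is an added example, not Oracle code, showing how an importance-weighted average rolls child scores up to a parent and how the result is compared with critical and warning thresholds. The numeric weights per importance level, the leaf scores, the threshold values, and the nodes marked hypothetical are assumptions; the standard names and the Check Password Expired rule come from this guide's usage notes.

```python
"""Added illustration of importance-weighted score rollup (not Oracle code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# ASSUMPTION: numeric weight per importance level. The guide names levels such
# as Normal and Extremely High but does not give their weights in this section.
IMPORTANCE_WEIGHT = {"Normal": 2, "High": 3, "Extremely High": 4}


@dataclass
class Node:
    """A rule (leaf with a score) or a rule folder / standard (with children)."""
    name: str
    importance: str = "Normal"
    score: Optional[float] = None          # leaf score in percent, 0-100
    children: List["Node"] = field(default_factory=list)


def rollup(node: Node) -> float:
    """Return a leaf's own score, or the importance-weighted average of the
    rolled-up scores of the node's children."""
    if not node.children:
        if node.score is None:
            raise ValueError(f"{node.name}: leaf has no evaluation result")
        return node.score
    total_weight = sum(IMPORTANCE_WEIGHT[c.importance] for c in node.children)
    weighted = sum(IMPORTANCE_WEIGHT[c.importance] * rollup(c)
                   for c in node.children)
    return weighted / total_weight


def score_event(score: float, critical: float, warning: float) -> str:
    """Classify a score against the thresholds. A score below the critical
    threshold raises a critical event (as the guide states); treating the
    warning threshold the same way is an assumption."""
    if not 0 <= critical <= warning <= 100:
        raise ValueError("expected 0 <= critical <= warning <= 100")
    if score < critical:
        return "critical"
    if score < warning:
        return "warning"
    return "compliant"


# Constructed sample data: the same rule scores 50% in both standards, but its
# importance differs per standard, so it pulls each parent score differently.
THIRTY_DAY = Node("30-day Password Validation", children=[
    Node("Check Password Expired", "Extremely High", score=50.0),
    Node("Password Age Recorded", "Normal", score=100.0),      # hypothetical
])
ALL_SECURE = Node("All System Passwords Secure", children=[
    Node("Check Password Expired", "Normal", score=50.0),
    Node("Security Checks", "High", children=[                  # hypothetical
        Node("Password Complexity", score=100.0),               # hypothetical
        Node("Default Passwords Changed", score=80.0),          # hypothetical
    ]),
])

CRITICAL_THRESHOLD = 70.0   # constructed value
WARNING_THRESHOLD = 80.0    # constructed value

if __name__ == "__main__":
    for standard in (THIRTY_DAY, ALL_SECURE):
        value = rollup(standard)
        event = score_event(value, CRITICAL_THRESHOLD, WARNING_THRESHOLD)
        print(f"{standard.name}: {value:.2f}% -> {event}")
```

With these assumed weights, the failing rule drives the 30-day Password Validation score below the critical threshold, while the same failure in All System Passwords Secure, where the rule has Normal importance, only produces a warning.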

Considerations When Creating Compliance Standards

A compliance standard will refer to one or more Compliance Standard Rules. When creating a compliance standard, the standard should be granular enough that it can be appropriately mapped to one or more related Compliance Frameworks. For example, consider this Compliance Framework structure that exists in Enterprise Manager based on PCI:

  • PCI - Payment Card Industry Compliance Framework

    • PCI Requirement 10 - Regularly monitor and test networks

      • PCI 10.5 - Secure audit trails

Many compliance standards will exist that should be mapped to this part of the Compliance Framework structure, each with their own rules to address this specific requirement. One may check that audit settings are set properly. Another may be used to check in real-time if anyone changes an auditing configuration. Another standard may check that regular users are not trying to read from an audit trail.

In this example, the "audit trail" referenced in the Compliance Framework can relate to many different types of targets. Oracle Database, WebLogic, Enterprise Manager, EBS, and PeopleSoft all have their own types of audit trails that all need to be secured. Any Standards created to monitor these target-specific audit trails would map to the same Compliance Framework named "PCI 10.5 - Secure Audit Trails."

If compliance standards are structured in a granular way so that they can map to existing and future compliance frameworks, then violations in a rule can be rolled up to impact the score of the compliance framework properly.

Usage Notes

Compliance standard rules are mapped to one or more compliance standards.

Operations on Compliance Standards Rules

The following sections explain the operations you can perform on compliance standard rules.

Creating a Compliance Standard Rule

Before you create a compliance standard rule, ensure that you have privileges to create compliance standard rules. (See Privileges and Roles Needed to Use the Compliance Features.)

To create a compliance standard rule, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standard Rules tab.

  3. Click the Create button.

  4. In the Create Rule popup, select the type of compliance standard rule you want to create:

    • Repository rule

      Checks if the target has the desired configuration state based on configuration data collected in the Management Repository.

    • WebLogic Server Signature rule

      Preemptively identifies WebLogic Server configuration problems. The purpose of the WebLogic Server Signature rules is to evaluate at the WebLogic Server if certain configuration data satisfies some conditions (or checks) and the evaluation results are sent as violation information to the Oracle Management Service.

      Detailed information about how to identify problems is specified in the WebLogic Server Signature rule definition. The WebLogic Server Signature rule definition includes Dataspec and XQuery logic that are used to determine what is important to collect and evaluate for a given target type and target properties. A Dataspec is a group of MBeans used to collect data from a WebLogic Server. The XQuery logic contains the check on the data collected by the MBeans. The WebLogic Server Signature rule can be associated with one or more specific WebLogic targets: WebLogic Domain, WebLogic Java EE Server, and WebLogic Cluster.

      Version-specific details include:

      • To enable data collection for the WebLogic Server signature-based rules on WebLogic Server targets earlier than v10.3.3, you need a copy of bea-guardian-agent.war. You can find a copy of this war file in your OMS installation's work directory:

        $T_WORK/middleware/wlserver_10.3/server/lib/bea-guardian-agent.war
        
      • For WebLogic Server v9 and v10.0

        Install and deploy bea-guardian-agent.war to all servers in the domain. Do not change the context root. See http://<host>:<port>/console-help/doc/en-us/com/bea/wlserver/core/index.html for more information on installing a web application.

      • For WebLogic Server v10.3 up to and including v10.3.2

        Copy the war file from your OMS installation into each target's $WL_HOME/server/lib directory. Restart all the servers in the target domain.

      • For WebLogic Server v10.3.3 and higher

        No action is required.

    • Real-time Monitoring rule

      Monitors operating system and database level entities that store configuration data. Real-time monitoring rules define the entities to monitor, user actions to watch for, and any types of filters to apply to the monitoring. Monitoring can be filtered by: when changes occurred, who made the changes, and what process made the changes.

      The real-time monitoring rule definition includes facets that are used to determine what is important to monitor for a given target type, target properties, and entity type. A facet is a collection of patterns that make up one attribute of a target type. For example, you may choose to define a facet that lists all of the critical configuration files for the Host target type. These configuration files would be the ones that, if changed, would most likely result in instability of the host. You may also create a facet that lists all users which are DBA users.

      The real-time monitoring rule can be part of a compliance standard that is associated with one or more targets. The monitoring can occur on any operating system level entity, for example, file, process, user, registry, and so on. Real-time monitoring rules can additionally specify whether observations captured by the rule are automatically reconciled. This reconciliation determines whether the actions observed were authorized or not.

      Change Request Management reconciliation compares open change requests to actions performed on targets. If there is a match of expected actions to actual actions, then those actions are authorized, otherwise they are unauthorized. Authorizations can also be done manually. All observations are captured and bundled by rule, target and user. Attributes can be set on the frequency of observation data collection. For additional information, refer to the Oracle Enterprise Manager Cloud Control Administrator's Guide.

  5. Click OK.
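
The following is an added example, not Oracle code, that models the real-time monitoring concepts described in step 4: a facet as a collection of patterns, reconciliation of observations against open change requests, and bundling of observations by rule, target, and user. The glob pattern syntax, the matching criteria (same target, user, facet, and time window), and all names and sample records are assumptions constructed for illustration.

```python
"""Added illustration of facet matching and change-request reconciliation."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Dict, List, Tuple

RULE = "Monitor Host Configuration Files"      # hypothetical rule name
FACET = "Critical Host Config Files"           # hypothetical facet name

# A facet is a named collection of patterns. ASSUMPTION: shell-style globs.
FACETS = {FACET: ["/etc/ssh/sshd_config", "/etc/pam.d/*", "/etc/sudoers"]}


@dataclass(frozen=True)
class Observation:
    rule: str
    target: str
    user: str
    entity: str        # the monitored entity, here a file path
    action: str
    when: datetime


@dataclass(frozen=True)
class ChangeRequest:
    request_id: str
    target: str
    user: str
    facet: str         # facet the request expects to be changed
    start: datetime
    end: datetime


def in_facet(entity: str, facet: str) -> bool:
    """True if the entity matches any pattern of the named facet."""
    return any(fnmatchcase(entity, pattern) for pattern in FACETS[facet])


def reconcile(obs: Observation, facet: str,
              requests: List[ChangeRequest]) -> str:
    """An observed action is authorized only if an open change request
    expected it: same facet, target and user, inside the request window."""
    for cr in requests:
        if (cr.facet == facet and cr.target == obs.target
                and cr.user == obs.user and cr.start <= obs.when <= cr.end):
            return "authorized"
    return "unauthorized"


def bundle(observations: List[Observation], facet: str,
           requests: List[ChangeRequest]
           ) -> Dict[Tuple[str, str, str], List[Tuple[str, str]]]:
    """Keep observations on entities in the facet, reconcile each one, and
    bundle the results by (rule, target, user) in time order."""
    bundles = defaultdict(list)
    for obs in sorted(observations, key=lambda o: o.when):
        if not in_facet(obs.entity, facet):
            continue                      # entity is not monitored by the rule
        status = reconcile(obs, facet, requests)
        bundles[(obs.rule, obs.target, obs.user)].append((obs.entity, status))
    return dict(bundles)


# Constructed sample data.
DAY = (2024, 1, 10)
CHANGE_REQUESTS = [
    ChangeRequest("CR-EXAMPLE-1", "host-a", "alice", FACET,
                  datetime(*DAY, 10, 0), datetime(*DAY, 12, 0)),
]
OBSERVATIONS = [
    Observation(RULE, "host-a", "alice", "/etc/ssh/sshd_config", "modify",
                datetime(*DAY, 10, 30)),   # inside alice's request window
    Observation(RULE, "host-a", "bob", "/etc/pam.d/sshd", "modify",
                datetime(*DAY, 10, 45)),   # bob has no change request
    Observation(RULE, "host-a", "alice", "/tmp/scratch.txt", "modify",
                datetime(*DAY, 11, 0)),    # not in the facet
    Observation(RULE, "host-a", "alice", "/etc/sudoers", "modify",
                datetime(*DAY, 13, 15)),   # after the request window closed
]

if __name__ == "__main__":
    for key, results in bundle(OBSERVATIONS, FACET, CHANGE_REQUESTS).items():
        print(key, results)
```

Unauthorized entries in a bundle are the ones to review, or to authorize manually if the change was legitimate but no request matched.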

Usage Notes

  • Rules are visible in the global rule library.

  • All rules are visible to all users.

  • Users can create compliance standards based on these rules. Note: Rules cannot be evaluated directly. These rules are evaluated in context of a compliance standard, and their violations are viewed in context of a compliance standard they are referred from.

  • One rule can be referred to by multiple compliance standards.

  • The association of rules with targets can be customized per compliance standard rule, in context of the compliance standard from which the rule is included.

  • Because the user-defined compliance standard rule is defined by a privileged user, only privileged users can modify the compliance standard rule. Violation results are available to all users.

  • To share this user-defined compliance standard rule with other privileged users, provide the XML schema definition (using the Export feature) so they can import the compliance standard rule to their Management Repository.

  • To minimize scrolling when reading the Description, Impact, and Recommendation information, restrict the text to 50 characters per line. If more than 50 characters are needed, start a new line to continue the text.

  • Once the compliance standard rule is created, it is not automatically evaluated. Consider adding the rule to a compliance standard.

  • Look at the context-sensitive help for information about each page in the Compliance Standard Rule wizard.

  • A compliance standard rule can be added to more than one compliance standard, and can have a different importance when added to a different standard. For example, you could have a compliance standard rule called Check Password Expired which flags user accounts with expired passwords. This compliance standard rule may be a member of two compliance standards: All System Passwords Secure and 30-day Password Validation. The All System Passwords compliance standard verifies a password's security, whereas the 30-day Password Validation compliance standard checks the date that this password was last set.

    • The Check Password Expired compliance standard rule could have Extremely High importance for the 30-day Password Validation compliance standard, since this check is warning users that their passwords are about to expire.

    • In the All System Passwords Secure compliance standard, the Check Password Expired compliance standard rule could have a Normal importance, and other added compliance standard rules that do security checks could have a higher importance within the compliance standard.

Creating Like a Compliance Standard Rule

Before you create a compliance standard rule like another compliance standard rule, ensure that you have privileges to access the compliance standard rule you will be copying from. (See Privileges and Roles Needed to Use the Compliance Features.)

To create a compliance standard rule like another compliance standard rule, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standard Rules tab.

  3. Highlight the rule you want to replicate.

  4. Click the Create Like button.

  5. Customize the fields as needed.

  6. Click Save.

Editing a Compliance Standard Rule

Before you edit a compliance standard rule, ensure that you have privileges to access the compliance standard rule to be edited. (See Privileges and Roles Needed to Use the Compliance Features.)

To edit a compliance standard rule, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standard Rules tab.

  3. Highlight the rule you want to edit and click the Edit button.

  4. Update the parameters as needed.

  5. Click Save.

Usage Notes

  • You can change all the rule properties except the rule name and target type. Additionally, for real-time monitoring rules, you cannot change entity type or target properties.

  • If you change the critical rule properties for a repository rule, for example, rule query, violation condition, parameters, or severity, then editing the rule invalidates the results for compliance standards which refer to the rule. The compliance score of each of those compliance standards will be reevaluated at the next rule evaluation.

  • For rules in production mode, you have a choice to either create and save a draft of the rule or to overwrite the existing production rule. If you create a draft, you can edit the draft rule, at a later point in time, test it, and then overwrite and merge it back to the original production rule the draft was made from. Note: You cannot include a draft rule into any compliance standard. After you successfully test a draft rule, you can overwrite the original production rule from which the draft was created.

  • For a WebLogic Server Signature rule or a Real-time Monitoring rule, if the rule being edited is referred to by a compliance standard which is associated with a target, then the rule definition will be deployed to the Management Agent monitoring the target, so that the Management Agent can evaluate the latest definition of the rule. In the case where the Management Agent is down or unreachable, the rule definition changes will be propagated to the Management Agent as soon as the Management Agent is available.

Deleting a Compliance Standard Rule

Before you delete a compliance standard rule, ensure that you have privileges to access the compliance standard rule to be deleted. (See Privileges and Roles Needed to Use the Compliance Features.)

Also, ensure that compliance standard rule references have been removed from compliance standards before deleting the compliance standard rule.

To delete a compliance standard rule, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standard Rules tab.

  3. Highlight the rule you want to delete, then click the Delete button.

  4. Confirm that you want to delete the rule by clicking OK.

Note: You can only delete rules that are not referred to, or used by, any compliance standard.

Exporting a Compliance Standard Rule

Before you export a compliance standard rule, ensure the compliance standard rule to be exported is defined in the Management Repository. Also ensure that you have privileges to access the compliance standard rule to be exported. (See Privileges and Roles Needed to Use the Compliance Features.)

To export a compliance standard rule, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standard Rules tab.

  3. Highlight the rule you want to export.

  4. From the Actions menu, select Export.

  5. Provide the file name to which the standard rule is to be exported.

  6. The XML representation of the compliance standard rule is generated and placed in the directory and file you specified.

Importing a Compliance Standard Rule

Before you import a compliance standard rule, ensure the compliance standard rule to be imported is defined in a file. Also ensure that you have privileges to access the compliance standard rule definition XML file to be imported. (See Privileges and Roles Needed to Use the Compliance Features.)

To import a compliance standard rule, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standard Rules tab.

  3. From the Actions menu, select Import.

  4. Provide the file name from which the rule definition (as per Compliance Standard Rule XSD) will be imported. Specify whether to override an existing definition if one already exists.

  5. Click OK.

Browsing Compliance Standard Rules

Before you browse compliance standard rules, ensure you have privileges to access the compliance standard rule definitions you will be browsing. (See Privileges and Roles Needed to Use the Compliance Features.)

To browse compliance standard rules, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standard Rules tab.

  3. To view the details of a particular standard rule, highlight the rule and click Show Details.

Searching Compliance Standard Rules

Before you search compliance standard rules, ensure you have privileges to access the compliance standard rule definitions you will be searching. (See Privileges and Roles Needed to Use the Compliance Features.)

To search for compliance standard rules, follow these steps:

  1. From the Enterprise menu on the Cloud Control home page, select Compliance, then select Library.

  2. Click the Compliance Standard Rules tab.

  3. In the Search portion of the page, provide criteria to use to narrow the search.

    By default, all the compliance standard rules in the compliance standard rule library appear in the results table. However, you can specify a set of search criteria and then perform a search that will display only the compliance standard rules that meet those criteria in the results table.

    For example, if you choose Security in the Category list, contains in the Compliance Standard Rule list, "port" in the adjacent Compliance Standard Rule text field, Host in the Target Type list, and then click Go, Enterprise Manager displays, in the results table, only the compliance standard rules for the host security category that contain "port" in their names.

  4. Click Search.

Compliance Standard Rules Provided by Oracle

Oracle provides over 1600 compliance standard rules.

WebLogic Server Signature Rules

WebLogic Server (WLS) signature rules deliver pre-emptive support to WebLogic customers by scanning WebLogic installations for vulnerabilities and violations, based primarily on in-depth knowledge of common pitfalls and best practices. This is the Enterprise Manager compliance solution for WebLogic Server. The following sections explain WLS Signature rules in detail.

About WLS Signature Rules

A signature describes a potential problem in a WebLogic installation. It consists of categorization metadata, a user-readable description of the problem, and an XQuery expression for evaluating whether the problem exists at the target.

A WLS Signature rule is an agent-side rule that checks a signature definition against an associated target for the existence of the problem the signature defines. WebLogic Server targets include: WLS Domain; WLS Cluster; WebLogic Managed Server. The first two are composite target types: logical groupings of instances of simple WebLogic Server targets. Rules must be evaluated against the whole domain or cluster to render meaningful violation results.

WLS Signature rules, like other compliance rules, are grouped into Compliance Standards, which are logical groupings based on signature metadata such as severity and remedy.

The general workflow is as follows:

  • Rule creation takes place in the wizard, where the rule is grouped into its logical Compliance Standard and is associated with a target.

  • The rule, in the context of its Compliance Standard, gets deployed to the agent monitoring the associated target.

  • The standard/rule combination gets evaluated agent-side against a metric collected specifically for the Compliance Standard and target type to determine compliance.

  • The evaluation generates violations (if any).

  • Violations are uploaded to OMS, from where they are subsequently uploaded into violations repository tables.

  • Violations are then viewable in compliance results pages and the dashboard.

Creating a WLS Signature Rule

There are several hundred out-of-box WLS signature rules designed to uncover compliance violations known to occur in WebLogic installations. You can supplement this rules repertoire to expose additional, lesser-known violations by creating your own WLS signature rules.

Use the WebLogic Signature Rules wizard to create custom WLS signature rules. To access the wizard:

  1. From the Enterprise menu, select Compliance, then select Library.

  2. Select Compliance Standard Rules.

  3. Click Create and select WebLogic Server Signature Rule. Click Continue.

  4. The wizard opens. Complete the wizard process as described in the Cloud Control online help.

Alternatively, you can select a WLS signature rule on the Compliance Standard Rules tab and click the Create Like button to base rule creation on an existing rule. After you name the new rule, the wizard opens, displaying the contents of the existing rule. Edit the rule as described in the Cloud Control online help.

WLS Signature Rule Example

Instructions you provide to the wizard shape the makeup of a WLS signature rule, but a rule's nerve center is the code you provide as the signature definition. A signature definition consists of a list of managed beans (MBeans) and an XQuery expression. Managed beans represent the configuration data to collect. They define a type and the attributes within the type to collect. They also declare which attributes to consider in determining whether there are violations. The XQuery expression defines the logic to use in evaluating the collected data for compliance. An XML example signature definition follows.

<SignatureDefinition>
     <MBeanList>
         <MBean scoreBase="true" mBeanType="ServerRuntime">
             <AttributeName>Name</AttributeName>
             <AttributeName>WeblogicVersion</AttributeName>
         </MBean>
     </MBeanList>
     <XQueryLogic>declare function local:getServerRuntimesEqualToVersionWithPatch($targetData, $major as xs:integer, 
$minor as xs:integer, $servicePack as xs:integer, $crNumber as xs:string) {
 for $ServerRuntime in $targetData/DataCollection/ServerRuntime
 let $weblogicVersion := fn:replace($ServerRuntime/@WeblogicVersion, &quot;WebLogic Server Temporary Patch&quot;, &quot;&quot;)
 let $majorVersion := 
     let $spaceParts :=  fn:tokenize(fn:substring-after($weblogicVersion, &quot;WebLogic Server &quot;), &quot; &quot;)
     let $majorVersionParts := fn:tokenize($spaceParts[1], &quot;\.&quot;)
     return     
       $majorVersionParts[1] cast as xs:integer
 let $SP_MP :=
         if ($majorVersion = 8) then
             &quot;SP&quot;
         else 
             if ($majorVersion &gt;= 9) then
                 &quot;MP&quot;
             else &quot; &quot;
 let $minorVersion := 
     let $spaceParts := fn:tokenize(fn:substring-after($weblogicVersion, &quot;WebLogic Server &quot;), &quot; &quot;)
     let $minorVersionParts := fn:tokenize($spaceParts[1], &quot;\.&quot;)     
     return     
       $minorVersionParts[2] cast as xs:integer
 let $servicePackVersion := 
     let $spaceParts := fn:tokenize(fn:substring-after($weblogicVersion, &quot;WebLogic Server &quot;), &quot; &quot;)
     let $servicePackParts :=  fn:substring-after($spaceParts[2], $SP_MP)
     return    
       if ($servicePackParts = &quot;&quot;) then
        0
       else
        $servicePackParts cast as xs:integer
 where $majorVersion = $major and $minorVersion = $minor and $servicePackVersion = $servicePack and 
       fn:contains(fn:upper-case($ServerRuntime/@WeblogicVersion),fn:upper-case($crNumber))
 return 
  $ServerRuntime
};
for $server in local:getServerRuntimesEqualToVersionWithPatch(/,10,0,1,&quot;CR366527&quot;) |
local:getServerRuntimesEqualToVersionWithPatch(/,10,0,0,&quot;CR366527&quot;) 
return &lt;Server Name=&quot;{fn:data($server/@Name)}&quot;/&gt;</XQueryLogic>
 </SignatureDefinition>

Effectively, this definition collects the server name and WebLogic version of all runtime servers. Much of the definition is devoted to parsing the version precisely: major and minor patch, service pack, CR number, and so forth. A violation occurs if any server has either of the stated patches (10.0.1 CR366527 or 10.0.0 CR366527), in which case the query returns the name of the server to be reported in violation. Hence, the rule definition must include a column to account for display of the server name. The version is irrelevant in the context of the display. Those alerted are interested only in which servers are in violation.
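The following Python sketch restates the version-matching logic of the signature above so that it can be exercised offline against sample version strings before a custom signature is deployed. It is an added example, not Oracle code; the function names and the sample WeblogicVersion strings are constructed for illustration, and treating an unparseable string as "no match" is an assumption.

```python
PATCH_BANNER = "WebLogic Server Temporary Patch"
PRODUCT_PREFIX = "WebLogic Server "

# (major, minor, service pack, CR number) pairs named in the signature's last clause.
FLAGGED = [(10, 0, 1, "CR366527"), (10, 0, 0, "CR366527")]


def parse_release(version_string):
    """Return (major, minor, service_pack) as the signature derives them, or None."""
    # fn:replace(...): drop every patch banner so that the first remaining
    # "WebLogic Server " prefix belongs to the release line.
    cleaned = version_string.replace(PATCH_BANNER, "")
    # fn:substring-after(...): the text after the first product prefix.
    _, found, rest = cleaned.partition(PRODUCT_PREFIX)
    if not found:
        return None  # assumption: an unparseable string is simply not a match
    space_parts = rest.split(" ")        # fn:tokenize($s, " ")
    dotted = space_parts[0].split(".")   # fn:tokenize($spaceParts[1], "\.")
    try:
        major, minor = int(dotted[0]), int(dotted[1])
    except (IndexError, ValueError):
        return None
    # The signature looks for "SP" on 8.x releases and "MP" on 9.x and later.
    marker = "SP" if major == 8 else "MP" if major >= 9 else " "
    token = space_parts[1] if len(space_parts) > 1 else ""
    # fn:substring-after($spaceParts[2], $SP_MP) yields "" when the marker is
    # missing, and the signature maps "" to service pack 0.
    _, has_marker, level = token.partition(marker)
    if not has_marker or level == "":
        return major, minor, 0
    try:
        return major, minor, int(level)
    except ValueError:
        return None


def matches(version_string, major, minor, service_pack, cr_number):
    """True when the release matches and the CR number appears (case-insensitive)."""
    release = parse_release(version_string)
    return (release == (major, minor, service_pack)
            and cr_number.upper() in version_string.upper())


def servers_in_violation(server_runtimes):
    """Names of the servers the signature would report, in input order."""
    return [s["Name"] for s in server_runtimes
            if any(matches(s["WeblogicVersion"], *flag) for flag in FLAGGED)]


# Constructed sample data, shaped like the ServerRuntime attributes the MBean list collects.
SAMPLE_RUNTIMES = [
    {"Name": "ms1", "WeblogicVersion":
        "WebLogic Server Temporary Patch for CR366527 Mon Jan 07 10:00:00 PST 2008\n"
        "WebLogic Server 10.0 MP1  Thu Oct 18 20:17:44 EDT 2007 1005184"},
    {"Name": "ms2", "WeblogicVersion":
        "WebLogic Server 10.0 MP1  Thu Oct 18 20:17:44 EDT 2007 1005184"},
    {"Name": "ms3", "WeblogicVersion":
        "WebLogic Server Temporary Patch for cr366527 Mon Jan 07 10:00:00 PST 2008\n"
        "WebLogic Server 10.0  Fri Mar 30 08:00:00 EDT 2007 933139"},
    {"Name": "ms4", "WeblogicVersion":
        "WebLogic Server Temporary Patch for CR366527 Mon Jan 07 10:00:00 PST 2008\n"
        "WebLogic Server 9.2 MP3  Mon Mar 10 08:28:41 EDT 2008 1096261"},
]

if __name__ == "__main__":
    for name in servers_in_violation(SAMPLE_RUNTIMES):
        print("violation:", name)
```

As in the XQuery, the CR number is searched for in the original version string, while the release numbers are parsed from the string with the patch banner removed.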

Real-time Monitoring Facets

The real-time monitoring rule definition includes facets that are used to determine what is important to monitor for a given target type, target properties, and entity type. A facet is a collection of patterns that make up one attribute of a target type.

The following sections explain real-time monitoring facets in detail:

About Real-time Monitoring Facets

A target type has several facets, and each facet describes one aspect of it. A target type will have a facet for which files are critical configuration files, which files are log files, which files are executables, which database tables have sensitive configuration data, and so on. The sum of all of these facets for a given target type makes up everything that is important to monitor for the given target type in terms of compliance.

For a given target type, you can create any number of facets. A facet is not only for a specific target type, but for a specific target type plus a combination of some number of target type properties. For instance, creating a facet for a Host Target Type on Windows is different than creating a facet for a Host Target type on Linux. A facet can have several target type properties. If no target type criteria are set, it is assumed that a facet applies to all criteria (any target of this type).

Real-time Monitoring facets based on target types are used to specify the entities to monitor. Facets are reusable. They can be created on their own, or created inline with a Real-time Monitoring rule. No matter how they are created, they can be used again at a later time in any number of rules.

Facets are used for monitoring and also for filtering.

As an example, if monitoring a host for file changes, a facet can be a list of distinct single files, patterns with wildcards that would include many files, or simply an entire directory. These patterns can also include parameters that have a default, but can be overridden as needed for each target. There are also built-in parameters, such as ORACLE_HOME that will be dynamically filled in for each target. For instance, if you wanted to specify monitoring the database configuration file tnsnames.ora, your pattern may be {ORACLE_HOME}/network/admin/tnsnames.ora.

When performing continuous real-time monitoring, it is important to scope your monitoring only to critical entities. Monitoring more activity than is important to the organization will result in higher CPU loads on the agent as well as a very large amount of data to be processed/stored by the Oracle Enterprise Manager servers.

Facet Entity Types

Each facet has an entity type which defines what kind of entities the facet describes. For example, for OS level monitoring, there is File, Process, User, Windows Registry, and several Active Directory elements. For database monitoring, the entity types include Table, View, Index, Procedure among others. The possible entity types are fixed by the continuous real-time configuration change monitoring capabilities available from the Management Agent.

Creation of facets is possible through the Facet Library screen. In this screen, you can add/edit patterns for facets, and see which facets are being consumed by rules.

When you specify a real-time monitoring rule, you must first decide what entity type on a host will be monitored. You can use Enterprise Manager to monitor the following entity types with Real-time Monitoring Rules:

Table 8-2 Monitored Entity Types

Entity Types

  • OS File

  • Oracle Database Table

  • Oracle Database Package

  • OS Process

  • Oracle Database View

  • Oracle Database Library

  • OS User

  • Oracle Database Procedure

  • Oracle Database Trigger

  • Microsoft Windows Registry

  • Oracle Database User

  • Oracle Database Tablespace

  • Microsoft Active Directory User

  • Oracle Database Index

  • Oracle Database Materialized View

  • Microsoft Active Directory Computer

  • Oracle Database Sequence

  • Oracle Database Cluster

  • Microsoft Active Directory Group

  • Oracle Database Function

  • Oracle Database Link

  • Oracle Database Dimension

  • Oracle Database Profile

  • Oracle Database Public DB Link

  • Oracle Database Synonym

  • Oracle Database Public Synonym

  • Oracle Database Segment

  • Oracle Database Type

  • Oracle Database Role

  • Oracle Database SQL Query Statement


Facet Patterns

A facet contains one or more patterns. These patterns can express inclusion or exclusion filters. For instance, you may define a facet for critical configuration files that looks like the following:

Include c:\myapp1\config

Exclude c:\myapp1\config\dummy.cfg

In this case, everything under c:\myapp1\config will be considered to be a member of this facet except for the individual file c:\myapp1\config\dummy.cfg. The following general rules describe how patterns work in the most common use cases. Each entity type might have special cases or special formats of patterns.

  • When two patterns have the same specificity and one is an include and the other an exclude, the include wins.

  • Patterns that are more specific override less specific ones. In the above example, the exclude for dummy.cfg overrides the include that the file inherits from the first pattern, c:\myapp1\config.

  • If there are no patterns at all, exclude * is assumed (that is, no entities are in the facet).

For each pattern that you add to a facet, an optional description field is available to let you document the pattern.
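The following Python sketch applies the three precedence rules above to a list of paths, which is useful for checking the scope of a facet before it is attached to a rule. It is an added example, not Enterprise Manager code. The page does not define how specificity is measured, so this sketch assumes path depth; the function names, the case-insensitive comparison, and the sample paths are also constructed for illustration.

```python
from fnmatch import fnmatchcase


def components(path):
    """Split a path into lower-cased components (Windows-style, case-insensitive)."""
    return [part for part in path.replace("/", "\\").lower().split("\\") if part]


def pattern_matches(pattern, path):
    """A pattern covers the entity it names and everything beneath it.

    * and ? act as wildcards within a single path component.
    """
    pat, target = components(pattern), components(path)
    if len(pat) > len(target):
        return False
    return all(fnmatchcase(t, p) for p, t in zip(pat, target))


def decide(patterns, path):
    """Return (is_member, deciding_pattern) for one path.

    patterns is a list of (action, pattern) pairs, action "include" or "exclude".
    """
    best_rank, best = None, None
    for action, pattern in patterns:
        if not pattern_matches(pattern, path):
            continue
        # Assumption: deeper patterns are more specific. On a tie the include
        # outranks the exclude because True sorts above False.
        rank = (len(components(pattern)), action == "include")
        if best_rank is None or rank > best_rank:
            best_rank, best = rank, (action, pattern)
    if best is None:
        return False, None  # nothing matched: "exclude *" is assumed
    return best[0] == "include", best


def monitored(patterns, paths):
    """The subset of paths that are members of the facet."""
    return [p for p in paths if decide(patterns, p)[0]]


# The facet from the text above.
CONFIG_FACET = [
    ("include", r"c:\myapp1\config"),
    ("exclude", r"c:\myapp1\config\dummy.cfg"),
]

# Constructed facet with two patterns of equal depth that both match main.cfg.
TIE_FACET = [
    ("exclude", r"c:\myapp1\config\*.cfg"),
    ("include", r"c:\myapp1\config\main.cfg"),
]

# Constructed sample paths.
SAMPLE_PATHS = [
    r"c:\myapp1\config\app.cfg",
    r"c:\myapp1\config\dummy.cfg",
    r"c:\myapp1\config\sub\deep.xml",
    r"c:\myapp1\bin\app.exe",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        member, why = decide(CONFIG_FACET, path)
        print(f"{path}: {'monitored' if member else 'ignored'} (decided by {why})")
```

Running a candidate facet through a check like this against the files that matter shows whether a broad exclude silently removes a critical file from monitoring.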

Operations on Facets

The following sections explain the operations you can perform on facets:

Creating and Editing Facets

When you create a facet and subsequently use it in a Real-time Monitoring Compliance Standard Rule, the compliance rule only references the facet. Because the rule references the facet rather than copying it, the rule automatically uses the new content whenever the facet changes.

The content of the facet being used becomes important when the compliance standard is assigned to a target.

Each facet is assigned a description that allows you to document the facet. Each pattern also has an optional description field.

Ensure you have the privileges to create, delete, and modify facets as these configurations relate to the compliance monitoring. See Privileges and Roles Needed to Use the Compliance Features for information.

To create or edit a facet, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library. Choose the Real-time Monitoring Facets Library tab.

    Enterprise Manager displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import and export.

  2. Click Create to create a new facet.

    The Create Facet page displays.

  3. Enter the name you want to assign to the facet in the Facet Name field, then choose the target type for the facet you are creating from the drop-down list in the Target Type field. Once you choose the Target Type, you can enter values in the Target Property Filter fields.

    The target properties you add here limit the targets to which this facet can ultimately be assigned. For instance, you could define a facet to work only for Linux version 5 on 64-bit servers.

  4. Choose the Entity Type from the drop-down.

  5. Enter a description for the facet in the Description field.

  6. The Create Facet page contains three tabs you can use to enter more information and parameters for the facet you create. Use the Patterns tab to add patterns to be either Included or Excluded when this facet is used by a Real-time Monitoring Compliance Standard Rule. Use the Add or Delete buttons to add additional patterns or to remove a selected pattern from the facet definition.

  7. If you are defining a facet for the OS File entity type, there is an optional ability to browse a host to find the files you want to monitor. The right side of the page has an area where you can choose the host to use as the basis for looking for files. In the pattern area, you can click the Browse button to interactively browse the files on the selected host and select the files to include in the pattern. After selecting patterns from a host, you can continue to manually add more or edit existing ones.

  8. Use the Parameters tab to view parameters that are part of the new facet. Oracle provides a set of predefined parameters based on target parameters (such as ORACLE_HOME) that are defined out of the box. These parameters do not require a default value and are always set according to the target's value.

    Parameters will appear under this tab when they are used in a pattern. To start using a new parameter, simply add the parameter to the pattern by enclosing it in curly brackets {}. For instance, a pattern of {INSTALL_DIR}\config\main.conf would result in a parameter of INSTALL_DIR being listed under this tab. All parameters must have a default value that will be automatically used for all targets against which this facet is used. This value can be overridden when associating a compliance standard containing a real-time monitoring rule to one or more targets.

    The Parameters tab displays the Parameter Name, Default Value, Used in Pattern, and Description. Used in Pattern indicates that the parameter is currently in use. This parameter may have been defined at some point in a pattern and then removed. The pattern will still be available for use again at a later time even if the pattern is not currently in use.

    If the entity for which you are adding a pattern includes a "{" or "}", you can escape these characters by using "{{}" and "{}}" in the pattern respectively. These will not be counted as parameters.

  9. The Operation Time Window tab is only available if the facet being created/edited is of entity type Operations Time Window. A facet of this entity type is only usable as a filter in a Real-time monitoring rule. For instance, you can specify in the rule that you only want to monitor an item during a specific time, for example, "Production Hours". In the Duration section, choose either a 24 Hour Interval or Limit Hours to, which allows you to enter a Start time and an Interval in Hours and Minutes. In the Repeating section, you can choose either All the time or you can select Repeat and then choose which days of the week to repeat the operation.

  10. Choose OK to create the facet.
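The following Python sketch shows how a facet pattern with parameters, as described for the Parameters tab above, resolves to a concrete path for one target, including the "{{}" and "{}}" escapes. It is an added example, not Enterprise Manager code; the function names, the allowed characters in a parameter name, the order in which values are looked up, and the sample values are assumptions made for illustration.

```python
import re

# One token is an escaped "{", an escaped "}", or a {PARAMETER} reference.
# Assumption: parameter names consist of letters, digits and underscores.
TOKEN = re.compile(r"\{\{\}|\{\}\}|\{([A-Za-z_][A-Za-z0-9_]*)\}")


def parameters_in(pattern):
    """Parameter names used in a pattern, in order of first use, escapes ignored."""
    names = []
    for match in TOKEN.finditer(pattern):
        name = match.group(1)
        if name and name not in names:
            names.append(name)
    return names


def expand(pattern, defaults, target_values=None, overrides=None):
    """Resolve a pattern for one target.

    target_values: built-in parameters such as ORACLE_HOME, set from the target.
    overrides:     values supplied when the compliance standard is associated.
    defaults:      default values defined on the facet.
    """
    target_values = target_values or {}
    overrides = overrides or {}

    def substitute(match):
        token = match.group(0)
        if token == "{{}":
            return "{"
        if token == "{}}":
            return "}"
        name = match.group(1)
        # Assumed lookup order: target value, then per-target override, then default.
        for source in (target_values, overrides, defaults):
            if name in source:
                return source[name]
        raise ValueError(f"parameter {name} has no value for this target")

    return TOKEN.sub(substitute, pattern)


# Constructed sample values.
FACET_DEFAULTS = {"INSTALL_DIR": r"c:\myapp1", "APP_NAME": "billing"}
TARGET_BUILTINS = {"ORACLE_HOME": "/u01/app/oracle/product/db_1"}

if __name__ == "__main__":
    print(expand(r"{INSTALL_DIR}\config\main.conf", FACET_DEFAULTS))
    print(expand(r"{INSTALL_DIR}\config\main.conf", FACET_DEFAULTS,
                 overrides={"INSTALL_DIR": r"d:\apps\myapp1"}))
    print(expand("{ORACLE_HOME}/network/admin/tnsnames.ora", {},
                 target_values=TARGET_BUILTINS))
    print(expand(r"{INSTALL_DIR}\logs\{{}archive{}}\{APP_NAME}.log", FACET_DEFAULTS))
```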

Deleting a Facet

Deleting a facet is not possible as long as the facet is in use either as a monitoring facet in a rule or as a filter facet in a rule. If this facet is not in use in any rules, then the facet can be deleted. If a facet is in use, the user is alerted to the current use and not allowed to delete the facet until the rules using it are modified to no longer include it.

After a facet is deleted, the data is no longer linked to the facet by name; instead, "(Deleted Facet)" is shown as the name of the facet to which the data is related. The data will only be available through the Search Observations page, not the Browse pages.

Ensure you have the privilege to delete a facet. See Privileges and Roles Needed to Use the Compliance Features for information.

Compliance users will want to keep the unused facet available so that the compliance data is not lost. You can also remove the patterns as long as you keep the actual facet to maintain collected observations. Then, only after the compliance data related to this old facet is no longer available, you can delete the facet without any data loss.

To delete a facet, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library. Choose the Real-time Monitoring Facets Library tab.

    Enterprise Manager displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import and export.

  2. Select the facet from the list of facets in the table on the page.

  3. Click Delete to delete the facet. You will be prompted to confirm that you want to delete the facet.

Using Create Like to Create a New Facet

Facets that ship with the product or with a plug-in cannot be changed. If you want to enhance or modify the out-of-box content, you must use the create-like functionality to make your own copy of the facet which can then subsequently be edited.

Ensure you have the privilege to create a rule and also create and edit a facet. See Privileges and Roles Needed to Use the Compliance Features for information.

An important limitation to the Create Like function is that you cannot change the target type or entity type. The patterns contained in the facet may be dependent on target type or entity type. Should you want to use Create Like and change these attributes, you should use Export to export the original facet, edit the name, target type, entity type in the XML, and then import the new facet.

To use create like to create a new facet, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library. Choose the Real-time Monitoring Facets Library tab.

    Enterprise Manager displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import and export.

  2. Choose the facet from the facet table that you want to use as the basis for the new facet you want to create.

  3. Click Create Like.

    Enterprise Manager displays the Create Facet page. All the values that were applicable to the facet you want to clone are entered. Use the page to edit the values for the new facet and click OK.

    It is important to understand that if the original base facet you used in the create like activity is changed, that change will not be reflected in the newly created facet. There is no relationship maintained when using Create Like.

  4. For more information about using the Create Facet page, see Creating and Editing Facets.

Importing and Exporting Facets

You can select facets and export or import them. All selected facets will be exported into one output file.

On import, if a facet of the same name/target type/entity type combination already exists, the import fails with an error that the facet already exists. The user must change the import file to remove the duplicate name and retry the import.

The combination of name, target type, and entity type define a unique facet. You can have the same name facet across different target types and entity types.

To export a facet, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Facet Library.

    Enterprise Manager displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import and export.

  2. Select one or more facets from the list of facets on the Facet Library page that you want to export and then click Export.

  3. On the Open dialog box, you can choose to open or save the facet XML file using an XML editor of your choice and then either edit or save the file to another location.

To import a facet, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library. Choose the Real-time Monitoring Facets Library tab.

    Enterprise Manager displays the Facet Library page that lists all available facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import and export.

  2. Click Import and choose the facet XML file you want to import into the Facet Library.

  3. Enterprise Manager imports all facets specified in the imported XML file. You can then edit the facet or use any other action on it as you would any other facet in the library.

Changing Base Facet Attributes Not Yet Used In a Rule

After a facet is in use in at least one rule (either as a monitoring facet or as a filter facet), you cannot change the facet name, target type, entity type, or target criteria of the facet since the rules that have been created are already bound to these attributes. The only attributes that can be changed are the facet patterns, parameters and description fields. Although the rule is not dependent on the facet name, users have chosen facets for their rules based on the name of the facet. Allowing the name of the facet to change after consumption would only confuse the rule authors.

If a facet is not currently in use but has been in use in the past, then it is treated the same as an in-use facet.

You cannot make changes to the out-of-box facets that ship with the Enterprise Manager product. If you want to use an out-of-box facet with changes, you can perform a “Create Like” operation and then modify it as needed.

To change base facet attributes, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library. Choose the Real-time Monitoring Facets Library tab.

    Enterprise Manager displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import and export.

  2. Choose the facet from which you want to create a new facet with modified attributes. Click Create Like.

  3. Enter a new Facet Name and change whichever attributes you need in order to create a new facet based on the previous facet.

Viewing the Facet Library

Any user that can view observation data is able to also view the facet library and see the facet history for any facet.

To view the facet library, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library. Choose the Real-time Monitoring Facets Library tab.

    Enterprise Manager displays the Facet Library page that lists all existing facets along with their target type, entity type, and other details about the facet. From this page you can perform administrative tasks such as create, create like, view, delete, import and export if you have the audit author role.

  2. The Facet Library page displays the Facet Name, Author, Target Type, Entity Type, Rules Using the facet, Description, and the Last Updated time of the facet. You can see the details of any facet by selecting it from the table and clicking Show Details.

  3. You can choose which columns to display in the table by clicking View and then choosing Columns. You can either choose to Show All columns or you can select individually the columns you want to appear in the table. You can reorder the columns by clicking Reorder after you click View and then changing the order in which the columns appear by moving them up or down using the arrow keys.

  4. You can view a history of a selected facet by choosing it from the table and then clicking History. The View History page displays.

Operations on Real-time Monitoring Rules

The following sections explain the operations you can perform on real-time monitoring rules:

Creating a Real-time Monitoring Rule

Use the following steps to create a Real-time monitoring rule:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

  3. At the top of the Rules table, choose Create from the Actions menu.

  4. From the Create Rule panel that displays, choose Real-time Monitoring Rule from the list of selections then click OK.

    Cloud Control displays the first page of the Create Rule Real-time Monitoring wizard.

  5. Use the Details page to set basic properties for the Real-time monitoring rule.

  6. Use the Entities to Monitor page to choose existing facets or create new facets. Facets available for monitoring in this rule are based on the entity type and target type chosen in the previous screen. Facets contain the patterns of entities that will be monitored.

  7. Use the Actions to Monitor page to choose one or more possible user actions to monitor. When associating a Compliance Standard using this rule to target(s), various audit settings on the target may need to be enabled. Refer to the documentation for any operating system specific audit settings required.

  8. Use the Filters page to add filters if you want to only perform monitoring under specific conditions. Based on the entity type you chose for the rule, there may be various filters that can be applied. You can use existing facets as filters or create new facets.

  9. Use the Settings page to configure Change Request Management reconciliation as well as advanced settings related to how observation bundles are created.

  10. Use the Review page to review all settings for the rule before promoting it to production or saving it as a draft.

Editing a Rule

For any rule that is in use in a compliance standard, the rule name, target type, target properties, and entity type cannot be changed. You must first either do a Create Like on the rule and replace the compliance standard association with this new rule, or unassociate the rule from all compliance standards before modifying the rule.

For out of the box rules that are included in the Enterprise Manager product, you can change the following pieces of the rule.

  • Facets patterns and parameter defaults – but cannot change the facets monitored

  • Actions to Monitor

  • Filter

  • Settings

All other parts of the rule cannot be changed. To use this facet with modifications, you can use Create Like and then modify it.

To edit a rule, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

    Enterprise Manager displays the Compliance Standard Rule Library page.

  3. Select the rule you want to edit from the Rules table and click Edit.

Usage Notes

You can change all the rule properties except the rule name and entity type.

If you change the critical rule properties for a repository real-time monitoring rule, for example, rule query, violation condition, parameters, or severity, then editing the rule invalidates the results for compliance standards which refer to the rule. The compliance standards compliance score will be reevaluated at the next rule evaluation.

For rules in production mode, you have a choice to either create and save a draft of the rule or to overwrite the existing production rule. If you create a draft, you can edit the draft rule, at a later point in time, test it, and then overwrite and merge it back to the original production rule the draft was made from. Note: You cannot include a draft rule into any compliance standard. After you successfully test a draft rule, you can overwrite the original production rule from which the draft was created.

For a WebLogic Server Signature rule or Real-time monitoring rule, if the rule being edited is referred to by a compliance standard which is associated with a target, then the rule definition will be deployed to the Management Agent monitoring the target, so that the Management Agent can evaluate the latest definition of the rule. In the case where the Management Agent is down or unreachable, the rule definition changes will be propagated to the Management Agent as soon as the Management Agent is available.

Viewing Real-time Monitoring Rules

Use the following steps to view an existing Real-time monitoring rule:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

  3. In the Rules table, choose the real-time monitoring rule you want to view.

  4. From the Action menu, choose Show Details.

    Cloud Control displays the Compliance Rule Details page that shows you all the detailed information about the rule.

Deleting a Rule

A compliance standard rule can only be deleted if it is not actively part of any compliance standard. When deleting a rule, any facets that were associated with the rule are unassociated. The facet itself is not changed. The facet remains and any other rules using the facets are not affected.

Any data that references this rule remains. When you view it from the Observation Search, it simply displays "(Deleted Rule)". You cannot access the data through the two Browse-by screens.

For compliance users, a very common use case would be that customers would want to keep the unused rule around so the compliance data is not lost. The user can simply remove the reference to the rule from compliance standards to avoid future evaluations of the rule. Then only after the compliance data related to this old rule is no longer available, they can delete the rule without any data loss.

To delete a rule, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

    Enterprise Manager displays the Compliance Standard Rule Library page.

  3. Select the rule you want to delete from the Rules table and click Delete.

Usage Notes

You can only delete rules that are not referred to, or used by, any compliance standard.

Saving a Development Copy of a Rule Prior to Production

When first creating a rule, the rule may be in development mode if you select this as a production rule in the first page of the rule creation wizard. When you are finished with the rule creation process, on the last screen of the wizard you can decide to promote the rule to production. This means the rule can then be used in a compliance standard.

Any time during the rule creation step, you can save the rule. Some key fields for the rule, for example the rule name, are required.

This makes the Configuration Change CS Rule consistent with the other two types of Compliance Standard rules.

To save a development copy of a rule prior to production, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

    Enterprise Manager displays the Compliance Standard Rule Library page.

  3. Click Create.

    The Create Rule dialog box opens where you can select the type of Compliance Standard Rule you want to create.

  4. Select Real-time Monitoring Rule and click OK.

    The Create Rule: Real-time Monitoring wizard opens to the Details page. Fill in all appropriate information for the rule you want to create.

  5. Proceed through the rule creation wizard. On the Review page, click Finish while leaving the Lifecycle State as "Development".

Importing and Exporting Rules

You can select rules to export or import.

To import rules, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

    Enterprise Manager displays the Compliance Standard Rule Library page.

  3. From the Actions menu, click Import.

    Enterprise Manager displays the Import Rule dialog box that allows you to select a file for import.

  4. Enter the location and name of the file you want to import, or use the Browse function to navigate to the file on your system or network. Click OK to import the rule.

  5. Optionally you can use the Overwrite Option to overwrite a file with the same name upon import.

To export a rule, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

    Enterprise Manager displays the Compliance Standard Rule Library page.

  3. Select the rule from the Rule table that you want to export.

  4. From the Actions menu, click Export.

    You can choose to open the file using the default or a chosen XML editor, or you can save the file to a location on your system or network.

Setting Severity Levels for Rules

Like all compliance standard rules, you can set a severity level for the rule so that any violations can be weighted for compliance score calculation.

To set the severity level for a rule, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

  3. If you are setting the severity level for an existing rule, choose the Real-time Monitoring Rule for which you want to set a severity level and click Edit. Enterprise Manager opens the Edit Rule: Real Time Monitoring wizard and displays the Details page of the wizard. In the Severity field, choose the severity level from the drop-down list. You can select Critical, Minor Warning, or Warning.

    If you are creating a rule, you can similarly set the Severity Level on the Details page of the Create Rule: Real-time Monitoring wizard.

Setting Target Criteria For a Rule

When creating a rule, you must choose a target type for the rule. Since the Real-time monitoring capabilities on the agent have some dependencies on operating system and versions of operating systems, when creating a rule for real-time configuration change monitoring, you must be allowed to set the criteria for a rule. The target may be different on a target type, so patterns in the facets may be different. For instance, Oracle Database on Microsoft Windows is not the same as it is on the UNIX operating system.

Why would I set target criteria?

If target criteria are not set, all rule options are available. Then, at target-to-compliance-standard association time, if a target's settings do not match, that rule/facet is ignored. If you only set, for example, the platform name, but not version, then only the options that are common across all versions of the platform are available.

The list of facets that are selectable when creating a rule are filtered by the target criteria that a facet is created to support. For instance if you have a facet, FACET1, that works on Linux or HPUX and you create a rule for Windows, this facet for Linux and HPUX will not be available to select for your rule. This applies both when selecting the monitoring facet or using a facet as a filter. However if you create a rule for either Linux or HPUX, FACET1 will be available because the criteria for the rule at least overlapped with that of the facet.

To set the target criteria for a rule, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

  3. Click Create to create a new rule.

    Enterprise Manager opens the Create Rule: Real-time Monitoring wizard and displays the Details page.

  4. After defining the Rule name, Lifecycle State, Severity level and the target type in the Applicable to field, if necessary, expand the Target Property Filter section.

    Use this section to define the criteria for which targets could be associated. If the filter is not defined, all targets will be evaluated against this rule. However, without a Compliance Standard and Compliance Standard associated to a target, no targets will be evaluated. This just limits which targets could be associated, but it does not simply enable all monitoring at this time.

  5. Enter the Lifecycle State, Version, and Platform information for the filter.

Selecting the Types of Actions You Want to Monitor

When creating a rule, you can decide which types of observations or user actions are important to be monitored and reported back to Enterprise Manager. The Management Agent has a specific set of observations that are possible for each entity type. Some options may be specific to certain operating system platforms or versions. You can select one or more of these options.

The observation types that you may be able to select can also be limited by the target properties/criteria selected for the rule. For instance, some operating systems may not have every monitoring capability for files. When building the list of available observation types, the target type, entity type, and target properties are all taken into consideration.

To select the type of observations you want to monitor in a rule, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

  3. If you want to select observations for a currently existing rule, click on the Real-time Monitoring rule in the Rules table and then click Edit.

    Enterprise Manager opens the Edit Rule: Real-time Monitoring wizard and displays the Details page. Move to the Observations page.

    If you want to select observations while creating a new rule, click Create to create a new rule. Enterprise Manager opens the Create Rule: Real-time Monitoring wizard and displays the Details page. After entering relevant information on the Details and Facets pages of the wizard, move to the Observations page.

  4. On the Observations page, select one or more activities to be observed from the list that appears. During target association for this rule, auditing must be enabled to capture selected details. It is important to note that different operating systems and different capabilities have specific auditing requirements.

  5. In the Parameters section, if there are additional observation parameters, you can review and update the parameters.

Using Facets As Filters In Rules

When creating a rule, facets can be used in two ways. The first is to use the facet to specify what entities to monitor in the rule. The second is to use the facet as a filter to apply on top of activities detected by the agent.

You can use the same facet as a monitoring facet in one rule and a filtering facet in another rule. The benefit is once you define a collection of patterns, for example to define your administrative users, you can use that collection in many ways without having to redefine the collection again.

Filters in rules are set up to reduce the observations that are captured and reported to the OMS. If there are no filters defined, then all observations related to the monitoring facet(s) selected in the rule are captured. When selecting a facet as a filter, the default is to only include observations that have attributes that match. The following example IT compliance control demonstrates the filtering:

IT Control: Monitor all changes to critical OS configuration files by administrators during production hours.

To implement this IT control, you can create a compliance standard rule with the following:

  1. Create a rule and select the file facet “Critical OS configuration files” for the monitoring facet that has patterns covering all critical OS configuration files.

  2. Select “content change” as the observation types to capture.

  3. Add an OS Users filter selecting facet “Administrators” that lists patterns describing all of the OS user accounts that are considered administrators.

  4. Add a Time Window filter selecting facet “Production Hours” that lists patterns describing the times of the week that are considered to be production hours. For example, Every day 4am-2pm PST.

When the agent sees any content change to the patterns in Critical OS configuration files, it will only report these changes back to the OMS if the change happened during production hours and if any user described in the Administrators facet is the one making the change. Filters can also be inverted to monitor anyone not in the administrators group or for changes outside of production hours.
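The filtering logic of this IT control can be modelled in a few lines. The following is an added example, not Enterprise Manager code: the glob pattern syntax, the class and field names, the "read" action, and the sample observations are all assumptions made for illustration.

```python
# Added illustration, not Enterprise Manager code. Glob patterns, field names and
# the sample observations are constructed; timestamps are assumed to already be
# in the time zone the "Production Hours" facet is written in.
from dataclasses import dataclass, replace
from datetime import datetime, time
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Observation:
    os_user: str
    path: str
    action: str
    when: datetime


@dataclass(frozen=True)
class PatternFilter:
    """A facet used as a filter on one observation attribute."""
    attribute: str
    patterns: tuple
    invert: bool = False

    def allows(self, obs):
        hit = any(fnmatchcase(getattr(obs, self.attribute), p) for p in self.patterns)
        return hit != self.invert   # invert=True keeps everything except matches


@dataclass(frozen=True)
class TimeWindowFilter:
    start: time
    end: time
    invert: bool = False

    def allows(self, obs):
        hit = self.start <= obs.when.time() < self.end
        return hit != self.invert


@dataclass(frozen=True)
class Rule:
    monitoring_patterns: tuple      # the monitoring facet
    actions: frozenset              # observation types to capture
    filters: tuple = ()             # every filter must allow the observation

    def reports(self, obs):
        monitored = obs.action in self.actions and any(
            fnmatchcase(obs.path, p) for p in self.monitoring_patterns)
        return monitored and all(f.allows(obs) for f in self.filters)


# Constructed facet contents standing in for the three facets named in the control.
CRITICAL_OS_FILES = ("/etc/passwd", "/etc/sudoers", "/etc/ssh/*")
ADMINISTRATORS = PatternFilter("os_user", ("root", "adm_*"))
PRODUCTION_HOURS = TimeWindowFilter(time(4, 0), time(14, 0))   # 4am-2pm
CONTENT_CHANGE = frozenset({"content change"})


def at(hour, minute=0):
    return datetime(2024, 1, 15, hour, minute)   # constructed date


OBSERVATIONS = (   # constructed sample activity
    Observation("root", "/etc/passwd", "content change", at(5, 30)),
    Observation("root", "/etc/sudoers", "content change", at(22)),
    Observation("appuser", "/etc/ssh/sshd_config", "content change", at(9)),
    Observation("adm_jane", "/tmp/scratch.txt", "content change", at(9)),
    Observation("adm_jane", "/etc/ssh/sshd_config", "read", at(10)),
)

NO_FILTERS = Rule(CRITICAL_OS_FILES, CONTENT_CHANGE)
IT_CONTROL = Rule(CRITICAL_OS_FILES, CONTENT_CHANGE, (ADMINISTRATORS, PRODUCTION_HOURS))
NON_ADMINS = Rule(CRITICAL_OS_FILES, CONTENT_CHANGE,
                  (replace(ADMINISTRATORS, invert=True), PRODUCTION_HOURS))
AFTER_HOURS = Rule(CRITICAL_OS_FILES, CONTENT_CHANGE,
                   (ADMINISTRATORS, replace(PRODUCTION_HOURS, invert=True)))


def reported(rule, observations=OBSERVATIONS):
    """Return (user, path) for every observation the rule would send to the OMS."""
    return [(o.os_user, o.path) for o in observations if rule.reports(o)]


if __name__ == "__main__":
    for name in ("NO_FILTERS", "IT_CONTROL", "NON_ADMINS", "AFTER_HOURS"):
        print(name, reported(globals()[name]))
```

Comparing `NO_FILTERS` with `IT_CONTROL` shows how much each filter narrows what is reported; the two inverted rules surface exactly the activity the original control leaves out.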

To use facets as filters in rules, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

  3. If you want to use facets as filters in a currently existing rule, click on the Real-time Monitoring rule in the Rules table and then click Edit.

    Enterprise Manager opens the Edit Rule: Real-time Monitoring wizard and displays the Details page. Move to the Observation Filters page.

    If you want to use facets as filters while creating a new rule, click Create to create a new rule. Enterprise Manager opens the Create Rule: Real-time Monitoring wizard and displays the Details page. After entering relevant information on the Details, Facets, and Observations pages of the wizard, move to the Observation Filters page.

  4. To add a facet as a filter, click Add.

    Enterprise Manager opens the Add Observation Filter dialog box. From here you can enter a Filter Type for the target type you are using, and then can choose to either Apply the filter as specified or Invert the filter to monitor everything except what is specified in the filter.

    At the bottom of the filter step in the wizard is a readable description of what will be monitored to specify what effect adding filters will have on monitoring.

    From the list of available facets in the table, select (or multi-select) the facets you want to use as filters. Click OK.

  5. You can delete any of the facets from the rule by highlighting them in the Facets table and clicking Remove from Rule.

  6. You can create an inline facet to use as filter for a rule by clicking Create. Enterprise Manager displays the Create (Inline Rule) Filter page where you can create the facet.

Controlling Observation Bundle Lifetimes

Observation bundles are logical groupings of observations that occur over a relatively short period of time against the same rule on the same target and by the same user. The last three factors cannot be configured by the user because they will be how the agent groups observations before sending them back to the Enterprise Manager server.

The user creating the rule however does have three variables that they need to be able to configure:

  1. Idle timeout: The amount of time after the user has no more activity from their last activity on an entity in a given rule on a given target. The use case for this is that a user logs into a server, starts making a few file changes and then no more file changes are made after 15 minutes. This 15 minute waiting period is the idle timeout. After this idle timeout period is reached, the current observation bundle is closed and sent to the Enterprise Manager server. The next time a new observation is detected, a new group will be started and the process starts over.

  2. Maximum lifespan of a group: If a user were to set the idle timeout to 15 minutes and a user on a host was making one file change every 10 minutes for an indefinite period of time (say through a script or even manual), the observation bundle will never close and therefore never get sent to the Enterprise Manager server for reporting/processing. Setting the maximum lifespan of a group tells the agent to only allow a group to accumulate for a maximum specific time. For example, this maximum lifespan may be 30 minutes or an hour.

  3. Maximum number of observations in a group: If a rule is being triggered because of an activity that is causing a lot of observations to be detected, it may be desirable for the user to not group every observation together if there are too many. Groups have a management lifecycle to them where observations can be set to authorized/unauthorized, and so on. Having observation bundles with tens of thousands of observations in it could become hard to manage.

These three fields must have a value.

The user creating a rule cannot choose to turn off grouping, but if they desired to reduce delays in observation reporting to Enterprise Manager server, they could set the idle timeout and maximum lifespan of a group to be lower.
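The interaction of the three settings is easiest to see in a simulation. The following is an added example, not Management Agent code: timestamps are plain minute counts, the rule, target and user names are constructed, and closing a bundle when an observation arrives exactly at its deadline is an assumption.

```python
# Added illustration, not Management Agent code. Times are minutes since an
# arbitrary start; rule, target and user names are constructed sample values.
from dataclasses import dataclass


@dataclass
class Bundle:
    key: tuple            # (rule, target, user): the fixed grouping factors
    opened: int           # minute of the first observation
    last: int             # minute of the most recent observation
    count: int = 1
    closed_at: int = -1
    reason: str = ""


def build_bundles(observations, idle_timeout, max_lifespan, max_observations):
    """Group (minute, rule, target, user) tuples into closed bundles."""
    open_bundles, closed = {}, []

    def deadline(b):
        # Whichever limit is reached first closes the bundle.
        idle_at, life_at = b.last + idle_timeout, b.opened + max_lifespan
        if idle_at <= life_at:
            return idle_at, "idle timeout"
        return life_at, "maximum lifespan"

    def close(b, when, reason):
        b.closed_at, b.reason = when, reason
        closed.append(open_bundles.pop(b.key))

    for minute, rule, target, user in sorted(observations):
        # Close every open bundle whose deadline has passed by now.
        for b in list(open_bundles.values()):
            when, reason = deadline(b)
            if when <= minute:
                close(b, when, reason)
        key = (rule, target, user)
        b = open_bundles.get(key)
        if b is None:
            b = open_bundles[key] = Bundle(key, minute, minute)
        else:
            b.last, b.count = minute, b.count + 1
        if b.count >= max_observations:
            close(b, minute, "maximum observations")

    # End of the sample stream: remaining bundles close at their deadline.
    for b in list(open_bundles.values()):
        close(b, *deadline(b))
    return sorted(closed, key=lambda b: (b.closed_at, b.opened))


def summary(bundles):
    return [(b.key[2], b.count, b.reason, b.closed_at) for b in bundles]


RULE, HOST = "os-config-rule", "host1"                       # constructed names
# One change every 10 minutes for two hours (the case described above).
STEADY = [(m, RULE, HOST, "alice") for m in range(0, 121, 10)]
# 25 observations in the same minute, for example from a script.
BURST = [(0, RULE, HOST, "alice")] * 25
# Two users active at once on the same rule and target.
TWO_USERS = [(0, RULE, HOST, "alice"), (3, RULE, HOST, "bob"), (5, RULE, HOST, "alice")]

if __name__ == "__main__":
    print(summary(build_bundles(STEADY, 15, 10**6, 1000)))   # effectively no lifespan cap
    print(summary(build_bundles(STEADY, 15, 30, 1000)))
    print(summary(build_bundles(BURST, 15, 30, 10)))
    print(summary(build_bundles(TWO_USERS, 15, 30, 1000)))
```

With a 15-minute idle timeout and an effectively unlimited lifespan, the steady stream stays in a single bundle until activity stops; a 30-minute maximum lifespan splits the same stream into bundles that are sent every half hour.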

The event/incident subsystem will track only the observation bundles, not each individual observation.

Observation bundles are built at the agent and will only be sent to the Enterprise Manager server when the group is complete. In most compliance use cases, this is acceptable because you will not need to view the results immediately. Capturing and grouping results together is more important.

When an observation becomes part of two or more groups on the agent because the same facet is used in multiple rules or multiple targets on the same host monitor the same facet with shared entities, then whenever the first group either hits its ending criteria (idle timeout, group maximum life, or maximum group entries), then all of the groups containing these shared observations are closed at the same time.

To control observation bundle lifetimes, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

  3. If you want to control observation bundle lifetimes in a currently existing rule, click on the Real-time Monitoring rule in the Rules table and then click Edit.

    Enterprise Manager opens the Edit Rule: Real-time Monitoring wizard and displays the Details page. Move to the Settings page. You must expand the section to view these settings.

    If you want to control observation bundle lifetimes while creating a new rule, click Create to create a new rule. Enterprise Manager opens the Create Rule: Real-time Monitoring wizard and displays the Details page. After entering relevant information on the Details, Facets, Observations, and Observation filters pages of the wizard, move to the Settings page.

  4. Under the Collection Settings section, enter the values as discussed above into the appropriate fields.

Creating a Facet Inline While Creating a Rule

You can create a facet inline while creating a rule. This flow is useful when the person creating a rule also knows the facets that need to be created. In some cases, the person that creates the rule may be a different person than whoever must populate the pattern content for the facet. This is because the knowledge of a specific facet definition is owned by a team other than the compliance team that creates rules. In this flow, one person can create a rule and specify none or some of the facet patterns and allow someone else to come later to populate the facet content.

When you create a new facet inline with a rule creation, this facet becomes part of the global facet library and can be used by other users in other rules as well. The facet can be created/edited in line with selecting a facet for monitoring or when selecting facets to be used as filters.

When you edit a facet, whether it was created inline or was already in the global library, the changes made are automatically applied to all consumers of the facet.

Follow the steps below to create a facet inline while creating a rule:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

    Enterprise Manager displays the Compliance Standard Rule Library page.

  3. Click Create.

    The Create Rule dialog box opens where you can select the type of Compliance Standard Rule you want to create.

  4. Select Real-time Monitoring Rule and click OK.

    The Create Rule: Real-time Monitoring wizard opens to the Details page. Fill in all appropriate information for the rule you want to create.

  5. Move to the Facets page of the wizard.

    The Facets table on this page lists all facets associated with the selected or created rule. You can choose to associate existing facets or you can create a new facet inline.

  6. Click Create to create a new facet inline.

    Enterprise Manager displays the Create (Inline Rule) Facet page where you can define a new facet to be used in your definition of the rule you are creating. For more information about creating a facet, see Creating and Editing Facets.

Real-Time Observations

Observations are the actions that were seen on a host or target that were configured to be monitored through real-time monitoring rules. Each distinct user action results in one observation. Observations are additionally bundled if there are multiple observations done in a short period of time by the same user on the same target and against the same real-time monitoring rule.

Viewing Observations

The following sections explain the various methods by which to view observations.

Viewing Observations By Systems

When observations occur, they can be marked as authorized or unauthorized automatically. This provides one way for you to find observations that are important for you to look into. However, if a rule is not configured to reconcile observations with a change management server or if there is a large number of observations, it is difficult to find the observations that are important to you through only an attribute search. Being able to view observations by business application and drilling down into observation details allows you to discover where there may be issues that should be investigated.

Typically, IT managers and line of business owners must identify when unwanted configuration drift occurs in their business applications. By browsing observations by systems, you can easily see which changes affect specific business applications. Observations can be filtered by whether they are authorized, unauthorized, unaudited or both. They can also be filtered by time.

This begins with you choosing one or more business applications and being able to see the relative counts of observations taking into account some number of filters that have occurred over periods of time. You will most likely not know what a target is which is why the view starts at business applications. A business application is modeled in Enterprise Manager as a composite target/target group with type of “generic system.”

If you are more technical, this instance may be about being able to start from the business application view and drilling down to the actual observations themselves to see the details of what is changing.

To view observations by systems, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Real-Time Observations.

    Enterprise Manager displays the Real-Time Observations page that lists three options you can choose:

    • Browse Observations by Compliance Framework

      Allows you to select your compliance framework to see where observations are occurring in each area. You can drill down through various levels to narrow the view to highlight observations that need investigation.

    • Browse Observations by System Targets

      Allows you to select your business applications modeled as System Targets to see where observations are occurring in each area. You can drill down through various levels to narrow the view to highlight observations that need investigation.

    • Search Observations

      Allows you to search across any of the attributes of an observation for actions that occurred.

  2. Click Browse Observations by System Targets.

    Enterprise Manager displays the Select Root Target(s) page that lists the Target Name for each group.

  3. You can filter the Targets using the search criteria at the top of the page. Alternatively, you can either use a Saved Search by choosing it from the drop-down list, or create a Saved Search by conducting a search and then clicking Save to save the criteria. Clicking Save opens the Create Saved Search dialog box where you can add a name for the Saved Search and then choose to Set as Default, Run Automatically, or Save Results Layout. Click OK to save the search.

  4. You can submit a target name to a journal page by selecting the target and clicking Submit to Journal Page.

    You will see counts for each system target selected. Click on the system target name to drill down and show the counts by each target that comprises the system target. Continuing to drill down provides more specific information.

    Clicking on the count displays a screen that shows the actual observations that occurred during that time period.

Viewing Observations By Compliance Framework

The ability to view observations as they relate to a compliance standard structure is something that is typically done by a non-technical role such as an IT Manager, Line of Business Owner, Compliance Manager, or Executive.

You can identify some set of Compliance Frameworks that reflect the IT compliance framework that the organization follows. Observations can be filtered by whether they are authorized, unauthorized, unaudited or both. They can also be filtered by time.

This instance begins with you choosing one or more top level Compliance Frameworks and being able to see the relative counts of observations that have occurred over periods of time.

To view observations by Compliance Framework, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Real-Time Observations.

    Enterprise Manager displays the Real-Time Observations page that lists three options you can choose:

    • Browse Observations by Compliance Frameworks

      Allows you to select your compliance framework modeled as Compliance Frameworks to see where observations are occurring in each area. You can drill down through various levels to narrow the view to highlight observations that need investigation.

    • Browse Observations by System Targets

      Allows you to select your business applications modeled as System Targets to see where observations are occurring in each area. You can drill down through various levels to narrow the view to highlight observations that need investigation.

    • Search Observations

      Allows you to search across any of the attributes of an observation for actions that occurred.

  2. Click Browse Observations by Compliance Frameworks.

    Enterprise Manager displays the Select Compliance Framework(s) page that lists the Compliance Framework Name for each group.

  3. You can filter the Compliance Frameworks using the search criteria at the top of the page. Alternatively, you can either use a Saved Search by choosing it from the drop-down list, or create a Saved Search by conducting a search and then clicking Save to save the criteria. Clicking Save opens the Create Saved Search dialog box where you can add a name for the Saved Search and then choose to Set as Default, Run Automatically, or Save Results Layout. Click OK to save the search.

  4. Click on any Compliance Framework and choose Submit to Journal Page.

Usage Notes

There are filters available to allow you to narrow the observation counts and observations you can view. Some of these filters are:

Time range: A time range the report covers

User: A user that would have had any activity

Authorized Status: Shows all observations, only authorized, only unauthorized, only unaudited, etc.

  1. The first level shows the top level Compliance Frameworks, children Compliance Frameworks, and compliance standards in a hierarchical structure. Along with each compliance standard group, a count of all observations made during the time range is shown. Selecting some number of compliance standard groups takes the user to the next level.

  2. The second level shows counts of observations based on filter settings for all selected compliance standards along with counts of observations by compliance standard and time bucket. Selecting a compliance standard allows the user to drill into the next level.

  3. The third level shows the targets that are associated with the selected compliance standard along with counts of observations for these targets and compliance standard by time bucket. Selecting a target allows the user to drill into the next level.

  4. The fourth level shows the entity type. The fifth level shows the facets that are monitored on the target along with counts of observations by facet and time bucket. Selecting a facet allows the user to drill into the next level.

  5. The sixth level shows the entities in a hierarchical fashion with counts of observations by entity. As an example, if the entity type is file, then the hierarchy shows the disk structure to the files involved. Clicking on an entity takes the user to the next level.

  6. The last level shows the actual observation details in a table with each column showing the various attributes of the observation. The user can also get to this screen by clicking on a count from any of the previous levels.

The drill-down capability provided by these screens makes it easy for you to find where observations are occurring. When you have an environment with tens of thousands of targets across hundreds of business applications, it is impossible to view observations simply using a table and search unless you know exactly the search conditions you are looking for. In an environment this large, even with little activity, there can be tens of thousands of observations in a matter of an hour.

Viewing Details of an Incident

Observations are logically bundled together based on the compliance standard rule, target and user that performed the action.

The Observations page shows the list of observations in an observation bundle. You can filter on various attributes for each observation, including but not limited to the authorized/unauthorized status, user, time, entity, entity type, observation type, and so on.

You can use this page to show the user the observations in a bundle that are unauthorized. You can navigate to this page by clicking on some link from another page showing violations or notation of unauthorized activity.

When the Incident Manager Console opens a change request in a Change Management server for an observation bundle that has an unauthorized observation, the details in that incident may have a link that will take you to the bundle detail page. The URL allows you to display a page that shows each unauthorized observation in the observation bundle.

When looking at a compliance standard violation, you can see the detail of the observation bundle involved in the violation. Any observation bundle that has at least one unauthorized observation will be considered a violation. From the Event Details page under the Incident Management console, you can jump to this page to list all observations and filter on the unauthorized observations.

In an observation bundle, there can be a mix of observations; some number that are authorized, some number that are unauthorized and some that are unaudited, meaning they were not reconciled with a change management server and you have not manually set an authorized/unauthorized status.

To view the details of an incident, follow these steps:

  1. From the Cloud Control Home page, navigate to the Incident page by clicking Enterprise, then clicking Monitoring, then Incident Manager.

    Enterprise Manager displays the Incident Manager page.

  2. In the All Open Events table, highlight the event for which you want to see incident details. If no event rules have been created to raise incidents, the real-time observation violations will show up under "Events without Incidents".

  3. In the details section below, on the General tab you can click on the Details arrow to view the details of the incident.

Viewing a Summary of Observation Bundle Reconciliation Results From Incident Pages

When an Enterprise Manager incident is created because there was a violation, it is because an observation bundle had at least one observation that was unauthorized. This unauthorized observation could have been automatically reconciled to become unauthorized or you could have manually set the status to unauthorized. When looking at the incident history in the incident pages for an incident related to a real-time configuration change compliance standard rule, the incident will relate to a single observation bundle. The incident has a region that displays a summary of the statuses of the observations in the group. For instance, X authorized, Y unauthorized, Z unaudited out of N total observations. A link is also provided that takes you to the page that displays all of the observations in the observation bundle along with the details of the observations.

Viewing Observations With Compliance Violations From the Target Search Page

The Target Search page can display targets with compliance violations. These violations may be of any of the three types of compliance standard rules (config standards, guardian, or real-time configuration change monitoring). For real-time monitoring only, violations can either be for an entire group or for a single observation. You can view how many violations there are on the target related to real-time configuration change monitoring as well as navigate to a page that displays all the details of the observations that led to the violation.

To view observations with compliance violations from the Target Search page, follow these steps:

  1. Navigate to the Target Search page.

  2. Click on the number that represents the compliance violation. To get to real-time compliance violations, you must continue to drill down.

Authorized and Unauthorized Real-Time Observations

The following sections describe authorized and unauthorized real-time observations. For additional information, refer to the Oracle Enterprise Manager Cloud Control Administrator's Guide.

Automatically Specifying Whether Real-time Observation Is Authorized

You can reconcile an observation against a change management system to determine if that observation is authorized or unauthorized.

Multiple observations can belong to the same Observation Bundle. Even though an observation is part of a group, the determination of authorized vs. unauthorized is done for a single observation, not at the group level. If a group has at least one observation that is marked as “unauthorized”, then the group is considered to be a “violation” and an event or incident can be raised for this group violation.

This task provides an automated way to determine whether an observation was authorized.

To automatically specify whether real-time observation is authorized, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

    Enterprise Manager displays the Compliance Standard Rule Library page.

  3. You can specify whether Real-time Observation is authorized in an existing rule or when you create a new rule. In an existing rule select the rule you want to edit from the Rules table and click Edit and advance through the Edit Rule wizard until you get to the Settings page. Similarly, for a new rule enter the appropriate properties and attributes and advance to the Settings page.

  4. On the Settings page of the Edit Rule wizard or Create Rule wizard, select Authorize Observations Automatically using Change Management System.

    You must choose a configured Change Management Connector from the drop-down list. Optionally, you can choose the option that allows you to annotate a ticket with Authorized Details if a change request exists.

Annotating Change Requests With Observation Details for Authorized Observations

When an observation is detected on the agent and comes into the OMS, if the rule that caused the observation to be detected had integration with a change request management system set up, and the rule specified automatic reconciliation of changes with open change requests on the change request management server, then the observation is automatically determined to be authorized or unauthorized.

An observation can be determined to be authorized if one or more change requests match correlation criteria of the observation.

One user-configured option when selecting Change Request Management integration for a rule is to annotate the change requests with the details of the observations that were authorized by this change request. If an observation is authorized by more than one change request, all of these change requests will be annotated with details of this observation.

To specify that you want to annotate change requests with observation details, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

    Enterprise Manager displays the Compliance Standard Rule Library page.

  3. In an existing rule select the rule you want to edit from the Rules table and click Edit and advance through the Edit Rule wizard until you get to the Settings page. Similarly, for a new rule enter the appropriate properties and attributes and advance to the Settings page.

  4. On the Settings page of the Edit Rule wizard or Create Rule wizard, select Authorize Observations Automatically using Change Management System.

    You must choose a configured Change Management Connector from the drop-down list.

  5. Choose the option that allows you to annotate a ticket with Authorized Details if a change request exists.

    Whenever an authorized observation occurs, the authorizing change request is updated with the observation details.

Treating Observation Bundles With Unauthorized Observations As Compliance Violations

When an observation bundle has at least one unauthorized observation (either through automatic reconciliation or manually set by the user), this observation bundle is considered to be a compliance violation.

Compliance violations from any of the three available types of compliance standard rules provide a single measurable value to affect the compliance score for the compliance standard(s) to which this rule belongs.

The compliance score that is calculated for a real-time monitoring rule is based on the number of observation bundles that have unauthorized observations versus all observation bundles. Older observation bundles are weighted less in the scoring.

Observation Bundle Score = 1 - (number of unauthorized observations / total observations)

For example, if an observation bundle has 20 observations in it and one is unauthorized, the score for this bundle is 0.95. If this same bundle had 20 unauthorized observations, then the score would be 0.

If there are no unauthorized observations in a bundle, then the score for this bundle would be 1.0 (meaning it is 100% compliant).

Overriding the Automatic Determination of Authorized or Unauthorized For an Observation

You can override the audit status of an observation if you investigate the user action and determine that the activity should have resulted in a different audit status.

You can change an automatically authorized observation to unauthorized or vice versa. You can also change an authorized or unauthorized observation into unaudited, which is the same status it would have had if it had not been checked against any change management requests (for example, the rule did not enable CM reconciliation).

If you change an unauthorized observation into an authorized observation, then you have the option of entering a change request ID that is known to authorize the change. This change request ID should match a request that already exists in your change request management system. You can also enter a comment. If a change request ID is provided, then the change request is annotated with the change just as if the system had automatically authorized it. If an incident had been created for the observation bundle, then the event/incident is updated with the new number of unauthorized observations.

If there was only one observation that was unauthorized in the group and you manually changed it to authorized, then the incident will automatically close. If, some time after the incident closes, you set one of the authorized observations back to unauthorized, a new event is automatically opened and a new incident may be created based on the event rule definitions. The system does not reopen the previous event/incidents, but creates a new one based on the observation bundle again becoming a violation.

If you change an authorized observation into an unauthorized or unaudited observation, any annotations that were made to any change requests are rolled back. If there was already an incident raised for the observation bundle, then the annotation is changed to update the number of unauthorized observations in the incident. If this is the first unauthorized observation in a group, then an event is created and an incident is raised. You can provide a comment for the change.

Although the status will remain as authorized or unauthorized or unaudited, internally in the change tracking, the system notes who made the annotation. This is visible when a customer views the reconciliation history for a given observation. Automatic actions are done as 'sysman', so if there is no user name (or some system user name is used), then the annotation was done automatically by the reconciliation engine. If the annotation has a real Enterprise Manager user name, then it was a manual setting.

When you manually set the observation to be authorized and enter a change request ID and the rule has change management integration enabled, no attributes of the change request are compared with the observation. The change request is simply updated with the observation details.

When rolling back annotations in the change management server, the observation annotations are marked as rolled-back instead of actually being removed. This avoids confusing users who might not know why the annotations were removed. Also, if the observation later becomes authorized again, the rolled-back marking can simply be removed to bring the annotation back.
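The bundle scoring rule and the override behaviour described in the two sections above (a bundle is a violation while any observation is unauthorized, clearing the last one closes the event, and a later violation opens a new event instead of reopening the old one) can be modeled as follows. This is an added Python example, not Oracle's code; the class names, the `set_status` method, the `em_admin` user and the change request ID are assumptions for illustration, and the age weighting of older bundles is left out because the page does not quantify it.

```python
from dataclasses import dataclass, field
from enum import Enum

ENGINE_USER = "sysman"  # the page says automatic actions are done as 'sysman'


class Audit(Enum):
    AUTHORIZED = "authorized"
    UNAUTHORIZED = "unauthorized"
    UNAUDITED = "unaudited"


@dataclass
class Observation:
    entity: str
    status: Audit = Audit.UNAUDITED
    # One entry per status change: (status, set_by, change_request_id, comment)
    history: list = field(default_factory=list)

    def set_manually(self) -> bool:
        """True if the latest status came from a real user, not the engine."""
        return bool(self.history) and self.history[-1][1] not in ("", ENGINE_USER)


@dataclass
class Event:
    unauthorized: int      # count shown on the event/incident
    is_open: bool = True


@dataclass
class Bundle:
    # The page bundles observations by rule, target and the user who acted.
    rule: str
    target: str
    user: str
    observations: list = field(default_factory=list)
    events: list = field(default_factory=list)

    def unauthorized(self) -> int:
        return sum(o.status is Audit.UNAUTHORIZED for o in self.observations)

    def is_violation(self) -> bool:
        # Status is decided per observation; one unauthorized taints the bundle.
        return self.unauthorized() > 0

    def score(self) -> float:
        total = len(self.observations)
        if total == 0:
            return 1.0  # assumption: an empty bundle has nothing unauthorized
        return 1 - self.unauthorized() / total

    def set_status(self, index, status, set_by=ENGINE_USER,
                   change_request=None, comment=""):
        obs = self.observations[index]
        obs.status = status
        obs.history.append((status, set_by, change_request, comment))
        self._sync_event()

    def _sync_event(self):
        current = self.events[-1] if self.events and self.events[-1].is_open else None
        count = self.unauthorized()
        if count and current:
            current.unauthorized = count      # update the open event's count
        elif count:
            self.events.append(Event(count))  # new event, old ones stay closed
        elif current:
            current.is_open = False           # last unauthorized cleared


def walkthrough():
    """Replay the page's 20-observation example on constructed data."""
    bundle = Bundle("constructed-rule", "constructed-host", "constructed-os-user",
                    [Observation(f"/etc/app/file{i}.conf") for i in range(20)])
    for i in range(20):
        bundle.set_status(i, Audit.AUTHORIZED)
    bundle.set_status(0, Audit.UNAUTHORIZED)
    steps = [("one unauthorized", bundle.score(), len(bundle.events))]
    bundle.set_status(0, Audit.AUTHORIZED, set_by="em_admin",
                      change_request="CR-PLACEHOLDER", comment="verified")
    steps.append(("overridden to authorized", bundle.score(), len(bundle.events)))
    bundle.set_status(5, Audit.UNAUTHORIZED, set_by="em_admin")
    steps.append(("unauthorized again", bundle.score(), len(bundle.events)))
    return steps


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```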

Manually Setting an Observation As Authorized Or Not Authorized

For users that do not have a change management system integrated for CM reconciliation, all observations are by default given a reconciliation notation of unaudited – meaning they were not reconciled. You can manually set these observations as authorized or unauthorized.

If you are changing the observation from unaudited to authorized, you can provide a change request ID and a comment. Since the customer did not integrate with the CM server, no request updates are made to the change request to annotate the request.

If you changed the observation from unaudited to unauthorized, you can provide a comment. The observation bundle is treated as a compliance violation, resulting in an automatic Enterprise Manager event being raised. You can still decide in the Enterprise Manager event rule that an incident should be raised for the compliance violation. Even though CM integration was not configured for reconciliation, a change management incident ticket can still be created through the Enterprise Manager incident management system like any other incident.

Although the status remains as authorized or unauthorized or unaudited, internally in the change tracking, the system notes who made the annotation. Because system annotations are done as 'sysman', if there is no user name (or some system user name is used) then the annotation was done automatically by the reconciliation engine. If it has a real Enterprise Manager user name, then it was a manual setting.

To manually set an observation as authorized or not authorized when not integrating with a Change Management System, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Real-Time Observations.

    Enterprise Manager displays the Real-Time Observations page that lists three options you can choose:

    • Browse Observations by Compliance Framework

      Allows you to select your compliance framework to see where observations are occurring in each area. You can drill down through various levels to narrow the view to highlight observations that need investigation.

    • Browse Observations by System Targets

      Allows you to select your business applications modeled as System Targets to see where observations are occurring in each area. You can drill down through various levels to narrow the view to highlight observations that need investigation.

    • Search Observations

      Allows you to search across any of the attributes of an observation for actions that occurred.

  2. Click Search Observations.

    Enterprise Manager displays the Observations Search page that lists the observations returned by the search criteria you enter.

  3. You can modify the search fields used to filter your query by clicking Advanced.

    Enterprise Manager displays the Advanced Search Criteria dialog box that allows you to select the fields that appear in the search criteria.

  4. Update the audit status of any observation by selecting the observation or multiple observations from the search results and clicking Update Audit Status.

    Enterprise Manager displays the Update Audit Status dialog box. Choose the Action as either Authorized or Unauthorized, optionally add a Comment, and click OK.

Notifying a User When An Observation Occurs Without Change Management Integration

If a compliance standard rule is created and you do not use change management reconciliation with the rule, then there will be no automated authorized/unauthorized check done on the observations. You can specify for this rule that each observation bundle should result in an informational event being generated for the observation bundle.

The event will have a notation. From the Incident Management console the user can look at events and incidents. When looking at a single event, there is a link available to see the observations associated with this observation bundle's event. Each observation bundle can only have one event. If at least one observation in the bundle is unauthorized, then the bundle is considered to be in violation which results in the event being generated.

Since this notification does not require user intervention or follow-up action, it is treated as informational. If at a later time, someone changes one of these unaudited observations into an authorized or unauthorized one, a new informational event for the unaudited observations will not be re-delivered. It is delivered only once for the observation bundle. However if one of the observations is manually set to unauthorized, then a violation is raised for the entire observation bundle.

When at least one observation in a bundle is in an unauthorized state, a violation is created. That violation becomes an event in the Incident Manager Console. Use the Incident Manager feature to set up a notification. For more information about this, on the Incident Manager page, click on the online help link, Setting Up Notifications With Rules under the Setting Up Notifications section under Getting Started.

Notifying a User When An Authorized Observation Occurs

When an authorized observation occurs, it is not typical for you to receive a notification on these observations since the activity that caused the observation was expected. If you are using change management reconciliation, you have an option to annotate the authorizing change request with the observation details. The updates to the change request are one way you can learn of authorized activity. You can set filters in your change management system to let you know that a change request has had authorized activity against it.

Enterprise Manager has no other way to get an alert on an authorized observation.

If you are not using automatic reconciliation with a change management server, then to notify a user for every observation bundle with an informational event, follow the steps below:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Library.

  2. Click on the Compliance Standard Rule tab.

    Enterprise Manager displays the Compliance Standard Rule Library page.

  3. In an existing rule select the rule you want to edit from the Rules table and click Edit and advance through the Edit Rule wizard until you get to the Settings page. Similarly, for a new rule enter the appropriate properties and attributes and advance to the Settings page.

  4. On the Settings page of the Edit Rule wizard or Create Rule wizard, select Authorize Observations Manually.

  5. Under Collection Settings, expand the Advanced Settings box and choose the option that allows you to Generate an informational event during manual authorizations.

    An informational event is only created using Manual Observations. When you return to the Rules page and manually change the status, an event is created. However, the event is informational only and will not affect the compliance score of the rule, nor will it display on the Target Home page as an issue. You can then set up a notification on the Incident Manager Console to be sent to specific individuals.

Determining Whether Notifications On Unauthorized Observations Have Been Acknowledged, Reassigned, Or Escalated

Since notifications from events/incidents related to unauthorized events are typically indicative of a compliance issue, you should be able to identify notifications that have not been responded to after some period of time. If a notification is not responded to promptly, you should be able to escalate or reassign the notification to allow someone else to react to it.

A notification of an unauthorized observation (violation) typically results in one of two actions happening. Either the observation is investigated and found to be authorized through some change request or through the corporate process or the observation will actually be determined to be unauthorized. In the latter case, the result may be to create a change request to roll back a change or to change the IT corporate policies to ensure the problem does not happen again in the future.

The Incident Manager tracks notifications and the history of events. See the online help for the Incident Manager functionality to learn more about how to determine whether notifications or unauthorized observations have been acknowledged, reassigned, or escalated.

Operations on Observations

The following sections explain the possible operations on observations.

Selecting Observation Attributes to Display When Viewing Observations

An observation has many attributes or details. Some observations may have attributes that others do not simply because the entity type is different. For instance, a file change has some attributes that a process start does not have and vice versa. You can customize the fields that you want to display. You can also designate the order of the fields.

Different types of users will want to see different details. Once you set the fields, these settings can be saved per user per screen.

To select observation attributes to display when viewing observations, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Real-Time Observations.

  2. Click Search Observations.

    Enterprise Manager displays the Observations Search page that lists the observations returned by the search criteria you enter.

  3. You can choose which columns to display on the table. Click View, then click Columns. From here you can either click Show All to display all available columns for the entity type, or you can click Show More Columns to see a list of columns to display.

  4. You can reorder the columns as they appear in the table by clicking View, then Reorder Columns. The Reorder Columns dialog box is displayed, where you can highlight columns and use arrow keys to move columns up, down, to the top or bottom of the list.

Searching Observations By Observation Attributes

The ability to search observations is something that is typically done by a technical role such as a systems administrator, operator, or DBA.

You can select a set of criteria and search for observations matching these criteria. This is most effective when you know several attributes on which you want to search.

Use a search by attributes when you already know the specific types of observations for which you are looking. You can search based on time and user if you are trying to find the activity of a specific user. You can also search by time and a specific target to perform root-cause-analysis for a system failure.

The result of the search is a table of observations where each row is one observation and each column is one attribute of the observation.

To search observations by observation attributes, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Real-Time Observations.

    Enterprise Manager displays the Real-Time Observations page that lists three options you can choose:

    • Browse Observations by Compliance Frameworks

      Allows you to select your compliance framework modeled as Compliance Frameworks to see where observations are occurring in each area. You can drill down through various levels to narrow the view to highlight observations that need investigation.

    • Browse Observations by System Targets

      Allows you to select your business applications modeled as System Targets to see where observations are occurring in each area. You can drill down through various levels to narrow the view to highlight observations that need investigation.

    • Search Observations

      Allows you to search across any of the attributes of an observation for actions that occurred.

  2. Click Search Observations.

    Enterprise Manager displays the Observations Search page that lists the observations returned by the search criteria you enter.

  3. You can modify the search fields used to filter your query by clicking Advanced.

    Enterprise Manager displays the Advanced Search Criteria dialog box that allows you to select the fields that appear in the search criteria.

  4. You can update the audit status of any observation by selecting the observation from the search results and clicking Update Audit Status.

Changing Status and Annotating Observations

When viewing observations, you can see the current authorized/unauthorized status, change the status, and add a comment. This function is only available on a page that shows individual observations.

You can select one or more rows on the screen and apply the same change to all of the selected rows. When doing more than one row at a time, the same comment is applied to each observation.

Although the status remains as authorized or unauthorized or unaudited, internally in the change tracking, it is noted as a manual setting rather than an automatic reconciliation setting.

Ensure you have the privileges to change the status. See Privileges and Roles Needed to Use the Compliance Features for information.

To change the status and annotate observations, follow these steps:

  1. From the Enterprise Manager Cloud Control home page, click Enterprise, then choose Compliance from the drop-down menu, and then select Real-Time Observations.

    Enterprise Manager displays the Real-Time Observations page that lists three options you can choose:

    • Browse Observations by Compliance Frameworks

      Allows you to select your compliance framework modeled as Compliance Frameworks to see where observations are occurring in each area. You can drill down through various levels to narrow the view to highlight observations that need investigation.

    • Browse Observations by System Targets

      Allows you to select your business applications modeled as System Targets to see where observations are occurring in each area. You can drill down through various levels to narrow the view to highlight observations that need investigation.

    • Search Observations

      Allows you to search across any of the attributes of an observation for actions that occurred.

  2. Click Search Observations.

    Enterprise Manager displays the Observations Search page that lists the observations returned by the search criteria you enter.

  3. Conduct a search and display the results with the Audit Status column included. If the Audit Status column is not part of the column listing, you can add it by clicking View, then Columns, and choosing Audit Status from the list of available columns.

  4. Select the row or rows containing the Audit Status you want to update and click Update Audit Status. Enterprise Manager displays the Update Audit Status dialog box. In the Action field, choose the audit status you want to assign to the observation. The dialog box also lists the User and a Comment field where you can add annotated text.

  5. You can view the audit history of an observation by clicking the Audit Status link in the table row. Enterprise Manager displays the Audit History dialog box that shows the Time, Status, and other information about each audit event.