1 Introduction

This section provides an overview of compliance, how to use compliance standards, and how to view and understand compliance results.

Enterprise Manager 13c provides a rich and powerful compliance management framework that automatically tracks and reports conformance of managed targets to industry, Oracle, or internal standards. Enterprise Manager 13c ships with compliance standards for Oracle hardware and software including Database, Exadata Database Machine, Fusion Middleware, and more. These compliance standards validate conformance to Oracle configuration recommendations, best practices, and security recommendations.

1.1 Compliance Overview

The compliance framework in Enterprise Manager 13c is hierarchical in nature allowing for ease of management and reuse. Starting from the top level, the hierarchy contains Compliance Frameworks, Compliance Standards, and Compliance Rules. Compliance Frameworks aggregate the compliance scores of Compliance Standards which may be for different target types. Compliance Standards contain one or more Compliance Rules but are specific to a single target type. Compliance Rules are responsible for executing a single and specific validation of a target and reporting conformance.

Figure 1-1 Compliance Framework Hierarchy



Compliance Standards are the only level of the hierarchy that is associated directly with a target. Once a standard is associated, all rules it contains are evaluated against the configuration data held in the Enterprise Manager repository (with a few exceptions that evaluate differently). The compliance score for each target, and for the standard as a whole, is a computed result based on numerous factors, including the number of violations, the severity of the compliance rule that was violated, the importance given to the rule within the specific compliance standard, and more. For complete information on how compliance scores are calculated, see the Managing Compliance chapter in the Oracle Enterprise Manager Lifecycle Management Administrator's Guide.

1.2 Using Compliance Standards Provided by Oracle

Enterprise Manager 13c ships with ready-to-use compliance standards. You can choose to implement some or all of these compliance standards which consist of thousands of compliance rules.

Most of these compliance standards can be used out of the box. To use a security standard, however, you must first apply the corresponding security monitoring template; that is, you must enable additional configuration collections for the targets you want to associate with these compliance standards, because the security rules evaluate configuration data that is not collected by default.

Oracle provides monitoring templates specifically to enable these additional collections for Database Instance (Standalone and Cluster Member), Cluster Database, Pluggable Database, and Listener. Table 1-1 lists the Oracle Certified monitoring templates that enable the configuration collections required by the security standards. For complete information on how to use monitoring templates, see the Oracle Enterprise Manager Cloud Control Administrator's Guide.

Table 1-1 Security Monitoring Templates

Target Type: Cluster Database
  Oracle Monitoring Template: Oracle Certified-Enable RAC Security Configuration Metrics
  Security Compliance Standards:
    Basic Security Configuration for Oracle Cluster Database
    High Security Configuration for Oracle Cluster Database
    Basic Security Configuration for Oracle Cluster Database Instance
    High Security Configuration for Oracle Cluster Database Instance

Target Type: Database Instance
  Oracle Monitoring Template: Oracle Certified-Enable Database Security Configuration Metrics
  Security Compliance Standards:
    Basic Security Configuration for Oracle Database
    High Security Configuration for Oracle Database

Target Type: Pluggable Database
  Oracle Monitoring Template: Apply either the Real Application Cluster or the Database template to the container database.
  Security Compliance Standards:
    Basic Security Configuration for Oracle Pluggable Database
    High Security Configuration for Oracle Pluggable Database

Target Type: Listener
  Oracle Monitoring Template: Oracle Certified-Enable Listener Security Configuration Metrics
  Security Compliance Standards:
    Basic Security Configuration for Oracle Listener
    High Security Configuration for Oracle Listener

Associating a Target to a Compliance Standard

You associate a target to a compliance standard using the Compliance Library page.

  1. From the Enterprise menu, select Compliance, then select Library.

  2. Select the Compliance Standard and click the Associate button.

  3. Choose the target to add and click OK.

1.3 Viewing and Understanding Compliance Results

Once a Compliance Standard is associated to a specific target, the results can be seen almost immediately in the Compliance Results page. (From the Enterprise menu, select Compliance, then select Results.)

Results can be viewed by Compliance Framework, Compliance Standard, and Target. The Target Compliance tab shows the compliance score of a target across all compliance standards. This allows you to focus on your least compliant targets by sorting by the average score column.

Likewise, the Compliance Standards tab shows the results of each Compliance Standard currently being evaluated. Compliance Standards that have no targets associated with them do not appear in the list. It is important to understand how to interpret the different columns of the Evaluation Results page.

Figure 1-2 Compliance Standard Results



Column descriptions follow.

Target Evaluations

The Target Evaluations column shows how many targets were evaluated with a score that is Critical (less than 60), Warning (from 60 to 80, inclusive), or Compliant (greater than 80). These thresholds are the defaults; they can be changed per target during the association process.

Clicking on the number in a column will show the list of targets and their specific compliance score. See Figure 1-3.

Figure 1-3 Warning Target Evaluations Details



Violations

The Violations columns show the number of unique violations, grouped by compliance rule severity (Critical, Warning, or Minor Warning), across all evaluated targets. It is important to remember that the number of violations is not the same as the number of compliance rules in the compliance standard: a single compliance rule can generate multiple violations for one target. For example, the Secure Ports rule checks hosts for open well-known ports such as SMTP (25) and FTP (21).

If a single host has both of these ports open, the rule generates two different violations for that host. Clicking a number in a column shows the number of violations per target. See Figure 1-4.

Figure 1-4 Critical Compliance Violations



To see details of the violations as well as historical trend information, click the Show Details button with a Compliance Standard highlighted.

Figure 1-5 Compliance Standard Result Details - Summary



The navigator on the left allows you to select different levels of the Compliance Standard hierarchy and see the score at that level of the tree. The detail section at the bottom of the page shows the results by target or by compliance standard rule. The Summary tab at the top shows targets by severity and rule evaluation results by severity.

Clicking the Trend Overview tab shows the historical compliance metrics, each of which can be displayed for a date range of 1 day, 1 week, or 1 month.

Figure 1-6 Compliance Standard Result Details - Trend Overview



When a rule having violations is selected in the navigator, a Violations Events tab displays. The table at the top shows summary information about each violation including target name and violation condition. By selecting a specific row in the table, a detailed section appears showing complete event details and guided resolution areas.

Figure 1-7 Compliance Violation Events Detail



Every Oracle-provided compliance rule contains information to help you understand the rationale behind the validation, as well as recommendations on how to correct the violation. In Figure 1-7, the "Auditing of SYS Operations Enabled" rule has a violation event. The event's category is Security, and the time it was reported is shown. In addition, the Guided Resolution area shows the recommendation to "Set AUDIT_SYS_OPERATIONS to TRUE".
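The check and the fix behind the "Auditing of SYS Operations Enabled" rule, written out as an added example rather than as code taken from the Oracle documentation. It assumes a SQL*Plus or SQLcl session connected with SYSDBA privilege to the database instance that raised the violation, and an instance started from a server parameter file (SPFILE); the views and columns used are the standard V$PARAMETER and V$SPPARAMETER.

```sql
-- Added example, not part of the Oracle documentation. Run as SYSDBA on the
-- instance that showed the "Auditing of SYS Operations Enabled" violation.

-- 1. Reproduce the rule's check: what is the running value of the parameter?
--    AUDIT_SYS_OPERATIONS is a static parameter, so ISSYS_MODIFIABLE is FALSE,
--    meaning ALTER SYSTEM cannot change the in-memory value.
SELECT name,
       value,
       isdefault,
       issys_modifiable,
       CASE WHEN UPPER(value) = 'TRUE' THEN 'COMPLIANT' ELSE 'VIOLATION' END AS status
  FROM v$parameter
 WHERE name = 'audit_sys_operations';

-- 2. Apply the guided-resolution recommendation. Because the parameter is
--    static, the change can only be written to the SPFILE and takes effect at
--    the next instance restart. SID='*' records it for every instance of a
--    RAC database, matching the Cluster Database standards in Table 1-1.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE SID = '*';

-- 3. Confirm the pending value in the SPFILE before the restart...
SELECT sid, name, value
  FROM v$spparameter
 WHERE name = 'audit_sys_operations';

-- 4. ...and the running value after the restart. Only then refresh the target's
--    configuration collection in Enterprise Manager (Figure 1-8) so the
--    compliance score is recalculated from the corrected setting.
SELECT value
  FROM v$parameter
 WHERE name = 'audit_sys_operations';
```

Until the instance is restarted the collection still sees the old value, so refreshing the configuration immediately after the ALTER SYSTEM leaves the violation open; schedule the restart in a maintenance window and refresh afterwards.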

From this point you have many options to investigate the violation further or resolve the issue including:

  • View My Oracle Support Knowledge Base articles pertaining to this validation (assuming My Oracle Support (MOS) is in Online mode).

  • View the Topology of the target and related targets to perform dependency analysis.

  • View recently detected configuration changes to see when the change may have been made causing the violation.

  • Disable the rule for the target causing the violation in case it is determined this rule is not relevant to this target.

  • Create an incident from this event to prevent escalation notifications and create a workflow to resolution.

  • View any updates to the event by other users.

Once the underlying cause of the violation has been resolved, the next scheduled configuration collection automatically recalculates the target's compliance score. If you want to force a collection sooner, select Refresh from the target's Last Collected configuration page, as shown in Figure 1-8.

Figure 1-8 Manual Configuration Refresh



1.4 Summary

Enterprise Manager 13c makes it easy to validate your targets against Oracle recommendations, best practices, and security standards by providing ready-to-use Compliance Standards. DBAs and IT managers can track, manage, and report on the adherence of managed targets to these standards in an automated and consistent manner.