13 Managing Compliance

This chapter explains how Enterprise Manager Grid Control verifies that applications in your enterprise comply with preestablished standards. This chapter contains the following sections:

Compliance Overview

To have your enterprise run efficiently, it must adhere to standards that promote the best practices for security, configuration, and storage. Once these standards are developed, you can apply and test for these standards throughout your organization; that is, test for compliance. Compliance is the conformance to standards, or requirements, or both.

Using Enterprise Manager Grid Control, you can test the conformance of your targets for security standards, and configuration and storage requirements.

By continually testing your systems, services, and targets, you are ensuring the best possible protection and performance your system can have.

Compliance has two aspects: evaluating the compliance of your targets, and managing the policy group life cycle. The following sections describe these two concepts.

Note:

To view the compliance features:
  1. Navigate to the Grid Control Home page.

  2. Click the Compliance tab to access information regarding the policies, policy groups, and security statistics for your enterprise.

Compliance Management

Oracle provides two types of compliance management: policies and policy groups. Policies and policy groups define the optimal configurations of systems.

Policies and policy groups are similar in purpose, that is, they both provide rules against which managed entities are evaluated. However, there are differences:

  • Rules within a policy group are managed as a set. They are viewed, maintained, evaluated, and reported in the context of a policy group.

  • Policy rules are not evaluated as a set. Policy rules are viewed, maintained, and evaluated as standalone entities.

Whether you use the out-of-box policies and policy groups defined by Oracle or customize policies to meet your particular system requirements, any deviations to your systems or applications are reported. Examples of deviations include inappropriate settings and incorrect system configurations.

This section contains the following subsections:

Accessing Compliance Management Pages in Grid Control

To access compliance management pages in Grid Control:

  • Click the Compliance tab to view violations associated with policies and policy groups.

    • Click the Policies tab for a roll-up view of all policy violations across all targets. From this tab, you can also access policy associations, the policy library, and errors.

    • Click the Policy Groups tab to view the list of policy groups against which there are violations. From this tab, you can also access the library of policy groups and policy group evaluation errors.

    • Click the Security At a Glance tab for a roll-up view of security statistics across the enterprise.

  • Navigate to the Home page for a particular target. The links in the Policy Violations section display the number of policy violations according to severity level. Click the links to drill down to critical, warning, and informational policy violations for that target.

Investigating Policy Violations and Policy Group Evaluation Results

Here are a few suggestions for investigating policy violations. Attend to the most critical violations or those that have the biggest impact on your enterprise.

  • Study the statistics on the Enterprise Manager Grid Control Home page. In particular, look at the statistics in the All Targets Policy Violations section. The policy violations with "Critical" severity should be dealt with first.

  • Study the security-related violations reported in the Security Policy Violations section. Non-compliance with these policy rules can greatly impact the security of your enterprise.

  • Address targets that have the lowest compliance scores.

  • For the policy violations of a particular target, examine the home page for that target. The Policy Violations section provides overview information, but it also gives you access to the Policy Trend Overview for that target.

  • To deal with policies regardless of the target, navigate to the Compliance tab and then click Policies. Using this tab, you have access to all the policy violations for the enterprise, the policy associations, the policy rule library which lists all the policies, and policy evaluation errors.

    • Navigate to the Policy Violations page and enter an appropriate value in the "Most Recent Violation within n days" filter.

    • Suppress violations if you want to handle the violations at a later time.

  • To deal with policy groups regardless of the target, click Policy Groups. Using this tab, you have access to all the evaluation results for the enterprise, the policy group library, and policy group evaluation errors.

    Note:

    Only results from those targets for which you have VIEW privilege will be available for viewing.

    • Navigate to the Evaluation Results page for a particular policy group. In the navigation tree, click the name of the policy group and a summary page lists all the targets along with the number of violations.

    • Navigate to the Trend Overview page to see charts relating to the number of targets evaluated, the average violation count per target, number of targets by compliance score, and the average compliance score.

See Also:

"About Policies" and "About Policy Groups" in the Grid Control online help for an overview of policies and policy groups and pointers to more information about viewing and managing policies and policy groups.

Assessing Security

Security policies are available for many targets, including Host, Database Instance, Cluster Database, Listener, OC4J, Oracle HTTP Server, and Web Cache.

Security policy groups are available for Database Instance, Cluster Database, and Listener.

Because security is crucial to the stability of your enterprise, security statistics are displayed prominently in Grid Control. On the Enterprise Manager Grid Control Home page, and many target home pages, there is a separate section displaying the security statistics for the target. This allows you to pay close attention to the security health of the enterprise.

In addition, the Security At a Glance feature provides an overview of the security health of the enterprise for all the targets or specific groups. This helps you to quickly focus on security issues by showing statistics about security policy violations and noting the critical security patches that have not been applied.

Viewing Policy Violations Results

To view the results of an evaluation, use any or all of the following:

  • Study the statistics in the Policy Violations section of the target's home page

  • Use the Policy Trend Overview page and the Trend Overview page available from the Evaluation Results page

  • Access the Security At a Glance page

Policy Violations Reports

The Policy Violations reports and Policy Groups reports are available through the Reports feature. These reports cover non-suppressed violations for all targets, for a group, and for a single target, as well as the compliance summary for a group or a single target. Suppressed violations are likewise reported for all targets, for a group, and for a single target.

Setting Up Compliance Evaluations

Compliance evaluation is the process of testing the policy and policy group rules against a target and recording any violations in the Oracle Management Repository.

Scheduling an Evaluation

For the evaluation to take place, you must enable the evaluation in one of two ways:

  • For a policy, use the Metric Thresholds option on the Metric and Policy Settings page

  • For a policy group, use the Policy Group Library page

Viewing Policy Group Evaluation Results

To view the results of a policy group evaluation, use the Policy Groups Evaluations Results page accessed through the Policy Groups tab.

  1. From the Enterprise Manager Grid Control Home page, click the Compliance tab.

  2. Click the Policy Groups tab, then select the Evaluation Results page.

  3. Choose the target type and policy group in which you are interested. If you are not sure what policy groups are available, click the Library tab and select the target type. Click Go. The policy group information appears.

Out-of-Box Policies and Policy Groups

Oracle provides a number of out-of-box policies (also known as policy rules) and policy groups for various targets.

When you add a target to Enterprise Manager, that target automatically uses predefined policy rules for that type of target. For example, Oracle provides security, configuration, and storage policy rules for the database instances and cluster databases. Security and configuration policy rules are provided for hosts.

Note:

Policy Groups are not automatically associated with targets.

Customizing Policies

You can customize policies by editing the existing policy rule settings. You can enable or disable a policy evaluation, change the importance for the compliance score calculation, assign a corrective action, prevent template override, override default parameter values (when possible), and exclude objects from a policy's evaluation (when possible).

See Also:

Online help for compliance scores

Defining Corrective Actions

One of the features of customizing policies is the ability to define corrective actions. A corrective action is a special type of job that executes automatically in response to a policy violation.

Corrective actions utilize the Enterprise Manager Grid Control Job System and, like regular jobs, can consist of multiple steps, can be run with arbitrary host and target credentials, and report their success or failure and their output to the Management Repository.

Using Templates for Monitoring

A monitoring template defines all Enterprise Manager parameters you would normally set to monitor a target.

Monitoring templates simplify the task of setting up monitoring for large numbers of targets by allowing you to specify the monitoring and policy settings once and applying them as often as needed. You can save, edit, and apply these templates across one or more targets or groups.

See Also:

"Monitoring Templates" in Chapter 1, "Monitoring"

Policy Groups Provided by Oracle

Policy groups serve as standards by which targets are measured. Policy groups report deviations and enable closed loop remediation by optionally taking action to bring systems back into compliance. Oracle provides the following policy groups:

These standards represent best practices and allow you to maintain consistency across enterprise systems and configurations. The trend analysis feature allows fine-grained tracking of compliance progress over time.

The following sections provide the highlights of each policy group.

Secure Configuration for Oracle Database

This policy group adheres to the security standards available for the Oracle Database. The categories deemed the most important for this policy group are:

  • Post Installation

    These rules ensure that a database is not compromised by having a default database server account left open that uses its default password.

  • Oracle Directory and File Permissions

    These rules ensure that access to Oracle directories and files is restricted, making it more difficult for an operating system user to attack the database.

  • Oracle Parameters Settings

    These rules ensure database initialization parameter settings are secure.

  • Database Password Profile Settings

    These rules ensure database profile settings are correctly defined. Oracle password management is controlled through the use of user profiles which are then assigned to database users, enabling greater control over database security.

  • Database Access Settings

    These rules ensure that access to and use of the database at the object level is restricted such that users are only given those privileges that are actually required to efficiently perform their jobs.

Secure Configuration for Oracle Real Application Cluster

This policy group adheres to the security standards available for the Oracle Cluster Database. The categories deemed the most important for this policy group are:

  • Post Installation

    These rules ensure that a database is not compromised by having a default database server account left open that uses its default password.

  • Oracle Directory and File Permissions

    These rules ensure that access to Oracle directories and files is restricted, making it more difficult for an operating system user to attack the database.

  • Database Password Profile Settings

    These rules ensure database profile settings are correctly defined. Oracle password management is controlled through the use of user profiles which are then assigned to database users, enabling greater control over database security.

  • Database Access Settings

    These rules ensure that access to and use of the database at the object level is restricted such that users are only given those privileges that are actually required to efficiently perform their jobs.
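The following SQL*Plus script is an added example, not part of this Oracle documentation and not the definition of Oracle's out-of-box policy rules. It sketches what a check in each category of the Secure Configuration for Oracle Database and Secure Configuration for Oracle Real Application Cluster policy groups above looks like at the data-dictionary level, so that the violations Grid Control reports can be traced back to a concrete setting. The views, parameters and resource names are standard Oracle objects; the expected values, the profile name secure_users and the user names are assumptions chosen for illustration.

```sql
-- Added example (not from the Oracle documentation): sample checks that mirror
-- the policy-group categories. Run as a DBA user in SQL*Plus. The dictionary
-- views are standard; the thresholds and names below are illustrative assumptions.

-- Post Installation: accounts still open with their default password.
-- DBA_USERS_WITH_DEFPWD lists such accounts (available from Oracle Database 11g).
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE '%LOCKED%';

-- Remediation pattern for a flagged account (scott is a sample user name):
-- lock it and expire the password so the default credential cannot be used.
-- ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- Oracle Parameters Settings: initialization parameters that weaken security
-- when left at permissive values (expected values are illustrative).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('remote_os_authent',           -- expect FALSE
                'o7_dictionary_accessibility', -- expect FALSE
                'sql92_security',              -- expect TRUE
                'remote_login_passwordfile');  -- expect EXCLUSIVE or NONE

-- Database Password Profile Settings: profiles control lockout, lifetime and
-- complexity. Flag profiles that leave these limits unset (sample criterion).
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                         'PASSWORD_VERIFY_FUNCTION')
   AND limit IN ('UNLIMITED', 'NULL');

-- A hardened profile with sample limits; verify_function is the complexity
-- function created by Oracle's utlpwdmg.sql script.
CREATE PROFILE secure_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION verify_function;
-- Assign the profile to an application user (app_user is a sample name):
-- ALTER USER app_user PROFILE secure_users;

-- Database Access Settings: system privileges and execute grants made to PUBLIC
-- reach every account, so each one should be justified against least privilege.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC';

SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'DBMS_JOB');
```

Each SELECT returns rows only where the sample criterion is not met, which is the same shape as a policy violation: the rule, the target object and the offending value. On a cluster database the dictionary views are shared, so the same queries apply to the Real Application Cluster policy group; only the Oracle Parameters Settings category is specific to the single-instance group above.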

Secure Configuration for Oracle Listener

This policy group adheres to the security standards available for the Oracle Listener. The categories deemed the most important for this policy group are:

  • Oracle Directory and File Permissions

    These rules ensure that access to Oracle directories and files is restricted, making it more difficult for an operating system user to attack the database.

  • Network Configuration Settings

    These rules ensure that network configuration parameter settings are secure.