This chapter explains how to use the Security Technical Implementation Guides (STIG) based compliance standards, as well as how to customize them to meet environmental-specific requirements.
In keeping with Oracle's commitment to provide a secure database environment, Enterprise Manager supports an implementation, in the form of compliance standards, of several Security Technical Implementation Guides (STIGs). A STIG is a set of rules, checklists, and other best practices created by the Defense Information Systems Agency (DISA) to ensure compliance with Department of Defense (DOD)-mandated security requirements.
The currently available STIG based compliance standards are:
Security Technical Implementation Guide (STIG Version 1.8) for Oracle Database [Release 1.8]
Security Technical Implementation Guide (STIG Version 1.8) for Oracle Cluster Database [Release 1.8]
Security Technical Implementation Guide (STIG Version 8 Release 1.11) for Oracle Database
Security Technical Implementation Guide (STIG Version 8 Release 1.11) for Oracle Cluster Database
Oracle 11.2g Database STIG - Version 1, Release 2 for Oracle Database
Oracle 11.2g Database STIG - Version 1, Release 2 for Oracle Cluster Database
For detailed information on STIGs, visit the Information Assurance Support Environment website: http://iase.disa.mil/stigs/Pages/index.aspx.
To determine whether a database satisfies STIG Compliance Standards, you have to associate the database target with the standards.
From the Enterprise menu, select Compliance, then select Library.
Select the Compliance Standards tab and search for the STIG standard. There are two target types, Oracle Database and Oracle Cluster Database.
Select the appropriate standard and click Associate Targets.
Click Add and select the database targets you want to monitor. The targets appear in the table after you close the selector dialog.
Click OK then confirm that you want to save the association. The association internally deploys the configuration extension "STIG Configuration" to the appropriate Management Agents.
After deployment and subsequent configuration collection occurs, you can view the results. From the Enterprise menu, select Compliance, then select either Dashboard or Results.
There are four options for handling a STIG Compliance Standard violation: fix the database configuration so that the violation is resolved, clear a manual-rule violation after performing the check by hand, suppress the violation (indefinitely or until a given date), or customize the rule's query so that it fits your environment. Each option is described below.
Address the violation by fixing the security configuration on the database according to the STIG check recommendation.
From the Enterprise menu, select Compliance, then select Results.
Select the STIG Compliance Standards row and click Manage Violations.
Locate the rule violation row in the table and note the recommended fix in the far right column.
After making the change per the recommendation, refresh the database configuration in Enterprise Manager as follows:
Go to the database target home page.
From the database menu, select Configuration, then select Last Collected.
From the Actions menu on the right, select Refresh.
When the refresh completes, select the configuration extension in the left pane and confirm that the collection succeeded and shows no collection error.
From the Enterprise menu, select Compliance, then select Results. Verify that the violation no longer appears for the database target.
Checks that cannot be automated are implemented as Manual Rules. These checks must be performed by the administrator following the procedure described in the rule description or in the STIG guide itself.
When compliance standards containing manual rules are first associated to a target, each manual rule will generate one violation. Administrators can then clear the violation after successfully completing the check. The user performing the operation, as well as a description of the operation, are recorded during the process. Users can also set an expiration date at which time the violation will be re-generated. This provides for periodic reassessment of compliance.
From the Enterprise menu, select Compliance, then select Results.
Select the STIG Compliance Standard row, and click Manage Violations.
Select the Manual Rule Violations tab.
Select one or more rules and click Clear Violations.
Enter a reason and optionally an expiration date and click OK.
Suppressing a violation removes it from the compliance score calculation, as well as the results. Although suppressed, you can still create reports using the management views showing the suppressed violations.
Violations can be permanently or temporarily suppressed allowing for permanent exceptions or grace periods. If you choose to enter a date, the violation will re-appear on that date unless it has been cleared as a result of the underlying condition being corrected.
From the Enterprise menu, select Compliance, then select Results.
Select the STIG Compliance Standards row and click Manage Violations.
Select Unsuppressed Violations.
Select the rows listing the violations you want to suppress and click the Suppress Violations button.
In the dialog that opens, select Indefinite or select an expiration date. Optionally provide a reason for the suppression. Click OK.
In some cases, the rule detecting the violation, while desirable in its intent, needs some fine-tuning to work in your environment. The STIG Compliance Standard allows you to view and customize the query that evaluates the compliance standard violation. The process involves three tasks: customize the STIG Configuration extension, customize the compliance standard rule so that it uses the new extension, and create a compliance standard that references the customized rule. To illustrate the process, assume a scenario where you want to update the query for rule DG0116 DBMS privileged role assignments.
To customize the STIG Configuration extension:
From the Enterprise menu, select Configuration, then select Configuration Extensions.
Select the appropriate STIG Configuration table row (database instance or cluster database) and click the Create Like button.
Provide a new name for the extension; for example, Custom STIG Configuration.
On the Files & Commands tab, select all the command rows and click Delete.
On the SQL tab, locate the rule alias DG0116 DBMS privileged role assignments. Delete all other rows above and below it.
Modify the query for DG0116 and rename the alias; for example, Custom DG0116 DBMS privileged role assignments.
Preview the results: select the sample target and click Preview.
If the violation no longer appears, save the Custom STIG Configuration Extension.
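As an added illustration of the kind of edit made in the SQL tab above, the following query lists grants of privileged roles while excluding Oracle default accounts and a site-authorised DBA list. It is example code written for this page, not the DG0116 query shipped in Oracle's STIG Configuration extension (whose text the page does not reproduce); the set of roles, the default-account list and the APPDBA account names are assumptions chosen for the example.

```sql
-- Added example (not the DG0116 query from the shipped STIG Configuration extension).
-- Lists grants of privileged roles to grantees that are neither Oracle default accounts
-- nor site-authorised DBA accounts. Each row returned is a candidate violation.
SELECT rp.grantee,
       -- a grantee with no DBA_USERS row is a role; a role holding DBA is itself privileged
       CASE WHEN u.username IS NULL THEN 'ROLE' ELSE 'USER' END AS grantee_type,
       rp.granted_role,
       rp.admin_option,
       u.account_status
FROM   dba_role_privs rp
       LEFT JOIN dba_users u
              ON u.username = rp.grantee
WHERE  rp.granted_role IN (                 -- assumed set of privileged roles
         'DBA',
         'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE',
         'DATAPUMP_EXP_FULL_DATABASE', 'DATAPUMP_IMP_FULL_DATABASE'
       )
  AND  rp.grantee NOT IN (                  -- Oracle default accounts (assumed list)
         'SYS', 'SYSTEM', 'SYSMAN', 'DBSNMP'
       )
  AND  rp.grantee NOT IN (                  -- site-authorised DBA accounts (assumed names)
         'APPDBA1', 'APPDBA2'
       )
ORDER  BY rp.grantee, rp.granted_role;
```

The exclusion lists are the tuning knob: the shipped rules already reduce noise by discounting default users (the "Added Default Users" entries in Table 7-1), and a custom alias extends that list with the accounts your IAO has authorised. Keep role grantees visible rather than filtering them out; an account granted a custom role that itself holds DBA is as privileged as an account with a direct grant, and hiding the role row hides that path.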
To customize the Compliance Standard rule:
From the Enterprise menu, select Compliance, then select Library.
Select the Compliance Standard Rules tab and search for rule DG0116 DBMS privileged role assignments with agent-side rule type.
Select the rule and click the Create Like button.
Change the name; for example, Custom DG0116 DBMS privileged role assignments. Click Continue.
On the Check Definition page, click the magnifying glass icon to select a new STIG Configuration Extension (Custom STIG Configuration Extension) and alias (Custom DG0116 DBMS privileged role assignments).
Select the custom configuration extension and alias and click OK, then click Next to go to the Test page.
Select a target and test the compliance rule.
Click Next, then click Finish to create the new compliance rule.
To create a Compliance Standard with a new rule:
From the Enterprise menu, select Compliance, then select Library.
Select the Compliance Standards tab and search for STIG for database instance with agent-side rule type.
Select the compliance standard and click the Create Like button.
Change the name; for example, Custom Security Technical Implementation Guide. Click Continue.
Open the Oracle Database Check Procedures folder in the left pane and scroll down to DG0116 DBMS privileged role assignments.
Right-click the rule and select Remove Rule Reference from the pop-up menu. Click OK to confirm removal.
Right-click the Oracle Database Check Procedures folder and select Add Rules from the pop-up menu.
Locate the Custom DG0116 DBMS privileged role assignments row in the table and click OK.
On the Compliance Standard Create Like page, click the Save button to create the new compliance standard.
You can now associate the custom compliance standard with target databases as described in Section 7.2.
The Enterprise Manager implementation of Security Technical Implementation Guide for Oracle Database does not fully support Windows databases. The following rules do not report violations on Windows databases:
The Enterprise Manager implementations of the Oracle Database 11g STIGs deviate slightly from the checklist. These modifications include error corrections, enhancements to the check (for example, additional default users), or automated scripts where manual checks may have been specified. It is important that you review and understand the modifications to ensure they are acceptable in your environment. If not, follow the customization procedures described above to match your requirements. For detailed information on these changes, see Chapter 8, "Security Technical Implementation Guidelines (STIG) Rules Enhanced by Oracle".
Table 7-1 Deviations from Oracle Database 11g V8 R8 and R11 STIGs

| STIG ID | Oracle Modification |
|---|---|
| DG0008 | Added Default Users/Roles |
| DG0009 | Script provided by Oracle |
| DG0012 | Script provided by Oracle |
| DG0019 | Script provided by Oracle |
| DG0077 | Added Default Users/Roles |
| DG0079 | Incorrect query. Replaced NULL with string 'NULL'. |
| DG0091 | Added Default Users |
| DG0102 | Script provided by Oracle |
| DG0116 | Added Default Users |
| DG0117 | Added Default Users |
| DG0119 | Added Default Users |
| DG0121 | Added Default Users |
| DG0123 | Added Default Users |
| DG0152 | Script provided by Oracle |
| DG0179 | Script provided by Oracle |
| DO0120 | Script provided by Oracle |
| DO0145 | Script provided by Oracle |
| DO0155 | Added Default Users |
| DO0221 | Used default instance name as orcl. |
| DO0231 | Added Default Users |
| DO0250 | Combined the rule queries to return db_link as violations only if dba_repcatalog has records |
| DO0270 | Used stricter query to get the violations |
| DO0286 | Script provided by Oracle |
| DO0287 | Script provided by Oracle |
| DO0340 | Added Default Users |
| DO0350 | Added Default Users/Roles |
| DO3536 | Combined the queries. De-referenced the DEFAULT value for the limit. |
| DO3609 | Added Default Users/Roles |
| DO3689 | Added Default Users/Roles |
| DO6740 | Script provided by Oracle |
| DO6746 | Script provided by Oracle |
Table 7-2 Deviations from Oracle Database 11gR2 V1 Release 2 STIG

| STIG ID | Oracle Modification |
|---|---|
| SV-66381r1_rule | Query implemented by Oracle. Discounted default users. |
| SV-66395r1_rule | Added 'SYSTEM' and 'DELETE_CATALOG_ROLE' as filters. |
| SV-66401r1_rule | Fixed table name in query. Added privilege to be checked. Discounted default users. |
| SV-66405r1_rule | Fixed table name in query. Added privilege to be checked. Discounted default users. |
| SV-66419r1_rule | STIG document has incorrect query. Prepared a new query for the rule. Discounted default users. |
| SV-66427r1_rule | Combined the 3 conditions into 1. The query raises a violation if: |
| SV-66439r1_rule | Discounted default users. |
| SV-66441r1_rule | Dereferenced default profile. |
| SV-66459r1_rule | Rule checks the database archive log mode from the repository table instead of using the "archive log list" command. |
| SV-66485r1_rule | Query provided by Oracle. Used limit=35 from the Fix Text. |
| SV-66489r1_rule | Query provided by Oracle. Used limit=6 from the Fix Text. |
| SV-66507r1_rule | Dereferenced default profile. |
| SV-66553r1_rule | Query provided by Oracle. |
| SV-66571r1_rule | Query provided by Oracle. Used limit=35 from the Fix Text. |
| SV-66599r1_rule | Query provided by Oracle. Discounted default users. |
| SV-66623r1_rule | Query provided by Oracle. Discounted default users. |
| SV-66627r1_rule | Discounted default users. |
| SV-66647r1_rule | Joined queries from document. Discounted default users. |
| SV-66651r1_rule | Joined queries from document. Discounted default users. |
| SV-66657r1_rule | Script provided by Oracle. |
| SV-66663r1_rule | Added check for SYSTEM tablespace. |
| SV-66665r1_rule | Added check for SYSTEM tablespace. |
| SV-66669r1_rule | This rule always passes for Oracle. |
| SV-66673r1_rule | This rule always passes for Oracle. |
| SV-68205r1_rule | User should manually discount db_links used for replication. |
| SV-68229r1_rule | Added default users. |
| SV-68233r1_rule | Additional column selected in query for better violation context. |
| SV-68235r1_rule | Added default users. |
| SV-68241r1_rule | Additional column selected in query for better violation context. |
| SV-68249r1_rule | Added default users. |
| SV-68257r1_rule | Added default users. |
| SV-68283r1_rule | Script provided by Oracle. |
| SV-66431r1_rule | Use v$parameter in query instead of sys.v$parameter. |
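Several deviations above read "De-referenced the DEFAULT value for the limit" (DO3536) or "Dereferenced default profile" (SV-66441, SV-66507). The added example below, written for this page and not the query shipped with any of those rules, shows what that means: a profile limit whose stored value is the literal DEFAULT inherits its value from the DEFAULT profile, so a check that compares the stored literal against a threshold silently skips every profile that inherits. The resource name PASSWORD_LIFE_TIME and the threshold of 35 are assumptions for illustration; the page does not state which resource each rule checks.

```sql
-- Added example (not a query from the shipped STIG rules): flag profiles whose
-- effective limit for a resource exceeds a threshold, resolving the literal DEFAULT
-- to the value held by the DEFAULT profile before comparing.
-- Resource name and threshold are assumptions chosen for the example.
WITH eff AS (
  SELECT p.profile,
         p.resource_name,
         p.limit AS declared_limit,
         -- DEFAULT means "inherit from the DEFAULT profile"; the DEFAULT profile
         -- itself always holds a concrete value, so this resolves in one step
         CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
  FROM   dba_profiles p
         JOIN dba_profiles d
           ON  d.profile       = 'DEFAULT'
           AND d.resource_name = p.resource_name
  WHERE  p.resource_name = 'PASSWORD_LIFE_TIME'
)
SELECT profile, declared_limit, effective_limit
FROM   eff
-- CASE evaluates its branches in order, so UNLIMITED is caught before TO_NUMBER
-- is ever applied to a non-numeric string
WHERE  CASE
         WHEN effective_limit = 'UNLIMITED'        THEN 1
         WHEN TO_NUMBER(effective_limit) > 35      THEN 1
         ELSE 0
       END = 1
ORDER  BY profile;
```

Without the join to the DEFAULT profile, a profile created with PASSWORD_LIFE_TIME DEFAULT would carry the string 'DEFAULT' in DBA_PROFILES and never be compared against the threshold; the same shape of fix applies to any other resource limit the rules check.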