Work with Security Assessments for Target Database Groups

Oracle Data Safe automatically creates a security assessment for a single registered target database; however, for a target database group, you need to select the checks for the security assessment yourself. After that, you can run the assessment, view it, and compare it to a template baseline assessment. Note that when you configure the security assessment for a target database group, you also configure the baseline security assessment.

Structure of a Security Assessment for a Target Database Group

A Security Assessment for a target database group consists of the following sections:

  • Details tab
  • Complaince deviation tab
  • Assessment details tab

Details tab

This tab shows you the following metadata:

  • OCID for the assessment
  • Compartment in which the assessment is stored
  • Assessment date and time
  • Target database group name and number of databases in the group
  • Name of the assessment template
  • Name of the baseline template
  • Number of checks in the applied template

Tip:

You can change the auto-generated name of the assessment to a name that has specific meaning for your organization. You and other users can then more easily identify assessments. For example, you could change the name of the autogenerated security assessment SA_1670530009857 to SA_target05.

Compliance deviation tab

At the top of the page, you can view a compliance deviation summary for your target database group, including counts for non-compliant target databases, non-compliant findings, failed assessments, findings that have deviated from the baseline, and total checks. The bottom of the page lists each finding with their category and risk level deviation. You can view more detail for each finding.

Assessment details tab

At the top of the page is a summary table that displays counts of various categories for each potential risk level. Categories include user accounts, privileges and roles, authorization control, fine-grained access control, auditing, encryption, and database configuration. You can also view the number of deferred findings and total findings for each category. At the bottom of the page you can view assessment details. Each finding is listed with its category and target databases.

View a Security Assessment Analysis Across All Target Database Groups

  1. On the Security assessment landing page, select the Target group summary tab.
  2. Next to Applied filters, select the compartment that contains the target database groups for which you want to view an assessment. If needed, use the Search and Filter box to help filter the list of targets.
    • To include all compartments in your tenancy, set the scope to root with its child compartments.
    • You can access only compartments and target databases within compartments for which you have permissions in Oracle Cloud Infrastructure Identity and Access Management (OIM).
  3. For each target database group, view the Number of checks, Compliant findings, Non-compliant findings, Compliant target databases, Non-compliant target databases, and Last comparison time.

Create a Security Assessment for a Target Database Group

When you can create a security assessment for a target database group, you define the metadata for the assessment, select security checks, and set a baseline severity level.

A. Define the name and select the target database group.

  1. On the Security assessment landing page, select the Target group summary tab.
  2. Select Create assessment for target database group.
  3. For Name, enter a name of the security assessment.
  4. For Compartment, select the compartment that contains the target database group.
  5. (Optional) Enter a description.
  6. For Select target database group compartment, select the compartment in which you want to store the assessment.
  7. For Select target database group, select the name of the target database group.
  8. (Optional) Create tags. To create a tag, select Add tag, select a namespace, select a key, and enter a value.
  9. Select Next.

B. Select security checks.

  1. Choose to Apply an existing template or Create a new template.
  2. If you choose to apply an existing template, select a template from the drop-down list.
  3. If you choose to create a new template, complete the following template information items:
    1. For Name, enter a template name.
    2. For Compartment, select the compartment in which you want to store the template.
    3. (Optional) For Description, enter a description for your template.
    4. Select Import checks, and then select a template.
    5. Select the checks you want to import. If needed, you can use the Search and Filter box to filter the list of checks by check, check category, CIS Benchmark, DISA STIG, EU GDPR, Oracle recommended practices, or Remarks.
    6. Select Select checks.
    7. (Optional) Select Add tag, select a namespace, select a key, and enter a value.
  4. Select Next.

C. Update the template baseline severity.

  1. For Name, enter a name for the baseline template.
  2. (Optional) Enter a description for the baseline template.
  3. (Optional) Select the Search and Filter box and set a filter on check, check category, expected severity, CIS Benchmark, DISA STIG, EU GDPR, Oracle recommended practices, or Remarks.
  4. (Optional) Update the template baseline severity for target database group. To do this, select the three dots for a check, and then select a severity level (high, medium, low, advisory, evaluate, pass, or deferred).
  5. Select Next.

D. Review and submit the template.

  1. Review the template information and checks.
  2. To update information, select Previous to navigate to the previous steps and make changes.
  3. To finish, select Submit. The wizard goes through the following processes and may take a few minutes to finish creating the assessment. When the processes are completed, the assessment is listed in the table on the Target group summary tab.
    1. Create target database group assessment
    2. Apply template to a security assessment
    3. Create template baseline
    4. Compare assessment with template baseline
  4. For your target database group, view the number of checks, compliant findings, non-compliant findings, compliant target databases within the group, and non-compliant target databases within the group, as well as the last comparison time.

View the Latest Security Assessment for a Target Database Group

By analyzing the security risk across all your target database groups, you can identify risks and recommendations across your database fleet. A security assessment for a target database group is displayed across three tabs: Details, Compliance deviation, and Assessment details.

A. To view metadata about the security assessment for a target database group:

  1. On the Security assessment landing page, select the Target group summary tab.
  2. Select a target database group. The security assessment information is displayed across three tabs: Details, Compliance deviation, and Assessment details.
  3. On the Details tab, view the following metadata about the assessment, target database group, and template:
    • OCID for the security assessment
    • Compartment for the security assessment
    • Created - Timestamp when the security assessment was created
    • Name - Link to the target database group
    • Target database(s) - Number of target databases
    • Assessment template - Link to the security assessment template
    • Baseline template - Link to the baseline template
    • Checks - Number of checks performed during the assessment
  4. To remove the security assessment template, select Remove template. A Confirm remove associated template panel opens. Select Remove template.

B. To view compliance deviation for the target database group:

  1. Select the Compliance deviation tab.
  2. Review the summary at the top of the page. It lists the counts for non-compliant target databases, non-compliant findings, failed assessments, findings that have deviated from the baseline, and total checks.
  3. Review the list of individual findings, their categories, and risk level deviation.

C. To view security assessment details for each target in the target database group:

  1. Select the Assessment details tab to review the full security assessment.
  2. In the Summary section, view totals counts for each risk level across each category (User accounts, Privileges and roles, Authorization control, Fine-grained access control, Auditing, Encryption, Database configuration). You can also view totals for each risk level.
  3. In the Assessment details section, for each finding, at a glance you can view the number of target databases that are identified at an indicated risk level.
    • To view more detail about identified target databases, select the three dots for a finding, and then select to view the target databases. A panel opens where you can expand each target database listed, and view target-specific details regarding the finding. If needed, you can set a filter on target databases. You can also select links to documentation.
    • If changes occur on any of the target databases in the group, Oracle Data Safe automatically updates the findings list.
    • To learn what has changed over time on your target databases, run a comparison to generate a new comparison report.
  4. Select Close to close the panel.