2 Assess Host and Database Compliance with Industry Standards

Oracle Configuration and Compliance enables you to use Open Vulnerability and Assessment Language (OVAL) industry standards when you run compliance assessments.

Users benefit from the automation of industry-standard compliance benchmarks, and from being able to evaluate updated benchmarks as soon as they are released. Because of this, industry-standard benchmark assessments play an important part in the compliance function and can stand alone. This chapter covers this standalone configuration business use case. In addition to industry-standard benchmark assessments, Oracle Configuration and Compliance can execute corporate standards and cloud assessments independently or as part of the same assessment evaluation. On-premises, cloud-only, and hybrid cloud customers benefit because they can enforce all three capabilities within a single policy assessment.

Typical Workflow for Assessing Compliance with Industry Standards

Task                                                  More Information
Add a Secure Socket Shell (SSH) host credential       Define SSH Host Credentials
Add an Oracle Database credential                     Define Oracle Database Credentials
Run SCAP assessments with expanded privileges         Run SCAP Assessments with Expanded Privileges
Run an assessment with industry-standard benchmarks   Run Assessments with Industry-Standard Benchmarks

Run SCAP Assessments with Expanded Privileges

You can run SCAP Assessments from your terminal using Oracle Configuration and Compliance.

To evaluate all rules in standard benchmarks, a SCAP engine must run assessments as root. The following example is for OpenSCAP (oscap), but the same principle applies to CIS-CAT or other third-party tools.

  1. Configure the user that runs the agent with passwordless sudo access.

    For example, assume the agent was installed as user oracle. Make the following changes in /etc/sudoers on every target system that is running the cloud agent.

    Note:

    You must distribute this configuration to every host on which the agent uses privileged sudo execution.

    ...

    #
    # Disable "ssh hostname sudo <cmd>", because it will show the password in the clear.
    #         You have to run "ssh -t hostname sudo <cmd>".
    #
    Defaults    requiretty

    # The agent user oracle has no tty, so it must be exempt from requiretty
    Defaults:oracle !requiretty

    ...

    ##
    ## Allow root to run any commands anywhere
    root    ALL=(ALL)       ALL

    # Allow agent user oracle to run root commands without prompting for password
    oracle    ALL=(ALL)       NOPASSWD:ALL

    ...
  2. Modify the PATH property of the relevant Engine Configuration from "/usr/bin/oscap" to "sudo /usr/bin/oscap".

Run Assessments with Industry-Standard Benchmarks

Oracle Configuration and Compliance can use the command executor to invoke third-party SCAP-certified engines such as OpenSCAP and consume the resulting Extensible Configuration Checklist Description Format (XCCDF) output.
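As an added example (not Oracle's or OpenSCAP's code), the following Python summarises an XCCDF 1.2 result document of the kind an engine such as OpenSCAP writes, separating rules that were evaluated and failed from rules that could not be evaluated at all, which is the symptom you see when the engine lacks the root privileges set up above. The XML sample is constructed; its rule ids and titles are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
# fail = evaluated and non-compliant; error/unknown/notchecked = the check
# did not actually run (for instance because the engine lacked privileges).
NEEDS_ATTENTION = {"fail", "error", "unknown", "notchecked"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}

# Constructed sample in the shape OpenSCAP writes; rule ids and titles are made up.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_sample_benchmark">
  <Rule id="xccdf_sample_rule_sshd_root_login" severity="high"><title>Disable SSH root login</title></Rule>
  <Rule id="xccdf_sample_rule_sudo_reauth" severity="medium"><title>Require re-authentication for sudo</title></Rule>
  <Rule id="xccdf_sample_rule_auditd" severity="medium"><title>Ensure auditd is enabled</title></Rule>
  <Rule id="xccdf_sample_rule_grub_password" severity="high"><title>Set a bootloader password</title></Rule>
  <TestResult id="xccdf_sample_testresult">
    <rule-result idref="xccdf_sample_rule_sshd_root_login"><result>pass</result></rule-result>
    <rule-result idref="xccdf_sample_rule_sudo_reauth"><result>fail</result></rule-result>
    <rule-result idref="xccdf_sample_rule_auditd"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_sample_rule_grub_password"><result>error</result></rule-result>
  </TestResult>
</Benchmark>"""


def summarize_xccdf(xml_text):
    """Return result counts, pass percentage over evaluated rules, and rules needing follow-up."""
    root = ET.fromstring(xml_text)
    # Rule metadata (severity, title) lives on the Benchmark, possibly nested in Groups.
    rules = {}
    for rule in root.iterfind(".//x:Rule", XCCDF_NS):
        title = rule.findtext("x:title", default="", namespaces=XCCDF_NS)
        rules[rule.get("id")] = (rule.get("severity", "unknown"), title)
    counts = Counter()
    attention = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[result] += 1
        if result in NEEDS_ATTENTION:
            severity, title = rules.get(rr.get("idref"), ("unknown", ""))
            attention.append({"rule": rr.get("idref"), "result": result,
                              "severity": severity, "title": title})
    attention.sort(key=lambda a: SEVERITY_RANK.get(a["severity"], 99))
    evaluated = counts["pass"] + counts["fail"]
    score = round(100.0 * counts["pass"] / evaluated, 1) if evaluated else 0.0
    return {"counts": dict(counts), "score": score, "attention": attention}


if __name__ == "__main__":
    summary = summarize_xccdf(SAMPLE_XCCDF)
    print(summary["counts"], f'{summary["score"]}% of evaluated rules pass')
    for a in summary["attention"]:
        print(f'{a["severity"]:<8}{a["result"]:<12}{a["rule"]}  {a["title"]}')
```

A sudden rise in error or notchecked results after an engine or sudoers change is worth checking before trusting the pass percentage, since those rules were never actually assessed.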

Assessment templates support mixing and matching cloud resources, industry-standard benchmarks, and custom rules with an associated group of entities.
  1. From the menu, select Assessments, and click Templates.
  2. Click Add, and enter a name and description for your assessment template.
  3. Select the check boxes for the industry-standard benchmark rules that you want to assess.
  4. Click Add, and select the entities for which you want to apply the selected rulesets.
  5. Select a schedule, and click Save.