Define Oracle Database Credentials
In addition to the host credential, a database credential is needed for proper rule-set evaluation, because the rules in database assessments are evaluated using SQL.
Prerequisites
- The SSH credential is configured.
- The credential store has been created.
- The cloud agent is on the same host as the database.
- The user has privileges to execute the compliance SQL scripts.
Add Oracle Database Credentials
Add a database credential to run compliance assessments of your Oracle Database using Oracle Configuration and Compliance.
Oracle Configuration and Compliance will automatically use the database credentials being used by Oracle Infrastructure Monitoring to assess databases if you do not specify a database credential in the agent wallet. This functionality requires agent version 1.35+. If you already created a monitoring user, skip to Grant Oracle Database Privileges.
Grant Oracle Database Privileges
Before you can monitor your database using out-of-the-box rule sets you need to grant the following privileges to your monitoring user.
By default, Oracle Configuration and Compliance connects to the database with the credential used by Oracle Infrastructure Monitoring. If the monitoring user (e.g. moncs) was created using the script provided by Oracle, it must be granted additional privileges for the rule sets to evaluate correctly.
For the Oracle Database 12c STIG Benchmark and the CIS Oracle Database 12c Benchmark, use a second, more privileged user instead: granting the necessary privileges to the monitoring user (e.g. moncs) will itself cause violations in these rule sets. The recommended choice is dbsnmp (a built-in Oracle Database user), which has the necessary privileges by default with a few exceptions.
Required Privileges for User dbsnmp
These are the privileges you need to grant to user dbsnmp for the rule sets listed below.
Basic Security Configuration for Oracle Database
grant select on sys.link$ to dbsnmp;
Required Privileges for User moncs
These are the privileges you need to grant to user moncs for the rule sets listed below.
To create user moncs, see Oracle Database in Using Oracle Infrastructure Monitoring.
Basic Security Configuration for Oracle Database
grant select on dba_tab_privs to moncs;
grant select on dba_profiles to moncs;
grant select on dba_role_privs to moncs;
grant select on sys.link$ to moncs;
grant select on dba_users to moncs;
grant select on dba_users_with_defpwd to moncs;
Oracle Database 12c Single Instance Database STIG Configuration
grant select on dba_tab_privs to moncs;
grant select on dba_profiles to moncs;
grant select on dba_role_privs to moncs;
grant select on sys.link$ to moncs;
grant select on dba_users to moncs;
grant select on dba_users_with_defpwd to moncs;
grant select on dba_db_links to moncs;
grant select on v_$controlfile to moncs;
grant select on v_$log to moncs;
grant select on dba_sys_privs to moncs;
grant select on dba_tables to moncs;
grant select on dba_external_tables to moncs;
grant select on dba_objects to moncs;
grant select on dba_roles to moncs;
grant select on v_$encrypted_tablespaces to moncs;
grant select on v_$tablespace to moncs;
grant select on dba_encrypted_columns to moncs;
grant select on dba_constraints to moncs;
CIS Oracle Database 12c Benchmark Level 1
grant select on dba_tab_privs to moncs;
grant select on dba_profiles to moncs;
grant select on dba_role_privs to moncs;
grant select on sys.link$ to moncs;
grant select on dba_users to moncs;
grant select on dba_users_with_defpwd to moncs;
grant select on dba_db_links to moncs;
grant select on v_$controlfile to moncs;
grant select on v_$log to moncs;
grant select on dba_sys_privs to moncs;
grant select on dba_tables to moncs;
grant select on dba_external_tables to moncs;
grant select on dba_objects to moncs;
grant select on dba_roles to moncs;
grant select on v_$encrypted_tablespaces to moncs;
grant select on v_$tablespace to moncs;
grant select on dba_encrypted_columns to moncs;
grant select on dba_constraints to moncs;
grant select on dba_proxies to moncs;
grant select on dba_stmt_audit_opts to moncs;
grant select on dba_priv_audit_opts to moncs;
grant select on dba_obj_audit_opts to moncs;
Note:
Granting these privileges to user moncs will itself generate violations in this rule set. It is recommended that you use user system for the CIS Oracle Database 12c Benchmark Level 1 rule set.
Once complete, you must assign a tag with key complianceusedbcred to each database entity. This causes Oracle Configuration and Compliance to use the Database Credential configured in the agent wallet instead of the Oracle Infrastructure Monitoring credential.
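Before tagging the entity, it is worth confirming that the grants actually took effect and that the assessment user has nothing broader than it needs. The following verification script is an added example; it is not part of this page or of the scripts Oracle provides. It assumes a SQL*Plus or SQLcl session as SYS or SYSTEM, and the substitution variable grantee (an assumption of the example) is set to the user you provisioned. The last query checks direct SELECT grants against the CIS Level 1 list, which is the superset of the three lists above.

```sql
-- Added verification script (example only, not from the Oracle page).
-- Run in SQL*Plus or SQLcl as SYS or SYSTEM after applying the grants above.
-- Oracle stores unquoted identifiers in upper case, so the user created as
-- "moncs" appears as MONCS in the catalog views queried here.
SET VERIFY OFF
DEFINE grantee = MONCS

-- 1. The account must exist and be OPEN, or the assessment cannot connect.
--    DBSNMP is frequently expired and locked on a fresh install.
SELECT username, account_status, profile
  FROM dba_users
 WHERE username = '&grantee';

-- 2. The rule sets only read catalog views. Any system privilege, role, or
--    non-SELECT object privilege listed here is more than the job requires.
SELECT 'SYS_PRIV' AS kind, privilege AS name
  FROM dba_sys_privs
 WHERE grantee = '&grantee'
UNION ALL
SELECT 'ROLE', granted_role
  FROM dba_role_privs
 WHERE grantee = '&grantee'
UNION ALL
SELECT 'OBJ_PRIV:' || privilege, owner || '.' || table_name
  FROM dba_tab_privs
 WHERE grantee = '&grantee'
   AND privilege <> 'SELECT';

-- 3. Every SYS object read by the CIS Oracle Database 12c Benchmark Level 1
--    rule set must carry a direct SELECT grant. Each row returned is a
--    missing grant; an empty result means the list is complete.
WITH required AS (
  SELECT 'DBA_TAB_PRIVS,DBA_PROFILES,DBA_ROLE_PRIVS,LINK$,DBA_USERS,'
      || 'DBA_USERS_WITH_DEFPWD,DBA_DB_LINKS,V_$CONTROLFILE,V_$LOG,'
      || 'DBA_SYS_PRIVS,DBA_TABLES,DBA_EXTERNAL_TABLES,DBA_OBJECTS,DBA_ROLES,'
      || 'V_$ENCRYPTED_TABLESPACES,V_$TABLESPACE,DBA_ENCRYPTED_COLUMNS,'
      || 'DBA_CONSTRAINTS,DBA_PROXIES,DBA_STMT_AUDIT_OPTS,DBA_PRIV_AUDIT_OPTS,'
      || 'DBA_OBJ_AUDIT_OPTS' AS csv
    FROM dual
), expected AS (
  -- split the comma-separated list into one row per object name
  SELECT REGEXP_SUBSTR(csv, '[^,]+', 1, LEVEL) AS object_name
    FROM required
  CONNECT BY LEVEL <= REGEXP_COUNT(csv, ',') + 1
)
SELECT e.object_name AS missing_select_grant
  FROM expected e
 WHERE NOT EXISTS (
         SELECT 1
           FROM dba_tab_privs p
          WHERE p.grantee    = '&grantee'
            AND p.owner      = 'SYS'
            AND p.table_name = e.object_name
            AND p.privilege  = 'SELECT')
 ORDER BY e.object_name;

UNDEFINE grantee
```

Query 3 is meaningful for a user provisioned with direct grants such as moncs. dbsnmp and system read these views through roles and system privileges rather than direct object grants, so for them the query reports every object as missing and only queries 1 and 2 apply.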
Remove the Wallet Credential Requirement for Database Assessments
Apply this configuration to your hosts and database targets to remove the wallet credential requirement.
Using this tag causes root-privilege rules to be skipped, because applying it to Host targets runs all assessments with the privilege level of the Cloud Agent. SCAP benchmarks typically require root privileges to execute all rules. Database targets do not have this limitation, because their rules are always executed with the secondary Database Credential.
- From the menu, select Administration, and click Entity Configuration
- Add a new tag with Name UseAsAgentCredential, leave the Value empty.
- Assign the Entities you want to configure.
- Click OK.
- Log in to each of the entities you want to configure, open a command-line interface, and run the following command:
$ <AGENT_BASE_DIR>/agent_inst/bin/omcli setproperty agent -allow_new -name _enableAsAgentCredential -value true