Define Oracle Database Credentials

A database credential is needed in addition to the host credential for proper rule-set evaluation as the rules in database assessments are evaluated using SQL.

Prerequisites

  • The SSH credential is configured.

  • The credential store has been created.

  • The cloud agent is on the same host as the database.

  • The user has privileges to execute the compliance SQL scripts.

Add Oracle Database Credentials

Add a database credential to run compliance assessments of your Oracle Database using Oracle Configuration and Compliance.

Oracle Configuration and Compliance will automatically use the database credentials being used by Oracle Infrastructure Monitoring to assess databases if you do not specify a database credential in the agent wallet. This functionality requires agent version 1.35+. If you already created a monitoring user, skip to Grant Oracle Database Privileges.

  1. Open a terminal on the agent host and search for your <DB_NAME>, <entity_type> pair using the following command:
    $ omcli config agent listtargets

    You will need this information in order to add a new monitoring agent using omcli.

  2. Create and save a JSON file, for example test_db_cred.json, with your credential information as follows:
    [
      {
        "entity":"omc_oracle_db.<DB_NAME>",
        "name":"omc_oracle_<DB_NAME>-DBUserCreds",
        "type":"DBUserCreds",
        "globalName":"DBCred",
        "description":"DB Credential for the db entity",
        "properties":[
          { "name":"USERNAME", "value":"CLEAR[YourUserName]" },
          { "name":"PASSWORD", "value":"CLEAR[YourPassword]" }
        ]
      }
    ]

    Where:

    • DB_NAME is the name of your database. For example: dbserver.example.com

    • Name is any name for your credential. As a best practice, name the credential with your entity type, followed by DB_NAME and DBUserCreds, for example: omc_oracle_db-dbserver.example.com-DBUserCreds

    • YourUserName is the username used as your DB credential.

    • YourPassword is the password for your DB credential.

    • All other field values must remain as listed. They are reserved values.

  3. Add the credential to the credentials store using the test_db_cred.json file.
    $ omcli add_credentials agent -credential_file test_db_cred.json
  4. Verify that the credential was installed correctly:
    $ omcli list_credentials agent

    Oracle Management Cloud Agent Copyright (c) 1996, 2018 Oracle Corporation. All rights reserved.
    Credential Name Type Entity Global Name Usage

    omc_oracle_db-dbserver.example.com-DBUserCreds DBUserCreds (dbserver.example.com) "DBCred"

Grant Oracle Database Privileges

Before you can monitor your database using the out-of-the-box rule sets, you need to grant the following privileges to your monitoring user.

By default, the credential being used by Oracle Infrastructure Monitoring will be used to connect to the database by Oracle Configuration and Compliance. If the monitoring credential user (e.g. moncs) was created using the script provided by Oracle, additional privileges will need to be granted to the monitoring user for proper evaluation of the rule sets.

For proper evaluation of the Oracle Database 12c STIG Benchmark and the CIS Oracle Database 12c Benchmark, it is recommended that a second privileged user be used, because granting the necessary privileges to the monitoring user (e.g. moncs) will cause violations in these rule sets. It is recommended that you use dbsnmp (a built-in user in Oracle Database), as this user has the necessary privileges by default, with a few exceptions.

Required Privileges for User dbsnmp

These are the required privileges you will need to grant to user dbsnmp for the following rule sets.

Basic Security Configuration for Oracle Database

grant select on sys.link$ to dbsnmp;

Required Privileges for User moncs

These are the required privileges you will need to grant to user moncs for the following rule sets.

To create user moncs, see Oracle Database in Using Oracle Infrastructure Monitoring.

Basic Security Configuration for Oracle Database

grant select on dba_tab_privs to moncs;
grant select on dba_profiles to moncs;
grant select on dba_role_privs to moncs;
grant select on sys.link$ to moncs;
grant select on dba_users to moncs;
grant select on dba_users_with_defpwd to moncs;

Oracle Database 12c Single Instance Database STIG Configuration

grant select on dba_tab_privs to moncs;
grant select on dba_profiles to moncs;
grant select on dba_role_privs to moncs;
grant select on sys.link$ to moncs;
grant select on dba_users to moncs;
grant select on dba_users_with_defpwd to moncs;
grant select on dba_db_links to moncs;
grant select on v_$controlfile to moncs;
grant select on v_$log to moncs;
grant select on dba_sys_privs to moncs;
grant select on dba_tables to moncs;
grant select on dba_external_tables to moncs;
grant select on dba_objects to moncs;
grant select on dba_sys_privs to moncs;
grant select on dba_roles to moncs;
grant select on v_$encrypted_tablespaces to moncs;
grant select on v_$tablespace to moncs;
grant select on dba_encrypted_columns to moncs;
grant select on dba_constraints to moncs;

CIS Oracle Database 12c Benchmark Level 1

grant select on dba_tab_privs to moncs;
grant select on dba_profiles to moncs;
grant select on dba_role_privs to moncs;
grant select on sys.link$ to moncs;
grant select on dba_users to moncs;
grant select on dba_users_with_defpwd to moncs;
grant select on dba_db_links to moncs;
grant select on v_$controlfile to moncs;
grant select on v_$log to moncs;
grant select on dba_sys_privs to moncs;
grant select on dba_tables to moncs;
grant select on dba_external_tables to moncs;
grant select on dba_objects to moncs;
grant select on dba_sys_privs to moncs;
grant select on dba_roles to moncs;
grant select on v_$encrypted_tablespaces to moncs;
grant select on v_$tablespace to moncs;
grant select on dba_encrypted_columns to moncs;
grant select on dba_constraints to moncs;
grant select on dba_proxies to moncs;
grant select on dba_stmt_audit_opts to moncs;
grant select on dba_priv_audit_opts to moncs;
grant select on dba_obj_audit_opts to moncs;

Note:

Granting these privileges to user moncs will cause violations to be generated. It is recommended that you use user system for the CIS Oracle Database 12c Level 1 rule set.
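The following query is an added verification check, not part of the Oracle documentation or the omcli tooling: run as a DBA user, it lists every SELECT grant from the CIS Oracle Database 12c Benchmark Level 1 list above that the grantee does not yet hold, and prints the grant statement needed to fix it. It assumes the grantee is MONCS (change the literal to DBSNMP or another user) and that the grants are direct object grants as shown on this page; for the smaller rule sets, trim the required list accordingly.

```sql
-- Objects a monitoring user must be able to SELECT for the CIS Level 1 rule
-- set (the same list as the grant statements above, with duplicates removed).
-- DBA_* and V_$* views are owned by SYS, so that is the owner to check.
WITH required (owner, object_name) AS (
  SELECT 'SYS', 'DBA_TAB_PRIVS'           FROM dual UNION ALL
  SELECT 'SYS', 'DBA_PROFILES'            FROM dual UNION ALL
  SELECT 'SYS', 'DBA_ROLE_PRIVS'          FROM dual UNION ALL
  SELECT 'SYS', 'LINK$'                   FROM dual UNION ALL
  SELECT 'SYS', 'DBA_USERS'               FROM dual UNION ALL
  SELECT 'SYS', 'DBA_USERS_WITH_DEFPWD'   FROM dual UNION ALL
  SELECT 'SYS', 'DBA_DB_LINKS'            FROM dual UNION ALL
  SELECT 'SYS', 'V_$CONTROLFILE'          FROM dual UNION ALL
  SELECT 'SYS', 'V_$LOG'                  FROM dual UNION ALL
  SELECT 'SYS', 'DBA_SYS_PRIVS'           FROM dual UNION ALL
  SELECT 'SYS', 'DBA_TABLES'              FROM dual UNION ALL
  SELECT 'SYS', 'DBA_EXTERNAL_TABLES'     FROM dual UNION ALL
  SELECT 'SYS', 'DBA_OBJECTS'             FROM dual UNION ALL
  SELECT 'SYS', 'DBA_ROLES'               FROM dual UNION ALL
  SELECT 'SYS', 'V_$ENCRYPTED_TABLESPACES' FROM dual UNION ALL
  SELECT 'SYS', 'V_$TABLESPACE'           FROM dual UNION ALL
  SELECT 'SYS', 'DBA_ENCRYPTED_COLUMNS'   FROM dual UNION ALL
  SELECT 'SYS', 'DBA_CONSTRAINTS'         FROM dual UNION ALL
  SELECT 'SYS', 'DBA_PROXIES'             FROM dual UNION ALL
  SELECT 'SYS', 'DBA_STMT_AUDIT_OPTS'     FROM dual UNION ALL
  SELECT 'SYS', 'DBA_PRIV_AUDIT_OPTS'     FROM dual UNION ALL
  SELECT 'SYS', 'DBA_OBJ_AUDIT_OPTS'      FROM dual
)
-- Report each required object with no direct SELECT grant to the grantee,
-- together with the statement that would grant it (assumed grantee: MONCS).
SELECT r.owner,
       r.object_name,
       'grant select on ' || LOWER(r.owner) || '.' || LOWER(r.object_name)
         || ' to moncs;' AS missing_grant
FROM   required r
WHERE  NOT EXISTS (
         SELECT 1
         FROM   dba_tab_privs p
         WHERE  p.grantee    = 'MONCS'
         AND    p.owner      = r.owner
         AND    p.table_name = r.object_name
         AND    p.privilege  = 'SELECT'
       )
ORDER BY r.object_name;
```

An empty result means every listed grant is in place. The query looks only at direct object grants, so a privilege obtained through a role or through SELECT ANY DICTIONARY is still reported as missing.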

Once complete, you must assign a tag on each entity with key equal to complianceusedbcred. This will cause Oracle Configuration and Compliance to use the Database Credential configured in the wallet instead of the Oracle Infrastructure Monitoring credential.

Remove the Wallet Credential Requirement for Database Assessments

Apply this configuration to your hosts and database targets to remove the wallet credential requirement.

Using this tag will cause root privilege rules to be skipped, because applying this tag to Host targets runs all assessments with the privilege level associated with the Cloud Agent. SCAP benchmarks typically require root-level privileges in order to execute all rules. Database targets do not have this limitation, since their rules are always executed with the secondary Database Credential.

  1. From the menu, select Administration, and click Entity Configuration.
  2. Add a new tag with Name UseAsAgentCredential, leave the Value empty.
  3. Assign the Entities you want to configure.
  4. Click OK.
  5. Log in to each of the entities you want to configure and open a command-line interface. Run the following command:
    $ <AGENT_BASE_DIR>/agent_inst/bin/omcli setproperty agent -allow_new -name _enableAsAgentCredential -value true