Configure Benchmark Engines
To execute an industry-standard benchmark assessment, you must configure a third party Security Content Automation Protocol (SCAP) certified engine, such as Open SCAP.
If the operating system, entity type, and version combination is not available in Oracle Configuration and Compliance, you can create a new engine configuration.
From the menu, select Engine Configuration, and click Add.
Enter the engine parameters, and click Save.
The populated variables are mapped to an engine operating system command. At assessment template runtime, the appropriate engine configuration is selected for the entity-benchmark combination, and the runtime arguments field will be bound and executed. The following example shows you how to configure Open SCAP to run benchmark assessments:$ENGINE_PATH/oscap xccdf eval --profile __RULESETID__ --results $RESULTS_PATH/__SCANID__.__ENTITYID__.results.xml $SCAP_INPUT_PATH/__RULESETFILENAME__
The $ENGINE_PATH parameter maps to the absolute path of the SCAP engine, ending with the executable.
The output location is the $RESULTS_PATH parameter, which maps to the writable directory where the results are written.
The content location is the $SCAP_INPUT_PATH parameter, which maps to the readable SCAP benchmarks that are executed by the engine.
If you want a different engine configuration, you can override the default for the same entity type and version engine configuration. For example, a customer can create an override engine configuration if the configuration’s default output path resides on a disk partition that has insufficient disk space.
Configure a User-Defined Rule
Oracle Configuration and Compliance can execute user-defined, language-independent custom scripts or standard output, and it can map multiple exit codes on pass or fail compliance violations.
You can create user-defined custom scripts or processes are created in named rule entries. You group these named rule entries within named rulesets. In the menu, select Library and click Rulesets.
Custom rule or end-user-created custom scripts and processes are executed by the host where an Oracle cloud agent is configured and running. The custom scripts or executables must have the appropriate file system permissions and binary executable bits set so that Oracle Configuration and Compliance can invoke them.
From the menu, select Library, and click Rules.
Click Add to configure a new rule.
Enter a name for the rule.
Enter the fully qualified path and executable name.
Enter the metadata in accordance with your business objectives.
- Add the rule to a new or existing ruleset, and click Save.
Table 1. Metadata descriptions
The information in this table will describe what each field expects while configuring a user-defined rule.
|Description||A description of the rule|
|Severity||A critical, high, medium, low, informational violation value|
|Entity Type||The type that the rule will be mapped and executed against|
Optional values that are passed to the script on the command line
For the optional script parameters, you can specify the following key or value pairs:
stdin: Content to be passed to the script’s standard input
args: A list of command-line arguments to be appended to the script path
|Reference URL||An HTTP URL provided for the loose-coupling of additional runbook remediation or metadata|
|Rationale||Explains the importance of this rule and the consequences of non-compliance|
|Fixtext||Explains the steps necessary to bring the entity into compliance with this rule|
|Message||The explanatory message sent to notification services upon the observation of a new violation|
|Tags||Comma-separated key words used for classification.|
Provides the exit code; map multiple exit codes or standard out text to pass or fail compliance violations
Process exit codes have the following order of preference.
Manually specified values such as the following are evaluated first:
If the exit code is zero and standard output exists, regular expressions are evaluated.
If the exit code is not zero and is not a manually specified value, it’s mapped to a "rule error" (nonzeroExitCode).
If the exit code is zero and isn’t one of the regular mapped expressions, the rule results in a "rule pass" (emptyOutput, nonemptyOutput)
|Enabled||Lets you disable the execution of a rule without having to removing it from a ruleset|