Overview of Compliance Management

The Compliance Management solution provides the tools to evaluate targets and systems for compliance with business best practices in terms of configuration, security, storage, and so on. In addition, Compliance Management provides the capability to define, customize, and manage the entities used to evaluate compliance.

The compliance solution:

  • Automatically determines if targets and systems have valid configuration settings and whether they are exposed to configuration-related vulnerabilities.
  • Advises how to change configurations to bring targets and systems into compliance with respect to best practices.
  • Provides real-time monitoring of a target's files, processes, and users to let Oracle Enterprise Manager Cloud Control (Cloud Control) users know where configuration changes or unauthorized actions are taking place in their environment.
  • Provides Oracle-provided compliance frameworks (for example, Oracle Generic Compliance Framework) and compliance standards that map to compliance standard rules. This mapping makes it possible to visualize how out-of-compliance settings and actions will affect any compliance framework an organization follows.
  • Provides a compliance-focused view of IT configuration and change that is suitable for Line of Business Owners, IT Managers, and Compliance Managers to refer to regularly to check on their organization's compliance coverage.

Before you start using the compliance features, there are a few basics you need to know. The following sections cover them.

Terminology Used in Compliance

The following terms are used throughout this chapter when discussing the compliance feature:

  • Compliance Framework

    A compliance framework is an organized list of control areas that need to be followed for a company to stay in compliance in their industry. Enterprise Manager uses compliance frameworks as a pyramid structure to map standards and rules to the control areas they affect. Compliance frameworks are hierarchical to allow for direct representation of these industry frameworks.

    A single framework control area maps to one or more compliance standards. The outcome of these compliance standard evaluations results in a score for the given framework area.

  • Compliance Standard

    A compliance standard is a collection of checks or rules that follow broadly accepted best practices. It is the Cloud Control representation of a compliance control that must be tested against some set of IT infrastructure to determine if the control is being followed. This ensures that IT infrastructure, applications, business services and processes are organized, configured, managed, and monitored properly. A compliance standard evaluation can provide information related to platform compatibility, known issues affecting other customers with similar configurations, security vulnerabilities, patch recommendations, and more. A compliance standard is also used to define where to perform real-time change monitoring.

    A compliance standard is mapped to one or more compliance standard rules and is associated with one or more targets that should be evaluated.

  • Compliance Standard Rule

    A compliance standard rule is a specific test to determine if a configuration data change affects compliance. A compliance standard rule is mapped to one or more compliance standards.

    Cloud Control has the following types of compliance standard rules.

    • Agent-Side Rule

      Used to perform configuration checks on the agent and upload violations into the Management Repository.

    • Configuration Consistency Rule

      Reflects changes of target members within a system. For example, configuration consistency rules ensure that the configuration parameters for all databases within a cluster are the same.

    • Configuration Drift Rule

      Compares the configuration of a target with the configuration of another target of the same type.

    • Manual Rule

      Checks that must be performed but cannot be automated. For example: "Plans for testing installations, upgrades, and patches must be written and followed prior to production implementation."

    • Missing Patches Rule

      Checks whether patches that should be applied to a target are missing.

    • Real-time Monitoring Rule

      Used to monitor actions to files, processes, and database entities in real-time as the changes occur. Also captures users logging in and logging out, and SU and SUDO activities.

    • Repository Rule

      Used to perform a check against any metric collection data in the Management Repository.

  • Compliance Standard Rule Folder

    Compliance standard rule folders are hierarchical structures that contain compliance standard rules.

  • Importance

    Importance is a setting that the user can make when mapping compliance frameworks, standards, and rules. The importance is used to calculate the effect a compliance violation will have on the compliance score for that framework control area or compliance standard.

    For compliance frameworks, when mapping a compliance standard, the importance for this compliance standard indicates the relative importance to other compliance standards in this framework.

    For compliance standards, when mapping a compliance standard rule, importance indicates the relative importance of a compliance standard rule to all other compliance standard rules in the compliance standard.

  • Score

    A target's compliance score for a compliance standard is used to reflect the degree of the target's conformance with respect to the compliance standard. The compliance score is in the range of 0% to 100% inclusive. A compliance score of 100% indicates that a target fully complies with the compliance standard.

  • Real-time Facets

    The real-time monitoring rule definition includes facets that specify what is important to monitor for a given target type, target properties, and entity type. A facet is a collection of patterns that make up one attribute of a target type. For example, the networking configuration files for your operating system could be defined by one facet containing multiple file names or file patterns.

  • Real-Time Observations

    Observations are the actions that were seen on a host or target that were configured to be monitored through real-time monitoring rules. Each distinct user action results in one observation.

  • Observation Audit Status

    Every observation has an audit status that records whether the observation was authorized, unauthorized, or neither (unaudited). The audit status can be set manually or automatically through the real-time monitoring compliance standard rule configuration.

  • Observation Bundles

    Single observations are not reported from the Management Agent to the server. They are instead bundled with other observations against the same target, rule, and user performing the action. Bundles help combine like observations and make it easier to manage the observations in Cloud Control.
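
A constructed Python sketch of how facets, observations, bundles, and audit status fit together, added here as an illustration; it is not Enterprise Manager or Management Agent code, and the facet, rule, host, user, and policy values are assumptions:

```python
import fnmatch
from dataclasses import dataclass, field

# Constructed illustration of this chapter's concepts (facets, real-time monitoring rules,
# observations, bundles, audit status); not Enterprise Manager code or its data model.
# A facet: one attribute of a target type, expressed as file names or file patterns.
FACETS = {"os_network_config": ["/etc/hosts", "/etc/resolv.conf",
                                "/etc/sysconfig/network-scripts/ifcfg-*"]}
# Assumption for this example: each real-time monitoring rule monitors exactly one facet.
RULE_FACET = {"rt_network_files": "os_network_config"}
# Constructed policy for automatic audit status: (target, rule) -> users allowed to act.
AUTHORIZED_USERS = {("db-host-01", "rt_network_files"): {"netadmin"}}
@dataclass
class Observation:          # one distinct user action seen on a monitored target
    target: str
    rule: str
    user: str
    path: str
@dataclass
class Bundle:               # observations against the same target, rule and user
    target: str
    rule: str
    user: str
    observations: list = field(default_factory=list)
    audit_status: str = "unaudited"
def matches_facet(path, rule):
    """True when the path matches any pattern of the facet that the rule monitors."""
    return any(fnmatch.fnmatch(path, p) for p in FACETS[RULE_FACET[rule]])
def bundle_observations(observations, policy=None):
    """Group by (target, rule, user) as the agent does before upload; set audit status from policy if given."""
    bundles = {}
    for obs in observations:
        if not matches_facet(obs.path, obs.rule):
            continue  # change outside the monitored facet: no observation for this rule
        key = (obs.target, obs.rule, obs.user)
        bundles.setdefault(key, Bundle(*key)).observations.append(obs)
    if policy is not None:  # automatic audit status; without a policy bundles stay unaudited
        for b in bundles.values():
            allowed = policy.get((b.target, b.rule), set())
            b.audit_status = "authorized" if b.user in allowed else "unauthorized"
    return list(bundles.values())

# Constructed sample: two users change network files on one host; one change is out of scope.
SAMPLE = [
    Observation("db-host-01", "rt_network_files", "netadmin", "/etc/hosts"),
    Observation("db-host-01", "rt_network_files", "netadmin", "/etc/sysconfig/network-scripts/ifcfg-eth0"),
    Observation("db-host-01", "rt_network_files", "bob", "/etc/resolv.conf"),
    Observation("db-host-01", "rt_network_files", "bob", "/tmp/notes.txt"),
]
```

Running `bundle_observations(SAMPLE, AUTHORIZED_USERS)` yields two bundles: the netadmin bundle holds two observations and is authorized, the bob bundle holds one observation and is unauthorized, and the change to /tmp/notes.txt produces no observation because no facet pattern covers it.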

Access the Compliance Features

To access the compliance features, navigate to the Enterprise menu, select Compliance, then select one of the following:

  • Dashboard

    The dashboard provides a very high level view of results that show how compliant or at risk your organization or your area is. The dashboard contains dials representing the compliance score for a selected framework, least compliant systems and targets, and unmanaged discovered hosts.

  • Results

    Compliance results include evaluation results and errors for compliance frameworks and compliance standards, as well as target compliance.

  • Library

    The Compliance Library page contains the entities used for defining standards. From the Compliance Library page you can manipulate compliance frameworks, compliance standards, compliance standard rules, and real-time monitoring facets.

    Note: The real-time monitoring facets are only for real-time monitoring rules.

  • Real-time Observations

    Observations are the actions that were seen on a host or target that were configured to be monitored through real-time monitoring rules. Each distinct user action results in one observation. Observations are additionally bundled if there are multiple observations done in a short period of time by the same user on the same target and against the same real-time monitoring rule. Multiple UI-based reports are provided to allow users to analyze the actions that are being observed.

Roles and Privileges Needed for Compliance Features

To use the compliance standard features, you need to have access to the following roles and privileges.

  • EM_COMPLIANCE_DESIGNER

    Description: Enables you to create, modify, and delete compliance frameworks, compliance standards, compliance standard rules, and real-time monitoring facets.

    Contains the following target privileges:

    • Manage Any Target Compliance
    • Manage Any Target Metric
    • View any Target

    Contains the following resource privileges:

    • Compliance Framework (Create Compliance Entity; Full any Compliance Entity)
    • Configuration Extensions (Manage Configuration Extensions owned by any user)
    • Job System (Create)

  • EM_COMPLIANCE_OFFICER

    Description: Enables you to view compliance framework definition and results.

    Contains no target privileges.

    Contains the following resource privilege:

    • Compliance Framework (View any Compliance Framework)
The target and resource privileges used in compliance include:
  • Manage any Target Compliance

    Type: Target privilege. Included in role: EM_COMPLIANCE_DESIGNER.

    Allows you to manage the compliance of any target, including the association of a compliance standard to a target.

  • Manage any Target Metric

    Type: Target privilege. Included in role: EM_COMPLIANCE_DESIGNER.

    Enables you to manage a metric for any target.

  • View any Target

    Type: Target privilege. Included in role: EM_COMPLIANCE_DESIGNER.

    Allows you to view all managed targets in Enterprise Manager.

  • View any Compliance Framework

    Type: Resource privilege. Included in roles: EM_COMPLIANCE_OFFICER, EM_COMPLIANCE_DESIGNER.

    Allows you to view compliance framework definition and results.

    Note: This privilege is part of the Compliance Framework resource privilege. It is granted by default for the EM_COMPLIANCE_OFFICER role but not for the EM_COMPLIANCE_DESIGNER role.

  • Create Compliance Entity

    Type: Resource privilege. Included in role: EM_COMPLIANCE_DESIGNER.

    Allows you to create compliance frameworks, compliance standards, compliance standard rules, and real-time monitoring facets. This privilege is part of the Compliance Framework resource privilege.

  • Full any Compliance Entity

    Type: Resource privilege. Included in role: EM_COMPLIANCE_DESIGNER.

    Allows you to edit and delete compliance frameworks, compliance standards, compliance standard rules, and real-time monitoring facets. This privilege is part of the Compliance Framework resource privilege.

  • Compliance Framework

    Type: Resource privilege. Included in roles: EM_COMPLIANCE_DESIGNER, EM_COMPLIANCE_OFFICER.

    Provides the capability to define, customize, and manage compliance frameworks, compliance standards, and compliance standard rules, and to evaluate the compliance of targets and systems with regard to business best practices for configuration, security, storage, and so on.

    This privilege contains the following privileges:

    • Create Compliance Entity (granted by default in the EM_COMPLIANCE_DESIGNER role)
    • Full any Compliance Entity (granted by default in the EM_COMPLIANCE_DESIGNER role)
    • View any Compliance Framework (granted by default in the EM_COMPLIANCE_OFFICER role)

  • Configuration Extensions

    Type: Resource privilege. Included in role: EM_COMPLIANCE_DESIGNER.

    Allows extending target configuration collections.

    This privilege contains the following privileges:

    • Manage Configuration Extensions owned by any user (granted by default)
    • Manage Configuration Extensions owned by the user

  • Job System

    Type: Resource privilege. Included in role: EM_COMPLIANCE_DESIGNER.

    A job is a unit of work that an administrator defines, and may schedule, to automate commonly run tasks.

    This privilege contains the following privileges:

    • Create (granted by default)
    • Manage View Access
The following table lists the compliance tasks with the roles and privileges required.
  • Create compliance framework

    • Create Compliance Entity privilege
    • View any Compliance Framework privilege

  • Edit and delete compliance framework

    • Full any Compliance Entity privilege
    • View any Compliance Framework privilege

  • Create, edit, and delete compliance framework

    • EM_COMPLIANCE_DESIGNER role
    • EM_COMPLIANCE_OFFICER role

  • Associate a compliance standard to a target

    • Manage any Target Compliance privilege, or MANAGE_TARGET_COMPLIANCE privilege on the target

  • Import or export a compliance framework

    • EM_COMPLIANCE_DESIGNER role
    • EM_COMPLIANCE_OFFICER role

  • Create a real-time monitoring rule

    • EM_COMPLIANCE_DESIGNER role

  • Create a real-time monitoring facet

    • EM_COMPLIANCE_DESIGNER role

Note:

In addition, ensure you have privileges to access the target you will be associating with a compliance standard. In particular, you need the Manage any Target Compliance privilege on the target.