Overview of Compliance Management
The Compliance Management solution provides the tools to evaluate targets and systems for compliance with business best practices in terms of configuration, security, storage, and so on. In addition, Compliance Management provides the capability to define, customize, and manage the entities used to evaluate compliance.
The compliance solution:
- Automatically determines if targets and systems have valid configuration settings and whether they are exposed to configuration-related vulnerabilities.
- Advises how to change configurations to bring targets and systems into compliance with respect to best practices.
- Provides real-time monitoring of a target's files, processes, and users to let Oracle Enterprise Manager Cloud Control (Cloud Control) users know where configuration changes or unauthorized actions are taking place in their environment.
- Provides Oracle-provided compliance frameworks (for example, Oracle Generic Compliance Framework) and compliance standards that map to compliance standard rules. This mapping makes it possible to visualize how out-of-compliance settings and actions will affect any compliance framework an organization follows.
- Provides a compliance-focused view of IT configuration and change that is suitable for Line of Business Owners, IT Managers, and Compliance Managers to refer to regularly to check on their organization's compliance coverage.
Before you start using the compliance features, there are a few basics you need to know. See the following for details:
Terminology Used in Compliance
The following terms are used throughout this chapter when discussing the compliance feature:
- Compliance Framework
A compliance framework is an organized list of control areas that need to be followed for a company to stay in compliance in its industry. Enterprise Manager uses compliance frameworks as a pyramid structure to map standards and rules to the control areas they affect. Compliance frameworks are hierarchical to allow for direct representation of these industry frameworks.
A single framework control area maps to one or more compliance standards. The outcomes of these compliance standard evaluations produce a score for the given framework area.
- Compliance Standard
A compliance standard is a collection of checks or rules that follow broadly accepted best practices. It is the Cloud Control representation of a compliance control that must be tested against some set of IT infrastructure to determine if the control is being followed. This ensures that IT infrastructure, applications, business services and processes are organized, configured, managed, and monitored properly. A compliance standard evaluation can provide information related to platform compatibility, known issues affecting other customers with similar configurations, security vulnerabilities, patch recommendations, and more. A compliance standard is also used to define where to perform real-time change monitoring.
A compliance standard is mapped to one or more compliance standard rules and is associated with one or more targets that should be evaluated.
- Compliance Standard Rule
A compliance standard rule is a specific test to determine if a configuration data change affects compliance. A compliance standard rule is mapped to one or more compliance standards.
Cloud Control has the following types of compliance standard rules:
- Agent-side Rule
Used to perform configuration checks on the agent and upload violations into the Management Repository.
- Configuration Consistency Rule
Reflects changes of target members within a system. For example, configuration consistency rules ensure that the configuration parameters for all databases within a cluster are the same.
- Configuration Comparison Rule
Compares the configuration of a target with the configuration of another target of the same type.
- Manual Rule
Checks that must be performed but cannot be automated. For example: "Plans for testing installations, upgrades, and patches must be written and followed prior to production implementation."
- Real-time Monitoring Rule
Used to monitor actions to files, processes, and database entities in real-time as the changes occur. Also captures users logging in and logging out, and SU and SUDO activities.
- Repository Rule
Used to perform a check against any metric collection data in the Management Repository.
- Compliance Standard Rule Folder
Compliance standard rule folders are hierarchical structures that contain compliance standard rules.
- Importance
Importance is a setting that the user can make when mapping compliance frameworks, standards, and rules. The importance is used to calculate the effect a compliance violation will have on the compliance score for that framework control area or compliance standard.
For compliance frameworks, when mapping a compliance standard, the importance for this compliance standard indicates the relative importance to other compliance standards in this framework.
For compliance standards, when mapping a compliance standard rule, importance indicates the relative importance of a compliance standard rule to all other compliance standard rules in the compliance standard.
- Compliance Score
A target's compliance score for a compliance standard is used to reflect the degree of the target's conformance with respect to the compliance standard. The compliance score is in the range of 0% to 100% inclusive. A compliance score of 100% indicates that a target fully complies with the compliance standard.
- Real-time Monitoring Facet
The real-time monitoring rule definition includes facets that specify what is important to monitor for a given target type, target properties, and entity type. A facet is a collection of patterns that make up one attribute of a target type. For example, the networking configuration files for your operating system could be defined by one facet containing multiple file names or file patterns.
- Observation
Observations are the actions that were seen on a host or target that were configured to be monitored through real-time monitoring rules. Each distinct user action results in one observation.
- Audit Status
Every observation has an audit status that records whether the observation was authorized, unauthorized, or neither (unaudited). The audit status can be set manually or automatically through the real-time monitoring compliance standard rule configuration.
- Observation Bundle
Single observations are not reported from the Management Agent to the server. They are instead bundled with other observations against the same target, rule, and user performing the action. Bundles help combine like observations and make it easier to manage the observations in Cloud Control.
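The observation bundling described above, as an added example that is not Oracle's code: it groups constructed observation records by target, rule and user and starts a new bundle when consecutive actions are too far apart. The 5-minute gap, the host, rule and user names, and the record layout are all assumptions; the page gives no value for "a short period of time".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Observation:
    """One distinct user action seen by a real-time monitoring rule."""
    time: datetime
    target: str
    rule: str
    user: str
    action: str

@dataclass
class Bundle:
    """Observations against the same target, rule and user, close together in time."""
    target: str
    rule: str
    user: str
    observations: list = field(default_factory=list)
    audit_status: str = "unaudited"  # authorized, unauthorized or unaudited

# ASSUMPTION: the page says only "a short period of time"; 5 minutes is chosen here.
BUNDLE_GAP = timedelta(minutes=5)

def bundle_observations(observations, gap=BUNDLE_GAP):
    """Group by (target, rule, user); open a new bundle when the gap since that key's last action exceeds `gap`."""
    bundles, open_bundles = [], {}
    for obs in sorted(observations, key=lambda o: o.time):
        key = (obs.target, obs.rule, obs.user)
        current = open_bundles.get(key)
        if current is None or obs.time - current.observations[-1].time > gap:
            current = Bundle(obs.target, obs.rule, obs.user)
            bundles.append(current)
            open_bundles[key] = current
        current.observations.append(obs)
    return bundles

# Constructed sample (host, rule and user names are made up): alice edits twice,
# bob once, then alice again 20 minutes later and once more on another host.
T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE = [
    Observation(T0, "host1", "os-network-config", "alice", "file modified"),
    Observation(T0 + timedelta(minutes=1), "host1", "os-network-config", "alice", "file modified"),
    Observation(T0 + timedelta(minutes=2), "host1", "os-network-config", "bob", "file modified"),
    Observation(T0 + timedelta(minutes=20), "host1", "os-network-config", "alice", "file modified"),
    Observation(T0 + timedelta(minutes=21), "host2", "os-network-config", "alice", "file modified"),
]

def sample_bundles():
    """Bundle the constructed sample: 4 bundles, the first holding alice's two edits."""
    return bundle_observations(SAMPLE)
```

Each bundle starts as unaudited, matching the third audit status on the page; a wider gap merges alice's later host1 edit into her first bundle.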
Access the Compliance Features
To access the compliance features, navigate to the Enterprise menu, select Compliance, then select one of the following:
- Dashboard
The dashboard provides a high-level view of results that show how compliant or at risk your organization or your area is. The dashboard contains dials representing the compliance score for a selected framework, least compliant systems and targets, and unmanaged discovered hosts.
- Results
Compliance results include evaluation results and errors for compliance frameworks and compliance standards, as well as target compliance.
- Library
The Compliance Library page contains the entities used for defining standards. From the Compliance Library page you can manipulate compliance frameworks, compliance standards, compliance standard rules, and real-time monitoring facets.
Note: The real-time monitoring facets are only for real-time monitoring rules.
- Real-time Observations
Observations are the actions that were seen on a host or target that were configured to be monitored through real-time monitoring rules. Each distinct user action results in one observation. Observations are additionally bundled if there are multiple observations done in a short period of time by the same user on the same target and against the same real-time monitoring rule. Multiple UI-based reports are provided to allow users to analyze the actions that are being observed.
Roles and Privileges Needed for Compliance Features
To use the compliance standard features, you need to have access to the following roles and privileges.
Role | Description | Contains the Privileges |
---|---|---|
EM_COMPLIANCE_DESIGNER | Enables you to create, modify, and delete compliance frameworks, compliance standards, compliance standard rules, and real-time monitoring facets. | Target Privileges: Manage any Target Compliance, Manage any Target Metric, View any Target. Resource Privileges: Create Compliance Entity, Full any Compliance Entity, Compliance Framework, Configuration Extensions, Job System. |
EM_COMPLIANCE_OFFICER | Enables you to view compliance framework definition and results. | No target privileges. Resource Privilege: Compliance Framework (including View any Compliance Framework). |
Privilege | Type of Privilege | Included in Role | Description |
---|---|---|---|
Manage any Target Compliance | Target | EM_COMPLIANCE_DESIGNER | Allows you to manage the compliance of any target, including the association of a compliance standard to a target. |
Manage any Target Metric | Target | EM_COMPLIANCE_DESIGNER | Enables you to manage a metric for any target. |
View any Target | Target | EM_COMPLIANCE_DESIGNER | Allows you to view all managed targets in Enterprise Manager. |
View any Compliance Framework | Target | EM_COMPLIANCE_OFFICER, EM_COMPLIANCE_DESIGNER | Allows you to view compliance framework definition and results. Note: This privilege is part of the Compliance Framework resource privilege. It is granted by default for the EM_COMPLIANCE_OFFICER role but not for the EM_COMPLIANCE_DESIGNER role. |
Create Compliance Entity | Resource | EM_COMPLIANCE_DESIGNER | Allows you to create compliance frameworks, compliance standards, compliance standard rules, and real-time monitoring facets. This privilege is part of the Compliance Framework resource privilege. |
Full any Compliance Entity | Resource | EM_COMPLIANCE_DESIGNER | Allows you to edit and delete compliance frameworks, compliance standards, compliance standard rules, and real-time monitoring facets. This privilege is part of the Compliance Framework resource privilege. |
Compliance Framework | Resource | EM_COMPLIANCE_DESIGNER, EM_COMPLIANCE_OFFICER | Provides the capability to define, customize, and manage compliance frameworks, compliance standards, and compliance standard rules, and to evaluate the compliance of targets and systems with regard to business best practices for configuration, security, storage, and so on. This privilege contains the following privileges: Create Compliance Entity, Full any Compliance Entity, View any Compliance Framework. |
Configuration Extensions | Resource | EM_COMPLIANCE_DESIGNER | Allows extending target configuration collections. This privilege contains the following privileges: |
Job System | Resource | EM_COMPLIANCE_DESIGNER | A job is a unit of work, which may be scheduled, that an administrator defines to automate commonly run tasks. This privilege contains the following privileges: |
Task | Roles and Privileges Required |
---|---|
Create compliance framework | Create Compliance Entity privilege; View any Compliance Framework privilege |
Edit and delete compliance framework | Full any Compliance Entity privilege; View any Compliance Framework privilege |
Create, edit, and delete compliance framework | EM_COMPLIANCE_DESIGNER role; EM_COMPLIANCE_OFFICER role |
Associate a compliance standard to a target | Manage any Target Compliance privilege or MANAGE_TARGET_COMPLIANCE privilege on the target |
Import or export a compliance framework | EM_COMPLIANCE_DESIGNER role; EM_COMPLIANCE_OFFICER role |
Create a real-time monitoring rule | EM_COMPLIANCE_DESIGNER role |
Create a real-time monitoring facet | EM_COMPLIANCE_DESIGNER role |
Note: In addition, ensure you have privileges to access the target you will be associating with a compliance standard. In particular, you need the Manage any Target Compliance privilege on the target.