21 SCAP Supported Standards
Enterprise Manager supports Security Content Automation Protocol (SCAP) enabled compliance standards. SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.
Note:
OSCAP is not part of Enterprise Manager or an Oracle product. It's part of the OpenSCAP initiative. SCAP rules will show as user-defined rules, but will work as system-defined rules. For these rules to function properly, you need to deploy configuration extensions into the agent. For more information on configuration extensions see: Working with Configuration Extensions.
SCAP Prerequisites
Before uploading and using SCAP supported standards, ensure the following prerequisites are met:
- Install OpenSCAP (OSCAP) on the agent targets using the install method of your choice (RPM, YUM, DNF). To download OSCAP see: https://www.open-scap.org/download/.
  For Oracle Linux, install openscap-utils, openscap-scanner, and scap-security-guide on each target host.
  yum install openscap-utils openscap-scanner scap-security-guide
  Note:
  If you are using Oracle Linux, make sure that the LibXML Perl module is installed. To install it, use the following command:
  yum install "perl(XML::LibXML)"
  For information on how to install binaries in Oracle Linux using YUM see: Installing Software from Oracle Linux Yum Server.
- Ensure that the Database Lifecycle Management Pack for Oracle Database is enabled before using SCAP supported standards. For more information see: Database Lifecycle Management Pack for Oracle Database.
SCAP Best Practices
- Ensure the OSCAP command runs with any applicable out-of-the-box SCAP standard, such as PCI-DSS, HIPAA, DISA STIG, or Standard System Security Profile, on a few reference hosts. (Outside of Enterprise Manager)
- Ensure the other hosts where you intend to run OSCAP are identical to the reference hosts.
- Ensure the latest OSCAP version is installed on all hosts. (YUM or RPM install)
Once all these best practices are met, you can associate all the Enterprise Manager host targets to the newly created SCAP compliance standard.
The following diagram shows the SCAP standards compliance flow after a host target is associated with a SCAP compliance standard.
Figure 21-1 SCAP Standards Compliance Process
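The first best practice above (running OSCAP on a reference host outside of Enterprise Manager), as an added example that is not part of the Oracle documentation or Enterprise Manager: it confirms that oscap is installed and that the profile exists in the data stream, then classifies the scan by oscap's exit status. The data stream path, the profile id, the function names and the RUN_SCAN/OUTDIR variables are assumptions.

```shell
#!/bin/sh
# Added example (not Oracle's code): reference-host check outside Enterprise Manager.
# Assumed defaults: scap-security-guide content path and the HIPAA profile id.
DS="${DS:-/usr/share/xml/scap/ssg/content/ssg-ol8-ds.xml}"
PROFILE="${PROFILE:-xccdf_org.ssgproject.content_profile_hipaa}"

# Map oscap's exit status to a verdict: 0 = every rule passed,
# 2 = scan completed but a rule failed or was unknown, anything else = scan error.
classify_rc() {
    case "$1" in
        0) echo "pass" ;;
        2) echo "rules-failed" ;;
        *) echo "scan-error" ;;
    esac
}

# Succeeds when `oscap info` lists the profile id in the data stream.
# -w stops a short id from matching a longer one that merely starts with it.
profile_available() {
    oscap info "$1" 2>/dev/null | grep -qwF -- "$2"
}

# Evaluate one profile and print "<verdict> oscap=<version>", a line that can be
# compared across reference hosts. Returns non-zero only when the scan could not run.
reference_scan() {
    ds=$1; profile=$2; outdir=$3
    command -v oscap >/dev/null 2>&1 || { echo "scan-error oscap-missing"; return 1; }
    [ -r "$ds" ] || { echo "scan-error datastream-unreadable"; return 1; }
    profile_available "$ds" "$profile" || { echo "scan-error profile-missing"; return 1; }
    ver=$(oscap --version | sed -n '1s/.* //p')
    rc=0
    oscap xccdf eval --profile "$profile" \
        --results "$outdir/results.xml" --report "$outdir/report.html" \
        "$ds" >/dev/null 2>"$outdir/oscap.err" || rc=$?
    verdict=$(classify_rc "$rc")
    echo "$verdict oscap=$ver"
    [ "$verdict" != "scan-error" ]
}

# Run only when asked, e.g.: RUN_SCAN=1 OUTDIR=/tmp sh reference_scan.sh
if [ "${RUN_SCAN:-0}" = 1 ]; then
    reference_scan "$DS" "$PROFILE" "${OUTDIR:-.}"
fi
```

Comparing the printed line across reference hosts shows whether they run the same OSCAP version and reach the same verdict for the profile.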

SCAP Standards Available for Oracle Linux 7
The following is a list of SCAP Standards included in Oracle Enterprise Manager 24.1:
Health Insurance Portability and Accountability Act (HIPAA): The HIPAA Security Rule establishes US national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. This profile configures Oracle Linux 7 to the HIPAA Security Rule for securing electronic protected health information. (V0.1.72).
For more information on securing Linux configuration for HIPAA compliance see: https://complianceascode.github.io/content-pages/guides/ssg-ol7-guide-hipaa.html.
DISA STIG For Oracle Linux 7: This profile contains configuration checks that align to DISA STIG for Oracle Linux V1R1. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol7-guide-stig.html
PCI-DSS v3.2.1 Control Baseline for Oracle Linux 7: Ensures PCI-DSS v3.2.1 related security configuration settings are applied. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol7-guide-pci-dss.html
Standard System Security Profile for Oracle Linux 7: This profile contains rules to ensure a standard security baseline of an Oracle Linux 7 system. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol7-guide-standard.html
SCAP Standards Available for Oracle Linux 8
The following is a list of SCAP Standards included in Oracle Enterprise Manager 24.1:
Health Insurance Portability and Accountability Act (HIPAA): The HIPAA Security Rule establishes US national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. This profile configures Oracle Linux 8 to the HIPAA Security Rule for securing electronic protected health information. (V0.1.72). For more information on securing Linux configuration for HIPAA compliance see: https://complianceascode.github.io/content-pages/guides/ssg-ol8-guide-hipaa.html.
DISA STIG for Oracle Linux 8: This profile contains configuration checks that align to DISA STIG for Oracle Linux 8. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol8-guide-stig.html.
PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8: Ensures PCI-DSS v3.2.1 related security configuration settings are applied. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol8-guide-pci-dss.html.
Standard System Security Profile for Oracle Linux 8: This profile contains rules to ensure a standard security baseline of an Oracle Linux 8 system. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol8-guide-standard.html.
SCAP Standards Available for Oracle Linux 9
The following is a list of SCAP Standards included in Oracle Enterprise Manager 24.1:
Health Insurance Portability and Accountability Act (HIPAA): The HIPAA Security Rule establishes US national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. This profile configures Oracle Linux 9 to the HIPAA Security Rule for securing electronic protected health information. (V0.1.69). For more information on securing Linux configuration for HIPAA compliance see: https://complianceascode.github.io/content-pages/guides/ssg-ol9-guide-hipaa.html.
DISA STIG for Oracle Linux 9: This profile contains configuration checks that align to DISA STIG for Oracle Linux 9. (V0.1.69).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol9-guide-stig.html.
PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 9: Ensures PCI-DSS v4.0 related security configuration settings are applied. (V0.1.69).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol9-guide-pci-dss.html.
Standard System Security Profile for Oracle Linux 9: This profile contains rules to ensure a standard security baseline of an Oracle Linux 8 system. (V0.1.69).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol9-guide-standard.html.
Import XCCDF-based Standards Using EMCLI
SCAP Extensible Configuration Checklist Description Format (XCCDF) standards that are not included by default can be imported into Enterprise Manager using the EM CLI verb upload_compliance_standard and the -file parameter with the XML data stream file containing one or more standards.
OSCAP consumes XCCDF compliance standards delivered through Oracle Linux. These payloads can be imported into Enterprise Manager using the EM CLI verb upload_compliance_standard to manage compliance of monitored targets against defined policies.
$ emcli upload_compliance_standard -file="ssg-ol8-ds.xml"
Note:
Enterprise Manager cannot resolve compatibility issues if the payload is incompatible with the OSCAP installed on the hosts. It can only report these errors.