Evaluate Compliance

Compliance evaluation is the process of testing the compliance standard rules mapped to a compliance standard against a target and recording any violations in the Management Repository.

By evaluating a target against a compliance standard, you are determining whether the target complies with the checks of the standard. When a target does not meet the desired state, the test may suggest what changes are required to make that target compliant.

Compliance evaluation generates a score for a target based on how much the target is compliant with the standard. A 100% compliance score means that all checks of the compliance standard passed on the target. For real-time monitoring, the compliance score will drop as you have observations that have been marked as unauthorized either manually or through change request management integration. As these unauthorized observations are either cleared or changed to authorized, the score will improve.

Because target compliance must be monitored regularly, you need to associate a compliance standard with targets. Evaluation is performed automatically for any associated target whenever the target state refreshes, that is, whenever new data has been collected from the target. For repository rules, evaluation happens again each time new data for the target is loaded into the Management Repository. For Real-time Monitoring, evaluation happens every time an observation of a user action is seen.

What You Can Do To Ensure Compliance

When using Cloud Control to evaluate your compliance, you should regularly perform the following actions:

  • Regularly monitor the compliance dashboard to find areas that may indicate your organization has a low compliance score or is at risk.

  • View the results of an evaluation

    Study the results of the evaluations and make the needed changes to the targets.

    Only results from the targets for which you have View privilege will be available. The compliance standard rule evaluation results are rolled up in order to produce a compliance standard evaluation state as well as a compliance summary.

  • Study Oracle provided reports

    Regularly monitor real-time monitoring observation UI reports to see if detected observations are normal or abnormal. Set abnormal observations to unauthorized until any unauthorized change can be reverted or until the actions can be investigated to the level required by your auditors.

  • Study the trend overview as a result of the evaluation

    Use the graphs in the Trend Overview pages to visually determine whether the targets are adhering to or distancing themselves from the compliance best practices.

    To access the Trend Overview pages for compliance standards:

    1. From the Enterprise menu, select Compliance, then select Results.

    2. From the Compliance Standards tab, choose Evaluation Results.

    3. On the Evaluation Results page, choose the compliance standard you want to investigate and click Show Details.

    4. On the resulting details page, click the Trend Overview tab.

    Note: You can also review Trend Overview pages for compliance frameworks.

  • Ensure your environments match baselines (or each other) by creating rules on top of configuration compare capabilities. Then monitor for configuration drift using real-time monitoring.

  • Evaluate validity of configuration settings.

  • Evaluate exposure to configuration-related vulnerabilities, storage, and security.

  • Modify targets and systems to be compliant.

  • Verify authorization of configuration changes or user actions.

  • Continually test your systems, services, and targets, ensuring the best possible protection and performance your system can have.

  • Use Oracle provided compliance standards and compliance standard rules to determine compliance.

  • Keep an eye on hosts in your environment that are not monitored for compliance as these introduce a large amount of compliance risk in your environment.

The following sections provide additional details:

Access Compliance Statistics

Compliance statistics are available throughout the interface in Compliance Summary regions located on pages such as the Compliance Dashboard, the Enterprise Summary page, and a target's home page.

These regions report the violations and compliance scores for the particular targets. However, the region only reports that there is a violation; it does not give the details. For example, a violation can be against the Secure Port compliance standard rule that is part of the Secure Configuration for Host compliance standard. But you will not know the details just by looking at the Compliance Summary regions.

Use the Compliance Dashboard Effectively

The compliance dashboard is a top level view of the Cloud Control compliance features. The dashboard includes several regions which give you a very good insight into how compliant your IT environment is according to the standards you have configured.

To access the Compliance Dashboard:

  1. From the Enterprise menu, select Compliance.
  2. Select Dashboard.

The Compliance Dashboard is also one of the pages available from the "Select Your Home" page and can be set as your home page when you log in to Cloud Control.

The Compliance Dashboard includes the following regions:

  • Compliance Framework Summary

    This region lets the user choose one Compliance Framework and it shows the compliance score for each second-level folder under that Compliance Framework. The needle on the dial shows the current compliance score for that given framework element. The score is based on the targets that the logged-in Enterprise Manager user is allowed to see.

    Clicking on the dial will take you to the Compliance Results page for the given second-level framework folder giving you more details on the next framework folders down and/or the compliance standards belonging to this folder.

  • Compliance Summary

    This region has a view for frameworks and a view for standards. In the Framework view, this region shows you the list of all defined compliance frameworks and their overall score and violation details. In the standard view, this region will list the worst scoring compliance standards along with their violation details. Clicking on a framework or standard name will take you to a screen showing you more details of that framework or standard.

    From this region, you can also click the View Trends link to see a historic trend graph of the compliance score.

  • Least Compliant Generic Systems

    This region shows the generic systems that have the lowest compliance score. The score for a given system is calculated by including all rules that are associated with all elements of that system. A generic system is used to define your IT Business Applications, such as HRIS, Payroll, and so on. Reporting these systems that have the lowest score can help identify which business units have compliance risk leading up to audit time.

  • Most Recent Discovered Unmanaged Hosts

    This region shows hosts that have been discovered recently using the Cloud Control automatic host discovery feature but have not been promoted to managed hosts. These hosts represent a specific compliance risk, in that unmanaged hosts in an IT environment can lead to many access control and data access risks. The intent of this region is to highlight the hosts that have recently been discovered but may not be under compliance control.

  • Least Compliant Targets

    This region is similar to Least Compliant Generic Systems except that it shows you all targets (including the generic systems again). This region is less useful from an IT management or auditor perspective, since it may not be clear what these individual targets are used for. It can, however, be used as another data point to find the areas where you are at highest risk leading up to an IT compliance audit.

View Compliance Summary Information

Compliance summary information is available from the Cloud Control Compliance Results page and individual target home pages.

To view compliance summary information from the Cloud Control home page, follow these steps:

  1. From the Enterprise menu, select Compliance, then select Results.

To view compliance summary information from a target's home page, follow these steps:

  1. From the Targets menu, select the target type, and click the target.
  2. On the target's home page, select the target menu located at the top-left of the page.
  3. Select Compliance, then select Results. On the Results page, click Target Compliance.

View Target Compliance Evaluation Results

Target-specific compliance evaluation results are available on the Cloud Control home page and individual target home pages. When compliance standards and rules are evaluated, each evaluation ends in one of the following results:

Compliant

Target meets the desired state and there are no unauthorized real-time monitoring observations.

Non-Compliant

Target does not meet the desired state. At least one test in the compliance standard detected a deviation from the desired state or there is at least one unauthorized real-time monitoring observation.

Error

No results returned due to an error. The error may be an unexpected internal error or an error in the test. Examples of errors in the test include attempts to:

  • Divide by zero

  • Invoke a function with incorrect parameter values

To view results using Cloud Control home page, follow these steps:

  1. From the Enterprise menu, select Compliance, then select Results.

  2. Click the Target Compliance tab. The page displays the targets with their Average Compliance Score.

To view compliance evaluation results from a target's home page, follow these steps:

  1. From the Targets menu, select the target type.
  2. Click the name of the target in which you are interested.
  3. On the target menu located at the top-left of the page, select Compliance, then select Results.
  4. Click the Target Compliance tab. The page displays the targets with the Average Compliance Score.

Use the page or region to get a comprehensive view of a target's compliance over a period of time. Using the tables and graphs, you can easily watch for trends in progress and changes.

Note: Trend overview data might take up to six hours after a compliance standard is first associated with a target to appear in the time series charts.

View Compliance Framework Evaluation Results

To effectively use a compliance framework, organize the frameworks to reflect the compliance framework control areas you use in your organization. The hierarchical structure of the framework should map directly to the control areas of the frameworks you follow.

Oracle provides a number of frameworks, for example, Oracle Generic Compliance, Fusion Applications Compliance, and Security Technical Implementation Guide (STIG). These frameworks can be used as a starting point for you to create your own frameworks to match your needs or can be used to understand how best to organize your own frameworks based on internal standards or based on SOX, HIPAA, NIST-800, or other common frameworks.

To view the results of a compliance framework evaluation, use the Evaluations Results page accessed through the Compliance Frameworks tab.

  1. From the Enterprise menu, select Compliance, then select Results.
  2. On the Compliance Results page, click the Compliance Frameworks tab and highlight the compliance framework of interest.

Since compliance frameworks are a hierarchical structure, each folder or node of the framework has its own score. The bottommost children of the hierarchy have their scores roll up to the parent folder, and so on. If a person viewing these reports is primarily interested in one control area of the framework they follow, they can focus on the score for that specific control area as represented by the corresponding folder under the framework.

Note:

If you notice a mismatch between the dates on the Results page and on the Configuration Refresh page, runAll can be used to sync the collection date correctly. runAll fixes a stale or stuck collected date; it does not force a data collection. If there is no previously collected data before executing runAll, evaluations and scores will not be refreshed.

Manage Violations

Using the Compliance Results feature you can suppress and unsuppress violations, as well as clear manual violations.

Suppressing a violation enables you to acknowledge an existing violation while removing it from the compliance score calculation. Suppressing a violation prevents the violation from negatively impacting the compliance score but does not delete it from the list of violations. Suppression can be indefinite or for a specified period of time.

Unsuppressing a violation causes the compliance score to be recomputed accounting for the violations that were unsuppressed.

Clearing manual rule violations causes the violations to be cleared and the compliance score to go up for the corresponding compliance standard or target. Clearing a manual rule violation can be indefinite or for a specified period of time.

Accessing the Managing Violations Feature

To access the Manage Violations feature:

  1. From the Enterprise menu, select Compliance, then select Results.

  2. Highlight a compliance standard and click Manage Violations.

The following tabs are available:

  • Unsuppressed Violations

  • Suppressed Violations

  • Manual Rule Violations

Unsuppressed Violations Tab

Use this tab to suppress violations.

  1. Select one or more violations.

  2. Click Suppress Violations.

  3. On the Violation Suppressed Confirmation popup, you can suppress the violation indefinitely or provide a date by which the suppression will end. Optionally, you can provide an explanation for the suppression.

  4. Click OK.

This submits a job to do the suppression asynchronously and returns you to the Result Library page. A suppression adds an annotation to the underlying event stating that the violation is suppressed along with the reason (if a reason was provided). Note: The job results are not instantaneous. It may take a few minutes for the results to be displayed.

Suppressed Violations Tab

Use this tab to unsuppress violations.

  1. Select one or more violations.

  2. Click Unsuppress Violations.

  3. On the Violation Unsuppressed Confirmation popup, you can provide an explanation for the unsuppression.

  4. Click OK.

This submits a job to do the unsuppression asynchronously and returns you to the result library. An unsuppression adds an annotation to the underlying event that the violation is unsuppressed along with the reason (if a reason was provided). Note: The job results are not instantaneous. It may take a few minutes for the results to be displayed.

Manual Rule Violations Tab

To clear a manual rule violation:

  1. Select one or more manual rule violations.
  2. Click Clear Violations.
  3. On the Clear Violations Confirmation popup, you can clear the violation indefinitely or provide a date by which the clear will end. Optionally, you can provide an explanation for the clear.
  4. Click OK.

This submits a job to do the manual rule violations clearing asynchronously and returns you to the Result Library page. Clearing manual rule violations also clears the underlying violation event. Note: The job results are not instantaneous. It may take a few minutes for the results to be displayed.

Investigate Compliance Violations and Evaluation Results

Here are a few suggestions for investigating compliance violations. Attend to the most critical violations or those that have the biggest impact on your overall IT enterprise compliance.

  • Monitor the compliance framework scores along with the systems and targets that have the lowest scores on the compliance dashboard.
  • Ensure that recently discovered hosts are either being monitored by Cloud Control for compliance risk or are otherwise not introducing risk into your IT compliance.
  • Study the statistics on the Enterprise Summary Home page. In particular, look at the statistics in the Compliance Summary region. The compliance violations with "Critical" severity should be dealt with first.
  • Address generic systems (IT business applications) and targets that have the lowest compliance scores.
  • For the compliance violations of a particular target, examine the home page for that target. The Compliance Standard Summary region provides overview information, but it also gives you access to the Trend for that target.
  • Review compliance violation-related events in the Incident Management area of Cloud Control.
  • Navigate to the Results page for a particular compliance standard. In the navigation tree, click the name of the compliance standard and a summary page lists all the targets along with the number of violations.
  • Navigate to the Trend Overview page to see charts relating to the number of targets evaluated, the average violation count per target, number of targets by compliance score, and the average compliance score.
  • Navigate to the Rule Details tab under the Compliance Results page to see a summary of the Compliance rule, including its Type, Severity, State, Description, Rationale and Recommendation for resolution.

Note:

Only results from those targets for which you have View privilege will be available for viewing.

Investigating Violations of Repository Compliance Standard Rules and Targets Causing Violations

If you are looking at the Enterprise Summary page and you notice that there are critical violations against the Secure Configuration for Host compliance standard, you need to find what targets are causing the violations. Follow these steps:

  1. From the Enterprise menu, select Compliance, then select Results.
  2. In the Evaluations Results tab for Compliance Standards, highlight the Secure Configuration for Host compliance standard. Click Show Details.
  3. In the Summary tab on the Compliance Standard Result Detail page, you can look at the results either by target or compliance standard rule. For this example, we will use Result by Compliance Standard Rule.
  4. In the navigational list, click the Secure Ports compliance standard rule. In the resulting Secure Ports Summary tab, you will get a list of all the targets that are violating the Secure Ports rule. This is a security issue that needs to be addressed.
  5. With the Secure Ports compliance standard rule still selected in the navigational list, click the Rule Detail tab of the Secure Ports Summary. Here you will see a detailed summary of the rule, its Severity, Rule State (Production, Test), Description, Rationale, and Recommendation for solutions.

Viewing All the Violations Reported for Your Enterprise

If you want to see all the targets that are not compliant with the compliance standards:

  • From the Enterprise menu, select Compliance, then select Results.

    You have the option of viewing violations associated with compliance standards and compliance frameworks.

    • Click the Target Compliance tab for a roll-up view of all violations across all targets, that is, all those targets that are out of compliance.

    • Click the Compliance Standards tab to view the list of compliance standards against which there are violations. From this tab, you can also access the Errors tab to view the errors against the compliance standard.

  • Navigate to the Home page for a particular target. The Compliance Standard Summary region lists the compliance violations according to severity level. Click the name of the compliance standard of interest to view the details of the violations.

Examples of Viewing Violations

As noted in the previous sections, the compliance feature provides violation details that help you resolve compliance issues. There are a number of ways to access violation details.

Violations are available from the following:

  • Compliance Summary region located on the Enterprise Summary page. You can easily see the violations against compliance frameworks and compliance standards.
  • Compliance Results page. From the Enterprise menu, select Compliance, then select Results.

The following are examples of how to find violation details:

  • Example 1 - Accessing Violation Details of a Compliance Framework: To see the violations of a compliance framework, click the Compliance Frameworks tab then the Evaluation Results tab. The Violations columns list how many violations exist for each framework. When you click the number in a Violations column, all the targets with their associated compliance standards are listed.

    In turn, when you click the number in the Violation Count column, the resulting Violations page lists the compliance standard rule that is violated. Again when you click the number in the Violation Count column, the resulting Violation Details page lists all metrics for a particular compliance standard rule that are responsible for the violations.

  • Example 2 - Accessing Violation Details of a Compliance Standard: When you click the Compliance Standards tab then the Evaluation Results tab, the Violations columns report how many violations exist for each compliance standard.

    When you click the number in a Violations column, the Violations pop-up appears listing all the targets violating the standard.

    Figure 23-2 Violations for a Compliance Standard



    Again, click the number in the Violation Count column and the Violations pop-up appears. All the Compliance Standard Rules, for example Security Recommendations, are listed.

    You continue the process by clicking the number in the Violation Count column again in the Violations pop-up. The subsequent pop-up displays the Violations Details. For example, the Violations Details pop-up displays the name of the patch that is causing the problem.

  • Example 3 - Accessing Violations of a Target

    When you click the Target Compliance tab, the Violations columns report how many violations exist for each target.

    Figure 23-3 Violations Using the Target Compliance Tab



    Again, click the number in the Violation Count column and the Violations pop-up appears. All the Compliance Standard Rules, for example Security Ports, are listed.

    You continue the process by clicking the number in the Violation Count column again in the Violations pop-up. The subsequent pop-up displays Violations Details. For example, the Violations Details pop-up displays the numbers of the ports violating the compliance standard.

  • Example 4 - Violations Using Show Details on Compliance Standards Page

    You can also drill-down on violations using the Show Details option on the Compliance Results page. Highlight a standard and click Show Details.

    On the resulting page, you have the option of seeing violations by target or by compliance standard rule.

    When you click the Violations tab, details regarding the compliance standard are listed including Event Details and Guided Resolution.

    Figure 23-5 Event Details and Guided Resolution



  • Example 5: Accessing Violations from Enterprise Summary Page

    When you click the name of a compliance standard in the Compliance Summary region of the Enterprise Summary page, the Compliance Standard Result Detail page appears. By clicking the Violations tab, you can view all the targets that violate the particular compliance standard.

    Figure 23-6 Compliance Summary Region on Enterprise Summary Page



    On the Compliance Standard Result Detail page, when you click the Summary tab then the Result By Target tab, the number of violations against the target display. When you click a number in the violations columns, the Violations pop-up appears listing the compliance standard rules that are causing the violation. In turn, when you click the number in the Violation Count column, the name of the offending metric or patch displays.

    Note:

    • Similar drill-downs are available from the Target Compliance tab.
    • Target evaluations are only one level while Violations are multi-level.

    Tip: To get to the end result of a Violation, continue clicking the number in the Violation Count column. More and more details are presented, narrowing the cause of the problem.

Investigate Evaluation Errors

The Evaluation Errors page reports statistics about the problems encountered during the evaluation. On initial display, the Evaluation Errors page shows all the evaluation errors.

  • Use the Evaluation Errors page to view the errors that occurred as a result of metric collection, as well as those that occurred during the last evaluation.

  • Use the search filter to view only those evaluation errors that meet a set of search criteria that you specify.

  • Click the message in the Message column to decide what your course of action should be to resolve the error.

  • Normally the results of an evaluation overwrite the previous evaluation's results. However, in the case of evaluation failure or data provider collection failure, the previous results are left untouched.

After the underlying problem is fixed, the error will no longer be reported.
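The following is an added example, not Oracle's code, of how a repository rule evaluation arrives at the three results the page lists (Compliant, Non-Compliant, Error) and of the behaviour described above: a failed evaluation is reported as an error but does not overwrite the target's previous results, and the error stops being reported once an evaluation succeeds again. The hosts, port rows and the two rule tests (`no_cleartext_ports`, `broken_rule`) are constructed for illustration.

```python
# Added example (not Oracle's code): a toy repository-rule evaluator that
# classifies an evaluation as Compliant, Non-Compliant or Error, and a
# result store that keeps the last good result when an evaluation fails.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample collection: one row per listening port, per host.
COLLECTED_ROWS: Dict[str, List[dict]] = {
    "host-a": [{"port": 22, "service": "ssh"}, {"port": 443, "service": "https"}],
    "host-b": [{"port": 22, "service": "ssh"}, {"port": 23, "service": "telnet"}],
}


@dataclass
class EvaluationResult:
    state: str                                    # "Compliant", "Non-Compliant" or "Error"
    violations: List[dict] = field(default_factory=list)
    rows_evaluated: int = 0
    message: str = ""                             # populated only for Error


def no_cleartext_ports(row: dict) -> bool:
    """Hypothetical rule test: returns True when the row is a violation."""
    return row["service"] in ("telnet", "ftp")


def broken_rule(row: dict) -> bool:
    """Hypothetical rule whose test divides by zero, one of the test errors
    the page lists as a cause of the Error result."""
    return (row["port"] / 0) > 1


def evaluate(rule: Callable[[dict], bool], rows: List[dict]) -> EvaluationResult:
    """Run one rule over a target's collected rows and classify the outcome."""
    try:
        violations = [row for row in rows if rule(row)]
    except Exception as exc:                      # error in the test or an internal error
        return EvaluationResult("Error", message=f"{type(exc).__name__}: {exc}")
    state = "Non-Compliant" if violations else "Compliant"
    return EvaluationResult(state, violations, len(rows))


class ResultStore:
    """Per-target results. A successful evaluation overwrites the previous
    one; an Error is recorded separately, leaves the last good result
    untouched, and is dropped again once a later evaluation succeeds."""

    def __init__(self) -> None:
        self.results: Dict[str, EvaluationResult] = {}
        self.errors: Dict[str, str] = {}

    def record(self, target: str, result: EvaluationResult) -> None:
        if result.state == "Error":
            self.errors[target] = result.message
        else:
            self.results[target] = result
            self.errors.pop(target, None)         # fixed problem is no longer reported

    def state_of(self, target: str) -> str:
        return self.results[target].state if target in self.results else "Not Evaluated"


def run_rule_for_all(store: ResultStore, rule: Callable[[dict], bool]) -> Dict[str, str]:
    """Evaluate every host against one rule; return the errors still reported."""
    for target, rows in COLLECTED_ROWS.items():
        store.record(target, evaluate(rule, rows))
    return dict(store.errors)


def error_retention_demo() -> Dict[str, str]:
    """A good run followed by a failing run: each target keeps its earlier state."""
    store = ResultStore()
    run_rule_for_all(store, no_cleartext_ports)
    run_rule_for_all(store, broken_rule)
    return {target: store.state_of(target) for target in COLLECTED_ROWS}


if __name__ == "__main__":
    for target, state in error_retention_demo().items():
        print(f"{target}: {state}")
```

Running the module prints the retained state for each host after the failing run; in a real deployment the message recorded in the error table is what the Message column on the Evaluation Errors page would show.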

Search Filter for Evaluation Errors

By default, all the evaluation errors in your enterprise configuration appear in the results table. However, you can specify a set of search criteria and then perform a search that will display only the evaluation errors that meet those criteria in the results table.

For example, if you choose Host in the Target Type list, contains in the Target Name list, and "-sun" in the adjacent Target Name text field, and then click Go, Cloud Control displays, in the results table, only the compliance standard rule evaluation errors for the hosts that contain "-sun" in their names.

Analyze Compliance Reports

Cloud Control provides reports specific to compliance. To access these reports:

  1. From the Enterprise menu, select Reports, then select Information Publisher Reports.
  2. Scroll to the Compliance section

Compliance reports include the following:

  • Descriptions reports

    The Descriptions reports list all the available compliance standards, compliance frameworks, and compliance standard rules available in the Compliance Library. These reports enable you to decide whether additional compliance standards and compliance frameworks need to be defined for your enterprise to attain and maintain its compliance to the standards.

  • Results reports

    The Results reports provide details of the various evaluations against compliance standards and compliance frameworks. Using the Results reports you can view, in one place, all the statistics regarding the compliance of your enterprise against the defined standards. To view the target that is most likely in need of your immediate attention, view the Target with Lowest AVG COMPLIANCE SCORE report. The following are examples of the reports provided:

    • Compliance Standard Results Details

      Displays the compliance summary for all the compliance standards evaluated against a target. Data includes compliance score, compliant and non-compliant rules, violations, and last evaluation date.

    • Compliance Standard Result Summary

      Displays the compliance summary of a particular compliance standard. For example, if there are three targets each reporting on Security Recommendations for Oracle Products compliance, the Result Summary rolls up the information into one report. Data includes average compliance score, the number of targets that need immediate attention, and the number of rules that are non-compliant.

Overview of Compliance Score and Importance

A target's compliance score for a compliance standard reflects the degree of the target's conformance with that compliance standard. The compliance score is in the range of 0% to 100% inclusive. A compliance score of 100% indicates that the target fully complies with the compliance standard.

During an evaluation, a target is found to be compliant or non-compliant with that compliance standard.

Types of Importance

Importance is a setting the user specifies when mapping compliance frameworks, standards, and rules. The importance is used to calculate the effect a compliance violation will have on the compliance score for that framework control area or compliance standard.

For compliance frameworks, when mapping a compliance standard, the importance for this compliance standard indicates the relative importance to other compliance standards in this framework.

For compliance standards, when mapping a compliance standard rule, importance indicates the relative importance of a compliance standard rule to all other compliance standard rules in the compliance standard.

However, just because a compliance standard rule has an importance of 'low' does not mean that it can safely be ignored. All compliance violations should be triaged and cleared once the risk has been removed through a fix or a compensating control.

Importance is used to weight compliance scores as they roll up in a compliance standard hierarchy.

The following sections provide examples of how the compliance score is calculated.

Compliance Score of a Compliance Standard Rule-Target

Note: This calculation is used for Repository rules.

The compliance score of a compliance standard rule-target is calculated from the score range (lorange to hirange) that Table 23-1 assigns to the severity and importance of the compliance standard rule, reduced in proportion to the number of violations divided by the number of rows evaluated for that target.

The formula is:

score = hirange - (hirange - lorange) * (number of violations / number of rows evaluated)

The following table provides the score range for each combination of severity and importance.

Table 23-1 Importance and Severity Ranges

Importance | Critical Severity (1) | Warning Severity (1) | Minor Warning Severity (1)
-----------|-----------------------|----------------------|---------------------------
High       | 0-25 (2)              | 66-75                | 95-96
Normal     | 26-50                 | 76-85                | 97-98
Low        | 51-75                 | 86-95                | 99-99

(1) low range and high range of the severity

(2) 0 is the lorange; 25 is the hirange

Compliance Score of a Compliance Standard for a Target

The compliance score of a compliance standard for each target is calculated by taking the individual compliance score of each rule-target and multiplying it by its importance. This multiplication is repeated for each rule, and the resulting products are added. The sum of the products is then divided by the sum of the importances of the rules.

Figure 23-7 How Compliance Score of a Compliance Standard-Target Is Calculated



Compliance Framework Compliance Score

The compliance framework score is calculated as the weighted average of the compliance scores of every standard-target association within the compliance framework hierarchy. The weight is the importance of the compliance standard.

Parent Node Compliance Score

The compliance score of a hierarchy node/parent node is calculated as shown below. Compliance standards are hierarchical, thus the top node in the tree is known as the parent node.

Figure 23-8 Compliance Score of Parent Node

In Figure 23-8:
  • i represents the number of children
  • S is the score of the child node
  • I is the importance of the child node
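The following is an added example, not Oracle's code, that works the score calculations above through with constructed numbers: the rule-target formula with the ranges of Table 23-1, the importance-weighted rollup of rule-target scores into a standard-target score, and the same rollup applied one level up for a parent node (the legend of Figure 23-8 and the framework score description both describe an importance-weighted average, and the example assumes the parent-node formula is that average). It also reflects the Manage Violations section: a suppressed violation stays on the list but is left out of the score. The numeric weights 3/2/1 for High/Normal/Low importance are an assumption, since the page gives importance only as names, and the rule names and counts are constructed.

```python
# Added example (not Oracle's code): the compliance score arithmetic this
# page describes. Table 23-1 is copied from the page; the importance weights
# and the sample figures are assumptions made for illustration.
from typing import Dict, List, Tuple

# (lorange, hirange) per (importance, severity), from Table 23-1.
SCORE_RANGES: Dict[Tuple[str, str], Tuple[int, int]] = {
    ("High", "Critical"): (0, 25),
    ("High", "Warning"): (66, 75),
    ("High", "Minor Warning"): (95, 96),
    ("Normal", "Critical"): (26, 50),
    ("Normal", "Warning"): (76, 85),
    ("Normal", "Minor Warning"): (97, 98),
    ("Low", "Critical"): (51, 75),
    ("Low", "Warning"): (86, 95),
    ("Low", "Minor Warning"): (99, 99),
}

# Assumed weights: the page only gives the importance levels by name.
IMPORTANCE_WEIGHT: Dict[str, int] = {"High": 3, "Normal": 2, "Low": 1}


def rule_target_score(importance: str, severity: str, violations: int,
                      rows_evaluated: int, suppressed: int = 0) -> float:
    """score = hirange - (hirange - lorange) * (violations / rows evaluated).
    Suppressed violations remain listed but are excluded from the count."""
    lorange, hirange = SCORE_RANGES[(importance, severity)]
    if rows_evaluated <= 0:
        raise ValueError("the formula is undefined when no rows were evaluated")
    counted = max(violations - suppressed, 0)
    return hirange - (hirange - lorange) * (counted / rows_evaluated)


def weighted_score(children: List[Tuple[str, float]]) -> float:
    """Sum(score_i * importance_i) / Sum(importance_i), the rollup the page
    applies at every level: rule-target scores into a standard-target score,
    standard scores into a framework score, child nodes into a parent node."""
    if not children:
        raise ValueError("no children to roll up")
    numerator = sum(IMPORTANCE_WEIGHT[imp] * score for imp, score in children)
    denominator = sum(IMPORTANCE_WEIGHT[imp] for imp, _ in children)
    return numerator / denominator


def worked_example() -> Dict[str, float]:
    """Constructed figures for one host evaluated against two rules."""
    # Hypothetical Secure Ports rule: High importance, Critical severity,
    # 2 of 10 collected port rows violate, and 1 of the 2 is suppressed.
    secure_ports = rule_target_score("High", "Critical", violations=2,
                                     rows_evaluated=10, suppressed=1)
    # A Low-importance Warning rule with no violations sits at its hirange.
    banner_rule = rule_target_score("Low", "Warning", violations=0, rows_evaluated=4)
    # Standard-target score: importance-weighted average of the rule-target scores.
    standard = weighted_score([("High", secure_ports), ("Low", banner_rule)])
    # Parent node holding this standard (High) and another standard scoring 80 (Normal).
    parent = weighted_score([("High", standard), ("Normal", 80.0)])
    return {"secure_ports": secure_ports, "banner_rule": banner_rule,
            "standard": standard, "parent": parent}


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name:13s} {value:7.3f}%")
```

Note how a single High-importance Critical rule pulls the standard score down to about 40% even though the other rule is at 95%: the score range of the most severe rule, not the raw violation count, dominates the result, which is why the page stresses triaging Critical violations first.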

Evaluate Compliance with Oracle Enterprise Manager

Managing compliance offers new features for Oracle Enterprise Manager 13c Release 4 Update 5 (13.4.0.5) users.

About the Compliance Dashboard

The Compliance Dashboard lets you access and manage your infrastructure's compliance from a single page.

The dashboard contains the following sections:

Figure 23-9 Compliance Dashboard with Engineered Systems Tab

Starting with Enterprise Manager 13c Release 5 Update 3 (13.5.0.3) the Compliance Dashboard features a new Engineered Systems tab, detailing information for AHF EXAchk compliance management of Exadata Engineered Systems targets, violations and reports. For more information on AHF EXAchk Compliance Standards see: AHF EXACHK Compliance Standards in Oracle Enterprise Manager Cloud Control Oracle Compliance Standards Reference.

Filters

The filter ribbon located at the top of the Compliance Dashboard allows you to filter by:
  • Target Type: Filters by the type of monitored target in Enterprise Manager.
  • Severity: Filters by the severity of the violation: Critical, Warning, or Minor Warning.
  • Properties: A set of values that are defined within the monitored target metadata, for example:
    • Contact
    • Downtime Contact
    • Cost Center
    • Department
    • Line of Business
    • Location
    • Site
    • Life Cycle
The filter ribbon shows all currently applied filters; you can remove a filter by closing it in the ribbon. To apply new filters, click the Filter icon on the right-hand side of the ribbon.

Note:

All widgets are filtered in real-time when filtering by target type, severity and properties.

Targets Evaluated

This widget shows all targets evaluated with the selected filters. Clicking the number will change the Compliance Summary to filter by the selected target type.

Violations and Errors

The Violations and Errors widget shows how your infrastructure compares to a compliance standard or framework regarding violations. Clicking a violation severity will filter the dashboard by severity. Clicking the error number will take you to the Compliance Standards Errors page.

To learn more about Compliance Standard Errors, see Manage Violations.

Open Security Incidents

The Open Security Incidents widget shows pending security incidents that require your attention. The incidents are sorted by severity and clicking the number will take you to Incident Manager where you can monitor and resolve service disruptions.

To learn more about Incident Manager, see Using Incident Manager in Enterprise Manager Cloud Control Administrator's Guide.

Compliance Standard Score Distribution

The Compliance Standard Score Distribution graph filters your infrastructure by the selected target type and severity and sorts them by Compliance Score.

Compliance Violations By Target Type

This graph presents the number of compliance violations sorted by target type and severity. Clicking any bar will filter the Dashboard by the selected target type and severity.

Compliance Summary

The Compliance Summary widget shows how your infrastructure compares to compliance frameworks and standards selected while evaluating compliance. Clicking a Violation number for any target will open a modal with all violations of that type (critical, warning, minor warning) in a single page. These violations can be expanded to display the description of the violation, last evaluation date, rule name, remedy, and rationale.

Figure 23-10 Compliance Summary

This is a compliance summary screenshot for critical violations.

Compliance Evaluation Report

With the Compliance Evaluation Report you can access a full report of all violations for each target, for a particular standard, or for multiple targets or for multiple standards directly from the Compliance Dashboard. Follow these steps to obtain the reports:
  1. On the Compliance Dashboard, navigate to the Standards or Targets tabs.
  2. Drill down into any of the rolled-up Evaluations or Violations information (indicated by a number) that you wish to review.
  3. Click the Report link under the Average Compliance Score (%) column.
  4. A new pop-up appears; click Report to view the Compliance Evaluation Report. This report provides a summary of the compliance findings as well as details on the standard(s) and rule(s) that are in violation and suggestions to resolve these violations.

Note:

This report can also be saved as a single HTML file, with embedded images, for easy sharing within your organization. Depending on the browser you use, to save the report, right click the Report link and select Save Link As.

Figure 23-11 Compliance Evaluation Report

Sample image of the Compliance Evaluation Report

DBSAT Reports

To generate these reports, Enterprise Manager uses additional enhanced Oracle Database Security Assessment Tool (DBSAT) rules. There are two available DBSAT reports: the Security Assessment Report and the Sensitive Data Assessment Report. For more information on the Oracle DBSAT Compliance Standard, see Oracle DBSAT Compliance Standard in Oracle Enterprise Manager Cloud Control Oracle Compliance Standards Reference.

Note:

Oracle Enterprise Manager 13 Release 5 Update 11 (13.5.0.11) is required to use the Sensitive Data Assessment Report.
To access these reports on the Compliance Dashboard:
  1. Navigate to the Standards tab and locate the evaluation for which you want to view the DBSAT report.
  2. In the Compliance Dashboard, scroll down to the Compliance Summary and select either the Standards or Targets tab.
  3. Click the number below Compliant Targets or Non-Compliant Targets.
  4. A new pop-up appears; click DBSAT Report.
  5. In the DBSAT Report pop-up there are two report options, Security Assessment Report and Sensitive Data Assessment Report; click the report of your choosing. These reports provide a summary of the DBSAT compliance findings as well as details on the standard(s) and rule(s) that are in violation and suggestions to resolve these violations.

DBSAT Report Options

Note:

This report can also be saved as a single HTML file, with embedded images, for easy sharing within your organization. Depending on the browser you use, to save the report, right click the Report link and select Save Link As.

Figure 23-12 Oracle Database Security Assessment Report

Report detailing DBSAT compliance violations

Figure 23-13 Oracle Database Sensitive Data Assessment

Oracle Database Sensitive Data Assessment report details