Em12c Compliance Part1 2152830

1
Copyright 2014, Oracle and/or its affiliates. All rights reserved.
Overview
Enterprise Manager 12c

Compliance Management
Part 1
Custom Compliance Methodology
Operational Aspects of Compliance
Compliance Related Roles and Privileges
Understanding Compliance Score Calculation
Understanding Compliance Results
Compliance Overview
Agenda
and recommendations.
Reusable and customizable compliance standards that map to Oracle best practices
Oracle Provided Content
with respect to best practices.
Advises how to change configurations to bring targets and systems into compliance
Notification on deviation from standard or change event.
Remediation
where configuration changes or unauthorized actions are happening.
Real-time monitoring of a target's files, processes, and users to let users know
are exposed to configuration-related vulnerabilities.
Automatically determine if targets have valid configuration settings and whether they
Auditing
Solution Overview
Compliance Framework
Real Time Facet

Group of related entities
Files, Processes or Users
Compliance Rule
Discreet Check or Test
Specific to Target Type
Compliance Standard
Group of Compliance Rules
Specific to Single Target Type
Compliance Framework
Group Compliance Standards
different Target Types
DBAs, Admins,
IT Managers
Compliance Manager,
Security Auditors
Real Time Facets
Compliance Rules
Compliance Standards
Compliance Frameworks
Reusable Compliance Hierarchy
Specific to Fusion Middleware
Weblogic Signature Rules
automated correlation against Change

Management
Detection of unauthorized changes through
Schema Actions ( Select, Update)
Process Actions ( Start, Stop )
File Actions ( Read, Write, Perm Change, etc)
Detection of real time activities including
Real-time Compliance Standard
Query Builder browser to aid in rule creation
Validated when target configuration changes
Evaluated against repository data
Repository Compliance Standard
3.
2.
1.
Maintain Compliance Three Options
Weblogic Health
Check scripts
executed by EM
Agent
Capture Changes
in Real Time using
EM Agent
Validate Collected
Configuration in
EM Repository
Configuration Best Practices for Pluggable Database
Basic Security Configuration for Pluggable Database

Storage Best Practices for Oracle Database
Configuration Best Practices for Oracle Database
Basic Security Configuration for Oracle Database
High Security Configuration for Oracle Database
Patchable Configuration for Oracle Database
Storage Best Practices for Oracle Database
Support Policy for Oracle Database
Support Policy for RAC Database
Storage Best Practices for Oracle RAC Database
Patchable Configuration for RAC Database
Configuration Best Practices for Oracle RAC Database
Certification for RAC Database
High Security Configuration for Oracle Cluster Database

Instance
Basic Security Configuration for Oracle Cluster Database

Instance
300+ Individual Compliance Rules
High Security Configuration for Oracle Listener
Basic Security Configuration for Oracle Listener
Listener
Cluster Database
Certification for Oracle Database
Single Instance Database Instance ( and RAC Instance )
Storage Best Practices for Pluggable Database
Pluggable Database ( NEW )
EM 12c Configuration Management

Oracle Provided DB Compliance Content
Description of all security standards and rules
Explains how to use Database security standards
Reference Documentation
Database Security Compliance Standards
Understanding Compliance
Results
10
Gauges - Current and Lowest Score in Last Week

Target and Violation Counts per Fwk/Std
Newly Discovered Unmanaged hosts may be risk

Least Compliant Target shows where to start remediation
Compliance Dashboard Single Pane Status
11
Select Standard and click

Show Details for additional
information.
Results by Framework, Standard and Target
Compliance Results
Number of
targets evaluating
Critical, Warning
and Compliant
Number of
violations at
Critical,
Warning and
Minor Warning
12
Targets by
Severity
Icon indicates
Rule with
violations
Rule
Evaluations
by Severity
Summary By Target or Rule
Compliance Standard Result Details
13
Trend Overview by Day, Week or Month
14
What caused
the violation
When did it
occur?
Violation
Details.
Offending
target.
Violation Events Actionable Details

Violation
message with
context
How to fix it.
15
Integrated MOS Knowledge base search
Knowledge
search results
Pre-populated Knowledge Search

Criteria
16
actions taken to address the violation
Users can update event to inform others of
Each violation generates an event.
Event Updates
17
Understanding Compliance
Score Calculation
18
standard.
Score of 100% indicates a target fully complies with the compliance
Score is in the range of 0% to 100% inclusive.
reflect the degree of the target's conformance with respect to that

standard.
A target's compliance score for a compliance standard is used to
Compliance Scores
19
added to Framework/Standard
Importance is set when Standard/Rule
creation
Severity is set during Standard/Rule
importance and severity which together

determine its impact on score
Rules and Standards have an
average of all contained Standards.
A Frameworks score is a weighted
average of the results of all contained

rules
A Standards score is a weighted
Compliance Scores
Importance is
determined by
rule consumer.
Severity
determined by
rule author.
20
26-50
51-75
Normal
Low
86-95
76-85
66-75
Warning Severity (lo-hi)
Aggregate standard scores to find compliance framework score
3.
99-99
97-98
95-96
Minor Warning Severity (lo-hi)
Aggregate rule scores to find compliance standard score
hirange (hirange lorange ) * ( number of violations / number of rows evaluated )
Formula for single rule-target score:
0-25
High
2.
Critical Severity (lo-hi)
Use the following chart to find hirange and lorange for a rule
Importance
1.
Determine score for each target-rule combination in the standard.
2.
1.
Process Overview
Compliance Score Calculation
21
Note : If NO evaluations have violation, score is set to 100%
75 (75-51) * (16 / 16 )
75 (24) = 51
hirange (hirange lorange ) * ( number of violations / number of rows evaluated )
Substitute numbers from chart and violation into:
Example :
Rule (Security Recommendations ) has Severity Critical and
Importance Low
Rule-Target has 16 evaluations ALL of which are violations
Compliance Standard Rule-Target

Critical Severity
(lo-hi)
0-25
26-50
51-75
Importance
High
Normal
Low
86-95
76-85
66-75
Warning
Severity (lo-hi)
Compliance Score Calculation Example
99-99
97-98
95-96
Minor Warning
Severity (lo-hi)
Rule2
Rule3
22
(S1 x i1) + (S2 x i2) + (S3 x i3)

-------------------------------------(i1 + i2 + i3 )
Compliance Score of Compliance Standard-Target
Rule1
CS
Values
3
2
1
Importance
High
Normal
Low
CS Compliance Score
Rule Compliance Standard Rule. There are 3 rules: Rule1, Rule2 and Rule3
I1: importance for Rule1
S1: compliance score for rule1-target
Compliance Standard -Target
Compliance Score Calculation Step 2
iCS2
CS2
23
(ST1 x iCS1) + (ST2 x iCS2) + (ST3 x iCS3)

-------------------------------------------------------(iCS1 + iCS2 + iCS3 )
Compliance Score of Compliance Framework
iCS1
CS1
CF
Values
3
2
1
Importance
High
Normal
Low
CF Compliance Framework
CS1: compliance score 1
CS2: compliance score 2
iCS1: importance for CS1
ST1: compliance score for CS1-t1
Compliance Framework -Target
Compliance Score Calculation Step 3
Warning = 61-80
Compliant = 81-100
24
Target Type Settings
Change thresholds using Override
Critical = 0-60
Default Thresholds
its own thresholds for Compliant

Warning and Critical
Each Compliance Standard can have
Understanding and Changing
Compliance Score Thresholds
Since Warning
is 80, the score
of 87 shows
Compliant for
this single
target
25
Select Rule in navigator
Click Add and enter Exception
Click OK.
2.
3.
4.
Select Standard and Click Override

Target Type
1.
To add Global exception:
Custom rules
Can be used for Oracle provided or
for a individual target
Exceptions can be added globally or
Global Exceptions
2.
3.
User SYSMAN
will no longer
generate a
violation for this
rule on ANY
target.
Compliance Results Adding Exceptions

1.
26
Select target and click Edit
Select Rule in Navigator
Click Add and enter Exception
Click OK.
2.
3.
4.
5.
Select Standard and Associate

Targets
1.
To add Target Instance exception:
single target only.
Target Instance exceptions are for a
Target Instance Exceptions
3.
2.
4.
1.
User SYSMAN
will no longer
generate a
violation for this
target ONLY.
Compliance Results Adding Exceptions
27
Compliance Related
Roles and Privileges
28
administrator or owner of
any target.
Not necessarily an
software ( DB, Weblogic)
Typically SME for a specific
and Facets
Creates Standards, Rules
Compliance Designer
administrator or owner of
any target.
Typically not an
across datacenter
Needs compliance visibility
Standards developed by
Designer
Creates Frameworks using
Compliance Officer
results of their targets
Acts upon compliance
owner of targets.
Typically an administrator or
Standards created by
Designer
Associates targets to
DBA, Administrator
Three Primary Compliance Roles
Using this role you can view compliance framework definitions and results.
Description
Allows you to create compliance standards, compliance standard rules, and Real-time
Monitoring facets
Allows you to edit and delete compliance standards and compliance standard rules
Allows you to view compliance framework definition and results
Description
Ability to associate compliance standard to the target
View the compliance results of a target
EM_COMPLIANCE_OFFICER
Resource Type Privileges
Create Compliance Entity
Full any Compliance Entity
View any Compliance Framework
Target Type Privileges
Manage Target Compliance
View
Using this role you can create, modify, and delete compliance standards, compliance
standard rules, and Real-time Monitoring facets.
EM_COMPLIANCE_DESIGNER
29
Description
Role
EM Compliance Roles and Privileges
30
CREATE_COMPLIANCE_ENTITY privilege
VIEW_ANY_COMPLIANCE_FWK privilege
FULL_ANY_COMPLIANCE_ENTITY privilege
VIEW_ANY_COMPLIANCE_FWK privilege
EM_COMPLIANCE_DESIGNER role
EM_COMPLIANCE_OFFICER role
MANAGE_TARGET_COMPLIANCE privilege
EM_COMPLIANCE_OFFICER role
Create compliance framework
Edit and delete compliance framework
Create, edit, and delete compliance framework
Associate a compliance standard to a target
Import or export a compliance framework
Create a real-time monitoring rule
Create a real-time monitoring facet
Privileges and Roles Required
Task
Compliance Tasks and Required Privs/Roles
31
Operational Aspects of
Compliance
Availability Job
Status
Events
Target Down
Compliance Other
events:
Standard
Violations
Application Applications
Servers
Hosts/VMs Databases
Enterprise Manager
Metric
Alerts
Events
32
Space
Determine significant events and

combine related events
Performance
Incidents
EM Administrator
Manage by Incidents
Significant events
Combination of events related to the same issue
(e.g. events raised from database, host, storage
indicating lack of space)
Centralized incident management console
View, manage, diagnose and resolve incidents
from one location
Support for incident lifecycle operations
Assign, acknowledge, prioritize, track status,
escalate, suppress
Notify and open helpdesk ticket
Integrated Oracle expertise
Access to My Oracle Support (MOS) knowledge
base
Accelerates incident and problem diagnosis and
resolution
Compliance - Incident Manager Integration
33
score drops below threshold
Generated when standard
Violation
Compliance Standard Score
Generated for each violation
Violation
Compliance Standard Rule
Events Available:
notification.
Use Incident Rule Set to configure
Notification using Incident Manager
Proactive Compliance
34
Associate
(management settings)
Template
Collection
Set Lifecycle Status = Production

to join PROD group
(Lifecycle Status
=Production)
Administration
Group PROD
Automated monitoring setup

When adding new target, set its properties
Enterprise Manager adds it to group, autoapplies management settings
Template Collections
Set of management settings (monitoring
templates, compliance standards, cloud
policies)
Associated with administration groups
Administration Groups
Auto-deploys management settings to targets
when they join the group
Defined by membership criteria
Administration Groups and Template Collections
35
FINANCE
HCM
SALES
PRODUCTION
FINANCE
NonPROD
HCM
SALES
Line of
Business
Lifecycle
Status
TARGETS
One administration group hierarchy per Enterprise Manager site
Membership criteria:
Lifecycle Status =
Production AND
Line of Business =
Finance
Membership criteria:
Lifecycle Status =
Production
ALL TARGETS in
Admin Group
Administration Group Hierarchy
36
bundles Compliance
Standards.
Plugin may or may not
Type Type Specific
Plug-in
Frameworks
New or updated
Any Target type
Self Update
Self-Update and Plugins
Updating Content
37
decommissioned.
Reports will remain until IP is
Non-configurable.
Legacy Reports ( 7 )
Information Publisher Reports
Compliance Reporting
38
future releases.
Look for more reports in
Email delivery
Scheduled
Output format
Scope
Configurable
Existing Reports ( 3 )
Business Intelligence Reports
Compliance Reporting
39
Custom Compliance
Methodology
40
Security Recommendations/Best Practices
> 30 Compliance Standards
>1700 Compliance Rules
Rich Out of the box content:
Start with Oracle provided
YES!
Can I create a customize Compliance Standard?
Custom Compliance Standards
Corporate
DB Standard
41
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Automating Compliance Reporting with Enterprise Manager
Add Compliance
Rule to Compliance
Standard
42
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
43
find match to your check
Review Descriptions and Rationale to
Put keywords in Description
Set Applicable to: Target Type
Use Search to filter
Go to : Enterprise->Compliance->Library
Check Compliance Library
Compliance Rule Exists?

Yes
No
Yes
Required Data Collected?
No
Create Custom Compliance

Rule
Extend Target using

Configuration Extension
Add Compliance Rule to

Compliance Standard
44
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
45
property names
If found, make note of folder and
Click each folder to see data
Configuration -> Last Collected
Go to : <Target Home> ->
Check Default Collection

Yes
No
Yes
No

Rule
Extend Target using


Compliance Standard
46
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
47
Choose a parser that matches data format
SQL Query
OS Command Output
Entire File
Multiple Collection Methods:
Extend ANY target
>Configuration Extension
Go to Enterprise->Configuration-
Configuration Extension (CE )
Extend Target Collection

Yes
No
Yes
No

Rule
Extend Target using


Compliance Standard
48
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
49
Keywords
Recommendation
Rationale
Description
user to understand and take action
Add details to be seen in Violation for
Go to Enterprise->Compliance->Library
Add to Compliance Library
Create Custom Rule

Yes
No
Yes
No

Rule
Extend Target using


Compliance Standard
50
No more manual SQL Entry
Leverages Configuration Search
for you!
Use SQL Modeler to write the SQL
Add to Compliance Library
Create Custom Rule

Yes
No
Yes
No

Rule
Extend Target using


Compliance Standard
51
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
52
Organize Rules in folder hierarchy
Standards ( Low, Normal, High )
Set Importance in context of
Standard
Create New or Add to existing
Customize Compliance
Standards
Add Rule to Standard

Yes
No
Yes
No

Rule
Extend Target using


Compliance Standard
53
Real Time Compliance

Monitoring
54
Linux, Solaris, AIX, Windows
Which platforms are supported?
Key attributes captured include user ID, process ID and time of action
What is captured?
Each item has unique actions that can be monitored (detailed later)
Files, processes, users, database changes, windows objects
What can be monitored?
Proactive monitoring of critical components (tnsnames.ora)
Audit adherence to change management processes
Primary Use Cases
Real Time Compliance Monitoring Overview
55
Define Facet ( What to monitor )
Define Rule ( How to Monitor items in Facet )
Define/Add rule to Standard
Associate Standard to Targets
4.
5.
6.
7.
Set Real Time Monitoring Credentials
3.
http://docs.oracle.com/cd/E24628_01/em.121/e27046/install_realtime_ccc.htm#autoId7
Configure Privilege Delegation ( Sudo/PBRun )
a)
Ensure Operating System or DB specific pre-requisites met
2.
1.
Real Time Compliance Monitoring Setup
56
Telnet Login
SSH Login
SU Login
Sudo
RDP Login
Console Login
FTP Login
Content Modified
Delete
Rename
Create
Permission Change
Ownership Change
Read
Users
Files
Linux, Solaris, AIX
Monitored Events
Stop
Start
Processes
57
Computer Attrib Modify
Group
Attribute
Modify
Group Delete
Member
Delete
User Attrib
Modify
Create Value
Computer Delete
Group Create
Delete Value
User Delete
Delete Key
Computer Create
AD Groups
Member Add
User Create
Create Key
AD Computers
Modify Value
AD Users
Registry
Windows
Monitored Events
58

Insert
Select
Update
Delete
Create
Drop
Truncate
Alter
Comment
Rename
Lock
Grant
Revoke
Audit
NOAUDIT
Flashback
Views
Tables
Action
Materialized Views
Monitored Events Oracle Database
59

NOAUDIT
usage
Truncate
Execute
Audit
Revoke
Analyze
Alter
Grant
Drop
Function
Create
Procedure
Select
Sequence
Index
Action
Package
Library
Trigger
Tablespace
Cluster
Link
Dimension
60

Create
Drop
Alter

Audit
NOAUDIT
usage
Logoff
Login
Truncate
Execute
Role/System
User
Role
Revoke
Type
Role/System
Synonym
Public Synonym
Grant
Select
Analyze
Public Link
Profile
Action
61
Entity
Define inclusion and exclusion
patterns in single facet
Select files from existing target
by Browsing
Specific to Target type and
Determines WHAT to monitor
Real-Time Compliance Monitoring Facets
62
Entity
Choose Facet to define
WHAT to monitor
Specific to Target type and
Determines HOW to monitor
Real-Time Compliance Monitoring Rules
63
( for notification and mgmt )

Automatic Authorization
Requires Change Request
Management Connector
Remedy only supported CMS
Choose to generate an event
Authorized = Positive effect
Unauthorized = Negative effect
compliance score
Unaudited = No Effect on
Manually Authorization
Determine the default status of
observations which effect
compliance scoring.
Real-Time Compliance Monitoring

Authorization Options
64

Em12c Compliance Part1 2152830

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Em12c Compliance Part1 2152830

Transféré par

Droits d'auteur :

Formats disponibles

1

Copyright 2014, Oracle and/or its affiliates. All rights reserved.

Copyright 2014, Oracle and/or its affiliates. All rights reserved.

Enterprise Manager 12c

Copyright 2014, Oracle and/or its affiliates. All rights reserved.

Custom Compliance Methodology

Operational Aspects of Compliance

Compliance Related Roles and Privileges

Understanding Compliance Score Calculation

Understanding Compliance Results

Copyright 2014, Oracle and/or its affiliates. All rights reserved.

Oracle Provided Content

with respect to best practices.

Notification on deviation from standard or change event.

where configuration changes or unauthorized actions are happening.

are exposed to configuration-related vulnerabilities.

Copyright 2014, Oracle and/or its affiliates. All rights reserved.

Real Time Facet

Real Time Facets

Reusable Compliance Hierarchy

Specific to Fusion Middleware

Weblogic Signature Rules

automated correlation against Change

Detection of unauthorized changes through

Schema Actions ( Select, Update)

Process Actions ( Start, Stop )

File Actions ( Read, Write, Perm Change, etc)

Detection of real time activities including

Real-time Compliance Standard

Query Builder browser to aid in rule creation

Validated when target configuration changes

Evaluated against repository data

Repository Compliance Standard

Copyright 2014, Oracle and/or its affiliates. All rights reserved.

Maintain Compliance Three Options

Configuration Best Practices for Pluggable Database

Basic Security Configuration for Pluggable Database

Storage Best Practices for Oracle Database

Configuration Best Practices for Oracle Database

Basic Security Configuration for Oracle Database

High Security Configuration for Oracle Database

Patchable Configuration for Oracle Database

Storage Best Practices for Oracle Database

Support Policy for Oracle Database

Support Policy for RAC Database

Storage Best Practices for Oracle RAC Database

Patchable Configuration for RAC Database

Configuration Best Practices for Oracle RAC Database

Certification for RAC Database

High Security Configuration for Oracle Cluster Database

Basic Security Configuration for Oracle Cluster Database

300+ Individual Compliance Rules

High Security Configuration for Oracle Listener

Basic Security Configuration for Oracle Listener

Certification for Oracle Database

Single Instance Database Instance ( and RAC Instance )

Storage Best Practices for Pluggable Database

Pluggable Database ( NEW )

Copyright 2014, Oracle and/or its affiliates. All rights reserved.

EM 12c Configuration Management

Copyright 2014, Oracle and/or its affiliates. All rights reserved.

Description of all security standards and rules

Explains how to use Database security standards

Database Security Compliance Standards