
Copyright 2014, Oracle and/or its affiliates. All rights reserved.

Enterprise Manager 12c
Compliance Management
Part 3

Custom Compliance Example using SQL Configuration Extension
(Example using Department of Defense STIG for Oracle DB)

Example Overview
SQL Based Configuration Extension and Check

• This example will use a real check from the Department of Defense Oracle Database 11g STIG (Security Technical Implementation Guide).
• The STIG provides the SQL to run, which we will use to build a custom compliance rule against.
• We will use STIG Check DG0008-ORACLE11.
  Check Description: Application objects should be owned by accounts authorized for ownership.
  Check Details: Check all dba_objects and ensure the owner is an approved application user.

Oracle DB 11g STIG Actual Documentation
Oracle 11g DB STIG Check DG0008-ORACLE11
Explanation of check.
Actual SQL Query to check for violation is given in the document.

Custom Compliance Methodology
Follow the flow for each custom validation.
[Flowchart: decisions "Compliance Rule Exists?" and "Required Data Collected?", each with Yes and No branches; actions "Extend Target Using Configuration Extension", "Create Custom Compliance Rule" and "Add Compliance Rule to Compliance Standard".]

Follow Custom Compliance Methodology

1. Following the standard methodology we first check if there is an Oracle provided rule that matches our needs.
   a) Answer = No
2. Next we check if the default configuration data of the DB contained the data we need to validate.
   a) Answer = No
3. So we must build a configuration extension first, deploy it to the targets and then create a custom rule using the newly collected data.
   Be sure to follow the Custom Configuration Setup steps later in this presentation to set up monitoring credentials BEFORE continuing (only if you are using EM Version <12.1.0.3).

Guidelines for Custom SQL based Configuration Extension used in Compliance

• Perform the actual check for violations ON the agent and only return results which ARE ONLY violations.
• Only return 1 column. If you want to see more than 1 item then concatenate them in the collection output.
  For example: select username||':'||profile from …
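
The two guidelines above, shown as an added example (not taken from the presentation or from the STIG document): the first query returns raw multi-column inventory, the second performs the check in the collection SQL and returns one concatenated column containing only violations. The account names in both lists are constructed placeholders.

```sql
-- Added illustration for a DG0008-style object-ownership check.
-- This is NOT the query text from the STIG document; the account names in
-- the lists below are constructed placeholders for a site's own lists.

-- Avoid: returns every owner/type pair in several columns, so the check
-- itself would still have to be done after collection.
SELECT owner, object_type, COUNT(*) AS object_count
FROM   dba_objects
GROUP  BY owner, object_type;

-- Prefer: the WHERE clause performs the check during collection, and the
-- result is a single column with one row per violation.
SELECT DISTINCT owner || ':' || object_type AS violation
FROM   dba_objects
WHERE  owner NOT IN ('SYS', 'SYSTEM')               -- constructed: accounts treated as Oracle-supplied
AND    owner NOT IN ('APP_OWNER_1', 'APP_OWNER_2')  -- constructed: approved application owners
ORDER  BY violation;
```

A query written this way returns no rows on a compliant target, which is why the rule built later in this walkthrough can use the condition 1=1 to treat every returned row as a violation.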

Start at the Configuration Extensions Page
Go to Enterprise->Configuration->Configuration Extensions

Create new Configuration Extension
Click Create

Enter basic Configuration Extension information
Enter Name. Select Target Type, Sample Target and Creds. Click Add.
Select Monitoring Database Credential which is the default monitoring credential using dbsnmp user. If you are using <12.1.0.3 select the Custom monitoring credentials you created following the appendix of this presentation.

Populate the SQL details
Enter SQL, Alias and select parser. Click Preview
Alias will be important later when creating compliance rule!
Copied verbatim from STIG document as only 1 column returned and only violations.

Ensure Results returned properly
1 Attribute with 1 Value
Click DG0008 to see results. Click OK.
Select Alias to see results.

Save Configuration Extension
Click Save

Deploy to Targets
Click Manage Deployments

Select Targets to deploy
Click Add

Choose only targets with Credentials configured
Select 1 or more targets. Click Select

Confirm selection and Save
Click Save

Wait for deployment
Click Refresh until Successfully Deployed

Check configuration of one of the targets
Go to the target's Last Collected page to see results.

View parsed configuration
Select Alias, verify results

We are now ready to create a custom compliance rule against the Configuration Extension.

Start at the Compliance Library
Go to Compliance->Library

Create a new Rule
Click Create on Compliance Standard Rules tab

Create a repository rule
Select Repository Rule and Click Continue

Add rule overview details
Enter basic rule information. Click Next.
Taken direct from STIG document.

Use the SQL Modeler!
Let EM help build the query. Click Model Query

Use the Target Model
Click Add Properties

Select the Parsed data.
Select all four Parsed Properties. Click OK.

View progress so far
Click Search
The Container and Attribute do not contain useful data for the violation context. We will choose not to display them therefore.
Notice the Alias specified in the Custom Configuration is the Data Source Name. We will use it to make sure we only get results of this single query.

Narrow the results
Narrow results using Data Source. Undisplay non-distinguishing columns. Search to verify. Then click OK

Add messages text
Add Compliant and Non-Compliant Messages. Click Next.
This hard coded text column is added to ensure you will have at least 1 non-key column which is required for compliance rules. We will hide it in next step.

Enter conditions
Select SQL Condition. Enter 1=1. Click Next.
Choose Value as Key column
Choose not to display info column
Select SQL Condition
Enter 1=1 which means ALL results are violations.

Choose a target
Select target selector.

Select target with custom configuration
Select Sample target and click Select.

Run Test
Click Run Test

Continue to see results
Click Close

Review and confirm violations
Review violations. Click Next.

Finish rule creation
Review. Click Finish.

Confirm creation
Rule Created.

Add a new Compliance standard
Click Create on Compliance Standard tab.

Enter basic information
Enter Compliance Details. Click Continue.

Enter Standard details
Enter Descriptions and select Production State.

Add rule to standard
Right Click Standard Name. Select Add Rules…

Add Custom Rule
Search for Rule. Select rule. Click OK.

Change Importance
Optionally, change Importance. Click Save.

Associate Targets
Select Compliance Standard. Click Associate Targets.

Add targets
Click Add

Select targets with Custom Configuration
Select Target. Click Select.

Confirm selection and continue
Click OK.

Confirm message
Click YES

View Results
View Results. Go to Compliance->Results

Find Standard and view details
Select Standard. Click Show Details.

Review standard summary page
View Summary

View Custom rule details
Select Rule. Select Violation Events Tab. Select a Violation to see details.

Note violation details
Violation details as will be seen in notifications and event.
Non-Compliant message from Rule
Expanded view of Details.
Important information like when violation detected, Notifications sent and Incident ID.
We could have entered a recommendation on how to address the violation in the rule which would show here.

Example End

Custom Compliance Setup when using Custom Configuration Collections

Setup for Compliance leveraging Custom Collections

• Custom Configurations use Monitoring Credentials
• File Based
  CAN use agent credentials IF files accessible to user
  If not, you must create custom monitoring credentials for target type
• SQL Based
  Default DB Monitoring Credentials not available in 12.1.0.1 or 12.1.0.2. 12.1.0.3 allows its use.
  Setup New SQL Monitoring Credentials ( for 12.1.0.1, 12.0.1.2 )
• Command
  Cannot use Agent credentials
  Setup New Host Monitoring Credentials

SQL Based Custom Configuration Setup

Use Custom Configuration to Create Monitoring Credentials

Enter any text for a name, select Database Instance target type, and click Create

Create Monitoring Credential Set
Enter a name for the Credential Set

Cancel Creation
Note: A Monitoring Credential of this name is now associated with every target of this type. We must now set the credential values for at least 1 sample target so we can use it during test.

Setup->Security->Monitoring Credentials
Choose the Target Type and select Manage Credentials

Select a sample target and new credentials set and click Set Credentials

Set Monitoring Credential Values for the target
Enter username and password then click Test and Save.
NOTE: Only NORMAL DB Role is currently supported.

Ensure Credential Test Successful
We can now create a SQL Configuration Extension using this Monitoring Credentials set and sample target.
