1 Introduction

1.1 Compliance Overview

The compliance framework in Enterprise Manager 12c is hierarchical in nature allowing for ease of management and reuse. Starting from the top level, the hierarchy contains Compliance Frameworks, Compliance Standards, and Compliance Rules. Compliance Frameworks aggregate the compliance scores of Compliance Standards which may be for different target types. Compliance Standards contain one or more Compliance Rules but are specific to a single target type. Compliance Rules are responsible for executing a single and specific validation of a target and reporting conformance.

Compliance Standards are the only item associated to a target. Once associated, all rules contained in the compliance standard are executed against the data in the Enterprise Manager repository. The compliance score for each target and the standard as a whole is a computed result based on numerous factors including number of violations, the severity of the compliance rule with the violation, the importance given to the rule in the specific compliance standard, and more. For complete information on how Compliance scores are calculated please see the Enterprise Manager 12c - Lifecycle Management Administrator's Guide.

As of this writing, there are 23 database compliance standards provided with Oracle Enterprise Manager 12c. The breakdown of these is as follows:

1.2 Oracle Database Compliance Standards

For the Oracle Database and related targets, Enterprise Manager 12c ships with 16 ready-to-use compliance standards. Users can choose to implement some or all of these compliance standards which consist of more than 300 compliance rules. The following is a list of compliance standards by target type.

Oracle Single Instance Database Standards

• Basic Security Configuration for Oracle Database

• Configuration Best Practices for Oracle Database

• High Security Configuration for Oracle Database

• Patchable Configuration for Oracle Database

• Storage Best Practices for Oracle Database

Oracle Real Application Cluster Database Standards

• Basic Security Configuration for Oracle Cluster Database

• Configuration Best Practices for Oracle Real Application Cluster Database

• High Security Configuration for Oracle Cluster Database

• Patchable Configuration for Real Application Cluster Database

• Storage Best Practices for Oracle Real Application Cluster Database

• Basic Security Configuration for Oracle Cluster Database Instance

• High Security Configuration for Oracle Cluster Database Instance

Automatic Storage Management (ASM) Standards

• Storage Best Practices for ASM

• Patchable Configuration for ASM

Oracle Listener Standards

• Basic Security Configuration for Oracle Listener

• High Security Configuration for Oracle Listener

In order to leverage a security standard, you must apply the following templates first.

• To leverage any of the "Security" compliance standards, users must enable additional configuration collections for targets they wish to associate to these compliance standards. Oracle provides monitoring templates specifically to enable these additional collections for Database Instance (Standalone and Cluster Member), Cluster Database and Listener. Table 2 lists the Oracle Certified monitoring template that can be used to enable the required configuration collections necessary for use in the Security Standards. For complete information on how to use Monitoring templates see the Enterprise Manager 12c - Administrator's Guide.

Note: Monitoring Template and Compliance Standard names as of Bundle Patch 1 (February 2012).

You associate a target to a compliance standard using the Compliance Library page.

1. From the Enterprise menu, select Compliance, then select Library.

2. Select the Compliance Standard and click the Associate button.

3. Choose the target to add and click OK.

1.3 Viewing and Understanding Compliance Results

Once a Compliance Standard is associated to a specific target, the results can be seen almost immediately in the Compliance Results page. (From the Enterprise menu, select Compliance, then select Results.)

Results can be viewed by Compliance Framework, Compliance Standard, and Target. The Target Compliance tab shows the compliance score of a target across all compliance standards. This allows users to focus on their least compliant targets by sorting by the average score column. Likewise the Compliance Standard tab shows the results of each Compliance Standard currently being evaluated. Compliance Standards that do not have any targets associated with them do not show in the list. It is important to understand how to interpret the different columns of the evaluation results page.

Column descriptions follow.

Target Evaluations

The Target Evaluation column shows how many targets evaluated with a score being Critical (less than 60), Warning (between and including 60 and 80) or Compliant (greater than 80). These levels are default and can be changed at a per target basis during the association process.

Clicking on the number in a column will show the list of targets and their specific compliance score. Figure 1-3.

Violations

The Violations columns show the number of unique violations by compliance rule severity (Critical, Warning, or Minor Warning) across all evaluated targets. It is important to remember that the number of violations is not related to the number of compliance rules in the compliance standard. Each compliance rule may generate multiple violations for a target. For example, the Secure Ports rule checks for open well known ports on hosts like SMTP(25) and FTP(21).

If a single host has both of these ports open for example, it would generate 2 different violations. Clicking on a number in a column will show the number of violations per target. Figure 1-4.

To see details of the violations as well as historical trend information, click the Show Details button with a Compliance Standard highlighted.

The navigator on the left allows you to select different levels of the hierarchy of the Compliance Standard to see the score at that level in the tree. The detail section at the bottom of the page shows the results by target or by Compliance Standard rule. The summary tab at the top shows Target by Severity and Rule Evaluation results by severity.

Clicking the Trend Overview tab shows the historical compliance metrics which can each be changed to show date ranges of 1 day, 1 week, or 1 month.

When a rule having violations is selected in the navigator, a Violations Events tab displays. The table at the top shows summary information about each violation including target name and violation condition. By selecting a specific row in the table, a detailed section appears showing complete event details and guided resolution areas.

For every Oracle provided compliance rule contains information to assist users in understanding the rationale behind the validation as well as recommendations on how to correct the violation. In Figure 1-7, we can see the "Auditing of SYS Operations Enabled" rule has a violation event. We can see the category of this event is security related and exactly when it was reported. In addition we can see the recommendation to "Set AUDIT_SYS_OPERATIONS to TRUE" in the Guided resolution area.

From this point the user has many options to investigate the violation further or resolve the issue including:

• View My Oracle Support Knowledge base pertaining to this validations (assuming My Oracle Support (MOS) is in Online mode.)

• View the Topology of the target and related targets to perform dependency analysis.

• View recently detected configuration changes to see when the change may have been made causing the violation.

• Disable the rule for the target causing the violation in case it is determined this rule is not relevant to this target.

• Create an incident from this event to prevent escalation notifications and create a workflow to resolution.

• View any updates to the event by other users.

Once the underlying cause of the violation has been resolved, the next scheduled configuration collection will cause the automatic recalculation of the targets compliance score. If users want to force a collection sooner, they can select refresh from the targets Last Collected configuration page as shown in Figure 1-8.

1.4 Summary

Enterprise Manager 12c makes it easy for users to validate their databases against Oracle recommendations, best practices and security standards by providing ready to use Compliance Standards. DBAs and IT managers can easily track, manage, and report on the adherence of their managed databases to these standards in an automated and consistent manor.