I was talking with a customer today, and discussing the problems of tracking security compliance for all of their systems across the OS, middleware and database tiers. I mentioned that Enterprise Manager could do this, and was met with surprise because “Enterprise Manager is JUST a DATABASE tool!”
Well, maybe back in the old days it was, but a lot has changed over the years. Enterprise Manager 13c does more than just databases!
Following is a quick rundown on how you can do this in Enterprise Manager 13c using the Compliance functionality.
Before you can pull a report, you need to first associate standards to a target. In this example I will use a host target, but the process is basically the same for any target type.
First, let's navigate to the target home; in this case I will use the OEM host itself. Next, in the Host drop-down, select Compliance –> Standard Associations.
Now you can view any existing associations. In this case we have already added the “ORAchk Best Practices For Host” standard to the system.
Next click on “Edit Association Settings”; this is where we can enable, disable, add and remove compliance standards. In this case, let’s add a new standard, so click on Add.
You will now see a list of Compliance Standards that are installed. You can download new standards via the
Use the CTRL key to select the standards you wish to monitor the server with, and then click OK.
Next you should see the summary; you will need to click OK to associate the standards to the server.
Next click Yes to save the associations.
A job will get submitted, and you can click through the next OK to see the status of what Standards are successfully transferred.
Here, the highlighted ones are processed; depending on your system and the standards selected, this process can take up to 30 minutes.
To pull a report, from the target menu select Compliance –> Results.
You should now see the scorecard for the target.
Each Compliance Standard will be listed, with the violation counts per standard and per severity. There are three severities: Critical, Warning and Minor Warning.
You can click through the count to take you to the details, like this; that even includes the patch required to resolve the issue!
Now that you know how to do this, you can track compliance a lot more easily than by manually checking every system. If the standard is not available from Oracle, you can even create your own custom standard; more on that later.
Good find, Erik! Thanks for sharing. Are you going to do a follow-up on customizing your own standards?