Security Compliance for the Enterprise

I was talking with a customer today, and discussing the problems of tracking security compliance for all of their systems, the OS, Middleware and database tiers. I mentioned that Enterprise Manager could do this, and was met with surprise because “Enterprise Manager is JUST a DATABASE tool!”

Well, maybe back in the old days it was, but a lot has changed over the years. Enterprise Manager 13c does more than just database!

Following is a quick rundown on how you can do this in Enterprise Manager 13c using the Compliance functionality.

Before you can pull a report, you need to first associate standards to a target. In this example I will use a host target, but the process is basically the same for any target type.

First, let's navigate to the target home; in this case I will use the OEM host itself. Next, in the Host drop-down, select Compliance –> Standard Associations.

Now you can view any existing associations. In this case we have already added the “ORAchk Best Practices For Host” standard to the system.

Next, click on “Edit Association Settings”. This is where we can enable, disable, add and remove compliance standards. In this case, let’s add a new standard, so click on Add.

You will now see a list of Compliance Standards that are installed. You can download new standards via the

 

Hold the CTRL key and select the standards you wish to monitor the server with, then click OK.

Next you should see the summary; click OK to associate the standards with the server.

Next, click Yes to save the associations.

A job will be submitted, and you can click through the next OK to see the status of which standards have been successfully transferred.

Here, the highlighted ones are processed. Depending on your system and the standards selected, this process can take up to 30 minutes.

To pull a report, from the target menu select Compliance -> Results.

You should now see the scorecard for the target.


Each Compliance Standard will be listed, with the violation counts per standard and per severity. There are three severities: Critical, Warning and Minor Warning.

You can click through the count to get to the details, which even include the patch required to resolve the issue!

Now that you know how to do this, you can track compliance a lot more easily than by manually checking every system. If the standard is not available from Oracle, you can even create your own custom standard; more on that later.

One Reply to “Security Compliance for the Enterprise”

  1. Good find, Erik! Thanks for sharing. Are you going to do a follow-up on customizing your own standards?
