Since 1998, the Defense Information Systems Agency (DISA) has played a key role in improving the security posture of Department of Defense (DoD) systems by publishing the Security Technical Implementation Guides (STIGs), a set of configuration standards for hardening DoD servers, networks, databases and other components. Tracking STIG compliance of mission-critical systems, such as databases, can be a time-consuming task for the DBA. Oracle Enterprise Manager 13c (EM13c) offers an automated way to track and report on compliance as part of the Lifecycle Management Pack. EM13c also lets you evaluate all systems against a single compliance standard, enabling enterprise-wide reporting. Setting this up is actually very easy to do once EM13c is installed and the database targets are discovered.
First navigate to the database target home page. In this case, the database is db12c.bubba.local. The first step is to associate the STIG compliance standard with the database target. Open the Oracle Database->Compliance->Standard Associations menu item, as seen below.
You should see the Target Association screen, where you click on "Edit Association Settings" to add the STIG check. This starts the process of linking a Compliance Standard to a target.
On this screen, click on "Add" to add a new compliance standard, then click on the Compliance Standard that you want to associate with the database. In this example, I am using the STIG Version 8 Release 1.11.
You should then see the Compliance Standard in the list for the target. Make sure this is the standard you want to add before clicking OK.
Next, click OK, and when prompted to save the association, do not forget to click "Yes".
The association is saved and the evaluation process starts automatically. Depending on the number of targets, this can take a few minutes.
When the evaluation has completed successfully, you can view the results for the target by selecting Oracle Database->Compliance->Results.
The results page shows data for all Compliance Standards assigned to the target. In this example there is only one standard associated, the STIG. You will see the Score, as well as the Target Evaluations and Violations summaries.
The Target Evaluations summary shows how many targets have Critical, Major and passing status. Since we are only looking at a single target, we see a single critical count.
The Violations summary shows how many rules of the standard are rated Critical, Major and Warning on the target. For this target, we have one critical violation.
You can click on the critical violation to drill down and see which rule is non-compliant.
You can do the same thing on the other violations, drilling down for more details.
There is more, though, as the value of EM13c is as an enterprise-wide tool. You can report on all targets by clicking on Enterprise->Compliance->Results.
This pulls up all Compliance Standards that EM13c is tracking, reporting on all targets. In this case, both the Database STIG and the Host Security recommendations are being tracked.
Click on a Compliance Standard to generate a dashboard view of that specific standard, in this case the STIG compliance for the database. This report can also be sent out automatically using the built-in BI Publisher engine, but that is a different blog post.
This should get you started with the EM13c compliance reporting engine and the STIGs. If you have any questions, please feel free to leave a note in the comment section.
Erik –
In the past I know we had to manually load the new STIG files once someone on the EM team generated them based on the updated DISA templates.
Is this still the case? I haven't seen the latest 12c RDBMS STIG template for upload to EM yet and could really use it (released by DISA ~20180128).
I know STIG templates can be updated via EM's plugins, and of course you don't have to wait for new versions; you can always make your own compliance templates.