How to automate STIG compliance checks for Oracle Database

Since 1998, Defense Information Systems Agency (DISA)  has played a key role in enhancing the security position of Department of Defense ( DoD)  systems, by providing the Security Technical Implementation Guide (STIG), which are a cybersecurity methodology for standardizing security within DoD servers, networks, database etc. with the goal to enhance overall security. Tracking STIG compliance of mission critical systems, like databases, can be a time consuming task for the DBA. Oracle Enterprise Manager 13c  (EM13c)  offers an automated way to track and report on compliance, as part of the Lifecycle management Pack. EM13c also allows you to track all systems against a single compliance standard, enabling enterprise wide reporting.  Setting this up is actually very easy to do, once EM13c is installed, and the database targets are discovered.

First navigate to the database target home page . In this case, the database is db12c.bubba.local. The first step is to associate the STIG compliance standard to the database target. Click on the Oracle Database->Compliance->Standard Associations menu open, as seen below

image

You should see the Target Association screen, where you will click on “Edit Association Settings” to add the STIG check.This will start the process to link a Compliance Standard to a target.

image

On this screen you will lick on “Add” to add as new compliance standard. The click on the Compliance Standard that you want to associate to the database. In this example, I am using the STIG Version 8 Release 1.11.

image

You should then see the Compliance Standard in the list for the target. Make sure this is the standard you want to add before clicking OK.

image

Nect clock OK, and when prompted to save the association, do not forget to click “yes”

image

The Association will save, and automatically start the evaluation process. Depending on the number of targets, this can take a few minutes.

image

When the transfer is successfully done, you can view the results for the target by selecting Oracle Database –> Compliance->Results

image

The results page will show data for all Compliance Standards assigned to the target.In this example there is only on standard associated, the STIG. You will see the Score, as well as the Target Evaluations and Violations summaries.

image

The Target Evaluations will show how many targets have Critical, Major and passing status. Since we are only looking at a single target, we will see the one critical count.

The Violations will who have many standard on the target are rated Critical, Major and Warning. For this Target, we have one critical violation.

image

You can click on critical Violation to drill down, to see what standard is non-complaint.

image

You can do the same thing on the other Violations, drilling down for more details.

image

There is more though, as the value of EM13c is as an Enterprise wide too. You can repot on all targets by clicking on Enterprise->Compliance_Results.

image

This will pull up all Compliance Standards that EM13c is tracking, reporting on all targets. In this case, both Database STIG and Host Security recommendations are being tracked.

image

Click on the Compliance Standard to generate a dashboard view of that specific standard. In this case the STIG compliance for database. This report can also be automatically sent out using the built-in BI Publisher engine, but that is a different BLOG post.

image

This should get you started with the EM13c compliance reporting engine and the STIGs. If you have any questions please feel free to leave a note in the comment section.

Leave a Reply

Your email address will not be published. Required fields are marked *

*