In Enterprise Manager 12c, using the compliance standard results might be a good solution for DBA’s to detect security incoherences (for example a lambda user who has the sysdba role …) for their various targets.
From the 18.104.22.168 version, a new column named ‘Required Data Available’ appeared in the Compliance Standard Result screen. This column defines if the data for the compliance evaluation rules for each target are in the repository or not.
If the value is ‘YES’, it means that the data necessary for the compliance rule has been collected. If the value is ‘NO’, it means that nothing has been collected nor evaluated. Thus we can consider that for this target the compliance rule is not OK.
Let’s have a look on my EM12c configuration. I added the OMSREP database in order to apply on the target the High Security Configuration for Oracle Database. Apparently everything is fine, except the required data available:
The requested configuration data is not available, and we do not have any violations available for this target’s security compliance.
EM 12c provides many compliance standards for various targets, in our case High Security Configuration for Oracle Database. But by default the configuration is not collected. We can notice that when we associate a target to a compliance standard, we receive the following message:
We have to enable those collections by applying an Oracle Certified Template to the target, in our case it will be Oracle Certified – Enable Database Security Configuration Metrics, because those configuration metrics are not enabled by default in order not to overload the OMR (Oracle Management Repository):
You choose the Oracle Certified Database Security Configuration Metrics, you select Apply, you select your target database, and then select OK:
Now the target has its collections enabled.
At the beginning of our test we did not have any schedule about oracle security. Using emctl staus agent scheduler combined with a grep on the instance name and another grep with the metric collection gived no result:
oracle@em12c:> emctl status agent scheduler | grep OMSREP | grep oracle_security oracle@em12c:>
Now the collection for the certified template has been applied, but we have to start the schedule:
oracle@em12c:> emctl startschedule agent -type oracle_database Oracle Enterprise Manager Cloud Control 12c Release 5 Copyright (c) 1996, 2015 Oracle Corporation. All rights reserved. Start Schedule TargetType succeeded
And the agent status agent scheduler command shows the oracle_security collections and their scheduled time:
oracle@em12c:>emctl status agent scheduler | grep OMSREP | grep oracle_security 2015-11-23 10:33:59.854 : oracle_database:OMSREP:oracle_security_inst2 2015-11-23 10:34:50.068 : oracle_database:OMSREP:oracle_security
We can run a collection from the agent12c with emctl:
oracle@em12c:>emctl control agent runCollection OMSREP:oracle_database oracle_security Oracle Enterprise Manager Cloud Control 12c Release 5 Copyright (c) 1996, 2015 Oracle Corporation. All rights reserved. --------------------------------------------------------------- EMD runCollection completed successfully
Finally now we can visualize the violations and target evaluations:
If you use the compliance standard, be careful with the column ‘Required Data Available’, you won’t be sure you will have correct compliance results. Don’t forget that some configuration metrics are not enabled by default.