Infrastructure at your Service

David Hueber

ODA and CIS / GDPR features

We all know that security becomes…sorry, is one of the hottest topic when setting up IT environment. One basis for that is to be compliant with regulations or standards such as GDPR or CIS. What is not so well known, is that ODA already integrates some tool to support you for that.

During this first day @DOAG2018 I followed and interesting session from Tammy Bednar, Senior Director of Product Management for ODA, about ODA and Security.

Beside the traditional points about the integrated stack of ODA, SUDO configuration or the Oracle Database Security options, I also heard about nice scripts available on ODA since version 12.2.1.3 to check ODA compliance against CIS standards.

For reminder the CIS, Center for Internet Security, produces security guidelines for components such as Linux, databases and much more. As member of the CIS, dbi services proposes security audits based on these guidelines (https://www.dbi-services.com/offering/services/it-security-services/)

On ODA there is now, out of the box, a „small“ Python script, which allows to check the CIS „status“ on OS level for your ODA.

To do so you can simply go in /opt/oracle/oak/bin and run the script cis.py.

IMG_0181

Sorry, as I couldn‘t take my ODA with me in Nürnberg, I do have only a picture of the script so far ;-)

There are 2 good news when running this script on an brand new installed ODA.

  1. The ODA is out of the box already 41% CIS compliant, which is not bad at all
  2. The ODA is only 41% compliant with CIS, which means there still room for improvement and some work for sysadmins like me ;-)

More seriously a real added value of this tool is that beside doing the compliance check it provides a features to fix some/all points. The advantage here is that in comparison of manual changes it makes sure it does not change anything which ODA relies on and breaks it.

What about the database?

Of course ODA is not only an Operating System. At the end there are databases running on it. So the question is: if the cis.py performs checks on OS level, what can I do on DB one?

For this Oracle released of free (yes free) tool called DBSAT, which stands for Database Security Assessment Tool.
https://www.oracle.com/database/technologies/security/dbsat.html

This tools runs against your database and make CIS but also some GDPR compliance checks providing a report. The report can be export in JSON for activities such as cross databases check.

More blogs to follow about these tools, once back from the DOAG…but now it‘s slowly time for the traditional Schweitzer Abend and some party ;-)

Leave a Reply

David Hueber
David Hueber

Chief Executive Officer (CEO), Principal Consultant