In Enterprise Manager 12c, using the compliance standard results might be a good solution for DBA’s to detect security incoherences (for example a lambda user who has the sysdba role …) for their various targets.

From the 12.1.0.3 version, a new column named ‘Required Data Available’ appeared in the Compliance Standard Result screen. This column defines if the data for the compliance evaluation rules for each target are in the repository or not.

If the value is ‘YES’, it means that the data necessary for the compliance rule has been collected. If the value is ‘NO’, it means that nothing has been collected nor evaluated. Thus we can consider that for this target the compliance rule is not OK.

Let’s have a look on my EM12c configuration. I added the OMSREP database in order to apply on the target the High Security Configuration for Oracle Database. Apparently everything is fine, except the required data available:

co1

The requested configuration data is not available, and we do not have any violations available for this target’s security compliance.

EM 12c provides many compliance standards for various targets, in our case High Security Configuration for Oracle Database. But by default the configuration is not collected. We can notice that when we associate a target to a compliance standard, we receive the following message:

co2

We have to enable those collections by applying an Oracle Certified Template to the target, in our case it will be Oracle Certified – Enable Database Security Configuration Metrics, because those configuration metrics are not enabled by default in order not to overload the OMR (Oracle Management Repository):

co3

You choose the Oracle Certified Database Security Configuration Metrics, you select Apply, you select your target database, and then select OK:

co5

Now the target has its collections enabled.

At the beginning of our test we did not have any schedule about oracle security. Using emctl staus agent scheduler combined with a grep on the instance name and another grep with the metric collection gived no result:

oracle@em12c:> emctl status agent scheduler | grep OMSREP | grep oracle_security
oracle@em12c:>

Now the collection for the certified template has been applied, but we have to start the schedule:

oracle@em12c:> emctl startschedule agent -type oracle_database
Oracle Enterprise Manager Cloud Control 12c Release 5
Copyright (c) 1996, 2015 Oracle Corporation. All rights reserved.
Start Schedule TargetType succeeded

And the agent status agent scheduler command shows the oracle_security collections and their scheduled time:

oracle@em12c:>emctl status agent scheduler | grep OMSREP | grep oracle_security

2015-11-23 10:33:59.854 : oracle_database:OMSREP:oracle_security_inst2
2015-11-23 10:34:50.068 : oracle_database:OMSREP:oracle_security

We can run a collection from the agent12c with emctl:

oracle@em12c:>emctl control agent runCollection 
OMSREP:oracle_database oracle_security 
Oracle Enterprise Manager Cloud Control 12c Release 5 
Copyright (c) 1996, 2015 Oracle Corporation. 
All rights reserved. 
--------------------------------------------------------------- 
EMD runCollection completed successfully

 

Finally now we can visualize the violations and target evaluations:

co6

 

Conclusion

If you use the compliance standard, be careful with the column ‘Required Data Available’, you won’t be sure you will have correct compliance results. Don’t forget that some configuration metrics are not enabled by default.