Professional Documents
Culture Documents
Overview
Compliance Overview
Agenda
and recommendations.
Reusable and customizable compliance standards that map to Oracle best practices
Advises how to change configurations to bring targets and systems into compliance
Remediation
Real-time monitoring of a target's files, processes, and users to let users know
Automatically determine if targets have valid configuration settings and whether they
Auditing
Solution Overview
Compliance Framework
Compliance Rule
Discreet Check or Test
Specific to Target Type
Compliance Standard
Group of Compliance Rules
Specific to Single Target Type
Compliance Framework
Group Compliance Standards
different Target Types
DBAs, Admins,
IT Managers
Compliance Manager,
Security Auditors
Compliance Rules
Compliance Standards
Compliance Frameworks
3.
2.
1.
Weblogic Health
Check scripts
executed by EM
Agent
Capture Changes
in Real Time using
EM Agent
Validate Collected
Configuration in
EM Repository
Listener
Cluster Database
Compliance Standards
Compliance Standards
Reference Documentation
Understanding Compliance
Results
10
11
Compliance Results
Number of
targets evaluating
Critical, Warning
and Compliant
Number of
violations at
Critical,
Warning and
Minor Warning
12
Targets by
Severity
Icon indicates
Rule with
violations
Rule
Evaluations
by Severity
13
14
What caused
the violation
When did it
occur?
Violation
Details.
Offending
target.
15
Knowledge
search results
16
Event Updates
17
Understanding Compliance
Score Calculation
18
standard.
Compliance Scores
19
added to Framework/Standard
creation
Compliance Scores
Importance is
determined by
rule consumer.
Severity
determined by
rule author.
20
26-50
51-75
Normal
Low
86-95
76-85
66-75
3.
99-99
97-98
95-96
0-25
High
2.
Use the following chart to find hirange and lorange for a rule
Importance
1.
2.
1.
Process Overview
21
75 (75-51) * (16 / 16 )
75 (24) = 51
Example :
Rule (Security Recommendations ) has Severity Critical and
Importance Low
Rule-Target has 16 evaluations ALL of which are violations
Importance
High
Normal
Low
86-95
76-85
66-75
Warning
Severity (lo-hi)
99-99
97-98
95-96
Minor Warning
Severity (lo-hi)
Rule2
Rule3
22
Rule1
CS
Values
3
2
1
Importance
High
Normal
Low
CS Compliance Score
Rule Compliance Standard Rule. There are 3 rules: Rule1, Rule2 and Rule3
I1: importance for Rule1
I2: importance for Rule2
I3: importance for Rule3
S1: compliance score for rule1-target
S2: compliance score for rule2-target
S3: compliance score for rule3-target
iCS2
CS2
23
iCS1
CS1
CF
Values
3
2
1
Importance
High
Normal
Low
CF Compliance Framework
CS1: compliance score 1
CS2: compliance score 2
iCS1: importance for CS1
iCS2: importance for CS2
iCS3: importance for CS3
ST1: compliance score for CS1-t1
ST2: compliance score for CS1-t2
ST3: compliance score for CS2-t3
Warning = 61-80
Compliant = 81-100
24
Critical = 0-60
Default Thresholds
Since Warning
is 80, the score
of 87 shows
Compliant for
this single
target
25
Click OK.
2.
3.
4.
1.
Custom rules
Global Exceptions
2.
3.
User SYSMAN
will no longer
generate a
violation for this
rule on ANY
target.
26
Click OK.
2.
3.
4.
5.
1.
3.
2.
4.
1.
User SYSMAN
will no longer
generate a
violation for this
target ONLY.
27
Compliance Related
Roles and Privileges
28
administrator or owner of
any target.
Not necessarily an
and Facets
Compliance Designer
administrator or owner of
any target.
Typically not an
across datacenter
Standards developed by
Designer
Compliance Officer
owner of targets.
Typically an administrator or
Standards created by
Designer
Associates targets to
DBA, Administrator
Using this role you can view compliance framework definitions and results.
Description
Allows you to create compliance standards, compliance standard rules, and Real-time
Monitoring facets
Allows you to edit and delete compliance standards and compliance standard rules
Allows you to view compliance framework definition and results
Description
Ability to associate compliance standard to the target
View the compliance results of a target
EM_COMPLIANCE_OFFICER
View
Using this role you can create, modify, and delete compliance standards, compliance
standard rules, and Real-time Monitoring facets.
EM_COMPLIANCE_DESIGNER
29
Description
Role
30
CREATE_COMPLIANCE_ENTITY privilege
VIEW_ANY_COMPLIANCE_FWK privilege
FULL_ANY_COMPLIANCE_ENTITY privilege
VIEW_ANY_COMPLIANCE_FWK privilege
EM_COMPLIANCE_DESIGNER role
EM_COMPLIANCE_OFFICER role
MANAGE_TARGET_COMPLIANCE privilege
EM_COMPLIANCE_DESIGNER role
EM_COMPLIANCE_OFFICER role
EM_COMPLIANCE_DESIGNER role
EM_COMPLIANCE_DESIGNER role
Task
31
Operational Aspects of
Compliance
Availability Job
Status
Events
Target Down
Compliance Other
events:
Standard
Violations
Application Applications
Servers
Hosts/VMs Databases
Enterprise Manager
Metric
Alerts
Events
32
Space
Performance
Incidents
EM Administrator
Manage by Incidents
Significant events
Combination of events related to the same issue
(e.g. events raised from database, host, storage
indicating lack of space)
Centralized incident management console
View, manage, diagnose and resolve incidents
from one location
Support for incident lifecycle operations
Assign, acknowledge, prioritize, track status,
escalate, suppress
Notify and open helpdesk ticket
Integrated Oracle expertise
Access to My Oracle Support (MOS) knowledge
base
Accelerates incident and problem diagnosis and
resolution
33
Violation
Violation
Events Available:
notification.
Proactive Compliance
34
Associate
(management settings)
Template
Collection
(Lifecycle Status
=Production)
Administration
Group PROD
Template Collections
Set of management settings (monitoring
templates, compliance standards, cloud
policies)
Associated with administration groups
Administration Groups
Auto-deploys management settings to targets
when they join the group
Defined by membership criteria
35
FINANCE
HCM
SALES
PRODUCTION
FINANCE
NonPROD
HCM
SALES
Line of
Business
Lifecycle
Status
TARGETS
One administration group hierarchy per Enterprise Manager site
Membership criteria:
Lifecycle Status =
Production AND
Line of Business =
Finance
Membership criteria:
Lifecycle Status =
Production
ALL TARGETS in
Admin Group
36
bundles Compliance
Standards.
Plug-in
Frameworks
New or updated
Self Update
Updating Content
37
decommissioned.
Non-configurable.
Legacy Reports ( 7 )
Compliance Reporting
38
future releases.
Email delivery
Scheduled
Output format
Scope
Configurable
Existing Reports ( 3 )
Compliance Reporting
39
Custom Compliance
Methodology
40
YES!
Corporate
DB Standard
41
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
42
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
43
Go to : Enterprise->Compliance->Library
No
Yes
No
44
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
45
property names
No
Yes
No
46
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
47
SQL Query
OS Command Output
Entire File
>Configuration Extension
Go to Enterprise->Configuration-
No
Yes
No
48
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
49
Keywords
Recommendation
Rationale
Description
Go to Enterprise->Compliance->Library
No
Yes
No
50
for you!
No
Yes
No
51
No
Yes
Compliance
Rule Exists?
Yes
Required
Data Collected?
No
Create Custom
Compliance Rule
Extend Target
Using Configuration
Extension
Add Compliance
Rule to Compliance
Standard
52
Standard
Customize Compliance
Standards
No
Yes
No
53
54
Key attributes captured include user ID, process ID and time of action
What is captured?
Each item has unique actions that can be monitored (detailed later)
55
4.
5.
6.
7.
3.
http://docs.oracle.com/cd/E24628_01/em.121/e27046/install_realtime_ccc.htm#autoId7
a)
2.
1.
56
Telnet Login
SSH Login
SU Login
Sudo
RDP Login
Console Login
FTP Login
Content Modified
Delete
Rename
Create
Permission Change
Ownership Change
Read
Users
Files
Monitored Events
Stop
Start
Processes
57
Group
Attribute
Modify
Group Delete
Member
Delete
User Attrib
Modify
Create Value
Computer Delete
Group Create
Delete Value
User Delete
Delete Key
Computer Create
AD Groups
Member Add
User Create
Create Key
AD Computers
Modify Value
AD Users
Registry
Windows
Monitored Events
58
Insert
Select
Update
Delete
Create
Drop
Truncate
Alter
Comment
Rename
Lock
Grant
Revoke
Audit
NOAUDIT
Flashback
Views
Tables
Action
Materialized Views
59
NOAUDIT
usage
Truncate
Execute
Audit
Revoke
Analyze
Alter
Grant
Drop
Function
Create
Procedure
Select
Sequence
Index
Action
Package
Library
Trigger
Tablespace
Cluster
Link
Dimension
60
Create
Drop
Alter
Audit
NOAUDIT
usage
Logoff
Login
Truncate
Execute
Role/System
User
Role
Revoke
Type
Role/System
Synonym
Public Synonym
Grant
Select
Analyze
Public Link
Profile
Action
61
Entity
Define inclusion and exclusion
patterns in single facet
Select files from existing target
by Browsing
62
Entity
Choose Facet to define
WHAT to monitor
63
compliance score
Unaudited = No Effect on
Manually Authorization
Determine the default status of
observations which effect
compliance scoring.
64