Rob Zoeteweij
Rob Zoeteweij
◦ Working with Oracle Technology since 1985
◦ Development / DBA / Consulting
◦ Last 6 Years
Oracle Expert Service (Oracle The Netherlands)
Focus on OEM GRID Control / RAC - ASM
Independent Oracle Consultant
Implementation of OEM GRID Control at
Rabobank
Shell
ING Bank
◦ Is about the implementation of Security Compliance in OEM GRID Control
◦ Covers OEM 10.2.0.4 – 10.2.0.5
◦ Shows how to … / how it works
◦ Is based on real project experiences
Security at Customer’s Site
Policy Rules
Policy Groups
Q & A
Needed to implement
◦ SOX
Sarbanes-Oxley Act of 2002 (Wikipedia)
Public Company Accounting Reform and Investor Protection Act of 2002
AKA – Sarbanes-Oxley, Sarbox or SOX
Sponsors: Senator Paul Sarbanes and Representative Michael G. Oxley
In response to a number of major corporate and accounting scandals including Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom
SOX
◦ Not a static list
◦ Not a standard list
◦ The actual measures can differ per company
◦ Both organisational and technical
SOX
◦ Measures to stay compliant with the customer's security rules
◦ Separation of facilities for Development, Testing and Production
Developers / testers don't have access to Production servers …
◦ Backups need to be available and tested
Will be located at another location than the source
Need to be accessible for authorized employees only
◦ Audit logs need to be created
All user actions must be logged and fully traceable to an individual …
◦ System access
Based on "Least privilege" and "Need to know"
◦ ...
To identify the importance level of an automated system
AIC code
◦ Availability – Integrity – Confidentiality
◦ A – [1-3], I – [1-3], C – [1-3]
Impact: 1 – Low, 2 – Medium, 3 – High
Example
I = 2: Financial transactions that can be reversed without any (image) damage
I = 3: Financial transactions that cannot be reversed without any (image) damage
AIC code
◦ Needs to be applied to Systems
Applications
Application Servers
Servers (Hosts)
Database Listeners
Databases
AIC codes in use at Customer's Site
◦ 222 – 232 – 233 – 322 – 332 – 333
Policy Rules
Policies
◦ Policies define the desired behaviour or characteristics of systems
◦ A Policy is compliant if it is determined that a target meets the desired state
Example: Oracle Home Executable Files Permission
Ensure that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
◦ If a Target does not meet this state, the Policy is violated
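The file-permission policy above can be evaluated outside OEM as well. The following is an added example (my own illustration, not code from the presentation or from OEM) that walks an ORACLE_HOME, skips ORACLE_HOME/bin as the rule requires, and reports every regular file that carries any world (public) read, write or execute bit. The tree it checks is constructed in a temporary directory with hypothetical file names and modes; point evaluate_oracle_home_permissions at a real ORACLE_HOME to check a host.

```python
import os
import shutil
import stat
import tempfile

# Any of these bits set on a file means "public" (world) access.
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH   # 0o007


def evaluate_oracle_home_permissions(oracle_home):
    """Evaluate the 'Oracle Home Executable Files Permission' rule on one host.

    Walks oracle_home, skipping ORACLE_HOME/bin as the rule requires, and
    returns the sorted relative paths of regular files that have any world
    read, write or execute permission.  An empty list means compliant.
    """
    oracle_home = os.path.normpath(oracle_home)
    violations = []
    for root, dirs, files in os.walk(oracle_home):
        if root == oracle_home and "bin" in dirs:
            dirs.remove("bin")          # ORACLE_HOME/bin is excluded from this rule
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)         # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & WORLD_BITS:
                violations.append(os.path.relpath(path, oracle_home))
    return sorted(violations)


def build_demo_home():
    """Build a constructed ORACLE_HOME-like tree in a temporary directory.

    File names and modes are hypothetical sample data, not a real install.
    """
    home = tempfile.mkdtemp(prefix="oracle_home_demo_")
    layout = {
        "bin/sqlplus": 0o755,                  # in bin: excluded from the rule
        "lib/libclntsh.so": 0o644,             # world-readable: violation
        "rdbms/admin/catalog.sql": 0o604,      # world-readable: violation
        "network/admin/listener.ora": 0o640,   # owner + group only: compliant
        "dbs/initORCL.ora": 0o600,             # owner only: compliant
    }
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("-- constructed sample file\n")
        os.chmod(path, mode)
    return home


def demo():
    """Evaluate the rule on the constructed tree and return the violations."""
    home = build_demo_home()
    try:
        return evaluate_oracle_home_permissions(home)
    finally:
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    for rel in demo():
        print("VIOLATION:", rel)
```

The check uses lstat rather than stat so that a symlink pointing outside ORACLE_HOME is not reported with the target's mode; whether such links should be flagged at all is a policy decision, not something this rule text settles.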
Policies – other examples
◦ Ensure database auditing is enabled
Each activity in the database should be traceable
◦ Default passwords
Ensure there are no default passwords for known accounts
◦ Open TCP/IP ports
Ensure that no unintended ports are left open
◦ …
Based on the AIC codes in use, create:
◦ Monitoring Templates
Only Policy Rules included
Naming: STP – <Target Type> – AIC<code>
STP – Listener – AIC332
STP – HTTP Server – AIC223
STP – Cluster Database – AIC322
…
Use Groups to apply the Templates to the Targets
Group organisation
◦ PG-<Target Type>_AIC<Code>_<Phase (Dev, Tst, Acc, Prd)>
PG-Cluster_Databases_AIC233_Test
PG-Database_Instances_AIC333_Prod
…
Group PG-Cluster_Databases_AIC332_Test
Includes all Cluster Databases to which AIC code 332 applies
Policy Rules
◦ "Real Time" evaluation
Every 24 hours (default)
◦ Evaluated right after application to a Target
◦ Violations shown in
EM Console Homepage
Target Homepage
Group / System Homepage
◦ Create your own
User Defined Policies
Policy Groups
Policy Groups
◦ Compliance
◦ Logical group of Policies
10.2.0.4 – 3 out-of-the-box groups
Secure Configuration for Oracle Database
Secure Configuration for Oracle Listener
Secure Configuration for Oracle Real Application Cluster
10.2.0.5 – Create your own
Diagram: a Policy Group (Rule 1, Rule 2, … Rule n) is applied, on an Evaluation Schedule, to a Group (Target 1, Target 2, … Target n)
Policy Groups
◦ Logically grouped
◦ Used instead of Monitoring Templates
◦ Evaluation based on a schedule
◦ Compliance Score (should move towards 100%)
◦ Trend (is it getting better?)
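To make the schedule, score and trend mechanics concrete, here is an added example (my own illustration, not OEM code and not the presenter's) of one policy group evaluated against a group of database targets on two consecutive scheduled runs. The three rules follow the examples given in the Policy Rules section (auditing enabled, no default passwords, no unintended open ports). The target facts, the account/password pairs, the port allow-lists and the KNOWN_DEFAULTS table are all constructed sample data, and the score is a simplified "compliant checks over all checks" percentage, not OEM's own weighted formula.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class PolicyRule:
    """A named check; check(facts) returns True when the target is compliant."""
    name: str
    check: Callable[[dict], bool]


@dataclass
class PolicyGroup:
    name: str
    rules: List[PolicyRule]


# Illustrative default credentials for well-known accounts (hypothetical
# table; a real check uses the vendor's list of default-password hashes).
KNOWN_DEFAULTS = {"SCOTT": "TIGER", "DBSNMP": "DBSNMP", "OUTLN": "OUTLN"}


def auditing_enabled(facts):
    # "Ensure database auditing is enabled": audit_trail must not be NONE/FALSE
    return facts["audit_trail"].upper() not in ("NONE", "FALSE")


def no_default_passwords(facts):
    # "Ensure there are no default passwords for known accounts"
    return all(KNOWN_DEFAULTS.get(user) != pwd
               for user, pwd in facts["accounts"].items())


def no_unintended_ports(facts):
    # "Ensure that no unintended ports are left open": every listening port
    # must appear on the target's documented allow-list
    return set(facts["listening_ports"]) <= set(facts["allowed_ports"])


SECURE_DB = PolicyGroup("Secure Configuration for Oracle Database", [
    PolicyRule("Database auditing enabled", auditing_enabled),
    PolicyRule("No default passwords", no_default_passwords),
    PolicyRule("No unintended open ports", no_unintended_ports),
])


def evaluate(group: PolicyGroup, targets: Dict[str, dict]):
    """One scheduled run: every rule against every target in the group.
    Returns {target name: [names of violated rules]}."""
    return {name: [r.name for r in group.rules if not r.check(facts)]
            for name, facts in targets.items()}


def compliance_score(group, results):
    """Simplified score: compliant (rule, target) pairs as a percentage of all
    pairs.  Not OEM's weighted formula, but it moves in the same direction."""
    total = len(group.rules) * len(results)
    violations = sum(len(v) for v in results.values())
    return round(100.0 * (total - violations) / total, 1)


def trend(previous, current):
    """Direction of the score between two scheduled evaluations."""
    if current > previous:
        return "improving"
    return "stable" if current == previous else "deteriorating"


def demo_policy_group():
    """Two constructed runs over a group such as PG-Database_Instances_AIC333_Prod."""
    day1 = {
        "ORCL1": {"audit_trail": "NONE",
                  "accounts": {"SCOTT": "TIGER", "SYS": "x8#Qp!"},
                  "listening_ports": [1521], "allowed_ports": [1521]},
        "ORCL2": {"audit_trail": "DB",
                  "accounts": {"DBSNMP": "m0n1t0r!"},
                  "listening_ports": [1521, 8080], "allowed_ports": [1521]},
    }
    # Day 2: ORCL1 was fixed; ORCL2 still has port 8080 listening.
    day2 = {
        "ORCL1": dict(day1["ORCL1"], audit_trail="DB",
                      accounts={"SCOTT": "n3w-S3cret", "SYS": "x8#Qp!"}),
        "ORCL2": day1["ORCL2"],
    }
    r1, r2 = evaluate(SECURE_DB, day1), evaluate(SECURE_DB, day2)
    s1, s2 = compliance_score(SECURE_DB, r1), compliance_score(SECURE_DB, r2)
    return r1, s1, s2, trend(s1, s2)


if __name__ == "__main__":
    results, s1, s2, direction = demo_policy_group()
    print(results, s1, "->", s2, direction)
```

Running the two constructed days gives 50.0% on day one and 83.3% on day two, so the trend reads "improving" even though ORCL2 is still non-compliant; this is why the score and the per-target violation list should be read together.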