Implementing Security Compliance using Policy …

2009/10/12


Page 1

Rob Zoeteweij

Page 2

Rob Zoeteweij
◦ Working with Oracle Technology since 1985
◦ Development / DBA / Consulting
◦ Last 6 Years
  Oracle Expert Service (Oracle The Netherlands), focus on OEM GRID Control / RAC - ASM
  Independent Oracle Consultant: implementation of OEM GRID Control at Rabobank, Shell, ING Bank

Page 3

Is about the implementation of Security Compliance in OEM GRID Control
Covers OEM 10.2.0.4 – 10.2.0.5
Shows How to … / How it works
Is based on real Project experiences

Page 4

Security at Customer’s Site

Policy Rules

Policy Groups

Q & A

Page 5

Needed to implement
◦ SOX
  Sarbanes-Oxley Act of 2002 (Wikipedia)
  Public Company Accounting Reform and Investor Protection Act of 2002
  AKA Sarbanes-Oxley, Sarbox or SOX
  Sponsors: Senator Paul Sarbanes and Representative Michael G. Oxley
  In response to a number of major corporate and accounting scandals, incl. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom

Page 6

SOX
◦ Not a static list
◦ Not a standard list
◦ The actual measures can differ per company
◦ Both organisational and technical

Page 7

SOX
◦ Measures to stay compliant with the Customer’s Security Rules
◦ Separation of facilities for Development, Testing and Production: developers / testers don’t have access to Production servers …
◦ Backups need to be available and tested; they are located at another location than the source and need to be accessible to authorized employees only
◦ Audit logs need to be created: all user actions must be logged and fully traceable to an individual …
◦ System access based on “Least privilege” and “Need to know”
◦ ...

Page 8

To identify the importance level of an automated System

AIC code
◦ Availability – Integrity – Confidentiality
◦ A – [1-3], I – [1-3], C – [1-3]; impact 1 – Low, 2 – Middle, 3 – High

Example
  I = 2: financial transactions that can be reversed without any (image) damage
  I = 3: financial transactions that cannot be reversed without any (image) damage

Page 9

AIC code
◦ Needs to be applied to Systems: Applications, Application Servers, Servers (Hosts), Database Listeners, Databases

Page 10

AIC codes in use at Customer’s Site
◦ 222 – 232 – 233 – 322 – 332 – 333

Page 11

Security at Customer’s Site

Policy Rules

Policy Groups

Q & A

Page 12

Policies
◦ Policies define the desired behaviour or characteristics of systems
◦ A Policy is compliant if it is determined that a target meets the desired state

Example: Oracle Home Executable Files Permission
Ensure that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
If a Target does not meet this state, the Policy is violated
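The Oracle Home permission policy above, implemented as a stand-alone check. This is an added example written for this page, not Oracle Enterprise Manager's own policy code: it builds a throw-away ORACLE_HOME tree with constructed file modes, walks it while skipping ORACLE_HOME/bin, and reports every file that has a public (world) read, write or execute bit set. The sample file names and modes are assumptions.

```python
"""Added example: a stand-alone check for the "Oracle Home Executable Files
Permission" policy.  Written for this page, not OEM code.  It walks a
(here: constructed) ORACLE_HOME tree and reports every file outside
ORACLE_HOME/bin that is world-readable, -writable or -executable."""
import os
import stat
import tempfile
from pathlib import Path

# "public" permissions = the three 'other' bits
PUBLIC_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def public_permission_violations(oracle_home, exclude=("bin",)):
    """Return sorted paths (relative to oracle_home) of files that have any
    public permission bit set.  Directories named in `exclude` directly
    under ORACLE_HOME are skipped, matching the policy's bin exception."""
    oracle_home = Path(oracle_home)
    excluded = {oracle_home / d for d in exclude}
    violations = []
    for root, dirs, files in os.walk(oracle_home):
        root = Path(root)
        # prune excluded top-level directories so os.walk never enters them
        dirs[:] = [d for d in dirs if root / d not in excluded]
        for name in files:
            path = root / name
            if path.is_symlink():
                continue  # the link target is evaluated where it really lives
            mode = path.stat().st_mode
            if mode & PUBLIC_BITS:
                violations.append(str(path.relative_to(oracle_home)))
    return sorted(violations)


def evaluate_policy(oracle_home):
    """Policy outcome as OEM presents it: compliant (True) or violated
    (False), plus the evidence (the offending files)."""
    bad = public_permission_violations(oracle_home)
    return (len(bad) == 0, bad)


def build_sample_oracle_home():
    """Construct a throw-away ORACLE_HOME with a known mix of modes so the
    check can be exercised offline (sample layout, not a real install)."""
    home = Path(tempfile.mkdtemp(prefix="oracle_home_"))
    layout = {
        "bin/sqlplus": 0o755,                 # public execute is allowed in bin
        "lib/libclntsh.so": 0o750,            # compliant
        "network/admin/tnsnames.ora": 0o644,  # world-readable: violation
        "rdbms/admin/catalog.sql": 0o640,     # compliant
        "oraInst.loc": 0o666,                 # world-writable: violation
    }
    for rel, mode in layout.items():
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample\n")
        os.chmod(p, mode)
    return home


if __name__ == "__main__":
    home = build_sample_oracle_home()
    compliant, evidence = evaluate_policy(home)
    print("compliant" if compliant else "VIOLATED", evidence)
```

Run against a real ORACLE_HOME the check returns the same tuple; the bin exception is deliberately limited to the top-level bin directory, because a bin subdirectory elsewhere in the tree is not covered by the policy's wording.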

Page 13

Policies – other examples
◦ Ensure database auditing is enabled: each activity in the database should be traceable
◦ Default passwords: ensure there are no default passwords for known accounts
◦ Open TCP/IP Ports: ensure that no unintended ports are left open
◦ …


Page 15

Based on the AIC codes in use, create:
◦ Monitoring Templates
  Only Policy Rules included
  STP – <Target Type> – AIC<code>
  STP – Listener – AIC332
  STP – HTTP Server – AIC223
  STP – Cluster Database – AIC322


Page 17

Use Groups to apply the Templates to the Targets

Group organisation
◦ PG-<Target Type>_AIC<Code>_<Phase (Dev, Tst, Acc, Prd)>
  PG-Cluster_Databases_AIC233_Test
  PG-Database_Instances_AIC333_Prod

Page 18

Group PG-Cluster_Databases_AIC332_Test
Includes all Cluster Databases to which AIC code 332 applies
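Pages 15 to 18 describe one procedure: a template per AIC code, a group per target type, AIC code and phase, and the groups used to apply the templates. The following is an added example, not from the slides and not an OEM API, that applies those two naming conventions to a constructed target inventory and validates each AIC code against the 1..3 impact scale and the list of codes in use. Target names, types, codes and phases are assumptions; the group name uses the target type with spaces replaced by underscores, and the template name uses an ASCII hyphen where the slide shows a dash.

```python
"""Added example (not from the slides or from OEM): apply the deck's naming
conventions programmatically.  Given an inventory of targets, validate each
AIC code, derive the Monitoring Template name (STP - <Target Type> - AIC<code>)
and the Group name (PG-<Target Type>_AIC<code>_<Phase>), and report targets
for which no template exists.  Inventory and in-use codes are constructed."""
import re
from collections import defaultdict

AIC_RE = re.compile(r"^[1-3]{3}$")   # A, I and C each scored 1..3

# Codes the customer actually uses; anything else has no template built for it.
AIC_CODES_IN_USE = {"222", "232", "233", "322", "332", "333"}


def is_valid_aic(code):
    """True when the code is three digits, each in 1..3."""
    return bool(AIC_RE.match(str(code)))


def validate_aic(code):
    """Return the AIC code as a string, or raise ValueError if a digit is
    outside the 1..3 impact scale."""
    code = str(code)
    if not is_valid_aic(code):
        raise ValueError(f"invalid AIC code {code!r}: expected three digits in 1..3")
    return code


def template_name(target_type, aic):
    return f"STP - {target_type} - AIC{validate_aic(aic)}"


def group_name(target_type, aic, phase):
    # group names use underscores; spaces in the target type become '_'
    return f"PG-{target_type.replace(' ', '_')}_AIC{validate_aic(aic)}_{phase}"


def plan_groups(targets, in_use=AIC_CODES_IN_USE):
    """Map every target to its group and the template that group applies.

    Returns (groups, unassigned): groups is {group_name: {"template": name,
    "members": [target names]}}; unassigned lists targets whose AIC code is
    valid but not among the codes a template was built for."""
    groups = defaultdict(lambda: {"template": None, "members": []})
    unassigned = []
    for t in targets:
        aic = validate_aic(t["aic"])
        if aic not in in_use:
            unassigned.append(t["name"])
            continue
        g = group_name(t["type"], aic, t["phase"])
        groups[g]["template"] = template_name(t["type"], aic)
        groups[g]["members"].append(t["name"])
    return dict(groups), unassigned


# Constructed inventory; names, types and codes are illustrative only.
SAMPLE_TARGETS = [
    {"name": "finrac_t", "type": "Cluster Database", "aic": "332", "phase": "Test"},
    {"name": "hrrac_t", "type": "Cluster Database", "aic": "332", "phase": "Test"},
    {"name": "finrac_p", "type": "Cluster Database", "aic": "333", "phase": "Prod"},
    {"name": "LISTENER_db01", "type": "Listener", "aic": "332", "phase": "Prod"},
    {"name": "intranet_db", "type": "Database Instance", "aic": "211", "phase": "Dev"},
]

if __name__ == "__main__":
    groups, unassigned = plan_groups(SAMPLE_TARGETS)
    for name, info in sorted(groups.items()):
        print(name, "->", info["template"], info["members"])
    print("no template for:", unassigned)
```

The unassigned list is the useful output in practice: a target whose AIC code is valid but has no template is a target that silently receives no policy rules, which is exactly the gap a compliance review would miss.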


Page 24

Policy Rules
◦ “Real Time” evaluation: every 24 hours (default)
◦ Will be evaluated right after application to a Target
◦ Violations shown in: EM Console Homepage, Target Homepage, Group / System Homepage
◦ Create your own: User Defined Policies

Page 25

Security at Customer’s Site

Policy Rules

Policy Groups

Q & A

Page 26

Policy Groups
◦ Compliance
◦ Logical Group of Policies
  10.2.0.4 – 3 Out of the Box Groups:
    Secure Configuration for Oracle Database
    Secure Configuration for Oracle Listener
    Secure Configuration for Oracle Real Application Cluster
  10.2.0.5 – Create your own

Page 27

(Diagram) A Policy Group (Rule 1, Rule 2, … Rule n) is applied to a Group (Target 1, Target 2, … Target n) according to an Evaluation Schedule


Page 36

Policy Groups
◦ Logically grouped
◦ Instead of Monitoring Templates
◦ Evaluation based on a schedule
◦ Compliance Score (should move to 100%)
◦ Trend (is it getting better?)
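The diagram on page 27 and the score and trend points on this page, with the rule examples from page 13, as a runnable model. This is added example code written for this page, not OEM's evaluation engine: rules are predicates over a constructed target snapshot, one evaluation of a policy group against a target group yields the violations and a compliance score, and a second scheduled run yields the trend. The attribute names (audit_trail, accounts_with_default_password, listening_ports, approved_ports), the target names and both snapshots are assumptions.

```python
"""Added example, not OEM code: a minimal policy-group evaluator in the shape
of the page-27 diagram.  A policy group is a list of rules, a group is a list
of targets, and each scheduled evaluation produces the violations, a
compliance score and, from the second run on, a trend.  Rules, target
attributes and the two snapshots are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Target = Dict[str, object]            # constructed configuration snapshot


@dataclass
class Rule:
    name: str
    check: Callable[[Target], bool]   # True = target meets the desired state


@dataclass
class Evaluation:
    score: float                      # % of (rule, target) pairs compliant
    violations: List[Tuple[str, str]] # (target name, rule name)


# --- rules: the desired state as a predicate over a target snapshot ---------
def auditing_enabled(t):
    return str(t.get("audit_trail", "NONE")).upper() != "NONE"


def no_default_passwords(t):
    return len(t.get("accounts_with_default_password", [])) == 0


def no_unintended_ports(t):
    return set(t.get("listening_ports", [])) <= set(t.get("approved_ports", []))


SECURE_DB_CONFIG = [
    Rule("Ensure database auditing is enabled", auditing_enabled),
    Rule("No default passwords for known accounts", no_default_passwords),
    Rule("No unintended open TCP/IP ports", no_unintended_ports),
]


def evaluate(policy_group: List[Rule], targets: List[Target]) -> Evaluation:
    """One scheduled evaluation of a policy group against a target group."""
    violations = []
    for t in targets:
        for rule in policy_group:
            if not rule.check(t):
                violations.append((t["name"], rule.name))
    total = len(policy_group) * len(targets)
    score = 100.0 if total == 0 else 100.0 * (total - len(violations)) / total
    return Evaluation(round(score, 1), violations)


def trend(history: List[Evaluation]) -> str:
    """Compare the latest score with the previous one."""
    if len(history) < 2:
        return "n/a"
    delta = history[-1].score - history[-2].score
    return "improving" if delta > 0 else "worsening" if delta < 0 else "stable"


def run_schedule(policy_group, snapshots):
    """Evaluate the policy group once per snapshot, in schedule order."""
    return [evaluate(policy_group, targets) for targets in snapshots]


# --- constructed snapshots of two targets on two evaluation runs ------------
RUN_1 = [
    {"name": "finrac_t", "audit_trail": "NONE",
     "accounts_with_default_password": ["SCOTT"],
     "listening_ports": [1521, 1158], "approved_ports": [1521]},
    {"name": "hrrac_t", "audit_trail": "DB",
     "accounts_with_default_password": [],
     "listening_ports": [1521], "approved_ports": [1521]},
]
RUN_2 = [  # finrac_t after auditing was switched on and SCOTT was locked
    {"name": "finrac_t", "audit_trail": "DB",
     "accounts_with_default_password": [],
     "listening_ports": [1521, 1158], "approved_ports": [1521]},
    RUN_1[1],
]

if __name__ == "__main__":
    history = run_schedule(SECURE_DB_CONFIG, [RUN_1, RUN_2])
    for i, ev in enumerate(history, 1):
        print(f"run {i}: score {ev.score}% violations {ev.violations}")
    print("trend:", trend(history))
```

The score is the fraction of (rule, target) pairs that pass, so one badly configured target in a large group moves the number only slightly; the violations list, not the score, is what tells the DBA which target to fix, which is why both are kept in the result.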
