Oracle Database Lifecycle Management
Database STIG Compliance

Bob Bunting, Master Principal Software Consultant, Oracle Public Sector Software
[email protected]

Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

Oracle Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Topics
• Oracle Enterprise Manager Overview
  – Introduction and Overview
  – Architecture
• Oracle Database Lifecycle Management Pack and STIG
• Monitoring and Managing STIG Compliance Demo
• Creating Custom Standards and Adding Rules
• Enterprise Manager Reporting
• Self Update
• Database Lifecycle Management Pack Summary
• More Discussion and Q&A
Total Cloud Control
• Complete Cloud Lifecycle Management
• Self-Service IT
• Integrated Cloud Stack Management
• Simple and Automated Business-Driven Application Management

Business Driven Efficiency: End-to-End Management
Enterprise Manager provides management inside each layer and management across layers:
✓ Performance & Availability
✓ Configuration Management
✓ Lifecycle Management
✓ Quality Management
✓ My Oracle Support

Efficiency: Applications Management (Deep, Integrated, Business-Driven)
• Application-centric performance, user experience, configuration and lifecycle management
• Integrated business-IT view
• Integrated with full-stack management capabilities
Optimized for: Fusion Applications, E-Business Suite, Siebel, PeopleSoft, JDE, ORCL vertical apps
Oracle Confidential – Internal/Restricted/Highly Restricted

Efficiency: Middleware Management (Deep, Integrated, Zero-Overhead)
• Cross-Tier Java Diagnostics
• SOA Governance
• Configuration and Lifecycle Management for large estates
• Encourages DevOps initiatives
Optimized for: WebLogic, SOA, WebCenter, IdM, BI, Coherence, GoldenGate, Exalogic, Exalytics

Efficiency: Database Management (Industry-Leading, Built-In)
• "Always on" diagnostics
• Guided analysis and self-tuning
• Automated Compliance, Provisioning, Patching, Upgrades
• Data Security, Masking, Subsetting
Optimized for: Database, Exadata, Database Appliance, Big Data Appliance

Efficiency: Infrastructure Management (Tightly Coupled, Large-Scale Automation)
• Maximize Data Center Efficiency
• Control Virtualization Sprawl
• Patch OS, Update Firmware, Maintain Compliance
• My Oracle Support "Phone Home" & Remote Administration
Optimized for: Oracle VM, Solaris, Oracle Linux,
SuperCluster, Engineered Systems, Sun Systems

Efficiency: Enterprise Manager Ecosystem (Delivering Products and Services for the Cloud)
145+ Extensions
• Oracle Enterprise Manager Extensibility Exchange
• New Extensibility Development Kit and Partner-Built Plug-Ins
800+ Partners
• Enterprise Management Specialization
• Application Quality Management Specialization

EM 12c: Database Lifecycle Management
• Discovery and Initial Provisioning: discover assets and provision software on them
• Ongoing Change Management: end-to-end management of patches, upgrades, and schema changes
• Continuous Configuration and Compliance Management: track inventory, configuration drift and compliance

NIST Risk Management Framework (RMF)
A continuous cycle: Categorize the Information System → Select Security Controls → Implement Security Controls → Assess Security Controls → Authorize Information System → Monitor Security Controls (continuous)
• Categorize information and information systems – FIPS 199, NIST SP 800-60
• Select appropriate security controls – FIPS 200, NIST SP 800-53, CNSSI 1253, DISA SRG
• Implement security controls in the information system – NIST SP 800 series, DISA STIG
• Assess the effectiveness of the security controls – NIST SP 800-53A, DISA STIG
• Authorize the information system for processing – NIST SP 800-37
• Monitor the security controls on a continuous basis – NIST SP 800-137 and 800-53A, DISA STIG
Reference: http://csrc.nist.gov/groups/SMA/fisma/framework.html
Copyright © 2015 Oracle and/or its affiliates. All rights reserved.

Continuous Compliance Has Broad Applicability

Approved STIGs for Oracle Technologies
• Oracle Database 11gR1 – Version 8, Release 1.12
• Oracle Database 11gR2 – Version 1, Release 2
• Oracle WebLogic Server 12c – Version 1, Release 1
• Oracle Linux 5 – Version 1, Release 1
• Oracle Linux 6 – Version 1, Release 1
• Oracle Solaris 10 –
Version 1, Release 10
• Oracle Solaris 11 – Version 1, Release 2
• Oracle Database 12cR1 – Version 1, Release 1
• Oracle HTTP Server 12c – Planned

Oracle Enterprise Manager Lifecycle (Continuous) Compliance
• Continuous Configuration Monitoring
• Real-Time File Integrity Monitoring
• Cloud Scale
• Ready-to-use Standards

Enterprise Manager Architecture (Oracle Enterprise Manager Components)
• Management Services: metric collection, thresholds and notification; configuration discovery, comparison and topology; job system, scheduling and blackouts; user authentication and access control; an extensible framework hosting Oracle and 3rd-party plug-ins (Database, WebLogic, Fusion Apps, ...)
• Agents on each managed host (Host 1, Host 2), each loading the plug-ins for the targets it manages (DB Plug-In for Database, WLS Plug-In for WebLogic, FA Plug-In for Fusion Apps); agents are auto-pushed, with an option to manually push agents
• My Oracle Support: direct connection to support, with an offline mode

Compliance Management: Ensure all the Databases are Compliant
Challenges and problems without Enterprise Manager:
• Lengthy manual audits of configuration, repeated each audit period
• High cost
• High risk
Enterprise Manager 12c solutions:
• Out-of-the-box compliance library
• Monitor and manage compliance
• Adhere to compliance and generate reports
Compliance Framework – Reusable Hierarchy
• Compliance Framework (owned by compliance managers and security auditors)
  – Collection of Compliance Standards
  – Compliance Standards can be of different target types
  – Maps configuration standards to the real-world structure of compliance frameworks (PCI, COBIT, HIPAA, CIS, etc.)
• Compliance Standard
  – Collection of Compliance Rules
  – Specific to a single target type
• Compliance Rule (owned by DBAs, admins, IT managers)
  – Discrete check or test
  – Specific to a target type
  – Results in a Violation

Compliance Validation – Multiple Options
• Repository Rule – validates collected configuration in the EM repository
  – Evaluated against repository data
  – Validated when target configuration changes
• Real-time Rule – captures changes in real time using the EM Agent
  – Detection of real-time activities (file actions, schema actions, process actions)
  – Detection of "unauthorized" changes through automated correlation against Change Management
• Agent-Side Rule – check executed by the EM Agent
  – Tight integration with Configuration Extensions
  – Validation logic only returns violations
  – Recommended for custom compliance
Oracle-Provided DB Compliance Content
Compliance Standards by target type:
– Cluster Database
  • DISA Security Technical Implementation Guide (STIG) V1.8
  • Basic Security Configuration for Oracle Cluster Database Instance
  • High Security Configuration for Oracle Cluster Database Instance
  • Certification for RAC Database
  • Configuration Best Practices for Oracle RAC Database
  • Patchable Configuration for RAC Database
  • Storage Best Practices for Oracle RAC Database
  • Support Policy for RAC Database
– Pluggable Database (NEW)
  • Storage Best Practices for Pluggable Database
  • Configuration Best Practices for Pluggable Database
  • Basic Security Configuration for Pluggable Database
– Single Instance Database Instance (and RAC Instance)
  • DISA Security Technical Implementation Guide (STIG) V1.8
  • Certification for Oracle Database
  • Storage Best Practices for Oracle Database
  • Configuration Best Practices for Oracle Database
  • Basic Security Configuration for Oracle Database
  • High Security Configuration for Oracle Database
  • Patchable Configuration for Oracle Database
  • Support Policy for Oracle Database
– Listener
  • Basic Security Configuration for Oracle Listener
  • High Security Configuration for Oracle Listener
400+ individual compliance rules

Improving Requirements Traceability
Map technical controls to policy (Source: DoD Defense Information Systems Agency)

Oracle-Provided Oracle DB 11g STIG Standard
§ Includes both Oracle Database and Oracle Home checklists
§ Almost all "Scripted" defined checks have been automated
§ ~20% of Manual/Interview checks automated
§ Remaining checks require manual attestation

Both Oracle Database and Oracle Home Checks
Queries Mirror the STIG Checklist
Summary Reporting
§ Results viewable:
  § Across databases
  § For a single DB
  § For a single check
§ Historical trend and score information

Permanently or Temporarily Suppress Findings
§ Findings (violations) can be permanently or temporarily suppressed
§ Allows exceptions and grace periods
§ Suppressed violations no longer degrade the score
§ Suppressed violations can still be reported on
§ User and reason are captured

Non-Automatable Checks Require Attestation
§ Non-automatable (manual) checks must be manually cleared (attested) after initial association
§ Attestation can be permanent or temporary
§ User and reason are captured

Refresh Collection

Customize Rules for Your Environment – Lab Steps
• Create a custom compliance standard – CREATE LIKE
  – Remove some rules
  – Add rules
• Add Configuration Extensions
• Test and preview
• Create Agent-Side Rules
• Test the rules
• Add the rules to the custom standard
• Associate target
• Review in dashboard
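The following is an added example, not Oracle's or Enterprise Manager's code. It models the hierarchy from the Compliance Framework slides (Framework → Standard → Rule → Violation) together with the suppression and attestation behaviour described above: each automated rule is a SQL query that returns only the violating rows (the agent-side "validation logic only returns violations" style, with queries shaped like STIG checklist checks), a manual rule needs an attestation, and suppressed violations are still reported but no longer lower the score. The in-memory SQLite tables standing in for V$PARAMETER, DBA_PROFILES and DBA_USERS_WITH_DEFPWD, the rule names, the FAILED_LOGIN_ATTEMPTS threshold of 3, the clearances and the scoring formula are all constructed assumptions for illustration.

```python
import sqlite3
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed stand-ins for collected Oracle configuration. The view names are real
# Oracle ones (V$PARAMETER, DBA_PROFILES, DBA_USERS_WITH_DEFPWD); the rows are made up.
def collected_config() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE v_parameter(name TEXT, value TEXT);
        CREATE TABLE dba_profiles(profile TEXT, resource_name TEXT, "limit" TEXT);
        CREATE TABLE dba_users_with_defpwd(username TEXT);
        INSERT INTO v_parameter VALUES ('remote_os_authent', 'TRUE'), ('audit_trail', 'NONE');
        INSERT INTO dba_profiles VALUES ('DEFAULT', 'FAILED_LOGIN_ATTEMPTS', 'UNLIMITED'),
                                        ('APP', 'FAILED_LOGIN_ATTEMPTS', '3');
        INSERT INTO dba_users_with_defpwd VALUES ('SCOTT');
    """)
    return db

@dataclass
class Rule:
    name: str
    kind: str                    # "repository", "agent_side" or "manual"
    query: Optional[str] = None  # SQL returning one row per violation; None for manual checks

@dataclass
class Standard:
    name: str
    target_type: str             # a standard is specific to a single target type
    rules: List[Rule] = field(default_factory=list)

@dataclass
class Framework:
    name: str
    standards: List[Standard] = field(default_factory=list)

@dataclass
class Clearance:
    """A suppression (automated rule) or attestation (manual rule). expires=None means
    permanent. User and reason are kept so the exception is auditable."""
    rule: str
    kind: str                    # "suppression" or "attestation"
    user: str
    reason: str
    expires: Optional[date] = None

    def active(self, today: date) -> bool:
        return self.expires is None or today <= self.expires

STIG_STYLE = Standard("Constructed STIG-style DB standard", "oracle_database", [
    Rule("remote_os_authent", "repository",
         "SELECT name, value FROM v_parameter WHERE name = 'remote_os_authent' AND UPPER(value) <> 'FALSE'"),
    Rule("audit_trail", "repository",
         "SELECT name, value FROM v_parameter WHERE name = 'audit_trail' AND UPPER(value) = 'NONE'"),
    Rule("failed_login_attempts", "agent_side",   # threshold of 3 is an assumption
         "SELECT profile, \"limit\" FROM dba_profiles WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS' "
         "AND (\"limit\" = 'UNLIMITED' OR CAST(\"limit\" AS INTEGER) > 3)"),
    Rule("default_passwords", "agent_side", "SELECT username FROM dba_users_with_defpwd"),
    Rule("dba_separation_of_duties", "manual"),  # interview check: cannot be scripted
])
FRAMEWORK = Framework("Constructed framework", [STIG_STYLE])

CLEARANCES = [  # constructed: one temporary suppression (grace period), one permanent attestation
    Clearance("audit_trail", "suppression", "dba1", "grace period: unified audit rollout", date(2015, 12, 31)),
    Clearance("dba_separation_of_duties", "attestation", "auditor1", "role assignments reviewed"),
]
GRACE_CHECK_DATES = (date(2015, 6, 1), date(2016, 1, 15))  # inside and after the grace period

def evaluate_standard(std: Standard, db: sqlite3.Connection, clearances: List[Clearance], today: date) -> Dict:
    """Run every automated rule, apply active clearances, and score.
    Assumed score: percentage of rules that are clean, where a rule is clean when it has
    no violations, all its violations are actively suppressed, or it is a manual rule
    with an active attestation. Suppressed rows stay in the report."""
    active = {c.rule: c for c in clearances if c.active(today)}
    report: Dict = {"open": [], "suppressed": [], "attested": [], "needs_attestation": []}
    clean = 0
    for rule in std.rules:
        clr = active.get(rule.name)
        if rule.kind == "manual":
            if clr and clr.kind == "attestation":
                report["attested"].append(rule.name)
                clean += 1
            else:
                report["needs_attestation"].append(rule.name)
            continue
        violations = [(rule.name, tuple(row)) for row in db.execute(rule.query)]
        if not violations:
            clean += 1
        elif clr and clr.kind == "suppression":
            report["suppressed"].extend(violations)  # reportable, but no longer degrades the score
            clean += 1
        else:
            report["open"].extend(violations)
    report["score"] = round(100 * clean / len(std.rules))
    return report

def evaluate_framework(fw: Framework, db: sqlite3.Connection, clearances: List[Clearance], today: date) -> Dict[str, Dict]:
    return {std.name: evaluate_standard(std, db, clearances, today) for std in fw.standards}

if __name__ == "__main__":
    conn = collected_config()
    for when in GRACE_CHECK_DATES:
        r = evaluate_standard(STIG_STYLE, conn, CLEARANCES, when)
        print(when, "score", r["score"], "open", [v[0] for v in r["open"]],
              "suppressed", [v[0] for v in r["suppressed"]], "needs attestation", r["needs_attestation"])
```

Running it shows the effect of the grace period: inside it the audit_trail violation is listed under "suppressed" and the score is 40; after it expires the same row reappears under "open" and the score drops to 20, while the permanent attestation keeps the manual check clean. Because every automated rule returns only violating rows, adding a rule to the custom standard is just adding another query, which is the agent-side pattern the slides recommend for custom compliance.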
Optional Lab Exercises
• Incident Management
  – Create an Incident Rule to create an Incident from an Event
  – Add comments and notes to the Incident
  – Close the Incident
• Perform the integration with BI Publisher
  – Log in and run reports
  – Experiment with creating your own reports

Create an Incident Rule Set
Setup -> Incidents -> Incident Rules

Create the Rule to Create or Update the Incident

Review and Comment on the Incidents

Questions