Skip Headers
Oracle® Enterprise Manager Concepts
10g Release 3 (10.2.0.3)

Part Number B31949-01
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

8 Managing Compliance

This chapter explains how Enterprise Manager Grid Control verifies that applications in your enterprise comply with preestablished standards. This chapter contains the following sections:

8.1 Compliance Overview

To have your enterprise run efficiently, it must adhere to standards that promote the best practices for security, configuration, and storage. Once these standards are developed, you can apply and test for these standards throughout your organization; that is, test for compliance. Compliance is the conformance to standards, or requirements, or both.

Using Enterprise Manager Grid Control, you can test the conformance of your targets for security standards, and configuration and storage requirements.

By continually testing your systems, services, and targets, you are ensuring the best possible protection and performance your system can have.

Compliance is two-fold: evaluating the compliance of your targets, and the policy group lifecycle management. The following sections describe these two concepts.

Note:

To view the compliance features:
  1. Navigate to the Grid Control Home page.

  2. Click the Compliance tab to access information regarding the policies, policy groups, and security statistics for your enterprise.

8.2 Compliance Management

Oracle provides two types of compliance management: policies and policy groups. Policies and policy groups define the optimal configurations of systems.

Policies and policy groups are similar in purpose, that is, they both provide rules against which managed entities are evaluated. However, there are differences:

Whether you use the out-of-box policies and policy groups defined by Oracle or customize policies to meet your particular system requirements, any deviations to your systems or applications are reported. Examples of deviations include inappropriate settings and incorrect system configurations.

This section contains the following subsections:

8.2.1 Accessing Compliance Management Pages in Grid Control

To access compliance management pages in Grid Control:

  • Click the Compliance tab to view violations associated with policies and policy groups.

    • Click the Policies tab for a roll-up view of all policy violations across all targets. From this tab, you can also access policy associations, the policy library, and errors.

    • Click the Policy Groups tab to view the list of policy groups against which there are violations. From this tab, you can also access the library of policy groups and policy group evaluation errors.

    • Click the Security At a Glance tab for a roll-up view of security statistics across the enterprise.

  • Navigate to the Home page for a particular target. The links in the Policy Violations section display the number of policy violations according to severity level. Click the links to drill down to critical, warning, and informational policy violations for that target.

8.2.2 Investigating Compliance Violations

Here are a few suggestions for investigating compliance violations. Attend to the most critical violations or those that have the biggest impact on your enterprise.

  • Study the statistics on the Enterprise Manager Grid Control Home page. In particular, look at the statistics in the All Targets Policy Violations section. The policy violations with "Critical" severity should be dealt with first.

  • Study the security-related violations reported in the Security Policy Violations section. Non-compliance with these policy rules can greatly impact the security of your enterprise.

  • Address targets that have the lowest compliance scores.

  • For the policy violations of a particular target, examine the home page for that target. The Policy Violations section provides overview information, but it also gives you access to the Policy Trend Overview for that target.

  • To deal with policies regardless of the target, navigate to the Compliance tab and then click Policies. Using this tab, you have access to all the policy violations for the enterprise, the policy associations, the policy rule library which lists all the policies, and policy evaluation errors.

    • Navigate to the Policy Violations page and enter an appropriate value in the "Most Recent Violation within n days" filter.

    • Suppress violations if you want to handle the violations at a later time.

  • To deal with policy groups regardless of the target, click Policy Groups. Using this tab, you have access to all the evaluation results for the enterprise, the policy group library, and policy group evaluation errors.

    • Navigate to the Evaluation Results page for a particular policy group. In the navigation tree, click the name of the policy group and a summary page lists all the targets along with the number of violations.

    • Navigate to the Trend Overview page to see charts relating to the number of targets evaluated, the average violation count per target, number of targets by compliance score, and the average compliance score.

See Also:

"About Policies" and "About Policy Groups" in the Grid Control online help for an overview of policies and policy groups and pointers to more information about viewing and managing policies and policy groups.

8.2.3 Assessing Security

Security policies are available for many targets, including Host, Database Instance, Cluster Database, Listener, OC4J, Oracle HTTP Server, and Web Cache.

Security policy groups are available for Database Instance, Cluster Database, and Listener.

Because security is crucial to the stability of your enterprise, security statistics are displayed prominently in Grid Control. On the Enterprise Manager Grid Control Home page, and many target home pages, there is a separate section displaying the security statistics for the target. This allows you to pay close attention to the security health of the enterprise.

In addition, the Security At a Glance feature provides an overview of the security health of the enterprise for all the targets or specific groups. This helps you to quickly focus on security issues by showing statistics about security policy violations and noting the critical security patches that have not been applied.

8.2.4 Viewing Compliance Evaluation Results

To view the results of an evaluation, use any or all of the following:

  • Use the Evaluation Results page accessed through the Policy Groups tab

  • Study the statistics in the Policy Violations section of the target's home page

  • Use the Policy Trend Overview page and the Trend Overview page available from the Evaluation Results page

  • Access the Security At a Glance page

8.2.5 Compliance Violations Reports

The Policy Violations reports and Policy Groups reports are available through the Reports feature. These reports deal with non-suppressed violations for all targets, groups, and a single target. The reports also deal with compliance summary for a group and target. In addition, suppressed violations are reported according to all targets, groups, and a single target.

8.3 Setting Up Compliance Evaluations

Compliance evaluation is the process of testing the policy and policy group rules against a target and recording any violations in the Oracle Management Repository.

8.3.1 Scheduling an Evaluation

For the evaluation to take place, you must enable the evaluation in one of two ways:

  • For a policy, use the Metric Thresholds option on the Metric and Policy Settings page

  • For a policy group, use the Policy Group Library page

8.3.2 Out-of-Box Policies and Policy Groups

Oracle provides a number of out-of-box policies (also known as policy rules) and policy groups for various targets.

When you add a target to Enterprise Manager, that target automatically uses predefined policy rules for that type of target. For example, Oracle provides security, configuration, and storage policy rules for the database instances and cluster databases. Security and configuration policy rules are provided for hosts.

Note:

Policy Groups are not automatically associated with targets.

8.3.3 Customizing Policies

You can customize policies by editing the existing policy rule settings. You can enable or disable a policy evaluation, change the importance for the compliance score calculation, assign a corrective action, prevent template override, override default parameter values (when possible), and exclude objects from a policy's evaluation (when possible).

See Also:

Online help for compliance scores

8.3.3.1 Defining Corrective Actions

One of the features of customizing policies is the ability to define corrective actions. Corrective Actions is a special type of job that executes automatically in response to a policy violation.

Corrective Actions utilize the Enterprise Manager Grid Control Job System and, like regular jobs, can consist of multiple steps, can be run with arbitrary host and target credentials, and reports its success or failure and its output to the Management Repository.

8.3.3.2 Using Templates for Monitoring

A monitoring template defines all Enterprise Manager parameters you would normally set to monitor a target.

Monitoring templates simplify the task of setting up monitoring for large numbers of targets by allowing you to specify the monitoring and policy settings once and applying them as often as needed. You can save, edit, and apply these templates across one or more targets or groups.

8.4 Policy Groups

Policy groups serve as standards by which targets are measured. Policy groups report deviations and enable closed loop remediation by optionally taking action to bring systems back into compliance. Oracle provides the following policy groups:

These standards represent best practices and allow you to maintain consistency across enterprise systems and configurations. The trend analysis feature allows fine grained tracking of compliance progress over time.

The following sections provide the highlights of each policy group.

8.4.1 Secure Configuration for Oracle Database

This policy group adheres to the security standards available for the Oracle Database. The categories deemed the most important for this policy group are:

  • Post Installation

    These rules ensure that a database is not compromised by having a default database server account left open that uses its default password.

  • Oracle Directory and File Permissions

    These rules ensure that access should be restricted, making it more difficult for an operating system user to attack the database.

  • Oracle Parameters Settings

    These rules ensure database initialization parameter settings are secure.

  • Database Password Profile Settings

    These rules ensure database profile settings are correctly defined. Oracle password management is controlled through the use of user profiles which are then assigned to database users, enabling greater control over database security.

  • Database Access Settings

    These rules ensure that access to and use of the database at the object level is restricted such that users are only given those privileges that are actually required to efficiently perform their jobs.

8.4.2 Secure Configuration for Oracle Real Application Cluster

This policy group adheres to the security standards available for the Oracle Cluster Database. The categories deemed the most important for this policy group are:

  • Post Installation

    These rules ensure that a database is not compromised by having a default database server account left open that uses its default password.

  • Oracle Directory and File Permissions

    These rules ensure that access should be restricted, making it more difficult for an operating system user to attack the database.

  • Database Password Profile Settings

    These rules ensure database profile settings are correctly defined. Oracle password management is controlled through the use of user profiles which are then assigned to database users, enabling greater control over database security.

  • Database Access Settings

    These rules ensure that access to and use of the database at the object level is restricted such that users are only given those privileges that are actually required to efficiently perform their jobs.

8.4.3 Secure Configuration for Oracle Listener

This policy group adheres to the security standards available for the Oracle Listener. The categories deemed the most important for this policy group are:

  • Oracle Directory and File Permissions

    These rules ensure that access should be restricted, making it more difficult for an operating system user to attack the database.

  • Network Configuration Settings

    These rules ensure that network configuration parameter settings are secure.