One of the most requested features in the compliance management area has been a compliance standard for Oracle Database 12c. As most of you would know, Oracle Database 12c has been out for quite some time, and indeed Larry Ellison has just announced at OOW2016 availability of Oracle Database 12cR2 in Oracle’s public cloud offering. However, as I discussed in another post earlier this year, creating a new STIG compliance standard is not a simple matter. In fact, we are still working on integrating the DISA Oracle Database 12c compliance standard into Enterprise Manager Cloud Control 13c.
So if we’re still integrating it, why am I announcing it’s available now? You might think it’s because Oracle always announces products before they’re shipped. 🙂 Well, you’re wrong! What I’m announcing is the availability of not one but TWO Oracle Database 12c STIG compliance standards and a compliance report as sample code – one is for standard architecture and the other is for multitenant architecture. Bob Bunting, Gary Jensen and team from our Public Sector sales consulting team have been working hard to produce these standards, and we are now publishing them on the OTN sample code page (scroll down and find the Enterprise Manager category, or use the direct link instead). DBLM provides views to enable custom reporting. The sample code provides an example of using those views to report on the status of each STIG rule. The sample populates a table with the status of each STIG rule by target and STIG. The sample code also creates XML in the STIGViewer Checklist format.
The code actually contains two versions – one for EM12c and the other for EM13c. The EM12c version has been tested on 22.214.171.124 and 126.96.36.199 (it may well work on earlier versions but we haven’t tested that at all). Please note the installation scripts ARE version specific. There was a minor change we needed to make to the code for EM13c that means the EM12c version does NOT work on EM13c, and vice versa.
Sample code, of course, does come with some provisos. As listed on the OTN sample code page, it is provided for educational purposes or to assist your development or administration efforts. Your use rights and restrictions for each sample code item are described in the applicable license agreement. Except as may be expressly stated in the applicable license agreement or product documentation, sample code is provided “as is” and is not supported by Oracle.
You might also ask why it takes longer to “productize” these standards than it does to produce them as sample code. Well, the reason is straightforward. “Productizing” something requires a much more rigorous process. It requires, among other things, the following:
- Rigorous quality assurance testing – To add functionality to an existing product, you may need to build new quality assurance tests, run them at volume, identify and fix any bugs.
- Documentation – Any new functionality must of course be documented, both in the online documentation set and the online help.
- Minimization or removal of assumptions – as an example, sample code may create objects in the USERS tablespace (and in fact the Oracle Database 12c STIG compliance standards do just that). What happens if the repository database you’re using doesn’t even have a USERS tablespace? In sample code, you can just say, “Well, just edit this SQL file and replace the USERS tablespace with your own.” In production code, you would probably parameterize this in the SQL, so the installing DBA is prompted for the name of the tablespace to create the objects in.
And on it goes. As you can tell, there is a lot more rigour to product code development than there is sample code development. However, sample code can still be useful for allowing you to test new functionality before it becomes available as part of the product, and that’s why we’re announcing the release of the Oracle Database 12c STIG compliance standard sample code now.
I hope I’ve whet your appetite enough to make you want to have a look at this sample code. Over the next couple of posts, I’ll walk you through downloading and installing the code, as well as using the new compliance standards against your Oracle Database 12c targets. Don’t forget those sample code restrictions though! 🙂
Update 1: Here’s the first post on installing the sample code.
Update 2: And here’s the second post, on associating Oracle Database 12c databases with the STIG framework.