Oracle Database 12c STIG Compliance Standard sample code is here!

One of the most requested features in the compliance management area has been a compliance standard for Oracle Database 12c. As most of you would know, Oracle Database 12c has been out for quite some time, and indeed Larry Ellison has just announced at OOW2016 availability of Oracle Database 12cR2 in Oracle’s public cloud offering. However, as I discussed in another post earlier this year, creating a new STIG compliance standard is not a simple matter. In fact, we are still working on integrating the DISA Oracle Database 12c compliance standard into Enterprise Manager Cloud Control 13c.

So if we’re still integrating it, why am I announcing it’s available now? You might think it’s because Oracle always announces products before they’re shipped. 🙂 Well, you’re wrong! What I’m announcing is the availability of not one but TWO Oracle Database 12c STIG compliance standards and a compliance report as sample code – one is for standard architecture and the other is for multitenant architecture. Bob Bunting, Gary Jensen and team from our Public Sector sales consulting team have been working hard to produce these standards, and we are now publishing them on the OTN sample code page (scroll down and find the Enterprise Manager category, or use the direct link instead). DBLM provides views to enable custom reporting. The sample code provides an example of using those views to report on the status of each STIG rule. The sample populates a table with the status of each STIG rule by target and STIG. The sample code also creates XML in the STIGViewer Checklist format.

The code actually contains two versions – one for EM12c and the other for EM13c. The EM12c version has been tested on and (it may well work on earlier versions but we haven’t tested that at all). Please note the installation scripts ARE version specific. There was a minor change we needed to make to the code for EM13c that means the EM12c version does NOT work on EM13c, and vice versa.

Sample code, of course, does come with some provisos. As listed on the OTN sample code page, it is provided for educational purposes or to assist your development or administration efforts. Your use rights and restrictions for each sample code item are described in the applicable license agreement. Except as may be expressly stated in the applicable license agreement or product documentation, sample code is provided “as is” and is not supported by Oracle.

You might also ask why it takes longer to “productize” these standards than it does to produce them as sample code. Well, the reason is straightforward. “Productizing” something requires a much more rigorous process. It requires, among other things, the following:

  • Rigorous quality assurance testing – To add functionality to an existing product, you may need to build new quality assurance tests, run them at volume, identify and fix any bugs.
  • Documentation – Any new functionality must of course be documented, both in the online documentation set and the online help.
  • Minimization or removal of assumptions – as an example, sample code may create objects in the USERS tablespace (and in fact the Oracle Database 12c STIG compliance standards do just that). What happens if the repository database you’re using doesn’t even have a USERS tablespace? In sample code, you can just say, “Well, just edit this SQL file and replace the USERS tablespace with your own.” In production code, you would probably parameterize this in the SQL, so the installing DBA is prompted for the name of the tablespace to create the objects in.
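As an added illustration of the parameterization point above (this is not the sample code's own installation script, and the table name and columns are hypothetical), a SQL*Plus install script can prompt the DBA for the tablespace, validate it against DBA_TABLESPACES, and only then create the object:

```sql
-- Added example, not from the OTN sample code: prompt for the tablespace instead
-- of hard-coding USERS. Run from SQL*Plus as a user with SELECT on DBA_TABLESPACES.
SET VERIFY OFF
WHENEVER SQLERROR EXIT FAILURE
ACCEPT stig_tbs CHAR DEFAULT 'USERS' PROMPT 'Tablespace for the STIG reporting objects [USERS]: '

-- Fail early with a clear message if the chosen tablespace does not exist or is
-- not a permanent tablespace, rather than letting CREATE TABLE fail with ORA-00959.
DECLARE
  l_cnt PLS_INTEGER;
BEGIN
  SELECT COUNT(*)
    INTO l_cnt
    FROM dba_tablespaces
   WHERE tablespace_name = UPPER('&stig_tbs')
     AND contents = 'PERMANENT';
  IF l_cnt = 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Tablespace &stig_tbs does not exist or is not a permanent tablespace');
  END IF;
END;
/

-- Hypothetical table for "status of each STIG rule by target and STIG";
-- the real sample code's object names are not shown on this page.
CREATE TABLE stig_rule_status (
  target_name   VARCHAR2(256) NOT NULL,
  stig_name     VARCHAR2(128) NOT NULL,
  rule_id       VARCHAR2(64)  NOT NULL,
  status        VARCHAR2(32)  NOT NULL,
  evaluated_on  DATE DEFAULT SYSDATE NOT NULL,
  CONSTRAINT stig_rule_status_pk PRIMARY KEY (target_name, stig_name, rule_id)
) TABLESPACE &stig_tbs;
```

Pressing Enter at the prompt keeps the USERS default, so the script still installs unattended on a repository that has that tablespace.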

And on it goes. As you can tell, there is a lot more rigour to product code development than there is sample code development. However, sample code can still be useful for allowing you to test new functionality before it becomes available as part of the product, and that’s why we’re announcing the release of the Oracle Database 12c STIG compliance standard sample code now.

I hope I’ve whetted your appetite enough to make you want to have a look at this sample code. Over the next couple of posts, I’ll walk you through downloading and installing the code, as well as using the new compliance standards against your Oracle Database 12c targets. Don’t forget those sample code restrictions though! 🙂

Update 1: Here’s the first post on installing the sample code.

Update 2: And here’s the second post, on associating Oracle Database 12c databases with the STIG framework.


After 22 years of working at Oracle in just about every role except Marketing and Support, in December 2016 I moved to a new role with a small company called archTIS, based out of Barton in the ACT, Australia. My new role is the technical architect for the company and I own the product technical solutions for the products produced by archTIS. archTIS has developed strategic architecture and solution services to enable the rapid implementation and accreditation of secure information management and sharing capabilities for both the enterprise and the smaller communities of interest. You can find out more about the company at our web site. I am also a member of the OakTable Network, and have presented at RMOUG Training Days, Hotsos Symposia, Oracle OpenWorld conferences, and other user group events. I have co-authored the Expert Oracle Enterprise Manager 12c and Practical Oracle Database Appliance books published by Apress, and am one of the authors of the Building Database Clouds in Oracle Database 12c book published by Addison Wesley.
