Installing the Oracle Database 12c STIG Compliance Standard Sample Code

In a recent post, I announced the release of some sample code that created two new compliance standards for DISA’s Oracle Database 12c Security Technical Implementation Guide. The sample code includes details on how to install the compliance standards, but I wanted to walk you through an example of installing it with screenshots and more commentary than is in the sample code. So let’s start off with some of the assumptions you need to be aware of.

Sample Code Prerequisite Assumptions

As I mentioned in the post announcing the sample code, there are some inbuilt assumptions when using this sample code:

  • Just to reiterate, sample code has limitations. Specifically, sample code is provided for educational purposes or to assist your development or administration efforts. Your use rights and restrictions for each sample code item are described in the applicable license agreement. Except as may be expressly stated in the applicable license agreement or product documentation, sample code is provided “as is” and is not supported by Oracle.
  • The sample code creates a user in the repository database called STIGTOOL, and provides a variety of fairly basic privileges to that user (CREATE TABLE, CREATE PROCEDURE, and SELECT access to various management views). The exact listing is in either the stigtool_grants_EM13_v1_3.sql file or the stigtool_grants_EM12_v1_3.sql file (depending on the version you are installing the sample code in). Obviously, this means that you must not already have a user called STIGTOOL. 🙂
  • The sample code also grants an unlimited quota on the USERS tablespace to the STIGTOOL user, and creates a number of objects in that tablespace. If you don’t have a USERS tablespace, you will need to either create one (it only needs to be fairly small) or edit the SQL scripts that create the different objects.
  • The code was written and tested against Oracle Database 12c databases running on Linux. As documented in section 22.4.1 of the EM13c Oracle Compliance Standards Reference manual (the equivalent section in the 12c documentation is section 7.4 of the Oracle Database Compliance Standards manual), some STIG checks are not implemented against Windows databases, largely because those checks cannot be automated in a Windows environment.
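
Before and after running the grants script, it is worth confirming the assumptions above directly in the repository database. The queries below are an added example written for this post, not part of Oracle's sample code; they assume a SQL*Plus (or similar) session connected to the EM repository database with DBA privileges, and they rely only on standard Oracle data dictionary views (DBA_USERS, DBA_TABLESPACES, DBA_SYS_PRIVS, DBA_TAB_PRIVS, DBA_TS_QUOTAS, DBA_SEGMENTS).

```sql
-- Added example, not part of Oracle's sample code.
-- Run as a DBA in the EM repository database.

-- Pre-install check 1: the scripts create STIGTOOL, so it must not
-- already exist. Expect zero rows before running stigtool_grants_*.sql.
SELECT username, account_status, default_tablespace
  FROM dba_users
 WHERE username = 'STIGTOOL';

-- Pre-install check 2: the scripts grant an unlimited quota on USERS,
-- so confirm the tablespace exists and is ONLINE.
SELECT tablespace_name, status, contents
  FROM dba_tablespaces
 WHERE tablespace_name = 'USERS';

-- Post-install check 1: the system privileges actually granted.
-- Compare this list against the grants script you ran so that nothing
-- beyond CREATE TABLE / CREATE PROCEDURE (and whatever else the script
-- lists) has crept in.
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'STIGTOOL'
 ORDER BY privilege;

-- Post-install check 2: the object privileges (SELECT on management
-- views) granted to STIGTOOL, again for comparison with the script.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'STIGTOOL'
 ORDER BY owner, table_name, privilege;

-- Post-install check 3: the tablespace quota.
-- MAX_BYTES = -1 means UNLIMITED on that tablespace.
SELECT tablespace_name, max_bytes, bytes
  FROM dba_ts_quotas
 WHERE username = 'STIGTOOL';

-- Post-install check 4: where STIGTOOL's stored objects were created.
-- Everything should be in USERS; any other tablespace here means a
-- script was edited or a default tablespace differs from the assumption.
SELECT tablespace_name, segment_type, COUNT(*) AS segment_count
  FROM dba_segments
 WHERE owner = 'STIGTOOL'
 GROUP BY tablespace_name, segment_type
 ORDER BY tablespace_name, segment_type;
```

The two post-install privilege queries are the useful ones from a least-privilege standpoint: the grants script is the documented intent, and the dictionary views are what the database actually enforces, so any difference between them is something to explain before you rely on the STIGTOOL account.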

Downloading the Sample Code

Enough with the assumptions, it’s time to kick the tyres (or tires for my American friends!) on this puppy! The first thing you need to do is download the sample code. Click this link to go directly to the Enterprise Manager sample code downloads page:

stig01

Before you can download the sample code, you will need to accept the license agreement by clicking the “Accept License Agreement” radio button. You can then click the file name in the “Download” column to download the sample code:

stig02

Save the file to a location where you can access it, and unzip it. Drilldown to the OEM_STIG_Sample_v1_3_2/OEM_STIG_Sample_v1_3/Sample12cSTIG directory, and unzip the 12cSTIG.zip file as well. Now you can move on to the actual installation.

Installing the Oracle Database 12c STIG Compliance Framework

NOTE: In this walkthrough, I am using EM 13.2. The screenshots will obviously look a little bit different if you are using EM12c.

The first step you need to take is to import the configuration extensions that have been created as part of the 12c STIG compliance framework. To do this, select the “Enterprise” menu, followed by “Configuration” then “Configuration Extensions”:

stig03

On the “Configuration Extensions” page, select “Import” from the “Actions” dropdown menu:

stig04

Click the “Choose file” button to select the file you want to import:

stig05

Navigate to the location you unzipped the 12cSTIG.zip file to earlier, select the “Oracle Database 12c Single Instance Database STIG Configuration.xml” file and click “Open”:

stig06

Click the “Import” button:

stig07

Repeat the same process to import the “Oracle Database 12c PDB STIG Configuration.xml” file. Once you have imported both files, you should see the two new configuration extensions listed on the “Configuration Extensions” page:

stig08

The next step is to import the compliance framework itself. To do this, select the “Enterprise” menu, followed by “Compliance” and “Library”:

stig09

Again, select “Import” from the “Actions” dropdown menu:

stig10

Click the “Choose file” button and navigate to the same folder as before. This time, select the “gcc.xml” file and click “Open”:

stig11

Click “OK” to import the compliance framework:

stig12

NOTE: It may take a minute or so to upload the file depending on your network connectivity.

Once the file is uploaded and imported, you should see a confirmation message that the compliance content imported successfully, and the Oracle 12c Database STIG framework will now be listed along with the other compliance frameworks. Click the “OK” button to remove the confirmation window:

stig13

Once the import is complete, the installation of the Oracle Database 12c STIG compliance framework is done. Next we can associate our 12c databases with the relevant compliance standards. That will be the subject of another blog post, so stay tuned for more on that!

Pete

After 22 years of working at Oracle in just about every role except Marketing and Support, in December 2016 I moved to a new role with a small company called archTIS, based out of Barton in the ACT, Australia. My new role is the technical architect for the company and I own the product technical solutions for the products produced by archTIS. archTIS has developed strategic architecture and solution services to enable the rapid implementation and accreditation of secure information management and sharing capabilities for both the enterprise and the smaller communities of interest. You can find out more about the company at our web site, www.archtis.com. I am also a member of the OakTable Network, and have presented at RMOUG Training Days, Hotsos Symposia, Oracle OpenWorld conferences, and other user group events. I have co-authored the Expert Oracle Enterprise Manager 12c and Practical Oracle Database Appliance books published by Apress, and am one of the authors of the Building Database Clouds in Oracle Database 12c book published by Addison Wesley.

2 Comments:

  1. A good promotion.. Hopefully this will be adopted by many sites so a more standard approach will be used by more dba/sysadmin people. (Just like OFA in the old days, post v5 of the rdbms.)
