Enterprise Manager STIG Compliance Standards for Oracle Database 11gR2

This is the second of the two posts I wanted to copy from Dave Wolf’s web site. As I mentioned in the first of these two posts, Dave is a colleague of mine who used to own the DBLM area as far as the Enterprise Manager product management team is concerned. However, he has moved to another area in Oracle and I have inherited his responsibilities for change management, compliance management and configuration management, so I want to make sure this material remains available. This post was originally written in April, 2015, and relates to the STIG compliance standards for Oracle Database 11gR2. I’ll be updating this material with another blog in the next month or so with information on the latest STIG compliance standards, so stay tuned for that! But here’s Dave’s earlier post:

Last Friday [Note from Pete: April 10, 2015], Oracle released new Enterprise Manager compliance standards based on DISA’s Security Technical Information Guide (STIG) for Oracle Database 11.2g Version 1 Release 2. These standards are specifically for use with Oracle Database 11g Release 2, both single instance and RAC.

This is actually the second compliance content update since February. The previous one included an update to the Oracle Database 11g STIG standard bringing support from Release 8 to 11.

Both updates were made available via Enterprise Manager’s Self-Update feature. To download them, go to Setup->Extensibility->Self Update. Select ‘Compliance Content’, which will take you to the ‘Compliance Content Updates’ page. Here you should see the compliance standards in either Available, Downloaded or Applied state. Simply select the row and click Download to retrieve the standard. When the download has completed, click Apply to make it available in the compliance library.

After applying both compliance standards, you should see six STIG related standards in the Compliance Library.

If you are currently using one of the ‘Security Technical Implementation Guide (STIG Version 1.8)’ standards you should move to one of the updated versions. Which new version to use depends on the version of each database. For 11gR1 databases use the updated ‘STIG Version 8 Release 1.11’ standard. For 11gR2 databases, you should use the new ‘Oracle 11.2g Database STIG – Version 1, Release 2’ standards.

To migrate, simply associate the targets to the new standard and unassociate them from the old version. You could even run both in parallel until you are comfortable with the new results.

If you were not previously using the STIG standards but are planning to start, I suggest first reviewing my original blog on this topic, which gives a quick overview of these standards and contains a link to a compliance overview screenwatch.

Documentation on these and other Oracle Database Compliance standards can be found in the Oracle Database Compliance Standards reference guide on OTN.

Pete

After 22 years of working at Oracle in just about every role except Marketing and Support, I am now working as a Senior Managed Services Consultant with Red Stack Tech, specializing in Oracle Database technology, High Availability and Disaster Recovery solutions. I am also a member of the OakTable Network, and have presented at RMOUG Training Days, Hotsos Symposia, Oracle OpenWorld conferences, and other user group events. I have co-authored the Expert Oracle Enterprise Manager 12c and Practical Oracle Database Appliance books published by Apress, and am one of the authors of the Building Database Clouds in Oracle Database 12c book published by Addison Wesley.

2 Comments:

  1. christopher peterson

    Pete, we have run into an issue when STIGing against the Oracle 12c STIG checklist provided by DISA. It seems that there are no longer any scripts or automated processes available to check the compliance of our various 12c databases. We have several sites worldwide and are trying to develop a baseline DB that can go out, with an automated tool that various site personnel can use to check for compliance. I was wondering if Enterprise Manager had been updated with the 12c automated scripts and SQL commands. Respectfully, Chris