This is the second of the two posts I wanted to copy from Dave Wolf’s web site. As I mentioned in the first of these two posts, Dave is a colleague of mine who used to own the DBLM area as far as the Enterprise Manager product management team is concerned. However, he has moved to another area in Oracle and I have inherited his responsibilities for change management, compliance management and configuration management, so I want to make sure this material remains available. This post was originally written in April, 2015, and relates to the STIG compliance standards for Oracle Database 11gR2. I’ll be updating this material with another blog in the next month or so with information on the latest STIG compliance standards, so stay tuned for that! But here’s Dave’s earlier post:
Last Friday [Note from Pete: April 10, 2015], Oracle released new Enterprise Manager compliance standards based on DISA’s Security Technical Information Guide (STIG) for Oracle Database 11.2g Version 1 Release 2. These standards are specifically for use with Oracle Database 11g Release 2, both single instance and RAC.
This is actually the second compliance content update since February. The previous one included an update to the Oracle Database 11g STIG standard bringing support from Release 8 to 11.
Both updates were made available via Enterprise Manager’s Self-Update feature. To download them, go to Setup->Extensibility->Self Update. Select ‘Compliance Content’ which will take you to the ‘Compliance Content Updates’ page. Here you should see the compliance standards in either Available, Downloaded or Applied state. Simply select the row and click Download to retrieve the standard. When the download has completed, click Apply to make it available in the compliance library.
After applying both compliance standards, you should see six STIG-related standards in the Compliance Library.
If you are currently using one of the ‘Security Technical Implementation Guide (STIG Version 1.8)’ standards you should move to one of the updated versions. Which new version to use depends on the version of each database. For 11gR1 databases use the updated ‘STIG Version 8 Release 1.11’ standard. For 11gR2 databases, you should use the new ‘Oracle 11.2g Database STIG – Version 1, Release 2’ standards.
To migrate, simply associate the targets to the new standard and unassociate them from the old version. You could even run both in parallel until you are comfortable with the new results.
If you were not previously using the STIG standards but are planning to start, I suggest first reviewing my original blog on this topic which gives a quick overview of these standards and contains a link to a compliance overview screenwatch.
Documentation on these and other Oracle Database Compliance standards can be found in the Oracle Database Compliance Standards reference guide on OTN.