Installing the Oracle Database 12c STIG Compliance Standard Sample Code

In a recent post, I announced the release of some sample code that created two new compliance standards for DISA’s Oracle Database 12c Security Technical Implementation Guide. The sample code includes details on how to install the compliance standards, but I wanted to walk you through an example of installing it with screenshots and more commentary than is in the sample code. So let’s start off with some of the assumptions you need to be aware of.

Sample Code Prerequisite Assumptions

As I mentioned in the post announcing the sample code, there are some inbuilt assumptions when using this sample code:

  • Just to reiterate, sample code has limitations. Specifically, sample code is provided for educational purposes or to assist your development or administration efforts. Your use rights and restrictions for each sample code item are described in the applicable license agreement. Except as may be expressly stated in the applicable license agreement or product documentation, sample code is provided “as is” and is not supported by Oracle.
  • The sample code creates a user in the repository database called STIGTOOL, and provides a variety of fairly basic privileges to that user (CREATE TABLE, CREATE PROCEDURE, and SELECT access to various management views). The exact listing is in either the stigtool_grants_EM13_v1_3.sql file or the stigtool_grants_EM12_v1_3.sql file (depending on the version you are installing the sample code in). Obviously, this means that you must not already have a user called STIGTOOL. 🙂
  • The sample code also grants an unlimited quota on the USERS tablespace to the STIGTOOL user, and creates a number of objects in that tablespace. If you don’t have a USERS tablespace, you will need to either create one (it only needs to be fairly small) or edit the SQL scripts that create the different objects.
  • The code was written and tested against Oracle Database 12c databases running on Linux. As documented in section 22.4.1 of the EM13c Oracle Compliance Standards Reference manual (the equivalent section in the 12c documentation is section 7.4 of the Oracle Database Compliance Standards manual), there are limitations where some STIG checks are not implemented against Windows databases. Largely this is because the checks are not able to be automated in a Windows environment.
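
The assumptions above can be checked with a few dictionary queries before anything is installed. This is an added example, not part of Oracle's sample code; it assumes a SQL*Plus or SQLcl session as a user who can read the DBA_* and V$ views, and the comments say which database each query is meant for.

```sql
-- Added example, not part of Oracle's sample code.

-- 1. Repository database: the sample code creates STIGTOOL, so it must not exist.
SELECT CASE WHEN COUNT(*) = 0
            THEN 'OK: no existing STIGTOOL user'
            ELSE 'STOP: a STIGTOOL user already exists'
       END AS stigtool_user_check
FROM   dba_users
WHERE  username = 'STIGTOOL';

-- 2. Repository database: STIGTOOL gets an unlimited quota on USERS.
SELECT CASE WHEN COUNT(*) = 1
            THEN 'OK: USERS tablespace is present and online'
            ELSE 'STOP: create USERS or edit the object-creation scripts'
       END AS users_tablespace_check
FROM   dba_tablespaces
WHERE  tablespace_name = 'USERS'
AND    status = 'ONLINE'
AND    contents = 'PERMANENT';

-- 3. Each target database: compare with the tested configuration (12c on Linux).
SELECT d.platform_name,
       i.version,
       CASE WHEN d.platform_name LIKE 'Linux%' AND i.version LIKE '12.%'
            THEN 'OK: matches the tested configuration'
            ELSE 'REVIEW: not the configuration the sample code was tested on'
       END AS tested_config_check
FROM   v$database d CROSS JOIN v$instance i;

-- 4. Repository database, after running the grants script: list what STIGTOOL
--    actually holds and compare it with the contents of that script.
SELECT 'SYSTEM PRIVILEGE' AS grant_type, privilege AS granted, NULL AS on_object
FROM   dba_sys_privs WHERE grantee = 'STIGTOOL'
UNION ALL
SELECT 'OBJECT PRIVILEGE', privilege, owner || '.' || table_name
FROM   dba_tab_privs WHERE grantee = 'STIGTOOL'
UNION ALL
SELECT 'ROLE', granted_role, NULL
FROM   dba_role_privs WHERE grantee = 'STIGTOOL'
UNION ALL
SELECT 'QUOTA', DECODE(max_bytes, -1, 'UNLIMITED', TO_CHAR(max_bytes)), tablespace_name
FROM   dba_ts_quotas WHERE username = 'STIGTOOL'
ORDER  BY 1, 2, 3;
```

Any row from query 4 that does not correspond to a line in the grants script is worth investigating before the account is left in place.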

Downloading the Sample Code

Enough with the assumptions, it’s time to kick the tyres (or tires for my American friends!) on this puppy! The first thing you need to do is download the sample code. Click this link to go directly to the Enterprise Manager sample code downloads page:


Before you can download the sample code, you will need to accept the license agreement by clicking the “Accept License Agreement” radio button. You can then click the file name in the “Download” column to download the sample code:


UPDATE: I believe the file stored by Oracle has been changed. The original copy, if you want it, is located here.

Save the file to a location where you can access it, and unzip it. Drill down to the OEM_STIG_Sample_v1_3_2/OEM_STIG_Sample_v1_3/Sample12cSTIG directory, and unzip the file as well. Now you can move on to the actual installation.

Installing the Oracle Database 12c STIG Compliance Framework

NOTE: In this walkthrough, I am using EM 13.2. The screenshots will obviously look a little bit different if you are using EM12c.

The first step you need to take is to import the configuration extensions that have been created as part of the 12c STIG compliance framework. To do this, select the “Enterprise” menu, followed by “Configuration” then “Configuration Extensions”:


On the “Configuration Extensions” page, select “Import” from the “Actions” dropdown menu:


Click the “Choose file” button to select the file you want to import:


Navigate to the location you unzipped the file to earlier, select the “Oracle Database 12c Single Instance Database STIG Configuration.xml” file and click “Open”:


Click the “Import” button:


Repeat the same process to import the “Oracle Database 12c PDB STIG Configuration.xml” file. Once you have imported both files, you should see the two new configuration extensions listed on the “Configuration Extensions” page:


The next step is to import the compliance framework itself. To do this, select the “Enterprise” menu, followed by “Compliance” and “Library”:


Again, select “Import” from the “Actions” dropdown menu:


Click the “Choose file” button and navigate to the same folder as before. This time, select the “gcc.xml” file and click “Open”:


Click “OK” to import the compliance framework:


NOTE: It may take a minute or so to upload the file depending on your network connectivity.

Once the file is uploaded and imported, you should see a confirmation message that the compliance content imported successfully, and the Oracle 12c Database STIG framework will now be listed along with the other compliance frameworks. Click the “OK” button to remove the confirmation window:


Once the import is complete, the installation of the Oracle Database 12c STIG compliance framework is done. Next we can associate our 12c databases with the relevant compliance standards. That will be the subject of another blog post, so stay tuned for more on that!


After 22 years of working at Oracle in just about every role except Marketing and Support, I am now working as a Senior Managed Services Consultant with Data Intensity, specializing in Oracle Database technology, High Availability and Disaster Recovery solutions. I am also a member of the OakTable Network, and have presented at RMOUG Training Days, Hotsos Symposia, Oracle OpenWorld conferences, and other user group events. I have co-authored the Expert Oracle Enterprise Manager 12c and Practical Oracle Database Appliance books published by Apress, and am one of the authors of the Building Database Clouds in Oracle Database 12c book published by Addison Wesley.


  1. A good promotion.. Hopefully this will be adopted by many sites so a more standard approach will be used by more dba/sysadmin people. (Just like OFA in the old days, post v5 of the rdbms.)

  2. Hi,

    Can we use this code on an OEM, or does it need to be OEM13?

    • There are different scripts that need to be run for EM12 versus EM13, as I mentioned in the original post. Both sets of scripts are contained in the file linked to from the post, so just use whichever one is relevant to you. IIRC, none of this was tested on earlier than, but I did write this post nearly a year ago so I could be wrong! 🙂

      • Pete, Thank you for the time that you put into this blog. The sample code package has been replaced with a new package which contains only the older 11g Framework. Would you know where the zip file you referenced could still be found?

        • Thanks for letting me know, Kevin. Unfortunately, I have no access to Oracle material any more since I was made redundant from Oracle over a year ago. It does so happen, however, that I still have a copy of the file locally. 🙂 I’ll change the link on the page to this local copy.
