In a recent post, I announced the release of some sample code that created two new compliance standards for DISA’s Oracle Database 12c Security Technical Implementation Guide. The sample code includes details on how to install the compliance standards, but I wanted to walk you through an example of installing it with screenshots and more commentary than is in the sample code. So let’s start off with some of the assumptions you need to be aware of.
Sample Code Prerequisite Assumptions
As I mentioned in the post announcing the sample code, there are some inbuilt assumptions when using this sample code:
- Just to reiterate, sample code has limitations. Specifically, sample code is provided for educational purposes or to assist your development or administration efforts. Your use rights and restrictions for each sample code item are described in the applicable license agreement. Except as may be expressly stated in the applicable license agreement or product documentation, sample code is provided “as is” and is not supported by Oracle.
- The sample code creates a user in the repository database called STIGTOOL, and grants a variety of fairly basic privileges to that user (CREATE TABLE, CREATE PROCEDURE, and SELECT access to various management views). The exact listing is in either the stigtool_grants_EM13_v1_3.sql file or the stigtool_grants_EM12_v1_3.sql file (depending on the version you are installing the sample code in). Obviously, this means that you must not already have a user called STIGTOOL. 🙂
- The sample code also grants an unlimited quota on the USERS tablespace to the STIGTOOL user, and creates a number of objects in that tablespace. If you don’t have a USERS tablespace, you will need to either create one (it only needs to be fairly small) or edit the SQL scripts that create the different objects.
- The code was written and tested against Oracle Database 12c databases running on Linux. As documented in section 22.4.1 of the EM13c Oracle Compliance Standards Reference manual (the equivalent section in the 12c documentation is section 7.4 of the Oracle Database Compliance Standards manual), there are limitations where some STIG checks are not implemented against Windows databases. Largely this is because the checks are not able to be automated in a Windows environment.
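Before running the grant scripts, it is worth confirming the assumptions above against the repository database. The following PL/SQL block is an added example (not part of Oracle's sample code) that checks for an existing STIGTOOL user and for the USERS tablespace, and reports the version and platform so you can compare them with the tested 12c-on-Linux configuration; run it as a DBA user with SQL*Plus.

```sql
-- Added pre-installation check for the STIG sample code assumptions.
-- Not part of Oracle's sample code. Assumes the user name STIGTOOL and the
-- USERS tablespace exactly as the sample code's grant scripts expect them.
SET SERVEROUTPUT ON
DECLARE
  v_count    PLS_INTEGER;
  v_problems PLS_INTEGER := 0;
  v_version  v$instance.version%TYPE;
  v_port     VARCHAR2(100);
BEGIN
  -- 1. The grant scripts create STIGTOOL, so it must not already exist.
  SELECT COUNT(*) INTO v_count FROM dba_users WHERE username = 'STIGTOOL';
  IF v_count > 0 THEN
    v_problems := v_problems + 1;
    DBMS_OUTPUT.PUT_LINE('FAIL: user STIGTOOL already exists');
  ELSE
    DBMS_OUTPUT.PUT_LINE('OK:   no existing STIGTOOL user');
  END IF;

  -- 2. The scripts grant an unlimited quota on USERS and create objects there.
  SELECT COUNT(*) INTO v_count
    FROM dba_tablespaces WHERE tablespace_name = 'USERS';
  IF v_count = 0 THEN
    v_problems := v_problems + 1;
    DBMS_OUTPUT.PUT_LINE('FAIL: USERS tablespace missing (create it or edit the scripts)');
  ELSE
    DBMS_OUTPUT.PUT_LINE('OK:   USERS tablespace present');
  END IF;

  -- 3. Informational: version and platform. The Windows limitation applies to
  --    the monitored databases, so run this part there as well if in doubt.
  SELECT version INTO v_version FROM v$instance;
  v_port := DBMS_UTILITY.PORT_STRING;
  DBMS_OUTPUT.PUT_LINE('INFO: version ' || v_version || ' on ' || v_port);
  IF v_port NOT LIKE '%Linux%' THEN
    DBMS_OUTPUT.PUT_LINE('WARN: not Linux; some STIG checks are not automated on Windows');
  END IF;

  -- Fail loudly so a scripted install stops before the grant scripts run.
  IF v_problems > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, v_problems || ' prerequisite check(s) failed');
  END IF;
END;
/
```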
Downloading the Sample Code
Enough with the assumptions, it’s time to kick the tyres (or tires for my American friends!) on this puppy! The first thing you need to do is download the sample code. Click this link to go directly to the Enterprise Manager sample code downloads page:
Before you can download the sample code, you will need to accept the license agreement by clicking the “Accept License Agreement” radio button. You can then click the file name in the “Download” column to download the sample code:
UPDATE: I believe the file stored by Oracle has been changed. The original copy, if you want it, is located here.
Save the file to a location where you can access it, and unzip it. Drill down to the OEM_STIG_Sample_v1_3_2/OEM_STIG_Sample_v1_3/Sample12cSTIG directory, and unzip the 12cSTIG.zip file as well. Now you can move on to the actual installation.
Installing the Oracle Database 12c STIG Compliance Framework
NOTE: In this walkthrough, I am using EM 13.2. The screenshots will obviously look a little bit different if you are using EM12c.
The first step you need to take is to import the configuration extensions that have been created as part of the 12c STIG compliance framework. To do this, select the “Enterprise” menu, followed by “Configuration” then “Configuration Extensions”:
On the “Configuration Extensions” page, select “Import” from the “Actions” dropdown menu:
Click the “Choose file” button to select the file you want to import:
Navigate to the location you unzipped the 12cSTIG.zip file to earlier, select the “Oracle Database 12c Single Instance Database STIG Configuration.xml” file and click “Open”:
Click the “Import” button:
Repeat the same process to import the “Oracle Database 12c PDB STIG Configuration.xml” file. Once you have imported both files, you should see the two new configuration extensions listed on the “Configuration Extensions” page:
The next step is to import the compliance framework itself. To do this, select the “Enterprise” menu, followed by “Compliance” and “Library”:
Again, select “Import” from the “Actions” dropdown menu:
Click the “Choose file” button and navigate to the same folder as before. This time, select the “gcc.xml” file and click “Open”:
Click “OK” to import the compliance framework:
NOTE: It may take a minute or so to upload the file depending on your network connectivity.
Once the file is uploaded and imported, you should see a confirmation message that the compliance content imported successfully, and the Oracle 12c Database STIG framework will now be listed along with the other compliance frameworks. Click the “OK” button to dismiss the confirmation window:
Once the import is complete, the installation of the Oracle Database 12c STIG compliance framework is done. Next we can associate our 12c databases with the relevant compliance standards. That will be the subject of another blog post, so stay tuned for more on that!