Implementing Security Compliance using Policy … (2009/10/12)

Rob Zoeteweij

Rob Zoeteweij
◦ Working with Oracle Technology since 1985
◦ Development / DBA / Consulting
◦ Last 6 years
  Oracle Expert Service (Oracle The Netherlands)
  Focus on OEM Grid Control / RAC - ASM
  Independent Oracle Consultant
  Implementation of OEM Grid Control
    Rabobank
    Shell
    ING Bank

This presentation
◦ Is about the implementation of Security Compliance in OEM Grid Control
◦ Covers OEM 10.2.0.4 – 10.2.0.5
◦ Shows how to … / how it works
◦ Is based on real project experiences

Security at Customer’s Site
Policy Rules
Policy Groups
Q & A

Needed to implement
◦ SOX
  Sarbanes-Oxley Act of 2002 (Wikipedia)
  Public Company Accounting Reform and Investor Protection Act of 2002
  AKA Sarbanes-Oxley, Sarbox or SOX
  Sponsors: Senator Paul Sarbanes and Representative Michael G. Oxley
  In response to a number of major corporate and accounting scandals, incl. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom

SOX
◦ Not a static list
◦ Not a standard list
◦ The actual measures can differ per company
◦ Both organisational and technical

SOX
◦ Measures to stay compliant with the Customer Security Rules
◦ Separation of facilities for Development, Testing and Production
  Developers / testers don’t have access to Production servers …
◦ Backups need to be available and tested
  Will be located at a different location than the source
  Need to be accessible for authorized employees only
◦ Audit logs need to be created
  All user actions must be logged and fully traceable to an individual …
◦ System access
  Based on “Least privilege” and “Need to know”
◦ ...

To identify the importance level of an automated system
AIC code
◦ Availability – Integrity – Confidentiality
◦ A – [1-3], I – [1-3], C – [1-3]
  Impact 1 – Low, 2 – Middle, 3 – High
Example
  I = 2: Financial transactions that can be reversed without any (image) damage
  I = 3: Financial transactions that cannot be reversed without any (image) damage

AIC code
◦ Needs to be applied to Systems
  Applications
  Application Servers
  Servers (Hosts)
  Database Listeners
  Databases

AIC codes in use at Customer’s Site
◦ 222 – 232 – 233 – 322 – 332 – 333

Security at Customer’s Site
Policy Rules
Policy Groups
Q & A

Policies
◦ Policies define the desired behaviour or characteristics of systems
◦ A Policy is compliant if it is determined that a target meets the desired state
  Example: Oracle Home Executable Files Permission
  Ensure that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
  If a Target does not meet this state, the Policy is violated
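One way to reproduce the "Oracle Home Executable Files Permission" check outside the console, as an added example (not Oracle's policy code): it walks an ORACLE_HOME, prunes the exempt bin directory and reports every regular file with any world read, write or execute bit set (the strict reading of the rule). The directory layout, file names and modes are constructed sample data.

```python
import os
import stat
import tempfile

EXEMPT_DIRS = ("bin",)  # ORACLE_HOME/bin is excluded by the policy text


def public_bits(path):
    """Return the 'other' (world) permission bits of a file, 0-7."""
    return stat.S_IMODE(os.lstat(path).st_mode) & 0o007


def find_public_files(oracle_home):
    """Walk ORACLE_HOME and list regular files that are readable, writable or
    executable by 'other'. Any of the three bits counts as a violation (the
    strict reading of the policy). Returns sorted (relative path, other-bits)."""
    violations = []
    for root, dirs, files in os.walk(oracle_home):
        if root == oracle_home:  # prune only the top-level bin directory
            dirs[:] = [d for d in dirs if d not in EXEMPT_DIRS]
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full):  # link modes are not meaningful, skip them
                continue
            bits = public_bits(full)
            if bits:
                violations.append((os.path.relpath(full, oracle_home), oct(bits)))
    return sorted(violations)


def build_fixture():
    """Create a throw-away ORACLE_HOME with compliant and non-compliant files.
    Constructed sample layout, not a real Oracle installation."""
    home = tempfile.mkdtemp(prefix="oracle_home_")
    layout = {
        "bin/sqlplus": 0o755,                 # exempt: lives in ORACLE_HOME/bin
        "lib/libclntsh.so": 0o644,            # violation: world-readable
        "network/admin/listener.ora": 0o640,  # compliant: no 'other' bits
        "rdbms/admin/catalog.sql": 0o606,     # violation: world read+write
    }
    for rel, mode in layout.items():
        full = os.path.join(home, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)
    return home


if __name__ == "__main__":
    for rel, bits in find_public_files(build_fixture()):
        print("VIOLATION %s (other bits %s)" % (rel, bits))
```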

Policies – other examples
◦ Ensure database auditing is enabled
  Each activity in the database should be traceable
◦ Default passwords
  Ensure there are no default passwords for known accounts
◦ Open TCP/IP Ports
  Ensure that no unintended ports are left open
◦ …

Based on the AIC codes in use, create:
◦ Monitoring Templates
  Only Policy Rules included
  STP – <Target Type> – AIC<code>
  STP – Listener – AIC332
  STP – HTTP Server – AIC223
  STP – Cluster Database – AIC322
  …

Use Groups to apply the Templates to the Targets
Group organisation
◦ PG-<Target Type>_AIC<Code>_<Phase (Dev, Tst, Acc, Prd)>
  PG-Cluster_Databases_AIC233_Test
  PG-Database_Instances_AIC333_Prod
  …
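The AIC-code, template and group conventions above, worked as an added example (not the customer's or Oracle's tooling): from a target inventory it derives the distinct STP templates and PG groups that have to exist and flags any target whose AIC code is not on the customer's list. Names use an ASCII hyphen throughout; the inventory and target names are constructed.

```python
import re

# AIC codes the customer actually uses (from the slides above); any other code
# in the inventory is flagged before templates and groups are created.
AIC_CODES_IN_USE = {"222", "232", "233", "322", "332", "333"}
PHASES = ("Dev", "Tst", "Acc", "Prd")  # <Phase> values from the group convention


def parse_aic(code):
    """Split an AIC code such as '332' into (A, I, C) impact levels, each 1-3."""
    if not re.fullmatch(r"[1-3]{3}", code):
        raise ValueError("AIC code must be three digits 1-3, got %r" % code)
    return tuple(int(d) for d in code)


def template_name(target_type, code):
    """Monitoring template holding only policy rules: STP - <Target Type> - AIC<code>."""
    parse_aic(code)
    return "STP - %s - AIC%s" % (target_type, code)


def group_name(target_type, code, phase):
    """Group the template is applied through: PG-<Target Type>_AIC<Code>_<Phase>."""
    parse_aic(code)
    if phase not in PHASES:
        raise ValueError("unknown phase %r, expected one of %s" % (phase, PHASES))
    return "PG-%s_AIC%s_%s" % (target_type.replace(" ", "_"), code, phase)


def plan(inventory):
    """From (target, type, AIC code, phase) rows derive the distinct templates and
    groups that must exist. Returns (templates, group -> [targets], off-list codes)."""
    templates, groups, problems = set(), {}, []
    for name, ttype, code, phase in inventory:
        if code not in AIC_CODES_IN_USE:
            problems.append((name, code))  # needs a decision before it gets a group
            continue
        templates.add(template_name(ttype, code))
        groups.setdefault(group_name(ttype, code, phase), []).append(name)
    return sorted(templates), groups, problems


# Constructed sample inventory (hypothetical target names, not customer data).
SAMPLE_INVENTORY = [
    ("rac1", "Cluster Database", "332", "Tst"),
    ("rac2", "Cluster Database", "332", "Tst"),
    ("hrdb", "Database Instance", "333", "Prd"),
    ("lsnr_hr", "Listener", "332", "Prd"),
    ("web01", "HTTP Server", "123", "Dev"),  # well-formed but not a code in use
]
```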

Group PG-Cluster_Databases_AIC332_Test
Includes all Cluster Databases to which AIC code 332 applies

Policy Rules
◦ “Real Time” evaluation
  Every 24 hours (default)
◦ Will be evaluated right after application to a Target
◦ Violations shown in
  EM Console Homepage
  Target Homepage
  Group / System Homepage
◦ Create your own
  User Defined Policies

Security at Customer’s Site
Policy Rules
Policy Groups
Q & A

Policy Groups
◦ Compliance
◦ Logical Group of Policies
  10.2.0.4 – 3 Out of Box Groups
    Secure Configuration for Oracle Database
    Secure Configuration for Oracle Listener
    Secure Configuration for Oracle Real Application Cluster
  10.2.0.5 – Create your own

Diagram: Policy Group (Rule 1, Rule 2, … Rule n) – Group (Target 1, Target 2, … Target n) – Evaluation Schedule

Policy Groups
◦ Logically grouped
◦ Instead of Monitoring Templates
◦ Evaluation based on schedule
◦ Compliance Score (should move towards 100%)
◦ Trend (is it getting better?)