
Secure your Oracle Database Configuration using Industry Standard CIS Benchmark

Oracle Enterprise Manager

Amol Chiplunkar, Senior Manager, Software Development

Harish Niddagatta, Senior Principal Product Manager

Timothy Mooney, Product Marketing Director

Copyright © 2020, Oracle and/or its affiliates |


Safe harbor statement

The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, timing, and pricing of any features or functionality described for Oracle’s
products may change and remains at the sole discretion of Oracle Corporation.

Best Practices For Security Compliance Using Enterprise Manager

We have worked with many companies to help secure database assets and ensure compliance with
security policies, and have compiled these steps for on-going compliance.

• Set up a security standard for your Oracle Database parameters to enforce your security policy

• Continuously monitor and report security violations across your Oracle Database environment

• Analyze and remediate security violations

Agenda

1. Enterprise Manager Overview
2. Security Challenges
3. Secure Compliance Management
4. Demo: Secure Oracle Database with CIS Benchmark
5. Q&A

Monitoring, Management and Control for Oracle Database and
Engineered Systems: Enterprise Manager

Comprehensive management
for Oracle Database and
Oracle Engineered Systems

Fleet-wide automation and
visibility across Oracle cloud
and on-premises assets

Centralized control of
integrated diagnostic, tuning
and lifecycle activities

Database Lifecycle Management Pack Overview

Comprehensive solution that helps database, system and application administrators automate the
processes required to manage the Oracle Database Lifecycle. Eliminates manual and time-consuming
tasks related to discovery, initial provisioning, patching, configuration management, and ongoing
change management.

DB Lifecycle Management capabilities (diagram): Provision, Patch, Upgrade, Clone, Configure,
Compliance, Change, Multitenant
Today’s Security Challenges

Unknown Security Vulnerabilities
• Undetected insecure configuration changes increase the risk of security exposure
• Limited visibility into compliance status

Weak account controls and audits
• Insecure user accounts and no limits on privileges and roles lead to access to restricted tables
• Lack of auditing of database activities means no visibility into compliance

Unprotected Data
• Thousands of databases with unprotected sensitive data
• Lack of security policies to protect tables with sensitive data elevates vulnerability

Lack of Enterprise-wide Tools
• Complexity in monitoring and assessing databases for security posture
• Hard to remediate non-compliance

Security Compliance Demands

CISO, CIO, CFO, Auditors
• How do I know databases are compliant with security policy?
• Is the compliance posture sufficiently improving?
• What do I need to do to fix SLA violations?

Information Security Officer
• Am I meeting my LOB compliance SLAs for Finance and HR specific database instances?
• What is the current security posture of database instances?
• Are my resources deployed effectively to ensure compliance?

Administrator or IT Compliance Analyst
• What violations do I need to remediate at this moment?
• What vulnerability do I fix next based on prioritization & risk level?
• How do I remediate violations?

Security Compliance Management with Enterprise Manager

• Continuous Security Compliance Management At Scale
• Automated Remediation
• Ready to use Standards

Ready to Use Compliance Security Standards

• Out of the box Security Standards
- CIS Benchmark Standards for Oracle 12c Database
- STIG Standards for Oracle Database 11g and 12c
- Oracle's best practices and security recommendations

• 1,000s of checks in the Compliance Library

• Automated remediation with corrective actions

• Customizable to meet internal best practices
- Leverage Oracle provided rules matching your own
- Tailor Oracle provided rules with known exceptions
- Build custom rules to exactly match requirements



Oracle Provided DB Compliance Content: Compliance Standards

• Pluggable Database
- Storage Best Practices for Pluggable Database
- Configuration Best Practices for Pluggable Database
- Basic Security Configuration for Pluggable Database

• Single Instance Database Instance (and RAC Instance)
- DISA Security STIG for Oracle Database
- Certification for Oracle Database
- Storage Best Practices for Oracle Database
- Configuration Best Practices for Oracle Database
- Basic Security Configuration for Oracle Database
- High Security Configuration for Oracle Database
- Patchable Configuration for Oracle Database
- Support Policy for Oracle Database

• Cluster Database
- DISA Security STIG for Oracle Database
- Basic Security Configuration for Oracle Cluster Database Instance
- High Security Configuration for Oracle Cluster Database Instance
- Certification for RAC Database
- Configuration Best Practices for Oracle RAC Database
- Patchable Configuration for RAC Database
- Storage Best Practices for Oracle RAC Database
- Support Policy for RAC Database

• Listener
- Basic Security Configuration for Oracle Listener
- High Security Configuration for Oracle Listener

500+ Individual Compliance Rules
CIS Benchmark Standards for Oracle Database 12c

Center for Internet Security (CIS) Standard for Oracle 12c Database

• Best practices for the secure configuration of DB 12c
• All rules are agent side rules
• 117 individual checks for the RDBMS profile
• Sub-controls provide best practices for
- Continuous vulnerability management
- Secure configuration of database instances
- Minimizing administrative privileges
- Auditing administrative privileges
- Analysis of audit logs
CIS Benchmark Standards for Oracle Database 12c

Oracle Database Installation and Patching Requirements
• Ensure default passwords are changed
• Ensure all sample data and users have been removed

Oracle Parameter Settings
• Listener settings
• Database settings

Oracle Connection and Login Restrictions
• Block unauthorized access to data and services by setting access rules

Oracle User Access and Authorization Restrictions
• Default public privileges for packages and object types
• Revoke non-default privileges for packages and object types
• Revoke excessive system privileges
• Revoke role privileges
• Revoke excessive table and view privileges

Audit/Logging Policies and Procedures
• Traditional auditing
• Unified auditing

CIS provides comprehensive configuration coverage for Oracle database across:
- Installation
- Parameters
- Connectivity
- User Privileges
- Auditing

User Access and Authorization Restrictions

• Principle of least privilege
- Grant required privileges only for the job to get done
- Restrict *ANY*, EXP* and IMP* privileges to users who need them

• Enterprise Manager compliance framework
- Checks to ensure user access and authorization restrictions are in place
- Flags any violations
- Provides interface to define auto-remediation for each violation

• Enterprise Manager compliance checks can be used to monitor
- Excessive System, Object and Role Privileges
- Excessive Table and View Privileges

• Audit trail (SYS.AUD$) contains all audit records for the database

• CIS best practice recommendation: Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$'
- Permitting non-privileged users the authorization to manipulate the SYS.AUD$ table can allow
distortion of the audit records, hiding unauthorized activities.

• Use SQL statement & remediation steps so an unauthorized grantee doesn't have access to the
SYS.AUD$ table

Auditing

• Regulatory compliance requirement

• Enterprise Manager compliance standards provide standard Oracle audit controls for object,
statement and privilege auditing
- USER object: audits all activities and requests to create, drop or alter a user, including a user
changing their own password
- ROLE object: audits all attempts, successful or not, to create, drop, alter or set roles
- Enable 'ALL' Audit Option on 'SYS.AUD$': audits any activities that may indicate unauthorized
attempts to access the audit trail

(Diagram: DBAs and Applications as the sources of audited database activity)
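As an added example, not taken from the deck or from Enterprise Manager's own rule content, the three traditional-auditing controls listed above enabled with AUDIT statements and then verified through the data-dictionary views a compliance rule would query. It assumes a 12c database running traditional auditing with the AUDIT_TRAIL parameter set to DB or DB,EXTENDED (the AUDIT statements take effect for new sessions once the trail is enabled); the 'A/A' value in DBA_OBJ_AUDIT_OPTS is Oracle's encoding for "by access on success / by access on failure".

```sql
-- Added example (not from the deck): enable and verify the three traditional
-- audit controls named on the slide. Assumes AUDIT_TRAIL = DB or DB,EXTENDED
-- and a 12c database that still uses traditional (not pure unified) auditing.

-- USER: every CREATE/ALTER/DROP USER, including a user changing its own password.
AUDIT USER BY ACCESS;

-- ROLE: every CREATE/ALTER/DROP/SET ROLE, whether or not the statement succeeds.
AUDIT ROLE BY ACCESS;

-- 'ALL' on SYS.AUD$: any statement that touches the audit trail table itself,
-- which is how attempts to tamper with or read the trail become visible.
AUDIT ALL ON sys.aud$ BY ACCESS;

-- Verification 1: statement audit options. A compliant database returns one row
-- each for USER and ROLE with SUCCESS and FAILURE both 'BY ACCESS'. A system-wide
-- (not per-user, not per-proxy) option has USER_NAME and PROXY_NAME NULL.
SELECT audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name  IS NULL
   AND proxy_name IS NULL
   AND audit_option IN ('USER', 'ROLE')
 ORDER BY audit_option;

-- Verification 2: object audit options on AUD$. Each column is one statement
-- type and holds '<success>/<failure>'; every column should read 'A/A'.
-- Any '-/-' column means that statement type on the trail is not audited.
SELECT owner, object_name,
       alt, aud, com, del, gra, ind, ins, loc, ren, sel, upd, fbk
  FROM dba_obj_audit_opts
 WHERE owner = 'SYS'
   AND object_name = 'AUD$';

-- Verification 3: what the trail has already recorded about itself. Rows with a
-- non-zero RETURNCODE are failed attempts and are the first ones to review.
SELECT username, action_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE owner = 'SYS'
   AND obj_name = 'AUD$'
 ORDER BY timestamp DESC
 FETCH FIRST 20 ROWS ONLY;
```

In a multitenant database run the AUDIT statements inside each PDB (or query the CDB_ variants of these views and group by CON_ID). A database on pure unified auditing has no rows in these views; the equivalent controls there are AUDIT POLICY definitions and the UNIFIED_AUDIT_TRAIL view, which is the "Unified auditing" item on the earlier slide.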

Automated Database Security Assessment with CIS Benchmark

(Screenshots: "Oracle 12c Database CIS v2.1.0 for Oracle Cluster Database" and "Oracle 12c Database
CIS v2.1.0 for Oracle Database" compliance standards)

The DBA is required to assess 12c database targets against CIS Benchmarks:
• Select CIS Benchmark Standard for Cluster or Single Instance
• Review CIS rule definition for each category
• Modify rule definition using the SQL query provided, if required
• Associate Single Instance targets to the Standard
• Compliance check is initiated once association is confirmed
• Review results and violations
• Remediate violations or suppress them for a given duration

Continuous Compliance Auditing

• Validate conformance to standards or benchmarks using discrete logic
• Best for industry and internal standards (STIG, CIS, Custom)
• Review target compliance scorecard & rules evaluated
• Violations: validate conformance to CIS Standards
• Remediate with SQL query for each rule violation

Demo: Secure Oracle Database with CIS Benchmark

• Assessment of database targets for CIS benchmark compliance
• Introduction to compliance framework and standard
• Association of database target to CIS benchmark standard
• Review compliance results for database target
• Analyze violations for 3 compliance checks in the User Access and Authorization Restrictions
category
• Review successful remediation of these 3 violations

Compliance Check   CIS Benchmark Best Practice
UTL_FILE           user PUBLIC should not be able to execute
UTL_INADDR         user PUBLIC should not be able to execute
UTL_TCP            user PUBLIC should not be able to execute
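Added example, serving both the three UTL_* checks in the demo table above and the "Ensure 'ALL' Is Revoked from Unauthorized 'GRANTEE' on 'AUD$'" recommendation from the User Access and Authorization Restrictions slide. It is not the deck's code and not Enterprise Manager's rule definitions; it shows the shape of a rule's check query and its remediation SQL against DBA_TAB_PRIVS. The DELETE_CATALOG_ROLE allow-list and the schema names app_batch and report_user are assumptions.

```sql
-- Added example (not from the deck): check-and-fix SQL for four CIS items.
-- Runs as a DBA in a 12c non-CDB or inside one PDB; the allow-list and the
-- app_batch / report_user schemas are constructed for illustration.

-- 1. User Access and Authorization Restrictions: PUBLIC must not be able to
--    execute UTL_FILE, UTL_INADDR or UTL_TCP. Every row returned is a violation.
SELECT table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE grantee    = 'PUBLIC'
   AND privilege  = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_INADDR', 'UTL_TCP')
 ORDER BY table_name;

-- Remediation: take each package away from PUBLIC. Where one application
-- schema legitimately needs a package, grant it to that schema alone so the
-- least-privilege principle from the earlier slide holds.
REVOKE EXECUTE ON utl_file   FROM PUBLIC;
REVOKE EXECUTE ON utl_inaddr FROM PUBLIC;
REVOKE EXECUTE ON utl_tcp    FROM PUBLIC;
GRANT EXECUTE ON utl_file TO app_batch;   -- app_batch: assumed schema that writes export files

-- 2. Ensure 'ALL' is revoked from unauthorized 'GRANTEE' on SYS.AUD$: no account
--    outside the allow-list should hold any privilege on the audit trail table,
--    because write access lets a user alter or delete the records of their own activity.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'AUD$'
   AND grantee NOT IN ('DELETE_CATALOG_ROLE')   -- assumed allow-list
 ORDER BY grantee, privilege;

-- Remediation, once per grantee the check reported (report_user is constructed):
REVOKE ALL ON sys.aud$ FROM report_user;

-- 3. Re-run both checks as one scorecard; a compliant database shows 0 in both rows.
SELECT 'UTL_* packages executable by PUBLIC' AS finding, COUNT(*) AS violations
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_INADDR', 'UTL_TCP')
UNION ALL
SELECT 'Unauthorized grantee on SYS.AUD$', COUNT(*)
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'AUD$'
   AND grantee NOT IN ('DELETE_CATALOG_ROLE');
```

Run the check queries first and review the grantees before revoking: an application that relied on the PUBLIC grant fails at its next call, which is why the fix pairs each REVOKE with an explicit GRANT to the schema that needs it. In a multitenant database the privileges live per container, so query CDB_TAB_PRIVS with CON_ID for the fleet view and issue the REVOKE inside each affected PDB.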

What Questions Do You Have?

Blog: Enterprise Manager CIS Benchmark Certification Eases Adoption of Secure Database Best Practices
https://blogs.oracle.com/oem/enterprise-manager-cis-benchmark-certification-eases-adoption-of-secure-database-best-practices-v2

Visit us online
http://www.oracle.com/manageability
blogs.oracle.com/oem
youtube.com/OracleEnterpriseMgr
twitter.com/Oracle_Mgmt

https://www.oracle.com/corporate/events/enterprise-manager-webcast-series.html



Oracle Enterprise Manager 13.4

Manage on-premises and cloud Oracle software at scale with less effort

• Increased Visibility and Intelligent Analytics
• Comprehensive Lifecycle Automation and Control
• Enterprise-Grade Management Platform: Secure, Accessible and Extensible



Enterprise Manager in Oracle Cloud Marketplace

Test drive the most current EM
• Full install in less than 1 hour
• Latest Enterprise Manager updated quarterly
• Database 19.5 for Oracle Management Repository
• Oracle Linux 7.6 host

Deploy best-practice production EMs
• Many OCI Shapes for different environment sizes
• HA and MAA (multi-host) EM configurations
• Cloud Database for OMR

Learn more: http://blogs.oracle.com/oem


cloudmarketplace.oracle.com/marketplace > Search for Oracle Enterprise Manager

Thank you

