Implementing Security Compliance using Policy Groups
Rob Zoeteweij

Copyright – 2009 Zoeteweij Consulting

This Presentation…

• Is pretty technical
• Includes several (many) screen dumps
• Covers OEM 10.2.0.4 – 10.2.0.5
• Gives you an inside view of: how to … / how it works
• Is about how we do this at Rabobank

Agenda

• Security at Rabobank
• Policy Rules
• Policy Groups
• Q&A

Security at Rabobank
• SOX
  • Sarbanes-Oxley Act of 2002 (Wikipedia)
  • Public Company Accounting Reform and Investor Protection Act of 2002
  • AKA Sarbanes-Oxley, Sarbox or SOX
  • Sponsors: Senator Paul Sarbanes and Representative Michael G. Oxley
  • In response to a number of major corporate and accounting scandals, including Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom

Security at Rabobank

• SOX
  • Not a static list
  • Not a standard list
  • The actual measures can differ per company
  • Both organisational and technical

Security at Rabobank
• SOX
  • Measures to keep compliant with RABO Security Rules
  • Separation of facilities for Development, Testing and Production
    • Developers / testers don’t have access to Production servers
    • …
  • Backups need to be available and tested
    • Are stored at a location other than the source
    • Need to be accessible for authorized employees only
  • Audit logs need to be created
    • All user actions must be logged and fully traceable to an individual
    • …
  • System access
    • Based on “Least privilege” and “Need to know”
    • ...

Security at Rabobank
• BIV code
  • Availability – Integrity – Confidentiality (Dutch: Beschikbaarheid, Integriteit, Vertrouwelijkheid)
  • B – [1-3], I – [1-3], V – [1-3]
  • Impact
    • 1 – Low, 2 – Medium, 3 – High
  • Example
    • I=2
      • Financial transactions that can be reversed without any reputational (image) damage
    • I=3
      • Financial transactions that cannot be reversed without any reputational (image) damage
Security at Rabobank

• BIV code
  • Availability – Integrity – Confidentiality
  • Applied to systems
    • Applications
    • Application Servers
    • Servers (Hosts)
    • Database Listeners
    • Databases

Security at Rabobank

• BIV codes in use
  • 222 – 232 – 233 – 322 – 332 – 333

Security implementation in OEM
Policy Rules
• Policies
  • Policies define the desired behaviour or characteristics of systems
  • A Policy is compliant if it is determined that a target meets the desired state
  • Example: Oracle Home Executable Files Permission
    • Ensure that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
  • If a Target does not meet this state, the Policy is violated
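As an added example (not from the deck and not OEM's own implementation), the "Oracle Home Executable Files Permission" rule above evaluated by a small Python script: it walks a directory tree, skips ORACLE_HOME/bin and reports every regular file that carries any public (world) read, write or execute bit, so the target is compliant when nothing is reported. The function names, the constructed sample ORACLE_HOME layout in a temporary directory and the reading of the rule as "any public bit is a violation" are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Public (world/other) read, write and execute bits that the rule forbids.
PUBLIC_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def check_oracle_home_permissions(oracle_home):
    """Evaluate the 'Oracle Home Executable Files Permission' rule on a
    directory tree. Returns the ORACLE_HOME-relative paths of regular files,
    outside ORACLE_HOME/bin, that carry any public read/write/execute bit.
    An empty list means the target is compliant with this rule."""
    root = Path(oracle_home)
    bin_dir = root / "bin"
    violations = []
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped so a link pointing outside the home is not
        # judged by its target's mode; directories are not in scope either.
        if path.is_symlink() or not path.is_file():
            continue
        if bin_dir in path.parents:
            continue  # ORACLE_HOME/bin is explicitly excluded by the rule
        if path.stat().st_mode & PUBLIC_BITS:
            violations.append(str(path.relative_to(root)))
    return violations


def demo():
    """Build a constructed sample ORACLE_HOME in a temporary directory (not a
    real Oracle installation), evaluate the rule and return the violations."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        # Constructed layout: relative file -> mode (assumed, for illustration)
        layout = {
            "bin/sqlplus": 0o755,                 # under bin: excluded, allowed
            "lib/libclntsh.so": 0o644,            # world-readable: violation
            "network/admin/tnsnames.ora": 0o640,  # no public bits: compliant
            "rdbms/admin/catalog.sql": 0o664,     # world-readable: violation
        }
        for rel, mode in layout.items():
            target = home / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("constructed sample file\n")
            os.chmod(target, mode)
        return check_oracle_home_permissions(home)


if __name__ == "__main__":
    for violation in demo():
        print("VIOLATION:", violation)
```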

Security implementation in OEM
Policy Rules
• Policies – other examples
  • Ensure database auditing is enabled
    • Each activity in the database should be traceable
  • Default passwords
    • Ensure there are no default passwords for known accounts
  • Open Ports
    • Ensure that no unintended ports are left open
  • …

Security implementation in OEM
Policy Rules

• Based on BIV codes in use
• Monitoring Templates
  • Only Policy Rules included
  • STP – <Target Type> – BIV<code>
    • STP – Listener – BIV332
    • STP – HTTP Server – BIV223
    • STP – Cluster Database – BIV322
    • …

Security implementation in OEM
Policy Rules

• Use Groups to apply the Templates to the Targets
• Group organisation
  • PG-<Target Type>_BIV<Code>_<Phase (Dev, Tst, Stg, Prd)>
    • PG-Cluster_Databases_BIV233_Test
    • PG-Database_Instances_BIV333_Prod
    • …

Group PG-Cluster_Databases_BIV332_Test
Includes all Cluster Databases to which BIV code 332 applies

Security implementation in OEM
Policy Groups

• Policy Groups
  • Compliance
  • Logical group of Policies
  • 10.2.0.4 – 3 out-of-the-box groups
    • Secure Configuration for Oracle Database
    • Secure Configuration for Oracle Listener
    • Secure Configuration for Oracle Real Application Cluster
  • 10.2.0.5 – Create your own

Security implementation in OEM
Policy Groups
Diagram: a Policy Group holds Rule 1, Rule 2 … Rule n together with an Evaluation Schedule; the Policy Group is applied to Target 1, Target 2 … Target n, which are collected in a Group.

Q&A
