Security Compliance
using Policy Groups
Rob Zoeteweij
1
This Presentation…
• Is pretty technical
• Includes several (many) Screen dumps
• Covers OEM 10.2.0.4 – 10.2.0.5
• Gives you an insider's overview of how to do it and how it works
• Is about how we do this at Rabobank
2
Agenda
• Security at Rabobank
• Policy Rules
• Policy Groups
• Q&A
3
Security at Rabobank
• SOX
• Sarbanes-Oxley Act of 2002 (Wikipedia)
• Public Company Accounting Reform and Investor Protection
Act of 2002
• AKA – Sarbanes-Oxley, Sarbox or SOX
• Sponsors: Senator Paul Sarbanes and Representative
Michael G. Oxley
• Enacted in response to a number of major corporate and accounting
scandals, including Enron, Tyco International, Adelphia, Peregrine
Systems and WorldCom
4
Security at Rabobank
• SOX
• Not a static list
• Not a standard list
• The actual measures can differ per company
• Both organisational and technical
5
Security at Rabobank
• SOX
• Measures to stay compliant with the RABO Security Rules
• Separation of facilities for Development, Testing and Production
• Developers / testers don’t have access to Production servers
• …
• Backups need to be available and tested
• Are stored at a different location from the source
• Need to be accessible for authorized employees only
• Audit logs need to be created
• All user actions must be logged and fully traceable to an individual
• …
• System access
• Based on “Least privilege” and “Need to know”
• ...
6
Security at Rabobank
• BIV code
• Availability – Integrity – Confidentiality (BIV: the Dutch initials of Beschikbaarheid, Integriteit, Vertrouwelijkheid)
• B – [1-3], I – [1-3], V – [1-3]
• Impact
• 1 – Low, 2 – Medium, 3 – High
• Example
• I=2
• Financial transactions that can be reversed without any
(image/reputation) damage
• I=3
• Financial transactions that cannot be reversed without
(image/reputation) damage
7
Security at Rabobank
• BIV code
• Availability – Integrity – Confidentiality
• Applied to Systems
• Applications
• Application Servers
• Servers (Hosts)
• Database Listeners
• Databases
8
Security at Rabobank
(Screen dump)
Security implementation in OEM
Policy Rules
• Policies
• Policies define the desired behaviour or characteristics of
systems
• A policy is compliant if it is determined that the target meets the
desired state
• Example: Oracle Home Executable Files Permission
• Ensure that all files in the ORACLE_HOME
directories (except for ORACLE_HOME/bin) do not
have public read, write and execute permissions
• If a Target does not meet this state, the Policy is violated
10
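As an added illustration (not from the presentation and not OEM's own implementation), the following Python script re-implements the file-permission policy above against a constructed ORACLE_HOME directory tree: any regular file outside ORACLE_HOME/bin that carries a public (world) read, write or execute bit is reported as a violation. The directory layout and file modes are constructed sample data, not Rabobank's or Oracle's.

```python
import os
import stat
import tempfile

# Added example, not from the presentation or from OEM: a stand-alone check
# for the "Oracle Home Executable Files Permission" policy. A file violates
# the policy if it is anywhere under ORACLE_HOME except ORACLE_HOME/bin and
# has any "other" (public) read, write or execute bit set.
PUBLIC_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def find_public_files(oracle_home):
    """Return sorted paths (relative to oracle_home) that violate the policy."""
    oracle_home = os.path.abspath(oracle_home)
    violations = []
    for root, dirs, files in os.walk(oracle_home):
        if root == oracle_home and "bin" in dirs:
            dirs.remove("bin")  # ORACLE_HOME/bin is exempt from the policy
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes are not meaningful on most systems
            if mode & PUBLIC_BITS:
                violations.append(os.path.relpath(path, oracle_home))
    return sorted(violations)


def build_sample_oracle_home():
    """Create a constructed ORACLE_HOME layout in a temp dir (sample data)."""
    home = tempfile.mkdtemp(prefix="oracle_home_")
    layout = {
        "bin/sqlplus": 0o755,                 # exempt: bin may be public
        "lib/libclntsh.so": 0o750,            # compliant: no public bits
        "network/admin/listener.ora": 0o644,  # violation: public read
        "rdbms/admin/catalog.sql": 0o640,     # compliant
        "OPatch/opatch": 0o755,               # violation: public read+execute
    }
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # chmod overrides the process umask
    return home


if __name__ == "__main__":
    home = build_sample_oracle_home()
    found = find_public_files(home)
    if found:
        print("Policy violated; files with public permissions:")
        for rel in found:
            print("  " + rel)
    else:
        print("Policy compliant")
```

Run it against a real installation by calling `find_public_files(os.environ["ORACLE_HOME"])`; the walk only reads metadata, so it is safe to run on a production home. The same check from a shell is `find "$ORACLE_HOME" -path "$ORACLE_HOME/bin" -prune -o -type f -perm /o=rwx -print`.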
Security implementation in OEM
Policy Rules
• Policies – other examples
• Ensure database auditing is enabled
• Each activity in the database should be traceable
• Default passwords
• Ensure there are no default passwords for known accounts
• Open Ports
• Ensure that no unintended ports are left open
• …
11
Security implementation in OEM
Policy Rules
(Screen dumps)
Group PG-Cluster_Databases_BIV332_Test
Includes all cluster databases to which BIV code 332 applies
Security implementation in OEM
Policy Groups
• Policy Groups
• Compliance
• Logical Group of Policies
• 10.2.0.4 – three out-of-the-box groups
• Secure Configuration for Oracle Database
• Secure Configuration for Oracle Listener
• Secure Configuration for Oracle Real Application Cluster
• 10.2.0.5 – Create your own
22
Security implementation in OEM
Policy Groups
Policy Group (diagram)
• Evaluation Schedule
• Rule 1, Rule 2 … Rule n
• Target Group: Target 1, Target 2 … Target n
23
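To make the group/rule/target relationship concrete, here is an added Python model (not the presentation's code and not OEM's own implementation) of a policy group: three rules modelled on the examples from the Policy Rules slides (auditing enabled, no default passwords, no unintended open ports), a membership filter modelled on the group PG-Cluster_Databases_BIV332_Test, and one scheduled evaluation that reports violations per target plus a percentage score. The target attributes (audit_trail, default_password_accounts, open_ports, intended_ports), the sample targets and the score formula are assumptions for the example, not OEM's data model or scoring.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Added example, not from the presentation or from OEM: a minimal model of a
# policy group (a logical group of policy rules, evaluated on a schedule
# against a target group). Target attributes are constructed sample data.
Target = Dict[str, object]


@dataclass
class PolicyRule:
    name: str
    # check returns True when the target meets the desired state
    check: Callable[[Target], bool]


@dataclass
class PolicyGroup:
    name: str
    rules: List[PolicyRule]
    # membership filter: which targets belong to this group
    member_filter: Callable[[Target], bool]

    def members(self, targets: List[Target]) -> List[Target]:
        return [t for t in targets if self.member_filter(t)]

    def evaluate(self, targets: List[Target]) -> Dict[str, List[str]]:
        """Map each member target name to the names of the rules it violates."""
        results = {}
        for target in self.members(targets):
            violated = [r.name for r in self.rules if not r.check(target)]
            results[str(target["name"])] = violated
        return results

    def compliance_score(self, results: Dict[str, List[str]]) -> float:
        """Percentage of (target, rule) evaluations that were compliant.
        This simple formula is an assumption, not OEM's own scoring."""
        evaluations = len(results) * len(self.rules)
        if evaluations == 0:
            return 100.0
        violations = sum(len(v) for v in results.values())
        return round(100.0 * (evaluations - violations) / evaluations, 1)


# Rules modelled on the Policy Rules slides (attribute names are assumptions;
# audit_trail mirrors the Oracle init parameter of that name).
RULES = [
    PolicyRule("Audit Enabled",
               lambda t: t["audit_trail"] != "NONE"),
    PolicyRule("No Default Passwords",
               lambda t: not t["default_password_accounts"]),
    PolicyRule("No Unintended Open Ports",
               lambda t: set(t["open_ports"]) <= set(t["intended_ports"])),
]

# Modelled on the group PG-Cluster_Databases_BIV332_Test from the slides:
# all cluster databases with BIV code 332 in the Test environment.
PG_CLUSTER_DATABASES_BIV332_TEST = PolicyGroup(
    name="PG-Cluster_Databases_BIV332_Test",
    rules=RULES,
    member_filter=lambda t: (t["type"] == "rac_database"
                             and t["biv"] == "332"
                             and t["env"] == "Test"),
)

# Constructed sample targets (names, ports and settings are made up).
TARGETS: List[Target] = [
    {"name": "racdb1_test", "type": "rac_database", "biv": "332", "env": "Test",
     "audit_trail": "DB", "default_password_accounts": [],
     "open_ports": [1521], "intended_ports": [1521]},
    {"name": "racdb2_test", "type": "rac_database", "biv": "332", "env": "Test",
     "audit_trail": "NONE", "default_password_accounts": ["SCOTT"],
     "open_ports": [1521, 8080], "intended_ports": [1521]},
    {"name": "racdb1_prod", "type": "rac_database", "biv": "332", "env": "Prod",
     "audit_trail": "DB", "default_password_accounts": [],
     "open_ports": [1521], "intended_ports": [1521]},
    {"name": "db1_test", "type": "database", "biv": "222", "env": "Test",
     "audit_trail": "NONE", "default_password_accounts": [],
     "open_ports": [1521], "intended_ports": [1521]},
]


def run_evaluation(group: PolicyGroup = PG_CLUSTER_DATABASES_BIV332_TEST,
                   targets: List[Target] = TARGETS):
    """One scheduled evaluation: returns (violations per target, score)."""
    results = group.evaluate(targets)
    return results, group.compliance_score(results)


if __name__ == "__main__":
    results, score = run_evaluation()
    for name, violated in results.items():
        state = "compliant" if not violated else "VIOLATED: " + ", ".join(violated)
        print(f"{name}: {state}")
    print(f"Group compliance score: {score}%")
```

Only the two Test cluster databases with BIV 332 are members, so the production database and the single-instance database are never evaluated by this group; that is the point of pairing a logical group of rules with a target group, and it is what the diagram above expresses.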
Q&A
32