Implementing Security Compliance using Policy Groups
Rob Zoeteweij
Copyright – 2009 Zoeteweij Consulting
This Presentation…
• Is pretty technical
• Includes several (many) screen dumps
• Covers OEM 10.2.0.4 – 10.2.0.5
• Gives you an inside view of: How to … / How it works
• Is about how we do this at Rabobank
Agenda
• Security at Rabobank
• Policy Rules
• Policy Groups
• Q&A
Security at Rabobank
• SOX
  • Sarbanes-Oxley Act of 2002 (Wikipedia)
  • Public Company Accounting Reform and Investor Protection Act of 2002
  • AKA Sarbanes-Oxley, Sarbox or SOX
  • Sponsors: Senator Paul Sarbanes and Representative Michael G. Oxley
  • In response to a number of major corporate and accounting scandals, incl. Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom
Security at Rabobank
• SOX
  • Not a static list
  • Not a standard list
  • The actual measures can differ per company
  • Both organisational and technical
Security at Rabobank
• SOX
  • Measures to stay compliant with the Rabo Security Rules
    • Separation of facilities for Development, Testing and Production
      • Developers / testers don’t have access to Production servers
      • …
    • Backups need to be available and tested
      • Must be stored at a location other than the source
      • Must be accessible to authorised employees only
    • Audit logs need to be created
      • All user actions must be logged and fully traceable to an individual
      • …
    • System access
      • Based on “Least privilege” and “Need to know”
      • ...
Security at Rabobank
• BIV code (Dutch: Beschikbaarheid, Integriteit, Vertrouwelijkheid)
  • Availability – Integrity – Confidentiality
  • B – [1-3], I – [1-3], V – [1-3]
  • Impact
    • 1 – Low, 2 – Middle, 3 – High
  • Example
    • I=2: financial transactions that can be reversed without any (image) damage
    • I=3: financial transactions that cannot be reversed without (image) damage
Security at Rabobank
• BIV code
  • Availability – Integrity – Confidentiality
  • Applied to Systems
    • Applications
    • Application Servers
    • Servers (Hosts)
    • Database Listeners
    • Databases
Security at Rabobank
• BIV codes in use
  • 222 – 232 – 233 – 322 – 332 – 333
Security implementation in OEM Policy Rules
• Policies
  • Policies define the desired behaviour or characteristics of systems
  • A Policy is compliant if it is determined that a target meets the desired state
  • Example: Oracle Home Executable Files Permission
    • Ensure that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
  • If a Target does not meet this state, the Policy is violated
Security implementation in OEM Policy Rules
• Policies – other examples
  • Ensure database auditing is enabled
    • Each activity in the database should be traceable
  • Default passwords
    • Ensure there are no default passwords for known accounts
  • Open Ports
    • Ensure that no unintended ports are left open
  • …
Security implementation in OEM Policy Rules
• Based on the BIV codes in use
• Monitoring Templates
  • Only Policy Rules included
  • Naming convention (as in the examples): STP – <target type> – BIV<code>
    • STP – Listener – BIV332
    • STP – HTTP Server – BIV223
    • STP – Cluster Database – BIV322
    • …
Security implementation in OEM Policy Rules
• Use Groups to apply the Templates to the Targets
• Group organisation
  • Naming convention (as in the examples): PG-<target type>_BIV<code>_<environment>
    • PG-Cluster_Databases_BIV233_Test
    • PG-Database_Instances_BIV333_Prod
    • …
Group PG-Cluster_Databases_BIV332_Test
Includes all Cluster Databases to which BIV code 332 applies
Security implementation in OEM Policy Groups
• Policy Groups
  • Compliance
  • A logical group of Policies
  • 10.2.0.4 – 3 out-of-the-box groups
    • Secure Configuration for Oracle Database
    • Secure Configuration for Oracle Listener
    • Secure Configuration for Oracle Real Application Cluster
  • 10.2.0.5 – create your own
Security implementation in OEM Policy Groups
Diagram: a Policy Group combines an Evaluation Schedule, a set of policy rules (Rule 1, Rule 2, … Rule n) and the targets it is evaluated against (Target 1, Target 2, … Target n, or a target Group).
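The mechanics described above (a policy rule evaluated against a target, several rules combined into a policy group with a compliance verdict per target) are shown here as an added example in POSIX shell, using the two rules named earlier in the deck: Oracle Home Executable Files Permission and "Ensure database auditing is enabled". This is not code from the presentation, from Rabobank or from Oracle Enterprise Manager, which evaluates its rules against the live target through the agent. The example assumes instead that a target is written as ORACLE_HOME:SID and that the auditing setting can be read from the pfile $ORACLE_HOME/dbs/init<SID>.ora; the function names, the group name and the ORACLE_HOME path in the usage line are the example's own.

```shell
#!/bin/sh
# Added example: two OEM-style policy rules and a minimal policy-group evaluator
# written as POSIX shell functions. Not the presentation's, Rabobank's or Oracle's
# code. Assumptions: a target is "ORACLE_HOME:SID", and the auditing setting is
# read from the pfile $ORACLE_HOME/dbs/init<SID>.ora (OEM reads the live instance).

# Rule 1: Oracle Home Executable Files Permission.
# Every regular file under ORACLE_HOME, except ORACLE_HOME/bin, must not grant
# read (004), write (002) or execute (001) to "other". Prints offending paths.
# Returns 0 when compliant, 1 when violated.
rule_oracle_home_perms() {
    oh=$1
    found=$(find "$oh" -path "$oh/bin" -prune -o -type f \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Rule 2: Ensure database auditing is enabled (pfile-based, see assumptions).
# audit_trail must be set and must not be NONE or FALSE. The last occurrence
# wins, as it does for the instance; "*." prefixes and quotes are tolerated.
rule_audit_enabled() {
    oh=$1
    sid=$2
    pfile="$oh/dbs/init$sid.ora"
    if [ ! -f "$pfile" ]; then
        echo "pfile $pfile not found"
        return 1
    fi
    val=$(tr '[:upper:]' '[:lower:]' < "$pfile" |
        sed -n "s/^[[:space:]]*\(\*\.\)\{0,1\}audit_trail[[:space:]]*=[[:space:]]*'\{0,1\}\([^'[:space:]#]*\).*/\2/p" |
        tail -n 1)
    case "$val" in
        ''|none|false) echo "audit_trail=${val:-<unset>}"; return 1 ;;
        *) return 0 ;;
    esac
}

# Policy group: every rule above evaluated against every target. Prints one
# line per (target, rule) plus a VIOLATIONS=<n> summary; returns 0 only when
# all targets are compliant.
evaluate_policy_group() {
    group=$1
    shift
    nviol=0
    for target in "$@"; do
        oh=${target%%:*}
        sid=${target#*:}
        for rule in rule_oracle_home_perms rule_audit_enabled; do
            if detail=$("$rule" "$oh" "$sid"); then
                echo "[$group] $target $rule COMPLIANT"
            else
                nviol=$((nviol + 1))
                echo "[$group] $target $rule VIOLATED: $detail"
            fi
        done
    done
    echo "VIOLATIONS=$nviol"
    [ "$nviol" -eq 0 ]
}

# Usage (example path, not a real target):
# evaluate_policy_group "Secure Configuration for Oracle Database" \
#     /u01/app/oracle/product/10.2.0/db_1:ORCL
```

The evaluator returns non-zero as soon as one target violates one rule, which is the behaviour you want when the check runs from a scheduler: the exit status is the compliance verdict, and the printed lines are the evidence an auditor asks for. Pruning ORACLE_HOME/bin before testing the mode bits is what keeps the rule from flagging the client binaries that must stay world-executable.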
Q&A