anas-dbcloud: Securing Oracle Database with Industry Standards and Best Practices

Introduction:

Oracle Enterprise Manager (OEM) provides solution to secure and ensure compliance with security policies defined by security officers and auditors.
With Audit for Compliance feature, you can secure the entire stack from databases, underlying Linux hosts and Exadata infrastructure with out-of-box security controls.
For Oracle Databases 12c, 19c, and 23ai, CIS Benchmark is an industry compliance standards that is available out-of-the-box. Besides that, Department of Defense (DoD) Security Technical Implementation Guide (STIG) standard is available out-of-the-box for regulatory requirements.

Importance & Benefit:

Establish consistent and measurable security baselines.
Maintain continuous compliance across all Oracle environments.
Provide audit-ready documentation for regulators and stakeholders.
Support secure operations and reduce configuration drift.

In this blog, I'll demonstrate how to leverage CIS Benchmark for Oracle Database 19c to secure Pluggable Databases.

Prerequisites:

Oracle OEM 13.5.0.21 or higher
Oracle 19.23 multitenant database discovered by OEM

Task: Securing Pluggable Database with CIS Benchmarks

1. Once logged in OEM, navigate to Enterprise > Compliance > Library

2. Click Compliance Standards tab. To list CIS Benchmarks, search for "Oracle 19c Database CIS".

Select "Pluggable Database" from the "Applicable To" drop list item, then click Search.

3. Select the row "Oracle 19c Database CIS V1.1.0 - Level 1 - RDBMS using Unified Auditing for Oracle Pluggable Database", then click Associate Targets.

4. Click Add and Select hr.subnet.vcn.oraclevcn.com_FINANCE PDB.

CIS security controls is getting processed and it will take approximately few minutes to complete.

5. To analyze compliance results, navigate to Enterprise > Compliance > Dashboard

6. At the bottom of the page, you will see Compliance Summary section. Click on Standards tab to see the results of CIS Benchmark assessment.

Click on Non-Compliant Targets number (1 in this demo), pop-up window shows Targets showing the Compliance Score. This indicates pluggable database hr.subnet.vcn.oraclevcn.com_FINANCE Compliance score is only 41% against the CIS benchmark baseline.

7. To analyze severity, Click on Critical number (92), you will see unique violations for this target.

8. To see compliance results, click on "Oracle 19c Database CIS V1.1.0 - Level 1 - RDBMS using Unified Auditing". You will see the main CIS categories along with their corresponding CIS control rules and any violations.

The Target Scorecard pie chart displays the overall compliance evaluation status of the monitored target, summarizing its adherence to defined CIS benchmark security policies.

The Rule Evaluations pie chart represents a summary of each rule evaluation status compliant, critical, warning, minor warning, and error in terms of the percentage of rules.

Click on one of the Violation Count numbers. Violation dialog box appears, you can export to Excel for offline analysis. Click Back and Close.

9. Select Violation tab. This table provides comprehensive details for each rule, target name, applicable pluggable database, and violation severity with keywords. You can select an individual violation to view its detailed statement and recommended actions for quick remediation.

You will find Event details on violated rule information, violation details, and a guided resolution option for recommendations.

Click on Corrective actions. You will see the Corrective Actions pop-up window.

10. select the row labeled CORRECTIVE_ACTION_REVOKE_DBA_ROLE_PRIVILEGE. Choose preferred credentials and click Submit.

11. You will be presented with a pop-up window for Corrective action. Click to view execution details.

12. You will notice that the DBA role job was successfully revoked.

13. Now we will view the remediated status for the pluggable database.

Navigate to Targets > Databases. Select hr.subnet.vcn.oraclevcn.com_FINANCE pluggable database. You will be navigated to PDB database home page.