Implementing Security Compliance using Policy Groups · 2009. 11. 4.
Page 1
Implementing
Security Compliance
using Policy Groups
Rob Zoeteweij
Copyright – 2009 Zoeteweij Consulting
Page 2
This Presentation…
• Is pretty technical
• Includes several (many) Screen dumps
• Covers OEM 10.2.0.4 – 10.2.0.5
• Gives you an in-depth overview of: how to … / how it works
• Is about how we do this at Rabobank
Page 3
Agenda
• Security at Rabobank
• Policy Rules
• Policy Groups
• Q & A
Page 4
Security at Rabobank
• SOX
• Sarbanes-Oxley Act of 2002 (Wikipedia)
• Public Company Accounting Reform and Investor Protection Act of 2002
• AKA – Sarbanes-Oxley, Sarbox or SOX
• Sponsors: Senator Paul Sarbanes and Representative Michael G. Oxley
• In response to a number of major corporate and accounting scandals, including Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom
Page 5
Security at Rabobank
• SOX
• Not a static List
• Not a standard List
• The actual measures can differ per Company
• Both organisational and technical
Page 6
Security at Rabobank
• SOX
• Measures to keep compliant with RABO Security Rules
• Separation of facilities for Development, Testing and Production
• Developers / testers don’t have access to Production servers
• …
• Backups need to be available and tested
• Are kept at a location other than the source
• Need to be accessible for authorized employees only
• Audit logs need to be created
• All user actions must be logged and fully traceable to an individual
• …
• System access
• Based on “Least privilege” and “Need to know”
• ...
Page 7
Security at Rabobank
• BIV code
• Availability – Integrity – Confidentiality
• B - [1-3], I – [1-3], V – [1-3]
• Impact
• 1 – Low, 2 – Middle, 3 - High
• Example
• I = 2
• Financial transactions that can be reversed without any (image) damage
• I = 3
• Financial transactions that cannot be reversed without any (image) damage
Page 8
Security at Rabobank
• BIV code
• Availability – Integrity – Confidentiality
• Applied to Systems
• Applications
• Application Servers
• Servers (Hosts)
• Database Listeners
• Databases
Page 9
Security at Rabobank
• BIV – codes in use
• 222 – 232 – 233 – 322 – 332 – 333
Page 10
Security implementation in OEM
Policy Rules
• Policies
• Policies define the desired behaviour or characteristics of systems
• A Policy is compliant if it is determined that a target meets the desired state
• Example: Oracle Home Executable Files Permission
• Ensure that all files in the ORACLE_HOME directories (except for ORACLE_HOME/bin) do not have public read, write and execute permissions
• If a Target does not meet this state, the Policy is violated
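The "Oracle Home Executable Files Permission" example above is a check an agent can run on the host. The following Python is an added example, not code from the presentation or from OEM: it walks ORACLE_HOME, skips the top-level bin directory as the policy does, and reports every regular file with any "other" permission bit set (read, write or execute; this strict reading is an assumption, so adjust PUBLIC_BITS to the policy as actually deployed). The directory tree it scans is constructed in a temp directory for the demo.

```python
"""Added example (not from the presentation): host-side check for the
'Oracle Home Executable Files Permission' policy.

Assumption: a regular file under ORACLE_HOME (outside the top-level bin
directory) violates the policy if ANY 'other' permission bit is set.
All paths below are constructed for the demo.
"""
import os
import stat
import tempfile

PUBLIC_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH  # rwx for "other"


def scan_oracle_home(oracle_home: str) -> list[str]:
    """Return ORACLE_HOME-relative paths of regular files that are readable,
    writable or executable by 'other'. The top-level bin directory is
    skipped because the policy exempts it."""
    violations = []
    for dirpath, dirnames, filenames in os.walk(oracle_home):
        if dirpath == oracle_home and "bin" in dirnames:
            dirnames.remove("bin")  # prune: os.walk will not descend into it
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            if st.st_mode & PUBLIC_BITS:
                violations.append(os.path.relpath(full, oracle_home))
    return sorted(violations)


def build_demo_home() -> str:
    """Create a constructed, throw-away ORACLE_HOME tree in a temp dir."""
    home = tempfile.mkdtemp(prefix="oracle_home_demo_")
    layout = {
        "bin/sqlplus": 0o755,                 # exempt: lives in bin
        "lib/libclntsh.so": 0o644,            # violation: world-readable
        "network/admin/listener.ora": 0o640,  # compliant: no 'other' bits
        "rdbms/admin/catalog.sql": 0o755,     # violation: world r-x
    }
    for rel, mode in layout.items():
        full = os.path.join(home, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("demo\n")
        os.chmod(full, mode)
    return home


if __name__ == "__main__":
    for path in scan_oracle_home(build_demo_home()):
        print("VIOLATION:", path)
```

Running it prints the two constructed violations; pointing `scan_oracle_home` at a real ORACLE_HOME gives the list an evaluation would flag for that target.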
Page 11
Security implementation in OEM
Policy Rules
• Policies – other examples
• Ensure database auditing is enabled
• Each activity in the database should be traceable
• Default passwords
• Ensure there are no default passwords for known accounts
• Open Ports
• Ensure that no unintended ports are left open
• …
Page 12 (no extractable text)
Page 13
Security implementation in OEM
Policy Rules
• Based on BIV codes in use
• Monitoring Templates
• Only Policy Rules included
• STP – <Target Type> – BIV<code>
• STP – Listener – BIV332
• STP – HTTP Server – BIV223
• STP – Cluster Database – BIV322
• …
Page 14 (no extractable text)
Page 15
Security implementation in OEM
Policy Rules
• Use Groups to apply the Templates to the Targets
• Group organisation
• PG-<Target Type>_BIV<Code>_<Phase (Dev, Tst, Stg, Prd)>
• PG-Cluster_Databases_BIV233_Test
• PG-Database_Instances_BIV333_Prod
• …
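The two naming conventions (templates on the previous slide, groups on this one) are what tie a BIV classification to the policy rules a target receives. The following Python is an added example, not code from the presentation or from OEM: it models a BIV code, validates it against the codes in use listed earlier, builds and parses both names, and derives from a group name the template that must be applied to it. The separators and phase spellings are reproduced from the slides (both "Tst"/"Prd" and "Test"/"Prod" appear, so both are accepted); reusing the group's target-type string verbatim in the template name is an assumption.

```python
"""Added example, not from the presentation: model of the BIV code and of the
template / group naming conventions. Codes in use and name formats come from
the slides; treating the phase vocabulary as fixed is an assumption."""
import re
from dataclasses import dataclass

BIV_CODES_IN_USE = {"222", "232", "233", "322", "332", "333"}
PHASES = ("Dev", "Tst", "Test", "Stg", "Prd", "Prod")
IMPACT = {1: "Low", 2: "Middle", 3: "High"}


@dataclass(frozen=True)
class BIV:
    """Availability (B), Integrity (I), Confidentiality (V), each 1..3."""
    availability: int
    integrity: int
    confidentiality: int

    def __post_init__(self):
        for v in (self.availability, self.integrity, self.confidentiality):
            if v not in IMPACT:
                raise ValueError(f"BIV component {v} must be in 1..3")

    @classmethod
    def parse(cls, code: str) -> "BIV":
        if not re.fullmatch(r"[123]{3}", code):
            raise ValueError(f"malformed BIV code {code!r}")
        return cls(int(code[0]), int(code[1]), int(code[2]))

    @property
    def code(self) -> str:
        return f"{self.availability}{self.integrity}{self.confidentiality}"

    @property
    def in_use(self) -> bool:
        return self.code in BIV_CODES_IN_USE


def template_name(target_type: str, biv: BIV) -> str:
    """Monitoring template carrying the policy rules for this BIV code."""
    return f"STP - {target_type} - BIV{biv.code}"


def group_name(target_type: str, biv: BIV, phase: str) -> str:
    """Group to which the template is applied."""
    if phase not in PHASES:
        raise ValueError(f"unknown phase {phase!r}")
    return f"PG-{target_type}_BIV{biv.code}_{phase}"


GROUP_RE = re.compile(
    r"^PG-(?P<ttype>.+)_BIV(?P<code>[123]{3})_(?P<phase>" + "|".join(PHASES) + r")$"
)


def parse_group_name(name: str) -> tuple[str, BIV, str]:
    """Split a group name back into (target type, BIV, phase)."""
    m = GROUP_RE.match(name)
    if not m:
        raise ValueError(f"not a policy group name: {name!r}")
    return m["ttype"], BIV.parse(m["code"]), m["phase"]


def expected_template(group: str) -> str:
    """Derive the template a group must carry; reject codes not in use."""
    ttype, biv, _phase = parse_group_name(group)
    if not biv.in_use:
        raise ValueError(f"BIV code {biv.code} is not one of the codes in use")
    return template_name(ttype, biv)


if __name__ == "__main__":
    for g in ("PG-Cluster_Databases_BIV233_Test", "PG-Database_Instances_BIV333_Prod"):
        print(g, "->", expected_template(g))
```

A drift check is then a loop over the groups in the repository comparing each group's attached template with `expected_template(group)`; a mismatch or a group whose BIV code is not in use is the finding.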
Page 16
Group PG-Cluster_Databases_BIV332_Test
Includes all Cluster Databases to which BIV code 332 applies
Pages 17–21 (no extractable text)
Page 22
Security implementation in OEM
Policy Groups
• Policy Groups
• Compliance
• Logical Group of Policies
• 10.2.0.4 – 3 out-of-the-box Groups
• Secure Configuration for Oracle Database
• Secure Configuration for Oracle Listener
• Secure Configuration for Oracle Real Application Cluster
• 10.2.0.5 – Create your own
Page 23
Security implementation in OEM
Policy Groups
[Diagram: a Policy Group (Rule 1, Rule 2 … Rule n) is applied to a Group (Target 1, Target 2 … Target n) according to an Evaluation Schedule]
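The diagram above is the whole evaluation model: a policy group is a list of rules, a group is a list of targets, and each scheduled run checks every rule against every target. The following Python is an added example, not code from the presentation or from OEM: it models that run using the three policy examples from the "Policy Rules" slides (auditing enabled, no default passwords on known accounts, no unintended open ports) and reports each target's compliance as the share of rules it passes. Target attributes are constructed dicts and their key names are assumptions; the schedule itself is left to whatever calls `evaluate`.

```python
"""Added example, not from the presentation: one evaluation run of a policy
group against a group of targets. Rule texts come from the slides; the
target attribute names and sample targets are constructed."""
from dataclasses import dataclass, field
from typing import Callable

Target = dict  # constructed: attribute name -> value


@dataclass(frozen=True)
class Rule:
    name: str
    check: Callable[[Target], bool]  # returns True when the target is compliant


@dataclass
class PolicyGroup:
    name: str
    rules: list


@dataclass
class Result:
    target: str
    total: int
    violated: list = field(default_factory=list)

    @property
    def compliance_pct(self) -> float:
        return 100.0 * (self.total - len(self.violated)) / self.total


# Rules modelled on the examples on the "Policy Rules" slides.
AUDITING_ENABLED = Rule(
    "Ensure database auditing is enabled",
    lambda t: t.get("audit_trail", "NONE").upper() != "NONE",
)
NO_DEFAULT_PASSWORDS = Rule(
    "Ensure there are no default passwords for known accounts",
    lambda t: not t.get("accounts_with_default_password", []),
)
NO_UNINTENDED_PORTS = Rule(
    "Ensure that no unintended ports are left open",
    lambda t: set(t.get("open_ports", [])) <= set(t.get("approved_ports", [])),
)

SECURE_DB_GROUP = PolicyGroup(
    "Secure Configuration for Oracle Database",
    [AUDITING_ENABLED, NO_DEFAULT_PASSWORDS, NO_UNINTENDED_PORTS],
)


def evaluate(policy_group: PolicyGroup, targets: dict) -> dict:
    """One scheduled run: every rule against every target in the group."""
    results = {}
    for name, attrs in targets.items():
        r = Result(target=name, total=len(policy_group.rules))
        for rule in policy_group.rules:
            if not rule.check(attrs):
                r.violated.append(rule.name)
        results[name] = r
    return results


# Constructed targets for the demo (not real systems).
DEMO_TARGETS = {
    "db_prod_1": {"audit_trail": "DB", "accounts_with_default_password": [],
                  "open_ports": [1521], "approved_ports": [1521]},
    "db_test_1": {"audit_trail": "NONE", "accounts_with_default_password": ["demo_acct"],
                  "open_ports": [1521], "approved_ports": [1521]},
}

if __name__ == "__main__":
    for res in evaluate(SECURE_DB_GROUP, DEMO_TARGETS).values():
        print(f"{res.target}: {res.compliance_pct:.0f}% compliant, violations: {res.violated}")
```

Because every rule is a plain predicate over target attributes, the same `evaluate` serves a custom 10.2.0.5 policy group just by changing the rule list.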
Pages 24–31 (no extractable text)
Page 32
Q & A