
oracle-database-19c-cis-baseline's Introduction

Oracle 19c CIS Automated Compliance Validation Profile

InSpec profile to validate the secure configuration of Oracle Database 19c against the CIS Oracle Database 19c Benchmark, version 1.0.0.

Oracle 19c CIS Benchmark Overview

The CIS Oracle Database 19c Benchmark (https://www.cisecurity.org/cis-benchmarks/) is intended to address the recommended security settings for Oracle Database 19c. Future Oracle Database 19c critical patch updates (CPUs) may impact the recommendations included in this document.

For more information, see the CIS Benchmarks FAQ.

This InSpec profile automates the validation of Oracle Database 19c against the equivalent CIS Benchmark.

Getting Started

Requirements

Oracle 19c

  • Oracle 19c Database
  • An account with at least SYSTEM-level role access to run SQL commands

Required software on InSpec Runner

Required software on target of evaluation

Setup Environment on Oracle Database machine

Install InSpec

Go to https://www.inspec.io/downloads/ and consult the documentation for your operating system to download and install InSpec.

Ensure the installed InSpec version is recent (> 4.23.X):

inspec --version

How to execute this instance

This profile can be executed against a remote target using the ssh transport, docker transport, or winrm transport of InSpec. Profiles can also be executed directly on the host where InSpec is installed (see https://www.inspec.io/docs/reference/cli/).

Required Inputs

You must specify inputs in an inputs.yml file. See example_inputs.yml in the profile root folder for a sample. Each input is required for proper execution of the profile.

user: 'SYSTEM'
password: 'password'
host: '127.0.0.1'
service: 'ORCLCDB'
sqlplus_bin: 'sqlplus'
listener_file: /opt/oracle/product/19c/dbhome_1/network/admin/listener.ora
multitenant: false
version: '19.0.0.0.0'
listeners: ['LISTENER']

Some default values have been added to inspec.yml, but can be overridden by defining new values in inputs.yml. No default values have been given for database-specific connection variables like the password or the service name; these must be specified in the input file.

Note

Environment variables will not be interpreted correctly in inputs.yml or inspec.yml. Example:

listener_file: $ORACLE_HOME/network/admin/listener.ora # $ORACLE_HOME will not be expanded out correctly!
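Because InSpec reads inputs.yml literally, any environment variable has to be expanded before the file is written. The following Ruby helper is an added example, not part of the profile: it takes an inputs template whose string values may contain $VAR or ${VAR} references, expands them from the process environment (or any hash passed in), and refuses to produce a half-expanded path when a variable is unset. The template keys match the profile's documented inputs; the sqlplus_bin path under $ORACLE_HOME/bin is an assumed layout.

```ruby
# Added example (not the profile's own code): pre-expand environment
# variables in an inputs template, then emit YAML for inputs.yml.
require 'yaml'

# Expand $NAME and ${NAME} references in a string using the given env hash.
# Raises KeyError when a referenced variable is unset, so a literal
# "$ORACLE_HOME/..." never reaches the profile silently.
def expand_env(value, env = ENV)
  case value
  when String
    value.gsub(/\$\{(\w+)\}|\$(\w+)/) do
      name = Regexp.last_match(1) || Regexp.last_match(2)
      env.fetch(name) { raise KeyError, "environment variable #{name} is not set" }
    end
  when Array
    value.map { |element| expand_env(element, env) }
  else
    value # booleans, numbers and other scalars pass through unchanged
  end
end

# Walk an inputs hash and expand every string (or array of strings) value.
def expand_inputs(inputs, env = ENV)
  inputs.each_with_object({}) { |(key, val), out| out[key] = expand_env(val, env) }
end

# Constructed template; keys are the profile's documented inputs.
# The sqlplus_bin location under $ORACLE_HOME/bin is an assumption.
TEMPLATE = {
  'user'          => 'SYSTEM',
  'host'          => '127.0.0.1',
  'service'       => 'ORCLCDB',
  'sqlplus_bin'   => '$ORACLE_HOME/bin/sqlplus',
  'listener_file' => '${ORACLE_HOME}/network/admin/listener.ora',
  'multitenant'   => false,
  'version'       => '19.0.0.0.0',
  'listeners'     => ['LISTENER'],
}.freeze

# Render the expanded inputs as YAML text ready to be written to inputs.yml.
def render_inputs_yaml(template = TEMPLATE, env = ENV)
  expand_inputs(template, env).to_yaml
end

# Usage: ORACLE_HOME=/opt/oracle/product/19c/dbhome_1 ruby render_inputs.rb > inputs.yml
puts render_inputs_yaml if __FILE__ == $PROGRAM_NAME && ENV.key?('ORACLE_HOME')
```

The password is deliberately absent from the template: keep it out of any file that is checked in, and add it to the generated inputs.yml (or pass it on the command line) at run time only.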

Execute a single control in the profile

inspec exec <path to profile on runner> --input-file=inputs.yml --controls=oracle19c-1.1 -t <target>

Execute a single control in the profile and save results as JSON

inspec exec <path to profile on runner> --input-file=inputs.yml --controls=<control id> -t <target> --reporter cli json:results.json

Execute all controls in the profile

inspec exec <path to profile on runner> --input-file=inputs.yml -t <target>

Execute all controls in the profile and save results as JSON

inspec exec <path to profile on runner> --input-file=inputs.yml -t <target> --reporter cli json:results.json

Execute the profile directly on the Oracle database host

inspec exec <path to profile on the host> --input-file=inputs.yml --reporter cli json:results.json

oracle-database-19c-cis-baseline's People

Contributors

hookwitz, karikarshivani, ssayed118, wdower

Forkers

neatnerdprime

oracle-database-19c-cis-baseline's Issues

Add inputs for exceptions from baseline rules for privilege revocation

Several baseline rules (5.2.5, 5.2.6, 5.2.8, probably more) require revocation of privileges from all non-admin accounts.

Some databases need exemptions to this. Ex. AWS RDS databases have an RDSADMIN account that actually does need admin privs. We need to add an input to the profile that allows for exempt accounts.

Handle extra spaces in AUDIT_TRAIL value

The benchmark requires that the AUDIT_TRAIL value be set to one of an accepted list of values. One such value is "DB,Baseline", which could also be valid when set as "DB, Baseline", but the InSpec code only handles the version with no whitespace.

Make test output more descriptive

A bunch of the tests return correct but hard-to-read output: they don't print what the current incorrect value is. Need to make them more descriptive.

Any control of the form:

describe "Query" do
  subject { parameter }
  it { should be_empty }
end

should print whatever the current misconfiguration is on a fail.
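The two issues above (whitespace in the AUDIT_TRAIL value, and failures that do not name the current value) call for the same small piece of logic. The Ruby below is an added example, not the profile's code: it normalises an AUDIT_TRAIL value before comparing it against an accepted list, and wraps the outcome in an object whose description carries the observed value, so a failing InSpec test reads as "AUDIT_TRAIL is 'NONE' ... expected one of ..." rather than a bare "expected true". The accepted list is supplied by the caller; "DB,Baseline" is the value quoted in the issue, and the sample query output is constructed.

```ruby
# Added example (not the profile's own code): whitespace-tolerant
# AUDIT_TRAIL comparison with a descriptive result object.

# Collapse whitespace around each comma-separated part and upcase, so
# "DB, Baseline", " db,baseline " and "DB,BASELINE" all compare equal.
def normalize_audit_trail(raw)
  raw.to_s.strip
     .split(',')
     .map { |part| part.strip.upcase }
     .reject(&:empty?)
     .join(',')
end

# Result object: passed? tells the test what happened, and to_s/inspect
# carry the observed value so it appears in the test description on failure.
AuditTrailResult = Struct.new(:passed, :message) do
  def passed?
    passed
  end

  def to_s
    message
  end

  def inspect
    message
  end
end

# Compare the raw parameter value against the benchmark's accepted list,
# normalising both sides. The accepted list must come from the benchmark;
# it is passed in rather than hard-coded here.
def check_audit_trail(raw, accepted)
  current = normalize_audit_trail(raw)
  allowed = accepted.map { |v| normalize_audit_trail(v) }
  if allowed.include?(current)
    AuditTrailResult.new(true, "AUDIT_TRAIL is '#{raw.to_s.strip}' (normalised '#{current}')")
  else
    AuditTrailResult.new(
      false,
      "AUDIT_TRAIL is '#{raw.to_s.strip}' (normalised '#{current}'); " \
      "expected one of #{allowed.join(' | ')}"
    )
  end
end

# Constructed sqlplus output, as a control might receive it: the value
# carries a space after the comma and a trailing newline.
SAMPLE_QUERY_OUTPUT = "DB, Baseline\n".freeze
SAMPLE_ACCEPTED = ['DB,Baseline'].freeze  # placeholder list; take the real one from the benchmark

# Sketch of how this slots into a control (needs InSpec, so not run here;
# the query itself is omitted because the exact resource call is assumed):
#   result = check_audit_trail(value_from_db, input('accepted_audit_trail'))
#   describe result do
#     its('passed?') { should eq true }
#   end
if __FILE__ == $PROGRAM_NAME
  puts check_audit_trail(SAMPLE_QUERY_OUTPUT, SAMPLE_ACCEPTED)
  puts check_audit_trail('NONE', SAMPLE_ACCEPTED)
end
```

Because the struct's to_s is the message, the describe block's output names the value the database actually returned, which is the behaviour the issue asks for, and the normalisation makes the "DB, Baseline" form pass alongside "DB,Baseline".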
