IOUG Collaborate 2014 Auditing/Security in EM12c

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 12 1

Upload: kellyn-potvin-gorman

Post on 20-Aug-2015

TRANSCRIPT

Page 1: IOUG Collaborate 2014 Auditing/Security in EM12c

Page 2: IOUG Collaborate 2014 Auditing/Security in EM12c

Enterprise Manager 12c and Keys to the Castle
Kellyn Pot’Vin
Consulting Member of Technical Team
Strategic Customer Program

Page 3: IOUG Collaborate 2014 Auditing/Security in EM12c

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4: IOUG Collaborate 2014 Auditing/Security in EM12c

The Importance of Securing The EM12c Environment

• IT environments are now more complex and dynamic.
• Financial implications and loss of goodwill coupled with stringent regulatory requirements.
• Challenges due to introduction of distributed system management applications.

What best practices are in place for system management products?

Page 5: IOUG Collaborate 2014 Auditing/Security in EM12c

Focus on Security Groups, Roles and Auditing

Create significant roles and then grant the roles to users instead of granting privileges.

Take advantage of privilege propagation groups and systems to reduce resource demands.

Treat the Repository as you would any other database. Use common sense and standard security best practices.

Enable auditing to retain information about actions in the repository and export to an external directory to retain limited information.

Page 6: IOUG Collaborate 2014 Auditing/Security in EM12c

Do You Know Who Has the Power of the Force?

SELECT grantee FROM MGMT_PRIV_GRANTS
WHERE PRIV_NAME = 'SUPER_USER';

Page 7: IOUG Collaborate 2014 Auditing/Security in EM12c

Entitlement Summary Info

Page 8: IOUG Collaborate 2014 Auditing/Security in EM12c

Entitlement Summary

Page 9: IOUG Collaborate 2014 Auditing/Security in EM12c

Entitlement Breakdown

Also can include…
• Contact info
• Location and Department
• Lifecycle and chargeback info
• Note if user is super admin or not.

Page 10: IOUG Collaborate 2014 Auditing/Security in EM12c

Roles Assigned, Part II of Entitlement Summary

• Each Role is displayed
• Total Roles granted displayed to far right
• Each Role is a link to detail info on role

Page 11: IOUG Collaborate 2014 Auditing/Security in EM12c

Role Details

Page 12: IOUG Collaborate 2014 Auditing/Security in EM12c

Roles and Privileges to Roles… :)

Page 13: IOUG Collaborate 2014 Auditing/Security in EM12c

Entitlement Summary, Part III

• Assign individual targets
• View any target (different from accessing any)
• Assign distinct privileges to any target

Page 14: IOUG Collaborate 2014 Auditing/Security in EM12c

Auditing

• Allows you to track and validate actions performed in EM12c.
• By default, basic and infrastructure auditing is enabled.
• Over 150 auditing options are available in Enterprise Manager.
• Encompasses updates, downloads, OMS password changes, and EM key copies and removals from the repository.
• An enhanced page makes viewing data easy. The page can be accessed via Setup > Security > Audit Data.

Page 15: IOUG Collaborate 2014 Auditing/Security in EM12c

EM CLI Auditing Commands

• List of commands
• Show auditing status info
• Enable Auditing Settings
• Update Auditing Settings
• How to externalize auditing data

Page 16: IOUG Collaborate 2014 Auditing/Security in EM12c

Inspecting Rights Internal

Page 17: IOUG Collaborate 2014 Auditing/Security in EM12c

View Audit Settings

Page 18: IOUG Collaborate 2014 Auditing/Security in EM12c

Enabling Audit Options

To enable audit for a subset of audited operations, use the following EM CLI verb:

>emcli update_audit_settings -audit_switch="ENABLE/DISABLE" -operations_to_enable="<insert operation name here or just say ALL>" -operations_to_disable="<insert operation name here or just say ALL>"

Page 19: IOUG Collaborate 2014 Auditing/Security in EM12c

Updating Audit Settings

External file systems can be updated from the repository on a regular basis to externalize the service.

Tip: Ensure there is enough disk space for this operation, as log files can consume significant space.

>emcli update_audit_settings -file_prefix=<file_prefix> -directory_name=<directory_name> -file_size=<file size> -data_retention_period=<period in days>

Page 20: IOUG Collaborate 2014 Auditing/Security in EM12c

Example of audit data to external directory

• We’ll retain the data in the Repository for 31 days
• Data will be exported to the external directory (dba_directories)
• Each of the audit files will be prefixed with “em12c_audit”
• Files will be max size of 25M each

>emcli update_audit_settings -externalization_switch=ENABLE -file_prefix=em12c_audit -directory=AUD_DMP -file_size=25000000 -data_retention_period=31
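
The disk-space tip and the externalization example above, combined into a pre-flight check. This is an added example, not part of the original deck: the function names, the OS path passed as the first argument (the filesystem location behind the AUD_DMP directory object) and the headroom of 10 export files are assumptions.

```shell
#!/bin/sh
# Added example: check free space before enabling audit externalization,
# then print the emcli command from the slide. Nothing is executed against EM.

# free_bytes DIR -> free bytes on the filesystem that holds DIR
free_bytes() {
    df -Pk "$1" | awk 'NR==2 {printf "%.0f\n", $4 * 1024}'
}

# required_bytes FILE_SIZE FILE_COUNT -> bytes needed for FILE_COUNT files
required_bytes() {
    echo $(( $1 * $2 ))
}

# has_space DIR FILE_SIZE FILE_COUNT -> 0 if DIR can hold the files,
# 1 if it cannot, 2 if DIR does not exist
has_space() {
    [ -d "$1" ] || return 2
    [ "$(free_bytes "$1")" -ge "$(required_bytes "$2" "$3")" ]
}

# build_cmd PREFIX DIRECTORY FILE_SIZE RETENTION_DAYS -> prints the command.
# Rejects anything but simple names and whole numbers so a typo such as
# "25M" is caught before it reaches emcli.
build_cmd() {
    for name in "$1" "$2"; do
        case "$name" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    done
    for num in "$3" "$4"; do
        case "$num" in ''|*[!0-9]*) return 1 ;; esac
    done
    printf 'emcli update_audit_settings -externalization_switch=ENABLE -file_prefix=%s -directory=%s -file_size=%s -data_retention_period=%s\n' \
        "$1" "$2" "$3" "$4"
}

# Usage: sh audit_preflight.sh /os/path/behind/AUD_DMP   (path is an assumption)
if [ -n "${1:-}" ]; then
    # 10 files of 25000000 bytes is an assumed headroom, not a figure from the slides
    if has_space "$1" 25000000 10; then
        build_cmd em12c_audit AUD_DMP 25000000 31
    else
        echo "audit directory $1 is missing or too small" >&2
    fi
fi
```
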

Page 21: IOUG Collaborate 2014 Auditing/Security in EM12c

Best Practices for Auditing

Plan carefully to ensure that you capture the data that you require to audit effectively.

Use an external audit service and secure the files created to retain audit data outside the repository in case of significant loss.

Page 22: IOUG Collaborate 2014 Auditing/Security in EM12c

Connect with me-
