Intended Audience: Oracle Enterprise Manager (OEM) Cloud Control Administrators
Purpose: This document provides a guideline for how to implement compliance monitoring in OEM 12c. It is not a detailed build document or cookbook. Its purpose is to provide experienced OEM administrators a quick start and avoid pitfalls.
Requirements
As with any implementation, knowing the requirements for compliance monitoring is critical. The ISSO (Information System Security Officer) should provide the major portion of the requirements. Documentation such as Secure Baselines can also be critical input to the process.
Summary
Setting up compliance monitoring has the following basic steps:
- Establish Compliance Standard Rules
- Establish Compliance Standards
- Establish Compliance Framework
- Add Compliance Standards to your Template Collections
- Reporting on Compliance Events
- Export/Import of Compliance Frameworks, Standards and Rules
Establish Compliance Standard Rules
Compliance Standard Rules are how you implement the compliance requirements. OEM 12c ships with almost 2,000 rules for you to choose from, or you can create your own. Go to Enterprise/Compliance/Library/Compliance Standard Rules and then use the Advanced Search feature to find the rules you need. If you cannot find an exact match, find something close and use the Create Like feature to make a similar but different rule. Save the names of all the rules you need to implement the requirements. You may want to establish a naming convention for rules you create (for example, a site prefix) to distinguish them from the Oracle-supplied rules.
Rules can be in either Development or Production Compliance Rule State. Development rules will not actually fire until you put them into production state.
Be sure to test the rules using the Test button before you put them in production state, to confirm that they do not return errors and that they flag exactly the targets you intended.
Even if you find an Oracle rule that matches your need exactly, make a copy of it using Create Like, because you cannot import Oracle-supplied rules across environments.
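The following is an added example, not part of the original document, of the kind of repository-based check a custom rule created here contains: a SQL query against repository views that identifies targets violating a requirement (here, the Oracle initialization parameter remote_os_authent must be FALSE). The view name MGMT$DB_INIT_PARAMS and its columns, and the convention that the query returns TARGET_GUID as its first column, are assumptions to verify against your release's Compliance Management documentation; in the Create Rule wizard the violation condition may be entered separately from the query rather than in the WHERE clause.

```sql
-- Added example of a repository-rule query for a database Compliance Standard Rule.
-- Assumptions (verify for your OEM release): MGMT$DB_INIT_PARAMS exposes
-- TARGET_GUID, TARGET_NAME, NAME and VALUE, and a repository rule query returns
-- TARGET_GUID as its first column with one row per violating target.
-- Requirement illustrated: remote OS authentication must be disabled.
SELECT p.target_guid,
       p.target_name,
       p.name  AS parameter_name,
       p.value AS parameter_value
  FROM mgmt$db_init_params p
 WHERE LOWER(p.name) = 'remote_os_authent'
   AND UPPER(p.value) <> 'FALSE';
```

Run the query directly against the repository first (for example with SQL*Plus as a read-only repository user) and compare its result set with the rule's Test output; a rule that returns no rows in both places on a deliberately misconfigured target is not working as intended.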
Establish Compliance Standards
Compliance Standards are simply a grouping of rules for a given target type.
For example, if you were implementing compliance rules for databases and listeners, you would create two Compliance Standards, one for database rules and one for listener rules.
Go to Enterprise/Compliance/Compliance Standards.
When creating the Compliance Standard, right click on the standard's name in the left navigation panel and you will have the option of adding rules. This is why it is important to note the names of the rules from the previous step: it makes them easier to find.
If you want to get fancy you can also insert folder names and then create rules under them in a directory structure.
Compliance Standards, like Compliance Standard Rules also have a state of Development or Production that works the same way.
Establish Compliance Framework
A Compliance Framework is simply a collection of Compliance Standards.
Go to Enterprise/Compliance/Compliance Frameworks and create a framework. You can then add the Compliance Standards in the same way that you added Compliance Standard Rules to the Compliance Standards.
Note that Compliance Frameworks also have the Development and Production states.
Add Compliance Standards to Your Template Collections
Just as Monitoring Templates are grouped in Template Collections and then associated with your Administration Hierarchy, Compliance Standards work the same way. This ensures that as new targets are discovered, the appropriate Compliance Standard is applied.
Go to Enterprise/Monitoring/Template Collections, choose or create a Template Collection, click on the Compliance Standard tab, and add your Compliance Standards. If this Template Collection is already associated with the Admin Hierarchy, you are done; otherwise go to Setup/Add Target/Administration Groups, highlight the admin group you want to associate the template collection with, then click on Associate Template Collection and choose the Template Collection you just created or modified.
Reporting on Compliance Events
As compliance violations generally do not require critical attention, there is no need to create Incident Rules for them. Creating Incidents for these events may result in too many incidents and mask, or make it more difficult to find, the more critical Incidents that require immediate action. For the same reason, there is no need to send out email notifications, and therefore no reason to create Incident Rules for these types of events. Review violations instead through the Compliance Results and Dashboard pages under Enterprise/Compliance.
Export/Import of Compliance Frameworks, Standards and Rules
If you only have a single OEM installation for your entire enterprise, you can skip this section; otherwise, the Export/Import function will be important to you. If, for instance, you have a Dev, a Test and a Prod OEM and you want to keep them synchronized, Export/Import is very useful (however, look out for the known issue below).
You can export at any level, from the entire Framework to a Standard or to a specific rule, and then import at that same level into the next environment. This is a very easy and safe way to promote changes in your compliance monitoring across your environments.
Known Issue with Compliance Functionality in Version 12.1.0.3
You cannot import an Oracle-Supplied rule, only rules you have created. If you have no need to use export and import, then by all means simply add the Oracle-supplied rules you want directly to your Compliance Standards. However, if export/import is important, we'd suggest using create like to make an exact copy of the Oracle-supplied rule which will then have no export/import restrictions.