I had to build a script to do this as Compliance Standard Rules cannot be exported within the Cloud Control interface (or at least was not able to do it after selecting all rules).
The script I come up with is the following:
SELECT rule_dname,description,rationale,
target_type,
decode(SEVERITY,20,'Warning',25,'Critical',18,'Minor Warning') as Severity
FROM EM_RULE
WHERE target_type in ('oracle_database','oracle_listener','rac_database','oracle_pdb','oracle_dbmachine')
order by target_type, rule_dname;
A sample of the output (unformatted) looks like the below:
| RULE_NAME |
| "Domain Users" Group Member of local "Users" Group |
| $ORACLE_HOME/network/admin Directory Owner |
| $ORACLE_HOME/network/admin File Permission |
| $ORACLE_HOME/network/admin File Permission(Windows) |
| Access to *_CATALOG_* Roles |
| Access to ALL_SOURCE View |
| DESCRIPTION | |||||
| Ensures domain server local Users group does not have Domain Users group | |||||
| Ensures $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set and DBA group | |||||
| Ensures the files in $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set, group is restricted to DBA group and Public does not have write permission | |||||
| Ensures the files in $ORACLE_HOME/network/admin ownership is restricted to the Oracle software set, group is restricted to DBA group and Public does not have write permission | |||||
| Ensure grant of *_CATALOG_* is restricted | |||||
Ensures restricted access to ALL_SOURCE
view
|
| TARGET_TYPE | SEVERITY |
| oracle_database | Warning |
| oracle_database | Warning |
| oracle_database | Warning |
| oracle_database | Warning |
| oracle_database | Critical |
No comments:
Post a Comment