21 SCAP Supported Standards
Enterprise Manager supports Security Content Automation Protocol (SCAP) enabled compliance standards. SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.
Note:
OSCAP is not part of Enterprise Manager or an Oracle product. It's part of the OpenSCAP initiative.
upload_compliance_standard, and manage the compliance of managed targets against your policies. For more information see: Import XCCDF based standards using EMCLI. Enterprise Manager provides a way to mass-deploy the payload (XCCDF and OVAL files) to be consumed by the OSCAP already installed on the hosts.
Note:
Enterprise Manager cannot resolve compatibility issues if the payload is incompatible with the OSCAP installed on the hosts. It can only report these errors.
SCAP Prerequisites
Note:
If you are using Oracle Linux, make sure that the LibXML Perl module is installed. To install it, use the following command:
yum install "perl(XML::LibXML)"
Before using SCAP supported standards, the Database Lifecycle Management Pack for Oracle Database is required. For more information see: Database Lifecycle Management Pack for Oracle Database.
For information on how to install binaries in Oracle Linux using YUM see: Installing Software from Oracle Linux Yum Server.
SCAP Best Practices
- Ensure the OSCAP command runs with the desired XCCDF STIG profile on a few reference hosts. (Outside of Enterprise Manager)
- Ensure the other hosts where you intend to run OSCAP are identical to the reference hosts.
- Ensure the latest OSCAP version is installed on all hosts. (YUM or RPM install)
- Associate all the Enterprise Manager host targets to the newly created SCAP compliance standard.
- Upload SCAP standards by uploading the XCCDF file containing the desired SCAP standards. This creates a new standard in the Compliance library.
SCAP Standards Available for Oracle Linux 7
The following is a list of SCAP Standards included in Oracle Enterprise Manager 24.1:
Health Insurance Portability and Accountability Act (HIPAA): The HIPAA Security Rule establishes US national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. This profile configures Oracle Linux 7 to the HIPAA Security Rule for securing electronic protected health information. (V0.1.72).
For more information on securing Linux configuration for HIPAA compliance see: https://complianceascode.github.io/content-pages/guides/ssg-ol7-guide-hipaa.html.
DISA STIG For Oracle Linux 7: This profile contains configuration checks that align to DISA STIG for Oracle Linux V1R1. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol7-guide-stig.html
PCI-DSS v3.2.1 Control Baseline for Oracle Linux 7: Ensures PCI-DSS v3.2.1 related security configuration settings are applied. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol7-guide-pci-dss.html
Standard System Security Profile for Oracle Linux 7: This profile contains rules to ensure a standard security baseline of an Oracle Linux 7 system. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol7-guide-standard.html
SCAP Standards Available for Oracle Linux 8
The following is a list of SCAP Standards included in Oracle Enterprise Manager 24.1:
Health Insurance Portability and Accountability Act (HIPAA): The HIPAA Security Rule establishes US national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. This profile configures Oracle Linux 8 to the HIPAA Security Rule for securing electronic protected health information. (V0.1.72). For more information on securing Linux configuration for HIPAA compliance see: https://complianceascode.github.io/content-pages/guides/ssg-ol8-guide-hipaa.html.
DISA STIG for Oracle Linux 8: This profile contains configuration checks that align to DISA STIG for Oracle Linux 8. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol8-guide-stig.html.
PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 8: Ensures PCI-DSS v3.2.1 related security configuration settings are applied. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol8-guide-pci-dss.html.
Standard System Security Profile for Oracle Linux 8: This profile contains rules to ensure a standard security baseline of an Oracle Linux 8 system. (V0.1.72).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol8-guide-standard.html.
SCAP Standards Available for Oracle Linux 9
The following is a list of SCAP Standards included in Oracle Enterprise Manager 24.1:
Health Insurance Portability and Accountability Act (HIPAA): The HIPAA Security Rule establishes US national standards to protect individuals' electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. This profile configures Oracle Linux 9 to the HIPAA Security Rule for securing electronic protected health information. (V0.1.69). For more information on securing Linux configuration for HIPAA compliance see: https://complianceascode.github.io/content-pages/guides/ssg-ol9-guide-hipaa.html.
DISA STIG for Oracle Linux 9: This profile contains configuration checks that align to DISA STIG for Oracle Linux 9. (V0.1.69).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol9-guide-stig.html.
PCI-DSS v3.2.1 Control Baseline Draft for Oracle Linux 9: Ensures PCI-DSS v4.0 related security configuration settings are applied. (V0.1.69).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol9-guide-pci-dss.html.
Standard System Security Profile for Oracle Linux 9: This profile contains rules to ensure a standard security baseline of an Oracle Linux 8 system. (V0.1.69).
For more information see: https://complianceascode.github.io/content-pages/guides/ssg-ol9-guide-standard.html.
Import XCCDF based standards using EMCLI
SCAP XCCDF standards that are not included by default can be imported into Enterprise Manager with the EM CLI verb upload_compliance_standard and a -file parameter with the XML data stream file containing one or more standards.
$ emcli upload_compliance_standard -file="ssg-ol8-ds.xml"
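A pre-upload check, as an added example that is not part of Oracle's documentation: it lists the benchmark version and the profiles inside an XCCDF file or SCAP data stream, so you can confirm the payload holds the profile you ran on the reference hosts before passing it to -file. The sample document, its IDs, and the function names list_profiles and find_profile are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces from the SCAP 1.2 source data stream and XCCDF 1.2 schemas.
NS = {"ds": "http://scap.nist.gov/schema/scap/source/1.2",
      "xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed, heavily trimmed data stream; IDs and titles are illustrative only.
SAMPLE_DS = """<ds:data-stream-collection
    xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2">
  <ds:component id="scap_org.example_comp_xccdf.xml">
    <xccdf:Benchmark id="xccdf_org.example_benchmark_OL-8">
      <xccdf:version>0.1.72</xccdf:version>
      <xccdf:Profile id="xccdf_org.example_profile_stig">
        <xccdf:title>DISA STIG for Oracle Linux 8</xccdf:title>
        <xccdf:select idref="xccdf_org.example_rule_a" selected="true"/>
        <xccdf:select idref="xccdf_org.example_rule_b" selected="false"/>
      </xccdf:Profile>
      <xccdf:Profile id="xccdf_org.example_profile_standard">
        <xccdf:title>Standard System Security Profile for Oracle Linux 8</xccdf:title>
        <xccdf:select idref="xccdf_org.example_rule_a" selected="true"/>
      </xccdf:Profile>
    </xccdf:Benchmark>
  </ds:component>
</ds:data-stream-collection>"""


def list_profiles(xml_text):
    """Return (benchmark_version, profile_id, title, selected_count) per profile."""
    # ElementTree is not hardened against hostile XML; parse trusted content only.
    root = ET.fromstring(xml_text)
    bench_tag = "{%s}Benchmark" % NS["xccdf"]
    # Accept a bare XCCDF benchmark as well as a data stream that wraps one.
    benches = [root] if root.tag == bench_tag else root.iterfind(".//xccdf:Benchmark", NS)
    found = []
    for bench in benches:
        version = bench.findtext("xccdf:version", default="unknown", namespaces=NS)
        for prof in bench.iterfind("xccdf:Profile", NS):
            title = prof.findtext("xccdf:title", default="", namespaces=NS)
            # Count the <select> entries this profile switches on.
            selected = sum(1 for s in prof.iterfind("xccdf:select", NS)
                           if s.get("selected") == "true")
            found.append((version, prof.get("id"), title, selected))
    return found


def find_profile(xml_text, suffix):
    """Return the first profile whose id ends with `suffix`, or None if absent."""
    return next((p for p in list_profiles(xml_text) if p[1].endswith(suffix)), None)
```

To check a real payload, read the file's text and pass it to list_profiles; a None result from find_profile means the profile you expected is not in that file.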