[EDIT 20170420: Upgraded script to version 1.1. No functionality changes, but added instructions to download+install unlimited strength policy .jar files to allow the use of even stronger ciphersuites such as TLS_RSA_WITH_AES_256_CBC_SHA256.]
This post releases a new script, secure_agent_ciphersuites.sh, which uses EMCLI to set the SSLCipherSuites agent property on all EM13c R2 agents to the value “SSL_RSA_WITH_3DES_EDE_CBC_SHA”, in order to lock agent endpoints down to HIGH strength ciphersuites only. By default, EM13c R2 agents allow two MEDIUM strength ciphersuites in addition to the one HIGH strength suite: SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA. If you log in to EMCLI as SYSMAN, have preferred host credentials configured, and then run this script, it will identify all of your agents, set SSLCipherSuites where needed, and restart those agents to bring them into compliance.
This script supplements my existing script to lock down EM13c agents to TLSv1.2, and it configures your agents in a way that passes the security checks implemented in my EM13c R2 security checkup script.
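To show the shape of the procedure described above (enumerate agents, compare each agent's SSLCipherSuites value against the desired HIGH-only value, set the property and restart only the agents that are out of compliance), here is an added example in POSIX sh. It is not the post's secure_agent_ciphersuites.sh, and it makes assumptions: that EMCLI is already logged in as SYSMAN with preferred host credentials in place, and that the EMCLI verbs get_targets, get_agent_properties, set_agent_property and restart_agents accept the flags and print the column layout used here (check them with emcli help before relying on them). By default it runs in dry-run mode against a constructed agent list, so it can be read and tested without an EM installation.

```shell
#!/bin/sh
# Added example, not the script from the post. Locks EM13c agents down to the
# HIGH strength ciphersuite only. DRY_RUN=1 (default) prints the EMCLI commands
# it would run and uses constructed sample data instead of a live EM site.

DESIRED="SSL_RSA_WITH_3DES_EDE_CBC_SHA"   # the HIGH strength suite from the post
DRY_RUN="${DRY_RUN:-1}"

# Run an emcli command, or just print it in dry-run mode.
run_emcli() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "DRY RUN: emcli $*"
    else
        emcli "$@"
    fi
}

# needs_update VALUE: true (0) when VALUE is not exactly the desired suite.
# An empty VALUE means the property is unset, i.e. the agent is on the
# defaults that still include the MEDIUM RC4 suites, so it also needs updating.
needs_update() {
    [ "$1" != "$DESIRED" ]
}

# weak_suites VALUE: print the colon-separated suites in VALUE other than DESIRED.
weak_suites() {
    old_ifs=$IFS; IFS=':'
    out=""
    for s in $1; do
        [ "$s" = "$DESIRED" ] && continue
        out="${out:+$out:}$s"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Raw target listing. Assumed column layout of "emcli get_targets":
# Status ID, Status, Target Type, Target Name.
list_targets() {
    if [ "$DRY_RUN" = "1" ]; then
        # constructed sample output standing in for a real EM site
        printf '%s\n' \
            "Status ID  Status  Target Type  Target Name" \
            "1          Up      oracle_emd   host1.example.com:3872" \
            "1          Up      oracle_emd   host2.example.com:3872"
    else
        emcli get_targets -targets="oracle_emd"
    fi
}

# One agent target name per line (the header row never matches oracle_emd).
agent_names() {
    list_targets | awk '$3 == "oracle_emd" {print $4}'
}

# current_value AGENT: the agent's SSLCipherSuites property, empty if unset.
current_value() {
    if [ "$DRY_RUN" = "1" ]; then
        # constructed sample: host1 still on the defaults, host2 already locked down
        case "$1" in
            host1*) printf '%s\n' "SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:$DESIRED" ;;
            host2*) printf '%s\n' "$DESIRED" ;;
            *)      printf '\n' ;;
        esac
    else
        # assumed output shape: one "Name Value" pair per line
        emcli get_agent_properties -agent_name="$1" | awk '$1 == "SSLCipherSuites" {print $2}'
    fi
}

main() {
    agent_names | while read -r agent; do
        value=$(current_value "$agent")
        if needs_update "$value"; then
            echo "$agent: SSLCipherSuites='$value' (weak: $(weak_suites "$value")) -> $DESIRED"
            run_emcli set_agent_property -agent_name="$agent" -name="SSLCipherSuites" \
                -value="$DESIRED" -new_property
            run_emcli restart_agents -agent_names="$agent"
        else
            echo "$agent: already compliant"
        fi
    done
}

main
```

Run it as-is to see which commands it would issue, then with DRY_RUN=0 once you have confirmed the verb syntax against your EMCLI version. Restarting an agent drops its monitoring for a moment, so the loop only restarts agents whose property it actually changed.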
Pingback: Securing Oracle Enterprise Manager 13cR2 | Pardy DBA
Hi Brian, have you ever dealt with Oracle CIS 12c benchmark compliance?
I wonder if this can be done via Grid Control 13c….
Hi Michael,
I have not. I have only spent some time on PCI and STIG compliance, both of which come with some pre-built compliance frameworks in the EM12c/EM13c distribution. I’m not very familiar with the CIS benchmark details, but based on a quick skim of a PDF I found from some web searching (https://security.uri.edu/uploads/CIS_Oracle_Database_12c_Benchmark_v1.0.0.pdf), I do believe that one could manually create their own compliance standard and framework that would cover most, if not all, of the standards CIS defines. A lot of the checks specified in that PDF (like revoking EXECUTE access for the PUBLIC role on various DBMS_* and UTL_* packages) already exist as compliance standard rules out of the box in EM13c (like the “Execute Privileges on DBMS_JOB to PUBLIC” rule), so you wouldn’t be starting from scratch if you attempted to implement it. I wrote a blog post 4.5 years ago about configuring compliance standards in EM12c (https://pardydba.wordpress.com/2013/07/09/using-em12c-compliance-rules-standards-and-frameworks/) and most of the functionality works pretty much the same in 13c, so if you did a gap analysis of the canned checks available against those that CIS requires, there might not really be that many rules you would need to add.
If you do pull off something like this, I bet there are many other OEM admins who would benefit from it if you are free to share the details with others. I would absolutely link to it.
Good luck!
-Brian
Thanks for the quick reply, I will check the option to create a custom compliance standard.
I have emailed the CIS guys, let’s see what they have to say in their defense 😉