Oracle PDB scanning in CCS
Article ID: 222938
Updated On:
Products
Issue/Introduction
Control Compliance Suite (CCS)
You would like to scan Oracle PDB databases using CCS.
Environment
Release : CCS 12.5.x
NOTE: Data Collection on Oracle PDB assets can only be collected by agentless method
Prerequisites:
1) Network ports for agentless data collection:
- Windows scanning: 135 / 137 / 138 / 139 / 445 / 389, Ephemeral port range
- Unix\Linux server scanning: 22
- CCS Oracle agentless target (default) : 1521
- If Oracle listens on other ports other than the default port, those are needed to be open as well
2) Required Permissions for agentless Oracle and OS scanning:
- Required Oracle permissions (see attached CCS DB Privileges Guide for required Oracle permissions)
- Requires root access on the Unix\Linux servers
- If you don’t want to give root access, see the KB on how to configure SUDO on your manager(s) and Unix\Linux servers. See KB https://knowledge.broadcom.com/external/article/178691/configuration-for-ccs-agentless-data-col.html
3) The Oracle ODP.NET 4 (12.1.0.2.0) client needs to be installed on each manager in the ‘Data Collector’ role.
Oracle Client ODP.NET 4 (12.1.0.2.0) For data collection on Oracle assets, you must manually install the Oracle Client ODP.NET 4 on the CCS Manager. You can install it before or after you install CCS. This component is a part of the ODAC 12c Release 4 and Oracle Developer Tools for Visual Studio (12.1.0.2.4) installation package. You must download the package from the Oracle product support website, extract the contents of the .zip package, and then run the installer for the Oracle Data Provider for .NET 4 12.1.0.2.0
- Oracle Client ODP.NET 4 (12.1.0.2.4): https://www.oracle.com/database/technologies/dotnet-utilsoft-downloads.html
Resolution
Data Collection for Oracle PDB assets
Data Collection on Oracle PDB assets can only be collected by agentless method. Also you cannot import PDB Oracle assets by running the Asset Import Job in the CCS console. You have to add the PDB manually by adding each PDB asset individually, or by using the CSV or the ODBC asset import functionality to add multiple assets.
NOTE: While importing the PDB Oracle assets, assets attributes such as Database Name Type, Database Version, Operating System, and OS Type must be updated for successful data collection.
The Database Name Type asset property must be updated to Service Name, and not as a System ID (SID).
How to add an Oracle PDB asset
Additional information how to use Add Asset functionality in CCS: https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/control-compliance-suite/12-x/policy-management-v122966579-d8e87449/add-assets-provide-asset-information-v123213506-d8e237665.html
Add the Oracle PDB asset using 'Add Asset'
- The Asset Type would be 'Oracle Configured Databases' and
- For single assets use the 'Add Assets Classification' and fill out the required information for a single asset (you will need to have the required information listed in the Note section above to create the PDB asset).
- If you have multiple assets to create, you can use the second option to use a csv (**in the required format, see bullet point below to generate the csv file with headers) file or ODBC to give the information.
- **To get the headers for the csv file, go to Asset System -> Assets -> Asset Tasks dropdown -> Export CSV Headers and choose 'Oracle Configured Databases'. (Information on the required headers are in the top of the csv file once created).
- Configure a Common Credential or Asset Credentials for CCS to use for the Oracle data collection.
- CCS Common credentials - Documentation on CCS Common Credentials
- CCS Asset credentials - Documentation on CCS Asset credentials
- Run an Oracle data collection or CER job on the newly created Oracle Asset(s).
Attachments
Feedback
