Oracle PDB scanning in CCS

Article ID: 222938

Products

Control Compliance Suite, Control Compliance Suite Standards Server

Issue/Introduction

Control Compliance Suite (CCS)

You would like to scan Oracle PDB databases using CCS.

Environment

Release: CCS 12.6.X

NOTE: Data collection on Oracle PDB assets can only be performed using the agentless method.

Prerequisites:

1) Network ports for agentless data collection:

  • Windows scanning: 135 / 137 / 138 / 139 / 445 / 389, ephemeral port range
  • Unix/Linux server scanning: 22
  • CCS Oracle agentless target (default): 1521
    • If Oracle listens on ports other than the default port, those ports must be open as well

2) Required Permissions for agentless Oracle and OS scanning:

3) Install the Oracle Database 19c Client (32-bit) on each CCS manager in the ‘Data Collector’ role.

Starting with Security Content Update (SCU) 2022-3, the Oracle Database 19c Client (32-bit) is required if you want to perform data collection on the Oracle Database assets.

The Oracle Database 19c Client must be installed on the CCS Manager with the data collection role. 

NOTE: If you are already running an Oracle 12c Client on your CCS Manager, make sure to uninstall it, restart the CCS Manager Service, and then install the Oracle Database 19c Client.

To install the Oracle Database 19c Client for data collection on Oracle Database assets:

  1. Download Oracle Database 19c Client (19.3) for Microsoft Windows (32-bit) with the file name NT_193000_client.zip from the Oracle product support website.

  2. Extract the contents of the package to a directory at a known location.

  3. Run the installer for the Oracle Data Provider for .NET and provide the required data.

  4. Select the Oracle Data Provider for .NET option.

  5. After the installation of the ODP.NET client is complete, navigate to the install location.
    1. Copy the file Oracle.DataAccess.dll to the CCS Manager’s install directory at "…\Symantec\CCS\Reporting and Analytics\DPS".
      Note: The typical path for "Oracle.DataAccess.dll" is "...\client\administrator\product\19.0.0\client_1\odp.net\bin\4"

  6. Restart the Symantec CCS Manager Service.

Documentation: Installing Oracle Database 19c Client (32-bit) for the data collection on Oracle assets (2022-3)
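
A pre-flight check for the TCP ports listed under prerequisite 1, given here as an added example that is not part of the original article or of CCS. It is meant to be run in PowerShell on the CCS Manager with the Data Collector role; the target host names are constructed placeholders and `Test-TcpPort` is a hypothetical helper defined in the script.

```powershell
param(
    [int]$OracleListenerPort = 1521,   # default from the article; change if the listener uses another port
    [int]$TimeoutMs = 3000
)

# TCP ports from the prerequisites list, by target platform.
# 137 and 138 (NetBIOS name/datagram) are normally UDP, and the ephemeral range is
# negotiated at run time, so neither can be confirmed with a TCP connect.
$PortsByPlatform = @{
    Windows = @(135, 139, 445, 389)
    Unix    = @(22)
}

# Constructed sample targets: replace with the hosts of your Oracle PDB assets.
$Targets = @(
    [pscustomobject]@{ Host = 'oradb-win01.example.com'; Platform = 'Windows' }
    [pscustomobject]@{ Host = 'oradb-lnx01.example.com'; Platform = 'Unix' }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused or the name did not resolve
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($t in $Targets) {
    foreach ($port in (@($PortsByPlatform[$t.Platform]) + $OracleListenerPort)) {
        [pscustomobject]@{
            Host     = $t.Host
            Platform = $t.Platform
            Port     = $port
            Open     = Test-TcpPort -HostName $t.Host -Port $port -TimeoutMs $TimeoutMs
        }
    }
}
$results | Format-Table -AutoSize
# Non-zero exit code when any required TCP port is unreachable, for use in a scheduled check.
if ($results | Where-Object { -not $_.Open }) { exit 1 }
```

A closed result for a port identifies the firewall rule to fix before running the data collection job; an open result only shows TCP reachability, not that the scan credentials have the required permissions.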

Resolution

Data Collection for Oracle PDB assets

Data collection on Oracle PDB assets can only be performed using the agentless method. Also, you cannot import Oracle PDB assets by running the Asset Import Job in the CCS console. You must add PDB assets manually, either by adding each PDB asset individually or by using the CSV or ODBC asset import functionality to add multiple assets.

NOTE: While importing the Oracle PDB assets, asset attributes such as Database Name Type, Database Version, Operating System, and OS Type must be updated for successful data collection.
The Database Name Type asset property must be updated to Service Name, not System ID (SID).

 

How to add an Oracle PDB asset

Additional information on how to use the Add Asset functionality in CCS: https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/control-compliance-suite/12-x/policy-management-v122966579-d8e87449/add-assets-provide-asset-information-v123213506-d8e237665.html

Add the Oracle PDB asset using 'Add Asset'

  1. Set the Asset Type to 'Oracle Configured Databases', then:
    • For a single asset, use 'Add Assets Classification' and fill out the required information (you will need the information listed in the NOTE above to create the PDB asset).
    • For multiple assets, use the second option to supply the information from a CSV file in the required format, or through ODBC.
      • To get the headers for the CSV file, go to Asset System -> Assets -> Asset Tasks dropdown -> Export CSV Headers and choose 'Oracle Configured Databases'. Information on the required headers is at the top of the generated CSV file.
  2. Configure a Common Credential or Asset Credentials for CCS to use for the Oracle data collection.
  3. Run an Oracle data collection or CER job on the newly created Oracle Asset(s).

Attachments

1630415486825__Control Compliance Suite Data Collection Privileges Guide.pdf