Perform Compliance Assessment of Oracle Multitenant Databases via Container Database

Customers have the option to assess their Oracle multitenant databases for compliance via the container database (CDB). For this, customers simply select the option "Is CDB" in the Oracle authentication record. There is no longer a need for customers to create individual records for each pluggable database in the CDB. Note that this option is supported for Policy Compliance scans only.

How it works

When “Is CDB” is selected in the Oracle record, the compliance scan will auto discover and assess all accessible Pluggable Databases (PDBs) within the container database (CDB). The assessment is performed through the CDB, which means there is no need for the scanner to connect directly to individual PDBs. This saves customers from having to create separate Oracle records for each PDB instance.

Identifying the Oracle database as a CDB in the Oracle record also ensures the right compliance checks are performed for multitenant technologies. We’ve rewritten compliance controls in order to assess the pluggable databases via the CDB.

We support these Oracle multitenant database technologies:

- Oracle 12c Multitenant
- Oracle 18c Multitenant
- Oracle 19c Multitenant

Multitenant Container Database Architecture

Here’s a sample container database with 3 pluggable databases. You’ll create one record for the entire CDB. There is no need to create separate records for each database instance.

Multitenant Container Database Architecture

In this sample:
IP address = 10.10.10.1
CDB instance = ORCL
PDB instances = PDB1, PDB2, PDB3

Create an Oracle record with these settings: IP=10.10.10.1, service name=ORCL, Is CDB=enabled

We’ll assess the CDB plus the 3 PDBs within the container database. Compliance evaluation data is collected across all of the database instances to determine the final posture. The data we collect across the instances is combined into a single Actual value that gets compared to the Expected value for the control to determine the Pass or Fail posture. See the sample policy report below.

What are the steps?

Follow these steps to perform compliance assessment of your container database:

1) Set up a scan user account and privileges in the container database you want to scan with authentication. See Oracle Authentication (PC) for a set of scripts we’ve provided to help you set up the account and privileges for a multitenant container database scan.   

2) Create an Oracle authentication record for the CDB. In the Oracle record, specify the scan user account from the first step, identify the target CDB (by SID or Service Name), select the “Is CDB” option, and add the IP address for the CDB.

3) Start a new compliance scan. When the Oracle record has the “Is CDB” option enabled, the scanner will auto discover and assess all accessible Pluggable Databases (PDBs) within the container database at scan time. The assessment is performed through the CDB; we will not connect directly to individual PDBs. The Appendix section of your Compliance Scan Results will indicate whether authentication was successful or not, under Oracle authentication. See sample scan results below.

4) Create a compliance policy. In the policy, select the Oracle multitenant technologies, the controls you want to assess on your CDB and PDBs, and an asset group containing the CDB IP address.

5) Run Policy Reports on your container database. The Evidence and Extended Evidence sections for each control will show the data collected on the CDB and across the PDBs within the container database. See the sample policy report below.

Your Oracle Record

You’ll see the “Is CDB” option on the Target Configuration tab in your Oracle record.

Oracle record for CDB

What happens if the option “Is CDB” is selected for a non-Multitenant database instance?

This depends on whether the necessary privileges required for CDB assessment are granted to the scan user account defined in the record. If the necessary privileges are granted, then assessment will still happen and will be reported under the Oracle multitenant technology, however no PDBs will be enumerated in a non-Multitenant database instance. If the necessary privileges are not granted, then scan authentication will fail with insufficient privileges, highlighting which tables are lacking in privileges. The data reported will be the same for a non-Multitenant database instance whether “Is CDB” is selected or not. The only difference is the source of the retrieved data.

About system created authentication records

Please note that we cannot auto create Oracle authentication records for the CDB at this time. You can edit system records after they’ve been created to set the Is CDB option.

Sample Scan Results

The Appendix section of your Compliance Scan Results will indicate whether authentication was successful or not, under Oracle authentication.  

Sample scan results

Sample Policy Report

In the sample below, the control shows the PASSWORD_GRACE_TIME for the CDB as well as all the accessible pluggable databases within the CDB. With this feature, the CDB and the PDBs are assessed together with the same control. The Actual value for the control will list the PASSWORD_GRACE_TIME setting collected for the CDB and the PDBs that were assessed.

Sample policy report

Extended Evidence

The Extended Evidence section will list the CDB and PDBs included in the control evaluation. The information shown in this section depends on the type of control being evaluated. For some controls, you’ll see all the PDBs discovered in the CDB. For other controls, you’ll see the CDB plus the PDBs that had a different setting than the CDB. For example, let’s say there are 5 PDBs discovered in a CDB but only 2 had a different setting than the CDB. In this case, the Extended Evidence will include 3 lines – one for the CDB and one for each PDB with a different setting. If all the PDBs have the same setting as the CDB, then only 1 line will appear in the Extended Evidence section for the CDB.

The column CON_NAME shows the name for each container database and the column CON_ID shows the container database ID. Here’s a look at CON_ID values:

- A value of 0 means the data pertains to the entire CDB.

- A value of 1 means the data pertains to the root.

- A value of 2 means the data pertains to the seed.

- A value of 3-254 means the data pertains to a PDB. Each PDB has its own container ID.