Customers have the option to assess their Oracle multitenant databases for compliance via the container database (CDB). For this, customers simply select the option "Is CDB" in the Oracle authentication record. There is no longer a need for customers to create individual records for each pluggable database in the CDB. Note that this option is supported for Policy Compliance scans only.
When “Is CDB” is selected in the Oracle record, the compliance scan will auto discover and assess all accessible Pluggable Databases (PDBs) within the container database (CDB). The assessment is performed through the CDB, which means there is no need for the scanner to connect directly to individual PDBs. This saves customers from having to create separate Oracle records for each PDB instance.
Identifying the Oracle database as a CDB in the Oracle record also ensures the right compliance checks are performed for multitenant technologies. We’ve rewritten compliance controls in order to assess the pluggable databases via the CDB.
For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article:
Authentication Technologies Matrix
Here’s a sample container database with 3 pluggable databases. You’ll create one record for the entire CDB. There is no need to create separate records for each database instance.
In this sample:
- IP address = 10.10.10.1
- CDB instance = ORCL
- PDB instances = PDB1, PDB2, PDB3
Create an Oracle record with these settings: IP=10.10.10.1, service name=ORCL, Is CDB=enabled
We’ll assess the CDB plus the 3 PDBs within the container database. Compliance evaluation data is collected across all of the database instances to determine the final posture. The data we collect across the instances is combined into a single Actual value that gets compared to the Expected value for the control to determine the Pass or Fail posture. See the sample policy report below.
Follow these steps to perform compliance assessment of your container database:
1) Set up a scan user account and privileges in the container database you want to scan with authentication. See Oracle Authentication (PC) for a set of scripts we’ve provided to help you set up the account and privileges for a multitenant container database scan.
2) Create an Oracle authentication record for the CDB. In the Oracle record, specify the scan user account from the first step, identify the target CDB (by SID or Service Name), select the “Is CDB” option, and add the IP address for the CDB.
3) Start a new compliance scan. When the Oracle record has the “Is CDB” option enabled, the scanner will auto discover and assess all accessible Pluggable Databases (PDBs) within the container database at scan time. The assessment is performed through the CDB; we will not connect directly to individual PDBs. The Appendix section of your Compliance Scan Results will indicate whether authentication was successful or not, under Oracle authentication. See sample scan results below.
4) Create a compliance policy. In the policy, select the Oracle multitenant technologies, the controls you want to assess on your CDB and PDBs, and an asset group containing the CDB IP address.
5) Run Policy Reports on your container database. The Evidence and Extended Evidence sections for each control will show the data collected on the CDB and across the PDBs within the container database. See the sample policy report below.
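Before starting the scan in step 3, a DBA can confirm that the scan user account from step 1 holds what CDB assessment needs. The queries below are an added example, not the setup scripts Qualys provides; the exact privilege list comes from those scripts. C##QUALYS_SCAN is a placeholder common-user name, the first three queries are run by a DBA in the CDB root, and the last one is run as the scan user itself:

```sql
-- Added example, not Qualys's own setup script. C##QUALYS_SCAN is a placeholder
-- for the common scan user created in step 1; substitute the real account name.

-- 1. Everything granted to the scan user: system privileges, roles and
--    object privileges. Run as a DBA in the CDB root.
SELECT 'SYS_PRIV' AS kind, privilege AS detail
FROM   dba_sys_privs
WHERE  grantee = 'C##QUALYS_SCAN'
UNION ALL
SELECT 'ROLE', granted_role
FROM   dba_role_privs
WHERE  grantee = 'C##QUALYS_SCAN'
UNION ALL
SELECT 'TAB_PRIV', privilege || ' ON ' || owner || '.' || table_name
FROM   dba_tab_privs
WHERE  grantee = 'C##QUALYS_SCAN'
ORDER  BY 1, 2;

-- 2. CONTAINER_DATA attribute. Without it, CDB_ and V$ views queried from the
--    root return only the root's own rows, so the PDBs could not be enumerated
--    even though authentication to the CDB succeeds.
SELECT username, owner, object_name, all_containers, container_name
FROM   dba_container_data
WHERE  username = 'C##QUALYS_SCAN';

-- 3. The PDBs that exist in this CDB, as seen by the DBA. Keep this list to
--    compare against what the scan user can see.
SELECT con_id, name, open_mode
FROM   v$pdbs
ORDER  BY con_id;

-- 4. Run this one connected as the scan user. If it returns fewer rows than
--    query 3, the account cannot see every PDB and the scan will miss them.
SELECT con_id, name, open_mode
FROM   v$pdbs
ORDER  BY con_id;
```

A PDB that is not open at scan time will not be accessible, so compare OPEN_MODE in queries 3 and 4 as well as the row count; an assessment that lists fewer PDBs in Extended Evidence than the CDB actually holds is usually one of these two gaps, not a scanner fault.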
You’ll see the “Is CDB” option on the Target Configuration tab in your Oracle record.
Whether the “Is CDB” option can be used against a non-Multitenant database instance depends on whether the privileges required for CDB assessment have been granted to the scan user account defined in the record. If they have been granted, the assessment still runs and is reported under the Oracle multitenant technology, but no PDBs are enumerated, since a non-Multitenant instance has none. If they have not been granted, scan authentication fails with insufficient privileges, and the results indicate which tables the account lacks privileges on. The data reported for a non-Multitenant database instance is the same whether “Is CDB” is selected or not; the only difference is the source of the retrieved data.
Please note that we cannot auto create Oracle authentication records for the CDB at this time. You can edit system records after they’ve been created to set the Is CDB option.
The Appendix section of your Compliance Scan Results will indicate whether authentication was successful or not, under Oracle authentication.
In the sample below, the control shows the PASSWORD_GRACE_TIME for the CDB as well as all the accessible pluggable databases within the CDB. With this feature, the CDB and the PDBs are assessed together with the same control. The Actual value for the control will list the PASSWORD_GRACE_TIME setting collected for the CDB and the PDBs that were assessed.
The Extended Evidence section will list the CDB and PDBs included in the control evaluation. The information shown in this section depends on the type of control being evaluated. For some controls, you’ll see all the PDBs discovered in the CDB. For other controls, you’ll see the CDB plus the PDBs that had a different setting than the CDB. For example, let’s say there are 5 PDBs discovered in a CDB but only 2 had a different setting than the CDB. In this case, the Extended Evidence will include 3 lines – one for the CDB and one for each PDB with a different setting. If all the PDBs have the same setting as the CDB, then only 1 line will appear in the Extended Evidence section for the CDB.
The CON_NAME column shows the name of each container (the root, the seed, or a PDB) and the CON_ID column shows its container ID. Here’s a look at CON_ID values:
- A value of 0 means the data pertains to the entire CDB.
- A value of 1 means the data pertains to the root.
- A value of 2 means the data pertains to the seed.
- A value of 3-254 means the data pertains to a PDB. Each PDB has its own container ID.
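To reproduce the PASSWORD_GRACE_TIME evidence described above directly in the database, the queries below read the same setting per container. This is an added example, not the control logic Qualys runs; it assumes a common user connected to the CDB root that can query V$CONTAINERS and CDB_PROFILES with CONTAINER_DATA set so that CDB_ views return rows for the PDBs and not only for the root:

```sql
-- Added example, not Qualys's control implementation. Run in the CDB root as a
-- common user that can see all containers' rows in CDB_ views.

-- 1. Containers visible from the root, labelled with the CON_ID meaning above.
--    V$CONTAINERS has no row for CON_ID 0; that value only appears in CDB_ views
--    where a row applies to the CDB as a whole.
SELECT con_id,
       name AS con_name,
       open_mode,
       CASE con_id
         WHEN 0 THEN 'entire CDB'
         WHEN 1 THEN 'root'
         WHEN 2 THEN 'seed'
         ELSE 'PDB'
       END AS container_type
FROM   v$containers
ORDER  BY con_id;

-- 2. PASSWORD_GRACE_TIME of the DEFAULT profile in every container: the raw
--    data that the control's Evidence section combines into one Actual value.
SELECT c.con_id,
       c.name  AS con_name,
       p.profile,
       p.limit AS password_grace_time
FROM   cdb_profiles p
       JOIN v$containers c ON c.con_id = p.con_id
WHERE  p.resource_name = 'PASSWORD_GRACE_TIME'
AND    p.profile = 'DEFAULT'
ORDER  BY c.con_id;

-- 3. The root plus only those PDBs whose setting differs from the root's,
--    which is the shape of Extended Evidence for the "differs from the CDB"
--    style of control described above (5 PDBs, 2 different => 3 lines).
WITH grace AS (
  SELECT con_id, limit
  FROM   cdb_profiles
  WHERE  resource_name = 'PASSWORD_GRACE_TIME'
  AND    profile = 'DEFAULT'
)
SELECT c.con_id,
       c.name  AS con_name,
       g.limit AS password_grace_time
FROM   grace g
       JOIN v$containers c ON c.con_id = g.con_id
WHERE  g.con_id = 1
   OR  g.limit <> (SELECT limit FROM grace WHERE con_id = 1)
ORDER  BY c.con_id;
```

Closed PDBs and the seed normally contribute no rows to CDB_ views, so query 2 returning fewer containers than query 1 is expected for those; a missing open PDB, by contrast, points at the scan user's CONTAINER_DATA setting rather than at the control.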
The Database OS authentication record supports Oracle 12c, Oracle 18c, and Oracle 19c. We have added Database OS authentication record support for Oracle 21c (Multitenant).
Note: Previous versions of Oracle database (12c, 18c, 19c) supported both non-multitenant and multitenant architectures, but accurate identification of the architecture is only possible after successful authentication to the database. However, Oracle 21c only supports the multitenant architecture, so if an OS authentication record with the appropriate preference key is provided, it can be identified as multitenant technology.