Having covered Manual Rules in the last blog post, it is now time to look at Agent Rules. Agent Rules have been designed to take away some of the complexity of defining custom compliance checks in 12c OEM.
Developing compliance checks in 220.127.116.11 takes a standard approach:
- select the data that you want to check – Configuration Extension
- take the selected data and check whether it is a violation – Compliance Rule
Here is a 18.104.22.168 example:
We are going to check that the SYSTEM account is locked.
First the configuration extension:
select account_status from dba_users where username in ('SYSTEM')
This data then gets stored in the table within 12c OEM.
MGMT$CCS_DATA s3 ,
s2gen1.TARGET_GUID = s2.TARGET_GUID
AND s2gen1.ECM_SNAPSHOT_ID = s3.ECM_SNAPSHOT_ID
AND s2.TARGET_TYPE = 'oracle_database'
AND s2gen1.SNAPSHOT_TYPE = 'ccs_c_FF69ABA6C57800C4E0431EDFF569E26D' -- KEY IDENTIFIER
AND s3.data_source_name = 't7' -- ALIAS IN CONFIG EXTENSION
Each column generated by a configuration extension is stored as two columns by 12c: the attribute and the value. The attribute is the column name from your extension and the value is the value of that attribute.
TARGET GUID                        VALUE   ATTR
A0885F27EF10114EFBD33B3ACEFE7DB0   OPEN    ACCOUNT_STATUS
So to define the violation in 12c, you specify that a violation occurs when VALUE=OPEN. In 12c OEM it will look like this.
Here is a 22.214.171.124 example:
We are going to check that the SYSTEM account is locked. In this example we are going to use an Agent Side Rule, and here you can see the reduced work in creating a custom compliance rule.
First of all we create a configuration extension to return the specific violation we are seeking. A requirement of agent side rules is that the configuration extension returns a single column.
Then we can create the agent side rule.
The big difference here is that you just select your configuration extension. We can test this against the target. There is a known bug where the test score shows 100% compliance unless there is more than one violation; however, this isn't the case when the rule is applied to the target. The additional benefit of agent side rules is that the underlying configuration extension is applied to the target when the compliance rule is applied, i.e. you don't need to deploy configurations separately or via monitoring templates.
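A sketch of the single-column configuration extension query described above, as an added example rather than the query from the original post. It assumes the agent side rule treats every returned row as a violation, and it goes beyond the VALUE=OPEN test by failing closed: any status other than a permanent lock is reported. The column alias `violation` and the constructed sample rows are illustrative.

```sql
-- 1) Configuration extension query for the agent side rule.
--    One column only; returns no rows when SYSTEM is permanently locked.
--    A whitelist of locked states is used instead of "= 'OPEN'" so that
--    EXPIRED, EXPIRED(GRACE) and timed locks (which release on their own)
--    are also reported, as is any status this list does not know about.
SELECT username || ' account_status=' || account_status AS violation
FROM   dba_users
WHERE  username = 'SYSTEM'
AND    account_status NOT IN ('LOCKED',
                              'EXPIRED & LOCKED',
                              'EXPIRED(GRACE) & LOCKED');

-- 2) Check of the same predicate against constructed sample statuses
--    (not real target data), runnable in any Oracle session.
SELECT s.account_status,
       CASE
         WHEN s.account_status IN ('LOCKED',
                                   'EXPIRED & LOCKED',
                                   'EXPIRED(GRACE) & LOCKED')
         THEN 'COMPLIANT'
         ELSE 'VIOLATION'
       END AS result
FROM  (SELECT 'OPEN' AS account_status FROM dual
       UNION ALL SELECT 'EXPIRED'          FROM dual
       UNION ALL SELECT 'EXPIRED(GRACE)'   FROM dual
       UNION ALL SELECT 'LOCKED(TIMED)'    FROM dual
       UNION ALL SELECT 'LOCKED'           FROM dual
       UNION ALL SELECT 'EXPIRED & LOCKED' FROM dual) s;
```

Only the last two sample rows come back as COMPLIANT; a rule that tests solely for OPEN would pass the EXPIRED and LOCKED(TIMED) rows as well.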