Why Automation Matters : Keep Your Auditors Happy

We were having some of our systems audited recently. I’ve been part of this sort of thing a few times over the years, but I was pleasantly surprised by a number of the questions that were being asked during this most recent session. I’ll paraphrase some of their questions and my answers.

  • How do you document your build processes? We have silent build scripts (where possible). The same build scripts are used for each build, with the differences just being environment variables. If a silent build is not possible, we do a semi-silent build, and use screen grabs for the manual bits.
  • How do you keep control of your builds and configuration? Everything goes into a cloud-based Git repository, and we have a local git server as a backup of the cloud service.
  • How do you manage change through your systems? Requests, Incidents, Enhancements, Tasks are raised and placed in a Task Board, which is kind-of like a Kanban board, in Service Now. Progression of changes to production require a Change Request (CR), which may need to be agreed by the Change Advisory Board (CAB), depending on the nature of the change.
  • Are changes applied manually, or using automation? This was followed by a long discussion about what we can and can’t automate because of our internal company structure and politics. It also covered the differences between automation of changes to infrastructure and in the development process. 🙂

There was a lot more than this, but this is enough to make my point.

The reactions to the answers can be summarised as follows.

  • When we had a repeatable automated process we got a thumbs up.
  • When we had a process that was semi-automated, because full automation was impractical (because of additional constraints), we got a thumbs up.
  • When we had a manual process, we got a thumbs down, because maintaining consistency and preventing human error is really hard when using manual processes.

In a sentence I guess I could say, if you are using DevOps you pass. If you are not using DevOps you fail. 🙂

Now I am coming to this with a certain level of bias in favour of DevOps, and that bias may be skewing my interpretation of the situation somewhat, but that is how it felt to me.

As I said earlier, I was pleasantly surprised by this angle. It’s nice to see the auditors giving me some extra leverage, and it certainly feels like automation is a good way to keep the auditors happy! 🙂

Check out the rest of the series here.



PS. This is just one part of the whole auditing process.

Auditing Enhancements (Audit Policies and Unified Audit Trail) in Oracle Database 12c

A little over a year ago I was at the BGOUG Spring Conference and I watched a session by Maja Veselica about auditing in Oracle Database 12c. At the time I noted that I really needed to take a look at this new functionality, as it was quite different to what had come before. Fast forward a year and I’ve finally got around to doing just that. 🙂

I’ve tried to keep the article quite light and fluffy. The Oracle documentation on this subject is really pretty good, so you should definitely invest some time reading it, but if you need a quick overview to get you started, my article might help. 🙂

My 12c learning experience continues…



Oracle License Audit

I found out yesterday that we have an Oracle license audit in January, so I spent yesterday having a look at everything we have to check what features we are using…

Our licensing situation is a little different to anywhere I’ve worked before, in that they are based on the number of Full Time Employees (FTEs), not on named users or processors. As a result, we don’t need to worry about the number of installations we have. We just need to make sure we are not using features we are not licensed for.

Database Licenses

The database side is quite easy because we have FTE licenses for Enterprise Edition, Diagnostics and Tuning Pack and Partitioning. I checked the DBA_FEATURE_USAGE_STATISTICS view on each server and everything looks OK.
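One way to do that check in a single query, as an added example rather than anything from the original post: it lists every feature the view has seen in use and marks anything outside the options this site holds. The licensed-feature names are an assumption taken from the post (Diagnostics and Tuning Pack, Partitioning); adjust the list to your own agreement.

```sql
-- Added example, not from the original post. DBA_FEATURE_USAGE_STATISTICS
-- is sampled by MMON roughly weekly, so check LAST_SAMPLE_DATE is recent
-- before relying on the result. The feature names in the IN list are an
-- assumption based on what the post says is licensed; edit to match yours.
SELECT name,
       version,
       detected_usages,
       currently_used,
       TO_CHAR(first_usage_date, 'YYYY-MM-DD') AS first_used,
       TO_CHAR(last_usage_date,  'YYYY-MM-DD') AS last_used,
       TO_CHAR(last_sample_date, 'YYYY-MM-DD') AS last_sampled,
       CASE
         WHEN name IN ('Diagnostic Pack',
                       'Tuning Pack',
                       'Partitioning (user)') THEN 'licensed'
         ELSE 'CHECK'
       END AS licence_status
FROM   dba_feature_usage_statistics
WHERE  detected_usages > 0
ORDER  BY licence_status, name;
```

Most rows marked CHECK will be plain Enterprise Edition features; the ones to look at are the separately licensed options and packs that appear there.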

WebLogic Licenses

On the WebLogic front things are a little trickier. Since many of the licenses were bought in the Oracle Application Server era, we have to make sure we are only using features applicable for the WebLogic Server Basic license, which we have an FTE license for also. There is an overview of the restrictions in the Restricted Primary Services in WebLogic Server document. Also, there is a really handy MOS note, WebLogic Server Basic License Feature Usage Measurement Script (Doc ID 885587.1), which includes a WLST script that checks which features you are using and reports non-compliance with the WebLogic Server Basic license. It’s pretty simple to use. Just do the following for each domain on your server.

$ export MW_HOME=/u01/app/oracle/middleware
$ export DOMAIN_HOME=$MW_HOME/user_projects/domains/ClassicDomain
$ . $DOMAIN_HOME/bin/setDomainEnv.sh

$ java weblogic.WLST ./wls_basic_measurement.py

You are prompted for the AdminServer connection details.

  • Username: weblogic
  • Password: mypassword
  • Admin URL: t3://myserver.example.com:7001

It then chucks out a page of output with errors listed for any non-compliance.

Developer/Programmer Licenses

We have people using Oracle Forms, JDeveloper and Pro*C, which we have Named User Plus licenses for. We’ve recently gone through a desktop refresh in our department, so many people have their old PCs hanging about (just in case). The department used to be bigger, so even with the extra PCs hanging around we are over-licensed really, but this will be a good opportunity to convince people to wipe and let go of their old PCs. 🙂

So after my initial panic, everything looks OK, but I will be interested to see what the license police make of it all. 🙂



Update: I guess I was not very clear about the purpose of this post. I am not suggesting this is all that is necessary to prepare for an Oracle license audit. I was not suggesting you don’t need the help of licensing specialists. I currently work for a University, which negotiates its licenses as part of a large group of Universities. As a result, the licensing is very broad. It is quite different to the process individual companies have to go through. This was just a quick fact-finding mission for me, so I didn’t get any nasty surprises in the new year. 🙂

Thank you to those who commented, pointing out how this post could be misinterpreted. 🙂

Update 2: We passed the audit with no issues.

Oracle Auditing: Something I should have known…

I wrote about some new bits of 11gR2 auditing a while ago. Well actually it’s a bit of audit vault functionality that was included in 11gR2.

While answering a question today I confidently proclaimed that while you can move the AUD$ and FGA_LOG$ tables to another tablespace, it’s not a great idea and could make things go bang when you come to patch/upgrade the system. Whilst looking up some links for further reading to send to the poster, I noticed note 731908.1, which says the DBMS_AUDIT_MGMT package has been backported to 10gR2.

It’s not included in the database documentation until 11gR2, but it is available from the patches listed in the note if you need it.
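The supported way to relocate the audit trails, as an added example (not from the original post or the MOS note), uses that package rather than an ALTER TABLE ... MOVE on the SYS tables. The tablespace name AUDIT_TS is an assumption; create it first.

```sql
-- Added example, not from the original post. Moves the standard audit
-- trail (SYS.AUD$) and the fine-grained audit trail (SYS.FGA_LOG$) into
-- a dedicated tablespace via DBMS_AUDIT_MGMT, which is the method Oracle
-- supports across patching and upgrades. AUDIT_TS is an assumed name.
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    audit_trail_location_value => 'AUDIT_TS');

  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    audit_trail_location_value => 'AUDIT_TS');
END;
/

-- Verify the move: both tables should now report AUDIT_TS.
SELECT table_name, tablespace_name
FROM   dba_tables
WHERE  owner = 'SYS'
AND    table_name IN ('AUD$', 'FGA_LOG$');
```

On 10gR2 this only works once the backport patch from note 731908.1 is applied; on 11gR2 the package is there out of the box.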

Pesky Oracle improving older releases… 🙂