TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 20101

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 20102

Database Security

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 20103

• Security Vulnerabilities• Vulnerability Management System (VMS)• IAVA Process for Helpdesk

TOPICS

Database Security

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 20104

Security Vulnerabilities

Whenever any vendor, be it Microsoft, Oracle, Veritas,

or any other product used on the TPOCS and CCE

servers, releases a vulnerability report or hotfix it is first

tested in our lab environment

Database Security

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 20105

Security Vulnerabilities

Once the IAVA-A, IAVA-B, or IAVA-T status is

announced, the fix is applied into the ATIC

production environment

Database Security

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 20106

Security Vulnerabilities

Once the fix and IAVA status are confirmed, the

information is released both in a spreadsheet report to

the Service Managers and also as an update to the

ATIC assets in the VMS system

Database Security

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 20107

QUESTIONS

Security Vulnerabilities

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 20108

Vulnerability Management System (VMS)

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 20109

Vulnerability Management System (VMS)

• The ATIC production system is listed as an MTF in

the Vulnerability Management System

• When updates or hot-fixes are approved and applied

to the ATIC production system it will be reflected in

the VMS

Database Security

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201010

Vulnerability Management System (VMS)

• IAVA notices that are Not Applicable to the TPOCS

and CCE systems are listed as such in the VMS

• This information should be visible to site

administrators with VMS access

Database Security

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201011

Vulnerability Management System (VMS)

• VMS report are accessed from the VMS

Home page. To access the VMS website:

https://vms.disa.mil• DISA provides VMS training, implementation and

operational support to VMS users.

Database Security

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201012

QUESTIONS

Vulnerability Management System (VMS)

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201013

IAVA Process for Tier3 Helpdesk

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201014

IAVA Processing

1. IAVA report initiated by DHSS

2. IAVA reviewed for relevance by CCE/TPOCS Tier3 Analyst.

3. If IAVA references a software package not loaded on CCE/TPOCS servers it is marked as N/A CCE/TPOCS does not use application.

4. If IAVA references a software package loaded on CCE/TPOCS servers, determination is made if the IAVA directly affects the CCE/TPOCS applications.

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201015

5. If the application referenced in the IAVA is loaded on CCE/TPOCS servers, but does not interact with CCE/TPOCS application (i.e., MS-Word, MS-Excel, Adobe Acrobat Reader, Windows 2000 Server) it is marked Apply Patch, Does not affect CCE/TPOCS.

IAVA Processing

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201016

6. If the application referenced in the IAVA is loaded on CCE/TPOCS servers and directly affects the CCE/TPOCS application (i.e. Oracle Database, MS-SQL Database), the IAVA is referred to the proper analyst for installation and testing to verify the patch does not “Break” CCE/TPOCS. If the patch does not “Break” CCE/TPOCS, it is marked Apply Patch, Does not affect CCE/TPOCS. If the patch does “Break” CCE/TPOCS, RITPO is informed not to apply the patch until a fix is in place for CCE/TPOCS.

IAVA Processing

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201017

QUESTIONS

IAVA Processing

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201018

Oracle 10g/11g Server Patches

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201019

Oracle 10g/11g Server Patches Installation

• Oracle releases patches every 3 months• PSI will evaluate Oracle patches released. If it

is compatible with TPOCS IAVA will instruct the local SA to apply the patch.

• The administrator/BOC on each TPOCS server site is responsible to install the patch.

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201020

• Client can be grabbed from http://www.oracle.com/technology/software/index.html

• Select “Runtime (218mb)” on installation.• Copy tnsnames.ora and SQLnet.ora files from an existing

TPOCS workstation and paste to the same folder from your workstation to connect to the Oracle server.

• Test connection using TPOCS or Oracle’s “Net Configuration Assistant”.

• If a user is not in the Administrator Group and needs to run TPOCS, the user must be grant read/write access to every node in C:\Oracle\ tree and C:\Program Files\Oracle\ tree.

Oracle 10g Client Installation

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201021

Oracle 10g Server Patches Installation

QUESTIONS

TPOCS Technical Training

UBO/UBU Conference - TPOCS - 22-25 March 201022

Thanks for Attending TPOCS Technical Training