Oracle Enterprise Landing Zones are frameworks within Oracle Cloud Infrastructure (OCI) designed to create secure and scalable cloud environments for enterprises. They include various versions such as OELZ v1, OELZ v1 Lite, OELZ v2, and CIS OCI Landing Zone, each offering different levels of security, compliance, and complexity to accommodate organizational needs. OELZ v2 is the most comprehensive for advanced enterprise setups, while CIS focuses on stringent security. Selecting a landing zone depends on your enterprise's priorities such as scalability, security compliance, or industry-specific requirements. Deployment is facilitated through Terraform scripts, and a GitHub repository is available for quick deployment.

The CIS OCI Landing Zone is a publicly available reference architecture for creating the foundations of a secure tenancy on OCI following best practices from the CIS Benchmark for OCI; along with best practices developed in OCI for our own Oracle PaaS, SaaS, and IT services. In addition to the reference architecture, the Landing Zone includes easy-to-deploy Terraform code (Quick Start) that automates the creation of a secure tenancy and a compliance checking script that can be used on new or existing tenancies that validates configuration in the tenancy for compliance with the CIS benchmark recommendations.

if you have read anything about them before the confusion starts quickly. Landing Zone V1 or V2? CIS or non CIS?

Oracle OCI Landing Zones provide structured environments to set up Oracle Cloud Infrastructure (OCI) following best practices and compliance standards.

Which one?

https://docs.public.oneportal.content.oci.oraclecloud.com/en-us/iaas/Content/cloud-adoption-framework/technology-implementation.htm#how-do-i-choose

Oracle Enterprise Landing Zone (OELZ) v1

Purpose and Scope:

• The initial version is designed to provide a foundational setup for enterprises on OCI.

• Focused on establishing a secure and scalable environment.

Key Features:

• Standardized Architecture: Provides a predefined architecture based on Oracle’s best practices.

• Security and Compliance: Basic security controls and compliance measures.

• Automated Deployment: Uses Terraform scripts for automated setup.

• Networking: Basic network configuration including VCNs, subnets, and security lists.

• IAM: Implements foundational IAM policies and compartments.

• Monitoring and Logging: Basic integration with OCI monitoring and logging services.

• Cost Management: Initial cost management practices included.

Oracle Enterprise Landing Zone (OELZ) v1 Lite

Purpose and Scope:

• A simplified version of OELZ v1, designed for smaller organizations or initial cloud adoption phases.

• Focused on providing a quick and straightforward setup.

Key Features:

• Simplified Architecture: Provides a minimal viable architecture to get started on OCI.

• Basic Security Controls: Essential security measures to protect the environment.

• Automated Deployment: Uses Terraform scripts for easy deployment.

• Networking: Basic network setup with essential components.

• IAM: Implements necessary IAM policies and compartments.

• Monitoring and Logging: Basic monitoring and logging configurations.

• Cost Management: Basic cost management practices.

Oracle Enterprise Landing Zone (OELZ) v2

Purpose and Scope:

• Designed for enterprises looking for a comprehensive cloud environment setup.

• Provides a scalable and secure architecture that adheres to Oracle’s best practices.

Key Features:

• Modular Design: Allows for customization and scalability based on organizational needs.

• Security and Compliance: Built-in security controls and compliance with various regulations (e.g., GDPR, HIPAA).

• Automated Deployment: Uses Terraform scripts for automated provisioning and configuration.

• Networking: Configures a robust network architecture with VCN, subnets, security lists, and DRG.

• Identity and Access Management (IAM): Implements IAM policies and compartments to segregate and control access.

• Monitoring and Logging: Integrated with OCI monitoring and logging services for visibility and troubleshooting.

• Cost Management: Incorporates tagging and cost management best practices.

CIS OCI Landing Zone

Purpose and Scope:

• Developed by the Center for Internet Security (CIS) to provide a secure foundation for OCI based on CIS Benchmarks.

• Focused primarily on security hardening and compliance.

Key Features:

• Security Hardening: Aligns with CIS OCI Foundations Benchmark to implement stringent security measures.

• Compliance: Ensures compliance with CIS standards, often a requirement for regulated industries.

• Automated Deployment: Utilizes Terraform scripts for quick deployment of a compliant OCI environment.

• Networking and IAM: Configures secure network architecture and IAM policies as per CIS recommendations.

• Auditing and Monitoring: Enables auditing and logging to track compliance and detect security incidents.

Other OCI Landing Zones

1. OCI Well-Architected Framework (WAF) Landing Zone:

   • Purpose: Implements OCI best practices based on the Well-Architected Framework.

   • Features: Focuses on reliability, security, cost optimization, performance efficiency, and operational excellence.

   • Use Case: Suitable for organizations seeking a balanced approach across all cloud operation aspects.

2. Industry-Specific Landing Zones:

   • Purpose: Tailored for specific industries (e.g., healthcare, finance) with unique compliance and operational requirements.

   • Features: Customized configurations to meet industry standards and regulatory requirements.

3. Custom Landing Zones:

   • Purpose: Tailored to the specific needs of an organization.

   • Features: Can be built from scratch or by modifying existing landing zone templates to meet unique requirements.

Comparison Summary

Summary of Key Differences:

• OELZ v2 offers the most comprehensive and customizable setup, suitable for large enterprises with advanced needs.

• CIS OCI Landing Zone focuses on security hardening and compliance, ideal for organizations with strict security requirements.

• OELZ v1 provides a foundational setup for enterprises, less advanced than v2 but still robust.

• OELZ v1 Lite is a simplified version for smaller organizations or those starting their cloud journey.

• Other Landing Zones vary widely and can be tailored to specific industries or organizational needs.

Choosing the right landing zone depends on your organization's priorities, whether it's comprehensive enterprise architecture, stringent security compliance, or specific industry requirements.

Deploy from Github

Here is the official GitHub repo, the simplest way to get started is the Deploy to Oracle Cloud button.

https://github.com/oracle-quickstart/oci-cis-landingzone-quickstart

Click deploy to the landing zone, log in and you will have a terraform wizard prompt to fill out. The 2 important options are

Service Label: A unique label that gets prepended to all resources created by the Landing Zone. I used lz

Use an enclosing compartment? - uncheck to prevent the creation of a “top” compartment.

I recommend most of the other security options like vuln scanning, key vault etc. However, the service connector can generate enough logs to become billable.

1. Code Review and Peer Review

• NIST SP 800-218 (Secure Software Development Framework - SSDF): Mandates code review practices to identify security vulnerabilities.

• Action: Implement mandatory peer code reviews for all PL/SQL code. Ensure that the review process is documented and that reviewers check for security flaws, coding standards compliance, and logic correctness.

2. Static Code Analysis

• NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations): Requires the use of automated tools to detect potential security issues in the code.

• CISA Guidance: Encourages the use of static analysis tools to identify vulnerabilities early in the development process.

• Action: Integrate static analysis tools (e.g., SonarQube, Fortify) into the development pipeline to automatically scan PL/SQL code for security vulnerabilities, code smells, and adherence to coding standards.

3. Automated Unit Testing

• Executive Order 14028 (Improving the Nation's Cybersecurity): Calls for robust testing practices, including automated testing, to ensure software security and reliability.

• NIST SP 800-218: Recommends the use of automated testing frameworks.

• Action: Use utPLSQL or similar frameworks to create and maintain comprehensive unit tests for all PL/SQL code. Ensure that these tests are automatically executed as part of the CI/CD pipeline.

4. Dynamic Application Security Testing (DAST)

• CISA and NIST SP 800-53: Highlight the importance of testing applications dynamically to detect security vulnerabilities during runtime.

• Action: Conduct DAST on the application environment where PL/SQL code is deployed to identify security issues that may only appear during execution, such as SQL injection or buffer overflows.

5. Continuous Integration and Continuous Deployment (CI/CD)

• NIST SP 800-218: Recommends the integration of automated security and quality checks within the CI/CD pipeline.

• Executive Order 14028: Emphasizes the use of automated tools and processes to enforce security throughout the software lifecycle.

• Action: Integrate PL/SQL code testing, static analysis, and security scanning into the CI/CD pipeline to ensure that code changes are automatically tested and verified before deployment.

6. Automated Code Formatting and Standards Enforcement

• NIST SP 800-218: Advocates for consistent coding practices to reduce errors and vulnerabilities.

• Action: Utilize automated tools for code formatting (e.g., SQLcl, PL/SQL Developer) and enforce coding standards such as the Trivadis PL/SQL & SQL Coding Guidelines. Ensure that code conforms to established guidelines and standards before it is committed to the codebase.

7. Security Testing and Vulnerability Management

• NIST SP 800-218 & SP 800-53: Stress the importance of identifying and remediating vulnerabilities in software.

• CISA Guidance: Promotes proactive vulnerability management through regular scanning and remediation efforts.

• Action: Conduct regular security testing, including vulnerability scans, penetration testing, and security audits on PL/SQL code. Remediate identified vulnerabilities promptly.

8. Configuration and Change Management

• NIST SP 800-53: Requires the implementation of configuration management to control changes to software code.

• Action: Implement strict version control and change management policies for PL/SQL code. Use tools like Git to track code changes and ensure that all modifications go through the appropriate review and approval process.

9. Logging and Monitoring

• NIST SP 800-92 (Guide to Computer Security Log Management): Recommends logging and monitoring of application activities for security purposes.

• Action: Ensure that PL/SQL code includes comprehensive logging of significant actions, errors, and security-related events. Implement monitoring systems to analyze these logs and alert on suspicious activities.

10. Compliance Auditing and Reporting

• NIST SP 800-53 & CISA: Recommend regular auditing and reporting to ensure compliance with security policies and standards.

• Action: Perform regular audits of PL/SQL code and its associated processes to ensure compliance with relevant standards and policies. Generate compliance reports to document adherence and identify areas for improvement.

11. Documentation and Traceability

• NIST SP 800-53: Stresses the importance of documentation for maintaining traceability and accountability.

• Action: Maintain detailed documentation for all PL/SQL code, including test cases, review logs, security assessments, and change histories. Ensure that documentation is easily accessible and kept up to date.

12. Supply Chain Security

• Executive Order 14028: Emphasizes the need to secure the software supply chain.

• Action: Verify that all third-party PL/SQL components or libraries comply with security standards. Conduct regular assessments of these components for vulnerabilities and maintain an inventory of all third-party dependencies.

Note: The ORDS docker image is using ORDS 24.1 but with Apex 23.2. You can build your own image with the latest version of Apex or update the ORDS container to host the new 24.1 Apex images. See this section for the latter.

I was able to modify my previous 21c docker setup with success.

Notable changes: no container registry login required, faster container runtime due to PDB being already set up, removal of Enterprise Manager. :(

I am using Ubuntu 22.04 fresh installation.

To start the container, we need to prepare a directory for the database files, which is mounted into the container and is persistent (so we can store and save everything, which is one of the basic things a database is used for). For this, I create a directory and set the userid and group id of the Oracle user (inside the container!)

Setup a user for the Oracle database

sudo groupadd --system --gid 54321 oracle
sudo adduser --system --shell /usr/sbin/nologin --gid 54321 --uid 54321 oracle

Create the required volume folders and permissions

mkdir ~/oracle
mkdir ~/oracle/db
mkdir ~/oracle/ords
mkdir ~/oracle/db/oradata
mkdir ~/oracle/ords/ords_config
mkdir ~/oracle/ords/ords_secrets
mkdir ~/oracle/db/startup
mkdir ~/oracle/db/setup
sudo chmod 777 ~/oracle -R
sudo chown oracle:oracle ~/oracle/db/oradata

Setup firewall

sudo ufw allow 1521
# sudo ufw allow 5500 # Enterprise Manager is disabled in 23c Free :(

Install Docker

sudo apt update

sudo apt install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
apt-cache policy docker-ce
sudo apt install docker-ce -y
sudo systemctl status docker
sudo usermod -aG docker ${USER}

# Reload shell then:
docker ps
# If prompting for sudo something is incorrect.

Install Docker Compose

## Compose

mkdir -p ~/.docker/cli-plugins/
curl -SL https://github.com/docker/compose/releases/download/v2.3.3/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose
chmod +x ~/.docker/cli-plugins/docker-compose

docker compose version

Docker-compose.yaml

Replace <PASSWORD>, <EMAIL> below. If running for a CI/CD setup consider using the lite version 23.4.0.0-lite

The Lite image has a smaller storage footprint than the Full image (~80% image size reduction) and a substantial improvement in image pull time. This image is useful in CI/CD scenarios and for simpler use cases where advanced database features are not required.

version: '3'
services:
  database:
    image: container-registry.oracle.com/database/free:23.4.0.0
    volumes:
      - ~/oracle/db/oradata:/opt/oracle/oradata # persistent oracle database data.
      - ~/oracle/db/startup:/opt/oracle/scripts/startup # A volume with custom scripts to be run after database startup.
      - ~/oracle/db/setup:/opt/oracle/scripts/setup #  A volume with custom scripts to be run after database setup.
    ports:
      - 1521:1521
      - 2484:2484 #SSL port
    restart: unless-stopped
    environment:
      - ORACLE_PWD=<PASSWORD> # use for Sys, System users
    networks:
      - oracle_ntw
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
  ords:
    image: container-registry.oracle.com/database/ords:24.2.2
    volumes:
      - ~/oracle/ords/ords_secrets:/opt/oracle/variables 
      - ~/oracle/ords/ords_config:/etc/ords/config/
    environment:
      - ORDS_PWD="<PASSWORD>"
      - APEX_ADMIN_EMAIL=<EMAIL>
      - APEX_ADMIN_PWD=<PASSWORD>
    ports:
      - 8181:8181
    depends_on:
      - database
    restart: unless-stopped
    networks:
      - oracle_ntw
networks:
    oracle_ntw:
        # use the bridge driver
        driver: bridge

We need the DB to start before ORDS so run docker compose up database

Wait until you see

oracle-database-1 | ######################### 
oracle-database-1 | DATABASE IS READY TO USE! 
oracle-database-1 | #########################

ORDS Setup

Create a conn_string.txt to load the credentials into ORDS. This file is deleted when the container starts, and must be replaced if wrong values are provided. Replace <PASSWORD>

Note: the default 23c SID is FREEPDB1

database is the service name from the docker-compose file

## ORDS

# mkdir ords_secrets ords_config
echo 'CONN_STRING=sys/<PASSWORD>@database:1521/FREEPDB1' > ~/oracle/ords/ords_secrets/conn_string.txt

If everything is correct then use docker compose up to start the remaining ORDS service.

Use the below login credentials for first-time login to APEX service: (Also found in the container logs)

Workspace: internal

User: ADMIN

Password: Welcome_1

Create your workspace and enjoy getting the basic's started. :)

Misc Commands

View ORDS logs:

docker exec -it oracle-ords-1 tail -f /tmp/install_container.log

View logs of the database, limit to last 1k:
docker logs oracle-database-1 -n 1000

To access the running container:

docker exec -it oracle-database-1 /bin/bash

Edit ORDS Config:

nano ords/ords_config/databases/default/pool.xml

Setup ORDS SSL:

## ORDS SSL
cd ~/oracle/ords
mkdir -p ords_config/ssl
cp cert_file.crt ords_config/ssl/cert.crt
cp key_file.key  ords_config/ssl/key.key

Update ORDS Apex images to 24.1

Since ORDS docker image has Apex bundled together you will have to point the ORDS config to look at new version 24.1 images. Otherwise you will be prompted of an error on login.

Run the standard Apex upgrade path to install the new Apex 24 schema. After installation, we have to update the images on the web server.

Download apex_latest.zip from the Oracle website, and mount the images directory in docker-compose file:

- ~/apex_latest/images/:/opt/oracle/apex_images/24/

Now edit the ORDS config to assign apex-images config variable to the path inside the container.

nano ords/ords_config/global/settings.xml

add entry:<entry key="apex-images">/opt/oracle/apex/images/24/</entry>

Restart the docker container

Most importantly, clear the browser cache. All new images and icons will be available.

References

https://blogs.oracle.com/coretec/post/oracle-database-with-docker

https://docs.oracle.com/en/database/oracle/oracle-database/21/deeck/index.html#GUID-375BBD63-755D-4477-AE2A-13384B7B1631

https://docs.oracle.com/en/operating-systems/oracle-linux/docker/docker-InstallingOracleContainerRuntimeforDocker.html#docker-install-storage-driver

https://datmt.com/backend/how-to-install-oracle-database-on-docker/

https://docs.oracle.com/en/operating-systems/oracle-linux/docker/docker-SecurityRecommendations.html#docker-security-images

In a world where "ORA-WTF??? What That Function?" resonates with too many of us, I've taken it upon myself to document and share the quirks and qualms of Oracle technology—sometimes more effectively than Oracle does. While my blog thrives on educational and informational content, it's worth noting that the views expressed here are entirely my own and do not reflect those of any entity I have been or will be associated with.

My journey in tech started when I was young, playing around with computer games. This early interest grew into real expertise across many areas of technology. I started modding games since the first game I played on PC as a kid.

On a professional front, my experiences are broad and deep. I've navigated the complexities of Oracle Database, Oracle Apex, E-Business Suite, Oracle Cloud Infrastructure, and Oracle Netsuite, along with cloud platforms like AWS, GCP, Azure, and Digital Ocean. My programming languages of choice—Java, Powershell, Python, and PL/SQL—reflect a versatile skill set honed over years of dedicated practice.

On the Cybersecurity side, I have been an early adopter of Zero Trust Architecture along with SMB experience as a cybersecurity consultant securing cloud and on-prem infrastructure. My background includes a BS in Computer Engineering Technology, and an MS in Cybersecurity and Informational Assurance.

Currently, my ambition stretches beyond the confines of technology itself; I'm passionately working towards integrating cybersecurity into SMBs, championing the belief that data is the new oil in today's digital economy. In this blog, I aim to share my knowledge and experiences and ignite a conversation about the importance of data security in the modern business landscape.

Feel free to reach out with any questions or feedback.