TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 20103
• Security Vulnerabilities• Vulnerability Management System (VMS)• IAVA Process for Helpdesk
TOPICS
Database Security
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 20104
Security Vulnerabilities
Whenever any vendor, be it Microsoft, Oracle, Veritas,
or any other product used on the TPOCS and CCE
servers, releases a vulnerability report or hotfix it is first
tested in our lab environment
Database Security
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 20105
Security Vulnerabilities
Once the IAVA-A, IAVA-B, or IAVA-T status is
announced, the fix is applied into the ATIC
production environment
Database Security
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 20106
Security Vulnerabilities
Once the fix and IAVA status are confirmed, the
information is released both in a spreadsheet report to
the Service Managers and also as an update to the
ATIC assets in the VMS system
Database Security
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 20107
QUESTIONS
Security Vulnerabilities
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 20108
Vulnerability Management System (VMS)
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 20109
Vulnerability Management System (VMS)
• The ATIC production system is listed as an MTF in
the Vulnerability Management System
• When updates or hot-fixes are approved and applied
to the ATIC production system it will be reflected in
the VMS
Database Security
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201010
Vulnerability Management System (VMS)
• IAVA notices that are Not Applicable to the TPOCS
and CCE systems are listed as such in the VMS
• This information should be visible to site
administrators with VMS access
Database Security
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201011
Vulnerability Management System (VMS)
• VMS report are accessed from the VMS
Home page. To access the VMS website:
https://vms.disa.mil• DISA provides VMS training, implementation and
operational support to VMS users.
Database Security
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201012
QUESTIONS
Vulnerability Management System (VMS)
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201013
IAVA Process for Tier3 Helpdesk
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201014
IAVA Processing
1. IAVA report initiated by DHSS
2. IAVA reviewed for relevance by CCE/TPOCS Tier3 Analyst.
3. If IAVA references a software package not loaded on CCE/TPOCS servers it is marked as N/A CCE/TPOCS does not use application.
4. If IAVA references a software package loaded on CCE/TPOCS servers, determination is made if the IAVA directly affects the CCE/TPOCS applications.
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201015
5. If the application referenced in the IAVA is loaded on CCE/TPOCS servers, but does not interact with CCE/TPOCS application (i.e., MS-Word, MS-Excel, Adobe Acrobat Reader, Windows 2000 Server) it is marked Apply Patch, Does not affect CCE/TPOCS.
IAVA Processing
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201016
6. If the application referenced in the IAVA is loaded on CCE/TPOCS servers and directly affects the CCE/TPOCS application (i.e. Oracle Database, MS-SQL Database), the IAVA is referred to the proper analyst for installation and testing to verify the patch does not “Break” CCE/TPOCS. If the patch does not “Break” CCE/TPOCS, it is marked Apply Patch, Does not affect CCE/TPOCS. If the patch does “Break” CCE/TPOCS, RITPO is informed not to apply the patch until a fix is in place for CCE/TPOCS.
IAVA Processing
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201018
Oracle 10g/11g Server Patches
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201019
Oracle 10g/11g Server Patches Installation
• Oracle releases patches every 3 months• PSI will evaluate Oracle patches released. If it
is compatible with TPOCS IAVA will instruct the local SA to apply the patch.
• The administrator/BOC on each TPOCS server site is responsible to install the patch.
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201020
• Client can be grabbed from http://www.oracle.com/technology/software/index.html
• Select “Runtime (218mb)” on installation.• Copy tnsnames.ora and SQLnet.ora files from an existing
TPOCS workstation and paste to the same folder from your workstation to connect to the Oracle server.
• Test connection using TPOCS or Oracle’s “Net Configuration Assistant”.
• If a user is not in the Administrator Group and needs to run TPOCS, the user must be grant read/write access to every node in C:\Oracle\ tree and C:\Program Files\Oracle\ tree.
Oracle 10g Client Installation
TPOCS Technical Training
UBO/UBU Conference - TPOCS - 22-25 March 201021
Oracle 10g Server Patches Installation
QUESTIONS