
S317045 Real-World Deployment and Best Practices with Oracle Audit Vault
Tammy Bednar, Sr. Principal Product Manager, Oracle; Mike McClure, Sr. Database Administrator, Amazon

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Program Agenda
• Why Audit?
• Oracle Audit Vault Reports
• Implementing Audit Vault at Amazon
• Best Practices
• Q&A


Why Audit?
• It's all about protecting sensitive data, maintaining customer trust, and protecting the business
• Trust-but-verify that your employees are only performing operations required by the business
  – Detective controls to monitor what is really going on
  – Reduce the curiosity seekers from looking at data
  – Compliance demands that privileged users be monitored
• Know what is going on before others tell you

Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting
(Figure: source databases holding HR, CRM and ERP data send audit data to the Audit Vault repository, which produces alerts, built-in reports, custom reports and policies for the auditor.)
• Consolidate audit data into secure repository
• Detect and alert on suspicious activities
• Out-of-the box compliance reporting
• Centralized audit policy management

Audit Vault Reports


Any of the Audit Vault reports can be scheduled to run automatically and archived in the Audit Vault repository for viewing, printing, emailing, and attestation.

Oracle Audit Vault Database Audit Support

RDBMS: Oracle Database
Versions: Oracle Database 9iR2, Oracle Database 10g, Oracle Database 11g
Audit locations:
• Audit tables for standard and fine-grained auditing
• Oracle audit trail from OS files written in XML, text file, or SYSLOG
• Before/after values and DDL changes from redo log
• Database Vault specific audit records

RDBMS: Microsoft SQL Server
Versions: 2000, 2005, 2008
Audit locations:
• Server side trace – set specific audit event
• Windows event audit – specific events viewed by Windows event viewer
• C2 – automatically sets all auditable events

RDBMS: IBM DB2
Versions: 8.x and 9.x on Linux, Unix, Windows
Audit locations:
• Binary OS files written by the audit facility

RDBMS: Sybase ASE
Versions: 12.x and 15.x
Audit locations:
• Sybsecurity database tables

Oracle Audit Vault Features by Release (releases shown: 10.2.2, 10.2.3, 10.2.3.2)
• Oracle Database Support
• SQL Server, IBM DB2 LUW, Sybase ASE
• Out-of-the-Box Reports
• Open Schema
• Alerts
• Policy Manager for Oracle
• Audit Trail Clean-Up
• Compliance reports (PCI, HIPAA, …)
• Entitlement reports (users, privileges, …)
• Reports (PDF, Attestation, Customization)
• Reports (Scheduling, Notification)
• Alerts Email and Remedy Integration
• ArcSight & Q1 Labs Integration

Audit Vault at Amazon

Michael McClure, Database Administrator, Global Financial Systems, Amazon.com

Oracle Audit Vault: Catching the Big Bad Wolf

To Be, or Not To Be…? That is the Question….

Why Audit Vault?
• Reduce cost / increase efficiency related to S-Ox, HIPAA, PCI/DSS+ and other compliance reporting
• Cross database compatibility
• Separation of Duties
• More efficient audit policy management
• Catch the Big Bad Wolf

Auditing Challenges
• We have lots of different RDBMS systems. They all audit differently
• Policies/mechanisms for auditing are different across the organization
• "Dealing with" our audit data
• Watching the watchers – who do you trust?

Oracle Audit Vault Architecture

Concerns
1. Performance / Impact
2. Resource utilization
3. Scalability
4. Fault Tolerance / BCP / DR

Generation
1. audit_trail = db*
2. audit_trail = xml*
3. redo

Collection
1. DBAUD Collector
2. OSAUD Collector
3. REDO Collector

Which did we choose? We liked the OSAUD collector from the XML audit trail.

A Closer Look at XML Audit Trail Generation and Collection

Audit Vault Low Impact / Fault Tolerant Architecture

AV Server & Dataguard w/FSFO
1) Using the OUI, install the AV Server application on two different machines using the same SID.
2) Choose one machine to be your primary machine and validate that AV works by logging into the web app.
3) Turn off Database Vault
4) Force Logging in your primary database
5) Modify init.ora parms and listener.ora for Dataguard and AV compatibility
6) Other cleanup of standardized AV install
7) Delete the database on your chosen standby server
8) Instantiate a DG standby on your standby server
9) Create and enable FSFO configuration

Disabling Database Vault
1. Shutdown the database
2. Recompile the oracle executable with Database Vault off:
     cd $ORACLE_HOME/rdbms/lib
     make -f ins_rdbms.mk dv_off
     cd $ORACLE_HOME/bin
     relink oracle
3. Startup the database
4. Grant the following: grant create user, alter user to avsys;
Note that this leaves the Audit Vault repository without Database Vault's separation-of-duty controls for the duration of the standby build; it is turned back on once FSFO has been validated (see the standby setup steps).

Force logging for Dataguard
1. Force logging at the database level:
     SQL> alter database force logging;
2. Force logging for each tablespace:
     SQL> select 'alter tablespace '|| tablespace_name || ' force logging;' from dba_tablespaces where contents = 'PERMANENT';
   Cut/paste output into your sqlplus window.
Database-level FORCE LOGGING already overrides tablespace- and object-level NOLOGGING, so step 2 is belt-and-braces: it keeps the tablespaces logging even if someone later clears the database-level setting.

Init.ora and listener.ora parms for DG/AV compatibility

Init.ora
1. dispatchers='(DISPATCHERS=2)(PROTOCOL=TCP)(SERVICE=${ORACLE_SID}XDB)(LISTENER=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<YOUR HOST NAME>)(PORT=1521))))'

Listener.ora
1. SID_LIST_LISTENER =
     (SID_LIST =
       (SID_DESC =
         (SID_NAME = PLSExtProc)
         (ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
         (PROGRAM = extproc)
       )
       (SID_DESC =
         (SID_NAME = <YOUR DBNAME>)
         (ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
         (global_dbname = <sid>.<domain>)
       )
     )
2. LISTENER =
     (DESCRIPTION_LIST =
       (DESCRIPTION =
         (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
         (ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>)(PORT = 1521))
       )
       (DESCRIPTION =
         (ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>)(PORT = 5707))
         (Presentation=HTTP)(Session=RAW)
       )
     )

General database cleanup
1. Move datafiles, controlfile, online redo to better locations
2. Multiplex online redo and controlfiles across controllers
3. Increase the number of redolog groups
4. Appropriately size your SGA for your server
5. Setup log_archive_dest_1 to use something other than the AV install default
6. Setup log_archive_dest_2 to point to your standby database server
7. Setup log_archive_config, db_unique_name, fal_* entries and local_listener to use your database listeners in preparation for implementing Dataguard
8. Move the flashback directory from the default of $ORACLE_BASE/flash_recovery_area to a better location and clean up the archivelogs backed up via rman to the old flash_recovery_area directory
9. Decide whether or not you want auto-extensible data files
10. Set whatever other init.ora parameters you like at your organization
11. Install backups / crontab / scripts / monitors to your company standard

Setting up the DG Standby and FSFO
1. Validate that Audit Vault works on the standby AV Server by logging into the application and "looking around"
2. Shutdown the Audit Vault server application
3. Delete the database from the standby machine
4. Bring over the init.ora and listener.ora modifications in Slide #15 to the standby, but change the machine name to that of the standby server
5. Bring over the password file from the primary
6. Restore a backup of your AV primary to your standby server and create a standby controlfile for it
7. Startup managed recovery
8. Implement FSFO
9. Validate that FSFO is working and the AV Web Application is working
10. Turn Database Vault back on
11. Troubleshoot in-house scripts that break as a result of Database Vault being turned back on

Other Dataguard / FSFO Considerations
1. If you use an XML audit trail, you may want to move your audit directories to faster file systems
2. If you use a DB audit trail, you'll want to move your aud$ and fga_log$ tables to a non-system tablespace
3. If you customize your sqlnet.ora NAMES.DEFAULT_DOMAIN, you're going to have to manually modify every entry in the Audit Vault tnsnames.ora to include the value. You'll also have to modify the tns configuration on the collector machines (whether they be source db servers or collector machines similar to slide #12).
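The two tnsnames.ora edits the deck says must be done by hand (appending NAMES.DEFAULT_DOMAIN to every alias, and swapping a flip-tolerant host name for a node-specific one, which is also what step 8 of the remote XML collection procedure calls for) are easy to get wrong across many entries. The following script is an added example and is not from the presentation or from Oracle; the sample tnsnames.ora it builds is constructed for illustration, and the alias, host and domain names (AVDB, SRCDB, avsrv-vip, srcdb-flip.example.com, example.com) are assumptions. Both functions write the rewritten file to stdout so you can diff before replacing the original.

```shell
#!/bin/sh
# Added example (not from the presentation): sed-based rewrites for the
# tnsnames.ora changes the deck describes as manual work.
set -eu

# Constructed sample tnsnames.ora (names are assumptions, not a real site's file).
make_sample_tnsnames() {
    cat > "$1" <<'EOF'
AVDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = avsrv-vip)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = avdb))
  )
SRCDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = srcdb-flip.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = srcdb))
  )
EOF
}

# 1) NAMES.DEFAULT_DOMAIN: with the domain set in sqlnet.ora, a connect string
#    "AVDB" is resolved as "AVDB.<domain>", so every unqualified alias (a line
#    starting in column 1 with NAME =) must become NAME.<domain> =. Aliases that
#    already contain a dot do not match, and indented lines such as
#    "(DESCRIPTION =" never match, so the function is safe to re-run.
add_default_domain() {
    domain=$1; file=$2
    sed -E "s/^([A-Za-z0-9_]+)([[:space:]]*=)/\1.${domain}\2/" "$file"
}

# 2) Node-specific host: rewrite (HOST = <old>) to (HOST = <new>) so a collector
#    on a Data Guard node reads from that node rather than the flip-tolerant
#    name. Dots in the old host name are escaped so they match literally.
set_tns_host() {
    old=$1; new=$2; file=$3
    old_re=$(printf '%s' "$old" | sed 's/[.]/\\./g')
    sed -E "s/\(HOST[[:space:]]*=[[:space:]]*${old_re}[[:space:]]*\)/(HOST = ${new})/g" "$file"
}

# Demo: ./tns_rewrite.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample_tnsnames "$f"
    add_default_domain example.com "$f"
    set_tns_host srcdb-flip.example.com srcdb-node1.example.com "$f"
    rm -f "$f"
fi
```

Run each function against a copy, inspect the diff, then install the result on the AV Server and on every collector host; with `tnsping` you can confirm that the qualified alias resolves before restarting collectors.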

Definitions and Context
• Source – The database you are getting your audit data from. Regardless of how many nodes there are in your dataguard config, there is only 1 source.
• Collector – The RDBMS specific process that knows how to get audit data from the source database. There are collectors that talk to Oracle, MS SQL, DB2, and Sybase.
• Agent – Tied to a single server. It "manages" the collectors. Multiple collectors can use the same agent to deposit all audit data into the same Audit Vault repository. In an Audit Vault, an Agent connects to the Audit Vault Server to insert the audit trail data into the database.
• A collector is tied to a source; it "collects" from that source. The combination of Source and Collector is unique.

Setting up remote XML collection
1. Get local collection working on the source database server following the Audit Vault documentation.
2. Using avca on the AV Server, add a new agent mapped to the primary collector server(s).
3. Run the OUI to install the Audit Vault Agent software on each primary remote collector, providing the new agent created in Step #2 to the installation dialog.
4. Using avorcldb on the AV Server, add a new source using the "flip-tolerant" host name.
5. Using avorcldb on the AV Server, add new collectors for the source created in #4 tied to the agents created in #3.
6. If doing XML generation, create identical audit trail directories on the remote collector.
7. Using avorcldb on the remote collector server, run setup to create the wallet and tnsnames entries for passwordless connection from the primary remote collector to the source db.
8. Modify the source db tnsnames.ora entry created in #7 to change the source db entry from the "flip-tolerant" host name to the node specific host name.
9. If audit_trail = xml*, sync the audit trail directories created in Step #6 between the source db server and the remote collector, and create a job to sync them regularly.
10. Stop the collectors created in Step #1, and startup the newly modified collector and validate that it is collecting the sync'd files.
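Step 9 is the piece that has to run unattended, and the detail that matters is which files to ship: Oracle keeps appending to the current XML audit file until it rolls over, so a naive copy hands the OSAUD collector a half-written document. The script below is an added example, not from the presentation or from Oracle; it mirrors only files that have been idle for a couple of minutes, and the directory paths, collector host name, cron schedule and idle threshold are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the presentation): the "sync job" of step 9 for an
# audit_trail=XML source. Ships closed XML audit files from the database's
# audit_file_dest to the identical directory on the remote collector host and
# skips the file Oracle is still writing.
set -eu

# Files directly under $1 (no subdirectories) that have not been modified for
# at least $2 minutes. The still-active ora_*.xml file keeps changing, so it
# does not qualify until the database rolls over to a new file.
quiescent_audit_files() {
    dir=$1; idle_min=$2
    find "$dir" -maxdepth 1 -type f -name '*.xml' -mmin +"$idle_min" | sort
}

# Mirror the quiescent files into $2, which may be a local path or
# user@host:/path for rsync over ssh. Nothing is deleted on the collector side:
# removal is left to Audit Vault's audit trail clean-up once records are
# safely inserted, so a missed sync run never loses audit data.
sync_audit_trail() {
    src_dir=$1; dest=$2; idle_min=${3:-2}
    list=$(mktemp)
    quiescent_audit_files "$src_dir" "$idle_min" | sed "s#^$src_dir/##" > "$list"
    # --files-from restricts rsync to the listed names (relative to src_dir);
    # -a preserves mtimes so the collector sees the same ordering as the source.
    rsync -a --files-from="$list" "$src_dir/" "$dest/"
    rm -f "$list"
}

# Cron entry on the source database server (paths and host are assumptions):
#   */5 * * * * /u01/app/oracle/bin/sync_audit_trail.sh \
#       /u01/app/oracle/admin/avsrc/adump \
#       collector1:/u01/app/oracle/admin/avsrc/adump
if [ "$#" -ge 2 ]; then
    sync_audit_trail "$@"
fi
```

Because the same job runs on every Data Guard node against its own audit_file_dest, the collector host ends up with one directory per node, which is why step 8 points each collector at the node-specific host rather than the flip-tolerant name.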

New Agent Mapping (screenshot)

Source Collector Map (screenshot)

Conclusion
• In a world of compliance auditing, life can be easy or it can be hard
• Audit data is just as important as production data and should be treated as such
• In some ways, the stakes are higher: if we mess up, market cap plummets, companies fail and people go to jail
• How Big a Gambler are YOU?
• Oracle Audit Vault with Dataguard/FSFO and remote collection is a high performance, low impact, highly available solution that makes compliance reporting easy

Best Practices

What Do You Need To Audit?
Database audit requirements (the slide maps each against SOX, PCI DSS, HIPAA/HITECH, Basel II, FISMA and GLBA):
• Accounts, Roles & GRANT changes
• Failed Logins and other Exceptions
• Privileged User Activity
• Access to Sensitive Data (SELECTs…)
• Data Changes (INSERT, UPDATE, …)
• Schema Changes (DROP, ALTER…)

Native Auditing Performance Guidelines
• Original workload: CPU 50% for 250 audit records/sec
• Audit trail settings measured: OS, XML, XML Extended, DB, DB Extended
• Measured overhead (additional throughput time and additional CPU usage) ranged from roughly 1.4% to 15.7% across these settings, with the OS and XML trails at the low end
*Internal testing. Source: 4x 3.40 GHz Intel Xeons, 4 GB RAM, x86_64 Linux, Oracle Database 11.2.0.1

Use Automatic Audit Trail Clean-Up
• Automatically deletes audit trails from target after they are securely inserted into Audit Vault
• Reduces DBA manageability challenges with audit trails
(Figure: 1) transfer audit trail data from the source database to Audit Vault; 2) update the last inserted record; 3) delete older audit records on the source.)

Oracle Database Security Defense-in-Depth
Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Access Control
• Oracle Database Vault
• Oracle Label Security
Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Blocking and Monitoring
• Oracle Database Firewall

More Oracle Database Security Presentations (MS = Moscone South)
• Monday:
  – 12:30 pm: Making a Business Case for Information Security (MS 300)
  – 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth (MS 103)
• Tuesday:
  – 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault (MS 306)
  – 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security (MS 300)
  – 2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security (MS 304)
  – 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight (MS 300)
  – 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault (MS 303)
• Wednesday:
  – 10:00 am: Protect Data and Save Money: Aberdeen (MS 306)
  – 11:30 am: Preventing Database Attacks With Oracle Database Firewall (MS 306)
  – 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security (MS 306)
• Thursday:
  – 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris (MS 104)

Oracle Database Security Hands-on-Labs
• Monday:
  – Database Vault 11:00AM | Marriott Marquis, Salon 10 / 11
  – Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11
• Tuesday:
  – Database Security 11:00AM | Marriott Marquis, Salon 10 / 11
  – Database Vault 5:00PM | Marriott Marquis, Salon 10 / 11
• Thursday:
  – Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11

Oracle Database Security Demo Grounds, Moscone West
• Oracle Database Firewall
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Advanced Security
• Oracle Database 11g Release 2 Security
Exhibition Hours
Monday, September 20: 9:45 a.m. – 5:30 p.m.
Tuesday, September 21: 9:45 a.m. – 5:30 p.m.
Wednesday, September 22: 9:00 a.m. – 4:00 p.m.

Oracle OpenWorld Latin America 2010: December 7–9, 2010

Oracle OpenWorld Beijing 2010: December 13–16, 2010

Oracle Products Available Online: Oracle Store. Buy Oracle license and support online today at oracle.com/store
