11g Audit Vault


Transcript of 11g Audit Vault

  • 7/17/2019 11g Audit Vault

    1/47


  • 7/17/2019 11g Audit Vault

    2/47

    S317045 Real-World Deployment and Best Practices with Oracle Audit Vault

    Tammy Bednar, Sr. Principal Product Manager, Oracle
    Mike McClure, Sr. Database Administrator, Amazon

  • 7/17/2019 11g Audit Vault

    3/47

    The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

  • 7/17/2019 11g Audit Vault

    4/47

    Program Agenda

    Why Audit?

    Oracle Audit Vault Reports

    Implementing Audit Vault at Amazon

    Best Practices Q&A

  • 7/17/2019 11g Audit Vault

    5/47

    Why Audit?

    It's all about protecting sensitive data, maintaining customer trust, and protecting the business

    Trust but verify that your employees are only performing operations required by the business

    Detective controls to monitor what is really going on

    Reduce the curiosity seekers from looking at data

    Compliance demands that privileged users be monitored

    Know what is going on before others tell you

  • 7/17/2019 11g Audit Vault

    6/47

    Oracle Audit Vault: Automated Activity Monitoring & Audit Reporting

    • Consolidate audit data into secure repository
    • Detect and alert on suspicious activities
    • Out-of-the-box compliance reporting
    • Centralized audit policy management

    [Diagram labels: CRM Data, ERP Data, Databases, HR Data; Audit Data; Policies, Built-in Reports, Alerts, Custom Reports; Auditor]

  • 7/17/2019 11g Audit Vault

    7/47

    Audit Vault Reports

  • 7/17/2019 11g Audit Vault

    8/47

  • 7/17/2019 11g Audit Vault

    9/47

  • 7/17/2019 11g Audit Vault

    10/47

    Any of the Audit Vault reports can be scheduled to run automatically and archived in the Audit Vault repository for viewing, printing, emailing, and attestation

  • 7/17/2019 11g Audit Vault

    11/47

    Oracle Audit Vault: Database Audit Support

    RDBMS | Versions | Audit Locations

    Oracle Database: Oracle Database 9iR2, Oracle Database 10g, Oracle Database 11g
    • Audit Tables for standard and fine-grained auditing
    • Oracle audit trail from OS files written in XML, text file, or SYSLOG
    • Before set specific audit event
    • Windows event audit - specific events viewed by Windows event viewer
    • C2 automatically sets all auditable events

    IBM DB2 8.2, 9.1 & 9.5 on Linux, Unix, Windows
    • Binary OS files written by the audit facility

    Sybase ASE 12.5.4 15.0.x
    • Sybsecurity database tables

  • 7/17/2019 11g Audit Vault

    12/47

    Oracle Audit Vault: Features by Release

    Feature 10 103 103

    • Oracle Database Support
    • SQL Server, IBM DB2 LUW, Sybase ASE
    • Out-of-the-Box Reports
    • Open Schema
    • Alerts
    • Policy Manager for Oracle
    • Audit Trail Clean-Up
    • Compliance reports (PCI, HIPAA, …)
    • Entitlement reports (users, privileges)
    • Reports (PDF, Customization)
    • Reports (Scheduling, Attestation, Notification)
    • Alerts: Email and Remedy Integration
    • ArcSight & Q1 Labs Integration

  • 7/17/2019 11g Audit Vault

    13/47

    Audit Vault at Amazon

  • 7/17/2019 11g Audit Vault

    14/47

    Michael McClure
    Database Administrator
    Global Financial Systems
    Amazon.com

  • 7/17/2019 11g Audit Vault

    15/47

    Oracle Audit Vault

    Catching the Big Bad Wolf

  • 7/17/2019 11g Audit Vault

    16/47

    To Be, or Not To Be?

    That is the Question.

  • 7/17/2019 11g Audit Vault

    17/47

    Why Audit Vault?

    Reduce Cost

  • 7/17/2019 11g Audit Vault

    18/47

    Auditing Challenges

    We have lots of different RDBMS systems - They all audit differently

    Policies - who do you trust?

  • 7/17/2019 11g Audit Vault

    19/47

    Oracle Audit Vault Architecture

  • 7/17/2019 11g Audit Vault

    20/47

    Concerns

    1. Performance / Impact
    2. Resource utilization
    3. Scalability
    4. Fault Tolerance / BCP / DR

  • 7/17/2019 11g Audit Vault

    21/47

    Generation

    1. audit_trail=db*
    2. audit_trail=xml*
    3. redo

    Collection

    1. DBAUD Collector
    2. OSAUD Collector
    3. REDO Collector

  • 7/17/2019 11g Audit Vault

    22/47

    Which did we choose?

    We liked the OSAUD collector from the XML audit trail

  • 7/17/2019 11g Audit Vault

    23/47

    A Closer Look at XML Audit Trail Generation and Collection

  • 7/17/2019 11g Audit Vault

    24/47

    Audit Vault Low Impact Fault Tolerant Architecture

  • 7/17/2019 11g Audit Vault

    25/47

    AV Server & Dataguard w/ FSFO

    1) Using the OUI, install the AV Server application on two different machines using the same SID.
    2) Choose one machine to be your primary machine and validate that AV works by logging into the web app.
    3) Turn off Database Vault
    4) Force Logging in your primary database
    5) Modify init.ora parms and listener.ora for Dataguard and AV compatibility
    6) Other cleanup of standardized AV install
    7) Delete the database on your chosen standby server
    8) Instantiate a DG standby on your standby server
    9) Create and enable FSFO configuration

  • 7/17/2019 11g Audit Vault

    26/47

    Disabling Database Vault

    1. Shutdown the database

    2. Recompile the oracle executable with Database Vault off:

       cd $ORACLE_HOME/rdbms/lib
       make -f ins_rdbms.mk dv_off
       cd $ORACLE_HOME/bin
       relink oracle

    3. Startup the database

    4. Grant the following:

       grant create user, alter user to avsys;

  • 7/17/2019 11g Audit Vault

    27/47

    Force logging for Dataguard

    1. Force logging at the database level:

       SQL> alter database force logging;

    2. Force logging for each tablespace:

       SQL> select 'alter tablespace '||tablespace_name || ' force logging;' from dba_tablespaces where contents = 'PERMANENT';

       Cut/paste output into your sqlplus window

  • 7/17/2019 11g Audit Vault

    28/47

    Init.ora and listener.ora parms for DG/AV compatibility

    Init.ora

    dispatchers='(DISPATCHERS=)(PROTOCOL=TCP)(SERVICE=<ORACLE_SID>XDB)(LISTENER=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))))'

    Listener.ora

    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
          (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521))
        )
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 5707))(Presentation=HTTP)(Session=RAW)
        )
      )

    SID_LIST_LISTENER =
      (SID_LIST =
        (SID_DESC = (SID_NAME = PLSExtProc)(ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)(PROGRAM = extproc))
        (SID_DESC =
          (SID_NAME = )(ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)(global_dbname = , )
        )
      )

  • 7/17/2019 11g Audit Vault

    29/47

    General database cleanup

    1. Move datafiles, controlfile, online redo to better locations
    2. Multiplex online redo and controlfiles across controllers
    3. Increase the number of redolog groups
    4. Appropriately size your SGA for your server
    5. Setup log_archive_dest_1 to use something other than the AV install default
    6. Setup log_archive_dest_2 to point to your standby database server
    7. Setup log_archive_config, db_unique_name, fal_* entries and local_listener to use your database listeners in preparation for implementing Dataguard.
    8. Move the flashback directory from the default of $ORACLE_BASE
    9. Decide whether or not you want autoextensible data files
    10. Set whatever other init.ora parameters you like at your organization
    11. Install backups / crontab / scripts / monitors to your company standard

  • 7/17/2019 11g Audit Vault

    30/47

    Setting up the DG Standby and FSFO

    1. Validate that Audit Vault works on the standby AV Server by logging into the application and looking around
    2. Shutdown the Audit Vault server application
    3. Delete the database from the standby machine
    4. Bring over the init.ora and listener.ora modifications in Slide #15 to the standby, but change the machine name to that of the standby server.
    5. Bring over the password file from the primary.
    6. Restore a backup of your AV primary to your standby server and create a standby controlfile for it.
    7. startup managed recovery
    8. Implement FSFO
    9. Validate that FSFO is working and the AV Web Application is working
    10. Turn Database Vault back on
    11. Troubleshoot in-house scripts that break as a result of Database Vault being turned back on

  • 7/17/2019 11g Audit Vault

    31/47

    Other Dataguard FSFO Considerations

    1. If you use an XML audit trail, you may want to move your audit directories to faster file systems
    2. If you use a DB audit trail, you'll want to move your aud$ and fga_log$ tables to a non-system tablespace.
    3. If you customize your sqlnet.ora NAMES.DEFAULT_DOMAIN, you're going to have to manually modify every entry in the Audit Vault tnsnames.ora to include the value. You'll also have to modify the tns configuration on the collector machines (whether they be source db servers or collector machines) similar to slide #12.

  • 7/17/2019 11g Audit Vault

    32/47

    Definitions and Context

    Source - The database you are getting your audit data from. Regardless of how many nodes there are in your dataguard config, there is only 1 source.

    Agent - Tied to a single server, an Agent connects to the Audit Vault Server to insert the audit trail data into the database. It manages the collectors.

    Collector - The RDBMS specific process that knows how to get audit data from the source database. There are collectors that talk to Oracle, MS Sql, DB2, and Sybase. Multiple collectors can use the same agent to deposit all audit data into the same Audit Vault repository.

    A collector is tied to a source - it collects from that source. In an Audit Vault, the combination of Source and Collector is unique.

  • 7/17/2019 11g Audit Vault

    33/47

    Setting up remote XML collection

    1. Get local collection working on the source database server following the Audit Vault documentation.
    2. Using avca on the AV Server, add a new agent mapped to the primary collector server(s).
    3. Run the OUI to install the Audit Vault Agent software on each primary remote collector, providing the new agent created in Step #2 to the installation dialog.
    4. Using avorcldb on the AV Server, add a new source using the flip-tolerant host name.
    5. Using avorcldb on the AV Server, add new collectors for the source created in #4 tied to the agents created in #3.
    6. Using avorcldb on the remote collector server, run setup to create the wallet and tnsnames entries for passwordless connection from the primary remote collector to the source db.
    7. Modify the source db tnsnames.ora entry created in #7 to change the source db entry from the flip-tolerant host name to the node specific host name.
    8. If audit_trail=xml*, create identical audit trail directories on the remote collector.
    9. If doing XML generation, sync the audit trail directories created in Step #6 between the source db server and the remote collector, and create job to sync them regularly.
    10. Stop the collectors created in Step #1, and startup the newly modified collector and validate that it is collecting the sync'd files.

  • 7/17/2019 11g Audit Vault

    34/47

    New Agent Mapping

  • 7/17/2019 11g Audit Vault

    35/47

    Source Collector Map

  • 7/17/2019 11g Audit Vault

    36/47

    Conclusion

    In a world of compliance auditing, life can be easy or it can be hard

    Audit data is just as important as production data and should be treated as such

    In some ways, the stakes are higher: If we mess up, market cap plummets, companies fail and people go to jail.

    How Big a Gambler are YOU?

    Oracle Audit Vault with Dataguard

  • 7/17/2019 11g Audit Vault

    37/47

    Best Practices

  • 7/17/2019 11g Audit Vault

    38/47

    What Do You Need To Audit?

    Database Audit Requirements: SOX, PCI DSS, HIPAA, HITECH, Basel II, FISMA, GLBA

    Accounts, Roles & GRANT changes: ✓ ✓ ✓ ✓ ✓ ✓
    Failed Logins and other Exceptions: ✓ ✓ ✓ ✓ ✓ ✓
    Privileged User Activity: ✓ ✓ ✓ ✓ ✓ ✓
    Access to Sensitive Data (SELECTs): ✓ ✓ ✓ ✓ ✓
    Data Changes (INSERT, UPDATE, …): ✓ ✓
    Schema Changes (DROP, ALTER): ✓ ✓ ✓ ✓ ✓ ✓

  • 7/17/2019 11g Audit Vault

    39/47

    Native Auditing Performance Guidelines

    • Original workload CPU 50% for 50 audit records/sec

    Audit Trail Setting | Additional Throughput Time | Additional CPU Usage
    OS | 1.39 | 1.75
    XML | 1.70 | 3.51
    XML, Extended | 3.70 | 5.36
    DB | 4.57 | 8.77
    DB, Extended | [email protected] | 15.79

    *Internal testing: Source: 4x 3.40 GHz Intel Xeons, 4 GB RAM, x86_64 Linux, Oracle Database 11.2.0.1

    Oracle Confidential

  • 7/17/2019 11g Audit Vault

    40/47

    Use Automatic Audit Trail Clean-Up

    Automatically deletes audit trails from target after they are securely inserted into Audit Vault

    Reduces DBA manageability challenges with audit trails

    [Diagram: Database]
    1) Transfer audit trail data
    2) Update last inserted record
    3) Delete older audit records

  • 7/17/2019 11g Audit Vault

    41/47

    Oracle Database Security: Defense-in-Depth

    Access Control
    • Oracle Database Vault
    • Oracle Label Security

    Encryption and Masking
    • Oracle Advanced Security
    • Oracle Secure Backup
    • Oracle Data Masking

    Auditing and Tracking
    • Oracle Audit Vault
    • Oracle Configuration Management
    • Oracle Total Recall

    Blocking and Monitoring
    • Oracle Database Firewall

  • 7/17/2019 11g Audit Vault

    42/47

    More Oracle Database Security Presentations

    Monday:
    1:30 p.m. Making a Business Case for Information Security, MS 300
    3:30 p.m. Oracle Database 11g Release 2 Security: Defense-in-Depth, MS 103

    Tuesday:
    1:30 p.m. Real-World Deployment and Best Practices: Oracle Audit Vault, MS 306
    :00 p.m. Real-World Deployment and Best Practices: Oracle Advanced Security, MS 300
    :00 p.m. Best Practices for Ensuring the Highest Enterprise Database Security, MS 304
    3:30 p.m. Database Security Event Management: Oracle Audit Vault and ArcSight, MS 300
    5:00 p.m. Real-World Deployment and Best Practices: Oracle Database Vault, MS 303

    Wednesday:
    10:00 a.m. Protect Data and Save Money: Aberdeen, MS 306
    11:30 a.m. Preventing Database Attacks With Oracle Database Firewall, MS 306
    4:45 p.m. Centralized Key Management and Performance: Oracle Advanced Security, MS 306

    Thursday:
    10:30 a.m. Deploying Oracle Database 11g Securely on Oracle Solaris, MS 104

    MS = Moscone South

  • 7/17/2019 11g Audit Vault

    43/47

    Oracle Database Security Hands-on-Labs

    Monday:
    Database Vault 11:00AM | Marriott Marquis, Salon 10 11 Check Availability
    Database Vault 5:00PM | Marriott Marquis, Salon 10 11 Check Availability

    Tuesday:
    Database Security 11:00AM | Marriott Marquis, Salon 10 11 Check Availability

    Thursday:
    Advanced Security 1:00PM | Marriott Marquis, Salon 10 11 Check Availability
    Audit Vault 1:30PM | Marriott Marquis, Salon 10 11 Check Availability

  • 7/17/2019 11g Audit Vault

    44/47

    Oracle Database Security Demo Grounds, Moscone West

    • Oracle Database Firewall
    • Oracle Database Vault
    • Oracle Label Security
    • Oracle Audit Vault
    • Oracle Advanced Security
    • Oracle Database 11g Release 2 Security

    Exhibition Hours
    Monday, September 20: 9:45 a.m. - 5:30 p.m.
    Tuesday, September 21: 9:45 a.m. - 5:30 p.m.
    Wednesday, September 22: 9:00 a.m. - 4:00 p.m.

  • 7/17/2019 11g Audit Vault

    45/47

    Oracle OpenWorld Latin America 2010

    December 7-9, 2010

  • 7/17/2019 11g Audit Vault

    46/47

    Oracle OpenWorld Beijing 2010

    December 13-16, 2010

  • 7/17/2019 11g Audit Vault

    47/47

    Oracle Products Available Online

    Oracle Store

    Buy Oracle license and support online today at oracle.com/store