Page 1: Oracle11g Audit Vault


Page 2: Oracle11g Audit Vault


S317045: Real-World Deployment and Best Practices with Oracle Audit Vault

Tammy Bednar, Sr. Principal Product Manager, Oracle
Mike McClure, Sr. Database Administrator, Amazon

Page 3: Oracle11g Audit Vault


The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Page 4: Oracle11g Audit Vault



Program Agenda

• Why Audit?
• Oracle Audit Vault Reports
• Implementing Audit Vault at Amazon
• Best Practices
• Q&A

Page 5: Oracle11g Audit Vault


Why Audit?

• It's all about protecting sensitive data, maintaining customer trust, and protecting the business
• Trust-but-verify that your employees are only performing operations required by the business
  – Detective controls to monitor what is really going on
  – Reduce the curiosity seekers from looking at data
  – Compliance demands that privileged users be monitored
• Know what is going on before others tell you

Page 6: Oracle11g Audit Vault


Oracle Audit Vault
Automated Activity Monitoring & Audit Reporting

• Consolidate audit data into secure repository

• Detect and alert on suspicious activities

• Out-of-the box compliance reporting

• Centralized audit policy management

[Diagram: databases holding CRM, ERP and HR data send their audit data to the Audit Vault repository; the repository drives Policies, Built-in Reports, Alerts and Custom Reports, which are consumed by the Auditor.]

Page 7: Oracle11g Audit Vault


Audit Vault Reports

Page 8: Oracle11g Audit Vault


Page 9: Oracle11g Audit Vault


Page 10: Oracle11g Audit Vault


Any of the Audit Vault reports can be scheduled to run automatically and archived in the Audit Vault repository for viewing, printing, emailing, and attestation.


Page 11: Oracle11g Audit Vault


Oracle Audit Vault
Database Audit Support

RDBMS: Oracle Database
Versions: Oracle Database 9iR2, Oracle Database 10g, Oracle Database 11g
Audit Locations:
  • Audit tables for standard and fine-grained auditing
  • Oracle audit trail from OS files written in XML, text file, or SYSLOG
  • Before/after values and DDL changes from redo log
  • Database Vault specific audit records

RDBMS: Microsoft SQL Server
Versions: 2000, 2005, 2008
Audit Locations:
  • Server side trace – set specific audit events
  • Windows event audit – specific events viewed by Windows Event Viewer
  • C2 – automatically sets all auditable events

RDBMS: IBM DB2
Versions: 8.2, 9.1 & 9.5 on Linux, Unix, Windows
Audit Locations:
  • Binary OS files written by the audit facility

RDBMS: Sybase ASE
Versions: 12.5.4 – 15.0.x
Audit Locations:
  • Sybsecurity database tables

Page 12: Oracle11g Audit Vault


Oracle Audit Vault
Features by Release

Feature 10.2.2 10.2.3 10.2.3.2

Oracle Database Support

SQL Server, IBM DB2 LUW, Sybase ASE

Out-of-the-Box Reports

Open Schema

Alerts

Policy Manager for Oracle

Audit Trail Clean-Up

Compliance reports (PCI, HIPAA, …..)

Entitlement reports (users, privileges…..)

Reports (PDF, Customization)

Reports (Scheduling, Attestation, Notification)

Alerts Email and Remedy Integration

ArcSight & Q1 Labs Integration

Page 13: Oracle11g Audit Vault


Audit Vault at Amazon

Page 14: Oracle11g Audit Vault


Michael McClure
Database Administrator

Global Financial Systems

Amazon.com

Page 15: Oracle11g Audit Vault


Oracle Audit Vault

Catching the Big Bad Wolf

Page 16: Oracle11g Audit Vault


To Be, or Not To Be…?

That is the Question….

Page 17: Oracle11g Audit Vault


Why Audit Vault?

• Reduce cost / increase efficiency related to S-Ox, HIPAA, PCI/DSS+ and other compliance reporting
• Cross-database compatibility
• Separation of duties
• More efficient audit policy management
• Catch the Big Bad Wolf

Page 18: Oracle11g Audit Vault


Auditing Challenges

• We have lots of different RDBMS systems; they all audit differently
• Policies/mechanisms for auditing are different across the organization
• “Dealing with” our audit data
• Watching the watchers – who do you trust?

Page 19: Oracle11g Audit Vault


Oracle Audit Vault Architecture

Page 20: Oracle11g Audit Vault


Concerns

1. Performance / Impact

2. Resource utilization

3. Scalability

4. Fault Tolerance / BCP / DR

Page 21: Oracle11g Audit Vault


Generation

1. audit_trail = db*

2. audit_trail = xml*

3. redo

Collection

1. DBAUD Collector

2. OSAUD Collector

3. REDO Collector

Page 22: Oracle11g Audit Vault


Which did we choose?

We liked the OSAUD collector from the XML audit trail

Page 23: Oracle11g Audit Vault


A Closer look at XML Audit Trail Generation and Collection

Page 24: Oracle11g Audit Vault


Audit Vault Low Impact / Fault Tolerant Architecture

Page 25: Oracle11g Audit Vault


AV Server & Dataguard w/FSFO

1) Using the OUI, install the AV Server application on two different machines using the same SID.

2) Choose one machine to be your primary machine and validate that AV works by logging into the web app.

3) Turn off Database Vault

4) Force Logging in your primary database

5) Modify init.ora parms and listener.ora for Dataguard and AV compatibility

6) Other cleanup of standardized AV install

7) Delete the database on your chosen standby server

8) Instantiate a DG standby on your standby server

9) Create and enable FSFO configuration

Page 26: Oracle11g Audit Vault


Disabling Database Vault

1. Shutdown the database

2. Recompile the oracle executable with Database Vault off:
   cd $ORACLE_HOME/rdbms/lib
   make -f ins_rdbms.mk dv_off
   cd $ORACLE_HOME/bin
   relink oracle

3. Startup the database

4. Grant the following:
   grant create user, alter user to avsys;

Page 27: Oracle11g Audit Vault


Force logging for Dataguard

1. Force logging at the database level:
   SQL> alter database force logging;

2. Force logging for each tablespace:
   SQL> select 'alter tablespace ' || tablespace_name || ' force logging;' from dba_tablespaces where contents = 'PERMANENT';

   Cut/paste the output into your SQL*Plus window.

Page 28: Oracle11g Audit Vault


Init.ora and listener.ora parms for DG/AV compatibility

Init.ora

1. dispatchers='(DISPATCHERS=2)(PROTOCOL=TCP)(SERVICE=${ORACLE_SID}XDB)(LISTENER=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<YOUR HOST NAME>)(PORT=1521))))'

Listener.ora

1. LISTENER =
     (DESCRIPTION_LIST =
       (DESCRIPTION =
         (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
         (ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>)(PORT = 1521))
       )
       (DESCRIPTION =
         (ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>)(PORT = 5707))
         (Presentation=HTTP)(Session=RAW)
       )
     )

2. SID_LIST_LISTENER =
     (SID_LIST =
       (SID_DESC =
         (SID_NAME = PLSExtProc)
         (ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
         (PROGRAM = extproc)
       )
       (SID_DESC =
         (SID_NAME = <YOUR DBNAME>)
         (ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
         (global_dbname = <sid>.<domain>)
       )
     )

Page 29: Oracle11g Audit Vault


General database cleanup

1. Move datafiles, controlfile, online redo to better locations

2. Multiplex online redo and controlfiles across controllers

3. Increase the number of redolog groups

4. Appropriately size your SGA for your server

5. Setup log_archive_dest_1 to use something other than the AV install default

6. Setup log_archive_dest_2 to point to your standby database server

7. Setup log_archive_config, db_unique_name, fal_* entries and local_listener to use your database listeners in preparation for implementing Dataguard.

8. Move the flashback directory from the default of $ORACLE_BASE/flash_recovery_area to a better location and clean up the archivelogs backed up via rman to the old flash_recovery_area directory

9. Decide whether or not you want auto-extensible data files

10. Set whatever other init.ora parameters you like at your organization

11. Install backups / crontab / scripts / monitors to your company standard

Page 30: Oracle11g Audit Vault


Setting up the DG Standby and FSFO

1. Validate that Audit Vault works on the standby AV Server by logging into the application and “looking around”

2. Shutdown the Audit Vault server application

3. Delete the database from the standby machine

4. Bring over the init.ora and listener.ora modifications in Slide #15 to the standby, but change the machine name to that of the standby server.

5. Bring over the password file from the primary.

6. Restore a backup of your AV primary to your standby server and create a standby controlfile for it.

7. Startup managed recovery

8. Implement FSFO

9. Validate that FSFO is working and the AV Web Application is working

10. Turn Database Vault back on

11. Troubleshoot in-house scripts that break as a result of Database Vault being turned back on

Page 31: Oracle11g Audit Vault


Other Dataguard / FSFO Considerations

1. If you use an XML audit trail, you may want to move your audit directories to faster file systems

2. If you use a DB audit trail, you’ll want to move your aud$ and fga_log$ tables to a non-system tablespace.

3. If you customize your sqlnet.ora NAMES.DEFAULT_DOMAIN, you’re going to have to manually modify every entry in the Audit Vault tnsnames.ora to include the value. You’ll also have to modify the tns configuration on the collector machines (whether they be source db servers or collector machines similar to slide #12).

Page 32: Oracle11g Audit Vault


Definitions and Context

• Source – The database you are getting your audit data from. Regardless of how many nodes there are in your dataguard config, there is only 1 source.

• Agent – Tied to a single server, an Agent connects to the Audit Vault Server to insert the audit trail data into the database. It “manages” the collectors.

• Collector – The RDBMS specific process that knows how to get audit data from the source database. There are collectors that talk to Oracle, MS Sql, DB2, and Sybase. Multiple collectors can use the same agent to deposit all audit data into the same Audit Vault repository.

• A collector is tied to a source; it “collects” from that source.

• In an Audit Vault, the combination of Source and Collector is unique.

Page 33: Oracle11g Audit Vault


Setting up remote XML collection

1. Get local collection working on the source database server following the Audit Vault documentation.

2. Using avca on the AV Server, add a new agent mapped to the primary collector server(s).

3. Run the OUI to install the Audit Vault Agent software on each primary remote collector providing the new agent created in Step #2 to the installation dialog.

4. Using avorcldb on the AV Server, add a new source using the “flip-tolerant” host name.

5. Using avorcldb on the AV Server, add new collectors for the source created in #4 tied to the agents created in #3.

6. Using avorcldb on the remote collector server, run setup to create the wallet and tnsnames entries for passwordless connection from the primary remote collector to the source db.

7. Modify the source db tnsnames.ora entry created in #7 to change the source db entry from the “flip-tolerant” host name to the node specific host name.

8. If audit_trail = xml*, create identical audit trail directories on the remote collector.

9. If doing XML generation, sync the audit trail directories created in Step #6 between the source db server and the remote collector, and create job to sync them regularly.

10. Stop the collectors created in Step #1, and startup the newly modified collector and validate that it is collecting the sync’d files.
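Step 9 leaves the actual copy mechanism to the reader. The following is an added example, not Amazon's or Oracle's script, of a one-way sync that a scheduled job on the remote collector could run: XML audit files only grow, so a file is copied when it is new or larger than the collector's copy, every copy is written to a temporary name and renamed into place so the OSAUD collector never opens a half-copied file, and the file the database still has open can be skipped. The directory and file names are constructed for the demo, and the `in_progress` parameter is an assumption of this example, not an Audit Vault option.

```python
"""Scheduled one-way sync of an XML audit directory to a remote collector.

Added example, not Amazon's or Oracle's script. Assumptions: the source
database writes append-only *.xml audit files into src_dir; the remote
collector expects an identical directory dst_dir; in_progress names the file
the database currently has open (how you determine that is site-specific).
"""
import os
import shutil
import tempfile


def sync_audit_dir(src_dir, dst_dir, in_progress=None):
    """Copy new or grown *.xml files from src_dir to dst_dir; return the names copied.

    Audit files only ever grow, so "destination smaller than source" is a
    sufficient change test. Each copy is written to a temporary name and then
    renamed into place so the collector never reads a partially copied file.
    """
    os.makedirs(dst_dir, exist_ok=True)
    copied = []
    for name in sorted(os.listdir(src_dir)):
        if not name.endswith(".xml") or name == in_progress:
            continue
        src = os.path.join(src_dir, name)
        dst = os.path.join(dst_dir, name)
        if os.path.exists(dst) and os.path.getsize(dst) >= os.path.getsize(src):
            continue  # already up to date
        part = dst + ".part"
        shutil.copy2(src, part)  # preserves mtime, useful if the collector orders by it
        os.replace(part, dst)    # atomic rename within the same filesystem
        copied.append(name)
    return copied


def demo():
    """Run three sync passes over constructed files and return what each pass copied."""
    root = tempfile.mkdtemp()
    src = os.path.join(root, "adump")            # source db audit directory (constructed)
    dst = os.path.join(root, "collector_adump")  # mirror on the remote collector (constructed)
    os.makedirs(src)
    files = {
        "fin01_ora_4711_1.xml": "<Audit><AuditRecord/></Audit>",
        "fin01_ora_4712_1.xml": "<Audit><AuditRecord/></Audit>",
        "fin01_ora_4713_1.xml": "<Audit><AuditRecord/>",  # still open, no closing tag yet
    }
    for name, body in files.items():
        with open(os.path.join(src, name), "w") as fh:
            fh.write(body)
    try:
        first = sync_audit_dir(src, dst, in_progress="fin01_ora_4713_1.xml")
        second = sync_audit_dir(src, dst, in_progress="fin01_ora_4713_1.xml")  # nothing changed
        with open(os.path.join(src, "fin01_ora_4712_1.xml"), "a") as fh:
            fh.write("<!-- appended record -->")  # file 4712 grew
        with open(os.path.join(src, "fin01_ora_4713_1.xml"), "a") as fh:
            fh.write("</Audit>")                  # file 4713 was closed by the database
        third = sync_audit_dir(src, dst)          # no in-progress file any more
    finally:
        shutil.rmtree(root)
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

Run it from cron on the remote collector at the interval the slide calls "regularly"; because the change test is size-based and the copy is atomic, an overlapping or interrupted run leaves nothing worse than a stale `.part` file to clean up.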

Page 34: Oracle11g Audit Vault


New Agent Mapping

Page 35: Oracle11g Audit Vault


Source Collector Map

Page 36: Oracle11g Audit Vault


Conclusion

• In a world of compliance auditing, life can be easy or it can be hard
• Audit data is just as important as production data and should be treated as such
• In some ways, the stakes are higher: if we mess up, market cap plummets, companies fail and people go to jail.
• How big a gambler are YOU?
• Oracle Audit Vault with Dataguard/FSFO and remote collection is a high performance, low impact, highly available solution that makes compliance reporting easy.

Page 37: Oracle11g Audit Vault


Best Practices

Page 38: Oracle11g Audit Vault


What Do You Need To Audit?

Database Audit Requirements (● = one regulation that requires it)

Regulations covered: SOX, PCI DSS, HIPAA/HITECH, Basel II, FISMA, GLBA

Accounts, Roles & GRANT changes: ● ● ● ● ● ● (all six)
Failed Logins and other Exceptions: ● ● ● ● ● ● (all six)
Privileged User Activity: ● ● ● ● ● ● (all six)
Access to Sensitive Data (SELECTs…): ● ● ● ● ● (five of six)
Data Changes (INSERT, UPDATE, …): ● ● (two of six)
Schema Changes (DROP, ALTER…): ● ● ● ● ● ● (all six)
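To make these requirement categories concrete against an Oracle XML audit trail, the following added example (not Oracle's code and not part of this deck) parses a constructed XML audit extract using the element names of the Oracle 11g XML audit trail and tags each record with the categories on the slide. The AUDIT_ACTIONS codes, the privileged-user and sensitive-object lists, and the sample records are all assumptions made for this example and should be checked against your own release and policy.

```python
"""Tag Oracle-style XML audit records with the audit requirement categories.

Added example, not Oracle's code. Assumed AUDIT_ACTIONS codes: 100 = LOGON,
1 = CREATE TABLE, 12 = DROP TABLE, 15 = ALTER TABLE, 17 = GRANT OBJECT,
18 = REVOKE OBJECT, 51 = CREATE USER, 53 = DROP USER, 2/6/7 = INSERT/UPDATE/
DELETE, 3 = SELECT. Returncode 1017 is the invalid-username/password error.
"""
import xml.etree.ElementTree as ET
from collections import Counter

LOGON = 100
SELECT = 3
SCHEMA_CHANGE_ACTIONS = {1, 12, 15}
ACCOUNT_CHANGE_ACTIONS = {17, 18, 51, 53}
DATA_CHANGE_ACTIONS = {2, 6, 7}
PRIVILEGED_USERS = {"SYS", "SYSTEM"}        # site policy (assumption)
SENSITIVE_OBJECTS = {("HR", "SALARIES")}    # site policy (assumption)

# Constructed sample extract, six records, not captured from a real system.
SAMPLE_XML = """<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
 <Version>11.2</Version>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>4711</Session_Id>
  <Extended_Timestamp>2010-09-21T12:30:01.000Z</Extended_Timestamp>
  <DB_User>APPUSER</DB_User><OS_User>jdoe</OS_User><Userhost>wkst42</Userhost>
  <Action>100</Action><Returncode>1017</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>4712</Session_Id>
  <DB_User>SYS</DB_User><OS_User>oracle</OS_User><Userhost>dbhost1</Userhost>
  <Object_Schema>HR</Object_Schema><Object_Name>EMPLOYEES</Object_Name>
  <Action>15</Action><Returncode>0</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>4713</Session_Id>
  <DB_User>APPUSER</DB_User><Object_Schema>HR</Object_Schema><Object_Name>SALARIES</Object_Name>
  <Action>3</Action><Returncode>0</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>4714</Session_Id>
  <DB_User>SYSTEM</DB_User><Object_Schema>HR</Object_Schema><Object_Name>SALARIES</Object_Name>
  <Action>17</Action><Returncode>0</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>4715</Session_Id>
  <DB_User>APPUSER</DB_User><Object_Schema>SALES</Object_Schema><Object_Name>ORDERS</Object_Name>
  <Action>2</Action><Returncode>0</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>4716</Session_Id>
  <DB_User>APPUSER</DB_User><Object_Schema>HR</Object_Schema><Object_Name>EMPLOYEES</Object_Name>
  <Action>3</Action><Returncode>942</Returncode></AuditRecord>
</Audit>
"""


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def parse_records(xml_text):
    """Return one dict per AuditRecord, keyed by child element name."""
    root = ET.fromstring(xml_text)
    return [{_local(c.tag): (c.text or "").strip() for c in elem}
            for elem in root if _local(elem.tag) == "AuditRecord"]


def _int(rec, key):
    value = rec.get(key, "")
    return int(value) if value.strip() else 0


def classify(rec):
    """Return the slide's requirement categories that apply to one record."""
    action, rc = _int(rec, "Action"), _int(rec, "Returncode")
    tags = []
    if action == LOGON and rc != 0:
        tags.append("failed_login")
    elif rc != 0:
        tags.append("other_exception")          # statement failed, e.g. ORA-00942
    if rec.get("DB_User", "").upper() in PRIVILEGED_USERS:
        tags.append("privileged_user")
    if action in SCHEMA_CHANGE_ACTIONS:
        tags.append("schema_change")
    if action in ACCOUNT_CHANGE_ACTIONS:
        tags.append("account_grant_change")
    if action in DATA_CHANGE_ACTIONS:
        tags.append("data_change")
    obj = (rec.get("Object_Schema"), rec.get("Object_Name"))
    if action == SELECT and rc == 0 and obj in SENSITIVE_OBJECTS:
        tags.append("sensitive_select")
    return tags


def flagged(xml_text):
    """(Session_Id, tags) for every record that matched at least one category."""
    out = []
    for rec in parse_records(xml_text):
        tags = classify(rec)
        if tags:
            out.append((rec.get("Session_Id", "?"), tags))
    return out


def triage(xml_text):
    """Count how many records fall into each category."""
    counts = Counter()
    for rec in parse_records(xml_text):
        counts.update(classify(rec))
    return counts


if __name__ == "__main__":
    for session, tags in flagged(SAMPLE_XML):
        print(session, ", ".join(tags))
    print(dict(triage(SAMPLE_XML)))
```

The same categories are what Audit Vault's built-in and compliance reports group by; a script like this is useful for checking, on a sample of raw trail files, that the source's audit policy actually produces records in every category a regulation asks for before relying on the reports.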

Page 39: Oracle11g Audit Vault


Native Auditing Performance Guidelines

• Original workload: CPU 50% for 250 audit records/sec

Audit Trail Setting | Additional Throughput Time | Additional CPU Usage
OS                  | 1.39%                      | 1.75%
XML                 | 1.70%                      | 3.51%
XML, Extended       | 3.70%                      | 5.36%
DB                  | 4.57%                      | 8.77%
DB, Extended        | 14.09%                     | 15.79%

* Internal testing. Source: 4x 3.40 GHz Intel Xeons, 4 GB RAM, x86_64 Linux, Oracle Database 11.2.0.1

Oracle Confidential 39

Page 40: Oracle11g Audit Vault


Use Automatic Audit Trail Clean-Up

• Automatically deletes audit trails from target after they are securely inserted into Audit Vault
• Reduces DBA manageability challenges with audit trails

[Diagram: source Database and Audit Vault]
1) Transfer audit trail data
2) Update last inserted record
3) Delete older audit records
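The three numbered steps are the whole safety argument of automatic clean-up: nothing is deleted on the target until the Audit Vault has confirmed the insert. The following added example (not Oracle's collector code) models that protocol with two in-memory SQLite databases standing in for the target's audit table and the Audit Vault repository. The "last inserted record" is kept as a checkpoint that is advanced in the same transaction as the transferred rows, and a simulated agent crash between transfer and checkpoint shows why that ordering prevents audit loss. Table names, column names and the batch size are constructed for the example.

```python
"""Model of the transfer / checkpoint / delete protocol behind audit trail clean-up.

Added example, not Oracle's collector code. Two in-memory SQLite databases
stand in for the target's audit table (think AUD$) and the Audit Vault
repository; names and batch size are constructed for the demo.
"""
import sqlite3


def make_source(n_records):
    """Constructed stand-in for the target database's audit table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE aud (entryid INTEGER PRIMARY KEY, dbuser TEXT, action INTEGER)")
    db.executemany("INSERT INTO aud VALUES (?, ?, ?)",
                   [(i, "APPUSER", 100) for i in range(1, n_records + 1)])
    db.commit()
    return db


def make_vault():
    """Constructed stand-in for the Audit Vault repository plus the per-source checkpoint."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE av_audit (source TEXT, entryid INTEGER, dbuser TEXT, "
               "action INTEGER, PRIMARY KEY (source, entryid))")
    db.execute("CREATE TABLE checkpoint (source TEXT PRIMARY KEY, last_inserted INTEGER)")
    db.commit()
    return db


def last_inserted(vault, source):
    """Step 2's marker: highest entryid the vault has durably stored for this source."""
    row = vault.execute("SELECT last_inserted FROM checkpoint WHERE source = ?",
                        (source,)).fetchone()
    return row[0] if row else 0


def transfer(source_db, vault, source, batch=100, fail_before_commit=False):
    """Steps 1 and 2: copy records newer than the checkpoint, then advance the
    checkpoint in the SAME vault transaction, so the marker can never run ahead
    of the data. Returns the number of records transferred."""
    start = last_inserted(vault, source)
    rows = source_db.execute(
        "SELECT entryid, dbuser, action FROM aud WHERE entryid > ? ORDER BY entryid LIMIT ?",
        (start, batch)).fetchall()
    if not rows:
        return 0
    try:
        vault.executemany("INSERT OR IGNORE INTO av_audit VALUES (?, ?, ?, ?)",
                          [(source, *r) for r in rows])
        if fail_before_commit:
            raise RuntimeError("simulated agent crash")   # data written, marker not yet moved
        vault.execute("INSERT OR REPLACE INTO checkpoint VALUES (?, ?)", (source, rows[-1][0]))
        vault.commit()
    except Exception:
        vault.rollback()   # neither the rows nor the marker survive
        raise
    return len(rows)


def cleanup(source_db, vault, source):
    """Step 3: delete on the target only what the vault has confirmed (entryid <= marker)."""
    hwm = last_inserted(vault, source)
    cur = source_db.execute("DELETE FROM aud WHERE entryid <= ?", (hwm,))
    source_db.commit()
    return cur.rowcount


def demo():
    """250 constructed records, one crashed batch in the middle; nothing is lost."""
    src, vault, source = make_source(250), make_vault(), "fin01"
    first_batch = transfer(src, vault, source)            # 100 records, marker = 100
    try:
        transfer(src, vault, source, fail_before_commit=True)
    except RuntimeError:
        pass                                              # marker still 100
    deleted = cleanup(src, vault, source)                 # deletes exactly 1..100
    while transfer(src, vault, source):
        pass                                              # 101..200, then 201..250
    deleted += cleanup(src, vault, source)
    remaining = src.execute("SELECT count(*) FROM aud").fetchone()[0]
    vaulted = vault.execute("SELECT count(*) FROM av_audit").fetchone()[0]
    return {"first_batch": first_batch, "deleted": deleted,
            "remaining": remaining, "vaulted": vaulted}


if __name__ == "__main__":
    print(demo())
```

The invariant to check in any real deployment is the one the demo asserts: the number of records deleted from the target never exceeds the number the vault has committed, and a crash between step 1 and step 2 only causes a re-transfer, never a gap.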


Page 41: Oracle11g Audit Vault


Oracle Database Security Defense-in-Depth

Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking

Access Control
• Oracle Database Vault
• Oracle Label Security

Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall

Blocking and Monitoring
• Oracle Database Firewall

Page 42: Oracle11g Audit Vault


More Oracle Database Security Presentations

• Monday:
  – 12:30 pm: Making a Business Case for Information Security, MS 300
  – 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth, MS 103

• Tuesday:
  – 12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault, MS 306
  – 2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security, MS 300
  – 2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security, MS 304
  – 3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight, MS 300
  – 5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault, MS 303

• Wednesday:
  – 10:00 am: Protect Data and Save Money: Aberdeen, MS 306
  – 11:30 am: Preventing Database Attacks With Oracle Database Firewall, MS 306
  – 4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security, MS 306

• Thursday:
  – 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris, MS 104

MS = Moscone South

Page 43: Oracle11g Audit Vault


Oracle Database Security Hands-on-Labs

• Monday:
  – Database Vault 11:00AM | Marriott Marquis, Salon 10 / 11
  – Database Vault 5:00PM | Marriott Marquis, Salon 10 / 11

• Tuesday:
  – Database Security 11:00AM | Marriott Marquis, Salon 10 / 11

• Thursday:
  – Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11
  – Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11

Page 44: Oracle11g Audit Vault


Oracle Database Security Demo Grounds
Moscone West

• Oracle Database Firewall
• Oracle Database Vault
• Oracle Label Security
• Oracle Audit Vault
• Oracle Advanced Security
• Oracle Database 11g Release 2 Security

Exhibition Hours

Monday, September 20 9:45 a.m. - 5:30 p.m.

Tuesday, September 21 9:45 a.m. - 5:30 p.m.

Wednesday, September 22 9:00 a.m. - 4:00 p.m.

Page 45: Oracle11g Audit Vault


Oracle OpenWorld Latin America 2010

December 7–9, 2010

Page 46: Oracle11g Audit Vault


Oracle OpenWorld Beijing 2010

December 13–16, 2010

Page 47: Oracle11g Audit Vault


Oracle Products Available Online

Oracle Store

Buy Oracle license and support online today at

oracle.com/store