Is the Database Vault portion of Audit Vault only for the Audit Vault DB? - Audit Vault(Archived)

Hi all, first off, thanks in advance.
I am doing a bit of research in order to fulfill some security system requirements for an upcoming project. In summary the requirement states that DBAs should not have the ability to view personal health information stored in the database.
My initial thought was to use Oracle Label Security but recall that SYS is exempt from the OLS policies. Next I looked into Oracle Database Vault and the product appears to meet the requirements. However another part of the requirement states that we must prevent undetectable data tampering - which to me sounds like we need to have an auditing product in place not only to audit access and data changes but also to make sure that audit logs can't be tampered with. It seems like Oracle Audit Vault should meet the requirement. When looking into Audit Vault it mentions it comes with Oracle Database Vault and there is some wording which makes me believe that the Oracle Database Vault component is only for the Audit Vault database. Short of installing the product I thought I would post a message to see if my assumption is correct.
If the assumption is correct it sounds like we would need to purchase both Audit Vault and Database Vault to fully meet the requirement. Can anyone think of any reason we need to include OLS as well?
Once again, thanks in advance.
Cheers,
Eric 

Adding my 2 cents:
Database Vault can be configured without Audit Vault. However, AV comes bundled with DV. Using DV, you would be able to protect the db objects (eg. health system table), however to protect the data (rows) within the table, you require OLS. 

If I'm not mistaken, OLS is a prerequisite for DV. 

I imagine you are dealing with the HIPAA compliance requirements and facing the same issue faced by many others.
To audit who has viewed data ... SELECT statements ... you can use Fine Grained Auditing (FGA).
To meet the government's auditing requirements, as well as those for hospital accreditation Audit Vault will do the trick.
Keeping DBAs out of the data can be done by a number of means but the issue often comes down to the applications you have purchased and the quality of the vendors. One major source of hospital software in the US, for example, has installed thousands of systems with the exact same password for the schema owner ... and that schema owner has DBA privs.
So before you run too far down the road of closing the back door ... make sure the front door isn't wide open. 
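
Added example, not part of the original thread: a Fine Grained Auditing policy of the kind the reply above mentions, recording SELECT statements that touch sensitive columns. The schema, table, column and policy names (CLINIC.PATIENT_RECORD, DIAGNOSIS, SSN, PHI_SELECT_AUDIT) are hypothetical.

```sql
-- Hypothetical objects: CLINIC.PATIENT_RECORD with sensitive columns DIAGNOSIS and SSN.
-- Run as a user with EXECUTE on DBMS_FGA.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'CLINIC',
    object_name       => 'PATIENT_RECORD',
    policy_name       => 'PHI_SELECT_AUDIT',
    audit_condition   => NULL,                  -- NULL = audit every row, no filter
    audit_column      => 'DIAGNOSIS,SSN',       -- fire only when these columns are read
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,  -- any one of the listed columns triggers it
    statement_types   => 'SELECT',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,  -- also keep SQL text and binds
    enable            => TRUE);
END;
/

-- Who read the sensitive columns in the last 7 days, from where, with which statement.
SELECT timestamp, db_user, os_user, userhost, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'PHI_SELECT_AUDIT'
AND    timestamp > SYSDATE - 7
ORDER  BY timestamp;
```

With `DBMS_FGA.DB` the records are stored inside the audited database itself, which is why the thread pairs FGA with a separate collection point such as Audit Vault.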

Yeah, it's the EU equivalent to the HIPAA. It sounds as if the EU has more strict requirements compared to the US.
What we do know is there isn't one single solution to address all the requirements for auditing, encryption, and access control - it appears to be a multi-vendor approach.
Thank you for feedback, I appreciate your insight and had a laugh about the thousands of systems with the same password for the schema owner comment. It's funny because I used to do consulting on a certain Retek product and every client I went to had never changed the default password for the product's schema owner :)
Thanks!
Eric 

Thanks, that is what I gathered too. What I had hoped was that by purchasing Audit Vault you wouldn't have to purchase the separate Database Vault license which would be installed on the Production database system.
Thanks for your feedback, very much appreciated!
Cheers,
Eric 

It appears you are in Minnesota which is why I assumed HIPAA.
The US is considered by the EU an unsafe harbor and in truth it is. Our level of data security is not even close to the EU standard.
That said you can solve the entire problem with Oracle by combining Data Vault with Audit Vault, FGAC, and FGA.
In the case of the US vendor of which I am aware ... if you change their default password you void their warranty and, I understand, break their software. So once you purchase their system, by default, you agree to a violation of the law. 

deleted

A couple of points of order Ignacio.
1. What you posted is irrelevant spam promoting your company and is inappropriate and in violation of your agreement with OTN.
2. If your company is an Oracle partner, after viewing your web site, you could certainly fool me. A search of your website shows the only reference to Oracle is pushing a competitive solution. I have also checked here: http://www.oracle.com/partnerships/index.html and found no mention of your firm. I am therefore reporting what appears to be your misrepresentation to Oracle legal.
Thank you for not misusing this resource in the future.


APEX is opted out due to SOX Policy

Friends,
I have been working in my project for the past 3 months (BR, Design and Architect) and now we are into the development stage, where our Sr. Technical Architects say that we need to choose a different development environment instead of Apex because of some packages which are against SOX policy. Here is the mail from the architecture team:
We have been battling with the installation of the Oracle HTTP components. To summarize, the installation scripts appear to be building the web server from source code. This requires the installation of a number of development packages that are not allowed on production systems under SOX policy. As well, there appear to be a number of dependencies on workstation software (desktop control panel, screen saver, etc.) that would not normally be installed on a server and, in fact, may also be against policy to install on a server.
All of this brings into serious question, for me at least, whether Oracle HTTP, and potentially Oracle Application Express, are production-ready products. We need to understand what is driving these dependencies, why Oracle does not distribute a binary package for this component, and whether or not they are willing to correct any deficiencies in these areas.
As well, the application team needs to begin to consider alternatives to Oracle HTTP and possibly to Oracle Apex. This goes beyond any simple SOX policy or production operations rule. The presence of these dependencies indicate to me that Oracle HTTP is not ready for prime time and may not even be appropriate for a production server environment.
I would like to know whether this is a serious issue in every Apex development projects or SOX policy is defined differently for each individual company due to which my company policy is not able to support ApEx.
I need some expert's advice so that I might convince the team here.
Your inputs are valuable to me and they definitely help in driving this project. Also I am the only Apex Developer in my project and so I have to ultimately rely on forums.
Thanks,
Raj. 
Hi Raj,
I'd like to understand your issues a bit more, and maybe I can help.
>> To summarize, the installation scripts appear to be building the web server from source code.
To be precise, a page view in any Application Express application is dynamically produced from the server. You could say .NET, Java, PHP, Ruby, CGI programming all have this same "fault". The generation of the page in APEX is done, in part, with the application definition stored in the database.
>> This requires the installation of a number of development packages that not allowed on production systems under SOX policy.
New in Application Express 3.1 is the ability to install a runtime version of the Application Express engine. The minimum number of database objects are created and minimum number of database privileges are granted in order to run Application Express applications. But there is no development interface. No one except a DBA will be able to modify the applications in a runtime instance, and they will be limited to exclusively a command-line interface of SQL*Plus (no Web development interface).
http://download.oracle.com/docs/cd/E10513_01/doc/install.310/e10496/install.htm#CHDHIJGE
I think I'd like to get your feedback on these two points before I address any of your other questions about corrections and potential deficiencies. I am most interested if this now mitigates the SOX-compliance concerns of your Sr. Technical Architect.
Joel 
Where are there desktop dependencies with APEX? If you have a browser, you can develop and access the application? Whoever is coming up with the garbage is just spouting FUD again.
What do they want you to use? .NET? There is a stable environment (joking here, folks).
The package that is delivered is a PL/SQL package. What is the issue with that?
I know of companies that are using APEX and have been told it meets the requirements for SOX, and the accountants love the applications that APEX can build!
Sounds like the folks that are telling you it doesn't meet these qualifications have another product in mind, and don't have REAL reasons to not use APEX.
Was the DBA involved with this conversation against APEX? Or was it some paper pushers who don't know applications development?
Thank you,
Tony Miller
Webster, TX
PS: Used to live & work in Seattle area up until last year.. What company is this for, if I may ask? 
Raj,
Tony does bring up a very good point. If this assertion:
"As well, there appear to be a number of dependencies on workstation software (desktop control panel, screen saver, etc.) that would not normally be installed on a server and, in fact, may also be against policy to install on a server."
is emanating from the Senior Technical Architect who is raising these objections, then I suspect they have minimal understanding and zero practical use of Oracle Application Express. Oracle Application Express never has and probably never will have any dependency on the desktop control panel, screen saver, etc.
Maybe they're confusing Oracle Application Express with something else they read in a trade magazine (in all seriousness)?
Joel 
I'm going to assume this is on Linux (or another Unix variant) based on a few of the comments. So far his comments seem to have nothing to do with APEX, and are just focused on the Oracle HTTP Server or OHS (based on Apache).
The desktop components he's likely referring to are xscreensaver and gnome-libs. These are mainly for the installer itself, but they are also requirements for the database install. So, if this is the reason OHS is not ready for prime time, then neither is the database.
As far as "building from source", the HTTP Server requires make and gcc to be installed, but so does the database. If this is the reason OHS is not ready for prime time, then neither is the database.
I'm 99% sure you could remove these packages post-install, but that's something you'd have to confirm with support and test on your own.
From a security perspective, I'd be a lot more worried about encrypted backups, physical access, separation of duties, and SQL Injection than having make installed on my server, but hey, what do I know. Also, if you'd like to post the URL of any of your web apps based on other technologies, the community would be happy to "evaluate" the security of those applications ;)
Thanks,
Tyler
http://tylermuth.wordpress.com 
Joel/Tony/Tyler,
Thanks for your replies.
Well, yes, as Tyler thought, the issue is installing Oracle HTTP Server as a separate installation on Linux. I don't have much experience installing Apex & HTTP on Linux, but the issue seems to be that there are certain packages (not PL/SQL) that need to be installed for HTTP Server, which is against the SOX policy. Also, the application we are building is not only for internal users but also for external users who log in through the internet, due to which there are some stringent company security policies.
Yes, the DBA is part of this exercise, and they say it's the first time they are doing HTTP as a separate installation from Apex. Earlier we developed one internal dashboard project and it went into production, but that had Apex and HTTP installed as bundled software from Oracle. But they say that as this new project is exposed to the outside world it has to pass the SOX policy, and as per SOX, Oracle HTTP Server installs some files which are against the policy.
I have asked my DBA for the SR# and as soon as I get it I will post it here, which would probably help in identifying the issue.
Thanks,
Raj. 
SR# 6842208.993 
I respect that companies have to create policies but more often than not - and this is yet another example - the policies make absolutely no sense. If it's not the policy, in many cases it's that the policies are interpreted incorrectly.
As a person who has spoken at SOX conferences to CIOs and the like, I can say that screen saver applications have never come up as part of any policy. Furthermore, having worked with the auditors who sign off on such matters, the real issues have little to do with having installed compilers or for that matter Apache HTTP servers or even a specific application. Everyone recognizes that those things have to exist and no one has ever pretended that Enron could have been avoided had only the HTTP server been installed without the compiler!
SOX, like HIPAA and many other regulations seen and to be seen, is often abused and misused. They simply act as an excuse that people are latching on to in order to achieve some other agenda. It's being abused everywhere. It's important to call that out and not pursue the false technically misguided ramblings of some uninformed person trying to make a name for themselves.
SOX is about managing and implementing controls on information that has material impact on accurate financial disclosure. SOX is about cooking the books, insider trading, lack of accountability and proper oversight. Hello? Anyone who takes that and extrapolates it to the end stated by customer's email is either very creative or living in an alternate reality.
OK, so it's a red herring, now what? My suggestion is to re-ask about what the company policy is specifically. There is a good chance that the wording is being misinterpreted or exaggerated. Someone has the alternate agenda to throw out Oracle. Not sure why. But this much is clear. Apparently, the best they could do is come up with this.
Finally, from a security/vulnerability perspective (which is not at all what SOX is about), there are many things people can do to decrease their risks especially in Internet facing applications. There are a plethora of IDS, IPS and Tripwire-types of things folks can use to allow things to work in a supported fashion and still protect themselves.
For SOX, people need to focus on the core issues that Tyler mentioned - Segregation of Duty, Provisioning, auditing, etc. The email posting and the thinking in it is completely misguided and the reason no one else has brought this up before is because there is no issue here.
Another good perspective on the issue can be found in Effective Oracle Database 10g Security By Design. I know the author well. 
I know I shouldn't do this, but I can't resist... Is IIS an accepted standard in your organization? If so, this is probably worth a read.
Tyler 
The thing here is that SOX is just like any other regulatory agency. They all provide guidelines and requirements but it is for the company to determine what policies they implement to meet those directives. The three most stringent agencies to work with on Information Systems are:
1. Food and Drug Administration (FDA) (and International Variants)
2. Securities Exchange Commission (SEC)
3. Sarbanes-Oxley (SOX)
Having seen the level of work it takes to get systems compliant to each of these agencies I can tell you that a) the FDA is usually the most stringent, and b) the other two usually take their lead from the FDA (maybe a few months behind). Apex is being used with OHS and OAS (Oracle Application Server) in companies that have to comply with all three at once and so long as you take, and document, reasonable precautions then none of them will have an issue. These agencies do not prescribe technology; they talk about safeguards. It is for each company to deliver and defend their policies of compliance.
That being said, if they have issues with your setup then there are any number of ways that you can harden the setup. The forums can help with that, too. Fact of the matter is that I am more trusting of the products from APEX in a regulated environment than any of the technologies that have come before (ASP, .NET being some of them). This is mostly due to the fact that with the components residing within the database means that if someone wants to monkey with them directly then they have a lot of work to get there in the first place. If you take the precautions that you can with APEX then you can be reassured that compliance can be achieved.
As far as what is exposed on your app server that is on the outside. Look through some of the postings by jes on this forum and he talks about how you can use redirects that will pass the user from the outside through to your app in a more secure fashion. Also check the blogs to find this information too. That's what they are there for.
Jason Aughenbaugh (aka. WileECoyote)
My Fledgling Blog: http://citemreh.spaces.live.com 
Teku,
This is an interesting thread in several ways.
First, it shows that there is tremendous disagreement in the interpretation many organizations have about being SOX compliant. It really seems that most organizations incorrectly interpret SOX, the company you work for being one of them.
Part of this is due to management not knowing what they are telling IT to implement. Part of this is due to outside auditors not really having any kind of technical background, and therefore being clueless about what they are doing/suggesting. Another part is busy DBA's and system architects, who are so busy they don't have the time to properly research basic core documents to find out if what they are being told is in fact correct.
The above replies have some very sound advice about both technical issues (security concerns and resolutions) and non-technical issues (educating your management and 'security' teams/DBA's).
Your organization shouldn't be running much in the way of 'sensitive' applications (and of course the 'sensitive data') from a publicly accessible server. These types of apps should be placed behind a firewall or two, and only accessible internally after proper authentication and authorization to a 'Menu' application, which in turn would redirect to the appropriate application. For those rare cases where the application/data does need to be publicly accessible, then the above still applies, but with additional security. Do as Joel suggests and only install the runtime version. Require public 'hits' to login to a generic menu application, which in turn would perform redirects to read-only versions of the application (which also would require a login), usually through database links for an additional layer of database security.
Most, if not all, of the 'issues' your "Technical Architects" have problems with can be easily solved with some basic technical knowledge. If they don't know about the Oracle Forums, show them. Let them ask their questions here (and in the other forums). They will usually get correct answers very quickly and realize that their assumptions are easily put to rest.
Having worked on *nix systems myself, I rarely was able to get binaries for anything. Almost everything came as 'source code' which needed to be compiled and linked with the libraries specific for that hardware/software (OS) platform. How are they getting their 'binaries' that run on the production server? Are they compiling them on a different machine and then moving them over to the production server? Are they compiling them on the production server, then removing what isn't necessary? The same process should be able to be applied to the Oracle Application Server.
This also brings up the question of which Oracle Application Server. Is it the one that comes with Oracle 10.xxx (Apache 1.2-based) or the Oracle Application Server that is available with Oracle 11g (Apache 2.0-based). That may alleviate some security concerns by itself. I 'think' the 11g Oracle Application Server will still allow access to 10g databases. I'd be surprised if it didn't.
The email from your "Sr. Technical Architect" seems to me that he has very little comprehension on what Oracle is or how it does it, and that therefore they have a gap in their technical expertise. Perhaps if they would access the Oracle Forums, they would find out many of their assertions are incorrect or easily corrected.
Management's interpretation of SOX is a different subject though. That is a battle that can only be overcome through numerous meetings (with people that actually know what they are talking about) so management can be properly educated. But, management usually doesn't like to admit they don't know what they're talking about, which really slows down this part of the process.
Good luck.
Bill Ferguson 
Thanks for your concerns and opinions on this thread.
I agree there are a few technical gaps in understanding what and how Apex works by our Sr. Architects and DBAs, which is leading to this chaos.
We have already logged an SR (6842208.993) and the issue is being followed up with Oracle Support team. I am sure this SR would definitely clear up all the hitches in my organization in developing future projects in Apex.
I appreciate your prompt responses and generous opinions in this regard.
I would keep you posted on the resolution.
-Raj

Oracle Audit Vault vs Third Party Tools

Hi,
Please post your experience in using or evaluating third-party tools to monitor database activities and performing vulnerability assessments. I am currently evaluating tools such as Guardium, DBProtect, and IPLocs and need feedback from the members of this forum of their experiences and pros and cons…
All of these tools have positives and negatives but there are three things Audit Vault can do that none of its competitors can touch.
1. Fully supported by Oracle and will be in the future. No other product can make that guarantee.
2. Has access to Oracle internals so, for example, some of these products can monitor network traffic but it is easy for someone to run something on the server, inside the database, that produces zero network traffic.
3. Guaranteed to work with all current and future Oracle security features.
<just a personal opinion>
As I look at what some of these products do I am, quite frankly, amazed Oracle hasn't sued them. Some of these products seem to have reverse engineered Oracle in violation of the license terms and it is possible, at any point in time, for Oracle to slam the door on them.
</just a personal opinion> 
Thanks!!!! I agree with your points.
What product do you use or recommend to perform Vulnerability Assessments? Does Audit Vault offer a mechanism to run periodic vulnerability assessments? 
OEM Grid Control is a good place to start.
But the best place is with Pete Finnigan's blog.
http://www.petefinnigan.com/
No one knows Oracle security as well as Pete: Not even Oracle.
His website contains gem after gem after gem. It is better than any product. 
I have used DBProtect for a number of years. It depends on what you really want to do with your audits.
DBProtect offers both a vulnerability module and an auditing module -- they have rolled both into one product now.
If you do NOT have an externally facing database and your main issue is to keep a basic eye on your databases this system does basic monitoring and you can tailor it further if you don't mind the clunky customizing interface and can make it do what you want. They have an upgrade process even they don't fully trust....but it is supposedly getting better. Overall they are improving -- they now have Oracle host-based sensors for Unix and finally for Windows. I'm not sure how reliable the one for Windows is yet. Not that it's bad, just haven't been using it long. Forget about the network-based sensors as they are troublesome and if you have a web-based app where the web&app servers are on the same box with the database it can't detect anything as there is No network traffic directly to the database.....of course only small systems would be configured this way.
While DBProtect is not terrible it is wise to see what else is out there besides it and Audit Vault as the Oracle product is much more expensive....so it depends on your exposure, your auditors requirements, your database and organization size and budget and assorted other concerns. In the end you have to leap in and choose, try it out and see if it fits for you and then change it if necessary (always a painful thought -- financially and technically) -- Good Luck.....I'm keeping my eyes open myself so if you find anything good please recommend on-line. 
We tried to set up Audit Vault and it was far from easy, had a huge overhead, and on top of it all had vulnerabilities. There's a new product in the market that we're now looking at and looks very impressive IMHO. It's called Core Audit from Blue Core Research.
Pros: it's an easy setup. Took us 5 mins to set this up and start collecting as opposed to Audit Vault which took hours. It's low overhead.
Cons: No Sqlserver support yet. They only support oracle database.
good luck

How to AUDIT Oracle Audit Vault

Does Oracle Audit Vault produce a "syslog" or logfile output that I can monitor from another application?
Thank you, 
Please consider reading the concepts and other documentation on what Audit Vault is.
Also study the concept of "separation of duties." 
Hi damorgan,
I'm studying and downloaded the following pdf:
Collection Agent Installation Guide, e13839.pdf
Auditor's Guide, e13842.pdf
Server Installation Guide for Linux x86, e13840.pdf
Administrator's Guide, e13841.pdf
but of course I've not already finished...
I was wondering...
I need to collect auditing data coming from several databases into my future Audit Vault machine, but also I need to collect some sensible data as they are (I need to copy into the Audit Vault I image) into the same Audit Vault machine, because they need to be view only by authorized external users.
Is this possible ?
Moreover... and this is why I'm replying to this thread... once authorized users have seen the sensible data... are all their selects audited ?
This is another requirements my boss is asking to me...
Thanks 
I am still unclear as to what you are asking but what is audited depends on what you, in your target database, ask to be audited. You have three different collectors to work with and can define Fine Grained Auditing and other audit policies as you wish.
What to audit is not a decision that should ever be made by IT. It should be made by legal, financial, and your outside auditors. 
I apologize if my questions are not clear.. I try again... going into depth.
To be compliant to our new government rules we need to arrange a room where authorized users (policeman for example) can view sensible data and this data come from our production database (that one you called target database).
Our government rules say also:
1. sensible data in production environment must be available up to six months back and all movements must be audited and collected (this is easy.. turn on audit, setup a collector on this target machine, collect all the informations into the NEW Audit Vault server machine)
2. All data from production database older than 6 months must be deleted on production, but available (for a max period of 24 months) to be consulted on a closed room and audited again when authorized users are consulting.
I was thinking to simply move production data (in an encrypted way) into the Audit Vault server... and then I was asking.. is it possible to audit the imported data directly on the new machine ???
Can you help me ? 
Knowing the rules helps.
Audit Vault is a perfect solution for handling and managing the audit data. What you need is a solution to dropping the data older than six months from production but still making it available.
My recommendation would be to use Enterprise Edition with partitioning and partition by month. Put each partition into a separate tablespace and then use datapump with transportable tablespaces to detach older data from the production system and attach it to the archival system. 
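
Added example, not part of the original thread: the month-per-tablespace layout and transportable-tablespace hand-off recommended above, as a SQL*Plus script. Table, tablespace, directory and file names (APP.ACCESS_EVENT, TS_2009_01, DP_DIR, the /u01 paths) are hypothetical, and the Data Pump commands run at the OS prompt, so they appear as comments.

```sql
-- Hypothetical names throughout; adjust sizes and paths to the real system.

-- 1. One tablespace per month, one partition per tablespace.
CREATE TABLESPACE ts_2009_01 DATAFILE '/u01/oradata/prod/ts_2009_01.dbf' SIZE 1G;
CREATE TABLESPACE ts_2009_02 DATAFILE '/u01/oradata/prod/ts_2009_02.dbf' SIZE 1G;

CREATE TABLE app.access_event (
  event_id   NUMBER         NOT NULL,
  event_time DATE           NOT NULL,
  subject_id NUMBER         NOT NULL,
  payload    VARCHAR2(4000)
)
PARTITION BY RANGE (event_time) (
  PARTITION p_2009_01 VALUES LESS THAN (DATE '2009-02-01') TABLESPACE ts_2009_01,
  PARTITION p_2009_02 VALUES LESS THAN (DATE '2009-03-01') TABLESPACE ts_2009_02
);

-- 2. When p_2009_01 is older than six months, swap its segment into a
--    standalone table. A tablespace that holds only one partition of a
--    larger table is not self-contained and cannot be transported as is.
CREATE TABLE app.access_event_2009_01 TABLESPACE ts_2009_01
  AS SELECT * FROM app.access_event WHERE 1 = 0;

ALTER TABLE app.access_event
  EXCHANGE PARTITION p_2009_01 WITH TABLE app.access_event_2009_01;

-- The partition is now empty; dropping it removes the month from production
-- and leaves ts_2009_01 holding only the standalone table.
ALTER TABLE app.access_event DROP PARTITION p_2009_01;

-- 3. Confirm the tablespace is self-contained before detaching it.
EXEC DBMS_TTS.TRANSPORT_SET_CHECK('TS_2009_01', TRUE);
SELECT violations FROM transport_set_violations;   -- expect no rows

-- 4. Freeze the data; a transported tablespace must be read only.
ALTER TABLESPACE ts_2009_01 READ ONLY;

-- 5. At the OS prompt (DP_DIR is a hypothetical directory object):
--      expdp system DIRECTORY=dp_dir DUMPFILE=ts_2009_01.dmp
--            TRANSPORT_TABLESPACES=ts_2009_01
--    Copy ts_2009_01.dmp and ts_2009_01.dbf to the archival host, create the
--    APP user there, then on the archival database:
--      impdp system DIRECTORY=dp_dir DUMPFILE=ts_2009_01.dmp
--            TRANSPORT_DATAFILES='/u01/oradata/arch/ts_2009_01.dbf'
--    The tablespace arrives read only; leaving it that way keeps the
--    archived rows immutable on the archival system.

-- 6. Back on production, once the archive copy has been verified:
DROP TABLESPACE ts_2009_01 INCLUDING CONTENTS AND DATAFILES;
```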
Thanks for your reply.
The solution you provide is that one I'd like to realize.
I was wondering... When you say to attach my 7 month old partition to the archival system .. what do you mean ? I mean... my new Audit Vault system.. Do you mean "another" database machine where to put the old tablespaces and to install a new collector on it ?
This is why I was asking How can I Audit "Audit Vault system" ?
Is it possible to use the "same" database of Audit Vault system to load, of course in a different schema, the old production tablespaces and, at the same time, collect auditing data when some authorized users ask for older informations ? Because I still need to audit data for "transported" tablespaces...
In this way I don't know exactly what is the right context.

Loss of support due to addition of views?

I'm working with a contractor who is hosting CM 13 and I need a view created for several reports. Their admin refuses to do anything because he's afraid they will lose support. Does anyone know which database modifications/additions will cause you to lose support? As far as I knew you cannot alter any procedures, functions or views that shipped with Contract Manager, everything else is fair game. Thanks.
Kevin 
Here's a thought: Add the view to a copy of your production database. Run your reports, etc. Make sure it works the way you expect. Document the addition and removal of the view, I.E. how it is added and how it is removed. Now add the view to production. If the system experiences any problems, remove the view and see if the problem goes away. Call Oracle if the problem persists (after you clear the transaction log.) Seems to me the burden of proof would be on Oracle to demonstrate you ever had a view in the first place. Since a new view you create is a read-only presentation of select data, I don't see any way possible you could be denied support if it's not present when you ask for help. I do see the possibility, however, that if you have an issue in the future, ask Oracle for help, and they see the view, that they may deny support to you because the view is present.
Data replication may be in order. Replicate the production CM database to a new database and add the view to the new database. Don't know if this is possible. Good luck. 
Thanks for your response. I have a feeling that replication on my own server will be the only way to go with this guy. He's afraid to do anything for fear of losing support. Over the past 6 years of managing Expedition & Contract Manager installations, Primavera support has proven themselves to be less than useful, so I'm not sure why he's afraid of losing a service that can't compare to a Google search.
Are there moderators on here? I'd like an official answer from Oracle so I can show the Admin that he's needlessly living in fear of losing support (or that I'm wrong). A view or a scalar function that returns data from a select statement shouldn't cause any problems if it's well written. 
I would also like an answer to this question. In the past I have requested changes to the data base. I have documented these approaches and changes with a support ticket. I then use the support ticket as backup for the work on CM.
What kind of views are you trying to get created that you could not do with a join in Infomaker? I can see that it would be helpful to add new views, but I have not come across an issue yet that I could not address with SQL. 
If the support issue is a concern, which in my experience it shouldn't be as long as you aren't messing with actual tables, triggers, procedures, performing inserts / updates, etc..., there is a simple workaround.
Depending on the database, either create a separate schema (Oracle), or a separate database (MS SQL) and create the view there. You'll just need to make sure that permissions are granted accordingly such that the view has access to the tables it needs and the login name used by CM has access to the view in the separate DB / schema. This way you are not changing the structure of the CM DB / schema at all. 
The situation here is difficult. In a normal case that would be the solution; however, I don't have direct access to their servers, so the database would live in the cloud and won't be able to be seen by the native reports. It's very frustrating. The administrator is checking to see if it's OK with Oracle if we set up remote access to the database so I can set up replication on my cloud server. He asks Oracle if it's OK to do anything first, so problems tend to take weeks to be resolved. I'm new to the company, but have a few years of experience using Contract Manager, so things are going a lot slower than I'm used to around here. Thanks for your responses. 
I am still not clear on what you are trying to accomplish. If you already have access to the database to run Infomaker why do you need additional views? 
I agree with Rick - set up a separate schema and give it read-only access to CM. I do not see how that would invalidate your support with Oracle.
Also - you can contact Oracle support directly and ask them. They do reply quickly, and you can then forward that reply to the admin. Why it takes weeks for him to get a response is beyond me!
Cheers,
Daniel 
#Daniel: The problem is the Sys Admin on the PCM host side, so advice about creating views or separate databases is not a solution.
But what any Admin can give you is a report in Infomaker in .csv format that will never breach the license agreement, so we can help you construct a report file that you would send to your friendly Admin...
Another workaround depends on what database they use (version); for example, if they have (MS) Reporting Services you can just make a report that would be periodically sent to you via email as an XML/Excel file.
Let us know what data you need on the outcome.

file monitoring

Received a security gap analysis report that indicated that file monitoring (e.g. assuming /var/log/messages, /etc/passwd, etc.) is a requirement. Not yet entirely sure how the security reviewers define file monitoring, and what the basic requirements are. (All the servers I'm responsible for are Oracle Linux.) In the meantime I'm looking at s/w such as logcheck and logstash, to Tripwire and OSSEC - Open Source being my requirement. Any comments or suggestions in this respect, what to consider s/w wise, and what should be met minimum requirement wise, will be much appreciated. Thanks.
My intuition tells me that data content is gone but, then again, I've never encountered this issue before.  I asked Mister Google (look at the headers in the next email they send you: mr.google.com) and found this in the Linux Forums  http://www.linuxforums.org/forum/knoppix-linux/158562-solved-unable-mount-drive.html that was not obviously wrong or outdated. 
Why not configure the Linux audit subsystem to monitor specific files and directories? https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing and https://docs.oracle.com/cd/E52668_01/E54670/html/ol7-audit-sec.html The use of the Audit system is also a requirement for a number of security-related certifications. As far as I'm aware, auditing is installed by default, but not necessarily configured. If you are looking for a central monitoring approach, Zabbix is a popular open source product.
Johan Louwers wrote a tutorial on this:  Johan Louwers - Tech blog: Oracle Linux - monitor file changes with auditd
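
The audit-subsystem approach suggested in the replies above, as an added example that is not part of any post: a Python sketch that groups audit.log records by event serial and reports who touched which watched file. The two watch rules, their key names (`identity`, `syslog_tamper`) and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Watch rules assumed to be loaded from /etc/audit/rules.d/ (key names are made up):
#   -w /etc/passwd       -p wa -k identity
#   -w /var/log/messages -p wa -k syslog_tamper

# Constructed sample records in audit.log layout (not taken from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2210 pid=2244 auid=1001 uid=0 gid=0 euid=0 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="identity"
type=CWD msg=audit(1700000000.101:501): cwd="/root"
type=PATH msg=audit(1700000000.101:501): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="/etc/passwd" inode=131999 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000050.777:502): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3001 pid=3002 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=7 comm="sh" exe="/usr/bin/bash" key="syslog_tamper"
type=PATH msg=audit(1700000050.777:502): item=0 name="/var/log/messages" inode=262200 dev=fd:00 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Merge records that share an event serial; return one summary per keyed event."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip blank or malformed lines
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[serial]
        if rtype == "SYSCALL":
            key = fields.get("key")
            # auid is the login UID: it survives su/sudo, so it names the real person.
            ev.update(time=float(ts), auid=fields.get("auid"), uid=fields.get("uid"),
                      exe=fields.get("exe"), success=fields.get("success") == "yes",
                      key=None if key == "(null)" else key)
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name"))
    # Only events carrying a rule key were produced by one of the watches.
    return [dict(serial=int(s), **e) for s, e in events.items() if e.get("key")]

def report(events):
    for e in sorted(events, key=lambda e: e["serial"]):
        status = "ok" if e["success"] else "DENIED"
        print(f'{e["serial"]} key={e["key"]} auid={e["auid"]} uid={e["uid"]} '
              f'exe={e["exe"]} files={e["paths"]} {status}')

if __name__ == "__main__":
    report(parse_events(SAMPLE_LOG))
```

On a live host the same grouping is what `ausearch -k <key> -i` does; the sketch is useful where logs are shipped off the box and reviewed centrally.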
