Oracle Audit Slurp help - Audit Vault (Archived)

All,
I am in need of a sample Audit data ingestion database to model.
Can someone point me in the correct path? 

Audit Vault automates the secure storage of audit information collected by existing database audit mechanisms and redo logs.
As stated, without version information or information about what audit information, your question has no context with respect to Audit Vault.
You can learn more about Audit Vault at OTN. More about database auditing, including FGA, at http://tahiti.oracle.com.
If this does not satisfy your need then you need to clearly state precisely what it is you are trying to achieve based on which specific auditing methods and tools, including full version information.

Related

Is the Database Vault portion of Audit Vault only for the Audit Vault DB?

Hi all, first off, thanks in advance.
I am doing a bit of research in order to fulfill some security system requirements for an upcoming project. In summary the requirement states that DBAs should not have the ability to view personal health information stored in the database.
My initial thought was to use Oracle Label Security but recall that SYS is exempt from the OLS policies. Next I looked into Oracle Database Vault and the product appears to meet the requirements. However another part of the requirement states that we must prevent undetectable data tampering - which to me sounds like we need to have an auditing product in place not only to audit access and data changes but also to make sure that audit logs can't be tampered with. It seems like Oracle Audit Vault should meet the requirement. When looking into Audit Vault it mentions it comes with Oracle Database Vault and there is some wording which makes me believe that the Oracle Database Vault component is only for the Audit Vault database. Short of installing the product I thought I would post a message to see if my assumption is correct.
If the assumption is correct it sounds like we would need to purchase both Audit Vault and Database Vault to fully meet the requirement. Can anyone think of any reason we need to include OLS as well?
Once again, thanks in advance.
Cheers,
Eric 
Adding my 2 cents:
Database Vault can be configured without Audit Vault. However, AV comes bundled with DV. Using DV, you would be able to protect the db objects (e.g. health system table), however to protect the data (rows) within the table, you require OLS.
If I'm not mistaken, OLS is a prerequisite for DV.
I imagine you are dealing with the HIPAA compliance requirements and facing the same issue faced by many others.
To audit who has viewed data ... SELECT statements ... you can use Fine Grained Auditing (FGA).
To meet the government's auditing requirements, as well as those for hospital accreditation Audit Vault will do the trick.
Keeping DBAs out of the data can be done by a number of means but the issue often comes down to the applications you have purchased and the quality of the vendors. One major source of hospital software in the US, for example, has installed thousands of systems with the exact same password for the schema owner ... and that schema owner has DBA privs.
So before you run too far down the road of closing the back door ... make sure the front door isn't wide open.
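
An added example (not part of the original posts) of the FGA approach mentioned above for auditing SELECT statements, followed by a quick "front door" check. The schema HOSPITAL.PATIENT, its columns and the policy name are hypothetical, and traditional (non-unified) auditing is assumed.

```sql
-- Added example; HOSPITAL.PATIENT, DIAGNOSIS, SSN and PHI_READ_AUDIT are hypothetical names.
-- Run as a user with EXECUTE on DBMS_FGA.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HOSPITAL',
    object_name       => 'PATIENT',
    policy_name       => 'PHI_READ_AUDIT',
    audit_condition   => NULL,                  -- NULL: audit regardless of row values
    audit_column      => 'DIAGNOSIS,SSN',       -- only statements that touch these columns
    statement_types   => 'SELECT',
    audit_trail       => DBMS_FGA.DB + DBMS_FGA.EXTENDED,  -- also keep SQL text and binds
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,  -- fire if any listed column is referenced
    enable            => TRUE);
END;
/

-- Review: who read the protected columns in the last 7 days, and how often.
SELECT db_user, os_user, userhost,
       COUNT(*)                AS reads,
       MAX(extended_timestamp) AS last_read
FROM   dba_fga_audit_trail
WHERE  policy_name = 'PHI_READ_AUDIT'
AND    extended_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
GROUP  BY db_user, os_user, userhost
ORDER  BY reads DESC;

-- Front-door checks: which accounts hold the DBA role, and which accounts
-- (11g and later) still use a default password known to Oracle.
SELECT grantee  FROM dba_role_privs WHERE granted_role = 'DBA';
SELECT username FROM dba_users_with_defpwd;
```

DBA_USERS_WITH_DEFPWD only knows Oracle's own default passwords, so a vendor-chosen password shared across installations will not show up there and has to be checked separately.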
Yeah, it's the EU equivalent to the HIPAA. It sounds as if the EU has more strict requirements compared to the US.
What we do know is there isn't one single solution to address all the requirements for auditing, encryption, and access control - it appears to be a multi-vendor approach.
Thank you for feedback, I appreciate your insight and had a laugh about the thousands of systems with the same password for the schema owner comment. It's funny because I used to do consulting on a certain Retek product and every client I went to had never changed the default password for the product's schema owner :)
Thanks!
Eric 
Thanks, that is what I gathered too. What I had hoped was that by purchasing Audit Vault you wouldn't have to purchase the separate Database Vault license which would be installed on the Production database system.
Thanks for your feedback, very much appreciated!
Cheers,
Eric 
It appears you are in Minnesota which is why I assumed HIPAA.
The US is considered by the EU an unsafe harbor and in truth it is. Our level of data security is not even close to the EU standard.
That said you can solve the entire problem with Oracle by combining Data Vault with Audit Vault, FGAC, and FGA.
In the case of the US vendor of which I am aware ... if you change their default password you void their warranty and, I understand, break their software. So once you purchase their system, by default, you agree to a violation of the law. 
deleted
Message was edited by:
user609804
A couple of points of order Ignacio.
1. What you posted is irrelevant spam promoting your company and is inappropriate and in violation of your agreement with OTN.
2. If your company is an Oracle partner, after viewing your web site, you could certainly fool me. A search of your website shows the only reference to Oracle is pushing a competitive solution. I have also checked here: http://www.oracle.com/partnerships/index.html and found no mention of your firm. I am therefore reporting what appears to be your misrepresentation to Oracle legal.
Thank you for not misusing this resource in the future.

Pre requisites for Oracle Audit vault or Database vault

Hello All
I am an internal auditor and trying to find out how the audit vault works. For audit or database vault to be functional, do we first need to turn on the logging in the Oracle database?
Thanks
Rukmani 
Oracle Database Vault is a security option for Oracle Database Enterprise Edition that provides strong access controls inside the database to prevent access to application data from privileged users, including the DBA.
Oracle Audit Vault monitors the enterprise-wide database activity, helping address compliance and insider threat challenges by collecting and consolidating audit data from multiple databases. Oracle Audit Vault helps enforce the trust-but-verify security principle and is part of Oracle's overall defense-in-depth security strategy.
Oracle Database Vault controls the “Who, What, When, Where and How” of the database activity, while Oracle Audit Vault tells you about the “Who, What, When, Where and How” of the database activity.
For more information on Database Vault, take a look at the OTN site:
http://www.oracle.com/technology/deploy/security/database-security/database-vault/index.html
Audit Vault OTN site:
http://www.oracle.com/technology/products/audit-vault/index.html
Thanks Tammy 
Audit Vault captures, and secures, audit records created by normal database audit tools such as the AUDIT command and Fine Grained Auditing with DBMS_FGA. Additionally it can capture REDO logs.
With Oracle it is impossible to turn logging off so I am not sure if what you are asking is what you intend to ask. Perhaps what you mean is do we need to turn on redo log archiving. If that is indeed what you are asking the answer is no ... as long as you do not wish to store redo log information.
I should, however, point out to you that any Oracle database that does not have archive logging enabled is roughly the equivalent of New Orleans. I can't tell you when a cat 5 hurricane is going to strike ... but I can tell you one will ... and when it does there will be a horrible disaster. If your people are running a production Oracle database without archive logging they need to be trained or terminated. 
Hi, I need to choose a product to monitor server accesses and also database accesses, but to monitor our databases I should start audit on them (so I need to stop and start our database) and collect many transactions just to let that tool read the DBA_AUDIT_TRAIL table, get that information over the net, insert it into the tool's database (another Oracle database) and then delete it from our databases... !!!
I've read this thread and also this one (Oracle Audit Vault vs Third Party Tools).
It seems that with Audit Vault I need to enable audit on all our databases and then it will collect audit information from a central machine, is that right? Is there no way to collect that information by reading it from the archivelog or in another way? How much does audit impact performance on an OLTP database?
Instead Database Vault seems to provide ONLY :) strong access control, but it seems it doesn't use the AUDIT table... is this right?
What are the pros and cons of these products?

How to AUDIT Oracle Audit Vault

Does Oracle Audit Vault produce a "syslog" or logfile output that I can monitor from another application?
Thank you, 
Please consider reading the concepts and other documentation on what Audit Vault is.
Also study the concept of "separation of duties." 
Hi damorgan,
I'm studying and downloaded the following PDFs:
Collection Agent Installation Guide, e13839.pdf
Auditor's Guide, e13842.pdf
Server Installation Guide for Linux x86, e13840.pdf
Administrator's Guide, e13841.pdf
but of course I've not finished yet...
I was wondering...
I need to collect auditing data coming from several databases into my future Audit Vault machine, but also I need to collect some sensitive data as they are (I need to copy them into the Audit Vault, I imagine) into the same Audit Vault machine, because they need to be viewed only by authorized external users.
Is this possible?
Moreover... and this is why I'm replying to this thread... once authorized users have seen the sensitive data... are all their selects audited?
This is another requirement my boss is asking of me...
Thanks 
I am still unclear as to what you are asking but what is audited depends on what you, in your target database, ask to be audited. You have three different collectors to work with and can define Fine Grained Auditing and other audit policies as you wish.
What to audit is not a decision that should ever be made by IT. It should be made by legal, financial, and your outside auditors. 
.
Edited by: user614758 on May 13, 2009 1:00 PM 
I apologize if my questions are not clear... I'll try again... going into depth.
To be compliant with our new government rules we need to arrange a room where authorized users (policemen for example) can view sensitive data, and this data comes from our production database (the one you called target database).
Our government rules say also:
1. sensitive data in production environment must be available up to six months back and all movements must be audited and collected (this is easy... turn on audit, set up a collector on this target machine, collect all the information into the NEW Audit Vault server machine)
2. All data from production database older than 6 months must be deleted on production, but available (for a max period of 24 months) to be consulted in a closed room and audited again when authorized users are consulting.
I was thinking to simply move production data (in an encrypted way) into the Audit Vault server... and then I was asking... is it possible to audit the imported data directly on the new machine???
Can you help me?
Knowing the rules helps.
Audit Vault is a perfect solution for handling and managing the audit data. What you need is a solution to dropping the data older than six months from production but still making it available.
My recommendation would be to use Enterprise Edition with partitioning and partition by month. Put each partition into a separate tablespace and then use datapump with transportable tablespaces to detach older data from the production system and attach it to the archival system. 
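
An added sketch of the recommendation above (not part of the original post): a month-partitioned table with one tablespace per partition, and the steps that turn the oldest month into a self-contained, read-only tablespace ready for a transportable-tablespace export. All table, partition and tablespace names are hypothetical, and the tablespaces are assumed to exist already.

```sql
-- Added example; PHI_EVENTS, its columns, partitions and TS_PHI_* are hypothetical names.
CREATE TABLE phi_events (
  event_id   NUMBER NOT NULL,
  patient_id NUMBER NOT NULL,
  event_time DATE   NOT NULL,
  detail     VARCHAR2(400)
)
PARTITION BY RANGE (event_time) (
  PARTITION p2008_10 VALUES LESS THAN (TO_DATE('2008-11-01','YYYY-MM-DD'))
    TABLESPACE ts_phi_2008_10,
  PARTITION p2008_11 VALUES LESS THAN (TO_DATE('2008-12-01','YYYY-MM-DD'))
    TABLESPACE ts_phi_2008_11
);

-- 1. Standalone table of identical shape, in the tablespace of the month to detach.
CREATE TABLE phi_events_2008_10 (
  event_id   NUMBER NOT NULL,
  patient_id NUMBER NOT NULL,
  event_time DATE   NOT NULL,
  detail     VARCHAR2(400)
) TABLESPACE ts_phi_2008_10;

-- 2. Swap segments: the month's rows now belong to the standalone table.
ALTER TABLE phi_events EXCHANGE PARTITION p2008_10 WITH TABLE phi_events_2008_10;

-- 3. Drop the now-empty partition so nothing in production references the tablespace.
ALTER TABLE phi_events DROP PARTITION p2008_10;

-- 4. Verify the tablespace is self-contained; the view must return no rows.
BEGIN
  DBMS_TTS.TRANSPORT_SET_CHECK('TS_PHI_2008_10', TRUE);
END;
/
SELECT * FROM transport_set_violations;

-- 5. Freeze the data before export.
ALTER TABLESPACE ts_phi_2008_10 READ ONLY;

-- Next, outside SQL: export with Data Pump using TRANSPORT_TABLESPACES=ts_phi_2008_10,
-- copy the datafile, and import on the archival database with TRANSPORT_DATAFILES.
```

Access to the attached table on the archival database is then audited by whatever AUDIT or FGA policies are defined there, since audit settings on the production table do not travel with the tablespace.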
Thanks for your reply.
The solution you provide is the one I'd like to realize.
I was wondering... When you say to attach my 7 month old partition to the archival system... what do you mean? I mean... my new Audit Vault system... Do you mean "another" database machine on which to put the old tablespaces and install a new collector?
This is why I was asking: how can I audit the "Audit Vault system"?
Is it possible to use the "same" database of the Audit Vault system to load, of course in a different schema, the old production tablespaces and, at the same time, collect auditing data when some authorized users ask for older information? Because I still need to audit data for "transported" tablespaces...
In this way I don't know exactly what is the right context.

AV 10.3: Use of TDE within AV Repository

We have outsourced our DB hosting and management to a 3rd party. We have implemented DBV and ASO/TDE on the main database instance. We are using AV to collect the logs, and allow our security staff to monitor the main production instance.
The production instance, however, has sensitive data within it. We are using TDE to encrypt the data from the 3rd party DBAs. We would like to encrypt the AV repository, as we are auditing certain SQL statements, and they too will include sensitive information.
1) Is it supported to use TDE on the AV repository to ensure 3rd party DBAs cannot see the audit information, and
2) If it is supported, is it possible to get a DocID from MOS to identify how to do this?
Thank you. 
Hi:
Audit Vault has not been tested with TDE at this time. There's no specific reason why moving the AVSYS schema out of SYSAUX into another, encrypted tablespace would cause issues. However, from a certification perspective, that's not there today.

audit vault vs auditing of access

Can anyone help clarifying what is included in 11g and what is an extra cost? It sounds like AuditVault is an add-on product/cost?
But what about the audit settings I see here with DBMS_AUDIT_MGMT:
http://www.oracle-base.com/articles/11g/auditing-enhancements-11gr2.php
http://docs.oracle.com/cd/E14072_01/network.112/e10574/auditing.htm
It looks like any enterprise license already has the right to create logs with DBMS_AUDIT_MGMT for free/included. Is that correct? If so, what extra does auditvault give you? It looks like the reporting/alerting/etc...
But if I just send the raw/free audit logs to splunk for alerting/reporting, it looks like I can still do my own reporting without adding an extra oracle package. Does that sound right?
Thank you! 
You are correct in surmising that DBMS_AUDIT_MGMT is a database feature already included as part of the Enterprise Edition license for your database. It allows you to manage the audit trail generated by our database - how long to keep, when to delete, etc.
Audit Vault, on the other hand, is a heterogeneous solution aimed at assisting with regulatory compliance. It consolidates audit trails from multiple Oracle and non-Oracle databases, and allows you to report, analyze and alert on the events collected. You also get the ability to report on user entitlement data and manage audit settings across multiple Oracle databases. It is a separately licensed product. None of these features are available as part of your EE license.
Hope this helps. 
"If so, what extra does auditvault give you? It looks like the reporting/alerting/etc..."
Yes, a GUI-based product to set up auditing at database level and get alerts and PDF reports based on requirements.
It consolidates data from all sources. Once consolidated, Oracle Audit Vault removes audit data from the source systems where the audit data was generated, simplifying the management of auditing across the enterprise.
http://www.oracle.com/technetwork/products/audit-vault/overview/index.html
"But if I just send the raw/free audit logs to splunk for alerting/reporting, it looks like I can still do my own reporting without adding an extra oracle package. Does that sound right?"
Yes.
Hi:
The package DBMS_AUDIT_MGMT is already part of the Oracle database, whether you use Audit Vault or not. What Audit Vault does is integrate with it. DBMS_AUDIT_MGMT manages the audit trail that your database generates. It can delete audit records older than a certain date, for instance. If Audit Vault is being used, however, there's a handshake between it and DBMS_AUDIT_MGMT, so that DBMS_AUDIT_MGMT will not delete any audit records that have not already been collected by Audit Vault.
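
For the do-it-yourself route discussed in this thread (shipping the audit trail to an external tool), an added example, not from the original posts, of purging only what has already been shipped by using DBMS_AUDIT_MGMT's last-archive timestamp. The checkpoint table SECOPS.AUDIT_SHIP_CHECKPOINT is hypothetical and is assumed to be maintained by the external collector.

```sql
-- Added example. SECOPS.AUDIT_SHIP_CHECKPOINT (hypothetical) holds one row: the UTC
-- timestamp of the newest audit record the external collector has confirmed receiving.
DECLARE
  v_shipped TIMESTAMP;
BEGIN
  SELECT last_shipped INTO v_shipped FROM secops.audit_ship_checkpoint;

  -- One-time setup of the cleanup infrastructure for the standard audit trail (AUD$).
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(
           DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
      default_cleanup_interval => 24);   -- hours
  END IF;

  -- Records newer than this timestamp are left alone by the purge below.
  -- For the database audit trail the value is interpreted as UTC.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => v_shipped);

  -- Delete only what is older than the checkpoint, never the whole trail.
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);
END;
/

-- Verify: the recorded checkpoint and what is left in the trail.
SELECT audit_trail, last_archive_ts FROM dba_audit_mgmt_last_arch_ts;
SELECT COUNT(*) AS remaining, MIN(extended_timestamp) AS oldest FROM dba_audit_trail;
```

Calling CLEAN_AUDIT_TRAIL with use_last_arch_timestamp => FALSE deletes every record in the trail, shipped or not, so the flag is the control that keeps unshipped evidence from being lost.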
