ORACLE AUDIT VAULT OVERVIEW AND ANALYTICS

ORACLE AUDIT VAULT - Amazon S3 · PRESENTATION CAVEATS • We will cover Oracle Audit Vault installation, not the Oracle Firewall product • Our examples will be Oracle centric •

“Imagination is more important than knowledge. For knowledge is limited to all we now know and understand, while imagination embraces the entire world, and all there ever will be to know and understand.”

–Albert Einstein

ABOUT THE PRESENTER

• 14 Years Oracle Experience, 4 Years MSSQL

• Coauthor with Michael McLaughlin on PL/SQL

• Principal Database Engineer at the LDS Church

• Database Security Enthusiast

• Database Nut

PRESENTATION CAVEATS

• We will cover Oracle Audit Vault installation, not the Oracle Firewall product

• Our examples will be Oracle centric

• The presenter/partners are available if you need help, including more advanced design and installation.

PERFORMANCE: DATA RETENTION AND HARDWARE CONSIDERATIONS

MINIMUM REQUIREMENTS AV ONLY

• 125 GB disk space

• 1 NIC

• Java SE6+

• Mozilla 14, IE 8, Chrome 21, Safari 5

• Adobe Flash

• AV agents must have access to the OAV server

REALISTIC REQUIREMENTS AV ONLY

• 128 GB RAM

• (4) Processors - 12 Cores

• (4) FusionIO 1.6TB IOScale Devices

• (16) 600 GB SAS Disks

• 1 NIC

• Hardware must exist on Oracle’s hardware compatibility list

ARCHITECTURE: AUDIT VAULT AND FIREWALL OVERVIEW & REMEDIATION PROCESS

Agent Communication

[Diagram: Oracle Audit Vault (Alerting, Audit DB Objects, User Entitlement, Policy Management, Audit Vault Agent, Audit Data Lifecycle) with sources MYSQL, Oracle, MSSQL, Sybase, DB2, SQL Anywhere, ..., and Windows AD/LDAP]

ORACLE AUDIT VAULT FEATURES (ORACLE ONLY)

• Automatic data collection

• Dozens of built-in, customizable reports & policies

• Custom alerting

• Java agent deployable across Windows and *NIX

• Logs DB audit trails and OS system logs

ORACLE AUDIT VAULT SERVER

• Secured, tightly hardened OS

• Same kernel as Oracle Exadata

• Oracle DB 11.2.0.3

• Install and update are easy*

*Beware: any customizations to /etc/fstab or system files will be negated when updates are performed. If you customize any of the system settings, be sure to script those changes for repeatability.

INSTALLATION & UPGRADE PROCESS

DEPLOYING AGENTS ON LINUX SERVERS

• Java Executable

• Download via OAV portal

• Can be suspended by complex queries

• A CRON process monitor might be helpful

• XML audit is cheaper than FGA_LOG$ and AUD$

• Limiting size of audit trail tables is recommended

ORACLE AUDIT VAULT USERS

• Administrator (avadmin): super administrator for management of AV portal components

• Auditor (avauditor): super auditor for report, policy, and alerting components

• Support (support): Linux OS user for ssh access

• Root (root): Linux OS root account, no ssh access

ORACLE AUDIT VAULT PASSWORDS

• First character must be alphabetical

• Special characters are limited to , . + : _

• Upper, lower, numeric, and special characters required

• 8-30 characters long

• Cannot be the same as the username, a reserved word, or a simple word

• No repeating characters
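
A pre-check that applies the password rules listed on this slide to a candidate before it is entered on the appliance; this is an added example, not Oracle's validator or the presenter's code. The function name, the sample word list, and the reading of "no repeating characters" as "no identical adjacent characters" are assumptions.

```python
ALLOWED_SPECIALS = set(",.+:_")  # the special characters listed on the slide

# Constructed stand-in word list (assumption): the slide does not enumerate
# which reserved or simple words are rejected.
SAMPLE_WEAK_WORDS = {"password", "welcome", "oracle", "select", "admin"}


def check_av_password(password, username, weak_words=SAMPLE_WEAK_WORDS):
    """Return the list of slide rules that the candidate password violates."""
    problems = []
    if not 8 <= len(password) <= 30:
        problems.append("length must be 8-30 characters")
    first = password[:1]
    if not (first.isascii() and first.isalpha()):
        problems.append("first character must be alphabetical")
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "numeric": any(c.isdigit() for c in password),
        "special": any(c in ALLOWED_SPECIALS for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name} character")
    # Anything that is neither alphanumeric nor an allowed special is rejected.
    illegal = sorted({c for c in password
                      if not c.isalnum() and c not in ALLOWED_SPECIALS})
    if illegal:
        problems.append("disallowed characters: " + " ".join(map(repr, illegal)))
    lowered = password.lower()
    if lowered == username.lower() or lowered in weak_words:
        problems.append("same as username, reserved word, or simple word")
    # Assumption: "no repeating characters" means no identical adjacent pair.
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("contains repeating characters")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ("Aud1t.Vau7t", "1Short!", "Abb1.xyzQ"):
        print(candidate, "->", check_av_password(candidate, "avadmin") or "ok")
```
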

POST-INSTALL TASKS: PASSWORDS

SETTING AV TIME & DNS

SETTING AV MAIL

[Diagram: Oracle Audit Vault (Alerting, Audit DB Objects, User Entitlement, Policy Management, Audit Vault Agent, Audit Data Lifecycle) ...; labels: APEX; Admin, OPS, Audit, HR/Legal]

[Flowchart: remediation process with lanes Admin, HR/Legal, and OPS. Boxes: AV Alert Generated; Check Finding to Confirm Finding; Report Finding to Security OPS; Report Investigation Analysis; False Positive Found; Provide Guidance with Initial Risk Assessment; Inform Data Steward of Finding; Complete Disciplinary Forms/Evidence; Pursue HR/Legal Action; Complete Risk Assessment; Provide Short/Long Term Solutions; Implement Change]

QUERYING THE EVENT LOG: LIVE DEMONSTRATION

Thank You