
1


S317045
Real-World Deployment and Best Practices with Oracle Audit Vault
Tammy Bednar, Sr. Principal Product Manager, Oracle
Mike McClure , Sr. Database Administrator, Amazon
The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle's
products remains at the sole discretion of Oracle.

3
Program Agenda

Why Audit?
Oracle Audit Vault Reports
Implementing Audit Vault at Amazon
Best Practices
Q&A

4
Why Audit?

It's all about protecting sensitive data, maintaining customer trust, and protecting the business
Trust-but-verify that your employees are only performing operations required by the business
Detective controls to monitor what is really going on
Reduce the curiosity seekers from looking at data
Compliance demands that privileged users be monitored
Know what is going on before others tell you

5
Oracle Audit Vault
Automated Activity Monitoring & Audit Reporting

[Diagram: HR, CRM and ERP databases send audit data into the Audit Vault; the auditor works from alerts, built-in reports, custom reports and policies]

Consolidate audit data into secure repository
Detect and alert on suspicious activities
Out-of-the box compliance reporting
Centralized audit policy management

6
Audit Vault Reports

7
8
9
Any of the Audit Vault reports can be scheduled to run automatically and archived in the Audit Vault repository for viewing, printing, emailing, and attestation

10
Oracle Audit Vault
Database Audit Support

RDBMS (versions): audit locations

Oracle Database (9iR2, 10g, 11g): audit tables for standard and fine-grained auditing; Oracle audit trail from OS files written in XML, text file, or SYSLOG; before/after values and DDL changes from the redo log; Database Vault specific audit records
Microsoft SQL Server (2000, 2005, 2008): server-side trace set to specific audit events; Windows event audit (specific events viewed by Windows Event Viewer); C2, which automatically sets all auditable events
IBM DB2 (8.2, 9.1 and 9.5 on Linux, Unix, Windows): binary OS files written by the audit facility
Sybase ASE (12.5.4 - 15.0.x): sybsecurity database tables

11
Oracle Audit Vault
Features by Release
Feature 10.2.2 10.2.3 10.2.3.2
Oracle Database Support
SQL Server, IBM DB2 LUW, Sybase ASE
Out-of-the-Box Reports
Open Schema
Alerts
Policy Manager for Oracle
Audit Trail Clean-Up
Compliance reports (PCI, HIPAA, ..)
Entitlement reports (users, privileges..)
Reports (PDF, Customization)
Reports (Scheduling, Attestation, Notification)
Alerts Email and Remedy Integration
ArcSight & Q1 Labs Integration

12
Audit Vault at
Amazon

13
Michael McClure, Database Administrator, Global Financial Systems, Amazon.com
14
Oracle Audit Vault
Catching the Big Bad Wolf

15
To Be, or Not To Be?

That is the Question.

16
Why Audit Vault?

Reduce cost / increase efficiency related to SOX, HIPAA, PCI DSS and other compliance reporting
Cross-database compatibility
Separation of duties
More efficient audit policy management
Catch the Big Bad Wolf

17
Auditing Challenges

We have lots of different RDBMS systems; they all audit differently
Policies/mechanisms for auditing are different across the organization
Dealing with our audit data
Watching the watchers: who do you trust?

18
Oracle Audit Vault Architecture

19
Concerns

1. Performance / Impact
2. Resource utilization
3. Scalability
4. Fault Tolerance / BCP / DR

20
Generation
1. audit_trail = db*
2. audit_trail = xml*
3. redo

Collection
1. DBAUD Collector
2. OSAUD Collector
3. REDO Collector

21
Which did we choose?

We liked the OSAUD collector from the XML audit trail

22
A Closer look at XML Audit Trail
Generation and Collection

23
Audit Vault Low Impact / Fault Tolerant
Architecture

24
AV Server & Dataguard w/FSFO
1) Using the OUI, install the AV Server application on two
different machines using the same SID.
2) Choose one machine to be your primary machine and
validate that AV works by logging into the web app.
3) Turn off Database Vault
4) Force Logging in your primary database
5) Modify init.ora parms and listener.ora for Dataguard and AV
compatibility
6) Other cleanup of standardized AV install
7) Delete the database on your chosen standby server
8) Instantiate a DG standby on your standby server
9) Create and enable FSFO configuration

25
Disabling Database Vault

1. Shutdown the database
2. Recompile the oracle executable with Database Vault off:
   cd $ORACLE_HOME/rdbms/lib
   make -f ins_rdbms.mk dv_off
   cd $ORACLE_HOME/bin
   relink oracle
3. Startup the database
4. Grant the following:
   grant create user, alter user to avsys;

26
Force logging for Dataguard

1. Force logging at the database level:
   SQL> alter database force logging;
2. Force logging for each tablespace:
   SQL> select 'alter tablespace '|| tablespace_name || ' force logging;' from dba_tablespaces where contents = 'PERMANENT';

Cut/paste the output into your sqlplus window.

27
Init.ora and listener.ora parms for
DG/AV compatibility
Init.ora
1. dispatchers='(DISPATCHERS=2)(PROTOCOL=TCP)(SERVICE=${ORACLE_SID}XDB)(LISTENER=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<YOUR HOST NAME>)(PORT=1521))))'

Listener.ora
1. LISTENER =
     (DESCRIPTION_LIST =
       (DESCRIPTION =
         (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
         (ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>)(PORT = 1521))
       )
       (DESCRIPTION =
         (ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>)(PORT = 5707))
         (Presentation=HTTP)(Session=RAW)
       )
     )
2. SID_LIST_LISTENER =
     (SID_LIST =
       (SID_DESC =
         (SID_NAME = PLSExtProc)
         (ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
         (PROGRAM = extproc)
       )
       (SID_DESC =
         (SID_NAME = <YOUR DBNAME>)
         (ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
         (global_dbname = <sid>.<domain>)
       )
     )

28
General database cleanup
1. Move datafiles, controlfile, online redo to better locations
2. Multiplex online redo and controlfiles across controllers
3. Increase the number of redolog groups
4. Appropriately size your SGA for your server
5. Setup log_archive_dest_1 to use something other than the AV install default
6. Setup log_archive_dest_2 to point to your standby database server
7. Setup log_archive_config, db_unique_name, fal_* entries and local_listener to use your database listeners in preparation for implementing Dataguard.
8. Move the flashback directory from the default of $ORACLE_BASE/flash_recovery_area to a better location and clean up the archivelogs backed up via rman to the old flash_recovery_area directory
9. Decide whether or not you want auto-extensible data files
10. Set whatever other init.ora parameters you like at your organization
11. Install backups / crontab / scripts / monitors to your company standard

29
Setting up the DG Standby and FSFO

1. Validate that Audit Vault works on the standby AV Server by logging into the
application and looking around
2. Shutdown the Audit Vault server application
3. Delete the database from the standby machine
4. Bring over the init.ora and listener.ora modifications in Slide #15 to the
standby, but change the machine name to that of the standby server.
5. Bring over the password file from the primary.
6. Restore a backup of your AV primary to your standby server and create a
standby controlfile for it.
7. Start managed recovery
8. Implement FSFO
9. Validate that FSFO is working and the AV Web Application is working
10. Turn Database Vault back on
11. Troubleshoot in-house scripts that break as a result of Database Vault being
turned back on

30
Other Dataguard / FSFO
Considerations
1. If you use an XML audit trail, you may want to move your audit directories to faster file systems
2. If you use a DB audit trail, you'll want to move your aud$ and fga_log$ tables to a non-system tablespace.
3. If you customize your sqlnet.ora NAMES.DEFAULT_DOMAIN, you're going to have to manually modify every entry in the Audit Vault tnsnames.ora to include the value. You'll also have to modify the tns configuration on the collector machines (whether they be source db servers or collector machines similar to slide #12).

31
Definitions and Context
Source: The database you are getting your audit data from. Regardless of how many nodes there are in your Dataguard config, there is only one source.
Agent: Tied to a single server, an agent connects to the Audit Vault Server to insert the audit trail data into the database. It manages the collectors.
Collector: The RDBMS-specific process that knows how to get audit data from the source database. There are collectors that talk to Oracle, MS SQL, DB2, and Sybase. Multiple collectors can use the same agent to deposit all audit data into the same Audit Vault repository.

A collector is tied to a source; it collects from that source.
In an Audit Vault, the combination of source and collector is unique.

32
Setting up remote XML collection

1. Get local collection working on the source database server following the Audit Vault documentation.
2. Using avca on the AV Server, add a new agent mapped to the primary collector server(s).
3. Run the OUI to install the Audit Vault Agent software on each primary remote collector, providing the new agent created in Step #2 to the installation dialog.
4. Using avorcldb on the AV Server, add a new source using the flip-tolerant host name.
5. Using avorcldb on the AV Server, add new collectors for the source created in Step #4 tied to the agents created in Step #3.
6. Using avorcldb on the remote collector server, run setup to create the wallet and tnsnames entries for passwordless connection from the primary remote collector to the source db.
7. Modify the source db tnsnames.ora entry created in Step #6 to change the source db entry from the flip-tolerant host name to the node-specific host name.
8. If audit_trail = xml*, create identical audit trail directories on the remote collector.
9. If doing XML generation, sync the audit trail directories created in Step #8 between the source db server and the remote collector, and create a job to sync them regularly.
10. Stop the collectors created in Step #1, start up the newly modified collector, and validate that it is collecting the synced files.
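Step 10's validation is easier when you can tell a lagging or truncated sync from a broken collector. The following is an added example, not Oracle's or Amazon's code: it compares the XML audit files on the source db server with the synced copy on the remote collector by size and SHA-256 and sorts the differences into categories. The directory names, file names and record contents are constructed for the example; the file currently being written by the database will normally show up as "truncated" until the next sync run, which is expected.

```python
"""Integrity check for a synced XML audit trail directory (added example,
not Oracle or Amazon code). Step 9 syncs the audit directories from the
source db server to the remote collector; this compares the two trees so
step 10's validation can separate "collector reads a stale or partial copy"
from "collector is broken". Directory and file names are constructed.
"""
import hashlib
import os
import tempfile


def _sha256(path):
    """Stream a file through SHA-256; audit files can be large."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_dir_diff(source_dir, replica_dir, suffix=".xml"):
    """Compare audit files on the source with the synced copy.

    Returns a dict of sorted file names:
      missing    - on the source, not yet on the replica (sync lag)
      truncated  - on both, but the replica copy is shorter (partial copy,
                   or the file the database is still writing)
      mismatched - same size, different bytes (corrupt or stale copy)
      extra      - only on the replica (source side already cleaned up)
      ok         - byte-identical
    """
    src = {n for n in os.listdir(source_dir) if n.endswith(suffix)}
    dst = {n for n in os.listdir(replica_dir) if n.endswith(suffix)}
    result = {"missing": sorted(src - dst), "extra": sorted(dst - src),
              "truncated": [], "mismatched": [], "ok": []}
    for name in sorted(src & dst):
        a = os.path.join(source_dir, name)
        b = os.path.join(replica_dir, name)
        if os.path.getsize(b) < os.path.getsize(a):
            result["truncated"].append(name)
        elif _sha256(a) != _sha256(b):
            result["mismatched"].append(name)
        else:
            result["ok"].append(name)
    return result


def demo():
    """Constructed source and replica directories covering each outcome."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "adump_source")
        dst = os.path.join(root, "adump_replica")
        os.makedirs(src)
        os.makedirs(dst)
        record = ("<AuditRecord><Action>100</Action>"
                  "<Returncode>0</Returncode></AuditRecord>\n")
        files = {
            "ora_1001.xml": record * 10,   # fully synced
            "ora_1002.xml": record * 10,   # replica copy cut short
            "ora_1003.xml": record * 10,   # not yet synced
            "ora_1004.xml": record * 10,   # same size, one byte differs
        }
        for name, body in files.items():
            with open(os.path.join(src, name), "w") as f:
                f.write(body)
        with open(os.path.join(dst, "ora_1001.xml"), "w") as f:
            f.write(files["ora_1001.xml"])
        with open(os.path.join(dst, "ora_1002.xml"), "w") as f:
            f.write(files["ora_1002.xml"][: len(record) * 4])
        with open(os.path.join(dst, "ora_1004.xml"), "w") as f:
            f.write(files["ora_1004.xml"].replace("<Returncode>0<",
                                                  "<Returncode>1<", 1))
        with open(os.path.join(dst, "ora_0999.xml"), "w") as f:
            f.write(record)                # already cleaned up on the source
        return audit_dir_diff(src, dst)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category:10s} {names}")
```

Run it from the sync job's cron wrapper after each pass; a non-empty "mismatched" list is the case worth alerting on, since a stale or altered copy means the collector is feeding the vault something other than what the source database wrote.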

33
New Agent Mapping

34
Source Collector Map

35
Conclusion
In a world of compliance auditing, life can be easy or it can be hard
Audit data is just as important as production data and should be treated as such
In some ways, the stakes are higher: if we mess up, market cap plummets, companies fail and people go to jail.
How big a gambler are YOU?
Oracle Audit Vault with Dataguard/FSFO and remote collection is a high-performance, low-impact, highly available solution that makes compliance reporting easy.

36
Best Practices

37
What Do You Need To Audit?

Database audit requirements, mapped against PCI DSS, HIPAA/HITECH, SOX, Basel II, FISMA and GLBA:

Accounts, Roles & GRANT changes
Failed Logins and other Exceptions
Privileged User Activity
Access to Sensitive Data (SELECTs)
Data Changes (INSERT, UPDATE, ...)
Schema Changes (DROP, ALTER)
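To show how these six requirement categories fall out of the raw audit data, here is an added example (not Oracle's or Amazon's code) that parses records in the shape of the Oracle 11g XML audit trail, the format the OSAUD collector picks up in the Amazon deployment described earlier, and counts how many records land in each category. Assumptions: the element names (AuditRecord, DB_User, Action, Returncode, Object_Schema, Object_Name) follow the 11g XML audit trail layout; the action codes are the subset of Oracle's AUDIT_ACTIONS view that the example relies on and should be verified against your own database; the privileged-user and sensitive-object lists are placeholders; the sample file is constructed.

```python
"""Sort Oracle XML audit trail records into the audit requirement categories
from the slide (added example, not Oracle or Amazon code).

Assumed: 11g XML audit element names; action codes checked against your
AUDIT_ACTIONS view; PRIVILEGED_USERS and SENSITIVE_OBJECTS are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of an 11g XML audit file (namespaced root).
SAMPLE_XML = """<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-11_2.xsd">
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>101</Session_Id>
  <Extended_Timestamp>2010-09-21T12:00:01.000000Z</Extended_Timestamp>
  <DB_User>APPUSER</DB_User><OS_User>bob</OS_User><Userhost>ws01</Userhost>
  <Action>100</Action><Returncode>1017</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>102</Session_Id>
  <DB_User>SYSTEM</DB_User><Object_Schema>HR</Object_Schema><Object_Name>EMPLOYEES</Object_Name>
  <Action>3</Action><Returncode>0</Returncode>
  <Sql_Text>select * from hr.employees</Sql_Text></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>103</Session_Id>
  <DB_User>APPUSER</DB_User><Object_Schema>APPUSER</Object_Schema><Object_Name>TMP_LOAD</Object_Name>
  <Action>12</Action><Returncode>0</Returncode></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>102</Session_Id>
  <DB_User>SYSTEM</DB_User><Object_Schema>HR</Object_Schema><Object_Name>EMPLOYEES</Object_Name>
  <Action>17</Action><Returncode>0</Returncode>
  <Sql_Text>grant select on hr.employees to appuser</Sql_Text></AuditRecord>
 <AuditRecord><Audit_Type>1</Audit_Type><Session_Id>104</Session_Id>
  <DB_User>APPUSER</DB_User><Object_Schema>HR</Object_Schema><Object_Name>SALARIES</Object_Name>
  <Action>6</Action><Returncode>0</Returncode></AuditRecord>
</Audit>
"""

# Placeholders: replace with your DBA accounts and your sensitive tables.
PRIVILEGED_USERS = {"SYS", "SYSTEM"}
SENSITIVE_OBJECTS = {("HR", "EMPLOYEES"), ("HR", "SALARIES")}

# Subset of AUDIT_ACTIONS codes (verify against your database).
SELECT_ACTION = 3
DML_ACTIONS = {2, 6, 7}                     # INSERT, UPDATE, DELETE
SCHEMA_ACTIONS = {1, 12, 15}                # CREATE/DROP/ALTER TABLE
GRANT_ACTIONS = {17, 18, 51, 53, 108, 109}  # GRANT/REVOKE OBJECT, CREATE/DROP USER, GRANT/REVOKE ROLE


def _local(tag):
    """Strip the XML namespace so element names can be matched directly."""
    return tag.rsplit("}", 1)[-1]


def parse_records(xml_text):
    """Return one dict per AuditRecord, keyed by local element name."""
    root = ET.fromstring(xml_text)
    return [{_local(c.tag): (c.text or "").strip() for c in elem}
            for elem in root.iter() if _local(elem.tag) == "AuditRecord"]


def classify(rec):
    """Map one record to zero or more of the slide's requirement categories."""
    action = int(rec.get("Action") or 0)
    returncode = int(rec.get("Returncode") or 0)
    user = rec.get("DB_User", "").upper()
    obj = (rec.get("Object_Schema", "").upper(), rec.get("Object_Name", "").upper())
    categories = []
    if returncode != 0:                     # failed logon (ORA-01017 etc.) or any failed statement
        categories.append("Failed Logins and other Exceptions")
    if user in PRIVILEGED_USERS:
        categories.append("Privileged User Activity")
    if action in GRANT_ACTIONS:
        categories.append("Accounts, Roles & GRANT changes")
    if action == SELECT_ACTION and obj in SENSITIVE_OBJECTS:
        categories.append("Access to Sensitive Data (SELECTs)")
    if action in DML_ACTIONS:
        categories.append("Data Changes (INSERT, UPDATE, DELETE)")
    if action in SCHEMA_ACTIONS:
        categories.append("Schema Changes (DROP, ALTER)")
    return categories


def summarize(xml_text):
    """Count records per category; a record may count in several."""
    counts = Counter()
    for rec in parse_records(xml_text):
        counts.update(classify(rec))
    return counts


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_XML).items()):
        print(f"{n:3d}  {category}")
```

The namespace handling matters in practice: the 11g XML files carry a default namespace on the root element, so a naive `find("AuditRecord")` returns nothing. Feeding each category's count into a threshold (for instance, more than a handful of failed logons per user per minute) is the shape of the alerts the Audit Vault slides describe.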

38
Native Auditing
Performance Guidelines

Original workload: CPU 50% for 250 audit records/sec

Audit Trail Setting | Additional Throughput Time | Additional CPU Usage
OS | 1.39% | 1.75%
XML | 1.70% | 3.51%
XML, Extended | 3.70% | 5.36%
DB | 4.57% | 8.77%
DB, Extended | 14.09% | 15.79%

*Internal testing. Source: 4x 3.40 GHz Intel Xeons, 4 GB RAM, x86_64 Linux, Oracle Database 11.2.0.1

Oracle Confidential 39
Use Automatic Audit Trail Clean-Up

Automatically deletes audit trails from the target after they are securely inserted into Audit Vault
Reduces DBA manageability challenges with audit trails

[Diagram: Database to Audit Vault: 1) Transfer audit trail data; 2) Update last inserted record; 3) Delete older audit records]
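The three numbered steps in the diagram are a watermark protocol, and the property that makes it safe is the order: the source is purged only up to the last record the vault has acknowledged. The following is an added example, not Oracle's or Amazon's code, that models that flow with constructed records and checks the invariant that nothing is lost; it also handles the boundary case where two records share a timestamp and a batch would otherwise split them. On an Oracle 11g source the same idea is what DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP followed by CLEAN_AUDIT_TRAIL implements.

```python
"""Watermark-based audit trail clean-up (added example, not Oracle or Amazon
code). Steps: (1) transfer a batch to the vault, (2) record the timestamp of
the last inserted record, (3) delete from the source only records at or
before that watermark. Record shapes and timestamps are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AuditRecord:
    entry_id: int
    ts: float      # constructed stand-in for Extended_Timestamp
    text: str


@dataclass
class SourceTrail:
    """Stand-in for AUD$/FGA_LOG$ or an XML audit directory on the target."""
    records: list = field(default_factory=list)

    def pending(self, limit):
        """Oldest `limit` records, extended so one timestamp is never split
        across batches: a later 'ts <= watermark' delete would otherwise
        drop same-timestamp records that were not transferred."""
        ordered = sorted(self.records, key=lambda r: (r.ts, r.entry_id))
        batch = ordered[:limit]
        if batch:
            edge = batch[-1].ts
            batch += [r for r in ordered[limit:] if r.ts == edge]
        return batch

    def delete_up_to(self, watermark_ts):
        """Step 3: purge only what the vault has acknowledged."""
        before = len(self.records)
        self.records = [r for r in self.records if r.ts > watermark_ts]
        return before - len(self.records)


@dataclass
class VaultRepo:
    """Stand-in for the Audit Vault repository plus its per-source watermark."""
    stored: dict = field(default_factory=dict)   # entry_id -> AuditRecord
    last_inserted_ts: float = float("-inf")

    def insert(self, batch):
        """Steps 1 and 2: store the batch, then advance the watermark. The
        watermark moves only after every record is stored, so an exception
        mid-batch leaves the source untouched on the next clean-up."""
        for rec in batch:
            self.stored[rec.entry_id] = rec      # keyed, so re-delivery is harmless
        if batch:
            self.last_inserted_ts = max(self.last_inserted_ts,
                                        max(r.ts for r in batch))


def collect_and_cleanup(source, vault, batch_size):
    """One collector cycle; returns (records inserted, records deleted)."""
    batch = source.pending(batch_size)
    vault.insert(batch)
    deleted = source.delete_up_to(vault.last_inserted_ts)
    return len(batch), deleted


def lost_records(original, source, vault):
    """Invariant: every record ever generated is on the source or in the vault."""
    present = {r.entry_id for r in source.records} | set(vault.stored)
    return {r.entry_id for r in original} - present


if __name__ == "__main__":
    src = SourceTrail([AuditRecord(i, ts, f"rec{i}") for i, ts in
                       ((1, 1.0), (2, 2.0), (3, 2.0), (4, 3.0), (5, 4.0))])
    everything = list(src.records)
    vault = VaultRepo()
    print(collect_and_cleanup(src, vault, 2))    # (3, 3): batch grew to keep ts=2.0 whole
    print(lost_records(everything, src, vault))  # set()
```

The point a DBA should take from this is the ordering in `collect_and_cleanup`: a clean-up job that runs on a fixed age (delete everything older than N days) instead of on the vault's watermark will silently lose audit records whenever the collector falls behind by more than N days.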

Oracle Confidential 40
Oracle Database Security
Defense-in-Depth
Encryption and Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
Access Control: Oracle Database Vault, Oracle Label Security
Auditing and Tracking: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
Blocking and Monitoring: Oracle Database Firewall

41
More Oracle Database Security Presentations

Monday:
12:30 pm: Making a Business Case for Information Security MS 300
3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth MS 103
Tuesday:
12:30 pm: Real-World Deployment and Best Practices : Oracle Audit Vault MS 306
2:00 pm: Real-World Deployment and Best Practices : Oracle Advanced Security MS 300
2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security MS 304
3:30 pm: Database Security Event Management : Oracle Audit Vault and ArcSight MS 300
5:00 pm: Real-World Deployment and Best Practices :Oracle Database Vault MS 303
Wednesday:
10:00 am: Protect Data and Save Money: Aberdeen MS 306
11:30 am: Preventing Database Attacks With Oracle Database Firewall MS 306
4:45 pm: Centralized Key Management and Performance :Oracle Advanced Security MS 306
Thursday:
10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris MS 104

MS = Moscone South

42
Oracle Database Security Hands-on-Labs

Monday:
Database Vault 11:00AM | Marriott Marquis, Salon 10 / 11
Database Vault 5:00PM | Marriott Marquis, Salon 10 / 11

Tuesday:
Database Security 11:00AM | Marriott Marquis, Salon 10 / 11

Thursday
Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11
Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11

43
Oracle Database Security Demo Grounds
Moscone West

Oracle Database Firewall
Oracle Database Vault
Oracle Label Security
Oracle Audit Vault
Oracle Advanced Security
Oracle Database 11g Release 2 Security

Exhibition Hours
Monday, September 20 9:45 a.m. - 5:30 p.m.
Tuesday, September 21 9:45 a.m. - 5:30 p.m.
Wednesday, September 22 9:00 a.m. - 4:00 p.m.

44
Oracle OpenWorld
Latin America 2010
December 7-9, 2010

45
Oracle OpenWorld
Beijing 2010
December 13-16, 2010

46
Oracle Products Available Online

Oracle Store

Buy Oracle license and support online today at oracle.com/store

47
