Copyright 2012, Oracle and/or its affiliates. All rights reserved.
The following is intended to outline our general product
direction. It is intended for information purposes only, and
may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality,
and should not be relied upon in making purchasing
decisions. The development, release, and timing of any
features or functionality described for Oracle's products
remains at the sole discretion of Oracle.

11g Database Security Workshop
Implement Detective and Preventive Controls with
Oracle Audit Vault and Database Firewall
David Evora | Sales Consulting Manager
Agenda
Oracle Audit Vault and Database Firewall
New Solution for Oracle and Non-Oracle Databases
[Architecture diagram. Labels: Users; Applications; Database Firewall (Allow, Log, Alert, Substitute, Block); Firewall Events; Audit Data; OS, Directory, File System & Custom Audit Logs; Audit Vault; Auditor; Reports; Alerts; Security Manager; Policies]

Oracle Audit Vault and Database Firewall
Comprehensive Enterprise Audit and Log Consolidation

Databases: Oracle, SQL Server, DB2 LUW, Sybase ASE
New Audit Sources
Operating Systems: Microsoft Windows, Solaris
Directory Services: Active Directory
File Systems: Oracle ACFS
Audit Collection Plugins for Custom Audit Sources
XML file maps custom audit elements to canonical audit elements
Collect and map data from XML audit file and database tables

Oracle Audit Vault and Database Firewall
Audit and Event Repository

Based on proven Oracle Database technology
Includes compression, partitioning, scalability, high availability, etc.
Open schema for flexible reporting
Information lifecycle management for target specific data retention
Centralized web console for easy administration
Command line utility for automation and scripting

Oracle Audit Vault and Database Firewall
Audit and Event Data Security

Software appliance based on hardened OS and pre-configured database
Fine-grained administrative groups
Sources can be grouped for access authorization
Individual auditor reports limited to data from the grouped sources
Separation of duties
Powerful multi-event alerting with thresholds and group-by

Reports
Entitlement Reports
Snapshot of Oracle database users, roles, privileges, and profiles
Compare changes in settings
Compliance Reports
Meet compliance in the areas of Credit Card, Financial Materiality, and Health Care data activity
Customization to define your compliance report and filter data
Schedule, print, and save reports in PDF format
Attest and add review notes

Oracle Audit Vault and Database Firewall
Single Administrator Console

Oracle Audit Vault and Database Firewall
Default Reports

Oracle Audit Vault and Database Firewall
Out-of-the-Box Compliance Reporting

Oracle Audit Vault and Database Firewall
Report with Data from Multiple Source Types

Oracle Audit Vault and Database Firewall
Extensive Audit Details

Oracle Audit Vault and Database Firewall
Performance and Scalability

Audit Vault
Supports monitoring and auditing multiple hundreds of heterogeneous database and non-database targets
Supports wide range of hardware to meet load requirements

Database Firewall
Decision time is independent of the number of rules in the policy
Multi-device / multi-process / multi-core scalability
8 cores can handle between 30K and 60K transactions/second

Oracle Audit Vault
Audit Trail Clean-Up: DBMS_AUDIT_MGMT
Automatically deletes Oracle audit trails from target
after they are securely inserted into Audit Vault
Reduces DBA manageability challenges with audit trails

[Diagram: Database]
1) Transfer audit trail data
2) Update last inserted record
3) Delete older audit records
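
The three steps above, carried out by hand on a target database with DBMS_AUDIT_MGMT. This is an added example, not code from the workshop; it assumes Oracle Database 11g Release 2, a session allowed to execute DBMS_AUDIT_MGMT, and a one-day retention margin that stands in for the "last inserted record" position of step 2.

```sql
-- Added example, not from the workshop.
-- The one-day margin is a constructed value: set the timestamp no later than
-- the newest record already confirmed as stored in Audit Vault.
BEGIN
  -- One-time setup for the standard audit trail (SYS.AUD$).
  -- Note: INIT_CLEANUP relocates the audit table out of the SYSTEM
  -- tablespace (to SYSAUX by default), so run it in a maintenance window.
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(
           DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
      default_cleanup_interval => 24);   -- hours
  END IF;

  -- Step 2: record how far the audit trail has been safely transferred.
  -- Database audit trails expect this timestamp in UTC.
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYS_EXTRACT_UTC(SYSTIMESTAMP) - INTERVAL '1' DAY);

  -- Step 3: delete only records older than that timestamp.
  -- use_last_arch_timestamp => FALSE would delete the whole trail,
  -- including records that were never transferred.
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);
END;
/

-- Check the recorded position and what remains on the target
SELECT audit_trail, last_archive_ts FROM dba_audit_mgmt_last_arch_ts;
SELECT COUNT(*) AS remaining_records, MIN(extended_timestamp) AS oldest
  FROM dba_audit_trail;
```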

Agenda
Oracle Audit Vault and Database Firewall
Lab Exercises
LAB CONFIGURATION SETUP OF THE AUDIT VAULT AND DATABASE FIREWALL ENVIRONMENT
LAB EXERCISE 00 ORACLE AUDIT VAULT OVERVIEW
LAB EXERCISE 01 EFFECTIVELY MANAGING DATABASE AUDIT POLICY
LAB EXERCISE 02 REDUCE TIME TO COMPLIANCE USING ORACLE AUDIT VAULT REPORTING
LAB EXERCISE 03 GAIN REAL-TIME DATABASE ACTIVITY MONITORING USING AUDIT VAULT ALERTING

To deactivate and remove the Audit Vault Agent:
1. Stop all audit trails being collected by the Audit Vault Agent.
   1. In the Audit Vault Server console, click the Hosts tab, then click Audit Trails.
   2. Select the audit trails being collected by this Audit Vault Agent, and then click Stop.
2. Stop the Audit Vault Agent by running the following command on the host computer:
   agentctl stop
3. Deactivate the Audit Vault Agent on the host computer:
   1. In the Audit Vault Server console, click the Hosts tab.
   2. Select the host name, and then click Deactivate.
   3. Optionally, drop the host by selecting it, and then clicking Delete.
4. Delete the Audit Vault Agent home directory on the host computer.

Here is a summary of the users and their functions that will be used
throughout this lab exercise.
DBA_DEBRA Database Administrator Account
avadmin/Oracle123 Audit Vault Administrator
avauditor/Oracle123 Auditor

LAB EXERCISE 01 EFFECTIVELY MANAGING DATABASE AUDIT POLICY
During this lab you will:
1. Demonstrate native Oracle database auditing and the audit settings configured for this environment.
   i) Create a table, configure auditing on that table, then confirm that the audit records are being generated successfully
2. Review the Oracle Database Secure Configuration Best Practice audit policies
3. Configure the DB06 database with Secure Configuration Best Practice Audit Policy
4. Execute an automated workload generation SQL script to test the audit policies and confirm that the audit data is being collected by Audit Vault

Understanding Statement Auditing

Statement auditing audits SQL statements by type of statement, not by the specific schema objects on which the statement operates. These statements are in the following categories:
(a) Data definition statements (DDL). For example, AUDIT TABLE audits all CREATE TABLE and DROP TABLE statements. AUDIT TABLE tracks several DDL statements regardless of the table on which they are issued. You can also set statement auditing to audit selected users or every user in the database.
(b) Data manipulation statements (DML). For example, AUDIT SELECT TABLE audits all SELECT ... FROM TABLE or SELECT ... FROM VIEW statements, regardless of the table or view.

Understanding Object Auditing

Schema object auditing is the auditing of specific statements on a particular schema object, such as AUDIT SELECT ON HR.EMPLOYEES.
(a) For example, object auditing can audit all SELECT and DML statements permitted by object privileges, such as SELECT or DELETE statements on a given table. The GRANT and REVOKE statements that control those privileges are also audited.
(b) Object auditing lets you audit the use of powerful database commands that enable users to view or delete very sensitive and private data. You can audit statements that reference tables, views, sequences, standalone stored procedures or functions, and packages.
(c) Oracle Database and Oracle Audit Vault always set schema object audit options for all users of the database. You cannot set these options for a specific list of users.

Understanding Privilege Auditing

Privilege auditing is the auditing of SQL statements that use a system privilege. You can audit the use of any system privilege.
(a) For example, if you enable AUDIT SELECT ANY TABLE, Oracle Database audits all SELECT tablename statements issued by users who have the SELECT ANY TABLE privilege. This type of auditing is very important for the Sarbanes-Oxley (SOX) Act compliance requirements.
(b) Privilege auditing audits the use of powerful system privileges enabling corresponding actions, such as AUDIT CREATE TABLE.
(c) Privilege auditing does not occur if the action is already permitted by the existing owner and schema object privileges.
(d) Privilege auditing is more focused than statement auditing for the following reasons:
   a. It audits only a specific type of SQL statement, not a related list of statements.
   b. It audits only the use of the target privilege.
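
Statement, object and privilege auditing side by side, with the dictionary queries that confirm each setting and show the resulting records. This is an added example, not code from the workshop; it assumes AUDIT_TRAIL=DB on the target, a session holding the AUDIT SYSTEM and AUDIT ANY privileges, and the HR.EMPLOYEES table and DBA_DEBRA account named on this page.

```sql
-- Added example, not from the workshop.

-- Statement auditing: table DDL by every user, on any table
AUDIT TABLE BY ACCESS;
-- Statement auditing scoped to a selected user (the lab's DBA account)
AUDIT SELECT TABLE BY DBA_DEBRA BY ACCESS;

-- Object auditing: named statements on one schema object.
-- Applies to all users; it cannot be limited to a list of users.
AUDIT SELECT, DELETE ON HR.EMPLOYEES BY ACCESS;

-- Privilege auditing: a record is written only when SELECT ANY TABLE is what
-- permitted the query, not when ownership or an object grant already allowed it
AUDIT SELECT ANY TABLE BY ACCESS;

-- Confirm which options are active
SELECT user_name, audit_option, success, failure FROM dba_stmt_audit_opts;
SELECT user_name, privilege, success, failure FROM dba_priv_audit_opts;
SELECT owner, object_name, sel, del
  FROM dba_obj_audit_opts
 WHERE owner = 'HR' AND object_name = 'EMPLOYEES';

-- Review what was captured in the last hour, newest first.
-- PRIV_USED shows which system privilege (if any) the statement relied on.
SELECT username, action_name, owner, obj_name, priv_used,
       returncode, extended_timestamp
  FROM dba_audit_trail
 WHERE extended_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
 ORDER BY extended_timestamp DESC;
```
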
Understanding Fine-Grained Auditing

Fine-grained auditing (FGA) enables you to create a policy that defines specific conditions that must take place for the audit to occur. For example, fine-grained auditing lets you audit the following types of activities:
(a) An IP address from outside the corporate network being used
(b) A table being accessed between 9 p.m. and 6 a.m. or on Saturday and Sunday
(c) A table column being selected or updated
(d) A value in a table column being modified

A fine-grained audit policy provides granular auditing of select, insert, update, and delete operations.
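
A fine-grained policy combining conditions (b) and (c) above, written with DBMS_FGA. This is an added example, not code from the workshop; it assumes EXECUTE on DBMS_FGA and the HR sample schema, and the policy name EMP_SALARY_OFFHOURS and the SALARY column are assumptions chosen for illustration.

```sql
-- Added example, not from the workshop.
-- Policy name and audited column are hypothetical.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_SALARY_OFFHOURS',
    -- Condition (b): between 9 p.m. and 6 a.m., or on Saturday and Sunday.
    -- The day name is forced to English so the test does not depend on NLS settings.
    audit_condition =>
         q'[TO_CHAR(SYSDATE, 'HH24') >= '21' ]'
      || q'[OR TO_CHAR(SYSDATE, 'HH24') < '06' ]'
      || q'[OR TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH') IN ('SAT', 'SUN')]',
    -- Condition (c): only when this column is selected or updated
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE',
    -- Store records in the database and keep SQL text and bind values
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    enable          => TRUE);
END;
/

-- Confirm the policy is registered and enabled
SELECT policy_name, policy_text, policy_column, enabled, sel, upd
  FROM dba_audit_policies
 WHERE object_schema = 'HR' AND object_name = 'EMPLOYEES';

-- Review the records the policy produced, newest first
SELECT db_user, userhost, policy_name, sql_text, extended_timestamp
  FROM dba_fga_audit_trail
 WHERE policy_name = 'EMP_SALARY_OFFHOURS'
 ORDER BY extended_timestamp DESC;
```
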
Understanding Capture Rules

You can create a capture rule to track changes in the database redo
log files. The capture rule specifies DML and DDL changes that should
be checked when Oracle Database scans the database redo log. You
can apply the capture rule to an individual table, a schema, or globally
to the entire database. Unlike statement, object, privilege, and
fine-grained audit policies, you do not retrieve and activate capture rule
settings from a source database, because you cannot create them
there. You can create the capture rule only in the Audit Vault Console.

LAB EXERCISE 02 REDUCE TIME TO COMPLIANCE USING ORACLE AUDIT VAULT REPORTING
1. Generate a variety of reports available in Audit Vault including:
   i. Data Access Report
   ii. Database Vault Audit Report
   iii. System Management
   iv. Entitlement Snapshot
   v. Compliance Reports

REDUCE TIME TO COMPLIANCE USING ORACLE AUDIT VAULT REPORTING
Once you determine what you need to audit, you will have a better understanding of
which reports are needed to demonstrate compliance with the
various requirements. In this exercise, we will demonstrate how to generate useful
reports for these Database Audit Requirements.

LAB EXERCISE 03 GAIN REAL-TIME DATABASE ACTIVITY MONITORING USING AUDIT VAULT AND DATABASE FIREWALL ALERTING
During this lab you will:
1. Modify the email template for Audit Vault Alerts
2. Add a new Audit Vault Alert Status
3. Create an Audit Vault Alert with the Web Interface
4. Test that the alert is functioning
5. View the near real-time nature of alert functionality

Oracle Audit Vault and Database Firewall
Exercises
LAB CONFIGURATION ORACLE DATABASE FIREWALL
LAB EXERCISE 00 ORACLE DATABASE FIREWALL OVERVIEW
LAB EXERCISE 01 CONFIGURE ORACLE DATABASE FIREWALL TO MONITOR AND PROTECT DATABASES
LAB EXERCISE 02 USE ORACLE DATABASE FIREWALL TO CONFIGURE POLICIES AND BLOCK UNAUTHORIZED TRAFFIC
LAB EXERCISE 03 ORACLE DATABASE FIREWALL GAIN VISIBILITY AND SATISFY REQUIREMENTS THROUGH REPORTING
LAB EXERCISE 04 ORACLE DATABASE FIREWALL USING WHITELISTS TO PREVENT SQL INJECTION ATTACKS

LAB EXERCISE 01 CONFIGURE ORACLE DATABASE FIREWALL TO MONITOR AND PROTECT DATABASES
In this lab exercise, you will accomplish the following:
1. Pair your Firewall with your Audit Vault Server
2. Set up the Firewall to act as a Proxy
3. Create and set up an enforcement point in Oracle Database Firewall
4. Generate simulated database activity on expected authorized traffic
5. Monitor Oracle Database traffic in the Database Firewall Management console
6. Prepare to train the Database Firewall with acceptable and expected behavior
Be sure DB06 is up and running and that you can log into the Audit Vault Server.
Log in to your Firewall as FWADMIN/Oracle123
(Note: The username must be UPPERCASE in the hosted image and LOWERCASE in the VirtualBox machines.)

LAB EXERCISE 02 USE ORACLE DATABASE FIREWALL TO CONFIGURE POLICIES AND BLOCK UNAUTHORIZED TRAFFIC
Developing a policy consists of these main steps:
1. Create a firewall policy in the Audit Vault Server.
2. Design your policy by setting policy actions and rules.
3. Publish the policy to make it available for applying to secured targets.
4. Assign the policy to selected secured targets.

In this lab exercise, you will accomplish the following:
1. Complete an iterative development cycle of the baseline
2. Develop and deploy a Firewall policy
3. Modify and re-deploy the Firewall policy
4. Verify that policy is enforced and ensure that unseen traffic is blocked

LAB EXERCISE 03 ORACLE DATABASE FIREWALL GAIN VISIBILITY AND SATISFY REQUIREMENTS THROUGH REPORTING
In this lab exercise you will accomplish the following:
1. Review Reports that contain only data captured by the Firewall
2. Review Reports that contain both native Audit data and network traffic

LAB EXERCISE 04 ORACLE DATABASE FIREWALL USING WHITELISTS TO PREVENT SQL INJECTION ATTACKS
In this lab exercise you will accomplish the following:
1. Allow Unseen Activity for a New Application to develop the whitelist
2. Update the Whitelist Policy with new activity

HR application Logon
Username: hradmin
Password: abcd1234
Agenda