S317045
Real-World Deployment and Best Practices with Oracle Audit Vault
Tammy Bednar, Sr. Principal Product Manager, Oracle
Mike McClure, Sr. Database Administrator, Amazon
Program Agenda
Why Audit?
Oracle Audit Vault Reports
Implementing Audit Vault at Amazon
Best Practices
Q&A
Why Audit?
It's all about protecting sensitive data, maintaining customer trust, and protecting the business
Trust-but-verify that your employees are only performing operations required by the business
Detective controls to monitor what is really going on
Reduce the curiosity seekers from looking at data
Compliance demands that privileged users be monitored
Know what is going on before others tell you
[Diagram labels: HR Data, CRM Data, ERP Data, Audit Data, Databases, Alerts, Built-in Reports, Custom Reports, Policies, Auditor]
Versions
Audit Locations
Oracle Database
IBM DB2
Sybase ASE
12.5.4 - 15.0.x
10.2.2
10.2.3
10.2.3.2
Audit Vault at Amazon
Michael McClure
Database Administrator, Global Financial Systems
Amazon.com
Auditing Challenges
We have lots of different RDBMS systems; they all audit differently
Policies/mechanisms for auditing are different across the organization
Dealing with our audit data
Watching the watchers: who do you trust?
Concerns
1. Performance / Impact
2. Resource utilization
3. Scalability
4. Fault Tolerance / BCP / DR
Generation
1. audit_trail = db*
2. audit_trail = xml*
3. redo
Collection
1.
2.
3.
Listener.ora
1.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>)(PORT = 1521))
    )
  )
2.
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>)(PORT = 5707))
      (Presentation = HTTP)(Session = RAW)
    )
SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = PLSExtProc)
      (ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
      (PROGRAM = extproc)
    )
    (SID_DESC =
      (SID_NAME = <YOUR DBNAME>)
      (ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
      (GLOBAL_DBNAME = <sid>.<domain>)
    )
  )
Validate that Audit Vault works on the standby AV Server by logging into the application and looking around.
Shut down the Audit Vault server application.
Delete the database from the standby machine.
Bring over the init.ora and listener.ora modifications in Slide #15 to the standby, but change the machine name to that of the standby server.
Bring over the password file from the primary.
Restore a backup of your AV primary to your standby server and create a standby controlfile for it.
Start up managed recovery.
Implement FSFO.
Validate that FSFO is working and the AV Web Application is working.
Turn Database Vault back on.
Troubleshoot in-house scripts that break as a result of Database Vault being turned back on.
1. Get local collection working on the source database server following the Audit Vault documentation.
2. Using avca on the AV Server, add a new agent mapped to the primary collector server(s).
3. Run the OUI to install the Audit Vault Agent software on each primary remote collector, providing the new agent created in Step #2 to the installation dialog.
4. Using avorcldb on the AV Server, add a new source using the flip-tolerant host name.
5. Using avorcldb on the AV Server, add new collectors for the source created in #4 tied to the agents created in #3.
6. Using avorcldb on the remote collector server, run setup to create the wallet and tnsnames entries for passwordless connection from the primary remote collector to the source db.
7. Modify the source db tnsnames.ora entry created in #7 to change the source db entry from the flip-tolerant host name to the node-specific host name.
8. If audit_trail = xml*, create identical audit trail directories on the remote collector.
9. If doing XML generation, sync the audit trail directories created in Step #6 between the source db server and the remote collector, and create a job to sync them regularly.
10. Stop the collectors created in Step #1, start up the newly modified collector, and validate that it is collecting the synced files.
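The directory sync job from the XML steps of the procedure above, as an added example that is not part of the original slides. It assumes the source database's XML audit directory is readable on the collector host as a local path (for example through a read-only network mount); the function name sync_audit_dir and the paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example: one-way sync of XML audit trail files to the remote collector.
# Hypothetical cron entry (paths are placeholders, not from the slides):
#   */5 * * * * /usr/local/bin/sync_audit.sh /mnt/srcdb_audit /u01/audit_copy

# sync_audit_dir SRC DST
# Copies new or changed *.xml files from SRC to DST and prints the number of
# files copied. Nothing is ever deleted from DST, so cleanup on the source
# does not remove records the collector has not read yet.
sync_audit_dir() {
    src=$1
    dst=$2
    copied=0
    [ -d "$src" ] || { echo "source directory missing: $src" >&2; return 2; }
    mkdir -p "$dst" || return 2
    for f in "$src"/*.xml; do
        [ -f "$f" ] || continue          # glob matched nothing
        name=${f##*/}
        # Skip files that are already byte-identical on the collector.
        if [ -f "$dst/$name" ] && cmp -s "$f" "$dst/$name"; then
            continue
        fi
        # Copy under a hidden temporary name, then rename in place, so a
        # process reading DST never sees a partially written audit file.
        tmp="$dst/.$name.tmp.$$"
        if cp -p "$f" "$tmp" && mv -f "$tmp" "$dst/$name"; then
            copied=$((copied + 1))
        else
            rm -f "$tmp"
            echo "failed to copy $f" >&2
            return 1
        fi
    done
    echo "$copied"
}
```

A file the database is still appending to differs from its copy on the next run and is copied again in full.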
Conclusion
Best Practices
Database
Audit Requirements
SOX
PCI DSS
HIPAA/HITECH
Basel II
FISMA
GLBA
Native Auditing Performance Guidelines
Original workload: CPU 50% for 250 audit records/sec

Audit Trail Setting    Additional Throughput Time
OS                     1.39%                         1.75%
XML                    1.70%                         3.51%
XML, Extended          3.70%                         5.36%
DB                     4.57%                         8.77%
DB, Extended           14.09%                        15.79%

*Internal testing: Source: 4x 3.40 GHz Intel Xeons, 4 GB RAM, x86_64 Linux, Oracle Database 11.2.0.1
Oracle Confidential
Database
1) Transfer audit trail data
3) Delete older audit records
Access Control
Oracle Database Vault
Oracle Label Security
MS 103
Tuesday:
12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault
MS 306
2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security
2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security
3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight
5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault
MS 303
MS 300
MS 304
MS 300
Wednesday:
10:00 am: Protect Data and Save Money: Aberdeen
MS 306
11:30 am: Preventing Database Attacks With Oracle Database Firewall
MS 306
4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security
MS 306
Thursday:
10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris
MS 104
MS = Moscone South
Tuesday:
Database Security 11:00AM | Marriott Marquis, Salon 10 / 11
Thursday
Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11
Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11
Tuesday, September 21
Wednesday, September 22
Oracle OpenWorld
Oracle OpenWorld
Beijing 2010
December 13-16, 2010
Oracle Store
Buy Oracle license and support
online today at
oracle.com/store