S317045 Real-World Deployment and Best Practices with Oracle Audit Vault
Tammy Bednar, Sr. Principal Product Manager, Oracle
Mike McClure, Sr. Database Administrator, Amazon
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda
Why Audit?
Oracle Audit Vault
Reports
Implementing Audit Vault at Amazon
Best Practices
Q&A
Why Audit?
It's all about protecting sensitive data, maintaining customer trust, and protecting the business
Trust-but-verify that your employees are only performing operations required by the business
Detective controls to monitor what is really going on
Reduce the curiosity seekers from looking at data
Compliance demands that privileged users be monitored
Know what is going on before others tell you
[Diagram labels: Audit Data; CRM Data; ERP Data; Databases; Auditor]
Consolidate audit data into secure repository
Detect and alert on suspicious activities
Out-of-the-box compliance reporting
Any of the Audit Vault reports can be scheduled to run automatically and archived in the Audit Vault repository for viewing, printing, emailing, and attestation
Versions
Oracle Database 9iR2, Oracle Database 10g, Oracle Database 11g
Audit Locations
Audit Tables for standard and fine-grained auditing
Oracle audit trail from OS files written in XML, text file, or SYSLOG
Before/after values and DDL changes from redo log
Database Vault specific audit records
Server side trace set specific audit event
Windows event audit specific events viewed by Windows Event Viewer
C2 - automatically sets all auditable events
Binary OS files written by the audit facility
Sybsecurity database tables
10.2.2
10.2.3
10.2.3.2
Michael McClure
Database Administrator Global Financial Systems Amazon.com
Why Audit Vault?
Reduce Cost/Increase efficiency related to S-Ox, HIPAA, PCI/DSS+ and other compliance reporting
Cross Database compatibility
Separation of Duties
More efficient audit policy management
Catch the Big Bad Wolf
Auditing Challenges
We have lots of different RDBMS systems; they all audit differently
Policies/mechanisms for auditing are different across the organization
Dealing with our audit data
Watching the watchers: who do you trust?
Concerns
1. Performance / Impact
2. Resource utilization
3. Scalability
4. Fault Tolerance / BCP / DR
Generation
1. audit_trail = db*
2. audit_trail = xml*
3. redo
Collection
1. DBAUD Collector
2. OSAUD Collector
3. REDO Collector
1. Shut down the database
2. Recompile the oracle executable with Database Vault off:
       cd $ORACLE_HOME/rdbms/lib
       make -f ins_rdbms.mk dv_off
       cd $ORACLE_HOME/bin
       relink oracle
3. Start up the database
1. Force logging at the database level:
       SQL> alter database force logging;
2. Force logging for each tablespace:
       SQL> select 'alter tablespace ' || tablespace_name || ' force logging;'
              from dba_tablespaces
             where contents = 'PERMANENT';
Listener.ora
1. LISTENER =
     (DESCRIPTION_LIST =
       (DESCRIPTION =
         (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
         (ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>)(PORT = 1521))
       )
       (DESCRIPTION =
         (ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>)(PORT = 5707))
         (Presentation=HTTP)(Session=RAW)
       )
     )
2. SID_LIST_LISTENER =
     (SID_LIST =
       (SID_DESC =
         (SID_NAME = PLSExtProc)
         (ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
         (PROGRAM = extproc)
       )
     )
1. Get local collection working on the source database server following the Audit Vault documentation.
2. Using avca on the AV Server, add a new agent mapped to the primary collector server(s).
3. Run the OUI to install the Audit Vault Agent software on each primary remote collector, providing the new agent created in Step #2 to the installation dialog.
4. Using avorcldb on the AV Server, add a new source using the flip-tolerant host name.
5. Using avorcldb on the AV Server, add new collectors for the source created in #4 tied to the agents created in #3.
6. Using avorcldb on the remote collector server, run setup to create the wallet and tnsnames entries for passwordless connection from the primary remote collector to the source db.
7. Modify the source db tnsnames.ora entry created in #7 to change the source db entry from the flip-tolerant host name to the node specific host name.
8. If audit_trail = xml*, create identical audit trail directories on the remote collector.
9. If doing XML generation, sync the audit trail directories created in Step #6 between the source db server and the remote collector, and create a job to sync them regularly.
10. Stop the collectors created in Step #1, start up the newly modified collector, and validate that it is collecting the synced files.
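An added example, not part of the presentation: one way to script the sync-and-validate part of steps 9 and 10 in shell. The use of rsync with a SHA-256 manifest is an assumption, and the host name, directory paths, script path and schedule are placeholders.

```shell
#!/bin/sh
# Added example. Paths, host name and schedule below are placeholders.
# Hypothetical cron entry on the remote collector (every 5 minutes):
#   */5 * * * * /usr/local/bin/sync_audit_trail.sh

# audit_manifest DIR
# Print one "sha256  ./name" line per file in DIR, sorted by name. Run it on
# the source db server (for example through ssh) and keep the output.
audit_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# sync_audit_dir SRC DST
# Copy new and changed files from SRC to DST. SRC may be an rsync remote
# such as oracle@dbhost:/path (placeholder). Nothing is deleted from DST, so
# the collector never loses a file it has not read yet.
sync_audit_dir() {
    mkdir -p "$2" || return 1
    if command -v rsync >/dev/null 2>&1; then
        rsync -a "$1"/ "$2"/
    else
        cp -Rp "$1"/. "$2"/    # fallback for local directories only
    fi
}

# verify_audit_copy MANIFEST DST
# Return 0 only if every file listed in MANIFEST exists in DST with the same
# checksum. Files that are missing or differ are printed.
verify_audit_copy() {
    case $1 in
        /*) vac_manifest=$1 ;;
        *)  vac_manifest=$PWD/$1 ;;
    esac
    [ -d "$2" ] || return 1
    [ -s "$vac_manifest" ] || return 0    # empty source directory
    # sha256sum -c prints "name: OK" for good files; anything else is a problem.
    ! ( cd "$2" && sha256sum -c "$vac_manifest" 2>/dev/null ) | grep -v ': OK$'
}
```

An audit file that an active session is still writing can fail verification until the next sync pass copies its latest contents.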
Conclusion
In a world of compliance auditing, life can be easy or it can be hard
Audit data is just as important as production data and should be treated as such
In some ways, the stakes are higher: If we mess up, market cap plummets, companies fail and people go to jail. How Big a Gambler are YOU?
Oracle Audit Vault with Dataguard/FSFO and remote collection is a high performance, low impact, highly available solution that makes compliance reporting easy.
Best Practices
SOX
PCI DSS
HIPAA/ HITECH
Basel II
FISMA
GLBA
Native Auditing
Performance Guidelines
Original workload CPU 50% for 250 audit records/sec

Audit Trail Setting    Additional Throughput Time    Additional CPU Usage
OS                     1.39%                         1.75%
XML                    1.70%                         3.51%
XML, Extended          3.70%                         5.36%
DB                     4.57%                         8.77%
DB, Extended           14.09%                        15.79%

*Internal testing: Source: 4x 3.40 GHz Intel Xeons, 4 GB RAM, x86_64 Linux, Oracle Database 11.2.0.1
Oracle Confidential
Access Control
Oracle Database Vault
Oracle Label Security
Tuesday:
12:30 pm: Real-World Deployment and Best Practices: Oracle Audit Vault
2:00 pm: Real-World Deployment and Best Practices: Oracle Advanced Security
2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security
3:30 pm: Database Security Event Management: Oracle Audit Vault and ArcSight
5:00 pm: Real-World Deployment and Best Practices: Oracle Database Vault
Wednesday:
10:00 am: Protect Data and Save Money: Aberdeen
11:30 am: Preventing Database Attacks With Oracle Database Firewall
4:45 pm: Centralized Key Management and Performance: Oracle Advanced Security
Thursday:
10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris
MS = Moscone South
Check Availability
Monday, September 20
Tuesday, September 21
Wednesday, September 22
Oracle OpenWorld
Oracle OpenWorld
Beijing 2010
December 13-16, 2010
Oracle Store
Buy Oracle license and support online today at oracle.com/store