|Oracle® Audit Vault Administrator's Guide
Part Number E11059-03
An indicator signifying that a particular metric condition has been encountered. An alert is triggered when one of the following conditions is true:
A metric threshold is reached.
The availability of a monitored service changes. For example, the availability of the host changes from up to down.
A metric-specific condition occurs. For example, an alert is triggered whenever an error message is written to a database alert log file.
A rule in an audit policy setting that specifies an audit condition or other abnormal condition that causes an alert to be raised. An alert rule is based on the data in a single audit record.
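The distinction drawn above, that an alert rule is evaluated against one audit record while a metric threshold looks across many, is illustrated by the following added example. It is not code from Oracle Audit Vault; the record field names, the rule names and the sample records are all constructed for this illustration.

```python
"""Evaluate Audit Vault-style alert rules over audit records.

Added example, not Oracle Audit Vault product code. The record fields
(db_user, os_user, action, object, returncode), the rule names and the
sample records are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

AuditRecord = Dict[str, object]


@dataclass
class AlertRule:
    """An alert rule is decided from the data in exactly one audit record."""
    name: str
    severity: str
    condition: Callable[[AuditRecord], bool]


# ORA-01017 (return code 1017) is Oracle's "invalid username/password" error.
ALERT_RULES: List[AlertRule] = [
    AlertRule("failed_logon", "warning",
              lambda r: r["action"] == "LOGON" and r["returncode"] != 0),
    AlertRule("dba_read_of_payroll", "critical",
              lambda r: r["action"] == "SELECT"
              and r["object"] == "HR.PAYROLL"
              and r["db_user"] in {"SYS", "SYSTEM"}),
    AlertRule("privilege_grant", "critical",
              lambda r: r["action"] in {"GRANT ROLE", "GRANT OBJECT"}),
]


def evaluate_record(record: AuditRecord, rules=ALERT_RULES) -> List[str]:
    """Return the names of every alert rule this single record satisfies."""
    return [rule.name for rule in rules if rule.condition(record)]


def failed_logon_threshold(records, threshold: int) -> Dict[str, int]:
    """Metric-threshold alert: count rejected logons per OS user and return
    the users at or above the threshold. Unlike an alert rule, this needs
    many records to decide."""
    counts: Dict[str, int] = {}
    for r in records:
        if r["action"] == "LOGON" and r["returncode"] != 0:
            counts[r["os_user"]] = counts.get(r["os_user"], 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample records (not real audit data).
SAMPLE_RECORDS: List[AuditRecord] = [
    {"db_user": "SCOTT", "os_user": "jdoe", "action": "LOGON", "object": None, "returncode": 1017},
    {"db_user": "SCOTT", "os_user": "jdoe", "action": "LOGON", "object": None, "returncode": 1017},
    {"db_user": "SCOTT", "os_user": "jdoe", "action": "LOGON", "object": None, "returncode": 1017},
    {"db_user": "SCOTT", "os_user": "jdoe", "action": "LOGON", "object": None, "returncode": 0},
    {"db_user": "SYSTEM", "os_user": "oracle", "action": "SELECT", "object": "HR.PAYROLL", "returncode": 0},
    {"db_user": "HR", "os_user": "hr_app", "action": "SELECT", "object": "HR.PAYROLL", "returncode": 0},
    {"db_user": "SYSTEM", "os_user": "oracle", "action": "GRANT ROLE", "object": "DBA", "returncode": 0},
]


def raise_alerts(records=SAMPLE_RECORDS) -> List[Tuple[str, AuditRecord]]:
    """Return (rule_name, record) for every alert raised across the records."""
    return [(name, r) for r in records for name in evaluate_record(r)]


if __name__ == "__main__":
    for name, r in raise_alerts():
        print(f"ALERT {name}: user={r['db_user']} action={r['action']} object={r['object']}")
    print("users over failed-logon threshold:", failed_logon_threshold(SAMPLE_RECORDS, 3))
```

The HR application user reading HR.PAYROLL raises nothing, because the rule keys on the privileged account, not on the table alone; the same record set drives both the per-record rules and the threshold metric.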
The database instance running on a computer. Because multiple instances of databases can run on the same computer, there may be multiple sources.
The audit data source consists of databases, applications, or systems that generate audit data. In the current release of Oracle Audit Vault, audit data sources are Oracle Database instances and Microsoft SQL Server database instances; these can run on the same or on different computers, so a single computer can host multiple sources. Audit data from different sources arrives in a variety of audit formats. Each audit source is categorized by its source type, a class of audit sources that share the same audit formats, audit events, and collection mechanisms. For example, Oracle Database audit sources form one source type and are served by a DBAUD collector, an OSAUD collector, and a REDO collector; all Oracle Database 10g audit sources must have these collectors. Microsoft SQL Server database audit sources must have an MSSQLDB collector.
A data store within Audit Vault that holds a translated or processed subset of the raw audit data store, selected for the analysis that audit administrators perform and from which administrative and custom reports are generated.
See also data warehouse.
A rule in an audit setting that specifies the action to be audited, for example, a logon attempt or a user accessing a table.
A set of rules that specifies which audit events should be collected in Audit Vault, and how each audit event should be evaluated after it is inserted into the raw audit data store. The types of rules in an audit setting are alert rules, audit rules, and capture rules. Two or more sets of rules can be combined into what is known as a composite audit setting.
A user granted the AV_ADMIN role. This user configures and manages collectors, collection agents, and warehouse settings and scheduling. This user also configures sources, enables and disables systemwide alerts, views audit event categories, and monitors audit errors.
A user granted the AV_AGENT role. This user must exist before the Audit Vault Collection Agent is installed, and therefore before a collection agent is added to Audit Vault and initialized.
A user granted the AV_ARCHIVER role. This is an internal user role used to run back-end archiving jobs.
A user granted the AV_AUDITOR role. This user monitors audit event categories for alert activity to detect security risks, creates detail and summary reports of events across systems, and manages the reports. This user also manages audit policies that include creating alerts and evaluating alert scenarios, and managing audit settings. This user can use the data warehouse services to further analyze the audit data to assist in looking for trends, intrusions, anomalies, and other items of interest.
A user granted the AV_SOURCE role. This user is automatically created when a source is registered (added) to Audit Vault. This user is used to connect to the source and to set up the source's collectors.
Audit Vault Configuration Assistant. A command-line utility that enables the Audit Vault administrator to manage various Oracle Audit Vault components, manage collection agents (add/alter/drop), secure communication between the Audit Vault Server and Audit Vault Collection Agent, set warehouse scheduling and audit data retention settings, and as needed create a wallet and certificates on the collection agent.
Audit Vault Control. A command-line utility that enables the Audit Vault administrator granted the AV_ADMIN role to manage Audit Vault components, such as collection agents (start/stop/show status), collectors (start/stop/show status), Audit Vault Console (start/stop), and collection agent OC4J (start/stop).
Audit Vault Microsoft SQL Server Database. A command-line utility that configures sources (add/alter/drop) and collectors (add/alter/drop), verifies that the source is compatible with its collector, sets up the source user credentials and the database alias for the source user in the wallet, and verifies the connection to the source using the wallet.
Audit Vault Oracle Database. A command-line utility that configures sources (add/alter/drop) and collectors (add/alter/drop), verifies that the source is compatible with its collector, sets up the source user credentials and the database alias for the source user in the wallet, and verifies the connection to the source using the wallet.
A rule in an audit policy setting that specifies an audit event that is sent to Audit Vault.
A digitally signed statement by a Certificate Authority (CA) asserting that the identity of an entity has been certified. When an entity requests certification, the CA verifies its identity and issues a certificate signed with the CA's private key. Verifying that signature with the CA's public key establishes both the integrity of the certificate, meaning its data has not been modified or tampered with, and its authenticity, meaning the data indeed comes from the entity claiming to have created and signed it.
A digital identification of an entity that contains the following:
SSL public key of the server
Information about the server
Digital signature by the issuer of the certificate, used to verify the authenticity of the certificate
A process within which collectors run. A collection agent sets up the connection between the collector and the audit service and interacts with the management service to manage and monitor collectors. An example of a collection agent is the Oracle collection agent within which run the collectors for Oracle Database OS audit logs (OSAUD), Oracle Database DB audit logs (DBAUD), Oracle Database redo logs (REDO), and Microsoft SQL Server database audit logs (MSSQLDB).
A component that collects audit data for a source and sends the audit records to Audit Vault. Audit Vault uses the DBAUD collector for database audit trail tables, the OSAUD collector for operating system audit files and for Windows event logs, the REDO collector for Oracle Database logical change records (LCRs) extracted from redo logs, and the MSSQLDB collector for Microsoft SQL Server database audit trails.
See audit setting.
The Audit Vault metadata stored within Audit Vault that describes how to process and control the audit data as it passes through the Audit Vault system.
A relational database that is designed for query and analysis rather than transaction processing. A data warehouse usually contains historical data that is derived from transaction data, but it can include data from other sources. It separates analysis workload from transaction workload and enables a business to consolidate data from several sources.
See also audit data warehouse.
Oracle Database DB audit log collector. This collector converts Oracle Database SYS.AUD$ table rows and Oracle Database Vault audit trail DVSYS.AUDIT_TRAIL$ table rows into audit records. The DBAUD collector belongs to the ORCLDB_DBAUD collector type.
A table in a star schema that contains facts. A fact table typically has two types of columns: those that contain facts and those that are foreign keys to dimension tables. The primary key of a fact table is usually a composite key that is made up of all of its foreign keys.
A fact table might contain either detail level facts or facts that have been aggregated (fact tables that contain aggregated facts are often instead called summary tables). A fact table usually contains facts with the same level of aggregation.
Hypertext Transfer Protocol, Secure. The use of Secure Sockets Layer (SSL) as a sublayer under the regular HTTP application layer.
A repository that includes the following:
Certificates identifying trusted entities. When a key store contains only certificates of trusted entities, it can be called a trust store.
Private-key and the matching certificate. This certificate is sent as a response to SSL authentication challenges.
A key and certificate management utility used by Audit Vault, located at $ORACLE_HOME/jdk/bin/keytool, for generating the key store. With a key store and certificate in place at the Audit Vault Collection Agent, an Audit Vault administrator can issue an AVCA secure_av command on the Audit Vault Server to secure Audit Vault communications by enabling mutual authentication with the Audit Vault Collection Agent. Likewise, an Audit Vault administrator can issue an AVCA secure_agent command to enable mutual authentication with the Audit Vault Server. The utility lets users administer their own public/private key pairs and associated certificates, either for self-authentication (proving their own identity to other users or services) or for data integrity and authentication services that rely on digital signatures.
A logical change record. This is a message with a specific format that describes a database change.
Microsoft SQL Server Database audit log collector. This collector extracts and collects audit records for Microsoft SQL Server 2000 and SQL Server 2005 databases (Windows platforms) from the Windows event logs, server-side traces, and C2 auditing logs. The MSSQLDB collector belongs to the MSSQLDB collector type.
See DBAUD collector.
See OSAUD collector.
See REDO collector.
Oracle Database OS audit log collector. This collector parses operating system (OS) log file entries into audit records. The OSAUD collector belongs to the ORCLDB_OSAUD collector type.
On Windows, the OS audit trail is the Windows event log if the AUDIT_TRAIL parameter is set to OS, or an XML file if the AUDIT_TRAIL parameter is set to XML. The OSAUD collector automatically extracts and collects audit records from either audit trail.
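The following added example shows the kind of parsing the OSAUD collector performs on an XML audit trail: turning the per-record XML elements into normalized audit records with typed fields. It is not the collector's own code. The XML is a constructed sample modelled on the layout of an Oracle XML audit trail file; the element names, namespace URI and the two action-code mappings are assumptions made for this example, not a specification.

```python
"""Parse Oracle XML audit-trail entries into normalized audit records.

Added example, not Oracle Audit Vault's OSAUD collector. SAMPLE_XML is a
constructed sample modelled on an Oracle XML audit trail file; the element
names and namespace used here are assumptions for this illustration.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Audit xmlns="http://xmlns.oracle.com/oracleas/schema/dbserver_audittrail-10_2.xsd">
 <Version>10.2</Version>
 <AuditRecord>
  <Audit_Type>1</Audit_Type>
  <Session_Id>4711</Session_Id>
  <EntryId>1</EntryId>
  <Extended_Timestamp>2008-03-10T09:15:02.123456Z</Extended_Timestamp>
  <DB_User>SCOTT</DB_User>
  <OS_User>jdoe</OS_User>
  <Userhost>ws-17.example.com</Userhost>
  <Action>100</Action>
  <Returncode>1017</Returncode>
 </AuditRecord>
 <AuditRecord>
  <Audit_Type>1</Audit_Type>
  <Session_Id>4712</Session_Id>
  <EntryId>1</EntryId>
  <Extended_Timestamp>2008-03-10T09:16:40.000001Z</Extended_Timestamp>
  <DB_User>SYSTEM</DB_User>
  <OS_User>oracle</OS_User>
  <Userhost>dbhost1</Userhost>
  <Object_Schema>HR</Object_Schema>
  <Object_Name>PAYROLL</Object_Name>
  <Action>3</Action>
  <Returncode>0</Returncode>
 </AuditRecord>
</Audit>
"""

# Only the two action codes used in the sample are mapped here
# (3 = SELECT, 100 = LOGON); anything else is kept as ACTION_<code>.
ACTION_NAMES = {3: "SELECT", 100: "LOGON"}


def _local(tag: str) -> str:
    """Strip the XML namespace so lookups do not depend on the schema version."""
    return tag.rsplit("}", 1)[-1]


def parse_audit_xml(xml_text: str) -> List[Dict[str, object]]:
    """Return one dict per <AuditRecord>, with numeric fields converted."""
    root = ET.fromstring(xml_text)
    records: List[Dict[str, object]] = []
    for elem in root:
        if _local(elem.tag) != "AuditRecord":
            continue  # skip <Version> and any unknown top-level element
        raw = {_local(child.tag): (child.text or "").strip() for child in elem}
        action = int(raw.get("Action", "0"))
        obj = None
        if "Object_Name" in raw:
            obj = f"{raw.get('Object_Schema', '')}.{raw['Object_Name']}".lstrip(".")
        returncode = int(raw.get("Returncode", "0"))
        records.append({
            "session_id": int(raw["Session_Id"]),
            "timestamp": raw.get("Extended_Timestamp"),
            "db_user": raw.get("DB_User"),
            "os_user": raw.get("OS_User"),
            "userhost": raw.get("Userhost"),
            "action": ACTION_NAMES.get(action, f"ACTION_{action}"),
            "object": obj,
            "returncode": returncode,
            "success": returncode == 0,
        })
    return records


def failed_logons(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Records describing a rejected LOGON, i.e. a non-zero return code."""
    return [r for r in records if r["action"] == "LOGON" and not r["success"]]


if __name__ == "__main__":
    parsed = parse_audit_xml(SAMPLE_XML)
    for record in parsed:
        print(record)
    print("failed logons by:", [r["db_user"] for r in failed_logons(parsed)])
```

Stripping the namespace before matching element names keeps the parser working across schema versions, and converting Returncode to an integer up front lets later alert rules test success or failure without string comparisons.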
A public key infrastructure. This information security technology uses the principles of public key cryptography. Public key cryptography encrypts, decrypts, signs, and verifies information using a mathematically related pair of keys: a public key that can be distributed openly and a private key that its owner keeps secret. A PKI binds public keys to identities through certificates and so provides for secure, private communication over networks that are not themselves trusted.
The sole repository of Audit Vault. It stores unprocessed audit data in partitioned tables based on time stamp, and in unpartitioned tables based on source ID.
Oracle Database redo log collector. This collector translates logical change records (LCRs) into audit records. The REDO collector belongs to the ORCLDB_REDO collector type.
A data warehouse to which the Administrator user role has greatly reduced access. It contains Audit Vault audit data for query and analysis.
Traditionally, a tall, cylindrical tower used to store grain or fodder on a farm. In information management, a silo system is vertical, isolated, independent, and incapable of reciprocal operations with other, related management systems. The result of this independence and isolation is that multiple versions of the same data are stored.
A relational schema whose design represents a multidimensional data model. The star schema consists of one or more fact tables and one or more dimension tables that are related through foreign keys.
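The fact table and star schema entries above are made concrete by the following added example, which builds a tiny audit warehouse in SQLite: three dimension tables, a fact table whose primary key is the composite of all its foreign keys and whose other columns are measures, and a summary query that joins the star. It is not the Oracle Audit Vault warehouse schema; the table and column names are assumptions chosen for illustration, and the events loaded are constructed sample data.

```python
"""A minimal audit star schema in SQLite.

Added example, not the Oracle Audit Vault warehouse schema. Table and
column names are assumptions chosen for illustration; SAMPLE_EVENTS is
constructed sample data, not real audit records.
"""
import sqlite3
from typing import Dict, List, Tuple

SCHEMA = """
CREATE TABLE dim_time (
    time_key INTEGER PRIMARY KEY,
    day      TEXT    NOT NULL,
    hour     INTEGER NOT NULL,
    UNIQUE (day, hour)
);
CREATE TABLE dim_user   (user_key   INTEGER PRIMARY KEY, db_user     TEXT NOT NULL UNIQUE);
CREATE TABLE dim_source (source_key INTEGER PRIMARY KEY, source_name TEXT NOT NULL UNIQUE);
-- Fact table: every non-key column is a measure, and the primary key is
-- the composite of all foreign keys to the dimension tables.
CREATE TABLE fact_audit_event (
    time_key      INTEGER NOT NULL REFERENCES dim_time(time_key),
    user_key      INTEGER NOT NULL REFERENCES dim_user(user_key),
    source_key    INTEGER NOT NULL REFERENCES dim_source(source_key),
    event_count   INTEGER NOT NULL,
    failure_count INTEGER NOT NULL,
    PRIMARY KEY (time_key, user_key, source_key)
);
"""

# Constructed detail-level events: (day, hour, db_user, source_name, returncode).
SAMPLE_EVENTS: List[Tuple[str, int, str, str, int]] = [
    ("2008-03-10", 9, "SCOTT", "orcl_hr", 1017),
    ("2008-03-10", 9, "SCOTT", "orcl_hr", 1017),
    ("2008-03-10", 9, "SCOTT", "orcl_hr", 0),
    ("2008-03-10", 9, "SYSTEM", "orcl_hr", 0),
    ("2008-03-10", 10, "SCOTT", "orcl_hr", 0),
    ("2008-03-10", 10, "sa", "mssql_fin", 18456),
]


def build_warehouse(events=SAMPLE_EVENTS) -> sqlite3.Connection:
    """Create the star, populate the dimensions, and load the fact table
    aggregated to the (time, user, source) grain."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    grain: Dict[Tuple[int, int, int], List[int]] = {}
    for day, hour, user, source, returncode in events:
        con.execute("INSERT OR IGNORE INTO dim_time(day, hour) VALUES (?, ?)", (day, hour))
        con.execute("INSERT OR IGNORE INTO dim_user(db_user) VALUES (?)", (user,))
        con.execute("INSERT OR IGNORE INTO dim_source(source_name) VALUES (?)", (source,))
        tk = con.execute("SELECT time_key FROM dim_time WHERE day = ? AND hour = ?", (day, hour)).fetchone()[0]
        uk = con.execute("SELECT user_key FROM dim_user WHERE db_user = ?", (user,)).fetchone()[0]
        sk = con.execute("SELECT source_key FROM dim_source WHERE source_name = ?", (source,)).fetchone()[0]
        measures = grain.setdefault((tk, uk, sk), [0, 0])
        measures[0] += 1                      # event_count
        measures[1] += 1 if returncode != 0 else 0  # failure_count
    con.executemany(
        "INSERT INTO fact_audit_event VALUES (?, ?, ?, ?, ?)",
        [(tk, uk, sk, n, fails) for (tk, uk, sk), (n, fails) in grain.items()],
    )
    con.commit()
    return con


def fact_row_count(con: sqlite3.Connection) -> int:
    """One fact row per distinct (time, user, source) combination."""
    return con.execute("SELECT COUNT(*) FROM fact_audit_event").fetchone()[0]


def failures_by_user(con: sqlite3.Connection) -> List[Tuple[str, int, int]]:
    """Summary query across the star: join the fact to its user dimension
    and roll the measures up per database user."""
    rows = con.execute("""
        SELECT u.db_user, SUM(f.event_count), SUM(f.failure_count)
        FROM fact_audit_event f
        JOIN dim_user u ON u.user_key = f.user_key
        GROUP BY u.db_user
        ORDER BY SUM(f.failure_count) DESC, u.db_user
    """).fetchall()
    return [(user, int(total), int(fails)) for user, total, fails in rows]


if __name__ == "__main__":
    connection = build_warehouse()
    print("fact rows:", fact_row_count(connection))
    for db_user, total, fails in failures_by_user(connection):
        print(f"{db_user:8} events={total} failures={fails}")
```

Six detail events collapse to four fact rows because the fact table is stored at an aggregated grain; the summary query then answers a question the raw records would require a full scan for, which is the separation of analysis workload from transaction workload that the data warehouse entry describes.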
See key store.