Oracle® Audit Vault Administrator's Guide
Part Number E13841-02
An indicator signifying that a particular metric condition has been encountered. The following conditions trigger alerts:
A metric threshold is reached.
The availability of a monitored service changes. For example, the availability of the host changes from up to down.
A metric-specific condition occurs. For example, an error message is written to a database alert log file.
A rule in an audit policy setting that specifies an audit condition or other abnormal condition that raises an alert. An alert rule is based on the data in a single audit record.
audit data source
See source database.
A data store within Oracle Audit Vault that stores processed audit data from the raw audit data store. Auditors can access this data by generating the Oracle Audit Vault reports.
See also data warehouse.
A rule in an audit setting that specifies the action to be audited (for example, a logon attempt or a user accessing a table).
A set of rules that specifies which audit events should be collected in Oracle Audit Vault, and how each audit event should be evaluated after it is inserted into the raw audit data store. The types of rules in an audit setting include alert rules, audit rules, and capture rules. An audit setting can be composed of two or more sets of rules known as a composite audit setting.
A user granted the AV_ADMIN role, and the audience for this manual. This user configures and manages collectors, collection agents, and warehouse settings and scheduling. This user also configures sources, enables and disables systemwide alerts, views audit event categories, and monitors audit errors.
A user granted the AV_AUDITOR role. This user monitors audit event categories for alert activity to detect security risks, creates detail and summary reports of events across systems, and manages the reports. This user also manages audit policies that create alerts and evaluate alert scenarios, and manages audit settings. This user can use the data warehouse services to further review the audit data and look for trends, intrusions, anomalies, and other items of interest. See Oracle Audit Vault Auditor's Guide for more information about the auditor's duties.
Audit Vault Configuration Assistant, a command-line utility that you use to manage various Oracle Audit Vault components, manage collection agents (adding, altering, or dropping), secure communication between the Audit Vault Server and Audit Vault collection agent, set warehouse scheduling and audit data retention settings, and create a wallet and certificates for the collection agent, as needed. See Chapter 6, "Audit Vault Configuration Assistant (AVCA) Reference," for more information.
Audit Vault Control, a command-line utility that you use to manage the Oracle Audit Vault components, such as starting and stopping collection agents, collectors, the Audit Vault Console, and OC4J. See Chapter 7, "Audit Vault Control (AVCTL) Reference," for more information.
Audit Vault IBM DB2 Database (AVDB2DB)
Audit Vault IBM DB2 Database, a command-line utility that you use to configure Oracle Audit Vault to retrieve audit data from an IBM DB2 database. The process entails adding the source database and configuring the DB2DB collector. See Chapter 11, "Audit Vault IBM DB2 (AVDB2DB) Utility Commands," for more information.
Audit Vault Microsoft SQL Server Database, a command-line utility that you use to configure Oracle Audit Vault to retrieve audit data from a SQL Server database. The configuration process entails adding the source database and configuring the MSSQLDB collector. See Chapter 9, "Audit Vault Microsoft SQL Server (AVMSSQLDB) Utility Commands," for more information.
Audit Vault Oracle Database, a command-line utility that you use to configure Oracle Audit Vault to retrieve audit data from an Oracle database. The configuration process entails adding the source database and configuring the appropriate collector (DBAUD collector, OSAUD collector, or REDO collector). See Chapter 8, "Audit Vault Oracle Database (AVORCLDB) Utility Commands," for more information.
Oracle Audit Vault Sybase ASE Database, a command-line utility that you use to configure Oracle Audit Vault to retrieve audit data from a Sybase ASE database. The configuration process entails adding the source database and configuring the SYBDB collector. See Chapter 10, "Audit Vault Sybase ASE (AVSYBDB) Utility Commands," for more information.
A rule in an audit policy setting that specifies an audit event that is sent to Oracle Audit Vault.
A digitally signed statement by a certificate authority (CA), saying that it has certified the identity of an entity in some way. Upon request, the CA verifies the identity of the entity, and signs and grants a certificate, with a private key. This indicates that the certificate has been checked for data integrity and authenticity, where integrity means that data has not been modified or tampered with, and authenticity means that data comes from the entity claiming to have created and signed it.
A certificate is a digital identification of an entity that contains the following:
SSL public key of the server
Information about the server
Digital signature by the issuer of the certificate, used to verify the authenticity of the certificate
A process in which collectors run. A collection agent defines the connection between the collector and the audit service, and interacts with the management service to manage and monitor collectors. See Section 1.3.3 for detailed information about collection agents.
A component that collects audit data for a source and sends the audit records to Audit Vault. Each of the supported source database products has one or more associated collectors. See Table 1-4 for detailed information about the available collectors.
See audit setting.
The Oracle Audit Vault metadata (stored within Oracle Audit Vault) that describes how to process and control the audit data as it passes through the Oracle Audit Vault system.
A relational database that is designed for query and analysis rather than transaction processing. A data warehouse usually contains historical data that is derived from transaction data, but it can include data from other sources. It separates the analysis workload from the transaction workload and enables a business to consolidate data from several sources. In Oracle Audit Vault, the data warehouse stores audit data that has been inserted into the data warehouse tables. From there, an Oracle Audit Vault auditor can see this data by generating the Oracle Audit Vault reports. See Oracle Audit Vault Auditor's Guide for more information.
IBM DB2 audit log collector. This collector extracts and collects IBM DB2 (releases 8 and 9.5) audit records from the audit trail logged in the ASCII text files generated by the source database. The DB2DB collector belongs to the DB2DB collector type.
Oracle Database DB audit log collector. This collector collects audit data from the Oracle Database SYS.AUD$ table and the Oracle Database Vault audit trail DVSYS.AUDIT_TRAIL$ table. The DBAUD collector belongs to the ORCLDB_DBAUD collector type.
A table in a star schema that contains facts. A fact table typically has two types of columns: columns that contain facts and columns that are foreign keys to dimension tables. The primary key of a fact table is usually a composite key composed of all of its foreign keys.
A fact table might contain either detail level facts or facts that have been aggregated (fact tables that contain aggregated facts are often called summary tables). A fact table usually contains facts with the same level of aggregation.
In Oracle Audit Vault, the audit data warehouse tables are in a star schema.
Hypertext Transmission Protocol, Secure. The use of Secure Sockets Layer (SSL) as a sublayer under the regular HTTP application layer.
A repository that includes the following:
Certificates identifying trusted entities. When a keystore contains only certificates of trusted entities, it can be called a trust store.
Private key and the matching certificate. This certificate is sent as a response to SSL authentication challenges.
A key and certificate management utility that Oracle Audit Vault uses to generate the keystore. It enables users to self-authenticate by administering their own public and private key pairs and associated certificates or data integrity and authentication services, using digital signatures. The keytool utility is located at
For Oracle Audit Vault, you must run the keytool utility to generate a keystore file if you want to configure HTTPS communication for Audit Vault. See Section 5.5 for more information.
Logical change record. This is a message with a specific format that describes a database change.
The definition of the relationship and data flow between source database and target objects.
Microsoft SQL Server Database audit log collector. This collector extracts and collects Microsoft SQL Server Database (SQL Server 2000 and SQL Server 2005) (for Windows platforms) audit records from the Windows Event logs, Server-side Traces, and C2 auditing logs. The MSSQLDB collector belongs to the MSSQLDB collector type.
See DBAUD collector.
See OSAUD collector.
See REDO collector.
Oracle Database OS audit log collector. This collector parses operating system (OS) log file entries into audit records. The OSAUD collector belongs to the ORCLDB_OSAUD collector type.
On Microsoft Windows, the OS audit trail depends on the AUDIT_TRAIL parameter setting:
If the setting is OS, the OS audit trail is the Windows event log.
If the setting is XML, the OS audit trail is the XML file.
The OSAUD collector automatically extracts and collects audit records from either audit trail.
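The two glossary entries above (an alert rule evaluating a single audit record, and the OSAUD collector reading the XML OS audit trail) combined into an added example that is not code from the Oracle Audit Vault product or its documentation. The element names follow the Oracle XML audit-trail layout as the author recalls it (namespace omitted), and the file content, action code and return code constants are constructed for illustration.

```python
# Added example (not from the Oracle documentation): parse an Oracle-style XML
# OS audit trail and apply per-record alert rules, the way an OSAUD-style
# collector feeds records to alert evaluation. Sample content is constructed.
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Audit>
 <AuditRecord>
  <Session_Id>1001</Session_Id>
  <Extended_Timestamp>2009-03-02T10:15:00.000000Z</Extended_Timestamp>
  <DB_User>SYS</DB_User>
  <Action>100</Action>
  <Returncode>0</Returncode>
 </AuditRecord>
 <AuditRecord>
  <Session_Id>1002</Session_Id>
  <Extended_Timestamp>2009-03-02T10:15:07.000000Z</Extended_Timestamp>
  <DB_User>SCOTT</DB_User>
  <Action>100</Action>
  <Returncode>1017</Returncode>
 </AuditRecord>
</Audit>
"""

LOGON_ACTION = 100          # Oracle audit action code for LOGON
INVALID_CREDENTIALS = 1017  # ORA-01017: invalid username/password

def parse_audit_trail(xml_text):
    """Return one dict per <AuditRecord>, keyed by child element name."""
    root = ET.fromstring(xml_text)
    return [{child.tag: (child.text or "").strip() for child in rec}
            for rec in root.iter("AuditRecord")]

# Each alert rule inspects exactly one audit record, as the glossary defines.
ALERT_RULES = {
    "failed_logon": lambda r: int(r["Action"]) == LOGON_ACTION
                              and int(r["Returncode"]) == INVALID_CREDENTIALS,
    "sys_logon": lambda r: int(r["Action"]) == LOGON_ACTION
                           and r["DB_User"] == "SYS",
}

def evaluate_alerts(records):
    """Apply every rule to every record; return (rule name, Session_Id) hits."""
    return [(name, rec["Session_Id"]) for rec in records
            for name, rule in ALERT_RULES.items() if rule(rec)]

if __name__ == "__main__":
    for hit in evaluate_alerts(parse_audit_trail(SAMPLE_XML)):
        print(hit)
```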
Public key infrastructure. This information security technology uses the principles of public key cryptography to encrypt and decrypt information using a shared public and private key pair. It provides for secure, private communications within a private network.
The first location in which Oracle Audit Vault places audit data it collects from a source database. It stores this unprocessed audit data in partitioned tables based on timestamp, and in unpartitioned tables based on source ID. Oracle Audit Vault then sends this data to the data warehouse, where it is organized into tables. Auditors access this data by generating audit reports.
Oracle Database redo log collector. This collector translates logical change records (LCRs) into audit records. The REDO collector belongs to the ORCLDB_REDO collector type.
A database instance that has been configured to send audit data to Oracle Audit Vault.
The audit data source consists of databases, applications, or systems that generate audit data. For the current release of Oracle Audit Vault, the following database products are audit data sources:
Oracle Database
Microsoft SQL Server
IBM DB2
Sybase ASE
These databases can run on the same or different computers, potentially resulting in multiple source databases on the same system. Audit data from audit sources represent a variety of audit formats. Source types represent a class of audit sources. For example, Oracle Database audit sources with the same audit formats, audit events, and collection mechanisms represent an audit source type. Table 1-4 lists the collectors that are associated with these database products.
A relational schema whose design represents a multidimensional data model. The star schema consists of one or more fact tables and one or more dimension tables that are related through foreign keys.
Sybase ASE Database audit log collector. This collector extracts and collects Sybase ASE (ASE 12.5.4 and ASE 15.0.2) audit records from the audit trail logged in audit tables in the sybsecurity database. The SYBDB collector belongs to the SYBDB collector type.