Oracle® Audit Vault Auditor's Guide
Release 10.2.3.2

Part Number E14460-07

What's New in Oracle Audit Vault for Auditors?

This section describes new features in Oracle Audit Vault that affect auditors, and provides pointers to additional information. These new features reflect changes since Release 10.2.3.1.

Oracle Audit Vault Release 10.2.3.2 New Features

Near Real Time Activity Monitoring

Starting with this release, the Oracle Audit Vault data warehouse refreshes automatically, because Audit Vault can send thousands of audit records continuously to the repository. This enables the reports to reflect the audit data up to the most recent collection point.

See Chapter 4, "Oracle Audit Vault Data Warehouse Schema," for more information about the data warehouse.

User Entitlement Audit Data

This release introduces a new set of reports called entitlement reports. These reports capture privilege-related audit data from Oracle source databases, such as the types of privileges users have been granted, user account information, the system privileges that have been used in a source database, and so on.

To view the entitlement information, you retrieve it from the source databases, similar to retrieving audit policies from source databases. Each time the entitlement content is retrieved from the Oracle database, it creates a snapshot of the entitlement information, which records the state of the entitlement data at the time of retrieval. With this information, you can compare the snapshots of the entitlement content to see how it has changed over time. For example, you can find out how a user's set of privileges was changed, or what object privileges were modified, between snapshots.

See the following sections for more information:

E-Mail Notifications for Alerts and Reports

E-mail notifications have been integrated into the Oracle Audit Vault alerts and reports. This provides the ability to e-mail you and your security team when an alert has been triggered in Oracle Audit Vault. This way, you and your team can proactively review violations in the business processes or malicious activity. In addition, you can notify managers that a report is ready for their review of database activity performed by their database administrative team. The notification contains a link to the report from the Oracle Audit Vault console, or you can directly attach the report to the notification in PDF format.

See the following sections for more information:

Trouble Ticket Notifications for Alerts

You now can configure Oracle Audit Vault alerts to automatically generate trouble ticket notifications. Currently, you can use this feature for BMC Remedy Service Management trouble ticketing systems.

See the following sections for more information:

Annotating and Attesting Alerts and Reports

When you schedule a report, you can optionally assign other auditors to attest to the report. While reviewing the report in Oracle Audit Vault, you, the auditor, can annotate the report with comments that will remain until the report is deleted. This enables you to create a record of all notes and attestations for the report in one place, with the most recent note and attestation listed first.

In addition to a record of all annotations and attestations, you can find additional detailed information about alerts and reports.

See the following sections for more information:

More Functionality for Advanced Alerts

When you create an alert, you can create either a basic alert or an advanced alert. The advanced alert enables you to create a condition that can trigger the alert. In this release, the advanced alert condition can incorporate more SQL functionality, which lets you compare incoming audit data content against a list of valid values. For example, you can check whether the database activity was performed on a trusted host. You also can create PL/SQL functions that help you to retrieve more data to be used as a basis for triggering the alert. And, as described elsewhere in this section, you can configure the alert to be automatically sent to other users or to trigger a trouble ticket.

See Section 2.12.5 for more information.

Scheduling Reports to be Sent to Other Users in PDF Format

You now can schedule reports to be generated in PDF format and then send them to a list of recipient users and to other auditors to attest. You can design the report so that it only captures data within a specified window of time based on when the report is run, and set formatting standards such as header and footer information, and whether the report will appear in portrait or landscape orientation.

See Section 3.6 for more information.

Additional and Changed Reports

This release of Oracle Audit Vault provides many additional compliance reports and entitlement reports, which are designed to help meet compliance regulations that were established by the Sarbanes-Oxley Act (SOX) and Health Insurance Portability and Accountability Act (HIPAA).

The following table describes how the reports have changed for this release.

Report Name                                   Category of Report              Change for This Release
Audit Setting Changes Report                  All compliance reports          Previously called the Changes to Audit Report
Before/After Values Report                    All compliance reports          Previously called the Data Change Report
Changes to Audit Report                       Default compliance reports      Now called the Audit Setting Changes Report
Credit Card Related Data Access Report        Credit card compliance reports  New for this release
Data Change Report                            Default compliance reports      Now called the Before/After Values Report
Database Failed Logins Report                 All compliance reports          Previously called the Login Failures Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report.
Database Login/Logoff Report                  All compliance reports          Previously called the Login/Logoff Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report.
Database Logoff Report                        All compliance reports          Contains the user logoff information from the Login/Logoff Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report.
Database Logon Report                         All compliance reports          Contains the user logon information from the Login/Logoff Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report.
Database Roles by Source Report               Default entitlement reports     New for this release
Database Roles Report                         Default entitlement reports     New for this release
Database Startup/Shutdown Report              All compliance reports          New for this release
Data Change Report                            Default compliance reports      Now called the Program Changes Report
DDL Report                                    Default compliance reports      Now called the Schema Changes Report
Deleted Objects Report                        All compliance reports          Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report
EPHI Related Data Access Report               Health care compliance report   New for this release
Financial Related Data Access Report          Financial compliance reports    New for this release
Financial Related Data Modifications Report   Financial compliance reports    New for this release
Login Failures Report                         Default compliance reports      Now called the Database Failed Logins Report
Login/Logoff Report                           Default compliance reports      Now called the Database Login/Logoff Report
Object Privileges by Source Report            Default entitlement reports     New for this release
Object Privileges Report                      Default entitlement reports     New for this release
Privileged Users by Source Report             Default entitlement reports     New for this release
Privileged Users Report                       Default entitlement reports     New for this release
Program Changes Report                        All compliance reports          Previously called the Data Change Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report.
Schema Changes Report                         All compliance reports          Previously called the DDL Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report.
System Events Report                          All compliance reports          New for this release
System Privileges by Source Report            Default entitlement reports     New for this release
System Privileges Report                      Default entitlement reports     New for this release
User Accounts by Source Report                Default entitlement reports     New for this release
User Accounts Report                          Default entitlement reports     New for this release
User Privilege Change Activity Report         All compliance reports          New for this release
User Privileges by Source Report              Default entitlement reports     New for this release
User Privileges Report                        Default entitlement reports     New for this release
User Profiles by Source Report                Default entitlement reports     New for this release
User Profiles Report                          Default entitlement reports     New for this release

See the following sections for more information about the new reports:

New and Changed Audit Events

New and Changed Oracle Database Audit Events

New Audit Events for Oracle Database 11g Release 2 (11.2)

Starting with this release, Oracle Audit Vault supports the following new audit events that were added to Oracle Database 11g Release 2 (11.2).

Event Name Description          Source Event  Oracle Audit Vault Category
ALTER ASSEMBLY                  217           Application Management
ALTER FLASHBACK ARCHIVE         219           System Management
ALTER EDITION                   213           Object Management
ALTER MINING MODEL              130           Object Management
ALTER PUBLIC SYNONYM            134           Object Management
ALTER SYNONYM                   192           Object Management
CREATE ASSEMBLY                 216           Application Management
CREATE FLASHBACK ARCHIVE        218           System Management
CREATE EDITION                  212           Object Management
CREATE MINING MODEL             133           Object Management
DROP ASSEMBLY                   215           Application Management
DROP EDITION                    214           Object Management
DROP FLASHBACK ARCHIVE          220           System Management
SELECT MINING MODEL             131           Data Access
SUPER USER TRANSACTION CONTROL  20000         System Management

See Appendix A, "Oracle Database Audit Events," for more information.

Oracle Label Security Audit Events for All Supported Oracle Database Releases

You can use the following Oracle Label Security-specific audit events for all supported Oracle Database Releases.

Event Name Description          Source Event  Oracle Audit Vault Category
APPLY TABLE OR SCHEMA POLICY    500           Object Management
OBJECT EXISTS ERRORS            505           Role and Privilege Management
PRIVILEGED ACTION               506           Role and Privilege Management
REMOVE TABLE OR SCHEMA POLICY   501           Object Management
SET USER OR PROGRAM UNIT LABEL  502           Role and Privilege Management

See Appendix A, "Oracle Database Audit Events," for more information.

Changed Oracle Database Audit Events

The following Oracle Database source events have changed:

Event Name Description  Previous Source Event  New Source Event
SHUTDOWN                216                    20005
STARTUP                 215                    20004
SUPER USER DDL          213                    20002
SUPER USER DML          214                    20003
SUPER USER LOGON        212                    20001
SUPER USER UNKNOWN      217                    20006

See Appendix A, "Oracle Database Audit Events," for more information.
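
Each previous source event number in the changed-events table (212 through 217) is also a number that the Oracle Database 11g Release 2 table assigns to a new event, so a custom report filter or alert condition still written against the old numbers would match different events. The following Python is an added example, not part of the Oracle documentation or product, that checks a list of source event numbers against both tables. It uses only the numbers shown on this page; the function names and the sample filter are hypothetical.

```python
# Source-event numbers copied from the tables on this page.
# 11.2 events: source event -> (event name, Oracle Audit Vault category)
NEW_11_2_EVENTS = {
    130: ("ALTER MINING MODEL", "Object Management"),
    131: ("SELECT MINING MODEL", "Data Access"),
    133: ("CREATE MINING MODEL", "Object Management"),
    134: ("ALTER PUBLIC SYNONYM", "Object Management"),
    192: ("ALTER SYNONYM", "Object Management"),
    212: ("CREATE EDITION", "Object Management"),
    213: ("ALTER EDITION", "Object Management"),
    214: ("DROP EDITION", "Object Management"),
    215: ("DROP ASSEMBLY", "Application Management"),
    216: ("CREATE ASSEMBLY", "Application Management"),
    217: ("ALTER ASSEMBLY", "Application Management"),
    218: ("CREATE FLASHBACK ARCHIVE", "System Management"),
    219: ("ALTER FLASHBACK ARCHIVE", "System Management"),
    220: ("DROP FLASHBACK ARCHIVE", "System Management"),
    20000: ("SUPER USER TRANSACTION CONTROL", "System Management"),
}
# Changed events: event name -> (previous source event, new source event)
RENUMBERED = {
    "SHUTDOWN": (216, 20005), "STARTUP": (215, 20004),
    "SUPER USER DDL": (213, 20002), "SUPER USER DML": (214, 20003),
    "SUPER USER LOGON": (212, 20001), "SUPER USER UNKNOWN": (217, 20006),
}

def reused_numbers():
    """Previous numbers that the 11.2 table now assigns to a different event."""
    return sorted(old for old, _ in RENUMBERED.values() if old in NEW_11_2_EVENTS)

def review_filter(source_events):
    """Check the source-event numbers of a filter written for the previous numbering."""
    by_old = {old: (name, new) for name, (old, new) in RENUMBERED.items()}
    findings = []
    for number in sorted(set(source_events) & set(by_old)):
        intended, replacement = by_old[number]
        now_name, now_category = NEW_11_2_EVENTS.get(number, (None, None))
        findings.append({"source_event": number, "intended": intended,
                         "use_instead": replacement, "now_matches": now_name,
                         "now_category": now_category})
    return findings

if __name__ == "__main__":
    # Constructed sample: numbers a saved startup/shutdown/super-user-logon filter
    # might hold; 100 is a made-up number in neither table and is left alone.
    for finding in review_filter([212, 215, 216, 100]):
        print(finding)
```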

New Microsoft SQL Server Audit Events

For Microsoft SQL Server 2008, the following new events have been added to the User Session Events category.

Event Name Description                Source Event                                     Audit Vault Event
Audit Database Mirroring Login Event  DATABASE MIRRORING LOGIN:LOGIN SUCCESS           LOGON
                                      DATABASE MIRRORING LOGIN:LOGIN PROTOCOL ERROR
                                      DATABASE MIRRORING LOGIN:MESSAGE FORMAT ERROR
                                      DATABASE MIRRORING LOGIN:NEGOTIATE FAILURE
                                      DATABASE MIRRORING LOGIN:AUTHENTICATION FAILURE
                                      DATABASE MIRRORING LOGIN:AUTHORIZATION FAILURE

See Section B.14 for more information.

Oracle Audit Vault Console User Interface Enhancements

The Audit Vault Console has the following new enhancements:

New PL/SQL Package to Find Before and After Values in Redo Logs

This release introduces the AVSYS.AV$DW_BEFORE_AFTER PL/SQL package, which you can use to include before and after values collected by the REDO collector in your queries.

See Section 4.7 for more information.

Oracle Audit Vault Release 10.2.3.1 New Features

Audit Events for Sybase ASE and IBM DB2 Databases

Starting with this release, you can generate reports that have audit events for Sybase Adaptive Server (ASE) and IBM DB2 databases. The supported releases for these two database products are as follows:

See the following sections for more information: