Oracle® Audit Vault Auditor's Guide
10g Release 2 (10.2.2)

Part Number B28853-02
3 Oracle Audit Vault Reports

As an auditor, you can generate reports of activity and alerts from systems monitored by Oracle Audit Vault. To do this, you start from the Audit Vault Dashboard, described in Chapter 1.

This chapter includes the following sections:

3.1 Activity Reports

From the Dashboard page, you click Activity Reports at the top of the page to go directly to the Activity Reports page, shown in Figure 3-1.

Figure 3-1 Activity Reports Page


3.1.1 Activity Reports Page

In the Activity Reports page, you can:

  • Click the plus sign (+) icon to expand or open the hierarchical view to show the Activity Overview Report link and the individual Activity Reports links.

  • Click the Activity Overview Report link in the Report column to view the Activity Overview Report page.

  • Click any audit event category Activity Report link in the Report column to view its report. A brief description of each type of audit event category activity report is provided in the Description column.

3.1.2 Activity Overview Report

The Activity Overview Report page displays all audit trail records created based on their audit event time. The data is sorted by time in descending order. Specify or select filter criteria to generate a report.

3.1.2.1 Report Fields and Filter Criteria on the Activity Overview Report Page

Table 3-1 describes how to use each of the report fields and the filter criteria.

Table 3-1 Report Fields and Filter Criteria on the Activity Overview Report Page

Field Description

Audit Source

Enter Audit Source criteria or click the search icon for the Audit Source field. An audit source is where events are created.

At the Search and Select: Audit Source page, you can filter the list or search for a specific item by entering text in the text field for the Source field, Source Host field, and the Source Host IP field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Audit Source field with your selected filter criteria, and return to the Activity Overview Report page.

User

Enter User criteria or click the search icon for the User field. A user is someone associated with an event.

At the Search and Select: User page, you can filter the list or search for a specific item by entering text in the text field for the User field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the User field with your selected filter criteria, and return to the Activity Overview Report page.

Audit Event Category

Enter Audit Event Category criteria or click the search icon for the Audit Event Category field.

At the Search and Select: Audit Event Category page, you can filter the list or search for a specific item by entering text in the text field for the Audit Event Category field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Audit Event Category field with your selected filter criteria, and return to the Activity Overview Report page.

Audit Event

Enter Audit Event criteria or click the search icon for the Event field. An audit event is the encapsulation into an audit record of some action in the audit data source.

At the Search and Select: Audit Event page, you can filter the list or search for a specific item by entering text in the text field for the Audit Event field and the Audit Event Category field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Audit Event field with your selected filter criteria, and return to the Activity Overview Report page.

Object

Enter Object criteria or click the search icon for the Object field. An object is the entity on which an event is performed.

At the Search and Select: Object page, you can filter the list or search for a specific item by entering text in the text field for the Owner field and the Object field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Object field with your selected filter criteria, and return to the Activity Overview Report page.

Client Host

Enter Client Host criteria or click the search icon for the Client Host field. A client host is the host system on which the event occurred.

At the Search and Select: Client Host page, you can filter the list or search for a specific item by entering text in the text field for the Host field and the IP Address field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Client Host field with your selected filter criteria, and return to the Activity Overview Report page.

Client Tool

Enter Client Tool criteria or click the search icon for the Client Tool field. A client tool is the tool used on the client system to connect to the audit source associated with the event.

At the Search and Select: Client Tool page, you can filter the list or search for a specific item by entering text in the text field for the Client Tool field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Client Tool field with your selected filter criteria, and return to the Activity Overview Report page.

Privilege

Enter Privilege criteria or click the search icon for the Privilege field. A privilege represents the privileges used during the event.

At the Search and Select: Privilege page, you can filter the list or search for a specific item by entering text in the text field for the Privilege field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Privilege field with your selected filter criteria, and return to the Activity Overview Report page.

Audit Event Status

Set the Audit Event Status field to Success, Failure, or Both by clicking the option preceding the desired value.

Audit Event Time

Set the Audit Event Time field to Last 24 hours, Last One Week, Last One Month, or The Period by clicking the option preceding the desired value. If you select The Period, you must enter a From date and a To date.


3.1.2.2 Activity Overview Actions

When you have made your filter criteria selections, click Go to generate the report.

From the filtered report that appears, you can click the Detail icon in the Detail column for the desired row to see a detailed report for the audit record data representing that selected row.

Click Next 25 to view the next 25 listed items returned or click Previous to view the previous 25 listed items.

Click Save as CSV to save the report in comma-separated values (CSV) file format. CSV is a delimited data format in which fields are separated by the comma character and records are separated by newlines.

Click Save Definition to go to the Report Generation page to create a report and save it as a report definition. At the Report Generation page, the Audit Event Status and Audit Event Time fields are populated with values specified from the event category report page from which the report save operation was initiated. Perform the following tasks:

  1. Enter a name for the compliance category type to create a new compliance category type or click the flashlight icon to the right of the Compliance Category field to search for an existing name of a compliance category type. At the Compliance Category Search page, enter the name of the compliance category to search for, then click Go. Click the respective check box in the Select column, then click Select to select the compliance category of interest that is listed in the Compliance Category column.

  2. Enter a description in the Compliance Category Description field.

  3. Enter a report title in the Report Title field.

  4. Enter a short report description in the Short Report Description field.

  5. Enter a more detailed report description in the Detail Report Description field.

  6. Check all entries, then click Create Report to create the report.

After creating the event category report, you are returned to the event category page from which you started. To view the complete list of event report types, including any newly created event report types, click the Activity Reports tab to go to the Activity Reports page. All created event report types are listed in the Type column on the Activity Reports page. Click the plus sign (+) icon for any event report type to expand its view of activity reports. See Section 3.1.5 for more information about creating customized reports and for examples of how to do this.

3.1.3 Common Features of Audit Event Activity Pages

The audit trail records are categorized based on the type of record generated. Each of the reports can be filtered by various fields based on the type of category. This section describes features common to all audit event activity reports.

3.1.3.1 Report Fields and Filter Criteria on Audit Event Activity Report Pages

Table 3-2 describes how to use each of the report fields and filter criteria for all categories of audit event.

Table 3-2 Report Fields and Filter Criteria on Audit Event Activity Report Pages

Field or Filter Description and Actions

Audit Source

Enter Audit Source criteria or click the search icon for the Audit Source field. A source is where events are created.

At the Search and Select: Source page, you can filter the list or search for a specific item by entering text in the text field for the Audit Source field, Audit Source Host field, and the Audit Source Host IP field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Audit Source field with your selected filter criteria, and return to the individual activity report page.

User

Enter User criteria or click the search icon for the User field. A user is someone associated with an event.

At the Search and Select: User page, you can filter the list or search for a specific item by entering text in the text field for the User field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the User field with your selected filter criteria, and return to the individual activity report page.

Audit Event

Enter Audit Event criteria or click the search icon for the Audit Event field.

At the Search and Select: Event page, you can filter the list or search for a specific item by entering text in the text field for the Audit Event field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Audit Event field with your selected filter criteria, and return to the individual activity report page.

Object

Enter Object criteria or click the search icon for the Object field. An object is the entity on which an event is performed.

At the Search and Select: Object page, you can filter the list or search for a specific item by entering text in the text field for the Owner field and the Object field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Object field with your selected filter criteria, and return to the individual activity report page.

Client Host

Enter Client Host criteria or click the search icon for the Client Host field. A client host is the host system on which the event occurred.

At the Search and Select: Client Host page, you can filter the list or search for a specific item by entering text in the text field for the Host field and the IP Address field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Client Host field with your selected filter criteria, and return to the individual activity report page.

Client Tool

Enter Client Tool criteria or click the search icon for the Client Tool field. A client tool is the tool used on the client system to connect to the audit source associated with the event.

At the Search and Select: Client Tool page, you can filter the list or search for a specific item by entering text in the text field for the Client Tool field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Client Tool field with your selected filter criteria, and return to the individual activity report page.

Privilege

Enter Privilege criteria or click the search icon for the Privilege field. A privilege represents the privileges used during the event.

At the Search and Select: Privilege page, you can filter the list or search for a specific item by entering text in the text field for the Privilege field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Privilege field with your selected filter criteria, and return to the Role and Privilege individual activity report page.

Audit Event Status

Set the Audit Event Status field to Success, Failure, or Both by clicking the option preceding the desired value.

Audit Event Time

Set the Audit Event Time field to Last 24 hours, Last One Week, Last One Month, or The Period by clicking the option preceding the desired value. If you select The Period, you must enter a From date and a To date.


3.1.3.2 Other Actions to Perform in Audit Event Activity Pages

When you have made your filter criteria selections, click Go to generate the report.

Click Next 25 to view the next 25 listed items returned or click Previous to view the previous 25 listed items.

Click Save as CSV to save the report in comma-separated values (CSV) file format. CSV is a delimited data format in which fields are separated by the comma character and records are separated by newlines.

You can click the Detail icon in the Detail column for the desired row to see a Detail Report for the audit record data representing that selected row.

3.1.3.3 Detail Report

From any of the audit record event reports, you can click the Detail icon in the Detail column for the desired row to see a Detail report for the audit record data representing that selected row.

3.1.3.3.1 Detail Report Fields

Table 3-3 provides a brief description of each of the Detail report fields.

Table 3-3 Fields on the Detail Report Page

| Field | Description |
| --- | --- |
| Source Type | Name of the source type |
| Source | Name of the source |
| Source Host | Name of the host on which the source resides |
| Source Version | Product version of the source |
| Source Host IP | IP address of the host on which the source resides |
| Event | Event name |
| Event Category | Event category name to which the event belongs |
| Event Status | Status of the event |
| Event Time | Time the event occurred |
| Collection Time | Time the collection of events was made |
| Object | Name of the object |
| Owner | Owner of the object |
| Associated Object | Name of the associated object |
| Associated Object Owner | Name of the associated object owner |
| New Object | Name of the renamed object |
| New Object Owner | Name of the renamed object owner |
| User GUID | Globally unique identifier of the Oracle Internet Directory user (for EUS) |
| User | Name of the user |
| OS User | Operating system user name |
| End User | Name of the end user |
| Terminal | Name of the host terminal |
| Host | Name of the host system |
| Host IP | IP address of the host system |
| Subnet | Subnet address of the host system |
| Domain | Domain name of the host system |
| SCN | System change number |
| FGA Policy | Fine-grained audit trail policy name |
| Authentication Method | Name of the authentication method used |
| Client Tool | Name of the tool used on the client |
| Client Application Method | Method name of the client application |
| Privilege | Name of the privilege used |
| Object Privilege | Name of the privilege used on the object |
| System Privilege | Name of the system privilege used |
| Grantee User | Name of the user granted the privilege |
| Statement ID | Identifier of the SQL statement |
| Object ID | Identifier of the object |
| Thread ID | Server-side identifier of the thread |
| Process ID | Server-side identifier of the process |
| Instance Number | Number of the instance |
| Audit Option | Audit option used |
| Admin Option | Administrative option used |
| Proxy Session ID | Proxy user's session identifier |
| Session CPU | Number of the session CPU |
| Session Actions | The success or failure of operations in a session |
| Row ID | Identifier of the row |
| Context | Unique identifier for the context |
| Sub Context | Transaction ID for Oracle Database |
| Parent Context | Execution context ID for Oracle Database |
| Transaction | Transaction type |
| SQL Bind | Bind variables of the SQL statement |
| SQL Text | SQL text of the query |
| Undo SQL text | Text of the SQL statement to undo the transaction |
| Comment Text | Text comment on the audit trail entry |
| Logoff Dlock | Deadlocks detected during the session |
| Logoff Lread | Logical reads for the session |
| Logoff Lwrite | Logical writes for the session |
| Logoff Pread | Physical reads for the session |


3.1.3.3.2 Actions

The system change number (SCN) is useful if the value has been changed more than once.

Use your browser's Back button to return to the Detail Report.

When you finish viewing the Detail Report, click Return to return to the previous event category page.

3.1.4 Activity Reports

This section describes the report fields and filter criteria found in each type of audit event activity report.

This section includes the following topics:

3.1.4.1 Account Management Activity

The Account Management Activity report displays audit records in which account management operations such as alter profile, alter user, or drop are performed. You can sort the report data by clicking on the desired header.

The Account Management Activity report contains the following report fields and filter criteria:

3.1.4.2 Application Management Activity

The Application Management Activity report displays audit records in which application management operations such as alter function, alter Java, or alter package are performed. You can sort the report data by clicking on the desired header.

The Application Management Activity report contains the following report fields and filter criteria:

3.1.4.3 Audit Command Activity

The Audit Command Activity report displays audit records in which operations such as audit default, audit object, or noaudit default are performed. You can sort the report data by clicking on the desired header.

The Audit Command Activity report contains the following report fields and filter criteria:

3.1.4.4 Data Access Activity

The Data Access Activity report displays audit records in which data manipulation operations such as delete, insert, or select are performed. You can sort the report data by clicking on the desired header.

The Data Access Activity report contains the following report fields and filter criteria:

From the Detail report for Data Access Activity, you can click Data Trace to view a Data Trace report, which shows each value that has been changed by an UPDATE statement. The Data Trace report lists the column name, old value, and new value with the corresponding information:

  • SCN information

  • SQL Text information

  • SQL Bind information

  • Object information

3.1.4.5 Exception Activity

The Exception Activity report displays audit records in which errors and exceptions such as network errors have occurred. You can sort the report data by clicking on the desired header.

The Exception Activity report contains the following report fields and filter criteria:

3.1.4.6 Invalid Audit Record Activity

The Invalid Audit Record Activity report displays audit records for events that could not be understood by Oracle Audit Vault. You can sort the report data by clicking on the desired header.

The Invalid Audit Record Activity report contains the following report fields and filter criteria:

3.1.4.7 Object Management Activity

The Object Management Activity report displays audit records in which operations such as alter dimension, alter index, or alter materialized view are performed. You can sort the report data by clicking on the desired header.

The Object Management Activity report contains the following report fields and filter criteria:

3.1.4.8 Peer Association Activity

The Peer Association Activity report displays audit records in which operations such as create database link or drop database link are performed. You can sort the report data by clicking on the desired header.

The Peer Association Activity report contains the following report fields and filter criteria:

3.1.4.9 Role and Privilege Management Activity

The Role and Privilege Management Activity report displays audit records in which operations such as create role, drop role, or grant object are performed. You can sort the report data by clicking on the desired header.

The Role and Privilege Management Activity report contains the following report fields and filter criteria:

3.1.4.10 Service and Application Access Activity

The Service and Application Access Activity report displays audit records in which operations such as call method, execute procedure, or PL/SQL execute are performed. You can sort the report data by clicking on the desired header.

The Service and Application Access Activity report contains the following report fields and filter criteria:

3.1.4.11 System Management Activity

The System Management Activity report displays audit records in which operations such as alter system, alter tablespace, or analyze cluster are performed. You can sort the report data by clicking on the desired header.

The System Management Activity report contains the following report fields and filter criteria:

3.1.4.12 Uncategorized Activity

The Uncategorized Activity report displays audit records in which uncategorized operations such as comment, create summary, or no-op are performed. You can sort the report data by clicking on the desired header.

The Uncategorized Activity report contains the following report fields and filter criteria:

3.1.4.13 User Session Activity

The User Session Activity report displays audit records in which operations such as alter session, commit, or create restore point are performed. You can sort the report data by clicking on the desired header.

The User Session Activity report contains the following report fields and filter criteria:

3.1.5 Creating Customized Reports

A very useful feature of Audit Vault Reports is the ability to create customized reports from any of the audit event activity pages. By selectively filtering for information in the category activity page, you can generate reports that show very specific audit records. By selecting or defining compliance categories, you can organize the generated customized reports under compliance categories that you define.

To create a customized report from any of the audit event activity pages, selectively filter for information in each category field, then click Go to run the query that is the basis of your report. If the query results are as you wish, then click Save Definition to go to the Report Generation page to create a report and save it as a report definition. At the Report Generation page, the Audit Event Status and Audit Event Time fields are populated with values specified from the event category report page from which the report save operation was initiated. Perform the following tasks:

  1. Enter a name for the compliance category type to create a new compliance category type or click the flashlight icon to the right of the Compliance Category field to search for an existing name of a compliance category type. At the Compliance Category Search page, enter the name of the compliance category to search for, then click Go. Click the respective check box in the Select column, then click Select to select the compliance category of interest that is listed in the Compliance Category column.

  2. Enter a description in the Compliance Category Description field.

  3. Enter a report title in the Report Title field.

  4. Enter a short report description in the Short Report Description field.

  5. Enter a more detailed report description in the Detail Report Description field.

  6. Check all entries, then click Create Report to create the report.

After creating the event category report, you are returned to the event category page from which you started. To view the complete list of event report types, including any newly created event report types, click the Activity Report tab to go to the Activity Report page. All created event report types are listed in the Types column on the Activity Report page. Click the plus sign (+) icon for any event report type to expand its view of reports.

As an example of creating a customized report, suppose that as part of your auditing policy you created a policy to audit failed attempts to create users, so that each time a user who does not have privileges tries to create another user, an audit record is created. See Section 2.1 for more information about how to create an audit policy. From such a policy, you can create two customized reports, one for account management and the other for user session activity, that contain only these audit records for detailed analysis. Both reports will be specific to the same source database.

To create each report, follow these steps:

  1. On the Overview page, for the Activity by Audit Event Category graph, click the link for the Account Management audit event category to display the Account Management Activity page as shown in Figure 3-2.

    Figure 3-2 Creating Customized Reports Showing the Pre-Query State


  2. On the Account Management Activity page, select the flashlight for each respective field: Audit Source, User, Account Management Audit Event, and Object to make selections and filter for specific information. Select the source, then the users, then the account management audit events. Select Both for the Audit Event Status field. Then select the desired time interval for the report by making a selection in the Audit Event Time field.

  3. Click Go to run the query based on the values selected for the fields to filter the report information as shown in Figure 3-3.

    Figure 3-3 Creating Customized Reports Showing the Results of the Query


  4. Click Save Definition to display the Report Generation page. Fill in information for each of the required fields. Select or define a compliance category to organize this report. Either select the compliance report name by clicking the flashlight for the Compliance Category field or enter the name of the compliance category. Next, enter information for the Compliance Category Description, Report Title, Short Report Description, and Detail Report Description fields as shown in Figure 3-4. Click Create Report to create your customized report and return to the Account Management Activity page. A success message should display indicating the report was generated.

    Figure 3-4 Creating Customized Reports Generating the Account Management Report


  5. To view the customized account management report, click the Activity Reports subtab to display the Activity Reports page. Click the plus sign (+) to open the name of the compliance category in which the report was created. In this example, the compliance category is named "Auditing User Creation Failures". The report description is "Audit user creation failures", as shown in Figure 3-5, which is the name given in Step 4 and shown in Figure 3-4.

    Figure 3-5 Activity Reports


  6. Click the report name "My Customized Report: User Creation Failures" to display your customized report as shown in Figure 3-6.

    Figure 3-6 My Customized Account Management Report: User Creation Failures


    Note that in Figure 3-4, this report was given a title of "My Customized Report: User Creation Failures" and a detail report description of "Auditing user creation failures". In Figure 3-6, the report title is the name of the report page, while the detail report description is the subheading for the report page.

  7. Repeat Steps 1 through 5 to create a customized user session report. Figure 3-7 shows a sample customized report of SYS user sessions.

Figure 3-7 My Customized Report: SYS User Sessions


Notice that you can create a variety of customized reports by filtering for specific event category information and then organize your customized reports by selecting or defining specific compliance categories under which to catalog your reports.

3.2 Alert Reports

An alert is raised when data in a single audit record matches a predefined alert rule condition. The audit event is evaluated against the rule condition and, because it matches, an alert is raised. Alerts are grouped by the sources with which they are associated, by the event category to which the event belongs, and by the severity level of the alert (warning, critical, all).
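The following sketch is an added illustration of the behavior described above, not Oracle Audit Vault code: each audit record is evaluated on its own against alert rule conditions, and the resulting alerts are grouped by source, event category, and severity. The record field names, source names, event names, and the two rules are assumptions constructed for this example.

```python
from collections import Counter

# Constructed audit records. Field names and values are assumptions modelled
# on the report filter fields; they are not Audit Vault's schema.
RECORDS = [
    {"source": "ORCL_HR",  "user": "SYS",    "category": "USER SESSION",       "event": "LOGON",       "status": "SUCCESS"},
    {"source": "ORCL_HR",  "user": "JSMITH", "category": "ACCOUNT MANAGEMENT", "event": "CREATE USER", "status": "FAILURE"},
    {"source": "ORCL_FIN", "user": "JSMITH", "category": "ACCOUNT MANAGEMENT", "event": "CREATE USER", "status": "SUCCESS"},
    {"source": "ORCL_FIN", "user": "SYS",    "category": "USER SESSION",       "event": "LOGON",       "status": "SUCCESS"},
    {"source": "ORCL_HR",  "user": "JSMITH", "category": "ACCOUNT MANAGEMENT", "event": "CREATE USER", "status": "FAILURE"},
]

# Hypothetical alert rules: (name, severity, condition on ONE record).
RULES = [
    ("User creation failure", "WARNING",
     lambda r: r["event"] == "CREATE USER" and r["status"] == "FAILURE"),
    ("SYS user session", "CRITICAL",
     lambda r: r["user"] == "SYS" and r["event"] == "LOGON"),
]

SEVERITIES = ("ALL", "CRITICAL", "WARNING")

def raise_alerts(records, rules):
    """Evaluate every record on its own; each rule match yields one alert."""
    alerts = []
    for rec in records:
        for name, severity, condition in rules:
            if condition(rec):
                alerts.append({"alert": name, "severity": severity,
                               "source": rec["source"],
                               "category": rec["category"],
                               "user": rec["user"]})
    return alerts

def group_alerts(alerts, severity="ALL"):
    """Count alerts per (source, event category, severity) for one severity filter."""
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    return Counter((a["source"], a["category"], a["severity"])
                   for a in alerts
                   if severity == "ALL" or a["severity"] == severity)

if __name__ == "__main__":
    for key, count in sorted(group_alerts(raise_alerts(RECORDS, RULES)).items()):
        print(key, count)
```

Because every condition sees only one record, the two identical user creation failures on the same source produce two separate alerts rather than one correlated alert.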

3.2.1 Alert Report Page

From the Dashboard page, you click Alert Report at the top of the page to go directly to the Alert Report page.

On the Alert Report page, specify or select filter criteria to generate a report.

3.2.1.1 Report Fields and Filter Criteria on the Alert Page

Table 3-4 describes how to use each of the report fields and filter criteria.

Table 3-4 Report Fields and Filter Criteria on the Alert Report Page

Field Description

Alert Name

Enter Alert criteria or click the search icon for the Alert field. An alert is a situation in which data in an event matches an alert rule condition that causes the alert to be evaluated, raised, and stored in the alert queue for processing.

At the Search and Select: Alert page, you can filter the list or search for a specific item by entering text in the text field for the Alert field, Event Category field, Source Type field, and the Alert Severity field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Alert field with your selected filter criteria, and return to the Alert Report page.

Alert Severity

Select the severity level from the Alert Severity field. The options are: ALL, CRITICAL, or WARNING.

Audit Source

Enter Source criteria or click the search icon for the Audit Source field. A source is where events are created.

At the Search and Select: Audit Source page, you can filter the list or search for a specific item by entering text in the text field for the Audit Source field, Audit Source Host field, and the Source Host IP field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Source field with your selected filter criteria, and return to the Alert Report page.

User

Enter User criteria or click the search icon for the User field. A user is someone associated with an event.

At the Search and Select: User page, you can filter the list or search for a specific item by entering text in the text field for the User field, then click Go to see the items that are returned. Next, you can select one or more of the returned items that display by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the User field with your selected filter criteria, and return to the Alert Report page.

Audit Event Category

Enter Audit Event Category criteria or click the search icon for the Audit Event Category field.

At the Search and Select: Audit Event Category page, you can filter the list or search for a specific item by entering text in the text field for the Audit Event Category field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Audit Event Category field with your selected filter criteria, and return to the Alert Report page.

Audit Event

Enter Audit Event criteria or click the search icon for the Audit Event field. An event is the encapsulation into an audit record of some action in the audit data source.

At the Search and Select: Audit Event page, you can filter the list or search for a specific item by entering text in the text field for the Audit Event field and the Audit Event Category field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Audit Event field with your selected filter criteria, and return to the Alert Report page.

Object

Enter Object criteria or click the search icon for the Object field. An object is the entity on which an event is performed.

At the Search and Select: Object page, you can filter the list or search for a specific item by entering text in the text field for the Owner field and the Object field, then click Go to see the items that are returned. Next, you can select one or more of the returned items by clicking individual check boxes for each item listed, or click Select All to select all items. You can also click Select None to deselect all selected items and begin again. After making your selections, click Select to populate the Object field with your selected filter criteria, and return to the Alert Report page.

Audit Event Time

Select the Event Time field as being either during the Last 24 hours, Last One Week, Last One Month, or by The Period by clicking the option preceding each field. If you select The Period, you must enter a From date and a To date.


3.2.1.2 Actions to Perform on the Alert Report Page

When you have made your filter criteria selections, click Go to generate the report. Once you have generated the report, you can perform the following actions:

  • Click Save as CSV to save the report in comma-separated values (CSV) file format. The CSV file format is a delimited data format that has fields separated by the comma character and records separated by newlines.

  • From the filtered report that appears, you can click the Detail icon in the Detail column for the desired row to see a Detail Report for the audit record data representing that selected row.

  • Click Next 25 to view the next 25 listed items returned or click Previous to view the previous 25 listed items.

3.3 Data Warehouse

The reports provided by Oracle Audit Vault are useful for assessing the type of audit data being collected. It is also possible to leverage the data for more sophisticated compliance reporting and analysis. Oracle Audit Vault stores the data in a data warehouse. The schema for this warehouse is available to customers, and can be used in conjunction with in-house reporting and analysis tools, such as Oracle Business Intelligence Publisher and the Oracle Business Intelligence Suite.

Details of the Audit Vault data warehouse are provided in Appendix A.