This section describes new features in Oracle Audit Vault that affect auditors, and provides pointers to additional information. These new features reflect changes since Release 10.2.3.1.
This section contains:
Starting with this release, the Oracle Audit Vault data warehouse automatically refreshes, because Audit Vault can send thousands of audit records continuously to the repository. This feature enables the reports to reflect the audit data content up to the latest collection point.
See Chapter 4, "Oracle Audit Vault Data Warehouse Schema," for more information about the data warehouse.
This release introduces a new set of reports called entitlement reports. These reports capture privilege-related audit data from Oracle source databases, such as the types of privileges users have been granted, user account information, the system privileges that have been used in a source database, and so on.
To view the entitlement information, you retrieve it from the source databases, similar to retrieving audit policies from source databases. Each time the entitlement content is retrieved from the Oracle database, it creates a snapshot of the entitlement information, which records the state of the entitlement data at the time of retrieval. With this information, you can compare the snapshots of the entitlement content to see how it has changed over time. For example, you can find out how a user's set of privileges was changed, or what object privileges were modified, between snapshots.
See the following sections for more information:
Section 3.3.5 describes the entitlement reports
Section 3.8 describes how to create and work with snapshot audit data
E-mail notifications have been integrated into the Oracle Audit Vault alerts and reports. This provides the ability to e-mail you and your security team when an alert has been triggered in Oracle Audit Vault. This way, you and your team can proactively review violations in the business processes or malicious activity. In addition, you can notify managers that a report is ready for their review of database activity performed by their database administrative team. The notification contains a link to the report from the Oracle Audit Vault console, or you can directly attach the report to the notification in PDF format.
See the following sections for more information:
Section 2.12.2.2 describes how to create an e-mail notification profile, which is an e-mail address list that you can associate with the e-mail.
Section 2.12.2.3 describes how to create an e-mail notification template, which provides boilerplate text for the e-mail notification.
Section 2.12 describes how to configure an alert to use the e-mail notification.
Section 3.6 describes how to send other users an e-mail notification for a report.
You now can configure Oracle Audit Vault alerts to automatically generate trouble ticket notifications. Currently, you can use this feature for BMC Remedy Service Management trouble ticketing systems.
See the following sections for more information:
Section 2.12.2.4 describes how to create a trouble ticket template, which contains boilerplate text to be used for the trouble ticket.
Section 2.12 describes how to configure an alert to use the trouble ticket notification.
Section 2.13 describes how to send a trouble ticket notification from an alert.
When you schedule a report, you can optionally assign other auditors to attest to the report. While reviewing the report in Oracle Audit Vault, you, the auditor, can annotate the report with comments that will remain until the report is deleted. This enables you to create a record of all notes and attestations for the report in one place, with the most recent note and attestation listed first.
In addition to a record of all annotations and attestations, you can find additional detailed information about alerts and reports.
See the following sections for more information:
Section 3.6 describes how to assign other auditors to attest to a specific report.
Section 3.7 describes how to annotate and attest a report.
When you create an alert, you can create either a basic alert or an advanced alert. The advanced alert enables you to create a condition that can trigger the alert. In this release, you can incorporate more SQL functionality in the advanced alert condition that provides the ability to compare a list of valid values to incoming audit data content. For example, you can check whether the database activity was performed on a trusted host. You also can create PL/SQL functions that help you to retrieve more data to be used as a basis for triggering the alert. And, as described elsewhere in this section, you can configure the alert to be automatically sent to other users or to trigger a trouble ticket.
See Section 2.12.5 for more information.
You now can schedule reports to be generated in PDF format and then send them to a list of recipient users and to other auditors to attest. You can design the report so that it only captures data within a specified window of time based on when the report is run, and set formatting standards such as header and footer information, and whether the report will appear in portrait or landscape orientation.
See Section 3.6 for more information.
This release of Oracle Audit Vault provides many additional compliance reports and entitlement reports, which are designed to help meet compliance regulations that were established by the Sarbanes-Oxley Act (SOX) and Health Insurance Portability and Accountability Act (HIPAA).
The following table describes how the reports have changed for this release.
Report Name | Category of Report | Change for This Release |
---|---|---|
Audit Setting Changes Report | All compliance reports | Previously called the Changes to Audit Report |
Before/After Values Report | All compliance reports | Previously called the Data Change Report |
Changes to Audit Report | Default compliance reports | Now called the Audit Setting Changes Report |
Credit Card Related Data Access Report | Credit card compliance reports | New for this release |
Data Change Report | Default compliance reports | Now called the Before/After Values Report |
Database Failed Logins Report | All compliance reports | Previously called the Login Failures Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report. |
Database Login/Logoff Report | All compliance reports | Previously called the Login/Logoff Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report. |
Database Logoff Report | All compliance reports | Contains the user logoff information from the Login/Logoff Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report. |
Database Logon Report | All compliance reports | Contains the user logon information from the Login/Logoff Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report. |
Database Roles by Source Report | Default entitlement reports | New for this release |
Database Roles Report | Default entitlement reports | New for this release |
Database Startup/Shutdown Report | All compliance reports | New for this release |
Data Change Report | Default compliance reports | Now called the Program Changes Report |
DDL Report | Default compliance reports | Now called the Schema Changes Report |
Deleted Objects Report | All compliance reports | Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report |
EPHI Related Data Access Report | Health care compliance report | New for this release |
Financial Related Data Access Report | Financial compliance reports | New for this release |
Financial Related Data Modifications Report | Financial compliance reports | New for this release |
Login Failures Report | Default compliance reports | Now called the Database Failed Logins Report |
Login/Logoff Report | Default compliance reports | Now called the Database Login/Logoff Report |
Object Privileges by Source Report | Default entitlement reports | New for this release |
Object Privileges Report | Default entitlement reports | New for this release |
Privileged Users by Source Report | Default entitlement reports | New for this release |
Privileged Users Report | Default entitlement reports | New for this release |
Program Changes Report | All compliance reports | Previously called the Data Change Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report. |
Schema Changes Report | All compliance reports | Previously called the DDL Report. Mostly the same as in earlier releases except that the report varies depending on whether it is a credit card, financial, or health care compliance report. |
System Events Report | All compliance reports | New for this release |
System Privileges by Source Report | Default entitlement reports | New for this release |
System Privileges Report | Default entitlement reports | New for this release |
User Accounts by Source Report | Default entitlement reports | New for this release |
User Accounts Report | Default entitlement reports | New for this release |
User Privilege Change Activity Report | All compliance reports | New for this release |
User Privileges by Source Report | Default entitlement reports | New for this release |
User Privileges Report | Default entitlement reports | New for this release |
User Profiles by Source Report | Default entitlement reports | New for this release |
User Profiles Report | Default entitlement reports | New for this release |
See the following sections for more information about the new reports:
Section 3.4 describes the new compliance reports.
Section 3.3.5 describes the new entitlement reports.
This section contains:
Starting with this release, Oracle Audit Vault supports the following new audit events that were added to Oracle Database 11g Release 2 (11.2).
Event Name Description | Source Event | Oracle Audit Vault Category |
---|---|---|
ALTER ASSEMBLY | 217 | Application Management |
ALTER FLASHBACK ARCHIVE | 219 | System Management |
ALTER EDITION | 213 | Object Management |
ALTER MINING MODEL | 130 | Object Management |
ALTER PUBLIC SYNONYM | 134 | Object Management |
ALTER SYNONYM | 192 | Object Management |
CREATE ASSEMBLY | 216 | Application Management |
CREATE FLASHBACK ARCHIVE | 218 | System Management |
CREATE EDITION | 212 | Object Management |
CREATE MINING MODEL | 133 | Object Management |
DROP ASSEMBLY | 215 | Application Management |
DROP EDITION | 214 | Object Management |
DROP FLASHBACK ARCHIVE | 220 | System Management |
SELECT MINING MODEL | 131 | Data Access |
SUPER USER TRANSACTION CONTROL | 20000 | System Management |
See Appendix A, "Oracle Database Audit Events," for more information.
You can use the following Oracle Label Security-specific audit events for all supported Oracle Database Releases.
Event Name Description | Source Event | Oracle Audit Vault Category |
---|---|---|
APPLY TABLE OR SCHEMA POLICY | 500 | Object Management |
OBJECT EXISTS ERRORS | 505 | Role and Privilege Management |
PRIVILEGED ACTION | 506 | Role and Privilege Management |
REMOVE TABLE OR SCHEMA POLICY | 501 | Object Management |
SET USER OR PROGRAM UNIT LABEL | 502 | Role and Privilege Management |
See Appendix A, "Oracle Database Audit Events," for more information.
The following Oracle Database source events have changed:
Event Name Description | Previous Source Event | New Source Event |
---|---|---|
SHUTDOWN | 216 | 20005 |
STARTUP | 215 | 20004 |
SUPER USER DDL | 213 | 20002 |
SUPER USER DML | 214 | 20003 |
SUPER USER LOGON | 212 | 20001 |
SUPER USER UNKNOWN | 217 | 20006 |
See Appendix A, "Oracle Database Audit Events," for more information.
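The renumbering above frees source events 212 through 217, which the table of new Oracle Database 11g Release 2 (11.2) events assigns to the EDITION and ASSEMBLY events, so a saved filter that still uses an old number keeps running but matches a different event. The following is an added example, not Oracle code: it rewrites stale numbers in saved filters according to each rule's declared intent. The rule layout and the SOURCE_EVENTID and HOST_NAME column names are assumptions.

```python
import re

# "Source events have changed" table: event -> (previous, new) source event.
RENUMBERED = {
    "SHUTDOWN": (216, 20005), "STARTUP": (215, 20004),
    "SUPER USER DDL": (213, 20002), "SUPER USER DML": (214, 20003),
    "SUPER USER LOGON": (212, 20001), "SUPER USER UNKNOWN": (217, 20006),
}
# The vacated numbers as assigned in the Oracle Database 11.2 events table.
REUSED_BY = {
    212: "CREATE EDITION", 213: "ALTER EDITION", 214: "DROP EDITION",
    215: "DROP ASSEMBLY", 216: "CREATE ASSEMBLY", 217: "ALTER ASSEMBLY",
}

def migrate_rule(rule):
    """Return (new_filter, findings) for one saved rule.

    Only numbers that belonged to the events named in rule["events"] are
    rewritten, so a rule that really targets CREATE ASSEMBLY (216) is kept.
    """
    old_to_new = {RENUMBERED[e][0]: (e, RENUMBERED[e][1])
                  for e in rule["events"] if e in RENUMBERED}
    findings = []

    def swap(match):
        number = int(match.group())
        if number not in old_to_new:
            return match.group()
        event, new = old_to_new[number]
        findings.append(f"{event}: {number} -> {new} "
                        f"(stale value now matches {REUSED_BY[number]})")
        return str(new)

    # \b\d+\b matches whole numbers only, so 2160 or 'dbhost01' are untouched.
    return re.sub(r"\b\d+\b", swap, rule["filter"]), findings

# Constructed sample rules; the rule layout and column names are assumptions.
RULES = [
    {"name": "db-bounce", "events": ["STARTUP", "SHUTDOWN"],
     "filter": "SOURCE_EVENTID IN (215, 216)"},
    {"name": "sysdba-logon", "events": ["SUPER USER LOGON"],
     "filter": "SOURCE_EVENTID = 212 AND HOST_NAME <> 'dbhost01'"},
    {"name": "assembly-created", "events": ["CREATE ASSEMBLY"],
     "filter": "SOURCE_EVENTID = 216"},
]

if __name__ == "__main__":
    for rule in RULES:
        print(rule["name"], "=>", *migrate_rule(rule))
```

Each finding names the event a stale number would match after the change, which is the part worth reviewing before a rewritten filter replaces the saved one.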
For Microsoft SQL Server 2008, the following new events have been added to the User Session Events category.
Event Name Description | Source Event | Audit Vault Event |
---|---|---|
Audit Database Mirroring Login Event | DATABASE MIRRORING LOGIN:LOGIN SUCCESS | LOGON |
See Section B.14 for more information.
The Audit Vault Console has the following new enhancements:
Dashboard. The Dashboard, accessible from the Home tab, has been expanded to include the following new information:
Recently raised alerts, including all warning and critical alerts
Top five objects accessed
Failed logins
Report accession actions for the auditor who has logged into the Audit Vault Auditor console
The following components from earlier releases of Oracle Audit Vault are still available:
View data time ranges
Alert severity summary
Summary of alert activity
Top five audit sources by number of alerts
Alerts by audit event category
Statement, Object, Privilege, FGA, and Capture Rules Audit Settings pages. The audit settings pages for statements, object privileges, fine-grained auditing, and capture rules now have a Mark All as Not Needed button. If you have set one or more policies as being needed (for example, by clicking the Mark All as Needed button) and realize that this was not a good idea, you can reverse the action by clicking the Mark All as Not Needed button.
Audit Settings page. This page now has the following new functionality:
User Entitlement option. This option enables you to retrieve user entitlement (privileges) information from the source databases. See "User Entitlement Audit Data" for more information.
Check boxes for individual source databases. You now can select one or more source databases and then perform a bulk retrieval of the audit policies and user entitlement information from the selected source databases. To select all the source databases, select the Select All link; to remove them from selection, select Select None.
Settings tab. This tab provides access to pages that enable you to configure the following new features: notification profiles, notification templates, trouble ticket templates, and alert statuses. It also provides access to the Collector Status page.
This release introduces the AVSYS.AV$DW_BEFORE_AFTER PL/SQL package, which you can use to include before and after values collected by the REDO collector in your queries.
See Section 4.7 for more information.
This section contains:
Starting with this release, you can generate reports that have audit events for Sybase Adaptive Server (ASE) and IBM DB2 databases. The supported releases for these two database products are as follows:
Sybase ASE: ASE 12.5.4 and ASE 15.0.2 on platforms based on Linux and UNIX, and on Microsoft Windows platforms
IBM DB2: IBM DB2 Version 8.2 and Version 9.5 on platforms based on Linux and UNIX, and on Microsoft Windows platforms. If you are using Version 8.2, ensure that you have installed Fixpack 16.
See the following sections for more information: