Contents

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

What's New in Oracle Audit Vault for Auditors?

• Near Real Time Activity Monitoring
• User Entitlement Audit Data
• E-Mail Notifications for Alerts and Reports
• Trouble Ticket Notifications for Alerts
• Annotating and Attesting Alerts and Reports
• More Functionality for Advanced Alerts
• Scheduling Reports to be Sent to Other Users in PDF Format
• Additional and Changed Reports
• New and Changed Audit Events
• Oracle Audit Vault Console User Interface Enhancements

1 Introducing Oracle Audit Vault for Auditors

• 1.1 How Do Auditors Use Oracle Audit Vault?
• 1.2 General Steps for Using Oracle Audit Vault
  • 1.2.1 Step 1: Ensure That the Source Databases Are Collecting Audit Data
  • 1.2.2 Step 2: Create Audit Policies for Oracle Database Data
  • 1.2.3 Step 3: Optionally, Create and Monitor Alerts
  • 1.2.4 Step 4: View and Customize the Oracle Audit Vault Reports
  • 1.2.5 Step 5: Respond to Reports and Alerts
• 1.3 Database Requirements for Collecting Audit Data
  • 1.3.1 Requirements for Oracle Database
    • 1.3.1.1 Ensuring That Auditing Is Enabled in the Source Database
    • 1.3.1.2 Using Recommended Audit Settings in the Source Database
  • 1.3.2 Requirements for SQL Server, Sybase ASE, and IBM DB2 Databases
• 1.4 Starting the Oracle Audit Vault Console
• 1.5 Ensuring That the Oracle Audit Vault Collectors Can Collect Data

2 Creating Oracle Audit Vault Policies and Alerts

• 2.1 About Oracle Audit Vault Policies and Alerts
• 2.2 General Steps for Creating Oracle Audit Vault Policies and Alerts
• 2.3 Retrieving Audit Policy Settings from the Source Oracle Database
  • 2.3.1 Step 1: Retrieve the Audit Settings from the Source Oracle Database
  • 2.3.2 Step 2: Activate (Update) the Fetched Audit Settings State
• 2.4 Creating Oracle Vault Audit Policies for SQL Statements
  • 2.4.1 About SQL Statement Auditing
  • 2.4.2 Defining a SQL Statement Audit Policy
• 2.5 Creating Oracle Audit Vault Policies for Schema Objects
  • 2.5.1 About Schema Object Auditing
  • 2.5.2 Defining a Schema Object Audit Policy
• 2.6 Creating Oracle Audit Vault Policies for Privileges
  • 2.6.1 About Privilege Auditing
  • 2.6.2 Defining a Privilege Audit Policy
• 2.7 Creating Oracle Audit Vault Policies for Fine-Grained Auditing
  • 2.7.1 About Fine-Grained Auditing
    • 2.7.1.1 Auditing Specific Columns and Rows
    • 2.7.1.2 Using Event Handlers in Fine-Grained Auditing
  • 2.7.2 Defining a Fine-Grained Auditing Policy
• 2.8 Creating Capture Rules for Redo Log File Auditing
  • 2.8.1 About Capture Rules Used for Redo Log File Auditing
  • 2.8.2 Defining a Capture Rule for Redo Log File Auditing
• 2.9 Verifying Oracle Audit Vault Policy Settings
• 2.10 Provisioning Audit Vault Policies to the Source Oracle Database
  • 2.10.1 Saving the Audit Policy Settings to a SQL Script for a Database Administrator
  • 2.10.2 Manually Provisioning the Audit Policy Settings to the Source Database
• 2.11 Copying Oracle Audit Vault Policies to Other Oracle Databases
• 2.12 Creating and Configuring Alerts
  • 2.12.1 About Alerts
  • 2.12.2 Creating Templates to be Used for Alerts
    • 2.12.2.1 Creating an E-Mail Notification Profile
    • 2.12.2.2 Creating an E-Mail Notification Template
    • 2.12.2.3 Creating a Trouble Ticket Template
  • 2.12.3 Creating Alert Status Values
  • 2.12.4 Creating a Basic Alert
  • 2.12.5 Creating an Advanced Alert
    • 2.12.5.1 About Advanced Alerts
    • 2.12.5.2 Creating an Advanced Alert That Uses a Condition
    • 2.12.5.3 Creating an Advanced Alert Condition That Uses a Function
  • 2.12.6 Monitoring Alerts
• 2.13 Responding to an Alert
• 2.14 Setting a Retention Period for Audit Data

3 Using Oracle Audit Vault Reports

• 3.1 What Are Oracle Audit Vault Reports?
• 3.2 Accessing the Oracle Audit Vault Audit Reports
• 3.3 Using the Default Reports
  • 3.3.1 About the Default Reports
  • 3.3.2 Using the Default Access Reports
    • 3.3.2.1 About the Default Access Reports
    • 3.3.2.2 Activity Overview Report
    • 3.3.2.3 Data Access Report
    • 3.3.2.4 Database Vault Report
    • 3.3.2.5 Distributed Database Report
    • 3.3.2.6 Procedure Executions Report
    • 3.3.2.7 User Sessions Report
  • 3.3.3 Using the Default Management Activity Reports
    • 3.3.3.1 About the Default Management Activity Reports
    • 3.3.3.2 Account Management Report
    • 3.3.3.3 Audit Commands Report
    • 3.3.3.4 Object Management Report
    • 3.3.3.5 Procedure Management Report
    • 3.3.3.6 Role and Privilege Management Report
    • 3.3.3.7 System Management Report
  • 3.3.4 Using the Default System Exception Reports
    • 3.3.4.1 About the Default System Exception Reports
    • 3.3.4.2 Exception Activity Report
    • 3.3.4.3 Invalid Audit Record Report
    • 3.3.4.4 Uncategorized Activity Report
  • 3.3.5 Using the Default Entitlement Reports
    • 3.3.5.1 About the Default Entitlement Reports
    • 3.3.5.2 User Accounts Report and User Accounts by Source Report
    • 3.3.5.3 User Privileges Report and User Privileges by Source Report
    • 3.3.5.4 User Profiles Report and User Profiles by Source Report
    • 3.3.5.5 Database Roles Report and Database Roles by Source Report
    • 3.3.5.6 System Privileges Report and System Privileges by Source Report
    • 3.3.5.7 Object Privileges Report and Object Privileges by Source Report
    • 3.3.5.8 Privileged Users Report and Privileged Users by Source Report
• 3.4 Using the Compliance Reports
  • 3.4.1 About the Compliance Reports
  • 3.4.2 Credit Card Compliance Report: Related Data Access Compliance Report
  • 3.4.3 Financial Compliance Reports
    • 3.4.3.1 Financial Related Data Access Report
    • 3.4.3.2 Financial Related Data Modifications Report
  • 3.4.4 Health Care Compliance Report: EPHI Related Data Access Report
  • 3.4.5 Common Credit Card, Financial, and Health Care Compliance Reports
    • 3.4.5.1 Audit Setting Changes Report
    • 3.4.5.2 Before/After Values Report
    • 3.4.5.3 Database Failed Logins Report
    • 3.4.5.4 Database Login/Logoff Report
    • 3.4.5.5 Database Logoff Report
    • 3.4.5.6 Database Logon Report
    • 3.4.5.7 Database Startup/Shutdown Report
    • 3.4.5.8 Deleted Objects Report
    • 3.4.5.9 Program Changes Report
    • 3.4.5.10 Schema Changes Report
    • 3.4.5.11 System Events Report
    • 3.4.5.12 User Privilege Change Activity Report
• 3.5 Using the Critical and Warning Alert Reports
  • 3.5.1 About the Critical and Warning Alert Reports
  • 3.5.2 All Alerts Report
  • 3.5.3 Critical Alerts Report
  • 3.5.4 Warning Alerts Report
• 3.6 Scheduling and Creating PDF Reports
  • 3.6.1 About Scheduling and Creating PDF Reports
  • 3.6.2 Scheduling and Creating a PDF Report
• 3.7 Annotating and Attesting Reports
  • 3.7.1 About Annotating and Attesting Reports
  • 3.7.2 Annotating and Attesting a Report
• 3.8 Generating and Comparing Snapshots of Entitlement Audit Data
  • 3.8.1 About Entitlement Report Snapshots and Labels
  • 3.8.2 General Steps for Using Entitlement Reports
  • 3.8.3 Retrieving Entitlement Audit Data to Create the Snapshot
  • 3.8.4 Creating an Entitlement Snapshot Label
  • 3.8.5 Assigning Snapshots to a Label
  • 3.8.6 Viewing Entitlement Snapshot and Label Audit Data
    • 3.8.6.1 Checking Entitlement Reports for Individual Snapshot or Label Audit Data
    • 3.8.6.2 Checking Entitlement Reports for Changes to Snapshot or Label Audit Data
• 3.9 Controlling the Display of Data in a Report
  • 3.9.1 About Controlling the Display of Report Data
  • 3.9.2 Hiding or Showing Columns in a Report
    • 3.9.2.1 Hiding the Currently Selected Column
    • 3.9.2.2 Hiding or Showing Any Column
  • 3.9.3 Filtering Data in a Report
    • 3.9.3.1 Filtering All Rows Based on Data from the Currently Selected Column
    • 3.9.3.2 Filtering Column and Row Data
    • 3.9.3.3 Filtering Row Data Using an Expression
  • 3.9.4 Sorting Data in a Report
    • 3.9.4.1 Sorting Row Data for the Currently Selected Column
    • 3.9.4.2 Sorting Row Data for All Columns
  • 3.9.5 Highlighting Rows in a Report
  • 3.9.6 Charting Data in a Report
  • 3.9.7 Adding a Control Break to a Column in a Report
  • 3.9.8 Resetting the Report Display Values to Their Default Settings
• 3.10 Finding Information About Report Data
  • 3.10.1 Finding Detailed Information About an Audit Record
  • 3.10.2 Finding Information About the Purpose of a Column
• 3.11 Working with User-Defined Reports
  • 3.11.1 About User-Defined Reports
  • 3.11.2 Creating a Category for User-Defined Reports
    • 3.11.2.1 Creating a Category Name
    • 3.11.2.2 Alphabetizing the Category Name List
    • 3.11.2.3 Editing a Category Name
  • 3.11.3 Creating a User-Defined Report
  • 3.11.4 Accessing a User-Defined Report
• 3.12 Downloading a Report to a CSV File

4 Oracle Audit Vault Data Warehouse Schema

• 4.1 About the Oracle Audit Vault Data Warehouse Schema
• 4.2 Oracle Audit Vault Audit Data Warehouse Architecture
• 4.3 Design of the Audit Data Warehouse Schema
• 4.4 How the Fact Table and Dimension Tables Work
• 4.5 Fact Table Constraints and Indexes
• 4.6 Relationships Between the Fact and Dimension Tables
  • 4.6.1 AUDIT_EVENT_FACT Fact Table
  • 4.6.2 CLIENT_HOST_DIM Dimension Table
  • 4.6.3 CLIENT_TOOL_DIM Dimension Table
  • 4.6.4 CONTEXT_DIM Dimension Table
  • 4.6.5 EVENT_DIM Dimension Table
  • 4.6.6 PRIVILEGES_DIM Dimension Table
  • 4.6.7 SOURCE_DIM Dimension Table
  • 4.6.8 TARGET_DIM Dimension Table
  • 4.6.9 TIME_DIM Dimension Table
  • 4.6.10 USER_DIM Dimension Table

A Oracle Database Audit Events

• A.1 About the Oracle Database Audit Events
• A.2 Account Management Events
• A.3 Application Management Events
• A.4 Audit Command Events
• A.5 Data Access Events
• A.6 Oracle Database Vault Events
• A.7 Exception Events
• A.8 Invalid Record Events
• A.9 Object Management Events
• A.10 Peer Association Events
• A.11 Role and Privilege Management Events
• A.12 Service and Application Utilization Events
• A.13 System Management Events
• A.14 Unknown or Uncategorized Events
• A.15 User Session Events

B Microsoft SQL Server Audit Events

• B.1 About the Microsoft SQL Server Audit Events
• B.2 Account Management Events
• B.3 Application Management Events
• B.4 Audit Command Events
• B.5 Data Access Events
• B.6 Exception Events
• B.7 Invalid Record Events
• B.8 Object Management Events
• B.9 Peer Association Events
• B.10 Role and Privilege Management Events
• B.11 Service and Application Utilization Events
• B.12 System Management Events
• B.13 Unknown or Uncategorized Events
• B.14 User Session Events

C Sybase Adaptive Server Enterprise Audit Events

• C.1 About the Sybase Adaptive Server Enterprise Audit Events
• C.2 Account Management Events
• C.3 Application Management Events
• C.4 Audit Command Events
• C.5 Data Access Events
• C.6 Exception Events
• C.7 Invalid Record Events
• C.8 Object Management Events
• C.9 Peer Association Events
• C.10 Role and Privilege Management Events
• C.11 Service and Application Utilization Events
• C.12 System Management Events
• C.13 Unknown or Uncategorized Events
• C.14 User Session Events

D IBM DB2 Audit Events

• D.1 About the IBM DB2 Audit Events
• D.2 Account Management Events
• D.3 Application Management Events
• D.4 Audit Command Events
• D.5 Data Access Events
• D.6 Exception Events
• D.7 Invalid Record Events
• D.8 Object Management Events
• D.9 Peer Association Events
• D.10 Role and Privilege Management Events
• D.11 Service and Application Utilization Events
• D.12 System Management Events
• D.13 Unknown or Uncategorized Events
• D.14 User Session Events

Index