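This appendix contains examples of different types of collection plug-ins.
This section contains the following topics:
The following attributes and fields are mandatory: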
securedTargetType
maxSecuredTargetVersion
version
TableName
Driver
EventTimeUTC
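CommandClass transformation
EventStatus transformation
MarkerField
Source names that map to the following Audit Vault Server fields are not mandatory, but if data collection starts without this information specified, all audit records are treated as invalid.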
UserName
CommandClass
Example C-1 Sample XML Mapper File for a Database Table Collection Plug-in
<AVTableCollectorTemplate securedTargetType="DBSOURCE" minSecuredTargetVersion="10.2.0"
maxSecuredTargetVersion="11.0" version="1.0" >
<!--Example Template for a database Collector-->
<!-- Attributes: securedTargetType, maxSecuredTargetVersion,
and version are mandatory;
minSecuredTargetVersion attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and
version attribute value is numbers separated by
dots (For example: 12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Audit Table Information -->
<!-- Name of Audit Table: Mandatory information -->
<TableName>dummy_auditTable</TableName>
<!-- Source Connection Information -->
<ConnectionInfo>
<!--Datasource class name for current secured target type:
Mandatory information -->
</ConnectionInfo>
<!-- This Gives Mapping Information of Source Fields to various AV
Fields(core and large fields) -->
<!-- There should be no many-to-one mappings from source fields to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server -->
<!-- Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String-->
<CoreFields>
<Map>
<!-- Mandatory: EventTime mapping information -->
<Name>EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass core field
mapping is not provided, Audit Data Collection still starts
successfully, but all audit records are treated as invalid -->
<Name>ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformation from secured target field value
to command class field value. Value of "to" Attribute is from AV
Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE"/>
<ValueTransformation from="2" to="INSERT"/>
<ValueTransformation from="3" to="SELECT"/>
<ValueTransformation from="4" to="CREATE"/>
<ValueTransformation from="15" to="READ"/>
<ValueTransformation from="30" to="LOGON"/>
<ValueTransformation from="34" to="LOGOFF"/>
<ValueTransformation from="35" to="ACQUIRE"/>
</Transformation>
</Map>
<Map>
<Name>OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Value transformation for "STATUS" source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE"/>
<ValueTransformation from="1" to="SUCCESS"/>
<ValueTransformation from="2" to="UNKNOWN"/>
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Secured target fields specified in large field mappings must be
of SQL Datatype:CLOB OR SQL Datatype:String OR convertible to
String -->
<LargeFields>
<Map>
<Name>SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These secured target fields are collected in a single extension
field, all name-value pairs separated by standard delimiter -->
<!-- Secured target fields specified in extension field mapping must
be of SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>DB_ID</Name>
<Name>INSTANCE</Name>
<Name>PROCESS</Name>
<Name>TERMINAL</Name>
</ExtensionField>
<!-- Mandatory: Secured target fields for MarkerField
A group of secured target fields to uniquely identify each Audit
Record -->
<!-- Secured target fields specified to be used as MarkerField mapping
must be of SQL Datatype:String OR convertible to String -->
<MarkerField>
<Name>SESSION_ID</Name>
<Name>ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVTableCollectorTemplate>
This is a sample manifest file for a database table collection plug-in.
Example C-2 Sample Manifest File for a Database Table Collection Plug-in
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
xmlns="http://xmlns.oracle.com/av/plugin"
name="HRMS-Template"
id="com.oracle.av.plugin"
version="1.0"
provider-name="Oracle Corp."
copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by this
plugin. This is represented by the "min" attribute of
<targetVersion> tag -->
<targetVersion min="11.1.0.0.0"/>
<extensionSet>
<extensionPoint type= "securedTargetType">
<!-- Tag: fileList: Lists all files that ship with the plugin -->
<fileList>
<jars></jars>
<templates>
<include file="DBSource-Mapper.xml"/>
</templates>
<bin></bin>
<config></config>
<shell></shell>
<patch></patch>
<unresolved-external>
</unresolved-external>
</fileList>
<!-- Tag: securedTargetTypeInfo: Contains secured target type and
trail information -->
<securedTargetTypeInfo name="DBSOURCE"/>
<!-- Tag: trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>TABLE</trailType>
<className name="oracle.av.platform.agent.collfwk.Collector.table.DatabaseTableCollector"/>
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment
The files listed here must be present in the <patch>
tag entries. The order in which the patches need to be
applied can be controlled via the "order" attribute
Patches with lower "order" value will be applied
first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>
</extensionPoint>
</extensionSet>
</plugin>
This section contains the following topics:
The following attributes and fields are mandatory:
securedTargetType
maxSecuredTargetVersion
version
HeaderInfo
RecordInfo
EventTimeUTC
CommandClass transformation
EventStatus transformation
MarkerField
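Source names that map to the following Audit Vault Server fields are not mandatory, but if data collection starts without this information specified, all audit records are treated as invalid.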
UserName
CommandClass
Example C-3 Sample Mapper File for an XML File Collection Plug-in
<AVXMLCollectorTemplate securedTargetType="XMLSOURCE"
maxSecuredTargetVersion="11.0"
version="1.0">
<!--Example Template for XML template collector-->
<!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
"version" are mandatory attributes, "minSecuredTargetVersion"
attribute is optional -->
<!-- Accepted Format for min/maxSecuredTargetVersion and version
attribute value is numbers separated by dots (For example:
12.2,10.3.2, 11.2.3.0 etc..)-->
<!-- Header Information like XML Header start tag -->
<HeaderInfo>
<!-- Mandatory: HeaderInfo-->
<!-- Value in this tag gives Root tag of the XML audit file-->
<StartTag>Audit</StartTag>
</HeaderInfo>
<!-- Record Information like Record Start tag and conformation to hold
original record -->
<RecordInfo>
<!-- Mandatory: RecordInfo -->
<!-- Provides starting tag of audit record in XML audit file -->
<StartTag>AuditRecord</StartTag>
</RecordInfo>
<!-- Gives Mapping Information of Source Fields to various AV Fields
(core and large fields) -->
<!-- Not Allowed: many-to-one mapping from source field to
AV Server fields -->
<FieldMappingInfo>
<!-- Mapping of Source Fields to Core Fields of AV server
Source fields specified in core field mappings must be of SQL
Datatype: String OR convertible to String -->
<CoreFields>
<Map>
<Name>EVENT_TIME</Name>
<MapTo>EventTimeUTC</MapTo>
<TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern>
</Map>
<Map>
<!-- If UserName core field mapping is not provided, Audit Data
Collection still starts successfully, but every audit record
will be treated as invalid -->
<Name>USER_ID</Name>
<MapTo>UserName</MapTo>
</Map>
<Map>
<Name>OS_USER_ID</Name>
<MapTo>OSUserName</MapTo>
</Map>
<Map>
<!-- If source name, the ACTION field, for CommandClass
core field mapping is not provided, Audit Data Collection
still starts successfully, but all audit records are treated
as invalid -->
<Name>ACTION</Name>
<MapTo>CommandClass</MapTo>
<!-- Mandatory: value transformations from source to Action
field value. Value of "to" Attribute is from AV Event set -->
<Transformation>
<ValueTransformation from="1" to="CREATE"/>
<ValueTransformation from="2" to="INSERT"/>
<ValueTransformation from="3" to="SELECT"/>
<ValueTransformation from="4" to="CREATE"/>
<ValueTransformation from="15" to="READ"/>
<ValueTransformation from="30" to="LOGON"/>
<ValueTransformation from="34" to="LOGOFF"/>
<ValueTransformation from="35" to="ACQUIRE"/>
</Transformation>
</Map>
<Map>
<Name>OBJ_NAME</Name>
<MapTo>TargetObject</MapTo>
</Map>
<Map>
<Name>USER_HOST</Name>
<MapTo>ClientHostName</MapTo>
</Map>
<Map>
<Name>OBJ_CREATOR</Name>
<MapTo>TargetOwner</MapTo>
</Map>
<Map>
<Name>STATUS</Name>
<MapTo>EventStatus</MapTo>
<!-- Specifying value transformation for Status source field value.
Mandatory: EventStatus value transformation.
There are three possible values for EventStatus:
SUCCESS, FAILURE, UNKNOWN -->
<Transformation>
<ValueTransformation from="0" to="FAILURE"/>
<ValueTransformation from="1" to="SUCCESS"/>
<ValueTransformation from="2" to="UNKNOWN"/>
</Transformation>
</Map>
</CoreFields>
<!-- Mapping of Source Fields to Large Fields of AV server i.e fields
with huge content -->
<!-- Source fields specified in large field mappings must be of SQL
Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
<LargeFields>
<Map>
<Name>SQL_TEXT</Name>
<MapTo>CommandText</MapTo>
</Map>
<Map>
<Name>COMMAND_PARAMETER</Name>
<MapTo>CommandParam</MapTo>
</Map>
</LargeFields>
<!-- These Source fields will be collected in a single extension
field, all name-value pairs are separated by standard delimiter -->
<!-- Source fields specified in extension field mapping must be of
SQL Datatype:String OR convertible to String -->
<ExtensionField>
<Name>DB_ID</Name>
<Name>INSTANCE</Name>
<Name>PROCESS</Name>
<Name>TERMINAL</Name>
</ExtensionField>
<!-- This is group of source fields for uniquely identifying each
Audit Record Marker -->
<!-- Source fields specified to be used as Marker field mapping must
be of SQL Datatype:String OR convertible to String -->
<!-- Mandatory: Source fields for MarkerField -->
<MarkerField>
<Name>SESSION_ID</Name>
<Name>ENTRY_ID</Name>
</MarkerField>
</FieldMappingInfo>
</AVXMLCollectorTemplate>
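The mandatory items listed above for the table and XML mapper templates can be checked before a plug-in is packaged, so that a mapper that would cause every audit record to be treated as invalid is caught early. The following Python code is an added example, not part of the Oracle documentation or product. The name `check_mapper` and the sample mapper are constructed for illustration, and the Driver entry is not checked because the sample above does not show its element.

```python
import re
import xml.etree.ElementTree as ET

MARKER = "FieldMappingInfo/MarkerField/Name"
REQUIRED = {"AVTableCollectorTemplate": ["TableName", MARKER],  # root -> mandatory elements
            "AVXMLCollectorTemplate": ["HeaderInfo/StartTag", "RecordInfo/StartTag", MARKER]}

def check_mapper(xml_text):
    """Return (errors, warnings) for one mapper file, per the rules on this page."""
    root = ET.fromstring(xml_text)  # assumption: locally authored, trusted file
    errors, warnings = [], []
    if root.tag not in REQUIRED:
        return [f"unexpected root <{root.tag}>"], warnings
    errors += [f"missing attribute {a}" for a in
               ("securedTargetType", "maxSecuredTargetVersion", "version") if a not in root.attrib]
    errors += [f"bad version format in {a}" for a, v in root.attrib.items()  # dotted numbers
               if a.lower().endswith("version") and not re.fullmatch(r"\d+(\.\d+)*", v)]
    errors += [f"missing element {p}" for p in REQUIRED[root.tag]
               if not (root.findtext(p) or "").strip()]
    maps = {}  # AV Server field -> the <Map> elements that target it
    for m in root.iterfind("FieldMappingInfo/*/Map"):
        maps.setdefault((m.findtext("MapTo") or "").strip(), []).append(m)
    def source(field):  # source name mapped to an AV Server field, or ""
        return (maps[field][0].findtext("Name") or "").strip() if field in maps else ""
    errors += [f"many-to-one mapping onto {f}" for f, ms in maps.items() if len(ms) > 1]
    if not source("EventTimeUTC"):
        errors.append("missing EventTimeUTC mapping")
    for field in ("CommandClass", "EventStatus"):  # both transformations are mandatory
        to = {v.get("to") for m in maps.get(field, [])
              for v in m.iterfind("Transformation/ValueTransformation")}
        if not to:
            errors.append(f"missing {field} transformation")
        if field == "EventStatus" and to - {"SUCCESS", "FAILURE", "UNKNOWN"}:
            errors.append("EventStatus transformation has an unknown target value")
    warnings += [f"no source for {f}: every audit record will be treated as invalid"
                 for f in ("UserName", "CommandClass") if not source(f)]
    return errors, warnings

# Constructed sample: UserName is unmapped and EventStatus maps to a value outside the set.
SAMPLE = """<AVTableCollectorTemplate securedTargetType="DBSOURCE"
 maxSecuredTargetVersion="11.0" version="1.0"><TableName>dummy_auditTable</TableName>
<FieldMappingInfo><CoreFields><Map><Name>EVENT_TIME</Name><MapTo>EventTimeUTC</MapTo></Map>
<Map><Name>ACTION</Name><MapTo>CommandClass</MapTo>
 <Transformation><ValueTransformation from="30" to="LOGON"/></Transformation></Map>
<Map><Name>STATUS</Name><MapTo>EventStatus</MapTo>
 <Transformation><ValueTransformation from="0" to="FAILED"/></Transformation></Map>
</CoreFields><MarkerField><Name>SESSION_ID</Name></MarkerField></FieldMappingInfo>
</AVTableCollectorTemplate>"""
if __name__ == "__main__":
    print(check_mapper(SAMPLE))
```
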
This is a sample manifest file for an XML file collection plug-in.
Example C-4 Sample Manifest File for an XML File Collection Plug-in
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
xmlns="http://xmlns.oracle.com/av/plugin"
name="Oracle-XML-Template"
id="com.oracle.av.plugin"
version="1.0"
provider-name="Oracle Corp."
copyright="Copyright Oracle Corp. 2011">
<!-- targetVersion: Version of Oracle Audit Vault supported by
this plugin. This is represented by the "min" attribute of
<targetVersion> tag -->
<targetVersion min="11.1.0.0.0"/>
<extensionSet>
<extensionPoint type= "securedTargetType">
<!-- fileList: Lists *all* the files that ship with the plugin -->
<fileList>
<jars></jars>
<templates>
<include file="XMLSource-Mapper.xml"/>
</templates>
<bin></bin>
<config></config>
<shell></shell>
<patch></patch>
<unresolved-external></unresolved-external>
</fileList>
<!-- securedTargetTypeInfo: Contains source type and trail information
-->
<securedTargetTypeInfo name="oracle"/>
<!-- trailType: contains trail type, location , classname for
source type testSource -->
<trailInfo>
<trailType>DIRECTORY</trailType>
<className name="oracle.av.platform.agent.collfwk.ezcollector.xml.XMLFileCollector"/>
</trailInfo>
<!-- eventPatch: OPTIONAL field that indicates any event patches
that need to be applied as part of plugin deployment
The files listed here must be present in the <patch>
tag entries. The order in which the patches need to be
applied can be controlled via the "order" attribute
Patches with lower "order" value will be applied
first -->
<eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>
</extensionPoint>
</extensionSet>
</plugin>