This appendix contains examples of different types of collection plug-ins.
The following attributes and fields are mandatory:
securedTargetType
maxSecuredTargetVersion
version
TableName
Driver
EventTimeUTC
CommandClass
  Transformation
EventStatus
  Transformation
MarkerField
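A source name that maps to each of the following Audit Vault Server fields is not mandatory, but if data collection starts without this information, all audit records are treated as invalid.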
UserName
CommandClass
Example C-1 Sample XML Mapper File for a Database Table Collection Plug-in
<AVTableCollectorTemplate securedTargetType="DBSOURCE"
                          minSecuredTargetVersion="10.2.0"
                          maxSecuredTargetVersion="11.0"
                          version="1.0">
  <!-- Example Template for a database Collector -->
  <!-- Attributes: securedTargetType, maxSecuredTargetVersion, and version
       are mandatory; minSecuredTargetVersion attribute is optional -->
  <!-- Accepted Format for min/maxSecuredTargetVersion and version attribute
       value is numbers separated by dots
       (For example: 12.2, 10.3.2, 11.2.3.0 etc.) -->

  <!-- Audit Table Information -->
  <!-- Name of Audit Table: Mandatory information -->
  <TableName>dummy_auditTable</TableName>

  <!-- Source Connection Information -->
  <ConnectionInfo>
    <!-- Datasource class name for current secured target type:
         Mandatory information -->
  </ConnectionInfo>

  <!-- This Gives Mapping Information of Source Fields to various AV Fields
       (core and large fields) -->
  <!-- There should be no many-to-one mappings from source fields to
       AV Server fields -->
  <FieldMappingInfo>
    <!-- Mapping of Source Fields to Core Fields of AV server -->
    <!-- Source fields specified in core field mappings must be of
         SQL Datatype: String OR convertible to String -->
    <CoreFields>
      <Map>
        <!-- Mandatory: EventTime mapping information -->
        <Name>EVENT_TIME</Name>
        <MapTo>EventTimeUTC</MapTo>
      </Map>
      <Map>
        <!-- If UserName core field mapping is not provided, Audit Data
             Collection still starts successfully, but every audit record
             will be treated as invalid -->
        <Name>USER_ID</Name>
        <MapTo>UserName</MapTo>
      </Map>
      <Map>
        <Name>OS_USER_ID</Name>
        <MapTo>OSUserName</MapTo>
      </Map>
      <Map>
        <!-- If source name, the ACTION field, for CommandClass core field
             mapping is not provided, Audit Data Collection still starts
             successfully, but all audit records are treated as invalid -->
        <Name>ACTION</Name>
        <MapTo>CommandClass</MapTo>
        <!-- Mandatory: value transformation from secured target field value
             to command class field value.
             Value of "to" Attribute is from AV Event set -->
        <Transformation>
          <ValueTransformation from="1" to="CREATE"/>
          <ValueTransformation from="2" to="INSERT"/>
          <ValueTransformation from="3" to="SELECT"/>
          <ValueTransformation from="4" to="CREATE"/>
          <ValueTransformation from="15" to="READ"/>
          <ValueTransformation from="30" to="LOGON"/>
          <ValueTransformation from="34" to="LOGOFF"/>
          <ValueTransformation from="35" to="ACQUIRE"/>
        </Transformation>
      </Map>
      <Map>
        <Name>OBJ_NAME</Name>
        <MapTo>TargetObject</MapTo>
      </Map>
      <Map>
        <Name>USER_HOST</Name>
        <MapTo>ClientHostName</MapTo>
      </Map>
      <Map>
        <Name>OBJ_CREATOR</Name>
        <MapTo>TargetOwner</MapTo>
      </Map>
      <Map>
        <Name>STATUS</Name>
        <MapTo>EventStatus</MapTo>
        <!-- Value transformation for "STATUS" source field value.
             Mandatory: EventStatus value transformation.
             There are three possible values for EventStatus:
             SUCCESS, FAILURE, UNKNOWN -->
        <Transformation>
          <ValueTransformation from="0" to="FAILURE"/>
          <ValueTransformation from="1" to="SUCCESS"/>
          <ValueTransformation from="2" to="UNKNOWN"/>
        </Transformation>
      </Map>
    </CoreFields>

    <!-- Mapping of Source Fields to Large Fields of AV server,
         i.e. fields with huge content -->
    <!-- Secured target fields specified in large field mappings must be of
         SQL Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
    <LargeFields>
      <Map>
        <Name>SQL_TEXT</Name>
        <MapTo>CommandText</MapTo>
      </Map>
      <Map>
        <Name>COMMAND_PARAMETER</Name>
        <MapTo>CommandParam</MapTo>
      </Map>
    </LargeFields>

    <!-- These secured target fields are collected in a single extension
         field, all name-value pairs separated by standard delimiter -->
    <!-- Secured target fields specified in extension field mapping must be
         of SQL Datatype:String OR convertible to String -->
    <ExtensionField>
      <Name>DB_ID</Name>
      <Name>INSTANCE</Name>
      <Name>PROCESS</Name>
      <Name>TERMINAL</Name>
    </ExtensionField>

    <!-- Mandatory: Secured target fields for MarkerField.
         A group of secured target fields to uniquely identify each
         Audit Record -->
    <!-- Secured target fields specified to be used as MarkerField mapping
         must be of SQL Datatype:String OR convertible to String -->
    <MarkerField>
      <Name>SESSION_ID</Name>
      <Name>ENTRY_ID</Name>
    </MarkerField>
  </FieldMappingInfo>
</AVTableCollectorTemplate>
This is a sample manifest file for a database table collection plug-in.
Example C-2 Sample Manifest File for a Database Table Collection Plug-in
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
        xmlns="http://xmlns.oracle.com/av/plugin"
        name="HRMS-Template"
        id="com.oracle.av.plugin"
        version="1.0"
        provider-name="Oracle Corp."
        copyright="Copyright Oracle Corp. 2011">

  <!-- targetVersion: Version of Oracle Audit Vault supported by this plugin.
       This is represented by the "min" attribute of <targetVersion> tag -->
  <targetVersion min="11.1.0.0.0"/>

  <extensionSet>
    <extensionPoint type="securedTargetType">

      <!-- Tag: fileList: Lists all files that ship with the plugin -->
      <fileList>
        <jars></jars>
        <templates>
          <include file="DBSource-Mapper.xml"/>
        </templates>
        <bin></bin>
        <config></config>
        <shell></shell>
        <patch></patch>
        <unresolved-external></unresolved-external>
      </fileList>

      <!-- Tag: securedTargetTypeInfo: Contains secured target type and
           trail information -->
      <securedTargetTypeInfo name="DBSOOURCE"/>

      <!-- Tag: trailType: contains trail type, location, classname for
           source type testSource -->
      <trailInfo>
        <trailType>TABLE</trailType>
        <className name="oracle.av.platform.agent.collfwk.Collector.table.DatabaseTableCollector"/>
      </trailInfo>

      <!-- eventPatch: OPTIONAL field that indicates any event patches that
           need to be applied as part of plugin deployment.
           The files listed here must be present in the <patch> tag entries.
           The order in which the patches need to be applied can be
           controlled via the "order" attribute.
           Patches with lower "order" value will be applied first -->
      <eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>

    </extensionPoint>
  </extensionSet>
</plugin>
The following attributes and fields are mandatory:
securedTargetType
maxSecuredTargetVersion
version
HeaderInfo
RecordInfo
EventTimeUTC
CommandClass
  Transformation
EventStatus
  Transformation
MarkerField
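A source name that maps to each of the following Audit Vault Server fields is not mandatory, but if data collection starts without this information, all audit records are treated as invalid.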
UserName
CommandClass
Example C-3 Sample Mapper File for an XML File Collection Plug-in
<AVXMLCollectorTemplate securedTargetType="XMLSOURCE"
                        maxSecuredTargetVersion="11.0"
                        version="1.0">
  <!-- Example Template for XML template collector -->
  <!-- Attributes: "securedTargetType", "maxSecuredTargetVersion" and
       "version" are mandatory attributes,
       "minSecuredTargetVersion" attribute is optional -->
  <!-- Accepted Format for min/maxSecuredTargetVersion and version attribute
       value is numbers separated by dots
       (For example: 12.2, 10.3.2, 11.2.3.0 etc.) -->

  <!-- Header Information like XML Header start tag -->
  <HeaderInfo>
    <!-- Mandatory: HeaderInfo -->
    <!-- Value in this tag gives Root tag of the XML audit file -->
    <StartTag>Audit</StartTag>
  </HeaderInfo>

  <!-- Record Information like Record Start tag and conformation to hold
       original record -->
  <RecordInfo>
    <!-- Mandatory: RecordInfo -->
    <!-- Provides starting tag of audit record in XML audit file -->
    <StartTag>AuditRecord</StartTag>
  </RecordInfo>

  <!-- Gives Mapping Information of Source Fields to various AV Fields
       (core and large fields) -->
  <!-- Not Allowed: many-to-one mapping from source field to
       AV Server fields -->
  <FieldMappingInfo>
    <!-- Mapping of Source Fields to Core Fields of AV server.
         Source fields specified in core field mappings must be of
         SQL Datatype: String OR convertible to String -->
    <CoreFields>
      <Map>
        <Name>EVENT_TIME</Name>
        <MapTo>EventTimeUTC</MapTo>
        <TimestampPattern>yyyy-MM-dd HH:mm:ss.SSS</TimestampPattern>
      </Map>
      <Map>
        <!-- If UserName core field mapping is not provided, Audit Data
             Collection still starts successfully, but every audit record
             will be treated as invalid -->
        <Name>USER_ID</Name>
        <MapTo>UserName</MapTo>
      </Map>
      <Map>
        <Name>OS_USER_ID</Name>
        <MapTo>OSUserName</MapTo>
      </Map>
      <Map>
        <!-- If source name, the ACTION field, for CommandClass core field
             mapping is not provided, Audit Data Collection still starts
             successfully, but all audit records are treated as invalid -->
        <Name>ACTION</Name>
        <MapTo>CommandClass</MapTo>
        <!-- Mandatory: value transformations from source to Action field
             value. Value of "to" Attribute is from AV Event set -->
        <Transformation>
          <ValueTransformation from="1" to="CREATE"/>
          <ValueTransformation from="2" to="INSERT"/>
          <ValueTransformation from="3" to="SELECT"/>
          <ValueTransformation from="4" to="CREATE"/>
          <ValueTransformation from="15" to="READ"/>
          <ValueTransformation from="30" to="LOGON"/>
          <ValueTransformation from="34" to="LOGOFF"/>
          <ValueTransformation from="35" to="ACQUIRE"/>
        </Transformation>
      </Map>
      <Map>
        <Name>OBJ_NAME</Name>
        <MapTo>TargetObject</MapTo>
      </Map>
      <Map>
        <Name>USER_HOST</Name>
        <MapTo>ClientHostName</MapTo>
      </Map>
      <Map>
        <Name>OBJ_CREATOR</Name>
        <MapTo>TargetOwner</MapTo>
      </Map>
      <Map>
        <Name>STATUS</Name>
        <MapTo>EventStatus</MapTo>
        <!-- Specifying value transformation for Status source field value.
             Mandatory: EventStatus value transformation.
             There are three possible values for EventStatus:
             SUCCESS, FAILURE, UNKNOWN -->
        <Transformation>
          <ValueTransformation from="0" to="FAILURE"/>
          <ValueTransformation from="1" to="SUCCESS"/>
          <ValueTransformation from="2" to="UNKNOWN"/>
        </Transformation>
      </Map>
    </CoreFields>

    <!-- Mapping of Source Fields to Large Fields of AV server,
         i.e. fields with huge content -->
    <!-- Source fields specified in large field mappings must be of
         SQL Datatype:CLOB OR SQL Datatype:String OR convertible to String -->
    <LargeFields>
      <Map>
        <Name>SQL_TEXT</Name>
        <MapTo>CommandText</MapTo>
      </Map>
      <Map>
        <Name>COMMAND_PARAMETER</Name>
        <MapTo>CommandParam</MapTo>
      </Map>
    </LargeFields>

    <!-- These Source fields will be collected in a single extension field,
         all name-value pairs are separated by standard delimiter -->
    <!-- Source fields specified in extension field mapping must be of
         SQL Datatype:String OR convertible to String -->
    <ExtensionField>
      <Name>DB_ID</Name>
      <Name>INSTANCE</Name>
      <Name>PROCESS</Name>
      <Name>TERMINAL</Name>
    </ExtensionField>

    <!-- This is group of source fields for uniquely identifying each
         Audit Record Marker -->
    <!-- Source fields specified to be used as Marker field mapping must be
         of SQL Datatype:String OR convertible to String -->
    <!-- Mandatory: Source fields for MarkerField -->
    <MarkerField>
      <Name>SESSION_ID</Name>
      <Name>ENTRY_ID</Name>
    </MarkerField>
  </FieldMappingInfo>
</AVXMLCollectorTemplate>
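The mandatory-field rules listed for both mapper types can be checked before a plug-in is deployed, so that a missing UserName or CommandClass mapping is caught before audit records are silently marked invalid. The linter below is an added example, not Oracle code: `lint_mapper`, `ROOT_REQUIRED` and the sample mapper are constructed for illustration, and the Driver requirement is not checked because the sample on this page does not show that element.

```python
import re
import xml.etree.ElementTree as ET

VERSION_RE = re.compile(r"\d+(\.\d+)*")  # e.g. 12.2, 10.3.2, 11.2.3.0
# Mandatory elements per template root. Driver is not checked: the page's sample omits its element.
ROOT_REQUIRED = {"AVTableCollectorTemplate": ["TableName"],
                 "AVXMLCollectorTemplate": ["HeaderInfo/StartTag", "RecordInfo/StartTag"]}

def lint_mapper(xml_text):
    """Return (errors, warnings) for a collection plug-in mapper file."""
    root, errors, warnings = ET.fromstring(xml_text), [], []
    if root.tag not in ROOT_REQUIRED:
        return [f"unknown template root <{root.tag}>"], warnings
    for attr in ("securedTargetType", "maxSecuredTargetVersion", "version"):
        if attr not in root.attrib:
            errors.append(f"missing mandatory attribute {attr}")
    for attr in ("minSecuredTargetVersion", "maxSecuredTargetVersion", "version"):
        if attr in root.attrib and not VERSION_RE.fullmatch(root.attrib[attr]):
            errors.append(f"{attr} is not numbers separated by dots")
    for path in ROOT_REQUIRED[root.tag]:
        if not (root.findtext(path) or "").strip():
            errors.append(f"missing mandatory element {path}")
    mapped = {}  # AV Server field -> the <Map> element that supplies a source name
    for m in root.iterfind("FieldMappingInfo/*/Map"):
        to = (m.findtext("MapTo") or "").strip()
        if to in mapped:
            errors.append(f"many-to-one mapping onto {to}")
        elif to and (m.findtext("Name") or "").strip():
            mapped[to] = m
    for field in ("EventTimeUTC", "EventStatus"):
        if field not in mapped:
            errors.append(f"missing mandatory mapping to {field}")
    for field in ("CommandClass", "EventStatus"):
        if field in mapped and mapped[field].find("Transformation/ValueTransformation") is None:
            errors.append(f"{field} mapping has no value transformation")
    if root.find("FieldMappingInfo/MarkerField/Name") is None:
        errors.append("missing mandatory MarkerField")
    for field in ("UserName", "CommandClass"):
        if field not in mapped:  # collection still starts, but every record is invalid
            warnings.append(f"no source name mapped to {field}: all audit records will be invalid")
    return errors, warnings

# Constructed sample (not from the page): well-formed, but the UserName mapping is left out.
SAMPLE = """<AVXMLCollectorTemplate securedTargetType="XMLSOURCE" maxSecuredTargetVersion="11.0" version="1.0">
<HeaderInfo><StartTag>Audit</StartTag></HeaderInfo><RecordInfo><StartTag>AuditRecord</StartTag></RecordInfo>
<FieldMappingInfo><CoreFields><Map><Name>EVENT_TIME</Name><MapTo>EventTimeUTC</MapTo></Map>
<Map><Name>ACTION</Name><MapTo>CommandClass</MapTo><Transformation><ValueTransformation from="30" to="LOGON"/></Transformation></Map>
<Map><Name>STATUS</Name><MapTo>EventStatus</MapTo><Transformation><ValueTransformation from="1" to="SUCCESS"/></Transformation></Map>
</CoreFields><MarkerField><Name>SESSION_ID</Name></MarkerField></FieldMappingInfo></AVXMLCollectorTemplate>"""
```

Calling `lint_mapper(SAMPLE)` returns no errors and a single warning for the missing UserName mapping, the case in which collection starts but every record is treated as invalid.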
This is a sample manifest file for an XML file collection plug-in.
Example C-4 Sample Manifest File for an XML File Collection Plug-in
<?xml version="1.0"?>
<plugin xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://xmlns.oracle.com/av/plugin plugin-manifest.xsd"
        xmlns="http://xmlns.oracle.com/av/plugin"
        name="Oracle-XML-Template"
        id="com.oracle.av.plugin"
        version="1.0"
        provider-name="Oracle Corp."
        copyright="Copyright Oracle Corp. 2011">

  <!-- targetVersion: Version of Oracle Audit Vault supported by this plugin.
       This is represented by the "min" attribute of <targetVersion> tag -->
  <targetVersion min="11.1.0.0.0"/>

  <extensionSet>
    <extensionPoint type="securedTargetType">

      <!-- fileList: Lists *all* the files that ship with the plugin -->
      <fileList>
        <jars></jars>
        <templates>
          <include file="XMLSource-Mapper.xml"/>
        </templates>
        <bin></bin>
        <config></config>
        <shell></shell>
        <patch></patch>
        <unresolved-external></unresolved-external>
      </fileList>

      <!-- securedTargetTypeInfo: Contains source type and trail
           information -->
      <securedTargetTypeInfo name="oracle"/>

      <!-- trailType: contains trail type, location, classname for
           source type testSource -->
      <trailInfo>
        <trailType>DIRECTORY</trailType>
        <className name="oracle.av.platform.agent.collfwk.ezcollector.xml.XMLFileCollector"/>
      </trailInfo>

      <!-- eventPatch: OPTIONAL field that indicates any event patches that
           need to be applied as part of plugin deployment.
           The files listed here must be present in the <patch> tag entries.
           The order in which the patches need to be applied can be
           controlled via the "order" attribute.
           Patches with lower "order" value will be applied first -->
      <eventPatch name="p6753288_11.1.2.0.0_GENERIC.zip" order="2"/>

    </extensionPoint>
  </extensionSet>
</plugin>