6 Reports

Topics

Generating and Customizing Reports

Report Descriptions

6.1 About the Reports in Audit Vault and Database Firewall

The Oracle Audit Vault and Database Firewall reports are automatically generated reports that reflect audit data collected from secured targets, as well as data monitored by any Database Firewalls you have configured. You can save or schedule reports in either PDF or Excel format. You can also view reports online and interactively adjust the online report view by filtering data. You can save these interactive views to see them online later.

The reports are organized into various categories, such as access reports and management reports. An alerts report allows you to view and respond to alerts. You can also create user-defined reports that focus on specific audit events or firewall data.

You can also produce Sarbanes-Oxley (SOX), Payment Card Industry (PCI), Data Protection Act (DPA), Gramm-Leach-Bliley Act (GLBA), and Health Insurance Portability and Accountability Act (HIPAA) reports. To specify which of these reports are required for a secured target database, you can add the secured target to the appropriate group (such as the SOX group) from the Secured Targets tab.

Auditors can view data and modify reports for secured targets to which they have been granted access by a super auditor. However, an auditor can also send a report to other auditors for attestation regardless of the access rights of the other auditors.

You can specify email recipients for scheduled reports once they are generated, as well as create email templates for report notifications.

6.2 Browsing the Built-In Reports

From the Built-in Reports section of the Reports tab, you can browse report data online, schedule reports, and link to previously scheduled and generated reports. The report displays only records that are collected by the collector before the report execution starts.

Note:

Reports run faster if the audit data is in memory on the Audit Vault Server. If your Oracle AVDF administrator has enabled Oracle Database In-Memory, you will see a date range on the dashboard (Home tab) at the top right, as shown in Figure 6-1. Reports for this date range will run faster.

Figure 6-1 Data Range Selection and In-Memory Date Range


Description of Figure 6-1 follows
Description of "Figure 6-1 Data Range Selection and In-Memory Date Range"

To generate or browse the built-in reports:

  1. Log in to the Audit Vault Server console as an auditor.

  2. Click the Reports tab.

  3. Click a link under the Built-in Reports menu (for example, Compliance Reports), navigate to the report you want, and then do one of the following:

    • Click the report name to view and browse the report data online. Timestamps in reports, when you browse them online, are displayed in your local browser time.

    • Click the Schedule Report icon to schedule the report in PDF or XLS format. Timestamps in a PDF or XLS report are written in the Audit Vault Server time (based on the Timezone Offset setting specified by an administrator).

    • Click the Generated Report icon to view a previously scheduled and generated report.

  4. When browsing a report, click the Single Row View icon in the leftmost column for a row (an audit event) to view detailed information for that event.

Note:

If your Oracle AVDF administrator changes the name of a secured target, the new name does not appear on reports until the administrator restarts the Audit Vault Agent.

6.3 Downloading a Report in HTML or CSV Format

You can download reports you are browsing online as CSV (for use in an Excel spreadsheet) or HTML files.

To download a report in HTML or CSV format:

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Reports tab.
  3. Under Built-In Reports, select the type of report that you want, and then select the report.
  4. From the Actions menu, select Download.
  5. Select CSV or HTML.
  6. In the Opening dialog box, select Save File and then click OK.
  7. Select a location and enter a name for the file.
  8. Click Save.

6.4 Customizing the Built-in Reports

Topics

6.4.1 About Customizing Built-in Reports

You can create customized reports based on the built-in reports and then save the new report formats. Oracle Audit Vault and Database Firewall provides tools to filter, group, and highlight data, and define columns displayed in the reports. You can also create a categories for your saved reports. Customized and saved reports are listed on the Saved Interactive Reports page.

While you can schedule the default built-in reports to be generated in PDF format, saved custom reports cannot be scheduled or printed in PDF format, and therefore must be viewed online.

6.4.2 Filtering and Controlling the Display of Data in a Report

Topics

6.4.2.1 About Filtering and Display Settings in Reports

You can control the display of data in a report to focus on a particular set of data. Oracle Audit Vault and Database Firewall automatically saves the report settings so that if you leave the page, the report settings are still in place when you return. Optionally, you can save the report as a custom report.

6.4.2.2 Filtering Data in a Report

6.4.2.2.1 About Filtering Data in Reports

You can filter the report to show all rows based on a particular column, or a subset of rows, using an expression.

You can create multiple filters as needed. For example, if you want to filter all SYS users who are being audited for the SUPER USER LOGON event, you would create one filter to catch all SYS users, and then a second filter to catch all SUPER USER LOGON events. If two or more of the filters for a report are enabled, then the report uses both or all of them (as in an AND operation). You can toggle specific filters on or off, depending on the results that you want.

6.4.2.2.2 Filtering Column and Row Data Using the Search Bar

You can use the Search bar to search for row data in one or all columns in the report (for example, all rows that contain the letters SYS, such as SYS and SYSTEM, in all columns).

To search for row data in one or all columns:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab, and then access the report that you want.
  3. If you want to focus the search on a specific column, in the Search bar, use the Search icon to select from the drop-down list of available columns.

    By default, the search applies to all columns.

  4. In the Search bar text area, enter all or part of the row text you want to search for.
  5. Click Go.
6.4.2.2.3 Filtering All Rows Based on Data from a Selected Column

This filtering method lets you filter data in all rows based on a selected column (for example, all rows that contain SYS in the User column).

To filter all rows based on data from a selected column:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab, and then access the report that you want.
  3. Click the Actions menu, and select Filter.

    The Filter dialog box appears. The existing filter definitions for the current user session are shown below the Filter dialog box.

  4. For Filter Type, select Column.
  5. In the Column drop-down list, select the column on which you want to base the filter.

    You can select from columns that are displayed in the report or other columns.

  6. Select the Operator and Expression that you want to use, to further filter the data.
  7. Click Apply.

    The existing filter definitions for the current user session are shown above the report columns.

  8. To enable or disable the display of the filtered data, select its corresponding check box. To remove a filter, click its Remove Filter icon.
6.4.2.2.4 Filtering Row Data Using an Expression

This method lets you select all rows that meet a WHERE condition, such as all users who are not user SYS. You can create the expression for all columns, even those that are not shown in the current report.

To filter row data using an expression:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab, and then access the report that you want.
  3. From the Actions menu, select Filter.

    The Filter dialog box appears. The existing filter definitions for the current user session are shown below the Filter dialog box.

  4. For Filter Type, select Row.
  5. Enter a Name for the filter.
  6. Use the Columns, Function/Operators, and Filter Expression fields to build your filter expression:
    • Columns: Select the name(s) of the column(s) from the list to use them in the expression. When you select a column, its abbreviation appears in the Filter Expression field.

    • Functions/Operators: Select function(s) and/or operator(s) from the list to build your expression.

    • Filter Expression: If you have built an expression from the available columns, functions and operators, enter any parameters needed to complete your expression. If you type the expression, remember that it is case-sensitive. In most cases, use uppercase letters.

    As you build the expression, the Filter Expression field is populated with the expression.

  7. Click Apply.

    Oracle Audit Vault and Database Firewall filters the display of row data based on the expression you created, and adds the filter definition above the report columns.

  8. To enable or disable the display of the filtered data, select its corresponding check box. To remove a filter, click its Remove Filter icon.

6.4.2.3 Hiding or Showing Columns in a Report

When you hide or show columns in a report, you still can perform operations on hidden columns, such as filtering data based on a column that you have hidden.

To hide or show columns in a report:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab, and then access the report that you want.
  3. From the Actions menu, click Select Columns.
  4. Move column names under the Do Not Display or Display in Report boxes:
    • Select the column names to move and then click the left or right arrow between the column name boxes.

    • Move all columns left or right by using the >> and << buttons.

    • Use the top button (the arrows in a circle) to reset the columns to their original locations in the two boxes.

  5. To set the order of displayed columns, in the Display in Report box, select the column name, then click the up or down arrow on the right side of the box to reorder the column's position in the list.
  6. Click Apply.

6.4.2.4 Formatting Data in a Report

6.4.2.4.1 Sorting Row Data for All Columns

To sort row data for all columns:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab, and then access the report that you want.
  3. From the Actions menu, select Format, then select Sort.

    The Sort dialog box appears.

  4. Enter the following information:
    • Column: For up to six columns, select the columns to sort. By default, the first sort column is Event Time, which is sorted in descending order.

    • Direction: Select either Ascending or Descending.

    • Null Sorting: Select the Null sorting rule for each column (Default, Nulls Always Last, or Nulls Always First). The default is to not sort nulls.

  5. Click Apply.
6.4.2.4.2 Highlighting Rows in a Report

You can highlight specific rows in a report by assigning them colors. This enables anyone viewing the report to quickly find areas that are of particular interest.

To highlight rows in the report:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab, and then access the report that you want.
  3. From the Actions menu, select Format, then Highlight.

    The Highlight dialog box appears.

  4. Enter the following information:
    • Name: Optionally enter a name for this highlight instance.

    • Sequence: Enter a sequence number to determine the order in which the highlight filter rules are to be applied when two or more highlight filter rules are in effect. The default value is 10.

    • Enabled: Select Yes to enable the highlight or select No to disable it.

    • Highlight Type: Select Row to highlight a row or select Cell to highlight a cell.

    • Background Color: Select a background color for the row or cell. Click a color to display color options, or click the colored icon to the right of the color selection field to display a color selection box from which to choose a different color. Alternatively, you can manually enter the HTML code for a color.

    • Text Color: Select a text color for the row or cell using the same method you used for the background color. (Optional)

    • Highlight Condition: Edit the highlight filter rule expression by identifying the column, the operator, and the expression for each of the three fields in the highlight condition.

      • Column: Select any column name, including hidden columns.

      • Operator: Select an operator from a list of standard Oracle Database operators, such as =, !=, NOT IN, and BETWEEN.

      • Expression: Enter the comparison expression (without quotation marks) based on a known value for that column name to complete the filter expression.

        For example, entering the filter expression EVENT=SUPER USER LOGON filters for all values in the Event column that contain the value SUPER USER LOGON.

  5. Click Apply.
6.4.2.4.3 Charting Data in a Report

You can select from four chart styles to chart data in a report. After you create the chart, you can access it whenever you access the report.

To chart data in a report:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab, and then access the report that you want.
  3. From the Actions menu, select Format, then Chart.

    The Chart dialog box appears.

  4. Enter the following information:
    • Chart style: Select from one of the four chart styles: Horizontal Column, Vertical Column, Pie, and Line.

    • Label: Select from the list of columns for this report. You can include hidden columns as well as displayed columns.

    • Value: Select from the list of columns for this report, including hidden columns. If you select Count from the Function list, then you do not need to select a value.

    • Function: Select an aggregate function (Sum, Average, Minimum, Maximum, or Count) on which to aggregate the data values.

    • Sort: Select ascending or descending sorting for values and labels.

    • Axis Title for Label: Enter a name for the axis title.

    • Axis Title for Value: Enter a name for the axis value.

  5. Click Apply.

    The chart appears, with the Edit Chart and View Report links under the Search bar.

6.4.2.4.4 Adding Control Breaks to a Report

You can create a break group based on selected columns. This pulls the column(s) out of the report as a main record and groups all rows with the same value for the selected column under that main record. This is useful for filtering by multiple column values.

For example, you may have an Activity Overview report that displays several columns of data. If you want to see that data broken up by the Client IP Address and Secured Target Name columns, you would add control breaks for those columns. The resulting report would have data broken up into smaller tables for each unique combination of Client IP Address and Secured Target Name.

To add a control break in a column:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab, and then access the report that you want.
  3. From the Actions menu, select Format, then Control Break.
  4. Select the column(s) to which you want to add a control break.

    You can select up to six columns in the order that you want the data to be broken up. Selecting Enabled adds a control break; selecting Disabled removes the control break.

  5. Click Apply.
6.4.2.4.5 Using the Group By Function to Format a Report

The Group By dialog lets you group data by up to three columns in a report, and specify up to three functions to perform on any column, and display the resulting values as additional columns in the custom report.

For example, suppose you want to create a custom report to show the number of events of a certain status (for example SUCCESS or FAILURE) for each secured target and client IP address combination. Using Group By, you can create a custom report to group unique secured targets together in the first column, client IP addresses for each secured target together in the second column, and display Event Status in the third column. You then specify a function to count distinct values in the Event Status column for each secured target and client IP address combination.

The resulting custom report will contain four columns: Secured Target, Client IP, Event Status, and the final column will show the results of the function, for example, the number of events with SUCCESS status for that secured target and IP address.

To use the Group By feature:

  1. Log in to the Audit Vault Server as an auditor.

  2. Click the Reports tab, and then access the report that you want.

  3. From the Actions menu, select Format, then Group By.

    The Group By dialog is displayed, similar to the following:

  4. In the Group By Column section, from the first drop-down list, select a data column for grouping data in column 1 of your custom report.

    For example, if you select Secured Target Name, column 1 of your report will have secured targets grouped together. Optionally, select data groupings for columns 2 and 3 of your report.

  5. Optionally, in the Functions section, specify up to three functions to operate on specific data columns:

    1. Under Functions, select a function, such as Count Distinct.

    2. Under Column, select any data column in the default report.

    3. Optionally, under Label, enter a column heading for the new column created by the result of this function.

    4. Optionally, under Format Mask, select the format of the data in the new column created by the result of this function.

    5. Optionally, select the Sum check box if you want to add a Sum row to the bottom of your custom report to add the values in the new column.

  6. Click Apply.

6.4.2.5 Resetting the Report Display Values to Their Default Settings

You can reset the report display values to their original default settings.

To reset the display settings to their defaults:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab, and then access the report that you want.
  3. From the Actions menu, select Reset.

6.4.3 Saving your Customized Reports

When you customize a built-in report with your specified filters and display settings, you can save this customized report. Saved reports are listed in the Saved Interactive Reports page in the Reports tab. The saved reports cannot be printed in PDF format, and therefore must be viewed online.

When you save a custom report, you can save it under a specific category that you select or create as you save the report. You can also make the custom report private or share it with other users as a public report.

To create and save a custom report starting from a built-in report:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab, and then access the report that you want.
  3. Filter and design the display as needed.
  4. From the Actions menu, select Save Report.
  5. Enter the following information in the Save Report dialog box:
    • Name: Enter a name for the report.

    • Public: Select this check box to make the report accessible to all users.

    • Category: Select from the list of available categories, or select New Category, then enter a name for the new category.

      When you save the report, the category appears in the Category column of the saved reports list.

    • Description: Enter a brief description of the report.

  6. Click Apply.

    The custom report data is displayed, and the custom report is listed on the Saved Interactive Reports page.

6.4.4 Accessing Your Saved Custom Reports

To access a saved custom report:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab.
  3. Under Custom Reports, click Saved Interactive Reports.

    The Saved Interactive Reports page appears.

  4. In the Report Name column, select the link for the report that you want to access.

    The report appears. From here, you can:

    • Click the saved report name to edit it.

    • Click a filter to modify it

    • Enable or disable a filter by selecting or unselecting its check box

    • Remove a filter by clicking the Remove Filter icon (an "X")

    • Enable or disable a control break by selecting or unselecting its check box

    • Remove a control break by clicking the Remove Breaks icon (an "x")

    See Also:

6.5 Scheduling and Generating PDF or XLS Reports

Topics

6.5.1 About Scheduling and Creating PDF or XLS Reports

You can schedule reports to be sent to other users in PDF or XLS format. You can run the report immediately, or you can create or select a schedule to run the report at a later time. You can specify a list of users who receive notifications of the report, or who need to attest to the report.

Note:

The saved interactive reports (saved reports you created by customizing built-in reports) cannot be scheduled.

See Also:

The timestamp shown in scheduled reports is based on the Timezone Offset setting specified by the administrator in the Audit Vault Server. See Oracle Audit Vault and Database Firewall Administrator's Guide for more information.

6.5.2 Creating a Report Schedule

To schedule and create a PDF or XLS report:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab.
  3. Find the report you want to schedule, and click the schedule icon for the report.
  4. At the top of the Schedule Report page, in the Schedule Report section, select the Report Format (PDF or XLS).

    You can optionally change the Category Name and Report Name fields.

  5. In the Report Filters section, enter or select:
    • Secured Target Name (or All) - This appears if applicable to the report.

    • Row Limit

    • Event Time

  6. In the Schedule section, select how you want to schedule the report:
    • Immediately - Run the report immediately

    • Specify Schedule - Select a run time, timezone, run date, and how often to repeat the schedule.

    • Select Schedule - (See Note) Select an existing schedule for the report by selecting a Schema where the schedule is stored, and the name of the Schedule from the drop-down lists.

      Note: This options only appears if a database administrator creates these schedules in the embedded Oracle Database using the DBMS_SCHEDULER PL/SQL package. The Schema list displays schemas that contain DBMS_SCHEDULER schedules. The Schedule list displays all the DBMS_SCHEDULER schedules in that schema. By default, the Schema drop-down list contains the SYS schema, which owns the DBMS_SCHEDULER package.

  7. In the Retention Policy section, if necessary, click Change to change the default archiving policy, and then click Save.

    The archiving (or retention) policy is created by an Oracle Audit Vault and Database Firewall administrator, and determines how long the generated PDF or XLS report is retained in the Audit Vault Server before it is archived. If you do not select one, the default retention policy will be used (12 months retention online and 12 months in archives before purging).

  8. In the Notification section, optionally select users to notify about this report:
    • For the Send field, select either Notification to send an email with a link to the report, or Attachment to send an email with the report attached as an XLS or PDF file.

    • From the Template drop-down list, select a report notification template.

    • From the Distribution List drop-down list, if applicable, select a distribution list.

    • If you want to send the report to additional recipients, enter their email addresses in the To e-mail and Cc fields. Enter full email addresses separated by commas.

    • Click Add to List.

  9. Under Attestation, select one or more auditors who should attest to the report.

    Optionally, you can set the order in which the auditors are listed in the Attestation area.

  10. Click Schedule.

    The PDF or XLS is stored in the database, and the report appears in the Report Schedules page in the Reports tab.

    You can check the Jobs page in the Quick Links menu to see the status of report generation.

    Note:

    Avoid triggering or scheduling concurrent long running reports at the same time, as they may be left in a hung state forever. The reports must be scheduled with staggered intervals in between. For example, a gap of 5, 10, or 20 minutes.

6.5.3 Viewing or Modifying Report Schedules

To view or modify report schedules, in the Report Workflow menu, click Report Schedules. To modify a report schedule, click the name of the report.

See Also:

Creating a Report Schedule for details on report schedule fields.

6.5.4 Downloading Generated Reports in PDF or XLS Format

When scheduled reports are generated you can download them to your computer in PDF or XLS format (depending on the format you selected in your report schedule). You can also notify other users by sending a link to the report, or attaching the report in an email.

You can download an unscheduled report in HTML or CSV format, while browsing it online.

To list and download generated PDF or XLS reports you have scheduled:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab.
  3. Under Report Workflow, click Generated Reports.

    A list of generated reports appears.

  4. From here, you can do the following:
    • To see a list of pending reports, click Show Pending Reports.

    • To save the report to your computer, click the report name, and then save the file.

    • To notify another user of the report, select the check box for the report, and then click Notify.

    • To attest and annotate the report, click the Details icon in the second column.

6.5.5 Notifying Users About Generated PDF or XML Reports

To send notifications to other users or distribution lists about a scheduled and generated report:

  1. Log in to the Audit Vault Server as an auditor.
  2. Click the Reports tab.
  3. Under Report Workflow, click Generated Reports.

    A list of generated reports appears.

  4. Select the check box for the report that you want and then click the Notify button.
  5. Fill the fields as follows:
    • For the Send field, select either Notification to send an email with a link to the report, or Attachment to send an email with the report attached as an XLS or PDF file.

    • From the Template drop-down list, select a report notification template.

    • From the Distribution List drop-down list, if applicable, select a distribution list.

    • If you want to send the report to additional recipients, enter their email addresses in the To email and Cc fields. Enter full email addresses separated by commas.

  6. Click Notify.

6.6 Annotating and Attesting Reports

After a report has been generated, auditors can annotate and attest to the report. This enables you to create a record of all notes and attestations for the report in one place, with the most recent note and attestation listed first. If you delete the report, its associated annotation and attestations are removed as well.

To annotate and attest to a report:

  1. Log in to the Audit Vault Server as an auditor.
  2. Access the list of reports to attest to by doing one of the following:
    • From the Home page, under Attestation Actions, select the report from the list.

    • Click the Reports tab, and under the Report Workflow menu, select Generated Reports secondary tab. Find the report that you want to annotate or attest and then click the report name. When you display the report, it appears in PDF format. Click the Details button to display the Details for Generated Report page.

      You can quickly filter the reports if you want.

  3. In the New Note field, enter a note for the report.
  4. Perform one of the following actions:
    • To save the note only, click the Save button. The note appears in the Previous Notes area.

    • To save the note and attest to the report, click the Save & Attest button. The note appears in the Previous Notes area and the Attestation area is updated with your user name and the time that you attested to the report.

    • To return to the report, click the View Report button.

  5. Click Done when you are finished.

    The Generated Reports page appears.

6.7 Creating and Uploading Your Own Custom Reports

You can add your own custom reports by using Oracle BI Publisher, or another report authoring tool from a third party. You will need a report definition file (XML format) and a report template (RTF format), which you can download from Oracle Audit Vault and Database Firewall. This section describes how to download these files from an existing Oracle Audit Vault and Database Firewall report and use them for your own report.

The audit event appendices in this guide contain data that may help you in creating your own reports.

To add a report starting from an existing report definition and template file:

  1. Log in to the Audit Vault Server console as an auditor.

  2. Click the Reports tab, and under Custom Reports, click PDF/XLS Reports.

    The PDF/XLS Reports page is displayed, listing any previously uploaded custom reports, and built-in reports in the Built-in Reports section.

  3. Find a built-in report to use as a starting point for your new custom report.

  4. Download the report definition and template files for the report you want:

    1. Click the Download Report Template icon and save the RTF file.

    2. Click the Download Report Definition icon and save the XML file.

  5. Customize the report definition and template files using either Oracle BI Publisher or another tool, as necessary.

  6. Click Upload.

  7. In the Report Template file field, enter the name or browse for your customized report template (RTF) file.

  8. In the Report Definition file field, enter the name or browse for your customized report definition (XML) file.

  9. Click Save.

    The new report is listed under PDF/XLS Reports.

6.8 Activity Reports

Topics

6.8.1 About the Activity Reports

You can access Activity Reports from the Reports tab by clicking Activity Reports. There are six groups of Activity Reports:

  • Activity Reports

  • Alert Reports

  • Correlation Reports

  • Database Firewall Reports

  • Entitlement Reports

  • Stored Procedure Audit Reports

This section contains information about Activity, Alert, and Stored Procedure Reports.

6.8.2 Activity Reports

Topics

6.8.2.1 About the Activity Reports

You can access Activity Reports from the Reports tab by clicking Activity Reports.

The default activity reports track general database access activities such as audited SQL statements, application access activities, and user login activities. These reports display the following kinds of information: secured target name, secured target type, host name for the secured target, version of the secured target, IP address of the secured target, audit time, the event itself (such as LOGIN statements), current and previous values of the event, user and host client information, the event status (such as failure), and the time the event took place.

6.8.2.2 Activity Overview Report

The Activity Overview page provides a summary of all audited and monitored events.

This includes information about all monitored and audited events. Events appear based on their audit event time in descending order (newest record first). This report can be very large, but you can create a user-defined version that filters specific audit data. By default, 15 audit records are displayed on each page.

If you suspect that the Oracle Audit Vault and Database Firewall data warehouse is not being refreshed with the latest audit data, then check the Activity Overview Report. If you find that the audit data that you want is not listed in this report, then ask your Oracle Audit Vault and Database Firewall administrator to check the server-side log files (alert and trace logs) for errors. If there are errors, then contact Oracle Support.

Note:

Apply filters based on date and time. Access the audit interactive reports. For example, Activity Overview report. Click on Actions, and then select Filter. Choose Row as the Filter Type.

Enter a name for the filter you are creating. In the Filter Expression field, enter the query as follows:

<event_time> BETWEEN ‘MM/DD/YYYY HH:MM:SS PM/AM’ and ‘MM/DD/YYYY HH:MM:SS PM/AM’

For example:

BZ BETWEEN ‘8/20/2018 2:30:50 PM’ and ‘8/20/2018 2:40:50 PM’

6.8.2.3 All Activity Report

The All Activity Report displays details of all captured audit events for a specified period of time.

6.8.2.4 Audit Settings Changes Report

The Audit Settings Changes Report displays details of observed user activity targeting audit settings for a specified period of time.

6.8.2.5 Data Access Report

The Data Access Report displays details of read access events.

See Also:

Related Event Data Appendices for related data access audit events in a specific secured target type.

6.8.2.6 Data Modification Report

The Data Modification Report displays events that lead to data modification.

6.8.2.7 Data Modification Before-After Values Report

The Data Modification Before-After Values Report displays data modification events with before and after values in an Oracle database.

Data for this report comes from the TRANSACTION LOG audit trails written by databases. Be sure that an Oracle AVDF administrator has configured and started a TRANSACTION LOG audit trail for the secured target you want to monitor. This report then pulls data from database transaction (REDO) logs.

The user can filter the Data Modification Before-After Values report. To apply the filter on a Column Name, Before Value, and After Value, select Like as the Operator.

Note:

  • The Transaction Log collector uses Streams to collect the Audit Trail. When Transaction Log trail is added, it creates the capture process on the secured target. When the capture process begins, it creates a Logminer dictionary in an archive log. From then onwards, only the Before and After records from the archive logs is captured. It is not possible to acquire the Before and After values prior to the creation of Logminer dictionary. So Transaction Log trail cannot capture the old data. This is a limitation.

  • While setting up REDO collector, no role should be granted to the source user other than DV_STREAMS_ADMIN. To set up DVSYS.AUDIT_TRAIL$ table trail, first set up the REDO collector with DV_STREAMS_ADMIN role granted to the source user. Once REDO collector is up and running, grant DV_SECANALYST role to the source user.

  • The Equal To (=) operator does not work while applying filter on Column Name, Before Value, and After Value columns.

  • To check the change in column value of a particular table, add filter on Target Object. The filter can be something like, Target Object Equal to (=) table name and Column Name in the Column field. For example, if the Address column of employee table is changed, the filter should be Target Object = EMPLOYEE and Column Name like %ADDRESS%.

6.8.2.8 Database Schema Changes Report

The Database Schema Changes Report displays information about changes in the database schema.

6.8.2.9 Entitlements Changes Report

The Entitlements Changes Report displays information about changes in grants of database privileges and roles.

6.8.2.10 Failed Logins Report

The Failed Logins Report displays information about failed authentication attempts.

6.8.2.11 User Login and Logout Report

The Login and Logout Report displays information about all successful login and logout events.

6.8.2.12 Startup and Shutdown Report

The Startup and Shutdown Report displays details of observed startup and shutdown events for a specified period of time.

6.8.3 Alert Reports

Alert reports are accessed from the Reports tab, by clicking Activity Reports.

The alert reports track critical and warning alerts. An alert is raised when data in audit records matches a predefined alert rule condition. Alerts are grouped by associated secured target, by event category, and by the severity level of the alert (either warning or critical).

There are three alert reports:

  • All Alerts Report - This report shows all alerts, both critical and warning alerts, that were raised by raised by Audit Vault Server.

  • Critical Alerts Report - This report shows critical alerts that were raised by raised by Audit Vault Server.

  • Warning Alerts Report - This report shows warning alerts that were raised by raised by Audit Vault Server.

See Also:

6.8.4 Correlation Reports

The Linux SU SUDO Transition Report provides details of database events that are correlated with the Linux operating system user before su or sudo transition. It is specific to Oracle Database secured targets running on Linux. This report uses the OS and Database audit trails to correlate su and sudo activity on the Linux OS with Oracle Database audit events. This lets auditors see the original OS user in cases where this user runs a shell or executes a command as another user by using su or sudo.

For example, suppose the Linux OS user, user_01, logs in to a Linux terminal, and then performs su or sudo activity to another Linux user, user_02. Then user_01 connects as the Oracle Database user user_db locally and then remotely, and performs some database activities.The Linux SU SUDO Transition report displays the Oracle Database audit events with the additional columns OS User Transition, Transition Type, and Database Connection Type. These columns provide information about the correlation that occurred before the Oracle Database operations. For example:

Column Name Data

OS User Transition

user_01 > user_02

Transition Type

su (for a sudo operation, it would list sudo)

Database Connection Type

Local (for a remote database connection, it would be remote)

Database User Name

user_db

Similarly, the Linux SU SUDO Transition Report displays data for local and remote database connections and for SYS and non-SYS users.

In order to generate information for this report, you must have audit trails configured and running for both the Oracle Database and for the Linux OS on which the database runs. The Linux OS audit trail must be registered with a host name, and not an IP address. See Oracle Audit Vault and Database Firewall Administrator's Guide for instructions on how to configure audit trails in Oracle AVDF.

Be aware that if there is a slippage in Linux events, then the report does not show the correct correlation data.

Table 6-1 shows the currently available correlation reports.

Table 6-1 su/sudo Correlation Reports

Report Description

Linux SU SUDO Transition

Details of database events correlated with the Linux operating system user before su or sudo transition

6.8.5 Database Firewall Reports

Database Firewall Reports contain data that is collected if a secured target is monitored by the Database Firewall (using a firewall policy).

Data collected by the Database Firewall includes:

  • Database Firewall action and threat level

  • Database user name

  • OS user name

  • Statement type (data definition, procedural, data manipulation, etc.)

  • Client application name and IP address

  • SQL request ID

  • Database Firewall cluster ID

Table 6-2 lists the Database Firewall reports.

Table 6-2 Database Firewall Policy Reports

Report Name Description

Database Traffic Analysis by Client IP

Database Firewall events grouped by client IP and database

Database Traffic Analysis by OS User

Database Firewall events grouped by operating system user and database

Database Traffic Analysis by User Blocked Statements

SQL statements blocked by the Database Firewall

Database Traffic Analysis by User Warned Statements

SQL statements marked as WARN by the Database Firewall

Database Traffic Analysis by User Invalid Statements

SQL statements marked as INVALID by the Database Firewall

6.8.6 Entitlement Reports

6.8.7 Stored Procedure Auditing Reports

You can access Stored Procedure Auditing reports from the Reports tab by clicking Activity Reports.

Stored procedure auditing reports allow you to audit changes to stored procedures on secured target databases. Oracle AVDF connects to the secured target database at scheduled intervals and discovers any changes or additions that have been made to stored procedures.

Table 6-3 lists the Stored Procedure Auditing reports.

Table 6-3 Stored Procedure Auditing Reports

Report Description

Stored Procedure Activity Overview

Summary of stored procedure activity

Created Stored Procedures

Creation history of stored procedures

Deleted Stored Procedures

Deletion history of stored procedures

New Stored Procedures

Recently created stored procedures

Stored Procedure Modification History

Modifications of stored procedures

6.9 Summary Reports

Topics

6.9.1 Trend Charts

The Trend Charts report shows the event trends (total events) in the last n days.

Table 6-4 shows the available event trend reports.

Table 6-4 Trend Charts

Report Description

Event Trend

Trend of all events

Event Trend By Secured Target

Trend of events by secured target

Event Trend By Client IP

Trend of events by client IP

Event Trend By OS User

Trend of events by OS user

6.9.2 Anomaly Reports

The Anomaly Reports report shows new and dormant user and client IP anomalies (total anomalies) in the last n days.

Table 6-5 shows the available anomaly reports.

Table 6-5 Anomaly Reports

Report Description

New or Dormant User Activity

Activity by newly created or dormant users

New or Dormant Client IP Activity

Activity from newly seen or dormant client IPs

6.9.3 Summary Reports

The Summary Reports report shows summaries of client and operating system user activities, DDL and DML activities, and failed logins in the last n days.

Table 6-6 shows the available summary reports.

Table 6-6 Summary Reports

Report Description

Activity Summary by Client IP and OS User

Events grouped by user and client IP

Activity Summary by Secured Target

Events grouped by secured target

DDL Activity Summary by Secured Target

Schema changes grouped by secured target

DML Activity Summary by Secured Target

Data modifications grouped by secured target

Failed Logins Summary by Secured Target

Failed authentication attempts grouped by secured target

6.10 Compliance Reports

Topics

6.10.1 About the Compliance Reports

The compliance reports provide out-of-the-box reports to help you meet regulations associated with credit card, financial, data protection, and health care related data. They track activities that are typically required to meet standard compliance regulations, such as changes to the database structure or its objects, failed logins, administrator activities, system events, and user logins or logoffs.

The following compliance report categories are available:

  • Data Privacy Reports

  • Payment Card Industry (PCI) Reports

  • Gramm-Leach-Bliley Act (GLBA) Reports

  • Health Insurance Portability and Accountability Act (HIPAA) Reports

  • Sarbanes-Oxley Act (SOX) Reports

  • Data Protection Act (DPA) Reports

  • Reports based on IRS Publication 1075

To access the compliance reports, click the Reports tab, then from the Built-in Reports menu, select Compliance Reports.

6.10.2 Associating Secured Targets with Compliance Report Categories

In order to generate compliance reports for a secured target, you must add it to a compliance report category.

To associate secured targets with compliance report categories from the Compliance Reports page, click the Go button for a compliance category, as shown in Figure 6-2.

Figure 6-2 Associating Secured Targets With Compliance Report Categories



This takes you to the Groups page under the Secured Targets tab, and allows you to add a secured target as a member of a compliance group in Oracle Audit Vault and Database Firewall.

See Also:

Managing Compliance for Secured Target Databases for detailed instructions on assigning secured targets to compliance groups.

6.10.3 Reports Based on IRS Publication 1075

Table 6-7 lists reports that help you meet the reporting requirements of IRS Publication 1075.

Table 6-7 Reports Based on IRS Publication 1075

Report Name Description

Password Change

Password change events in operating systems

User Switch

Switch user events for Windows and Linux operating systems

Permissions and Privileges Change

Privilege changes in operating systems

Startup and Shutdown of Audit Functions

Start and stop of auditing functionality in the database

6.11 Specialized Reports

Topics

6.11.1 About the Specialized Reports

There are several categories of specialized reports, which are listed under separate headings in this section. To access these specialized reports, click the Reports tab, then from the Built-in Reports menu, select Specialized Reports.

6.11.2 Oracle Database Reports - Database Vault Activity

Oracle Database Vault may be enabled in an Oracle Database secured target to provide greater security by restricting access to sensitive areas of the database. For example, you can restrict administrative access to employee salaries, customer medical records, or other sensitive information.

If your Oracle Database secured targets have Database Vault enabled, then the Database Vault Activity report shows the details of Oracle Database Vault activity, such as Database Vault events that capture policy or rule violations, unauthorized access attempts, and so on.

You can check if Oracle Database Vault is enabled in a target by running the following SQL query in SQL*Plus:

SELECT PARAMETER, VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

Remember that the PARAMETER column value is case sensitive.

If Oracle Database Vault is enabled, the following output appears:

PARAMETER                     VALUE
----------------------------- -----------------------
Oracle Database Vault         TRUE

6.12 Data Privacy Reports

Overview

Data privacy is also known as information privacy or data protection. It is concerned with the relationship between collection and dissemination of data and technology, the public perception, expectation of privacy, the legal regulation, and political issues surrounding that data. The details and implementation of data protection vary depending on the region, the context, the methods, and the extent to which it is regulated.

GDPR (General Data Protection Regulation) is a regulation in European Union (EU) law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. GDPR is an overhaul of the existing European Commission data protection legislation. It harmonizes data privacy laws, aims to strengthen, and unify these laws for EU citizens. GDPR is about individuals having autonomy and control over their data. It primarily aims to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. It is important for organizations to protect information they possess about individuals to prevent others from accessing or misusing their personal information.

GDPR is applicable in case the following are based in the European Union:

  • Data controller

  • Data processor

  • Data subject or the person

  • Data recipient

  • Authority supervising and auditing data

  • An organization that collects data from EU residents

  • An organization that processes data on behalf of data controller like the service providers

  • An organization based outside the EU that collects or processes personal data of individuals located inside the EU

According to the European Commission, personal data is any information relating to an individual. This information can be private, professional, or public life of the individual. It includes, but is not limited to, a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or an IP address.

In order to comply with GDPR, the data controller must implement measures, which meet the principles of data protection by design, and data protection by default. It is the responsibility and the liability of the data controller to implement effective measures and to demonstrate the compliance of processing activities. This includes if the processing is performed by an external data processor on behalf of the controller.

GDPR considers encryption as one of the components in the security strategy, and mandates that organizations need to consider assessment, preventive, and detective controls based upon the sensitivity of the personal data in their possession.

Articles 30 and 33 of GDPR, mandate that organizations must maintain a record of its processing activities. This can only be achieved by constantly monitoring and auditing activities on personal data. This data can be used to timely notify authorities in case of a breach. In addition to mandating auditing and timely alerts, GDPR also requires that organizations must keep the audit records under their control. A centralized control of audit records prevents attackers or malicious users to cover the tracks of their suspicious activity by deleting the local audit records. There are four reports under Data Protection. They primarily focus on access to sensitive data by regular or privileged users and also privilege settings on objects.

6.12.1 Implementation In Oracle Audit Vault And Database Firewall

Oracle Audit Vault and Database Firewall complies with data protection directives and regulations by offering services like centralized auditing, monitoring, reporting, and alerting of anomalous activity on the database. It reports any access to sensitive data stored in the database.

The report relates to sensitive data, as identified and received from the sensitive data discovery processes. It contains information regarding activity on sensitive data by all users including privileged users.

Oracle Audit Vault and Database Firewall complies with data protection at source by centralizing control and administration. It stores and manages the data for processing in a centralized location. It monitors and sends timely alerts of suspicious behavior. It can centrally manage millions of audit records, or different types of security policies, by simplifying the administration related tasks. This is managed using Oracle Enterprise Manager that has a unified web based GUI.

Oracle Audit Vault and Database Firewall centrally collects and manages audit records. It monitors, alerts, reports, and blocks suspicious behavior.

Note:

Oracle Audit Vault and Database Firewall helps in complying with data privacy regulations such as GDPR.

6.12.2 Importing Sensitive Data Into Repository

Information about sensitive data is imported and stored in the AVDF repository. You can import a data file in .csv and .xml format. These data files are sourced from Oracle Enterprise Manager and Oracle Database Security Assessment Tool by running data discovery job to search for sensitive data in specific Oracle Database secured targets.

Oracle Database Security Assessment Tool generates the file in .csv format and Oracle Enterprise Manager generates the file in .xml format. The data file extracted contains a list of sensitive columns that is imported into the AVDF repository. It is viewed in the Audit Vault Server GUI using Data Privacy Reports.

Note:

Oracle Audit Vault and Database Firewall supports 13.1; 13.2; and 13.3 versions of Oracle Enterprise Manager Cloud Control.

See Also:

  1. Ensure you have the sensitive data report in .csv or .xml format by running data discovery job through Oracle Database Security Assessment Tool or Oracle Enterprise Manager respectively.
  2. Save the file in your local drive.
  3. Log in to the Audit Vault Server terminal as root user.
  4. Switch to oracle user, by executing:

    su - oracle

  5. Execute the following command to grant av_sensitive role to the admin user, or list of admin users:

    python /usr/local/dbfw/bin/av_sensitive_role grant <admin1> <admin2>

    Note:

    To revoke the av_sensitive role granted, execute the command:

    python /usr/local/dbfw/bin/av_sensitive_role revoke <admin1> <admin2>

  6. Log in to the Audit Vault Server GUI as admin user.
  7. Navigate to Secured Targets tab. The Secured Targets page lists the configured secured targets to which you have access. You can sort or filter the list of targets.
  8. Click on a specific secured target name.

    Result:

    Modify Secured Target page is displayed.

  9. Scroll down to Sensitive Objects.
  10. Click Browse against the Import From (.xml / .csv) field. Choose the sensitive data file saved in your local drive.
  11. Click Upload.

    Result:

    A pop up message File loaded successfully is displayed on the screen. The recent secured target file upload information is displayed on the GUI. The previous one is overwritten.

  12. Click Save.

    Note:

    • In case the user does not have the required role to import the sensitive data, or if the uploaded file is in incorrect format, then appropriate error message is displayed.

    • The report contains sensitive data generated from the recent .csv or .xml file uploaded. The earlier imported sensitive data is overwritten and the history is not maintained.

6.12.3 Accessing Data Privacy Reports

The sensitive data file is imported into the AVDF repository. Once the sensitive data definitions are imported into the repository, the Audit Vault Server GUI is used to view related Data Privacy Reports. This section contains information on how to access the reports that contain sensitive data.

Prerequisite

Ensure the appropriate entitlement data is available for the secured target. See Retrieving User Entitlement Data for Oracle Database Secured Targets for complete information.

  1. Log in to the Audit Vault Server GUI as auditor.
  2. Select Reports.
  3. Click on Built-in Reports, and then select Compliance Reports.

    The first tab Data Privacy Reports is expanded.

  4. Click on the Go button against the field To associate Secured Target(s) with this Compliance Category, click on the Go button.
  5. Check the box against the specific secured target displayed in the list. In case the specific secured target is not listed, then use the search option to find the secured target and then select it.
  6. Click Add Members. This associates the specific secured target with the compliance group.
  7. Click Save.
  8. Navigate back to the Compliance Reports.

    The page lists several sensitive reports:

    Report Description

    Sensitive Data

    Displays details of sensitive data like the Schema Name, Target Object, Column Name, Sensitive Type, and Target Type.

    Access Rights to Sensitive Data

    Displays details of user's access rights to sensitive data.

    Activity on Sensitive Data

    Displays details of activity on sensitive data by all users.

    Activity on Sensitive Data by Privileged Users

    Displays details of activity on sensitive data by privileged users.

    Note:

    • To view the privileges granted to users on sensitive data, see Access Rights to Sensitive Data report. See the below example report for reference. The user may have one or more of the privileges listed in the Privilege column for the respective sensitive data.

    • The user can get these privileges assigned directly or through roles granted.

    • Privileges granted to sensitive data that is assigned to a role is displayed only when the role is assigned to any user.

    • Privileges on sensitive data may be granted to the user group PUBLIC. In such a case the privilege is granted to all users. This privilege granted to PUBLIC is not visible in the report.

    • The report contains only privileges on sensitive data granted as an object privilege. System privileges are not displayed in the report.

    Secured Target Name : <Target Name 1>

    Sensitive Object User Name Privileges

    Table_1

    User X

    DELETE,INSERT,SELECT,UPDATE

    Table_2

    User Y

    DELETE,INSERT,SELECT,UPDATE

    Table_3

    User Z

    DELETE,INSERT,SELECT,UPDATE

  9. Click on the specific report to access it.