Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

Quick Reference for Common Tasks

• About this Quick Reference
• Secured Targets
• User Accounts and Access Rights
• Email Notifications
• Status and Job Monitoring
• Audit Policies (for Oracle Databases)
• Firewall Policies
  • Creating, Copying, and Editing Firewall Policies
  • Defining a Firewall Policy
  • Publishing and Deploying a Firewall Policy
• Reports
• Entitlements
• Alerts

Changes In This Document

• Revision History

1 Introducing Oracle Audit Vault and Database Firewall

• 1.1 Downloading the Latest Version of This Manual
• 1.2 Learning About Oracle AVDF
• 1.3 The Auditor's Role
• 1.4 Understanding Secured Targets
• 1.5 Understanding Firewall Policies
• 1.6 Understanding Audit Policies and Audit Data Collection
  • 1.6.1 Requirements for Collecting Audit Data from Secured Targets
    • 1.6.1.1 Requirements for Oracle Database
      • 1.6.1.1.1 Ensuring That Auditing Is Enabled in the Secured Target Database
      • 1.6.1.1.2 Using Recommended Audit Settings in the Secured Target Database
    • 1.6.1.2 Requirements for SQL Server, Sybase ASE, and IBM DB2 Databases
• 1.7 Configuring Alerts and Notifications
• 1.8 Generating Reports
• 1.9 Creating Users and Managing Access
• 1.10 Logging in and Understanding the Audit Vault Server Console UI
  • 1.10.1 Logging in to the Audit Vault Server Console
  • 1.10.2 Understanding the Tabs in the Audit Vault Server Console UI
  • 1.10.3 Working with Lists of Objects in the UI

2 Managing Secured Targets

• 2.1 About Managing Secured Targets
• 2.2 Viewing and Changing Settings for a Secured Target
  • 2.2.1 Viewing Audit Policy Settings for Oracle Databases
  • 2.2.2 Retrieving User Entitlement Data for Oracle Database Secured Targets
  • 2.2.3 Activating Stored Procedure Auditing
  • 2.2.4 Viewing a List of Audit Trails
    • 2.2.4.1 Viewing a List of Audit Trails for One Secured Target
    • 2.2.4.2 Viewing a List of Audit Trails for All Your Secured Targets
  • 2.2.5 Selecting a Firewall Policy
  • 2.2.6 Viewing a List of Enforcement Points
    • 2.2.6.1 Viewing a List of Enforcement Points for One Database Secured Target
    • 2.2.6.2 Viewing a List of Enforcement Points for All Your Secured Target Databases
  • 2.2.7 Setting a Data Retention (Archiving) Policy
• 2.3 Creating and Modifying Secured Target Groups
  • 2.3.1 About Secured Target Groups
  • 2.3.2 Creating and Modifying Secured Target Groups
• 2.4 Managing Compliance for Secured Target Databases
• 2.5 Setting Access Rights for Secured Targets and Groups

3 Managing Access and Other Settings

• 3.1 Managing User Accounts and Access
  • 3.1.1 About Oracle Audit Vault and Database Firewall Auditor Accounts and Passwords
  • 3.1.2 Creating Auditor Accounts
  • 3.1.3 Viewing the Status of Auditor User Accounts
  • 3.1.4 Managing User Access to Secured Targets or Groups
    • 3.1.4.1 About Managing User Access
    • 3.1.4.2 Controlling Access by User
    • 3.1.4.3 Controlling Access by Secured Target or Group
  • 3.1.5 Changing a User Account Type
  • 3.1.6 Unlocking a User Account
  • 3.1.7 Deleting an Auditor Account
  • 3.1.8 Changing the Auditor Password
• 3.2 Creating Templates and Distribution Lists for Email Notifications
  • 3.2.1 About Email Notifications and Templates
  • 3.2.2 Creating or Modifying an Email Distribution List
  • 3.2.3 Creating or Modifying an Email Template
• 3.3 Creating Non-Interactive Report Templates
  • 3.3.1 Creating Non-Interactive Report Template
  • 3.3.2 Modifying Non-Interactive Report Template
  • 3.3.3 Generating XML Data File Using SPOOL Command
  • 3.3.4 Generating Reports Using RTF And XML Sample Templates
• 3.4 Creating Alert Syslog Templates
• 3.5 Viewing Enforcement Point and Audit Trail Status
  • 3.5.1 Viewing Enforcement Point Status
  • 3.5.2 Viewing Audit Trail Status
• 3.6 Monitoring Jobs

4 Creating Audit Policies for Oracle Databases

• 4.1 About Audit Policies
  • 4.1.1 General Steps for Creating Audit Policies for Oracle Databases
• 4.2 Retrieving and Modifying Audit Settings from an Oracle Database
  • 4.2.1 Understanding the Columns on the Audit Settings Page
  • 4.2.2 Retrieving Audit Settings from Multiple Oracle Databases
  • 4.2.3 Scheduling Retrieval of Audit Settings for a Single Oracle Database
  • 4.2.4 Specifying Which Audit Settings Are Needed
• 4.3 Creating Additional Audit Policy Settings for an Oracle Database
  • 4.3.1 About Creating Audit Policy Settings
  • 4.3.2 Creating Audit Policies for SQL Statements
    • 4.3.2.1 About SQL Statement Auditing
    • 4.3.2.2 Defining SQL Statement Audit Settings
    • 4.3.2.3 Understanding the Statement Audit Settings Page
  • 4.3.3 Creating Audit Policies for Schema Objects
    • 4.3.3.1 About Schema Object Auditing
    • 4.3.3.2 Defining Schema Object Audit Settings
    • 4.3.3.3 Understanding the Object Audit Settings Page
  • 4.3.4 Creating Audit Policies for Privileges
    • 4.3.4.1 About Privilege Auditing
    • 4.3.4.2 Defining Privilege Audit Settings
    • 4.3.4.3 Understanding the Privilege Audit Settings Page
  • 4.3.5 Creating Audit Policies for Fine-Grained Auditing (FGA)
    • 4.3.5.1 About Fine-Grained Auditing
      • 4.3.5.1.1 Auditing Specific Columns and Rows
      • 4.3.5.1.2 Using Event Handlers in Fine-Grained Auditing
    • 4.3.5.2 Defining Fine-Grained Audit Settings
    • 4.3.5.3 Understanding the Fine-Grained Audit Settings Page
  • 4.3.6 Creating Capture Rules for Redo Log File Auditing
    • 4.3.6.1 About Capture Rules Redo Log File Auditing
    • 4.3.6.2 Defining a Capture Rule for Redo Log File Auditing
    • 4.3.6.3 Understanding the Capture Rule Settings Page
• 4.4 Provisioning Audit Policies to an Oracle Database
  • 4.4.1 Exporting Audit Settings to a SQL Script
  • 4.4.2 Provisioning the Audit Settings from the Audit Vault Server

5 Creating Database Firewall Policies

• 5.1 Overview of Database Firewall Policies
  • 5.1.1 About Firewall Policies
  • 5.1.2 The Steps of Developing a Database Firewall Policy
• 5.2 Creating a Database Firewall Policy
  • 5.2.1 Creating a New Database Firewall Policy
  • 5.2.2 Copying a Database Firewall Policy
  • 5.2.3 Editing a Database Firewall Policy
  • 5.2.4 Understanding a Database Firewall Policy's Overview Page
• 5.3 Defining a Database Firewall Policy
  • 5.3.1 About Defining the Policy
  • 5.3.2 Defining Session Filters to Use in Profiles and Exceptions
  • 5.3.3 Creating an Exception
    • 5.3.3.1 About Exception
    • 5.3.3.2 Creating Exceptions
    • 5.3.3.3 The Order of Applying Exceptions
  • 5.3.4 Defining Policy Rules for Analyzed SQL
    • 5.3.4.1 About Analyzed SQL
    • 5.3.4.2 Defining Policy Rules for Analyzed SQL
    • 5.3.4.3 Analyzing SQL Encrypted with Oracle Network Encryption
  • 5.3.5 Creating a Novelty Policy
    • 5.3.5.1 About Novelty Policies
    • 5.3.5.2 Creating Novelty Policies
    • 5.3.5.3 The Order of Applying Novelty Policies
    • 5.3.5.4 Novelty Policy Examples
  • 5.3.6 Defining a Default Rule
    • 5.3.6.1 About the Default Rule
    • 5.3.6.2 Default Rule Settings in Relation to Other Policies
    • 5.3.6.3 Defining the Default Rule
  • 5.3.7 Blocking SQL and Creating Substitute Statements
  • 5.3.8 Configuring Other Policy Settings
    • 5.3.8.1 Creating Login and Logout Policies for Database Users
    • 5.3.8.2 Masking Data
    • 5.3.8.3 Setting a Policy for Invalid SQL
    • 5.3.8.4 Configuring Global Database Firewall Policy Settings
• 5.4 Using Profiles to Customize a Database Firewall Policy
  • 5.4.1 About Profiles
  • 5.4.2 Creating a Profile
• 5.5 Publishing and Deploying Firewall Policies
  • 5.5.1 About Publishing and Using Firewall Policies
  • 5.5.2 Publishing a Database Firewall Policy
  • 5.5.3 Deploying Firewall Policies to Secured Targets

6 Reports

• 6.1 About the Reports in Audit Vault and Database Firewall
  • 6.1.1 Related Event Data Appendices
• 6.2 Browsing the Built-In Reports
• 6.3 Downloading a Report in HTML or CSV Format
• 6.4 Customizing the Built-in Reports
  • 6.4.1 About Customizing Built-in Reports
  • 6.4.2 Filtering and Controlling the Display of Data in a Report
    • 6.4.2.1 About Filtering and Display Settings in Reports
    • 6.4.2.2 Filtering Data in a Report
      • 6.4.2.2.1 About Filtering Data in Reports
      • 6.4.2.2.2 Filtering Column and Row Data Using the Search Bar
      • 6.4.2.2.3 Filtering All Rows Based on Data from a Selected Column
      • 6.4.2.2.4 Filtering Row Data Using an Expression
    • 6.4.2.3 Hiding or Showing Columns in a Report
    • 6.4.2.4 Formatting Data in a Report
      • 6.4.2.4.1 Sorting Row Data for All Columns
      • 6.4.2.4.2 Highlighting Rows in a Report
      • 6.4.2.4.3 Charting Data in a Report
      • 6.4.2.4.4 Adding Control Breaks to a Report
      • 6.4.2.4.5 Using the Group By Function to Format a Report
    • 6.4.2.5 Resetting the Report Display Values to Their Default Settings
  • 6.4.3 Saving your Customized Reports
  • 6.4.4 Accessing Your Saved Custom Reports
• 6.5 Scheduling and Generating PDF or XLS Reports
  • 6.5.1 About Scheduling and Creating PDF or XLS Reports
  • 6.5.2 Creating a Report Schedule
  • 6.5.3 Viewing or Modifying Report Schedules
  • 6.5.4 Downloading Generated Reports in PDF or XLS Format
  • 6.5.5 Notifying Users About Generated PDF or XML Reports
• 6.6 Annotating and Attesting Reports
• 6.7 Creating and Uploading Your Own Custom Reports
• 6.8 Activity Reports
  • 6.8.1 About the Activity Reports
  • 6.8.2 Activity Reports
    • 6.8.2.1 About the Activity Reports
    • 6.8.2.2 Activity Overview Report
    • 6.8.2.3 All Activity Report
    • 6.8.2.4 Audit Settings Changes Report
    • 6.8.2.5 Data Access Report
    • 6.8.2.6 Data Modification Report
    • 6.8.2.7 Data Modification Before-After Values Report
    • 6.8.2.8 Database Schema Changes Report
    • 6.8.2.9 Entitlements Changes Report
    • 6.8.2.10 Failed Logins Report
    • 6.8.2.11 User Login and Logout Report
    • 6.8.2.12 Startup and Shutdown Report
  • 6.8.3 Alert Reports
  • 6.8.4 Correlation Reports
  • 6.8.5 Database Firewall Reports
  • 6.8.6 Entitlement Reports
  • 6.8.7 Stored Procedure Auditing Reports
• 6.9 Summary Reports
  • 6.9.1 Trend Charts
  • 6.9.2 Anomaly Reports
  • 6.9.3 Summary Reports
• 6.10 Compliance Reports
  • 6.10.1 About the Compliance Reports
  • 6.10.2 Associating Secured Targets with Compliance Report Categories
  • 6.10.3 Reports Based on IRS Publication 1075
• 6.11 Specialized Reports
  • 6.11.1 About the Specialized Reports
  • 6.11.2 Oracle Database Reports - Database Vault Activity
• 6.12 Data Privacy Reports
  • 6.12.1 Implementation In Oracle Audit Vault And Database Firewall
  • 6.12.2 Importing Sensitive Data Into Repository
  • 6.12.3 Accessing Data Privacy Reports

7 Managing Entitlements

• 7.1 Managing and Viewing Entitlement Data
• 7.2 Working With Entitlement Snapshots and Labels
  • 7.2.1 About Entitlement Snapshots and Labels
  • 7.2.2 Creating, Modifying, or Deleting Labels for Entitlement Snapshots
  • 7.2.3 Assigning Labels to Entitlement Snapshots
• 7.3 Generating Entitlement Reports
  • 7.3.1 About Viewing Entitlement Reports with Snapshots and Labels
  • 7.3.2 Viewing Entitlement Reports by Snapshot or Label
  • 7.3.3 Comparing Entitlement Data Using Snapshots or Labels
• 7.4 Entitlement Report Descriptions
  • 7.4.1 About the Entitlement Reports
  • 7.4.2 User Accounts Reports
  • 7.4.3 User Privileges Reports
  • 7.4.4 User Profiles Reports
  • 7.4.5 Database Roles Reports
  • 7.4.6 System Privileges Reports
  • 7.4.7 Object Privileges Reports
  • 7.4.8 Privileged Users Reports

8 Creating Alerts

• 8.1 About Alerts
  • 8.1.1 Overview
  • 8.1.2 Defining Useful Alerts
• 8.2 Creating Alerts and Writing Alert Conditions
  • 8.2.1 Creating or Modifying an Alert
  • 8.2.2 Writing Alert Conditions
    • 8.2.2.1 About Alert Conditions
    • 8.2.2.2 Writing an Alert Condition
  • 8.2.3 Disabling, Enabling, or Deleting Alerts
• 8.3 Monitoring Alerts
• 8.4 Responding to an Alert
• 8.5 Creating Custom Alert Status Values
• 8.6 Forwarding Alerts to Syslog

A Oracle Audit Vault and Database Firewall Database Schemas

• A.1 About Oracle Audit Vault and Database Firewall Schemas
• A.2 Metadata for Activity Reports
• A.3 Data for Event Reports
• A.4 Data for Alert Reports
• A.5 Data for Entitlement Reports
• A.6 Data for SPA Reports
• A.7 Data for Database Firewall Reports

B Data Warehouse Partition

C Audit Record Fields

D Oracle Database Audit Events

• D.1 About the Oracle Database Audit Events
• D.2 Account Management Events
• D.3 Application Management Events
• D.4 Audit Command Events
• D.5 Data Access Events
• D.6 Database Vault Events
  • D.6.1 Database Vault Events in Oracle Database 11g
  • D.6.2 Database Vault Events in Oracle Database 12c
• D.7 Exception Events
• D.8 Invalid Record Events
• D.9 Object Management Events
• D.10 Peer Association Events
• D.11 Role and Privilege Management Events
• D.12 Service and Application Utilization Events
• D.13 System Management Events
• D.14 Unknown or Uncategorized Events
• D.15 User Session Events

E AIX Audit Events

F Sybase ASE Audit Events

• F.1 About the Sybase ASE Audit Events
• F.2 Account Management Events
• F.3 Application Management Events
• F.4 Audit Command Events
• F.5 Data Access Events
• F.6 Exception Events
• F.7 Invalid Record Events
• F.8 Object Management Events
• F.9 Peer Association Events
• F.10 Role and Privilege Management Events
• F.11 Service and Application Utilization Events
• F.12 System Management Events
• F.13 Unknown or Uncategorized Events
• F.14 User Session Events

G Microsoft SQL Server SQL Trace Audit Events

• G.1 About the Microsoft SQL Server Audit Events
• G.2 Account Management Events
• G.3 Application Management Events
• G.4 Audit Command Events
• G.5 Data Access Events
• G.6 Exception Events
• G.7 Invalid Record Events
• G.8 Object Management Events
• G.9 Peer Association Events
• G.10 Role and Privilege Management Events
• G.11 Service and Application Utilization Events
• G.12 System Management Events
• G.13 Unknown or Uncategorized Events
• G.14 User Session Events
• G.15 Target Type Values for SQL Trace Audit Events
  • G.15.1 Possible Target Types Values Associated With Certain SQL Trace Audit Events

H Microsoft SQL Server SQL Audit and Event Log Events

• H.1 SQL Audit Events
• H.2 Event Log Events
• H.3 Target Type Values for SQL Audit and Event Log Events
  • H.3.1 Possible Target Types Values Associated With SQL Audit and Event Log Events

I IBM DB2 Audit Events

• I.1 About the IBM DB2 for LUW Audit Events
• I.2 Account Management Events
• I.3 Application Management Events
• I.4 Audit Command Events
• I.5 Context Events
• I.6 Data Access Events
• I.7 Exception Events
• I.8 Execution Event
• I.9 Invalid Record Events
• I.10 Object Management Events
• I.11 Peer Association Events
• I.12 Role and Privilege Management Events
• I.13 Service and Application Utilization Events
• I.14 System Administration Events
• I.15 System Management Events
• I.16 Unknown or Uncategorized Events
• I.17 User Session Events
• I.18 Possible Target Type Values for IBM DB2 Audit Events
  • I.18.1 List 1: Possible Target Type Values for IBM DB2 Audit Events
  • I.18.2 List 2: Possible Target Type Values for IBM DB2 Audit Events
  • I.18.3 List 3: Possible Target Type Values for IBM DB2 Audit Events

J MySQL Audit Events

K Solaris Operating System Audit Events

L Microsoft Windows Operating System Audit Events

M Linux Operating System Audit Events

N Oracle ACFS Audit Events

O Active Directory Audit Events

• O.1 About Active Directory Audit Events
• O.2 Directory Service Audit Trail Events
• O.3 Security Audit Trail Events

Index