Q Monitoring Audit Vault Server
Learn how to monitor Audit Vault Server.
Monitoring enables investigation of suspicious activity, accountability for actions, and satisfying auditing requirements for compliance. Monitoring involves configuring auditing (in both the embedded repository and the operating system) and collecting the generated records into a shadow Audit Vault Server for analysis and reporting.
Audit Vault Server automatically configures auditing for both the operating system and the embedded repository.
Q.1 About Auditing Operating System
Learn all about auditing of the operating system.
Audit Vault Server enables the default Oracle Linux audit configuration. The configuration settings are in the /etc/audit/auditd.conf file, and the audit logs are recorded in the /var/log/audit directory.
Q.2 About Auditing Audit Vault Server Repository
Learn all about auditing of Audit Vault Server repository.
Prior to Oracle AVDF release 20.7, Audit Vault Server enables the default mixed mode auditing with the following settings:
audit_file_dest = /var/lib/oracle/admin/dbfwdb/adump
audit_sys_operations = TRUE
audit_trail = DB
Note:
The default configuration prior to release 20.7 audits SYS operations and does not audit the application-level schemas AVSYS and MANAGEMENT.
Starting with Oracle AVDF release 20.7, pure unified auditing is automatically enabled, with additional policies to audit the application schemas AVSYS and MANAGEMENT.
With pure unified auditing enabled, the Audit Vault Server centralizes all auditing in the unified audit trail; for example, Database Vault audit records go to the unified audit trail. The unified audit policies are configured by default, for both fresh installations of release 20.7 and upgrades of Audit Vault Server to release 20.7.
With traditional auditing, operations by all administrative users (such as SYS and SYSDBA) are audited by default.
With unified auditing, the top-level operations of administrative users (such as SYS and SYSDBA) are audited while the database is not open. Once the database is open, only the secure configuration actions are audited by default (in new databases). To audit other actions by administrative users, create a unified audit policy and then apply that policy to those users.
Note:
Your Oracle Database installation configuration might affect the auditing behavior. See the Oracle Database Security Guide for more details.
Table Q-1 Oracle Predefined Policies Configured for Audit Vault Server
Policy Name | Description
---|---
ORA_LOGON_FAILURES | Any failed logon events.
ORA_SECURECONFIG | Secure configuration defined by Oracle Database, with certain actions excepted.
AVSYS_DV_UA_POLICY | Database Vault protected AVSYS realm.
MANAGEMENT_DV_UA_POLICY | Database Vault protected MANAGEMENT realm.
AUDIT_DB_MGMT_POLICY | Database management operations.
AUDIT_SELECT_DICTIONARY_POLICY | SELECT ANY DICTIONARY privilege.
AVSYS_DV_UA_POLICY
The following CREATE AUDIT POLICY statement shows the AVSYS_DV_UA_POLICY unified audit policy definition:
create audit policy AVSYS_DV_UA_POLICY actions component=dv
realm violation on "Audit Vault Realm",
realm success on "Audit Vault Realm",
realm access on "Audit Vault Realm",
rule set failure on "AVSYS audit command",
rule set success on "AVSYS audit command",
rule set eval on "AVSYS audit command"
Unified Audit Policy for Database Vault AVSYS Realm
The AVSYS Database Vault realm protects all AVSYS objects, including AVSYS tables, packages, and others. AVSYS_DV_UA_POLICY audits all activities on the Database Vault AVSYS realm.
The following commands are audited by the Database Vault AVSYS realm:
- drop database link
- drop index
- drop package
- drop package body
- drop procedure
- drop sequence
- drop synonym
- drop table
- drop type
- drop type body
- drop view
- delete
- revoke
- truncate table
MANAGEMENT_DV_UA_POLICY
The following CREATE AUDIT POLICY statement shows the MANAGEMENT_DV_UA_POLICY unified audit policy definition:
create audit policy MANAGEMENT_DV_UA_POLICY actions component=dv
realm violation on "Audit Vault Account Manager Realm",
realm success on "Audit Vault Account Manager Realm",
realm access on "Audit Vault Account Manager Realm",
rule set failure on "MANAGEMENT audit command",
rule set success on "MANAGEMENT audit command",
rule set eval on "MANAGEMENT audit command"
Unified Audit Policy for Database Vault MANAGEMENT Realm
The MANAGEMENT Database Vault realm protects all MANAGEMENT objects, including MANAGEMENT tables, packages, and others. MANAGEMENT_DV_UA_POLICY audits all activities on the Database Vault MANAGEMENT realm.
The following commands are audited by the Database Vault MANAGEMENT realm:
- drop database link
- drop index
- drop package
- drop package body
- drop procedure
- drop sequence
- drop synonym
- drop table
- drop type
- drop type body
- drop view
- delete
- revoke
- truncate table
AUDIT_DB_MGMT_POLICY
The following CREATE AUDIT POLICY statement shows the AUDIT_DB_MGMT_POLICY unified audit policy definition; the policy is enabled for all users:
create audit policy audit_db_mgmt_policy
privileges
ALTER PUBLIC DATABASE LINK,
AUDIT ANY, AUDIT SYSTEM,
CREATE ANY TRIGGER, CREATE PUBLIC DATABASE LINK,
DROP ANY DIRECTORY, DROP PUBLIC DATABASE LINK
actions
ALTER FUNCTION, ALTER PACKAGE, ALTER PROCEDURE,
ALTER TRIGGER,
CREATE PACKAGE, CREATE PACKAGE BODY, CREATE PROCEDURE,
CREATE SPFILE, CREATE TRIGGER,
DROP FUNCTION, DROP PACKAGE, DROP PROCEDURE,
DROP TRIGGER;
AUDIT_SELECT_DICTIONARY_POLICY
The following CREATE AUDIT POLICY statement shows the AUDIT_SELECT_DICTIONARY_POLICY unified audit policy definition; the policy is enabled for all users except AVSYS and MANAGEMENT:
create audit policy audit_select_dictionary_policy
privileges
SELECT ANY DICTIONARY;
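The following SQL is added here as an example; it is not part of the original page or of the Audit Vault Server product. It checks that the policies above are actually defined and enabled on a release 20.7 or later main Audit Vault Server, and lists what the two Database Vault realm policies have recorded recently. It uses only standard Oracle Database dictionary views (AUDIT_UNIFIED_POLICIES, AUDIT_UNIFIED_ENABLED_POLICIES, UNIFIED_AUDIT_TRAIL) and assumes a session on the embedded repository holding the AUDIT_VIEWER role or equivalent. The policy names are the four defined above plus Oracle's predefined ORA_LOGON_FAILURES and ORA_SECURECONFIG.

```sql
-- Added example, not Oracle's code: verify the unified audit policies that a
-- 20.7 or later Audit Vault Server configures on its embedded repository.
-- Assumes standard Oracle Database dictionary views and a session holding
-- the AUDIT_VIEWER role (or equivalent) on the main Audit Vault Server.

-- 1. Are the policies defined?  Expect one row per policy; a missing row
--    means the release 20.7 audit configuration was not applied.
SELECT policy_name,
       COUNT(*) AS audit_options
  FROM audit_unified_policies
 WHERE policy_name IN ('AVSYS_DV_UA_POLICY', 'MANAGEMENT_DV_UA_POLICY',
                       'AUDIT_DB_MGMT_POLICY', 'AUDIT_SELECT_DICTIONARY_POLICY',
                       'ORA_LOGON_FAILURES', 'ORA_SECURECONFIG')
 GROUP BY policy_name
 ORDER BY policy_name;

-- 2. Are they enabled, and for whom?  ENABLED_OPT is BY or EXCEPT and
--    USER_NAME is the user it applies to ('ALL USERS' when unrestricted).
--    AUDIT_SELECT_DICTIONARY_POLICY should show EXCEPT rows for AVSYS and
--    MANAGEMENT.  Check SUCCESS/FAILURE against what you expect: a policy
--    enabled only WHENEVER NOT SUCCESSFUL, as ORA_LOGON_FAILURES normally is,
--    shows SUCCESS = NO and FAILURE = YES.
SELECT policy_name, enabled_opt, user_name, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name IN ('AVSYS_DV_UA_POLICY', 'MANAGEMENT_DV_UA_POLICY',
                       'AUDIT_DB_MGMT_POLICY', 'AUDIT_SELECT_DICTIONARY_POLICY',
                       'ORA_LOGON_FAILURES', 'ORA_SECURECONFIG')
 ORDER BY policy_name, user_name;

-- 3. What did the two Database Vault realm policies record in the last
--    24 hours?  UNIFIED_AUDIT_POLICIES names the policy that produced each
--    row; DV_ACTION_NAME says whether it was a realm violation, an authorized
--    realm access, or a rule set evaluation; ACTION_NAME/OBJECT_NAME show the
--    statement that triggered it (for example DROP PACKAGE on an AVSYS object).
SELECT event_timestamp, dbusername, os_username, userhost,
       action_name, object_schema, object_name,
       dv_action_name, dv_action_object_name,
       unified_audit_policies, sql_text
  FROM unified_audit_trail
 WHERE audit_type = 'Database Vault'
   AND (unified_audit_policies LIKE '%AVSYS_DV_UA_POLICY%'
        OR unified_audit_policies LIKE '%MANAGEMENT_DV_UA_POLICY%')
   AND event_timestamp >= SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp DESC;
```

If query 1 returns fewer than six rows, or query 2 shows a policy with no enabled row, the release 20.7 auditing configuration is not in place and the shadow Audit Vault Server will have nothing to collect for that policy's actions. Query 3 is where a test such as dropping an AVSYS package (the example used in the collection section below) should show up before you go on to configure the shadow server.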
Q.3 About Purging Unified Audit Trail on the Main Audit Vault Server
Learn how to configure a purge job for unified audit data pertaining to the main Audit Vault Server.
Unified audit trail data that is older than 7 days is purged by default. This is done as part of the AVS_MAINTENANCE_JOB, which is scheduled to run daily by default. The schedule can be changed using the Audit Vault Server console.
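As an added example (not from the original page or the product), the following SQL confirms on the main Audit Vault Server that the daily purge is actually bounding the unified audit trail, and shows how much self-audit volume each policy produces per day. It assumes the standard UNIFIED_AUDIT_TRAIL view and a session with the AUDIT_VIEWER role; the 8-day threshold is the 7-day retention plus one day of slack before the next daily run.

```sql
-- Added example, not Oracle's code: confirm that the daily
-- AVS_MAINTENANCE_JOB purge is bounding the main Audit Vault Server's
-- unified audit trail, and measure the daily volume it produces.
-- Assumes the standard UNIFIED_AUDIT_TRAIL view and the AUDIT_VIEWER role.

-- 1. Age and size of what is on disk.  Records older than 7 days are purged
--    once a day, so nothing should be older than about 8 days; a non-zero
--    OLDER_THAN_8_DAYS means the purge is not running or is not keeping up.
SELECT MIN(event_timestamp) AS oldest_record,
       MAX(event_timestamp) AS newest_record,
       COUNT(*)             AS total_records,
       SUM(CASE WHEN event_timestamp < SYSTIMESTAMP - INTERVAL '8' DAY
                THEN 1 ELSE 0 END) AS older_than_8_days
  FROM unified_audit_trail;

-- 2. Records per day, split by the policy that generated them.  A policy that
--    dominates the count is where the self-audit volume (and the disk space
--    the storage section accounts for) is coming from.
SELECT TRUNC(CAST(event_timestamp AS DATE)) AS audit_day,
       unified_audit_policies,
       COUNT(*) AS records
  FROM unified_audit_trail
 WHERE event_timestamp >= SYSTIMESTAMP - INTERVAL '8' DAY
 GROUP BY TRUNC(CAST(event_timestamp AS DATE)), unified_audit_policies
 ORDER BY audit_day DESC, records DESC;
```

Run the first query before and after changing the maintenance schedule: if the purge has been disabled or its schedule lengthened, OLDER_THAN_8_DAYS starts growing and the storage allocation in the next section no longer holds.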
See Also:
Schedule Maintenance Jobs
After configuring the unified audit trail collection in the shadow Audit Vault Server, it is recommended to configure a unified audit trail purge job in the main Audit Vault Server. Configure the collection first, so that records are not purged before the shadow Audit Vault Server has collected them.
Follow these steps to configure the unified audit trail purge job:
Q.4 Storage Requirement for Main Audit Vault Server
Learn about the storage requirement for the main Audit Vault Server when auditing is enabled.
For every 1 million audit records and network events collected, the Audit Vault Server generates 3 GB of audit records as part of self auditing. The administrator must include this space usage in the sizing exercise for the deployment.
For a fresh installation of Audit Vault Server, refer to the Audit Vault Sizing Guide. For an upgrade of Audit Vault Server from an older version, follow these guidelines:
- Collect the number of records (in millions) generated by the Audit Vault Server over a period of 8 days (the default 7-day unified audit retention described above, plus one day before the next daily purge). Take this as X. For example, if 2 million records are generated per day, then X = 2 * 8 = 16.
- Calculate the space required (Y) for Audit Vault Server self auditing, which covers SYSTEMDATA and EVENTDATA. For every million records the space required is 3 GB, so Y = X * 3 GB.
The administrator needs to allocate Y GB of space in the SYSTEMDATA and EVENTDATA disk groups. For example, if the system is processing 2 million audit records per day:
X = 2 * 8 = 16
Y = 16 * 3 GB = 48 GB
So for the Audit Vault Server to audit itself while processing about 2 million audit records per day, the administrator must allocate 48 GB of space in both SYSTEMDATA and EVENTDATA.
Q.5 Collecting Audit Records to Shadow Audit Vault Server
Learn how to collect audit records to the shadow Audit Vault Server.
You can configure a shadow Audit Vault Server to monitor the audit trails of the main Audit Vault Server. For example, if someone logs in to the main Audit Vault Server and drops an AVSYS package, the activity is audited, and the trail is collected in the shadow Audit Vault Server for reporting and analysis. The audit records then appear in the activity reports that an auditor can access in the Audit Vault Server console, for example the All Activity report.
When you configure a shadow Audit Vault Server, configure collection from both the unified audit trail and the OS audit trail.
Configuring these trails involves the following steps:
- Deploying Audit Vault Agent on the main Audit Vault Server
- Adding a trail on the shadow Audit Vault Server to collect data from unified audit trail in the main Audit Vault Server
- Adding a trail on the shadow Audit Vault Server to collect data from operating system audit trail in the main Audit Vault Server
Q.6 Deploying the Audit Vault Agent on the Main Audit Vault Server
Learn how to deploy Audit Vault Agent on the main Audit Vault Server.
A shadow Audit Vault Server can be configured to monitor the audit trail of the main Audit Vault Server. To accomplish this an Audit Vault Agent must be deployed on the main Audit Vault Server.
Follow these steps:
Q.7 Adding a Trail to Collect Data From Unified Audit Trail on the Main Audit Vault Server
Learn how to add a trail to collect data from unified audit trail on the main Audit Vault Server as an Oracle Database target.
This involves two steps on a high level:
- Registering the main Audit Vault Server as an Oracle Database target.
- Configuring the trail to collect data from the unified audit trail on the main Audit Vault Server.
Q.7.1 Registering the Main Audit Vault Server as an Oracle Database Target
Learn how to register the main Audit Vault Server as an Oracle Database target.
Q.7.2 Configuring Trail to Collect Data from Unified Audit Trail on the Main Audit Vault Server
Learn how to add an audit trail to collect data from the unified audit trail on the main Audit Vault Server as an Oracle Database target.
- Log in to the shadow Audit Vault Server as an administrator.
- Add an audit trail for the main Audit Vault Server Oracle Database target:
- Click the Targets tab.
- Identify and click the main Audit Vault Server Oracle Database target.
- In the Audit Data Collection section, click Add.
- Select TABLE in the Audit Trail Type field.
- Select UNIFIED_AUDIT_TRAIL in the Trail Location field.
- Select the Audit Vault Agent deployed on the main Audit Vault Server in the Agent Host field.
- In the Agent Plugin field, select com.oracle.av.plugin.oracle.
- Click Save.
- The audit trail starts automatically.
Q.8 Adding a Trail to Collect Data from OS Audit Trail on the Main Audit Vault Server
Learn how to add a trail to collect data from OS audit trail on the main Audit Vault Server as a Linux target.
This involves two steps on a high level:
- Registering the main Audit Vault Server as a Linux target.
- Configuring trail to collect data from OS audit trail on the main Audit Vault Server.
Q.8.1 Registering the Main Audit Vault Server as a Linux Target
Learn how to register the main Audit Vault Server as a Linux target.
- Log in to the shadow Audit Vault Server as an administrator.
- Click the Targets tab, and then click Register.
- Select Linux in the Type field.
- Select 6 months online and 0 months as the Retention Policy.
- Enter the Host Name of the main Audit Vault Server if DNS is configured.
- Enter the IP address of the main Audit Vault Server.
- Click Save.
Q.9 Creating an Alert Policy to Monitor AVREPORTUSER, AVSAUDIT, and ORDS_PUBLIC_USER Users
Oracle recommends creating an alert policy with email notifications to monitor the AVREPORTUSER, AVSAUDIT, and ORDS_PUBLIC_USER users. Use the following alert condition, which fires on every failed logon attempt by one of those users:
upper(:EVENT_STATUS)='FAILURE' and upper(:EVENT)='LOGON' and (upper(:USER)='AVREPORTUSER' or upper(:USER)='AVSAUDIT' or upper(:USER)='ORDS_PUBLIC_USER')
For more information, see Creating Alerts and Writing Alert Conditions in the Oracle Audit Vault and Database Firewall Auditor's Guide.
If you receive an alert, check the event details and take action to prevent further logon attempts against the AVREPORTUSER, AVSAUDIT, and ORDS_PUBLIC_USER users.
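As an added example (not part of the original page or the product), the SQL below applies the same condition as the alert directly to the main Audit Vault Server's unified audit trail, which is useful to validate the alert before relying on it and to investigate after it fires. It assumes the standard UNIFIED_AUDIT_TRAIL view and the AUDIT_VIEWER role; a failed logon is a LOGON action with a non-zero RETURN_CODE (the ORA error number, for example 1017 for an invalid username or password and 28000 for a locked account), which is what the alert's EVENT_STATUS of FAILURE corresponds to.

```sql
-- Added example, not Oracle's code: the alert condition above, expressed as
-- a query on the main Audit Vault Server's unified audit trail.
-- Assumes the standard UNIFIED_AUDIT_TRAIL view and the AUDIT_VIEWER role.
-- RETURN_CODE is the ORA error number of the failed logon:
--   1017 = invalid username/password, 28000 = account locked.

-- 1. Every failed logon for the three accounts in the last 7 days
--    (the default retention of the trail on the main server).
SELECT event_timestamp, dbusername, os_username, userhost,
       client_program_name, authentication_type, return_code
  FROM unified_audit_trail
 WHERE action_name = 'LOGON'
   AND return_code <> 0
   AND dbusername IN ('AVREPORTUSER', 'AVSAUDIT', 'ORDS_PUBLIC_USER')
   AND event_timestamp >= SYSTIMESTAMP - INTERVAL '7' DAY
 ORDER BY event_timestamp DESC;

-- 2. Failures per account, per source host, per hour.  A burst from one
--    host is the password-guessing pattern the alert is meant to surface;
--    a steady trickle from the Audit Vault Server's own address usually
--    means a component holding a stale credential rather than an attacker.
SELECT TRUNC(CAST(event_timestamp AS DATE), 'HH24') AS hour_bucket,
       dbusername, userhost,
       COUNT(*)         AS failures,
       MIN(return_code) AS min_code,
       MAX(return_code) AS max_code
  FROM unified_audit_trail
 WHERE action_name = 'LOGON'
   AND return_code <> 0
   AND dbusername IN ('AVREPORTUSER', 'AVSAUDIT', 'ORDS_PUBLIC_USER')
   AND event_timestamp >= SYSTIMESTAMP - INTERVAL '7' DAY
 GROUP BY TRUNC(CAST(event_timestamp AS DATE), 'HH24'), dbusername, userhost
HAVING COUNT(*) >= 3
 ORDER BY hour_bucket DESC, failures DESC;
```

Both patterns from query 2 deserve action: the burst because it is an attack on an internal account, and the trickle because, left alone, it buries real attempts in alert noise.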