2 Introducing Oracle Audit Vault and Database Firewall

Before you start using Oracle Audit Vault and Database Firewall, you should understand how its components, such as targets and policies, work.

2.1 Downloading the Latest Version of This Manual

Before using Oracle Audit Vault and Database Firewall, you should ensure that you have the latest version of the documentation.

You can download the latest version of this manual from the following website:

https://docs.oracle.com/en/database/oracle/audit-vault-database-firewall/20/sigau/index.html

You can find documentation for other Oracle products at the following website:

https://docs.oracle.com

2.2 Learning About Oracle Audit Vault and Database Firewall

You should understand the features, components, users, and deployment of Oracle Audit Vault and Database Firewall.

To find this information, refer to Oracle Audit Vault and Database Firewall Concepts Guide.

2.3 The Auditor's Role

An auditor uses the Audit Vault Server console to configure the databases or non-databases you are monitoring with Oracle Audit Vault and Database Firewall.

The auditor uses the Audit Vault Server console to configure the following:

  • Targets - For each target you are monitoring, the Oracle Audit Vault and Database Firewall administrator must configure a target in the Audit Vault Server. As an auditor, you can then specify audit and/or firewall policies for the target, as well as other requirements.

  • Database Firewall Policies - For any supported database, you can use the Database Firewall and design a firewall policy based on SQL statements from your targets.

  • Audit Policies - For Oracle databases, you can use Oracle Audit Vault and Database Firewall to design audit policies and provision them to the database.

  • Alerts - You can create simple or complex alerts based on conditions you specify for the targets you are monitoring. You can also specify alert notifications using email templates.

  • Audit Trails - For any target type, you can monitor the status of audit trails and see audit reports.

  • Reports - You can schedule and generate a number of audit and firewall reports in Oracle Audit Vault and Database Firewall, create report notifications, as well as add your own customized reports.

Auditor Roles in Oracle Audit Vault and Database Firewall

There are three auditor roles in Oracle Audit Vault and Database Firewall, with different access levels:

  • Super Auditor - This role has access to all targets and can grant access to specific targets and groups to an auditor. A super auditor can also assign the super auditor role to others.
  • Auditor - This role can only see data for targets to which they have been granted access by a super auditor.
  • Readonly Auditor - This role has read-only access to targets, audit trails, Database Firewall monitoring points, dashboard, reports, charts, and access rights data, and can add filters.

2.4 Understanding Targets

A target is any supported database or non-database that you monitor with Oracle Audit Vault and Database Firewall.

Targets can be monitored by the Audit Vault Agent, the Database Firewall, or both.

The Oracle Audit Vault and Database Firewall administrator creates and configures targets, providing host addresses, usernames, passwords, and other necessary information.

For a target to be monitored by Database Firewall, the administrator must configure the Database Firewall, and also configure a monitoring point for every target.

Once targets are configured, an auditor can do the following for each one:

  • Collect audit data
  • Enable stored procedure auditing (SPA)
  • If the target is a database monitored by a Database Firewall:
    • Design and apply a firewall policy
    • View the status of configured monitoring points
  • If the target is an Oracle database:
    • Define and provision the audit policies
    • Retrieve user entitlement information
  • Set a data retention policy
  • Generate a variety of reports
  • Monitor audit trail status

Super auditors can create target groups for access control purposes. Super auditors grant auditors access to individual targets or to target groups.

See Also:

Managing Targets

2.5 Understanding Firewall Policies

An Oracle Audit Vault and Database Firewall policy monitors Oracle Database statements, objects, privileges, or fine-grained auditing.

2.6 Understanding Audit Policies and Audit Data Collection

Learn about how audit policies manage audit data collection.

2.7 Requirements for Collecting Audit Data from Targets

Oracle Audit Vault and Database Firewall targets include Oracle Database, SQL Server, Sybase ASE, and IBM DB2 databases.

2.7.1 Requirements for Oracle Database

You should ensure that auditing is enabled in the target database and that it uses the recommended audit settings.

2.7.1.1 Ensuring That Auditing Is Enabled in the Target Database

Oracle Audit Vault and Database Firewall can collect audit data from the target databases. Auditing must be enabled in those databases.

A database administrator can check the type of auditing your database uses by logging in to SQL*Plus and running the appropriate command.

For example, to check if standard auditing is enabled:

SQL> SHOW PARAMETER AUDIT_TRAIL

NAME                   TYPE        VALUE
---------------------- ----------- -----------
audit_trail            string      DB

This output shows that standard auditing is enabled and audit records are being written to the database audit trail.

For fine-grained auditing, you can query the AUDIT_TRAIL column of the DBA_AUDIT_POLICIES data dictionary view to find the audit trail types that are set for the fine-grained audit policies on the database.

2.7.1.2 Using Recommended Audit Settings in the Target Database

After your database administrator checks that auditing is enabled, Oracle recommends that you set several areas of auditing in the database.

The areas that you must enable are as follows:

  • Database schema or structure changes. Use the following AUDIT SQL statement settings:

    • AUDIT ALTER ANY PROCEDURE BY ACCESS;

    • AUDIT ALTER ANY TABLE BY ACCESS;

    • AUDIT ALTER DATABASE BY ACCESS;

    • AUDIT ALTER SYSTEM BY ACCESS;

    • AUDIT CREATE ANY JOB BY ACCESS;

    • AUDIT CREATE ANY LIBRARY BY ACCESS;

    • AUDIT CREATE ANY PROCEDURE BY ACCESS;

    • AUDIT CREATE ANY TABLE BY ACCESS;

    • AUDIT CREATE EXTERNAL JOB BY ACCESS;

    • AUDIT DROP ANY PROCEDURE BY ACCESS;

    • AUDIT DROP ANY TABLE BY ACCESS;

  • Database access and privileges. Use the following AUDIT SQL statements:

    • AUDIT ALTER PROFILE BY ACCESS;

    • AUDIT ALTER USER BY ACCESS;

    • AUDIT AUDIT SYSTEM BY ACCESS;

    • AUDIT CREATE PUBLIC DATABASE LINK BY ACCESS;

    • AUDIT CREATE SESSION BY ACCESS;

    • AUDIT CREATE USER BY ACCESS;

    • AUDIT DROP PROFILE BY ACCESS;

    • AUDIT DROP USER BY ACCESS;

    • AUDIT EXEMPT ACCESS POLICY BY ACCESS;

    • AUDIT GRANT ANY OBJECT PRIVILEGE BY ACCESS;

    • AUDIT GRANT ANY PRIVILEGE BY ACCESS;

    • AUDIT GRANT ANY ROLE BY ACCESS;

    • AUDIT ROLE BY ACCESS;
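
To confirm that these settings are actually in place on a target, the following added example (not part of the Oracle manual) compares the recommended options against the DBA_STMT_AUDIT_OPTS and DBA_PRIV_AUDIT_OPTS data dictionary views, and then lists the fine-grained audit policies from DBA_AUDIT_POLICIES mentioned in section 2.7.1.1. It assumes traditional auditing as configured by the AUDIT statements above, and a database user who can query the DBA_ views.

```sql
-- Added example: recommended options from section 2.7.1.2 that are NOT
-- audited system-wide BY ACCESS for both successful and failed statements.
WITH recommended AS (
  SELECT column_value AS audit_option
  FROM TABLE(sys.odcivarchar2list(
    'ALTER ANY PROCEDURE', 'ALTER ANY TABLE', 'ALTER DATABASE',
    'ALTER SYSTEM', 'CREATE ANY JOB', 'CREATE ANY LIBRARY',
    'CREATE ANY PROCEDURE', 'CREATE ANY TABLE', 'CREATE EXTERNAL JOB',
    'DROP ANY PROCEDURE', 'DROP ANY TABLE',
    'ALTER PROFILE', 'ALTER USER', 'AUDIT SYSTEM',
    'CREATE PUBLIC DATABASE LINK', 'CREATE SESSION', 'CREATE USER',
    'DROP PROFILE', 'DROP USER', 'EXEMPT ACCESS POLICY',
    'GRANT ANY OBJECT PRIVILEGE', 'GRANT ANY PRIVILEGE',
    'GRANT ANY ROLE', 'ROLE'))
),
configured AS (
  -- user_name IS NULL selects system-wide settings, not per-user ones
  SELECT audit_option, success, failure
  FROM   dba_stmt_audit_opts
  WHERE  user_name IS NULL AND proxy_name IS NULL
  UNION
  SELECT privilege, success, failure
  FROM   dba_priv_audit_opts
  WHERE  user_name IS NULL AND proxy_name IS NULL
)
SELECT r.audit_option,
       NVL(c.success, 'NOT SET') AS success,
       NVL(c.failure, 'NOT SET') AS failure
FROM   recommended r
LEFT JOIN configured c ON c.audit_option = r.audit_option
WHERE  NVL(c.success, 'NOT SET') <> 'BY ACCESS'
   OR  NVL(c.failure, 'NOT SET') <> 'BY ACCESS'
ORDER  BY r.audit_option;

-- Fine-grained auditing (section 2.7.1.1): where each policy writes its records.
SELECT object_schema, object_name, policy_name, enabled, audit_trail
FROM   dba_audit_policies
ORDER  BY object_schema, object_name, policy_name;
```

An empty result from the first query means every recommended option is set BY ACCESS system-wide; any row returned names an option that still needs its AUDIT statement.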

2.7.2 Requirements for SQL Server, Sybase ASE, and IBM DB2 Databases

Ensure that auditing is enabled in these databases.

You also should ensure that they are correctly configured to send audit data to the Audit Vault Server. A database administrator can check these requirements for you. For more information, check the documentation for these databases and Oracle Audit Vault and Database Firewall Administrator's Guide.

2.8 Configuring Alerts and Notifications

Oracle Audit Vault and Database Firewall lets you define rule-based alerts on audit records and specify notification actions for those alerts.

Whenever an audit event meets the rule or condition defined in the alert definition, an alert is raised and a notification is sent as specified. You can define alerts by type of target, the number of times an event occurs, and by using available fields in audit records to define a Boolean condition that must be met. You can also configure email templates to be used for alert notifications.

You can monitor and respond to alerts from the Audit Vault Server console and from alert reports.

See Also:

Creating Alerts

2.9 Generating Reports

As an Oracle Audit Vault and Database Firewall auditor, you can generate various audit reports for the targets to which you have access.

You can schedule, print, and/or email the reports to others, in PDF or XLS format. Reports include information on audit data, entitlements, and stored procedures. You can also generate compliance reports to meet regulations associated with credit card, financial, data protection, and health care-related data.

Oracle Audit Vault and Database Firewall also lets you browse and customize report data interactively, and upload your own custom reports created with third party tools.

2.10 Creating Users and Managing Access

A super auditor creates auditor accounts, and manages auditor access to targets and target groups.

See Also:

Managing Access and Other Settings for information on these functions.

2.11 Logging in and Understanding the Audit Vault Server Console UI

After you log in to the Audit Vault Server Console, you can work with various tabbed pages and lists of objects.

2.11.1 Logging in to the Audit Vault Server Console

To log in to the Audit Vault Server console, you must have a valid user name and password.

To log in to the Audit Vault Server console:

  1. From a browser, enter the following URL:
    https://host/console

    where host is the server where you installed Audit Vault Server.

    For example:

    https://192.0.2.1/console

  2. In the Login page, enter your user name and password, and then click Login.

    The Home page appears.

2.11.2 Understanding the Tabs in the Audit Vault Server Console UI

An auditor or super auditor can see the auditor's dashboard on the home page and the functions that are available for the auditor roles.

Home page

The Home tab on the console has the following sections:

  • Targets
  • Security assessment for Oracle databases
  • Security assessment drift graph (Starting in Oracle AVDF 20.11, this section will be included.)
  • All activity (Starting in Oracle AVDF 20.11, this section will be omitted.)
  • Alerts
    • Open alerts
    • Alerts by severity
    • Top 5 targets by alerts
    • Top 5 alert policies by volume

There is an option to filter the display by time period.

Other tabs

  • Audit Insights - See a summarized view of details about your targets, users, and policies, including total counts and top five activity and sensitive data details. You can drill down from the summary view and charts to the detailed activity reports. In rare cases, the summary view may be out of sync with the charts.
  • Targets - Set firewall, audit, and data retention policies for each target; manage entitlement snapshots; set up target groups; see audit trails and monitoring points.
  • Policies - Manage audit and firewall policies, and configure alerts.
  • Alerts - Manage alerts.
  • Reports - Generate default reports, schedule reports, customize reports online, and upload your custom reports.
  • Settings - Change your password, create and manage email distribution lists, configure email notification templates for alerts and reports, view audit trail and monitoring point status, manage user accounts and access, and view job status.

2.11.3 Working with Lists of Objects in the UI

Throughout the Audit Vault Server UI, you will see lists of objects such as reports, users, targets, firewall policies, and so on.

You can filter and customize any of these lists of objects in the same way as you can for Oracle Audit Vault and Database Firewall reports. This section provides a summary of how you can filter and customize the display of lists of objects.

To filter and control the display of lists of objects in the Audit Vault Server UI:

  1. Click on the report, list, or column heading.

  2. You can customize the list by selecting any of the following available options:

    • Sort Ascending
    • Sort Descending
    • Hide Column
    • Control Break