3 Reports and Alerts

Oracle AVDF reports cover a wide range of activities including privileged user activity, changes to database schema, and SQL statements being executed. In addition, reports include information on changes in database account management, roles and privileges, object management, stored procedures, and security configuration (Oracle Databases only).

Auditors access reports interactively through a web interface, or through PDF or XLS files. Report columns can be sorted, filtered, re-ordered, added, or removed. PDF and XLS reports can be scheduled to be generated automatically. Reports can also be defined to require signoff by multiple auditors. Users can use Oracle BI Publisher to create new PDF and XLS report templates, or to customize existing ones, to meet specific compliance and security requirements. Furthermore, the Audit Vault Server repository schema is documented, enabling integration with third-party reporting solutions.

3.1 Types of Reports

The following are some of the reports available in Oracle AVDF.

Activity Reports

Activity reports track general database access activities such as audited SQL statements, application access and user logins. Specialized activity reports cover failed logins, user entitlements, before-after data modifications, changes to application tables, and database schema changes. For example, if you need to audit each time a user performs DDL SQL statements such as DROP or ALTER, the pre-built Database Schema report can display the data associated with that particular user, and individual event details can be viewed.

Entitlement Reports

User Entitlement reports describe the types of access that users have in an Oracle Database, providing information about the users, roles, profiles, and privileges used. These reports are useful for finding duplicate privileges, and simplifying privilege grants. After an entitlement snapshot is generated, you can compare different snapshots to find how the entitlement information has changed over time. This is particularly useful for identifying any drift from an approved database entitlement baseline and can also pinpoint privilege escalations due to possible malicious activities.
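The snapshot comparison described above, as an added illustration of the logic rather than Oracle AVDF's own code: two constructed entitlement snapshots (target, grantee, privilege or role) are diffed against an approved baseline to list grants, revocations, new grantees, and grants of privileges from an assumed high-risk list that would indicate escalation.

```python
# Added example: entitlement drift between a baseline snapshot and a current one.
# Rows are constructed stand-ins for entitlement snapshot data, not real AVDF output.
# Each row is (target, grantee, privilege_or_role).
BASELINE = {
    ("HRDB", "APP_USER", "CREATE SESSION"),
    ("HRDB", "APP_USER", "SELECT ON HR.EMPLOYEES"),
    ("HRDB", "REPORT_RO", "CREATE SESSION"),
    ("HRDB", "REPORT_RO", "SELECT ON HR.EMPLOYEES"),
    ("HRDB", "DBA_OPS", "DBA"),
}
CURRENT = {
    ("HRDB", "APP_USER", "CREATE SESSION"),
    ("HRDB", "APP_USER", "SELECT ON HR.EMPLOYEES"),
    ("HRDB", "APP_USER", "DBA"),                 # escalation: powerful role newly granted
    ("HRDB", "REPORT_RO", "CREATE SESSION"),     # SELECT on HR.EMPLOYEES was revoked
    ("HRDB", "DBA_OPS", "DBA"),
    ("HRDB", "TEMP_ADM", "CREATE SESSION"),      # grantee absent from the baseline
    ("HRDB", "TEMP_ADM", "SELECT ANY TABLE"),    # new account holding a system privilege
}

# Assumed list of roles/privileges whose grant is treated as an escalation.
HIGH_RISK = {"DBA", "SELECT ANY TABLE", "GRANT ANY PRIVILEGE", "ALTER SYSTEM"}


def entitlement_drift(baseline, current, high_risk=HIGH_RISK):
    """Return what changed between two snapshots, with escalations singled out."""
    granted = sorted(current - baseline)          # rows present now but not in the baseline
    revoked = sorted(baseline - current)          # rows in the baseline that disappeared
    escalations = [row for row in granted if row[2] in high_risk]
    baseline_grantees = {grantee for _, grantee, _ in baseline}
    new_grantees = sorted({g for _, g, _ in current} - baseline_grantees)
    return {
        "granted": granted,
        "revoked": revoked,
        "escalations": escalations,
        "new_grantees": new_grantees,
    }


if __name__ == "__main__":
    drift = entitlement_drift(BASELINE, CURRENT)
    for kind in ("granted", "revoked", "escalations", "new_grantees"):
        print(f"{kind}:")
        for item in drift[kind]:
            print("  ", item)
```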

Assessment Reports

Summarized risk findings help prioritize and guide immediate action on potential risks associated with your Oracle Database fleet. Assessment reports provide a fleet-wide simplified and centralized view of security configuration assessments for all your Oracle Databases, along with the security findings and associated risks.

You can expand on a risk of interest and analyze it further on the Assessment Report page using interactive reporting. These reports can be made available to the users and auditors responsible for all or a subset of databases so that they can take appropriate action on the risk findings.

You can also define a security baseline and monitor deviations from your baseline security posture. The new Security Assessment Drift Reports help you focus only on newly introduced security configuration changes.

Data Privacy Reports

You can import the sensitive objects in an Oracle database as a file, which could be generated by running the Database Security Assessment Tool (DBSAT) or Enterprise Manager (Application Data Model). Oracle AVDF will use this list to generate predefined reports such as activity on sensitive data, user’s access rights to sensitive data, activity on sensitive data by privileged users, and others.

Stored Procedure and OS Correlation Reports

Stored Procedure Audit Reports can help keep track of the changes made to the stored procedures. Correlation Reports identify events on the database with the original Linux OS user for Oracle Database targets running on Linux. This is useful in cases where this user runs a shell or executes a command on the database as another user by using su or sudo.

Summary and Anomaly Reports

This report group contains Summary Reports, Trend Charts, and Anomaly Reports. These reports can be used to quickly review characteristics of user activity on specific targets or across the enterprise.

Summary Reports focus on statistical occurrence of various types of events generated by individual users or initiated from specific client IP addresses. Trend charts graphically present general event trends and also trends based on specific users, client IPs, and targets.

Anomaly Reports can be used to identify anomalies over time, such as activity from new or previously dormant users and client IP addresses. Activity by new users, or by previously dormant users, can indicate account hijacking.

Compliance Reports

Standard default audit assessment reports are categorized to help meet regulations such as:

  • General Data Protection Regulation (GDPR)
  • Payment Card Industry Data Security Standard (PCI-DSS)
  • Sarbanes-Oxley Act (SOX)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Data Protection Act (DPA)
  • IRS Publication 1075

3.2 Built-in Reports

There are many built-in reports that you can use to monitor your systems with Oracle Audit Vault and Database Firewall.

You can run the built-in report immediately, or you can create a schedule to run the report at a later date. You can specify a list of users who receive notifications of the report, or who need to attest to the report.

While browsing reports online, you can download them in HTML or CSV format. You can also schedule reports and download them in PDF or XLS format, or send them to other users. When you specify report notifications, you can use your own notification templates to send emails to other users with either a link to a report, or an attached PDF version of the report.

You can create customized reports based on the built-in reports and then save the new report formats to view them online. Oracle AVDF provides tools to filter, group, and highlight data, and define columns displayed in the reports.

Table 3-1 Available Types of Built-in Reports in Oracle Audit Vault and Database Firewall (each entry gives the type of report, followed by its description)

Activity

A set of reports that track general database access activities such as audited SQL statements, application access activities, and user login activities. Some typical reports are:

  • Activity Overview: Displays information about all monitored and audited events.

  • Data Modification: Displays the details of audited data modifications for a specified period of time.

  • Data Modification Before-After Values: Displays the details of modified data and lists the values before and after modification.

  • Database Schema: Displays details of audited DDL activity for a specified period of time.

  • Failed Login Events: Displays details of audited failed user logins for a specified period of time.

Alert

Alert reports display the raised alerts and also let you respond online to alerts and notify others about them.

Additionally, the generated alerts are available for analysis in the Alerts tab, where they can be filtered, and details pertaining to the event raising the alert can be viewed.

Assessment

These reports capture security assessment data from Oracle Databases and provide recommendations that help secure your Oracle Database system. They also include drift reports against the baseline.

Stored Procedure Audit

A set of reports that help you keep track of the changes made to the stored procedures, such as stored procedure creation, modification, and deletion. The reports display details of audited stored procedure modifications for a specified period of time.

Compliance

A set of reports that track possible violations that are defined by the following compliance areas:

  • Data Privacy Report (GDPR)
  • Payment Card Industry (PCI)
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Sarbanes-Oxley Act (SOX)
  • Data Protection Act (DPA)
  • IRS Publication 1075

Database Firewall

For database Targets that you are monitoring with the database firewall, this set of reports gives detailed event information about SQL traffic. Much of the information is dependent on the firewall policy you have defined for the database. For example, you can see details of statements that had warnings, or were blocked, according to the policy. You can also see general information about SQL traffic to these databases, for example, statement type such as data definition and data manipulation.

Some example reports are:

  • Database Traffic Analysis by Client IP: Displays audit details for statements by the protected database and client IP address.

  • Database Traffic Analysis by OS User: Displays audit details for statements grouped by protected database and OS user. The name of this report is Monitored Activity by OS User in Oracle AVDF 20.5 and later.

  • Blocked Statements: Displays audit details for blocked statements grouped by protected database and OS user. The name of this report is Blocked Activity in Oracle AVDF 20.5 and later.

User Entitlements

A set of reports that describe user access and privileges for Oracle Database targets, for example:

  • User Accounts: Displays information such as the target in which the user account was created or the user account name, and whether this account is locked or expired.

  • User Privileges: Displays information such as the target in which the privilege was created, user name, and privilege.

  • Object Privileges: Displays information such as the target in which the object was created, users granted the object privilege, and the schema owner.

  • Privileged Users: Displays information such as the target in which the privileged user account was created, user name, and privileges granted to the user.

User Correlation

For Oracle Database targets running on Linux, these reports let you correlate events on the database with the original Linux OS user. This is useful in cases where this user runs a shell or executes a command on the database as another user by using su or sudo.

Database Vault Activity

If your Oracle Database targets have Database Vault enabled, the Database Vault Activity report shows Database Vault events, which capture policy or rule violations, unauthorized access attempts, and other activity.

3.3 Custom Reports

There are two ways of creating custom reports with Oracle Audit Vault and Database Firewall. One way is to interactively customize the built-in reports by filtering data, and then save these interactive views so you can view them again online later.

The second way is to create your own reports by making simple customizations based on built-in report templates, or by using a software package such as Oracle BI Publisher. You can then upload your own custom reports into Oracle AVDF. This second method is discussed below.

For simple changes to the built-in report formats, you can also do some customizations without using a report authoring tool.

Oracle AVDF provides two types of files to help you get started creating custom reports. The first type of file is a report template in RTF format, which you can open in a tool such as Microsoft Word. The template determines the display of the report. For example, you can easily add your own custom logo on the report. The second type of file is a report definition in XML format, which you can open in a text or XML editor. The report definition file specifies the data in the report.

You can download report definition and template files corresponding to any of the built-in reports, and then you can use these files as a starting point for creating your own custom report. Oracle AVDF documentation also provides information on event data collected from different types of targets that will help you create your own reports.

3.4 Alerts and Notifications

In many instances, you want to be notified as soon as certain events happen. Oracle AVDF lets you define rule-based alerts on audit records, whether these records come from the Audit Vault Agent or the Database Firewall. You can also specify notifications for those alerts. For example, you can set up an email to be automatically sent to a user, such as a security officer, or to a distribution list. Alerts can be also forwarded to syslog. This is useful if you want to integrate them with another system.

Because alerts are rule-based, an alert is raised whenever the rule definition is matched. For example, an alert can be defined which states that if user A fails to log in to database B three times, then an alert is raised.

Alert conditions are flexible and can include more than one event, and the events can come from different targets. The alert condition can also be a complex statement based on multiple fields in the collected audit data or SQL network event data. A good way to define an alert condition is to first look at the All Activity Report, which displays details of all captured audit events. From this report you can see possible events that may be of interest to you. Alerts can also be threshold- and time-based. For example, if five login failures occur within a one-minute window, possibly indicating a brute-force attack, then an alert can be raised.
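The threshold-and-time alert rule described above (and the per-user, per-database failed-login rule from the previous paragraph), as an added example of the detection logic; this is not Oracle AVDF's alert-condition syntax or code, and the audit records are constructed stand-ins for collected audit data.

```python
# Added example: sliding-window detection of repeated failed logins per (user, target).
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of collected audit records (not real AVDF data):
# (timestamp, target, user, event, status)
AUDIT_RECORDS = [
    ("2024-03-01T09:00:05", "HRDB", "APP_USER", "LOGON", "FAILURE"),
    ("2024-03-01T09:00:12", "HRDB", "APP_USER", "LOGON", "FAILURE"),
    ("2024-03-01T09:00:15", "HRDB", "SCOTT", "LOGON", "SUCCESS"),
    ("2024-03-01T09:00:20", "HRDB", "APP_USER", "LOGON", "FAILURE"),
    ("2024-03-01T09:00:33", "HRDB", "APP_USER", "LOGON", "FAILURE"),
    ("2024-03-01T09:00:48", "HRDB", "APP_USER", "LOGON", "FAILURE"),  # 5th failure in 43 s
    ("2024-03-01T09:00:55", "HRDB", "APP_USER", "LOGON", "FAILURE"),
    ("2024-03-01T09:01:00", "HRDB", "SCOTT", "LOGON", "FAILURE"),
    ("2024-03-01T09:03:00", "HRDB", "SCOTT", "LOGON", "FAILURE"),    # spread out: 3 in 4 min
    ("2024-03-01T09:05:00", "HRDB", "SCOTT", "LOGON", "FAILURE"),
    ("2024-03-01T09:05:10", "FINDB", "SCOTT", "SELECT", "SUCCESS"),  # not a logon event
]


def failed_login_alerts(records, threshold=5, window_seconds=60):
    """Raise an alert when `threshold` failed LOGONs by the same user against the
    same target fall inside a sliding window of `window_seconds`. The failure
    counter is cleared after an alert, so one burst raises one alert."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (user, target) -> timestamps of failures still in window
    alerts = []
    for ts_str, target, user, event, status in sorted(records):  # ISO timestamps sort lexically
        if event != "LOGON" or status != "FAILURE":
            continue
        key = (user, target)
        ts = datetime.fromisoformat(ts_str)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": user, "target": target, "failures": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat(),
                           "rule": f"{threshold} failed logins within {window_seconds}s"})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in failed_login_alerts(AUDIT_RECORDS):
        print(alert)
```

With the default rule only APP_USER's burst fires; loosening the rule to three failures in ten minutes also catches SCOTT's slower pattern, which is the trade-off a threshold choice makes.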

3.5 Summary

Oracle Audit Vault and Database Firewall consolidates activity audit data from Oracle and non-Oracle databases, operating systems, and directories, and provides security and compliance reports. Through an accurate SQL grammar-based engine, the Database Firewall monitors SQL traffic and blocks unauthorized SQL. With a modern, rich UI and an extensible monitoring platform, Oracle Audit Vault and Database Firewall 20 is your first line of defense with enterprise-level scale, security, and automation.

For more information, refer to the Oracle Audit Vault and Database Firewall documentation or the product data sheet, FAQ, and Technical Report.