Oracle AVDF reports cover a wide range of activities including privileged user activity, changes to database schema, and SQL statements being executed. In addition, reports include information changes in database account management, roles and privileges, object management, and stored procedure changes.
Auditors access reports interactively through a web interface, or through PDF or XLS files. Report columns can be sorted, filtered, re-ordered, added, or removed. PDF and XLS reports can be scheduled to be generated automatically. Reports can also be defined to require signoff by multiple auditors. Users can use Oracle BI Publisher to create new or customize PDF and XLS report templates to meet specific compliance and security requirements. Furthermore, the Audit Vault Server repository schema is documented, enabling integration with third-party reporting solutions.
3.1 Types of Reports
The following are some of the reports available in Oracle AVDF.
Activity reports track general database access activities such as audited SQL statements, application access and user logins. Specialized activity reports cover failed logins, user entitlements, before-after data modifications, changes to application tables, and database schema. For example, if we need to audit each time a user performs DDL SQL statements such as DROP or ALTER, the pre-built Database Schema report can display the data associated with that particular user and individual event details can be viewed.
User Entitlement reports describe the types of access that users have in an Oracle Database, providing information about the users, roles, profiles, and privileges used. These reports are useful for finding duplicate privileges, and simplifying privilege grants. After an entitlement snapshot is generated, you can compare different snapshots to find how the entitlement information has changed over time. This is particularly useful for identifying any drift from an approved database entitlement baseline and can also pinpoint privilege escalations due to possible malicious activities.
Data Privacy Reports
You can import the sensitive objects in an Oracle database as a file, which could be generated by running the Database Security Assessment Tool (DBSAT) or Enterprise Manager (Application Data Model). Oracle AVDF will use this list to generate predefined reports such as activity on sensitive data, user’s access rights to sensitive data, activity on sensitive data by privileged users, and others.
Stored Procedure and OS Correlation Reports
Stored Procedure Audit Reports can help keep track of the changes made to the stored
procedures. Correlation Reports identify events on the database with the original Linux
OS user for Oracle Database targets running on Linux. This is useful in cases where this
user runs a shell or executes a command on the database as another user by using
Summary and Anomaly Reports
The report group contains Summary Reports, Trend Charts, and Anomaly Reports. These reports can be used to quickly review characteristics of user activity on specific targets or across the enterprise.
Summary Reports focus on statistical occurrence of various types of events generated by individual users or initiated from specific client IP addresses. Trend charts graphically present general event trends and also trends based on specific users, client IPs, and targets.
Reports could be used to identify anomalies such as new and dormant user and client IP anomalies over time. Activities by new users, or previously dormant users, can be an indication of account hijacking.
Standard default audit assessment reports are categorized to help meet regulations such as:
- General Data Protection Regulation (GDPR)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Sarbanes-Oxley Act (SOX)
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (GLBA)
- Data Protection Act (DPA)
- IRS Publication 1075
3.2 Built-in Reports
There are many built-in reports that you can use to monitor your systems with Oracle Audit Vault and Database Firewall.
You can run the built-in report immediately, or you can create a schedule to run the report at a later date. You can specify a list of users who receive notifications of the report, or who need to attest to the report.
While browsing reports online, you can download them in HTML or CSV format. You can also schedule reports and download them in PDF or XLS format, or send them to other users. When you specify report notifications, you can use your own notification templates to send emails to other users with either a link to a report, or an attached PDF version of the report.
You can create customized reports based on the built-in reports and then save the new report formats to view them online. Oracle AVDF provides tools to filter, group, and highlight data, and define columns displayed in the reports.
Table 3-1 Available Types of Built-in Reports in Oracle Audit Vault and Database Firewall
|Types of Reports||Description|
A set of reports that track general database access activities such as audited SQL statements, application access activities, and user login activities. Some typical reports are:
lert reports display the raised alerts and also let you respond online to alerts and notify others about them.
Additionally, the generated alerts are available for analysis in the Alerts tab, where they can be filtered, and details pertaining to the event raising the alert can be viewed.
Stored Procedure Audit
A set of reports that help you keep track of the changes made to the stored procedures, such as stored procedure creation, modification, and deletion. The reports display details of audited stored procedure modifications for a specified period of time.
- Data Privacy Report (GDPR)
A set of reports that track possible violations that are defined by the following compliance areas:
Oracle Database Firewall
For database Targets that you are monitoring with the database firewall, this set of reports gives detailed event information about SQL traffic. Much of the information is dependent on the firewall policy you have defined for the database. For example, you can see details of statements that had warnings, or were blocked, according to the policy. You can also see general information about SQL traffic to these databases, for example, statement type such as data definition and data manipulation.
Some example reports are:
A set of reports that describe user access and privileges for Oracle Database targets, for example:
For Oracle Database targets running on Linux, these
reports let you correlate events on the database with the original
Linux OS user. This is useful in cases where this user runs a shell
or executes a command on the database as another user by using
Database Vault Activity
If your Oracle Database targets have Database Vault enabled, the Database Vault Activity report shows Database Vault events, which capture policy or rule violations, unauthorized access attempts, and other activity.
3.3 Custom Reports
There are two ways of creating custom reports with Oracle Audit Vault and Database Firewall. One way is to interactively customize the built-in reports by filtering data, and then save these interactive views so you can view them again online later.
The second way is to create your own reports by making simple customizations based on built-in report templates, or by using a software package such as Oracle BI Publisher. You can then upload your own custom reports into Oracle AVDF. This second method is discussed below.
For simple changes to the built-in report formats, you can also do some customizations without using a report authoring tool.
Oracle AVDF provides two types of files to help you get started creating custom reports. The first type of file is a report template in RTF format, which you can open in a tool such as Microsoft Word. The template determines the display of the report. For example, you can easily add your own custom logo on the report. The second type of file is a report definition in XML format, which you can open in a text or XML editor. The report definition file specifies the data in the report.
You can download report definition and template files corresponding to any of the built-in reports, and then you can use these files as a starting point for creating your own custom report. Oracle AVDF documentation also provides information on event data collected from different types of targets that will help you create your own reports.
3.4 Alerts and Notifications
In many instances, you want to be notified as soon as certain events happen. Oracle AVDF lets you define rule-based alerts on audit records, whether these records come from the Audit Vault Agent or the Database Firewall. You can also specify notifications for those alerts. For example, you can set up an email to be automatically sent to a user, such as a security officer, or to a distribution list. Alerts can be also forwarded to syslog. This is useful if you want to integrate them with another system.
Because alerts are rule-based, if the rule definition is matched, then an alert is raised. For example, an alert can be defined which states that if user A fails to log in to database B after three tries, then an alert is raised.
Alert conditions are flexible and can include more than one event, and the events can come from different targets. The alert condition can also be a complex statement based on multiple fields in the collected audit data or SQL network event data. A good way to define an alert condition is to first look at the All Activity Report, which displays details of all captured audit events. From this report you can see possible events that may be of interest to you. Alerts can be threshold and time based as well. For example, if five login failures occur within one minute window, possibly indicating a brute force attack, then an alert can be raised.
Oracle Audit Vault and Database Firewall consolidates activity audit data from Oracle and non-Oracle databases, operating systems, and directories, and provides security and compliance reports. Through an accurate SQL grammar-based engine, the Database Firewall monitors SQL traffic and blocks unauthorized SQL. Now with modern and rich UI, and extensible monitoring platform, Oracle Audit Vault and Database Firewall 20 is your first line of defense with enterprise-level scale, security, and automation.
For more information, refer to the Oracle Audit Vault and Database Firewall documentation or the product data sheet, FAQ, and Technical Report.