Post on 09-Jan-2016
7/17/2019 11g Audit Vault
S317045 Real-World Deployment and Best Practices with Oracle Audit Vault
Tammy Bednar, Sr. Principal Product Manager, Oracle
Mike McClure, Sr. Database Administrator, Amazon
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Program Agenda
- Why Audit?
- Oracle Audit Vault Reports
- Implementing Audit Vault at Amazon
- Best Practices
- Q&A
Why Audit?
- It's all about protecting sensitive data, maintaining customer trust, and protecting the business
- Trust-but-verify that your employees are only performing operations required by the business
- Detective controls to monitor what is really going on
- Reduce the curiosity seekers from looking at data
- Compliance demands that privileged users be monitored
- Know what is going on before others tell you
Oracle Audit Vault
Automated Activity Monitoring & Audit Reporting
- Consolidate audit data into secure repository
- Detect and alert on suspicious activities
- Out-of-the-box compliance reporting
- Centralized audit policy management
[Diagram labels: CRM Data, ERP Data, Databases, HR Data; Audit Data; Policies; Built-in Reports; Alerts; Custom Reports; Auditor]
Audit Vault Reports
Any of the Audit Vault reports can be scheduled to run automatically and archived in the Audit Vault repository for viewing, printing, emailing, and attestation
Oracle Audit Vault
Database Audit Support
RDBMS Versions | Audit Locations
Oracle Database: Oracle Database 9iR2, Oracle Database 10g, Oracle Database 11g
- Audit tables for standard and fine-grained auditing
- Oracle audit trail from OS files written in XML, text file, or SYSLOG
- Before set specific audit event
- Windows event audit - specific events viewed by Windows event viewer
- C2 - automatically sets all auditable events
IBM DB2 8.2, 9.1 & 9.5 on Linux, Unix, Windows
- Binary OS files written by the audit facility
Sybase ASE 12.5.4 - 15.0.x
- Sybsecurity database tables
Oracle Audit Vault
Features by Release
Feature 10 103 103
- Oracle Database Support
- SQL Server, IBM DB2 LUW, Sybase ASE
- Out-of-the-Box Reports
- Open Schema
- Alerts
- Policy Manager for Oracle
- Audit Trail Clean-Up
- Compliance reports (PCI, HIPAA, ...)
- Entitlement reports (users, privileges)
- Reports (PDF, Customization)
- Reports (Scheduling, Attestation, Notification)
- Alerts Email and Remedy Integration
- ArcSight & Q1 Labs Integration
Audit Vault at Amazon
Michael McClure
Database Administrator
Global Financial Systems
Amazon.com
Oracle Audit Vault
Catching the Big Bad Wolf
To Be, or Not To Be?
That is the Question.
Why Audit Vault?
- Reduce Cost
Auditing Challenges
- We have lots of different RDBMS systems. They all audit differently.
- Policies - who do you trust?
Oracle Audit Vault Architecture
Concerns
1. Performance / Impact
2. Resource utilization
3. Scalability
4. Fault Tolerance / BCP / DR
Generation
1. audit_trail = db*
2. audit_trail = xml*
3. redo
Collection
1. DBAUD Collector
2. OSAUD Collector
3. REDO Collector
We liked the OSAUD collector from the XML audit trail
Which did we choose?
A Closer look at XML Audit Trail Generation and Collection
Audit Vault Low Impact Fault Tolerant Architecture
AV Server & Dataguard w/ FSFO
1) Using the OUI, install the AV Server application on two different machines using the same SID.
2) Choose one machine to be your primary machine and validate that AV works by logging into the web app.
3) Turn off Database Vault
4) Force Logging in your primary database
5) Modify init.ora parms and listener.ora for Dataguard and AV compatibility
6) Other cleanup of standardized AV install
7) Delete the database on your chosen standby server
8) Instantiate a DG standby on your standby server
9) Create and enable FSFO configuration
Disabling Database Vault
1. Shutdown the database
2. Recompile the oracle executable with Database Vault off:
    cd $ORACLE_HOME/rdbms/lib
    make -f ins_rdbms.mk dv_off
    cd $ORACLE_HOME/bin
    relink oracle
3. Startup the database
4. Grant the following:
    grant create user, alter user to avsys;
Force logging for Dataguard
1. Force logging at the database level:
    SQL> alter database force logging;
2. Force logging for each tablespace:
    SQL> select 'alter tablespace '||tablespace_name||' force logging;' from dba_tablespaces where contents = 'PERMANENT';
   Cut/paste output into your sqlplus window
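A check to run after the two force-logging steps, added here as an example and not taken from the original slides: it confirms the database-level setting, lists any permanent tablespace the generated statements missed, and flags datafiles that already carry unlogged changes. It assumes a SQL*Plus session on the AV primary with read access to the V$ and DBA_ views.

```sql
-- Added example, not from the original deck.

-- 1. Database level: FORCE_LOGGING should be YES and LOG_MODE should be
--    ARCHIVELOG before the standby is instantiated.
select name, log_mode, force_logging, database_role
  from v$database;

-- 2. Tablespace level: any row returned is a permanent tablespace that is
--    still not in force logging mode.
select tablespace_name, logging, force_logging
  from dba_tablespaces
 where contents = 'PERMANENT'
   and force_logging <> 'YES';

-- 3. Tables created NOLOGGING: force logging overrides the attribute, but the
--    list shows which objects depend on that override staying in place.
select owner, table_name
  from dba_tables
 where logging = 'NO'
   and temporary = 'N'
 order by owner, table_name;

-- 4. Datafiles with unlogged changes made before force logging was enabled.
--    A backup taken after UNRECOVERABLE_TIME is needed for these files
--    before the standby is restored from it.
select file#, unrecoverable_change#, unrecoverable_time
  from v$datafile
 where unrecoverable_change# > 0;
```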
Init.ora and listener.ora parms for DG/AV compatibility
Init.ora
    dispatchers='(DISPATCHERS=)(PROTOCOL=TCP)(SERVICE=ORACLE_SIDXDB)(LISTENER=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=)(PORT=1521))))'
Listener.ora
    LISTENER =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
          (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 1521))
        )
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(HOST = )(PORT = 5707))(Presentation=HTTP)(Session=RAW)
        )
      )
    SID_LIST_LISTENER =
      (SID_LIST =
        (SID_DESC =
          (SID_NAME = PLSExtProc)
          (ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/av_server)
          (PROGRAM = extproc)
        )
        (SID_DESC =
          (SID_NAME = )(ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/av_server)(global_dbname = )
        )
      )
General database cleanup
1. Move datafiles, controlfile, online redo to better locations
2. Multiplex online redo and controlfiles across controllers
3. Increase the number of redolog groups
4. Appropriately size your SGA for your server
5. Setup log_archive_dest_1 to use something other than the AV install default
6. Setup log_archive_dest_2 to point to your standby database server
7. Setup log_archive_config, db_unique_name, fal_* entries and local_listener to use your database listeners in preparation for implementing Dataguard.
8. Move the flashback directory from the default of $ORACLE_BASE
9. Decide whether or not you want autoextensible data files
10. Set whatever other init.ora parameters you like at your organization
11. Install backups / crontab / scripts / monitors to your company standard
Setting up the DG Standby and FSFO
1. Validate that Audit Vault works on the standby AV Server by logging into the application and looking around
2. Shutdown the Audit Vault server application
3. Delete the database from the standby machine
4. Bring over the init.ora and listener.ora modifications in Slide #15 to the standby, but change the machine name to that of the standby server.
5. Bring over the password file from the primary.
6. Restore a backup of your AV primary to your standby server and create a standby controlfile for it.
7. startup managed recovery
8. Implement FSFO
9. Validate that FSFO is working and the AV Web Application is working
10. Turn Database Vault back on
11. Troubleshoot in-house scripts that break as a result of Database Vault being turned back on
Other Dataguard FSFO Considerations
1. If you use an XML audit trail, you may want to move your audit directories to faster file systems
2. If you use a DB audit trail, you'll want to move your aud$ and fga_log$ tables to a non-system tablespace.
3. If you customize your sqlnet.ora NAMES.DEFAULT_DOMAIN, you're going to have to manually modify every entry in the Audit Vault tnsnames.ora to include the value. You'll also have to modify the tns configuration on the collector machines (whether they be source db servers or collector machines) similar to slide #12.
Definitions and Context
Source - The database you are getting your audit data from. Regardless of how many nodes there are in your dataguard config, there is only 1 source.
Agent - Tied to a single server, an Agent connects to the Audit Vault Server to insert the audit trail data into the database. It manages the collectors.
Collector - The RDBMS specific process that knows how to get audit data from the source database. There are collectors that talk to Oracle, MS SQL, DB2, and Sybase. Multiple collectors can use the same agent to deposit all audit data into the same Audit Vault repository.
A collector is tied to a source - it collects from that source. In an Audit Vault, the combination of Source and Collector is unique.
Setting up remote XML collection
1. Get local collection working on the source database server following the Audit Vault documentation.
2. Using avca on the AV Server, add a new agent mapped to the primary collector server(s).
3. Run the OUI to install the Audit Vault Agent software on each primary remote collector providing the new agent created in Step #2 to the installation dialog.
4. Using avorcldb on the AV Server, add a new source using the flip-tolerant host name.
5. Using avorcldb on the AV Server, add new collectors for the source created in #4 tied to the agents created in #3.
6. Using avorcldb on the remote collector server, run setup to create the wallet and tnsnames entries for passwordless connection from the primary remote collector to the source db.
7. Modify the source db tnsnames.ora entry created in #7 to change the source db entry from the flip-tolerant host name to the node specific host name.
8. If audit_trail = xml*, create identical audit trail directories on the remote collector.
9. If doing XML generation, sync the audit trail directories created in Step #6 between the source db server and the remote collector, and create job to sync them regularly.
10. Stop the collectors created in Step #1, and startup the newly modified collector and validate that it is collecting the sync'd files.
New Agent Mapping
Source Collector Map
Conclusion
- In a world of compliance auditing, life can be easy or it can be hard
- Audit data is just as important as production data and should be treated as such
- In some ways, the stakes are higher: If we mess up, market cap plummets, companies fail and people go to jail.
- How Big a Gambler are YOU?
Oracle Audit Vault with Dataguard
Best Practices
What Do You Need To Audit?
Database Audit Requirements | SOX | PCI DSS | HIPAA/HITECH | Basel II | FISMA | GLBA
Accounts, Roles & GRANT changes: ✓ ✓ ✓ ✓ ✓ ✓
Failed Logins and other Exceptions: ✓ ✓ ✓ ✓ ✓ ✓
Privileged User Activity: ✓ ✓ ✓ ✓ ✓ ✓
Access to Sensitive Data (SELECTs): ✓ ✓ ✓ ✓ ✓
Data Changes (INSERT, UPDATE, ...): ✓ ✓
Schema Changes (DROP, ALTER): ✓ ✓ ✓ ✓ ✓ ✓
Native Auditing Performance Guidelines
- Original workload CPU 50% or 50 audit records/sec
Audit Trail Setting | Additional Throughput Time | Additional CPU Usage
OS | 1.39 | 1.75
XML | 1.70 | 3.51
XML, Extended | 3.70 | 5.36
DB | 4.57 | 8.77
DB, Extended | 14.09 | 15.79
*Internal testing. Source: 4x 3.40 GHz Intel Xeons, 4 GB RAM, x86_64 Linux, Oracle Database 11.2.0.1
Oracle Confidential
Use Automatic Audit Trail Clean-Up
- Automatically deletes audit trails from target after they are securely inserted into Audit Vault
- Reduces DBA manageability challenges with audit trails
[Diagram: Database]
1) Transfer audit trail data
2) Update last inserted record
3) Delete older audit records
Oracle Database Security Defense-in-Depth
Access Control
- Oracle Database Vault
- Oracle Label Security
Encryption and Masking
- Oracle Advanced Security
- Oracle Secure Backup
- Oracle Data Masking
Auditing and Tracking
- Oracle Audit Vault
- Oracle Configuration Management
- Oracle Total Recall
Blocking and Monitoring
- Oracle Database Firewall
More Oracle Database Security Presentations
Monday:
- 1:30 p.m.: Making a Business Case for Information Security, MS 300
- 3:30 p.m.: Oracle Database 11g Release 2 Security: Defense-in-Depth, MS 103
Tuesday:
- 1:30 p.m.: Real-World Deployment and Best Practices: Oracle Audit Vault, MS 306
- 2:00 p.m.: Real-World Deployment and Best Practices: Oracle Advanced Security, MS 300
- 2:00 p.m.: Best Practices for Ensuring the Highest Enterprise Database Security, MS 304
- 3:30 p.m.: Database Security Event Management: Oracle Audit Vault and ArcSight, MS 300
- 5:00 p.m.: Real-World Deployment and Best Practices: Oracle Database Vault, MS 303
Wednesday:
- 10:00 a.m.: Protect Data and Save Money: Aberdeen, MS 306
- 11:30 a.m.: Preventing Database Attacks With Oracle Database Firewall, MS 306
- 4:45 p.m.: Centralized Key Management and Performance: Oracle Advanced Security, MS 306
Thursday:
- 10:30 a.m.: Deploying Oracle Database 11g Securely on Oracle Solaris, MS 104
MS: Moscone South
Oracle Database Security Hands-on-Labs
Monday:
- Database Vault 11:00 AM | Marriott Marquis, Salon 10 11
- Database Vault 5:00 PM | Marriott Marquis, Salon 10 11
Tuesday:
- Database Security 11:00 AM | Marriott Marquis, Salon 10 11
Thursday:
- Advanced Security 1:00 PM | Marriott Marquis, Salon 10 11
- Audit Vault 1:30 PM | Marriott Marquis, Salon 10 11
Oracle Database Security Demo Grounds
Moscone West
- Oracle Database Firewall
- Oracle Database Vault
- Oracle Label Security
- Oracle Audit Vault
- Oracle Advanced Security
- Oracle Database 11g Release 2 Security
Exhibition Hours
- Monday, September 20: 9:45 a.m. - 5:30 p.m.
- Tuesday, September 21: 9:45 a.m. - 5:30 p.m.
- Wednesday, September 22: 9:00 a.m. - 4:00 p.m.
Oracle OpenWorld Latin America 2010
December 7-9, 2010
Oracle OpenWorld Beijing 2010
December 13-16, 2010
Oracle Products Available Online
Oracle Store
Buy Oracle license and support online today at oracle.com/store