Download Slide 1

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
Document related concepts

Microsoft Access wikipedia , lookup

SQL wikipedia , lookup

Entity–attribute–value model wikipedia , lookup

Extensible Storage Engine wikipedia , lookup

IMDb wikipedia , lookup

Microsoft SQL Server wikipedia , lookup

Open Database Connectivity wikipedia , lookup

Microsoft Jet Database Engine wikipedia , lookup

Concurrency control wikipedia , lookup

Relational model wikipedia , lookup

Database wikipedia , lookup

PL/SQL wikipedia , lookup

Database model wikipedia , lookup

Clusterpoint wikipedia , lookup

ContactPoint wikipedia , lookup

Oracle Database wikipedia , lookup

Transcript 
1
<Insert Picture Here>
S317045
Real-World Deployment and Best Practices with Oracle Audit Vault
Tammy Bednar, Sr. Principal Product Manager, Oracle
Mike McClure , Sr. Database Administrator, Amazon
The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle’s
products remains at the sole discretion of Oracle.
3
Program Agenda
•
•
•
•
•
Why Audit?
Oracle Audit Vault Reports
Implementing Audit Vault at Amazon
Best Practices
Q&A
<Insert Picture Here>
4
Why Audit?
• Its all about protecting sensitive data, maintaining
customer trust, and protecting the business
• Trust-but-verify that your employees are only
performing operations required by the business
– Detective controls to monitor what is really going
on
– Reduce the curiosity seekers from looking at data
– Compliance demands that privileged users be
monitored
• Know what is going on before others tell you
5
Oracle Audit Vault
Automated Activity Monitoring & Audit Reporting
!
HR Data
CRM Data
ERP Data
Audit
Data
Databases
Alerts
Built-in
Reports
Custom
Reports
Policies
Auditor
• Consolidate audit data into secure repository
• Detect and alert on suspicious activities
• Out-of-the box compliance reporting
• Centralized audit policy management
6
Audit Vault Reports
7
8
8
9
9
Any of the Audit Vault
reports can be
scheduled to run
automatically and
archived in the Audit
Vault repository for
viewing, printing,
emailing, and
attestation
10
10
Oracle Audit Vault
Database Audit Support
RDBMS
Versions
Audit Locations
Oracle Database
Oracle Database 9iR2,
Oracle Database 10g,
Oracle Database 11g
•Audit Tables for standard and fine-grained
auditing
•Oracle audit trail from OS files written in
XML, text file, or SYSLOG
•Before/after values and DDL changes from
redo log
•Database Vault specific audit records
Microsoft SQL
Server
2000, 2005, 2008
•Server side trace – set specific audit event
•Windows event audit – specific events
viewed by windows event viewer
•C2 - automatically sets all auditable events
IBM DB2
8.2, 9.1 & 9.5 on Linux,
Unix, Windows
•Binary OS files written by the audit facility
Sybase ASE
12.5.4 - 15.0.x
•Sybsecurity database tables
11
11
Oracle Audit Vault
Features by Release
Feature
10.2.2
10.2.3
10.2.3.2
Oracle Database Support
SQL Server, IBM DB2 LUW, Sybase ASE
Out-of-the-Box Reports
Open Schema
Alerts
Policy Manager for Oracle
Audit Trail Clean-Up
Compliance reports (PCI, HIPAA, …..)
Entitlement reports (users, privileges…..)
Reports (PDF, Customization)
Reports (Scheduling, Attestation, Notification)
Alerts Email and Remedy Integration
ArcSight & Q1 Labs Integration
12
Audit Vault at
Amazon
13
Michael Mcclure
Database Administrator
Global Financial
Systems
Amazon.com
14
Oracle Audit Vault
Catching the Big Bad Wolf
15
To Be, or Not To Be…?
That is the Question….
16
Why Audit Vault?
• Reduce Cost/Increase efficiency related to S-Ox,
HIPPA, PCI/DSS+ and other compliance reporting
• Cross Database compatibility
• Separation of Duties
• More efficient audit policy management
• Catch the Big Bad Wolf
17
Auditing Challenges
• We have lots of different RDBMS systems; They all
audit differently
• Policies/mechanisms for auditing are different across
the organization
• “Dealing with” our audit data
• Watching the watchers – who do you trust?
18
Oracle Audit Vault Architecture
19
Concerns
1.
2.
3.
4.
Performance / Impact
Resource utilization
Scalability
Fault Tolerance / BCP / DR
20
Generation
1.
audit_trail = db*
2.
audit_trail = xml*
3.
redo
Collection
1.
2.
3.
DBAUD Collector Collection
OSAUD Collector
REDO Collector
21
Which did we choose?
We liked the OSAUD collector from the XML audit
trail
22
A Closer look at XML Audit Trail
Generation and Collection
23
Audit Vault Low Impact / Fault Tolerant
Architecture
24
AV Server & Dataguard w/FSFO
1) Using the OUI, install the AV Server application on two
different machines using the same SID.
2) Choose one machine to be your primary machine and
validate that AV works by logging into the web app.
3) Turn off Database Vault
4) Force Logging in your primary database
5) Modify init.ora parms and listener.ora for Dataguard and AV
compatibility
6) Other cleanup of standardized AV install
7) Delete the database on your chosen standby server
8) Instantiate a DG standby on your standby server
9) Create and enable FSFO configuration
25
Disabling Database Vault
1. Shutdown the database
2. Recompile the oracle executable with
Database Vault off:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk dv_off
cd $ORACLE_HOME/bin
relink oracle
3. Startup the database
4. Grant the following:
grant create user, alter user to avsys;
26
Force logging for Dataguard
1. Force logging at the database level:
SQL> alter database force logging;
2. Force logging for each tablespace:
SQL> select 'alter tablespace '||
tablespace_name || ' force logging;' from
dba_tablespaces where contents =
'PERMANENT';
Cut/paste output into your sqlplus
window.
27
Init.ora and listener.ora parms for
DG/AV compatibility
Init.ora
1. dispatchers='(DISPATCHERS=2)(PROTOCOL=TCP)(SERVICE=${ORACLE_SID}XDB)(LISTENER=(DESCRIPTION=(ADDRE
SS=(PROTOCOL=tcp)(HOST=<YOUR HOST NAME>)(PORT=1521))))‘
Listener.ora
1.
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
(ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME>) (PORT = 1521))
)
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = <YOUR HOST NAME> )(PORT = 5707))
(Presentation=HTTP)(Session=RAW)
)
)
2.
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(SID_NAME = PLSExtProc)
(ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
(PROGRAM = extproc)
)
(SID_DESC =
(SID_NAME = <YOUR DBNAME>)
(ORACLE_HOME = /opt/app/oracle/product/10.2.3.1/avserver)
(global_dbname = <sid>.<domain> )
)
)
28
General database cleanup
1. Move datafiles, controlfile, online redo to better locations
2. Multiplex online redo and controlfiles across controllers
3. Increase the number of redolog groups
4. Appropriately size your SGA for your server
5. Setup log_archive_dest_1 to use something other than the AV install default
6. Setup log_archive_dest_2 to point to your standby database server
7. Setup log_archive_config, db_unique_name, fal_* entries and local_listener to use
your database listeners in preparation for implenting Dataguard.
8. Move the flashback directory from the default of
$ORACLE_BASE/flash_recovery_area to a better location and clean up the
archivelogs backed up via rman to the old flash_recovery_area directory
9. Decide whether or not you want auto-extensible data files
10.Set whatever other init.ora parameters you like at your organization
11.Install backups / crontab / scripts / monitors to your company standard
29
Setting up the DG Standby and FSFO
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
Validate that Audit Vault works on the standby AV Server by logging into the
application and “looking around”
Shutdown the Audit Vault server application
Delete the database from the standby machine
Bring over the init.ora and listener.ora modifications in Slide #15 to the
standby, but change the machine name to that of the standby server.
Bring over the password file from the primary.
Restore a backup of your AV primary to your standby server and create a
standby controlfile for it.
startup managed recovery
Implement FSFO
Validate that FSFO is working and the AV Web Application is working
Turn Database Vault back on
Troubleshoot in-house scripts that break as a result of Database Vault being
turned back on
30
Other Dataguard / FSFO
Considerations
1. If you use an XML audit trail, you may want to move
your audit directories to faster files systems
2. If you use a DB audit trail, you’ll want to move your
aud$ and fga_log$ tables to a non-system
tablespace.
3. If you customize your sqlnet.ora
NAMES.DEFAULT_DOMAIN, you’re going to have
to manually modify every entry in the Audit Vault
tnsnames.ora to include the value. You’ll also have
to modify the tns configuration on the collector
machines (whether they be source db servers or
collector machines similar to slide #12).
31
Definitions and Context
• Source – The database you are getting your audit data from.
Regardless of how many nodes there are in your dataguard config,
there is only 1 source.
• Agent – Tied to a single server, an Agent connects to the Audit
Vault Server to insert the audit trail data into the database. It
“manages” the collectors.
• Collector – The RDBMS specific process that knows how to get
audit data from the source database. There are collectors that talk
to Oracle, MS Sql, DB2, and Sybase. Multiple collectors can use
the same agent to deposit all audit data into the same Audit Vault
repository.
• A collector is tied to a source; it “collects” from that source.
• In an Audit Vault, the combination of Source and Collector is
unique.
32
Setting up remote XML collection
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Get local collection working on the source database server following the Audit Vault
documentation.
Using avca on the AV Server, add a new agent mapped to the primary collector server(s).
Run the OUI to install the Audit Vault Agent software on each primary remote collector
providing the new agent created in Step #2 to the installation dialog.
Using avorcldb on the AV Server, add a new source using the “flip-tolerant” host name.
Using avorcldb on the AV Server, add new collectors for the source created in #4 tied to the
agents created in #3.
Using avorcldb on the remote collector server, run setup to create the wallet and tnsnames
entries for passwordless connection from the primary remote collector to the source db.
Modify the source db tnsnames.ora entry created in #7 to change the source db entry from
the “flip-tolerant” host name to the node specific host name.
If audit_trail = xml*, create identical audit trail directories on the remote collector.
If doing XML generation, sync the audit trail directories created in Step #6 between the
source db server and the remote collector, and create job to sync them regularly.
Stop the collectors created in Step #1, and startup the newly modified collector and validate
that it is collecting the sync’d files.
33
New Agent Mapping
34
Source Collector Map
35
Conclusion
• In a world of compliance auditing, life can be easy or it
can be hard
• Audit data is just as important as production data and
should be treated as such
• In some ways, the stakes are higher: If we mess up,
market cap plummets, companies fail and people go to
jail.
• How Big a Gambler are YOU?
• Oracle Audit Vault with Dataguard/FSFO and remote
collection is a high performance, low impact, highly
available solution that makes compliance reporting
easy.
36
Best Practices
37
What Do You Need To Audit?
Database
Audit Requirements
SOX
PCI
DSS
HIPAA/
HITECH
Basel II
FISMA
GLBA
Accounts, Roles & GRANT changes
●
●
●
●
●
●
Failed Logins and other Exceptions
●
●
●
●
●
●
Privileged User Activity
●
●
●
●
●
●
●
●
●
●
●
●
●
Access to Sensitive Data (SELECTs…)
Data Changes (INSERT, UPDATE, …)
●
Schema Changes (DROP, ALTER…)
●
●
●
●
38
●
38
Native Auditing
Performance Guidelines
• Original workload CPU 50% for 250 audit
records/sec
Audit Trail
Setting
Additional
Throughput Time
Additional CPU Usage
OS
1.39%
1.75%
XML
1.70%
3.51%
XML, Extended
3.70%
5.36%
DB
4.57%
8.77%
DB, Extended
14.09%
15.79%
*Internal testing: Source: 4x 3.40 GHz Intel Xeons , 4 GB RAM, x86_64 Linux Oracle Database 11.2.0.1
Oracle Confidential
39
39
Use Automatic Audit Trail Clean-Up
• Automatically deletes audit trails from target after they
are securely inserted into Audit Vault
• Reduces DBA manageability challenges with audit trails
Database
1) Transfer audit trail data
3) Delete older
audit records
Oracle Confidential
2) Update last inserted record
40
40
Oracle Database Security
Defense-in-Depth
Encryption and Masking
• Oracle Advanced Security
• Oracle Secure Backup
• Oracle Data Masking
Access Control
• Oracle Database Vault
• Oracle Label Security
Auditing and Tracking
• Oracle Audit Vault
• Oracle Configuration Management
• Oracle Total Recall
Blocking and Monitoring
• Oracle Database Firewall
41
More Oracle Database Security Presentations
• Monday:
– 12:30 pm: Making a Business Case for Information Security
– 3:30 pm: Oracle Database 11g Release 2 Security: Defense-in-Depth
MS 300
MS 103
• Tuesday:
–
–
–
–
–
12:30 pm: Real-World Deployment and Best Practices : Oracle Audit Vault
2:00 pm: Real-World Deployment and Best Practices : Oracle Advanced Security
2:00 pm: Best Practices for Ensuring the Highest Enterprise Database Security
3:30 pm: Database Security Event Management : Oracle Audit Vault and ArcSight
5:00 pm: Real-World Deployment and Best Practices :Oracle Database Vault
MS 306
MS 300
MS 304
MS 300
MS 303
• Wednesday:
– 10:00 am: Protect Data and Save Money: Aberdeen
– 11:30 am: Preventing Database Attacks With Oracle Database Firewall
– 4:45 pm: Centralized Key Management and Performance :Oracle Advanced Security
MS 306
MS 306
MS 306
• Thursday:
– 10:30 am: Deploying Oracle Database 11g Securely on Oracle Solaris
MS 104
MS = Moscone South
42
Oracle Database Security Hands-on-Labs
• Monday:
– Database Vault 11:00AM | Marriott Marquis, Salon 10 / 11
– Database Vault 5:00PM | Marriott Marquis, Salon 10 / 11
Check Availability
Check Availability
• Tuesday:
– Database Security 11:00AM | Marriott Marquis, Salon 10 / 11
Check Availability
• Thursday
– Advanced Security 12:00PM | Marriott Marquis, Salon 10 / 11
– Audit Vault 1:30PM | Marriott Marquis, Salon 10 / 11
Check Availability
Check Availability
43
Oracle Database Security Demo Grounds
Moscone West
•
•
•
•
•
•
Oracle Database Firewall
Oracle Database Vault
Oracle Label Security
Oracle Audit Vault
Oracle Advanced Security
Oracle Database 11g Release2 Security
Exhibition Hours
Monday, September 20
9:45 a.m. - 5:30 p.m.
Tuesday, September 21
9:45 a.m. - 5:30 p.m.
Wednesday, September 22
9:00 a.m. - 4:00 p.m.
44
Oracle OpenWorld
Latin America 2010
December 7–9, 2010
45
Oracle OpenWorld
Beijing 2010
December 13–16, 2010
46
Oracle Products Available Online
Oracle Store
Buy Oracle license and support
online today at
oracle.com/store
47
Related documents
Big Data Gives Artificial Intelligence Something to Think About
Big Data Gives Artificial Intelligence Something to Think About
Slide 1
Slide 1
Lesson 7 Marketing Audit
Lesson 7 Marketing Audit
Slide 1
Slide 1
Exam preparation session
Exam preparation session
Auditor Senior IT Ad 4 3 2017
Auditor Senior IT Ad 4 3 2017
JO US! IN
JO US! IN
A guide for developing a marketing plan
A guide for developing a marketing plan
Database Administrator
Database Administrator
Info
Info
post conditional offer contingencies
post conditional offer contingencies
Blue Lines and Gradients
Blue Lines and Gradients
Slide 1
Slide 1