Integrigy Database Log and Audit Framework with the Oracle Audit Vault
Most clients do not fully take advantage of their database auditing and logging features. These features are sophisticated and are able to satisfy most organization’s compliance and security requirements.
The Integrigy Framework for database logging and auditing is a direct result of Integrigy’s consulting experience and will be equally useful to both those wanting to improve their capabilities as well as those just starting to implement logging and auditing. Our goal is to provide a clear explanation of the native auditing and logging features available, present an approach and strategy for using these features and a straight-forward configuration steps to implement the approach.
Integrigy’s Framework is also specifically designed to help clients meet compliance and security standards such as Sarbanes-Oxley (SOX), Payment Card Industry (PCI), FISMA, and HIPAA. The foundation of the Framework is PCI DSS requirement 10.2.
Integrigy’s Log and Audit Framework can be easily implemented using the Oracle Audit Vault. The high-level summary is a follows –
Level 1
Enable database auditing as directed by the Integrigy Framework Level 1 requirements.
Level 2
- Install the Oracle Audit Vault. If already installed, it is highly recommended to perform a health check as described in Audit Vault Server Configuration Report and Health Check Script (Doc ID 1360138.1).
- Configure Oracle database to use Syslog per Integrigy Framework Level 2 requirements. Set the database initialization parameter AUDIT_TRAIL parameter to equal ‘OS’ and AUDIT_FILE_DEST parameter to desired file in the directory specification. Last set the initialization parameter AUDIT_SYSLOG_LEVEL to ‘LOCAL1.WARNING’ to generate Syslog formatted log files.
- Install and activate the Oracle Audit Vault collector agent OSAUD for operating system files. Collect Syslog formatted logs located by the AUDIT_FILE_DEST parameter.
Level 3
Protect application log and audit tables by creating standard database audit policies and adding these new policies the Audit Vault Collectors. Create database alerts based on correlations between standard database events and application audit logs.
Oracle E-Business Suite Example
To use the Oracle Audit Vault with the Oracle E-Business Suite, no additional patches required either for the E-Business Suite or the Oracle database. This is because the Oracle Audit Vault uses only standard Oracle database functionality.
There are two steps for Level 3. The first is to protect the Oracle E-Business Suite audit tables, the second is to build alerts and reports that correlate application and database log information. To protect the E-Business Log and Audit tables, enable standard auditing on them. The second step is to define the Audit Vault alerts and reports.
Below is an example of event E12 - Protect Application Audit Data
The sign-on audit tables log user logon and navigation activity for the professional forms user interface. This data needs to be protected.
Steps
- Enable Standard Auditing
- Create Audit Vault Alert
- Forward to Alert to Syslog (This feature is available as of Oracle AVDF version 12.1.2)
To enable standard auditing:
AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGINS BY ACCESS;
AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGIN_RESPONSIBILITIES BY ACCESS;
AUDIT UPDATE, DELETE ON APPLSYS.FND_LOGIN_RESP_FORMS BY ACCESS;
AUDIT UPDATE, DELETE ON APPLSYS.FND_UNSUCCESSFUL_LOGINS BY ACCESS;
To create an alert in Audit Vault:
Audit Vault -> Auditor -> Policy -> Alerts -> Create Alert
Name: E12 - Modify audit and logging
Condition:
:TARGET_OWNER='APPLSYS' AND :EVENT_NAME in ('UPDATE','DELETE') AND :TARGET_OBJECT in ('FND_LOGINS','FND_LOGIN_RESPONSIBILITIES','FND_LOGIN_RESP_FORMS','FND_UNSUCCESSFUL_LOGINS')
Example:
If you have questions, please contact us at mailto:info@integrigy.com
Reference
- Integrigy Guide to Oracle Audit Vault Integrigy Guide to Oracle Audit Vault
- Presentation “Developing Value with Oracle Audit Vault Developing Value with Oracle Audit Vault