SANS Institute Product Review:
Oracle Audit Vault
March 2012
A SANS Whitepaper
Written by: Tanya Baccam
Contents: Product Review: Oracle Audit Vault; Auditing; Reporting
Sponsored by Oracle
The number, scale and severity of successful data theft and espionage attacks rose considerably last year, according to Verizon’s 2011 Data Breach Investigations Report.1 While 92 percent of these attacks are executed from outside the enterprise, many attacks made their way into databases, accounting for the majority of financial losses over the history of the report. Loss of records due to insider or outsider breach can have a huge impact on organizations. The average organizational cost of a data breach is $7.2 million, or $214 per compromised record, according to the most recent Ponemon Annual Study: U.S. Cost of Data Breach.2
When breaches are related to customer personal data, there is no doubt that an investigation is needed to apprise regulators, law enforcement and affected consumers. In the case of espionage against private and government enterprises, investigations are an ongoing part of doing business. Such investigations help close up vulnerabilities and improve the overall security of operations.
When those investigations get down to the database level, how can auditors and responders determine what databases were impacted, what access and commands were used, and what applications were utilized within the database? Equally important, how can organizations be alerted to this activity occurring within their databases in time to take action and prevent an attack from being successful?
This paper is a review of Oracle Audit Vault, which provides database log centralization, management, alerting and reporting across multiple databases. With Oracle Audit Vault, investigators and auditors can gather information about who accessed data, what applications were accessed, what was changed, and more. This centralization makes it easier to identify and contain potential compromises before they occur, as well as create reports for compliance and forensics. Oracle Audit Vault can be set to send alerts, which are critical for a fast response to stop risky behavior and attacks, and provides out-of-the-box compliance reports and methods of detecting unauthorized activities.
Product Review: Oracle Audit Vault
Most organizations utilize multiple database types and versions that are difficult and time-consuming to audit and report on individually. Oracle Audit Vault acts as a secure, centralized database audit trail repository. It is able to collect audit trails from a variety of databases, including Microsoft SQL Server 2000, 2005, and 2008; IBM DB2 UDB 8.2 through 9.5; and Sybase ASE 12.5.4 through 15.0.x, as well as Oracle databases. These audit trails can be automatically consolidated and reported on for audit and compliance purposes as well as for early threat detection. With unified reporting against their disparate databases, organizations can get more accurate reports and alerts without trying to manually tie events together across database systems.
Oracle Audit Vault uses collectors for the database audit trail, the operating system audit trail and, for Oracle databases, the redo logs to gather logs from multiple databases. Oracle Audit Vault centrally and securely consolidates the audit data, making it easier to search and manage data drawn from multiple databases. The ability to search and manage audit data from multiple databases can be used for alerting, notifying, following trends, and for more comprehensive audit/compliance functionality. For example, a secure repository for logs not only meets specific compliance needs, but also offers more scalability for searching and reporting.
In this functional review of the Oracle Audit Vault product, we used Oracle Database 11g to generate the audit data to be collected by Oracle Audit Vault, then conducted the review in three phases: Auditing, Reporting, and Alerting.
Auditing
In centralizing the audit data, database audit trails are stored in Oracle Audit Vault, which provides a secure repository on a separate server. Leaving audit data on the originating system leaves the data open to alteration. Keeping the repository securely separated from the system is critical to most compliance requirements that dictate that data cannot be altered. By storing the data in Oracle Audit Vault, administrators can be restricted from the data completely, or simply provided a read-only role so they cannot change the data inside the repository.
Oracle Audit Vault leverages Oracle Database Vault and Oracle Advanced Security to strictly control access and prevent tampering with the audit data. Oracle Audit Vault includes Oracle Partitioning to enhance manageability and performance and can, optionally, be deployed with Oracle Real Application Clusters (RAC) and Oracle Data Guard for additional scalability and high-availability deployments. Oracle Audit Vault can also be deployed on Oracle Exadata and the Oracle Database Appliance.
In the first part of this review, we tested the Audit Policy features against a single Oracle Database 11g. This involved clicking on the Audit Policy tab and then selecting the database being audited. We retrieved the policy by clicking the Audit Settings radio button, which provided the link for the database and a summary of what auditing was occurring, as shown in Figure 1.
Figure 1: Summary of Audit Settings
Audit settings were easy to review. They enable users to easily obtain an understanding of what was being audited and sent to Audit Vault. The In Use column notes the number of active settings from the database sending records to Audit Vault. The Needed column notes the number of required audit settings the auditor has specified. And the Problem column notes the number of audit settings that require attention from the auditor. Users can follow each of the links to get additional details about how the audit was set up.
Reporting
Next, we evaluated the default reports provided. Reports on access, database account management, system management, entitlement, exceptions, alerts and more are provided by default with Audit Vault. Oracle Audit Vault’s default report options are shown in Figure 2. By clicking on the links, we were able to review the log reports, which immediately provided the basic audit information that might be required of any centralized logging solution.
Figure 2: Default Reports Provided by Audit Vault
Next, we tested what detail the reports would show. For example, to audit specific statements that might indicate employee abuse, we issued the following queries in the database:
The results appeared in the Data Access report showing all queries that matched the specified parameters, as summarized in Figure 3.
Figure 3: Data Access Report under the Audit Reports Tab
Oracle Audit Vault can be used to query for specific data in order to identify signs of malicious intent or policy violations. By clicking on the individual records, we could read each of the queries in order to understand what data had been queried by which users. Figure 4 shows an example of what appears to be an employee querying for specific employee salary information.
Figure 4: Observing the SELECT Query
The SQL Text in Figure 4 specified the query that was conducted. In this particular case, the user (SYSTEM) had queried for a count of the employees that make over $10,000. Security personnel can use a number of the reports to query the audit data being created. Centralizing all the data in a single location makes it easier to investigate and identify potentially suspicious activity. We could also create customized queries based on specific organizational data concerns, such as who is viewing credit cards, Social Security numbers and other such sensitive data. Of course, all of this is dependent on how auditing is set up in the source database, because Audit Vault reflects only the data that is sent to it.
Another type of access report provided is Entitlement reports. Entitlement reports are important for organizations wanting to protect regulated data and intellectual property from those with privileged user access to administer systems. We retrieved the entitlement information from our database by going to the Audit Policy tab and selecting the User Entitlement option for the appropriate Audit Store. Then we clicked the Retrieve button, as shown in Figure 5.
Figure 5: Retrieving Entitlement Reports Data
Once the entitlement information was retrieved, we needed to view the specific data via the Entitlement reports. We found multiple built-in Entitlement reports for objects, users and systems that cover privileged user accounts, roles, profiles, privileges and more. In this case, we selected the User Privileges report and then clicked Go. The data was displayed in Audit Vault as shown in Figure 6.
Figure 6: Privileged Users Entitlement Report
The Entitlement reports simply report on the data from the databases related to privileges in use when the snapshot was obtained. Reports can be automatically scheduled and generated for management and compliance purposes. Auditors can be alerted when reports are available and an attestation process set in motion for review and approval.
Reports also provide data on login/logoff, startup/shutdown, failures, audit settings, changes, system events and user activity, among other data revealed by database logs. These, and other access and system events, provide valuable security intelligence that can be fed into Oracle Audit Vault alert reports, which can be classified based on level of severity.
Reports can also create an alert in real time as the data is analyzed. To review this feature, we created an individual alert that fires whenever a new user is added to the system. To set up the alert, we went to the Audit Policy tab, chose Alerts, and clicked Create. Figures 7 and 8 show how the alert was configured.
Figure 7: Setting up an Alert
The alert was titled CREATE_USER, and the severity was set to Warning. We selected the audit source type (ORCLDB) and the specific database to alert on. Each of the alerts can also be placed in a category, so we used the Account Management category.
The audit event was set to occur when the CREATE USER activity occurs. Additionally, this was done for both
Once the alert was saved and properly set up, two accounts were created in the database. Once the accounts had been created, we went to the Audit Reports tab and selected All Alerts to see whether the alerts had been generated. The alerts included the accounts that had been created for TANYA and PAUL. See Figure 8.
Figure 8: Completed Alerts
The alerts were easy to set up and allowed customization of the data that is important to a given organization. Alerts could also be sent via e-mail or even SMS text messages.
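Both the Data Access report on the salary query and the CREATE_USER alert above depend on the source database actually recording those events. The following Oracle Database 11g statements are an added example (not from this paper or from Oracle's product documentation) of the source-side audit settings that feed them; the HR.EMPLOYEES table and its SALARY column are assumed for illustration.

```sql
-- Added example: source-side Oracle Database 11g audit settings that
-- must exist before Audit Vault can report the two events tested in
-- the review. Assumes a constructed HR.EMPLOYEES table with a SALARY
-- column, and that the instance writes its audit trail to the
-- database with SQL text captured (AUDIT_TRAIL = DB, EXTENDED).

-- 1. Confirm where the audit trail is written. The Audit Vault
--    collector reads the database trail, and EXTENDED is what makes
--    the SQL Text column in the Data Access report non-empty.
--    Expected value: DB, EXTENDED. Changing it needs a restart:
--    ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;
SELECT value FROM v$parameter WHERE name = 'audit_trail';

-- 2. Record every SELECT against the salary table, one audit row per
--    statement, whether it succeeds or fails.
AUDIT SELECT ON hr.employees BY ACCESS;

-- 3. Record account creation, the event behind the CREATE_USER alert.
AUDIT CREATE USER BY ACCESS;

-- 4. Check locally that the trail is being populated before looking
--    for the records in Audit Vault: the salary query (with its SQL
--    text) and the new accounts should both appear here.
SELECT username, action_name, obj_name, sql_text, timestamp
  FROM dba_audit_trail
 WHERE action_name IN ('SELECT', 'CREATE USER')
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;
```

If step 4 shows nothing for the salary query, Audit Vault will show nothing either; the settings in steps 2 and 3 are also what the In Use and Needed columns of the Audit Settings summary count.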
Oracle Audit Vault automates the collection and consolidation of database audit data into a central, secure repository so that investigators and auditors can gather information and report on who accessed the data, what applications were accessed, what was changed, and more. Adding detective measures to a comprehensive database security strategy can help protect sensitive customer data and comply with industry and governmental compliance requirements.
Organizations need actionable data on who accessed the database, what methods they used, what they accessed, and what actions were taken. Oracle Audit Vault can quickly and automatically detect unauthorized activities that violate security and governance policies, thereby stopping perpetrators from covering their tracks.
Overall, Oracle Audit Vault was easy to use for analyzing the Oracle Database 11g audit data with which it was reviewed. By using the reports provided by Audit Vault, organizations can quickly identify and mitigate risks in a more proactive manner, thus limiting the number of compromises that occur and their associated costs. Although not covered in this review, centralizing and managing log data from heterogeneous databases consolidates actionable information that can be queried for better alerting, quicker response and smoother audit processes.
Oracle Audit Vault takes a deep approach to collecting and centralizing log data on a variety of database types and schemas. As observed during this review, the combined auditing, alerting and reporting in real time can help address security events more quickly. This is important to auditors and responders as well as to security personnel charged with preventing breaches from occurring.
About the Author
Tanya Baccam is a SANS senior instructor as well as a SANS courseware author. She is the current author for the SANS Security 509: Securing Oracle Databases course. Tanya works for Baccam Consulting, where she provides many security consulting services for clients, including system audits, vulnerability and risk assessments, database audits, and web application audits. Today much of her time is spent on the security of databases and applications within organizations. Tanya has also played an integral role in developing multiple business applications. She currently holds the CPA, GCFW, GCIH, CISSP, CISM, CISA, and OCP DBA certifications.
SANS would like to thank its sponsors: