SlideShare a Scribd company logo

Database audit policies copy

Download as DOCX, PDF
Oracle Apps DBA
Oracle Apps DBA

This document provides information about creating and managing database audit policies for Oracle databases using the AuditVault Server console. It discusses retrieving existing audit settings from an Oracle database, specifying which settings are needed, and creating new audit policy settings for SQL statements, schema objects, privileges, and capture rules. The general steps outlined are to retrieve current audit settings, define additional needed settings, and then provision the audit policy back to the database.

Career
1 of 19
Database Audit Policies Author: Sai Ranga Creation Date: August 20, 2015 Last Updated: August 20, 2015 Document Ref: Version: 1 Approvals: Copy Number _____
Database Audit Policies Document Control Change Record 1 9 Date Author Versio n Change Reference 20-Aug- 15 Sairanga 1 Database Audit Policies Reviewers Name Position SAI SeniorOracle andsqlserverconsultant +918978750005 +971-527172182 Distribution Copy No. Name Location 1 Library Master Project Library 2 Project Manager 3 4 Note to Holders: If you receive an electronic copy of this document and print it out, please write your name on the equivalent of the cover page, for document control purposes. If you receive ahard copy of thisdocument,please write your name on the front cover, for document control purposes.
Database Audit Policies Contents Database Audit Policies Document Control..................................................................................... 2 1. About Audit Policies..........................................................................................4 2. General Steps for Creating Audit Policies for Oracle Databases.................................4 3. Retrieving and Modifying Audit Settings from an Oracle Database ............................4 4. Specifying Which Audit Settings Are Needed .........................................................6 5. About Creating Audit Policy Settings ...................................................................7 6. Provisioning Audit Policies to an Oracle Database ................................................ 17 Open and Closed Issues for This Deliverable .................................................19 Open Issues ................................................................................................. 19 Closed Issues................................................................................................ 19
Database Audit Policies 1. About Audit Policies Usingthe AuditVault Serverconsole,youcanretrieve auditpoliciesfromOracle database secured targets.You can thenmodifythe policiesorcreate new ones,andthenprovisionthemtothe Oracle databases.Youcan retrieve andmodifythe followingtypesof Oracle Database auditpolicies.  SQL statements  Schemaobjects  Privileges  Fine-grainedauditing  Capture rules(forredologfile activities) 2. General Steps for Creating Audit Policies for Oracle Databases In general, tocreate auditpoliciesforOracle databases,youperformthe following Retrieve the currentauditpolicysettingsfromthe securedtargetOracle database,andspecifywhichof the current settingsare needed. 1. If necessary,definemore auditpolicysettingstoaddto the neededsettings. 2. Provisionthe auditpolicytothe securedtargetdatabase.The policysettingsyouspecifiedas needed,andthe newonesyoucreated,thenbecome the policiesinuse inthe database 3. Retrieving and Modifying Audit Settings from an Oracle Database To retrieve auditsettingsfromanOracle Database securedtarget: 1. Log in tothe AuditVaultServerconsole asanauditor. 2. Clickthe Policytab. By default,the Audit Settingspage appears.A summaryof auditsettingsatthispointintime is displayedforthatsecuredtarget.Foreach securedtarget,thispage liststhe statusof the audit policies.See"Understandingthe Columnsonthe AuditSettingsPage"below 3. From the Target Name column,selectthe checkboxesforthe securedtargetdatabasesyou want. You can onlysee the Oracle database securedtargetstowhichyouhave access. Note:Audittrailsand auditpolicymanagementare notsupportedforOracle Database 9i. 4. Clickthe Retrieve AuditSettingsbutton.
Database Audit Policies To check the statusof the retrieval,clickthe Settingstab,thenunderthe Systemmenu, clickJobs. Whenthe auditsettingsretrievaliscomplete,the AuditSettingspage isrefreshed withnewdata. 3.1 Understanding the Columns on the Audit Settings Page Each time youretrieve the auditsettingsfromasecuredtargetOracle database,yousee the state of the database auditsettingsatthat pointintime.The AuditSettingspage inthe AuditVaultServer (in the Policy tab) showsan overview of the auditsettingsinuse atsecuredtargetOracle Databases,and showsanydifferencesbetweenthose andthe settingsyouhave setasneededinyourOracle AVDFaudit policiesforthose databases.Youcanthenspecifywhichof the currentsettingsare needed. Table below describesthe columnsshowninthe AuditSettingsPage. Table FieldsUnder ApplyAuditSettings inthe AuditSettingsPage Column Description Target Name Name of the securedtarget In Use Numberof auditsettingsinuse inthe securedtarget Needed Numberof auditsettingsyou(the auditor) specifiedasneeded Problem The difference betweenthe auditsettingsinuse atthe database and the numberspecifiedas neededinyournyour Oracle AVDF auditpolicyforthisdatabase. If this numberisgreaterthanzero,new auditsettingsmayhave beencreatedatthe database since youlast provisionedthe auditpolicyfromOracle AVDF.Youmayalsohave selectedmore audit settingsasneededornot neededsince youlastprovisionedthe auditpolicy. To resolve the problem, youcanspecifywhethernew auditsettingsare neededand/orprovisionthe policyagain.Thisbringsthe numberinthe Problemcolumnbackto zero. Last Retrieved The time that the auditinformationforthe selecteddatabasewaslastretrieved As Provisioned The time that the auditsettingswere lastprovisionedtothe database fromOracle AVDF
Database Audit Policies 4. Specifying Which Audit Settings Are Needed Afteryouretrieve the auditsettingsfrom the securedtargetOracle database,youcanview andmodify themas needed.Rememberthatyouare modifyingauditsettingsinuse atthe time youretrievedthem. If you thinktheymayhave changed,youshouldretrieve themagain.See above "RetrievingAudit SettingsfromanOracle Database" above. 1. In the AuditSettingspage,clickthe name of the securedtargetdatabase youwant. The AuditSettingsOverview page forthissecuredtargetappears,showingthe auditsettingsin use and markedas neededfor these audittypes:  Statement  Object  Privilege  FGA  Capture Rule  2. To update settingsforanyaudittype,clickitslink,forexample, Statement. The AuditSettingspage forthat audittype appears,listingthe currentauditsettings.The second columndisplaysaproblemiconif there isa difference betweenthe settingatthe securedtarget database,andthe settinginOracle AVDF.
Database Audit Policies 3. Selectthe checkboxesforeachauditsettingyoudetermineisneeded,thenclick SetasNeeded. 4. To remove auditsettings,selectthe checkboxesforthe onesyouwanttoremove,thenclick Set as Not Needed. 5. To create newauditsettingsforthisaudittype (forexample,Statement),click Create 5. About Creating Audit Policy Settings Once you have retrievedauditpolicysettings fromthe securedtargetOracle database,andselected whichof the settingsinuse are needed,youcanalsocreate new policysettingsforthe Oracle database.  CreatingAuditPoliciesforSQLStatements  CreatingAuditPoliciesforSchemaObjects  CreatingAuditPoliciesforPrivileges  CreatingAuditPoliciesforFine-GrainedAuditing(FGA)  CreatingCapture RulesforRedoLog File Auditing 5.1 About SQL Statement Auditing Statementauditing auditsSQL statements bytype of statement,notbythe specificschemaobjectson whichthe statementoperates.Statementauditingcanbe broad or focused(forexample,byauditing the activitiesof all database usersoronlya selectlistof users).Typicallybroadstatementauditingaudits the use of several typesof relatedactionsforeachoption.These statementsare inthe following categories:  Data definitionstatements(DDL). For example, AUDITTABLE auditsall CREATE TABLE and DROP TABLE statements. AUDITTABLEtracks several DDLstatementsregardlessof the table on whichtheyare issued.Youcan alsosetstatementauditingtoauditselectedusers or everyuserinthe database.  Data manipulationstatements(DML). For example, AUDITSELECT TABLE auditsall SELECT ... FROM TABLE or SELECT ... FROM VIEW statements,regardlessof the table orview. Defining SQL StatementAuditSettings To define SQLstatementauditsettings: 1. Log in tothe AuditVaultServerconsole asanauditor. 2. If necessary,retrieve andupdate the currentauditsettings. See above "RetrievingandModifyingAuditSettingsfromanOracle Database" formore information. 3. Clickthe Policytab, and inthe AuditSettingspage,clickanOracle Database securedtarget. The target's AuditSettingsOverview page isdisplayed. 4. ClickStatement.
Database Audit Policies The StatementAuditSettingspage appears. 5. Clickthe Create button. 6. In the Create page,define the auditpolicyasfollows:  AuditedBy - Choose the usersto audit: o Both: Auditsall users,includingproxyusers. o Proxy: Auditsthe proxyuserforthe database.Whenyouselectthisoption, the Proxy User fieldappears,inwhichyoumustspecifyatleastone user.To display a listof proxyusersandtheirsecuredtargetsforselection,clickthe up-arrow icon on the rightof the field. o User:Auditsthe userto whichthissettingapplies.If youselectthisoption,youmust selectauser fromthe Usersdrop-downlist.  StatementExecutionCondition - Choose one of the following: o Both: Auditsbothsuccessful andfailedstatements o Success: Auditsthe statementif itissuccessful o Failure:Auditsthe statementif itfails  DML AuditGranularity - Choose auditgranularityforDML statements: o Access: Createsanauditrecord eachtime the operationoccurs
Database Audit Policies o Session:Createsanauditrecord the firsttime an operationoccursinthe current session DDL statements are alwaysaudited byaccess.  StatementsAudit Type - Selectthe SQL statementstoauditbydouble clickingastatement type to move itto the box on the right.Youcan use the double arrowstomove all statementstothe rightor back to the left. 7. ClickSave. The newauditsettingsare addedto the StatementAuditSettingspage. 5.2 About Schema Object Auditing Schema objectauditing isthe auditingof specificstatementsonaparticularschemaobject,such as AUDIT SELECT ON HR.EMPLOYEES. Schemaobjectauditingisveryfocused,auditingonlyaspecific statementona specificschemaobjectforall usersof the database. For example,objectauditingcanauditall SELECT andDML statementspermittedbyobject privileges, such as SELECT or DELETE statementsona giventable.The GRANTand REVOKE statementsthatcontrol those privilegesare alsoaudited. Objectauditingletsyouauditthe use of powerful database commandsthatenable userstoview or delete very sensitive andprivate data.Youcan auditstatementsthatreference tables,views,sequences, standalone storedproceduresorfunctions,andpackages. Oracle Database setsschemaobjectauditoptionsforall usersof the database.Youcannot setthese optionsfora specificlistof users. Defining Schema ObjectAuditSettings To define schemaobjectauditsettings: 1. Log in tothe AuditVaultconsole asanauditor. 2. If necessary,retrieve andupdate the currentauditsettings. See above "RetrievingandModifyingAuditSettingsfromanOracle Database" formore information. 3. Clickthe Policytab, and inthe AuditSettingspage,clickasecuredtargetOracle database. The target's AuditSettingsOverview isdisplayed. 4. ClickObjectto displaythe ObjectAuditSettingspage. 5. Clickthe Create button.
Database Audit Policies 6. In the ObjectAuditSettingspage,definethe settingsasfollows:  ObjectType - Selectthe type of objectto auditfromthe drop-downlist,such as TABLE, LOB, RULE, or VIEW.  Object- Selecta specificobjectof the objecttype youselected.  ObjectExecution Condition - Choose one of the following: o Both: Auditsbothsuccessful andfailedstatements o Success: Auditsthe statementif itissuccessful o Failure:Auditsthe statementif itfails  DML AuditGranularity - Choose auditgranularityforDML statements: o Access: Createsanauditrecord eachtime the operationoccurs o Session:Createsanauditrecord the firsttime an operationoccursinthe current session DDL statementsare alwaysauditedbyaccess.  StatementsAudit Type - Selectthe SQL statementstoauditbydouble clickingastatement type to move itto the box on the right.Youcan use the double arrowstomove all statementstothe rightor back to the left. 7. ClickSave. The newobjectauditsettingsare addedtothe ObjectAuditSettingspage.
Database Audit Policies 5.3 About Privilege Auditing Privilege auditingisthe auditingof SQL statementsthatuse a systemprivilege.Youcanauditthe use of any systemprivilege.Like statementauditing,privilege auditingcanauditthe activitiesof all database usersor onlya specifiedlistof users. For example,if youenable AUDITSELECT ANY TABLE, Oracle Database audits all SELECT tablenamestatementsissuedbyuserswhohave theSELECTANYTABLE privilege.Thistype of auditingisveryimportantforthe Sarbanes-Oxley(SOX) Actcompliancerequirements.Sarbanes-Oxley and othercompliance regulationsrequire the privilegeduserbe auditedforinappropriatedatachanges or fraudulentchangestorecords. Privilegeauditingauditsthe use of powerful systemprivilegesenablingcorrespondingactions,such as AUDIT CREATE TABLE. If you setbothsimilarstatementandprivilegeauditoptions,thenonlyasingle auditrecord isgenerated.Forexample,if the statementclause TABLEand the systemprivilegeCREATE TABLE are bothaudited,thenonlyasingle auditrecordisgeneratedeachtime atable iscreated.The statementauditingclause, TABLE,auditsCREATE TABLE, ALTER TABLE, and DROP TABLE statements. However,the privilegeauditingoption, CREATETABLE, auditsonly CREATE TABLE statements,because onlythe CREATE TABLE statementrequiresthe CREATE TABLE privilege. Privilegeauditingdoesnotoccurif the action isalreadypermittedbythe existingownerandschema objectprivileges.Privilege auditingistriggeredonlyif theseprivilegesare insufficient,thatis,onlyif whatmakesthe action possible isasystemprivilege. Privilegeauditingismore focusedthanstatementauditingforthe followingreasons:  It auditsonlya specifictype of SQLstatement,nota relatedlistof statements.  It auditsonlythe use of the targetprivilege. Defining Privilege Audit Settings To define create privilege auditsettings: 1. Log in tothe AuditVaultServerconsole asanauditor. 2. If necessary,retrieve andupdate the currentauditsettings. See above "RetrievingandModifyingAuditSettingsfromanOracle Database" formore information. 3. Clickthe Policytab, and inthe AuditSettingspage,clickasecuredtargetOracle database. The target's Audit SettingsOverview isdisplayed. 4. ClickPrivilege todisplaythe Privilege AuditSettingspage. 5. Clickthe Create button,and inthe Create Privilege Auditpage,definethe privilege auditpolicy as follows:  AuditedBy - Choose the usersto audit:
Database Audit Policies o Both: Auditsall users,includingproxyusers. o Proxy: Auditsthe proxyuserforthe database.Whenyouselectthisoption, the Proxy User fieldappears,inwhichyoumustspecifyatleastone user.To display a listof proxyusersandtheirsecuredtargetsforselection,clickup-arrow iconon the right of the field. o User:Auditsthe userto whichthissettingapplies.Whenyouselectthisoption, the Usersfieldappears,andyoumustspecifyauserfrom the drop-downlist.  StatementExecutionCondition - Choose one of the following: o Both: Auditsbothsuccessful andfailedstatements o Success: Auditsthe statementif itissuccessful o Failure:Auditsthe statementif itfails  DML AuditGranularity - Choose auditgranularityforDML statements: o Access: Createsanauditrecord eachtime the operationoccurs o Session:Createsanauditrecord the firsttime an operationoccursinthe current session DDL statementsare alwaysauditedbyaccess.  StatementsAudit Type - Selectthe privilegestoauditbydouble clickingastatementtype to move itto the box onthe right. You can use the double arrowsto move all statementstothe rightor back to the left. 6. ClickSave. The newprivilege auditsettingsare addedtothose listedinthe PrivilegeAuditSettingspage. 5.4 About Fine-Grained Auditing Fine-grainedauditing(FGA) enablesyouto create a policythatdefinesspecificconditionsthatmust existforthe auditto occur. For example,fine-grainedauditingletsyouauditthe followingtypesof activities:  Accessingatable between9p.m.and 6 a.m. or on Saturdayand Sunday  Usingan IPaddressfromoutside the corporate network  Selectingorupdatingatable column  Modifyingavalue ina table column A fine-grainedauditpolicyprovidesgranularauditingof select,insert,update,anddelete operations. Furthermore,youreduce the amountof auditinformationgeneratedbyrestrictingauditingtoonlythe conditionsthatyouwantto audit.Thiscreatesa more meaningfulaudittrail thatsupportscompliance requirements.Forexample,acentral tax authoritycanuse fine-grainedauditingtotrackaccess to tax returnsto guard againstemployee snooping,withenoughdetail todetermine whatdatawasaccessed. It isnot enoughtoknowthat a specificuserusedthe SELECTprivilege onaparticulartable.Fine-grained auditingprovidesadeeperaudit,suchaswhenthe userqueriedthe table orthe computerIPaddressof the userwho performedthe action.
Database Audit Policies AuditingSpecificColumnsandRows Whenyoudefine the fine-grainedauditpolicy, youcantargetone or more specificcolumns,called a relevantcolumn,to be auditedif aconditionismet.Thisfeature enablesyoutofocuson particularly important,sensitive,orprivacy-relateddatatoaudit,suchas the data in columnsthatholdcreditcard numbers,patientdiagnoses,Social Securitynumbers,andsoon.A relevant-columnaudithelpsreduce the instancesof false orunnecessaryauditrecords,because the auditistriggeredonlywhenaparticular columnisreferencedinthe query. You furthercan fine-tunethe audittospecificcolumnsandrowsbyaddinga conditiontothe audit policy.Forexample,suppose youenterthe followingfieldsinthe Create Fine GrainedAuditpage:  Condition:department_id= 50  Columns:salary, commission_pct Thissettingauditsanyone whotriestoselectdatafromthe salary and commission_pctcolumnsof employeesinDepartment50. If you do notspecifyarelevantcolumn,thenOracle Database appliesthe audittoall the columnsinthe table;thatis, auditingoccurswheneveranyspecifiedstatementtype affectsanycolumn,whetheror not anyrows are returned. UsingEvent Handlers inFine-GrainedAuditing In a fine-grainedauditpolicy,youcan specifyaneventhandlertoprocessan auditevent.The event handlerprovidesflexibilityindetermininghow tohandle atriggeringauditevent.Forexample,itcould write the auditeventtoa special audittable forfurtheranalysis,oritcouldsenda pageror an email alertto a securityadministrator.Thisfeature enablesyoutofine-tune auditresponsestoappropriate levelsof escalation. For additional flexibilityinimplementation,youcanemployauser-definedfunctiontodetermine the policycondition,andidentifyarelevantcolumnforauditing(auditcolumn).Forexample,the function couldallowunauditedaccesstoanysalaryas longas the userisaccessingdata withinthe company,but specifyauditedaccesstoexecutive-level salarieswhentheyare accessedfromoutside the company. Defining Fine-Grained AuditSettings To define fine-grainedauditsettings: 1. Log in tothe AuditVaultServerconsole asanauditor. 2. If necessary,retrieve andupdate the currentauditsettings. See above "RetrievingandModifyingAuditSettingsfromanOracle Database" formore information. 3. Clickthe Policytab, and inthe AuditSettingspage,clickasecuredtargetOracle database.
Database Audit Policies The database'sAuditSettingsOverview isdisplayed. 4. ClickFGAto displaythe Fine GrainedAuditSettingspage. 5. Clickthe Create button. 6. Define the auditpolicyasfollows:  PolicyName - Entera name forthisfine-grainedauditpolicy.  Audit Trail - Selectfromone of the followingaudittrail types: o Database: Writesthe policyrecordstothe database audit trail SYS.FGA_LOG$systemtable. o Database withSQL Text: Performsthe same functionasthe Database option,but alsopopulatesthe SQLbindand SQL textCLOB-type columnsof the SYS.FGA_LOG$table. o XML: Writesthe policyrecordstoan operatingsystemXMLfile.Tofindthe location of thisfile, adatabase administratorcanrunthe followingcommandinSQL*Plus:
Database Audit Policies SQL> SHOW PARAMETER AUDIT_FILE_DEST o XML with SQL Text: Performsthe same functionasthe XML option,butalso includesall columnsof the audittrail,includingSQLTEXTandSQLBIND values. o WARNING: Be aware that sensitivedata,suchas creditcard numbers,appearinthe audittrail if you collectSQL text.  SecuredTarget Schema- Selecta schemato audit.  SecuredTarget Object- Selectanobjectto audit.  Statements- Selectone ormore SQL statementstoauditbydouble clickingeach statementtomove itto the box on the right. Youcan select:DELETE, INSERT, MERGE, SELECT, or UPDATE.  Columns- (Optional) Enterthe namesof the database columns(relevantcolumns)to audit.Separate eachcolumnname witha comma.If youentermore than one column, selectAll or Any as the conditionthattriggersthispolicy.  Conditions- (Optional) EnteraBooleanconditiontofilterrow data.For example, department_id=50 . If this fieldisblankornull, auditingoccursregardlessof condition.  Handler Schema - (Requiredif youspecifyaneventhandlerfunction) Enterthe name of the schemaaccount inwhichthe eventhandlerwascreated.Forexample: SEC_MGR  Handler Package - (Requiredif youspecifyaneventhandlerfunction) Enterthe name of the package in whichthe eventhandlerwascreated.Forexample: OE_FGA_POLICIES  Handler Function- (Optional) Enterthe name of the eventhandler.For example:CHECK_OE_VIOLATIONS 7. ClickSave. The fine-grainedauditpolicyiscreated. 5.5 About Capture Rules Redo Log File Auditing You can create a capture rule to track before andaftervalue changesinthe database redologfiles.The capture rule specifiesDMLandDDL changesthat shouldbe checkedwhenOracle Database scansthe database redolog.You can applythe capture rule to an individual table,aschema,orgloballytothe entire database.Unlike statement,object,privilege,andfine-grainedauditpolicies,youdonotretrieve and activate capture rule settingsfromasecuredtarget,because youcannotcreate themthere.You onlycan create the capture rule inthe AuditVaultServerconsole. Note: In the securedtargetdatabase,ensure thatthe table thatyou planto use forthe redologfile auditis not listedin theDBA_STREAMS_UNSUPPORTEDdata dictionaryview.
Database Audit Policies Defining a CaptureRule forRedo Log File Auditing To define acapture rule: 1. Log in tothe console asan auditor. 2. If necessary,retrieve andupdate the currentstatementauditpolicies. See above "RetrievingandModifyingAuditSettingsfromanOracle Database" for more information. 3. Clickthe Policytab, and inthe AuditSettingspage,clickasecuredtargetOracle database. The target's AuditSettingsOverview isdisplayed. 4. ClickCapture Rule to displaythe Capture Rule Settingspage. 5. Clickthe Create button. Define the capture rule asfollows: Rule Type - Selectone of the following: o Table: Captureseitherrow changesresultingfromDML changesor DDL changestoa particulartable. o Schema: Captureseitherrow changesresultingfromDML changesor DDL changes to the database objectsina particularschema. o Global:Captureseitherall row changesresultingfromDMLchangesor all DDL changesinthe database.  StatementType - SelectDDL, DML, or Both.  SecuredTarget Schema- If youselectedTable orSchemaasthe Rule Type,selectthe name of the schemato whichthe capture rule appliesfromthe drop-downlist.  SecuredTarget Table - If youselectedTable asthe Rule Type,selectthe name of the table to whichthe capture rule appliesfromthe drop-downlist. 6. ClickSave. The capture rule iscreatedand addedtothe listinthe Capture Rule Settingspage.
Database Audit Policies 6. Provisioning Audit Policies to an Oracle Database 6.1 Exporting Audit Settings to a SQL Script You can exportauditpolicysettingsforasecuredtargetto a SQL script fromOracle AVDF.Thenyoucan give the scriptto a database administratorforthe securedtargetOracle Database to use to update the auditsettingsonthat database. To exportthe auditsettingstoa SQL script fora securedtargetdatabase: 1. Log in tothe AuditVaultconsole asanauditor,andclick the Policytab. The AuditSettingspage isdisplayed,showingthe Oracle database securedtargetstowhichyou have access. 2. Clickthe name of a securedtargetdatabase. The AuditSettingsOverview forthatdatabase appears. 3. Selectfromthe audittypesyouwantto export: Statement,Object,Privilege,FGA,orCapture Rule. 4. ClickExport/Provision. The Export/ProvisionAuditSettingspage appears,displayingthe exportable auditcommands. 5. ClickExport, andthenclick OK to confirm. 6. Save the SQL file toa locationonyoursystem. 7. Give the savedscriptto the database administratorforthat securedtarget.The database administratorcanthenapplythe policiestothe securedtarget.Toverifythatthe settingshave beenupdated 6.2 Provisioning the Audit Settings from the Audit Vault Server You can provisionthe auditpolicysettingsdirectlyfromthe AuditVaultServertothe securedtarget Oracle database.Thisupdatesthe auditsettingsinthe securedtargetwithoutthe interventionof a database administrator.However,adatabase administratorcanmodifyordelete these auditsettings,as well asadd newones.Forthisreason,youshouldperiodicallyretrieve the settingstoensure thatyou have the latestauditsettings.See above "RetrievingAuditSettingsfromanOracle Database". To provisionthe auditsettingstothe securedtarget: 1. Log in tothe AuditVaultServerconsole asanauditor,and clickthe Policy tab. The AuditSettingspage isdisplayed,showingthe Oracle database securedtargetstowhichyou have access. 2. Clickthe name of a securedtargetdatabase.
Database Audit Policies The AuditSettingsOverview forthatdatabase appears. 3. Selectfromthe audit typesyouwantto provision: Statement,Object, Privilege,FGA,orCapture Rule. 4. ClickExport/Provision. The Export/ProvisionAuditSettingspage appears,displayingthe exportable auditcommands, and allowingyoutoverifythembefore provisioning. 5. In the Username field,enterthe username of a userwhohas beengranted the EXECUTE privilege forthe AUDITSQL statement,theNOAUDITSQLstatement,and the DBMS_FGA PL/SQL package. If the securedtargetdatabase isprotectedwithOracle Database Vault,ensure thatthe userhas beengrantedthe AUDIT SYSTEM and AUDIT ANY privileges.If there isanauditcommandrule in place,ensure the commandisenabledandthe userwhose name youenterisable toexecute the command. 6. In the Password field,enterthe password of thisuser. 7. ClickProvision,andthenclick OK toconfirm.
Database Audit Policies Open and Closed Issues for This Deliverable Open Issues ID Issue Resolution Responsibility Target Date Impact Date Closed Issues ID Issue Resolution Responsibility Target Date Impact Date

Recommended

Painting the Future of Big Data with Apache Spark and MongoDB
Painting the Future of Big Data with Apache Spark and MongoDBPainting the Future of Big Data with Apache Spark and MongoDB
Painting the Future of Big Data with Apache Spark and MongoDB
MongoDB
 
Row-level security and Dynamic Data Masking
Row-level security and Dynamic Data MaskingRow-level security and Dynamic Data Masking
Row-level security and Dynamic Data Masking
SolidQ
 
Query Store and live Query Statistics
Query Store and live Query StatisticsQuery Store and live Query Statistics
Query Store and live Query Statistics
SolidQ
 
Cad02 How To Get An Idea
Cad02 How To Get An IdeaCad02 How To Get An Idea
Cad02 How To Get An Idea
IntrepidNavigator
 
Padron Elecciones Cnm Nutricionistas De Peru
Padron Elecciones Cnm Nutricionistas De PeruPadron Elecciones Cnm Nutricionistas De Peru
Padron Elecciones Cnm Nutricionistas De Peru
consejoregionaliv
 
Abraham Lincoln
Abraham LincolnAbraham Lincoln
Abraham Lincoln
Keith Erickson
 
76 1759872654 Te1st
76 1759872654 Te1st76 1759872654 Te1st
76 1759872654 Te1st
sameer
 
Lesson 2 module 8 how rna is made
Lesson 2 module 8 how rna is madeLesson 2 module 8 how rna is made
Lesson 2 module 8 how rna is madeCRDevelopment
 

Recommended

Painting the Future of Big Data with Apache Spark and MongoDB
Painting the Future of Big Data with Apache Spark and MongoDBPainting the Future of Big Data with Apache Spark and MongoDB
Painting the Future of Big Data with Apache Spark and MongoDB
MongoDB
 
Row-level security and Dynamic Data Masking
Row-level security and Dynamic Data MaskingRow-level security and Dynamic Data Masking
Row-level security and Dynamic Data Masking
SolidQ
 
Query Store and live Query Statistics
Query Store and live Query StatisticsQuery Store and live Query Statistics
Query Store and live Query Statistics
SolidQ
 
Cad02 How To Get An Idea
Cad02 How To Get An IdeaCad02 How To Get An Idea
Cad02 How To Get An Idea
IntrepidNavigator
 
Padron Elecciones Cnm Nutricionistas De Peru
Padron Elecciones Cnm Nutricionistas De PeruPadron Elecciones Cnm Nutricionistas De Peru
Padron Elecciones Cnm Nutricionistas De Peru
consejoregionaliv
 
Abraham Lincoln
Abraham LincolnAbraham Lincoln
Abraham Lincoln
Keith Erickson
 
76 1759872654 Te1st
76 1759872654 Te1st76 1759872654 Te1st
76 1759872654 Te1st
sameer
 
Lesson 2 module 8 how rna is made
Lesson 2 module 8 how rna is madeLesson 2 module 8 how rna is made
Lesson 2 module 8 how rna is madeCRDevelopment
 
Problem of the day - April
Problem of the day - AprilProblem of the day - April
Problem of the day - April
smolinaalvarez
 
Ws5.1.1 finished
Ws5.1.1 finishedWs5.1.1 finished
Ws5.1.1 finishedhumaira28
 
Ws5 1-3
Ws5 1-3Ws5 1-3
Ws5 1-3humaira28
 
78 1759872654te1st
78 1759872654te1st78 1759872654te1st
78 1759872654te1st
sameer
 
Vdomainhosting wordpress-seo-checklist20151016e
Vdomainhosting wordpress-seo-checklist20151016eVdomainhosting wordpress-seo-checklist20151016e
Vdomainhosting wordpress-seo-checklist20151016e
Guy Cook
 
Facebook Organic + Paid Strategy For Business
Facebook Organic + Paid Strategy For BusinessFacebook Organic + Paid Strategy For Business
Facebook Organic + Paid Strategy For BusinessKate Buck Jr
 
The not so short introduction to Kinect
The not so short introduction to KinectThe not so short introduction to Kinect
The not so short introduction to Kinect
AXM
 
Do I really need Iinternet Marketing Budget ?
Do I really need Iinternet Marketing Budget ?Do I really need Iinternet Marketing Budget ?
Do I really need Iinternet Marketing Budget ?thinkahead.net
 
SPARK: How to Generate Ideas Worth Spreading
SPARK: How to Generate Ideas Worth SpreadingSPARK: How to Generate Ideas Worth Spreading
SPARK: How to Generate Ideas Worth Spreading
Emily H. Griebel
 
Lista exonerados beto_richa_portalcaiua
Lista exonerados beto_richa_portalcaiuaLista exonerados beto_richa_portalcaiua
Lista exonerados beto_richa_portalcaiuaportalcaiua
 
Lawrence Tom Design
Lawrence Tom DesignLawrence Tom Design
Lawrence Tom DesignLawrence Tom
 
American Flag
American FlagAmerican Flag
American FlagKeith Erickson
 
090513 Feyenoord Bc Sam
090513 Feyenoord Bc Sam090513 Feyenoord Bc Sam
090513 Feyenoord Bc Sam
basvanrossem
 
Recording films
Recording filmsRecording films
Recording filmshumaira28
 
The Statue of Liberty
The Statue of LibertyThe Statue of Liberty
The Statue of LibertyKeith Erickson
 
Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010
Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010
Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010
Jimp87
 
Fuglar
FuglarFuglar
Fuglardagbjort
 
Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...
Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...
Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...
Kenneth "Kip" Nance
 
Fast guidetonkoj
Fast guidetonkojFast guidetonkoj
Fast guidetonkoj
AXM
 
ภาคเหนือเจ้า
ภาคเหนือเจ้าภาคเหนือเจ้า
ภาคเหนือเจ้า
jarudee
 
Database firewall policies copy
Database firewall policies copyDatabase firewall policies copy
Database firewall policies copy
Oracle Apps DBA
 
ICT-DBA4-09-0811-Monitor-and-Administer-Database.docx
ICT-DBA4-09-0811-Monitor-and-Administer-Database.docxICT-DBA4-09-0811-Monitor-and-Administer-Database.docx
ICT-DBA4-09-0811-Monitor-and-Administer-Database.docx
AmanGunner
 

More Related Content

Viewers also liked

Problem of the day - April
Problem of the day - AprilProblem of the day - April
Problem of the day - April
smolinaalvarez
 
Ws5.1.1 finished
Ws5.1.1 finishedWs5.1.1 finished
Ws5.1.1 finishedhumaira28
 
78 1759872654te1st
78 1759872654te1st78 1759872654te1st
78 1759872654te1st
sameer
 
Vdomainhosting wordpress-seo-checklist20151016e
Vdomainhosting wordpress-seo-checklist20151016eVdomainhosting wordpress-seo-checklist20151016e
Vdomainhosting wordpress-seo-checklist20151016e
Guy Cook
 
Facebook Organic + Paid Strategy For Business
Facebook Organic + Paid Strategy For BusinessFacebook Organic + Paid Strategy For Business
Facebook Organic + Paid Strategy For BusinessKate Buck Jr
 
The not so short introduction to Kinect
The not so short introduction to KinectThe not so short introduction to Kinect
The not so short introduction to Kinect
AXM
 
Do I really need Iinternet Marketing Budget ?
Do I really need Iinternet Marketing Budget ?Do I really need Iinternet Marketing Budget ?
Do I really need Iinternet Marketing Budget ?thinkahead.net
 
SPARK: How to Generate Ideas Worth Spreading
SPARK: How to Generate Ideas Worth SpreadingSPARK: How to Generate Ideas Worth Spreading
SPARK: How to Generate Ideas Worth Spreading
Emily H. Griebel
 
Lista exonerados beto_richa_portalcaiua
Lista exonerados beto_richa_portalcaiuaLista exonerados beto_richa_portalcaiua
Lista exonerados beto_richa_portalcaiuaportalcaiua
 
Lawrence Tom Design
Lawrence Tom DesignLawrence Tom Design
Lawrence Tom DesignLawrence Tom
 
090513 Feyenoord Bc Sam
090513 Feyenoord Bc Sam090513 Feyenoord Bc Sam
090513 Feyenoord Bc Sam
basvanrossem
 
Recording films
Recording filmsRecording films
Recording filmshumaira28
 
Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010
Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010
Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010
Jimp87
 
Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...
Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...
Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...
Kenneth "Kip" Nance
 
Fast guidetonkoj
Fast guidetonkojFast guidetonkoj
Fast guidetonkoj
AXM
 
ภาคเหนือเจ้า
ภาคเหนือเจ้าภาคเหนือเจ้า
ภาคเหนือเจ้า
jarudee
 

Viewers also liked (20)

Problem of the day - April
Problem of the day - AprilProblem of the day - April
Problem of the day - April
 
Ws5.1.1 finished
Ws5.1.1 finishedWs5.1.1 finished
Ws5.1.1 finished
 
Ws5 1-3
Ws5 1-3Ws5 1-3
Ws5 1-3
 
78 1759872654te1st
78 1759872654te1st78 1759872654te1st
78 1759872654te1st
 
Vdomainhosting wordpress-seo-checklist20151016e
Vdomainhosting wordpress-seo-checklist20151016eVdomainhosting wordpress-seo-checklist20151016e
Vdomainhosting wordpress-seo-checklist20151016e
 
Facebook Organic + Paid Strategy For Business
Facebook Organic + Paid Strategy For BusinessFacebook Organic + Paid Strategy For Business
Facebook Organic + Paid Strategy For Business
 
The not so short introduction to Kinect
The not so short introduction to KinectThe not so short introduction to Kinect
The not so short introduction to Kinect
 
Do I really need Iinternet Marketing Budget ?
Do I really need Iinternet Marketing Budget ?Do I really need Iinternet Marketing Budget ?
Do I really need Iinternet Marketing Budget ?
 
SPARK: How to Generate Ideas Worth Spreading
SPARK: How to Generate Ideas Worth SpreadingSPARK: How to Generate Ideas Worth Spreading
SPARK: How to Generate Ideas Worth Spreading
 
Lista exonerados beto_richa_portalcaiua
Lista exonerados beto_richa_portalcaiuaLista exonerados beto_richa_portalcaiua
Lista exonerados beto_richa_portalcaiua
 
Lawrence Tom Design
Lawrence Tom DesignLawrence Tom Design
Lawrence Tom Design
 
American Flag
American FlagAmerican Flag
American Flag
 
090513 Feyenoord Bc Sam
090513 Feyenoord Bc Sam090513 Feyenoord Bc Sam
090513 Feyenoord Bc Sam
 
Recording films
Recording filmsRecording films
Recording films
 
The Statue of Liberty
The Statue of LibertyThe Statue of Liberty
The Statue of Liberty
 
Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010
Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010
Fossoway Community Strategy Group: Strategy for Crook of Devon & Drum 2010
 
Fuglar
FuglarFuglar
Fuglar
 
Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...
Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...
Realtor Kip Nance's Maximum Home Audit for Sellers in The Carolina Grand Stra...
 
Fast guidetonkoj
Fast guidetonkojFast guidetonkoj
Fast guidetonkoj
 
ภาคเหนือเจ้า
ภาคเหนือเจ้าภาคเหนือเจ้า
ภาคเหนือเจ้า
 

Similar to Database audit policies copy

Database firewall policies copy
Database firewall policies copyDatabase firewall policies copy
Database firewall policies copy
Oracle Apps DBA
 
ICT-DBA4-09-0811-Monitor-and-Administer-Database.docx
ICT-DBA4-09-0811-Monitor-and-Administer-Database.docxICT-DBA4-09-0811-Monitor-and-Administer-Database.docx
ICT-DBA4-09-0811-Monitor-and-Administer-Database.docx
AmanGunner
 
Managing SQLserver for the reluctant DBA
Managing SQLserver for the reluctant DBAManaging SQLserver for the reluctant DBA
Managing SQLserver for the reluctant DBAConcentrated Technology
 
Data Archiving -Ramesh sap bw
Data Archiving -Ramesh sap bwData Archiving -Ramesh sap bw
Data Archiving -Ramesh sap bw
ramesh rao
 
Sql server 2016 new features
Sql server 2016 new featuresSql server 2016 new features
Sql server 2016 new features
Ajeet pratap Singh
 
Sql server 2016 new features
Sql server 2016 new featuresSql server 2016 new features
Sql server 2016 new features
Ajeet Singh
 
Oracle data capture c dc
Oracle data capture c dcOracle data capture c dc
Oracle data capture c dcAmit Sharma
 
OER UNIT 5 Audit
OER UNIT 5 AuditOER UNIT 5 Audit
OER UNIT 5 Audit
Girija Muscut
 
InfoSphere_Information_Analyzer
InfoSphere_Information_AnalyzerInfoSphere_Information_Analyzer
InfoSphere_Information_AnalyzerSourav Maity
 
Sas training in hyderabad
Sas training in hyderabadSas training in hyderabad
Sas training in hyderabad
Kelly Technologies
 
SQL Server and System Center Advisor
SQL Server and System Center AdvisorSQL Server and System Center Advisor
SQL Server and System Center Advisor
Eduardo Castro
 
BI Publisher Data model design document
BI Publisher Data model design documentBI Publisher Data model design document
BI Publisher Data model design document
adivasoft
 
BI Publisher 11g : Data Model Design document
BI Publisher 11g : Data Model Design documentBI Publisher 11g : Data Model Design document
BI Publisher 11g : Data Model Design document
adivasoft
 
12 1-man-operation center-ug(2)
12 1-man-operation center-ug(2)12 1-man-operation center-ug(2)
12 1-man-operation center-ug(2)
Ron DeLong
 
CaseStudy-MohammedImranAlam-Xcelsius
CaseStudy-MohammedImranAlam-XcelsiusCaseStudy-MohammedImranAlam-Xcelsius
CaseStudy-MohammedImranAlam-XcelsiusMohammed Imran Alam
 
Cognos framework manager
Cognos framework managerCognos framework manager
Cognos framework manager
maxonlinetr
 
Process management seminar
Process management seminarProcess management seminar
Process management seminar
apurva_naik
 
7 Things To Know About Database Testing.pdf
7 Things To Know About Database Testing.pdf7 Things To Know About Database Testing.pdf
7 Things To Know About Database Testing.pdf
Enov8
 

Similar to Database audit policies copy (20)

Database firewall policies copy
Database firewall policies copyDatabase firewall policies copy
Database firewall policies copy
 
ICT-DBA4-09-0811-Monitor-and-Administer-Database.docx
ICT-DBA4-09-0811-Monitor-and-Administer-Database.docxICT-DBA4-09-0811-Monitor-and-Administer-Database.docx
ICT-DBA4-09-0811-Monitor-and-Administer-Database.docx
 
DB2 LUW Auditing
DB2 LUW AuditingDB2 LUW Auditing
DB2 LUW Auditing
 
Managing SQLserver for the reluctant DBA
Managing SQLserver for the reluctant DBAManaging SQLserver for the reluctant DBA
Managing SQLserver for the reluctant DBA
 
Data Archiving -Ramesh sap bw
Data Archiving -Ramesh sap bwData Archiving -Ramesh sap bw
Data Archiving -Ramesh sap bw
 
Less11 Security
Less11 SecurityLess11 Security
Less11 Security
 
Sql server 2016 new features
Sql server 2016 new featuresSql server 2016 new features
Sql server 2016 new features
 
Sql server 2016 new features
Sql server 2016 new featuresSql server 2016 new features
Sql server 2016 new features
 
Oracle data capture c dc
Oracle data capture c dcOracle data capture c dc
Oracle data capture c dc
 
OER UNIT 5 Audit
OER UNIT 5 AuditOER UNIT 5 Audit
OER UNIT 5 Audit
 
InfoSphere_Information_Analyzer
InfoSphere_Information_AnalyzerInfoSphere_Information_Analyzer
InfoSphere_Information_Analyzer
 
Sas training in hyderabad
Sas training in hyderabadSas training in hyderabad
Sas training in hyderabad
 
SQL Server and System Center Advisor
SQL Server and System Center AdvisorSQL Server and System Center Advisor
SQL Server and System Center Advisor
 
BI Publisher Data model design document
BI Publisher Data model design documentBI Publisher Data model design document
BI Publisher Data model design document
 
BI Publisher 11g : Data Model Design document
BI Publisher 11g : Data Model Design documentBI Publisher 11g : Data Model Design document
BI Publisher 11g : Data Model Design document
 
12 1-man-operation center-ug(2)
12 1-man-operation center-ug(2)12 1-man-operation center-ug(2)
12 1-man-operation center-ug(2)
 
CaseStudy-MohammedImranAlam-Xcelsius
CaseStudy-MohammedImranAlam-XcelsiusCaseStudy-MohammedImranAlam-Xcelsius
CaseStudy-MohammedImranAlam-Xcelsius
 
Cognos framework manager
Cognos framework managerCognos framework manager
Cognos framework manager
 
Process management seminar
Process management seminarProcess management seminar
Process management seminar
 
7 Things To Know About Database Testing.pdf
7 Things To Know About Database Testing.pdf7 Things To Know About Database Testing.pdf
7 Things To Know About Database Testing.pdf
 

Recently uploaded

135. Reviewer Certificate in Journal of Engineering
135. Reviewer Certificate in Journal of Engineering135. Reviewer Certificate in Journal of Engineering
135. Reviewer Certificate in Journal of Engineering
Manu Mitra
 
Luke Royak's Personal Brand Exploration!
Luke Royak's Personal Brand Exploration!Luke Royak's Personal Brand Exploration!
Luke Royak's Personal Brand Exploration!
LukeRoyak
 
Full Sail_Morales_Michael_SMM_2024-05.pptx
Full Sail_Morales_Michael_SMM_2024-05.pptxFull Sail_Morales_Michael_SMM_2024-05.pptx
Full Sail_Morales_Michael_SMM_2024-05.pptx
mmorales2173
 
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
foismail170
 
Brand Identity For A Sportscaster Project and Portfolio I
Brand Identity For A Sportscaster Project and Portfolio IBrand Identity For A Sportscaster Project and Portfolio I
Brand Identity For A Sportscaster Project and Portfolio I
thomasaolson2000
 
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdfDOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
Pushpendra Kumar
 
Personal Brand Exploration Comedy Jxnelle.
Personal Brand Exploration Comedy Jxnelle.Personal Brand Exploration Comedy Jxnelle.
Personal Brand Exploration Comedy Jxnelle.
alexthomas971
 
Digital Marketing Training In Bangalore
Digital Marketing Training In BangaloreDigital Marketing Training In Bangalore
Digital Marketing Training In Bangalore
nidm599
 
RECOGNITION AWARD 13 - TO ALESSANDRO MARTINS.pdf
RECOGNITION AWARD 13 - TO ALESSANDRO MARTINS.pdfRECOGNITION AWARD 13 - TO ALESSANDRO MARTINS.pdf
RECOGNITION AWARD 13 - TO ALESSANDRO MARTINS.pdf
AlessandroMartins454470
 
How Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
How Mentoring Elevates Your PM Career | PMI Silver Spring ChapterHow Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
How Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
Hector Del Castillo, CPM, CPMM
 
一比一原版(YU毕业证)约克大学毕业证如何办理
一比一原版(YU毕业证)约克大学毕业证如何办理一比一原版(YU毕业证)约克大学毕业证如何办理
一比一原版(YU毕业证)约克大学毕业证如何办理
yuhofha
 
Exploring Career Paths in Cybersecurity for Technical Communicators
Exploring Career Paths in Cybersecurity for Technical CommunicatorsExploring Career Paths in Cybersecurity for Technical Communicators
Exploring Career Paths in Cybersecurity for Technical Communicators
Ben Woelk, CISSP, CPTC
 
欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】
欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】
欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】
foismail170
 
Personal Brand exploration KE.pdf for assignment
Personal Brand exploration KE.pdf for assignmentPersonal Brand exploration KE.pdf for assignment
Personal Brand exploration KE.pdf for assignment
ragingokie
 
134. Reviewer Certificate in Computer Science
134. Reviewer Certificate in Computer Science134. Reviewer Certificate in Computer Science
134. Reviewer Certificate in Computer Science
Manu Mitra
 
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptx
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptxChapters 3 Contracts.pptx Chapters 3 Contracts.pptx
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptx
Sheldon Byron
 
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
foismail170
 
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
foismail170
 
原版制作(RMIT毕业证书)墨尔本皇家理工大学毕业证在读证明一模一样
原版制作(RMIT毕业证书)墨尔本皇家理工大学毕业证在读证明一模一样原版制作(RMIT毕业证书)墨尔本皇家理工大学毕业证在读证明一模一样
原版制作(RMIT毕业证书)墨尔本皇家理工大学毕业证在读证明一模一样
atwvhyhm
 
How to create an effective K-POC tutorial
How to create an effective K-POC tutorialHow to create an effective K-POC tutorial
How to create an effective K-POC tutorial
vencislavkaaa
 

Recently uploaded (20)

135. Reviewer Certificate in Journal of Engineering
135. Reviewer Certificate in Journal of Engineering135. Reviewer Certificate in Journal of Engineering
135. Reviewer Certificate in Journal of Engineering
 
Luke Royak's Personal Brand Exploration!
Luke Royak's Personal Brand Exploration!Luke Royak's Personal Brand Exploration!
Luke Royak's Personal Brand Exploration!
 
Full Sail_Morales_Michael_SMM_2024-05.pptx
Full Sail_Morales_Michael_SMM_2024-05.pptxFull Sail_Morales_Michael_SMM_2024-05.pptx
Full Sail_Morales_Michael_SMM_2024-05.pptx
 
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
太阳城娱乐-太阳城娱乐推荐-太阳城娱乐官方网站| 立即访问【ac123.net】
 
Brand Identity For A Sportscaster Project and Portfolio I
Brand Identity For A Sportscaster Project and Portfolio IBrand Identity For A Sportscaster Project and Portfolio I
Brand Identity For A Sportscaster Project and Portfolio I
 
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdfDOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
DOC-20240602-WA0001..pdf DOC-20240602-WA0001..pdf
 
Personal Brand Exploration Comedy Jxnelle.
Personal Brand Exploration Comedy Jxnelle.Personal Brand Exploration Comedy Jxnelle.
Personal Brand Exploration Comedy Jxnelle.
 
Digital Marketing Training In Bangalore
Digital Marketing Training In BangaloreDigital Marketing Training In Bangalore
Digital Marketing Training In Bangalore
 
RECOGNITION AWARD 13 - TO ALESSANDRO MARTINS.pdf
RECOGNITION AWARD 13 - TO ALESSANDRO MARTINS.pdfRECOGNITION AWARD 13 - TO ALESSANDRO MARTINS.pdf
RECOGNITION AWARD 13 - TO ALESSANDRO MARTINS.pdf
 
How Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
How Mentoring Elevates Your PM Career | PMI Silver Spring ChapterHow Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
How Mentoring Elevates Your PM Career | PMI Silver Spring Chapter
 
一比一原版(YU毕业证)约克大学毕业证如何办理
一比一原版(YU毕业证)约克大学毕业证如何办理一比一原版(YU毕业证)约克大学毕业证如何办理
一比一原版(YU毕业证)约克大学毕业证如何办理
 
Exploring Career Paths in Cybersecurity for Technical Communicators
Exploring Career Paths in Cybersecurity for Technical CommunicatorsExploring Career Paths in Cybersecurity for Technical Communicators
Exploring Career Paths in Cybersecurity for Technical Communicators
 
欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】
欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】
欧洲杯投注app-欧洲杯投注app推荐-欧洲杯投注app| 立即访问【ac123.net】
 
Personal Brand exploration KE.pdf for assignment
Personal Brand exploration KE.pdf for assignmentPersonal Brand exploration KE.pdf for assignment
Personal Brand exploration KE.pdf for assignment
 
134. Reviewer Certificate in Computer Science
134. Reviewer Certificate in Computer Science134. Reviewer Certificate in Computer Science
134. Reviewer Certificate in Computer Science
 
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptx
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptxChapters 3 Contracts.pptx Chapters 3 Contracts.pptx
Chapters 3 Contracts.pptx Chapters 3 Contracts.pptx
 
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
欧洲杯投注网站-欧洲杯投注网站推荐-欧洲杯投注网站| 立即访问【ac123.net】
 
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
欧洲杯买球平台-欧洲杯买球平台推荐-欧洲杯买球平台| 立即访问【ac123.net】
 
原版制作(RMIT毕业证书)墨尔本皇家理工大学毕业证在读证明一模一样
原版制作(RMIT毕业证书)墨尔本皇家理工大学毕业证在读证明一模一样原版制作(RMIT毕业证书)墨尔本皇家理工大学毕业证在读证明一模一样
原版制作(RMIT毕业证书)墨尔本皇家理工大学毕业证在读证明一模一样
 
How to create an effective K-POC tutorial
How to create an effective K-POC tutorialHow to create an effective K-POC tutorial
How to create an effective K-POC tutorial
 

Database audit policies copy

  • 1. Database Audit Policies Author: Sai Ranga Creation Date: August 20, 2015 Last Updated: August 20, 2015 Document Ref: Version: 1 Approvals: Copy Number _____
  • 2. Database Audit Policies Document Control Change Record 1 9 Date Author Versio n Change Reference 20-Aug- 15 Sairanga 1 Database Audit Policies Reviewers Name Position SAI SeniorOracle andsqlserverconsultant +918978750005 +971-527172182 Distribution Copy No. Name Location 1 Library Master Project Library 2 Project Manager 3 4 Note to Holders: If you receive an electronic copy of this document and print it out, please write your name on the equivalent of the cover page, for document control purposes. If you receive ahard copy of thisdocument,please write your name on the front cover, for document control purposes.
  • 3. Database Audit Policies Contents Database Audit Policies Document Control..................................................................................... 2 1. About Audit Policies..........................................................................................4 2. General Steps for Creating Audit Policies for Oracle Databases.................................4 3. Retrieving and Modifying Audit Settings from an Oracle Database ............................4 4. Specifying Which Audit Settings Are Needed .........................................................6 5. About Creating Audit Policy Settings ...................................................................7 6. Provisioning Audit Policies to an Oracle Database ................................................ 17 Open and Closed Issues for This Deliverable .................................................19 Open Issues ................................................................................................. 19 Closed Issues................................................................................................ 19
  • 4. Database Audit Policies 1. About Audit Policies Usingthe AuditVault Serverconsole,youcanretrieve auditpoliciesfromOracle database secured targets.You can thenmodifythe policiesorcreate new ones,andthenprovisionthemtothe Oracle databases.Youcan retrieve andmodifythe followingtypesof Oracle Database auditpolicies.  SQL statements  Schemaobjects  Privileges  Fine-grainedauditing  Capture rules(forredologfile activities) 2. General Steps for Creating Audit Policies for Oracle Databases In general, tocreate auditpoliciesforOracle databases,youperformthe following Retrieve the currentauditpolicysettingsfromthe securedtargetOracle database,andspecifywhichof the current settingsare needed. 1. If necessary,definemore auditpolicysettingstoaddto the neededsettings. 2. Provisionthe auditpolicytothe securedtargetdatabase.The policysettingsyouspecifiedas needed,andthe newonesyoucreated,thenbecome the policiesinuse inthe database 3. Retrieving and Modifying Audit Settings from an Oracle Database To retrieve auditsettingsfromanOracle Database securedtarget: 1. Log in tothe AuditVaultServerconsole asanauditor. 2. Clickthe Policytab. By default,the Audit Settingspage appears.A summaryof auditsettingsatthispointintime is displayedforthatsecuredtarget.Foreach securedtarget,thispage liststhe statusof the audit policies.See"Understandingthe Columnsonthe AuditSettingsPage"below 3. From the Target Name column,selectthe checkboxesforthe securedtargetdatabasesyou want. You can onlysee the Oracle database securedtargetstowhichyouhave access. Note:Audittrailsand auditpolicymanagementare notsupportedforOracle Database 9i. 4. Clickthe Retrieve AuditSettingsbutton.
  • 5. Database Audit Policies To check the statusof the retrieval,clickthe Settingstab,thenunderthe Systemmenu, clickJobs. Whenthe auditsettingsretrievaliscomplete,the AuditSettingspage isrefreshed withnewdata. 3.1 Understanding the Columns on the Audit Settings Page Each time youretrieve the auditsettingsfromasecuredtargetOracle database,yousee the state of the database auditsettingsatthat pointintime.The AuditSettingspage inthe AuditVaultServer (in the Policy tab) showsan overview of the auditsettingsinuse atsecuredtargetOracle Databases,and showsanydifferencesbetweenthose andthe settingsyouhave setasneededinyourOracle AVDFaudit policiesforthose databases.Youcanthenspecifywhichof the currentsettingsare needed. Table below describesthe columnsshowninthe AuditSettingsPage. Table FieldsUnder ApplyAuditSettings inthe AuditSettingsPage Column Description Target Name Name of the securedtarget In Use Numberof auditsettingsinuse inthe securedtarget Needed Numberof auditsettingsyou(the auditor) specifiedasneeded Problem The difference betweenthe auditsettingsinuse atthe database and the numberspecifiedas neededinyournyour Oracle AVDF auditpolicyforthisdatabase. If this numberisgreaterthanzero,new auditsettingsmayhave beencreatedatthe database since youlast provisionedthe auditpolicyfromOracle AVDF.Youmayalsohave selectedmore audit settingsasneededornot neededsince youlastprovisionedthe auditpolicy. To resolve the problem, youcanspecifywhethernew auditsettingsare neededand/orprovisionthe policyagain.Thisbringsthe numberinthe Problemcolumnbackto zero. Last Retrieved The time that the auditinformationforthe selecteddatabasewaslastretrieved As Provisioned The time that the auditsettingswere lastprovisionedtothe database fromOracle AVDF
  • 6. Database Audit Policies 4. Specifying Which Audit Settings Are Needed Afteryouretrieve the auditsettingsfrom the securedtargetOracle database,youcanview andmodify themas needed.Rememberthatyouare modifyingauditsettingsinuse atthe time youretrievedthem. If you thinktheymayhave changed,youshouldretrieve themagain.See above "RetrievingAudit SettingsfromanOracle Database" above. 1. In the AuditSettingspage,clickthe name of the securedtargetdatabase youwant. The AuditSettingsOverview page forthissecuredtargetappears,showingthe auditsettingsin use and markedas neededfor these audittypes:  Statement  Object  Privilege  FGA  Capture Rule  2. To update settingsforanyaudittype,clickitslink,forexample, Statement. The AuditSettingspage forthat audittype appears,listingthe currentauditsettings.The second columndisplaysaproblemiconif there isa difference betweenthe settingatthe securedtarget database,andthe settinginOracle AVDF.
  • 7. Database Audit Policies 3. Selectthe checkboxesforeachauditsettingyoudetermineisneeded,thenclick SetasNeeded. 4. To remove auditsettings,selectthe checkboxesforthe onesyouwanttoremove,thenclick Set as Not Needed. 5. To create newauditsettingsforthisaudittype (forexample,Statement),click Create 5. About Creating Audit Policy Settings Once you have retrievedauditpolicysettings fromthe securedtargetOracle database,andselected whichof the settingsinuse are needed,youcanalsocreate new policysettingsforthe Oracle database.  CreatingAuditPoliciesforSQLStatements  CreatingAuditPoliciesforSchemaObjects  CreatingAuditPoliciesforPrivileges  CreatingAuditPoliciesforFine-GrainedAuditing(FGA)  CreatingCapture RulesforRedoLog File Auditing 5.1 About SQL Statement Auditing Statementauditing auditsSQL statements bytype of statement,notbythe specificschemaobjectson whichthe statementoperates.Statementauditingcanbe broad or focused(forexample,byauditing the activitiesof all database usersoronlya selectlistof users).Typicallybroadstatementauditingaudits the use of several typesof relatedactionsforeachoption.These statementsare inthe following categories:  Data definitionstatements(DDL). For example, AUDITTABLE auditsall CREATE TABLE and DROP TABLE statements. AUDITTABLEtracks several DDLstatementsregardlessof the table on whichtheyare issued.Youcan alsosetstatementauditingtoauditselectedusers or everyuserinthe database.  Data manipulationstatements(DML). For example, AUDITSELECT TABLE auditsall SELECT ... FROM TABLE or SELECT ... FROM VIEW statements,regardlessof the table orview. Defining SQL StatementAuditSettings To define SQLstatementauditsettings: 1. Log in tothe AuditVaultServerconsole asanauditor. 2. If necessary,retrieve andupdate the currentauditsettings. See above "RetrievingandModifyingAuditSettingsfromanOracle Database" formore information. 3. Clickthe Policytab, and inthe AuditSettingspage,clickanOracle Database securedtarget. The target's AuditSettingsOverview page isdisplayed. 4. ClickStatement.
  • 8. Database Audit Policies The StatementAuditSettingspage appears. 5. Clickthe Create button. 6. In the Create page,define the auditpolicyasfollows:  AuditedBy - Choose the usersto audit: o Both: Auditsall users,includingproxyusers. o Proxy: Auditsthe proxyuserforthe database.Whenyouselectthisoption, the Proxy User fieldappears,inwhichyoumustspecifyatleastone user.To display a listof proxyusersandtheirsecuredtargetsforselection,clickthe up-arrow icon on the rightof the field. o User:Auditsthe userto whichthissettingapplies.If youselectthisoption,youmust selectauser fromthe Usersdrop-downlist.  StatementExecutionCondition - Choose one of the following: o Both: Auditsbothsuccessful andfailedstatements o Success: Auditsthe statementif itissuccessful o Failure:Auditsthe statementif itfails  DML AuditGranularity - Choose auditgranularityforDML statements: o Access: Createsanauditrecord eachtime the operationoccurs
  • 9. Database Audit Policies o Session:Createsanauditrecord the firsttime an operationoccursinthe current session DDL statements are alwaysaudited byaccess.  StatementsAudit Type - Selectthe SQL statementstoauditbydouble clickingastatement type to move itto the box on the right.Youcan use the double arrowstomove all statementstothe rightor back to the left. 7. ClickSave. The newauditsettingsare addedto the StatementAuditSettingspage. 5.2 About Schema Object Auditing Schema objectauditing isthe auditingof specificstatementsonaparticularschemaobject,such as AUDIT SELECT ON HR.EMPLOYEES. Schemaobjectauditingisveryfocused,auditingonlyaspecific statementona specificschemaobjectforall usersof the database. For example,objectauditingcanauditall SELECT andDML statementspermittedbyobject privileges, such as SELECT or DELETE statementsona giventable.The GRANTand REVOKE statementsthatcontrol those privilegesare alsoaudited. Objectauditingletsyouauditthe use of powerful database commandsthatenable userstoview or delete very sensitive andprivate data.Youcan auditstatementsthatreference tables,views,sequences, standalone storedproceduresorfunctions,andpackages. Oracle Database setsschemaobjectauditoptionsforall usersof the database.Youcannot setthese optionsfora specificlistof users. Defining Schema ObjectAuditSettings To define schemaobjectauditsettings: 1. Log in tothe AuditVaultconsole asanauditor. 2. If necessary,retrieve andupdate the currentauditsettings. See above "RetrievingandModifyingAuditSettingsfromanOracle Database" formore information. 3. Clickthe Policytab, and inthe AuditSettingspage,clickasecuredtargetOracle database. The target's AuditSettingsOverview isdisplayed. 4. ClickObjectto displaythe ObjectAuditSettingspage. 5. Clickthe Create button.
  • 10. Database Audit Policies 6. In the ObjectAuditSettingspage,definethe settingsasfollows:  ObjectType - Selectthe type of objectto auditfromthe drop-downlist,such as TABLE, LOB, RULE, or VIEW.  Object- Selecta specificobjectof the objecttype youselected.  ObjectExecution Condition - Choose one of the following: o Both: Auditsbothsuccessful andfailedstatements o Success: Auditsthe statementif itissuccessful o Failure:Auditsthe statementif itfails  DML AuditGranularity - Choose auditgranularityforDML statements: o Access: Createsanauditrecord eachtime the operationoccurs o Session:Createsanauditrecord the firsttime an operationoccursinthe current session DDL statementsare alwaysauditedbyaccess.  StatementsAudit Type - Selectthe SQL statementstoauditbydouble clickingastatement type to move itto the box on the right.Youcan use the double arrowstomove all statementstothe rightor back to the left. 7. ClickSave. The newobjectauditsettingsare addedtothe ObjectAuditSettingspage.
  • 11. Database Audit Policies 5.3 About Privilege Auditing Privilege auditingisthe auditingof SQL statementsthatuse a systemprivilege.Youcanauditthe use of any systemprivilege.Like statementauditing,privilege auditingcanauditthe activitiesof all database usersor onlya specifiedlistof users. For example,if youenable AUDITSELECT ANY TABLE, Oracle Database audits all SELECT tablenamestatementsissuedbyuserswhohave theSELECTANYTABLE privilege.Thistype of auditingisveryimportantforthe Sarbanes-Oxley(SOX) Actcompliancerequirements.Sarbanes-Oxley and othercompliance regulationsrequire the privilegeduserbe auditedforinappropriatedatachanges or fraudulentchangestorecords. Privilegeauditingauditsthe use of powerful systemprivilegesenablingcorrespondingactions,such as AUDIT CREATE TABLE. If you setbothsimilarstatementandprivilegeauditoptions,thenonlyasingle auditrecord isgenerated.Forexample,if the statementclause TABLEand the systemprivilegeCREATE TABLE are bothaudited,thenonlyasingle auditrecordisgeneratedeachtime atable iscreated.The statementauditingclause, TABLE,auditsCREATE TABLE, ALTER TABLE, and DROP TABLE statements. However,the privilegeauditingoption, CREATETABLE, auditsonly CREATE TABLE statements,because onlythe CREATE TABLE statementrequiresthe CREATE TABLE privilege. Privilegeauditingdoesnotoccurif the action isalreadypermittedbythe existingownerandschema objectprivileges.Privilege auditingistriggeredonlyif theseprivilegesare insufficient,thatis,onlyif whatmakesthe action possible isasystemprivilege. Privilegeauditingismore focusedthanstatementauditingforthe followingreasons:  It auditsonlya specifictype of SQLstatement,nota relatedlistof statements.  It auditsonlythe use of the targetprivilege. Defining Privilege Audit Settings To define create privilege auditsettings: 1. Log in tothe AuditVaultServerconsole asanauditor. 2. If necessary,retrieve andupdate the currentauditsettings. See above "RetrievingandModifyingAuditSettingsfromanOracle Database" formore information. 3. Clickthe Policytab, and inthe AuditSettingspage,clickasecuredtargetOracle database. The target's Audit SettingsOverview isdisplayed. 4. ClickPrivilege todisplaythe Privilege AuditSettingspage. 5. Clickthe Create button,and inthe Create Privilege Auditpage,definethe privilege auditpolicy as follows:  AuditedBy - Choose the usersto audit:
  • 12. Database Audit Policies o Both: Auditsall users,includingproxyusers. o Proxy: Auditsthe proxyuserforthe database.Whenyouselectthisoption, the Proxy User fieldappears,inwhichyoumustspecifyatleastone user.To display a listof proxyusersandtheirsecuredtargetsforselection,clickup-arrow iconon the right of the field. o User:Auditsthe userto whichthissettingapplies.Whenyouselectthisoption, the Usersfieldappears,andyoumustspecifyauserfrom the drop-downlist.  StatementExecutionCondition - Choose one of the following: o Both: Auditsbothsuccessful andfailedstatements o Success: Auditsthe statementif itissuccessful o Failure:Auditsthe statementif itfails  DML AuditGranularity - Choose auditgranularityforDML statements: o Access: Createsanauditrecord eachtime the operationoccurs o Session:Createsanauditrecord the firsttime an operationoccursinthe current session DDL statementsare alwaysauditedbyaccess.  StatementsAudit Type - Selectthe privilegestoauditbydouble clickingastatementtype to move itto the box onthe right. You can use the double arrowsto move all statementstothe rightor back to the left. 6. ClickSave. The newprivilege auditsettingsare addedtothose listedinthe PrivilegeAuditSettingspage. 5.4 About Fine-Grained Auditing Fine-grainedauditing(FGA) enablesyouto create a policythatdefinesspecificconditionsthatmust existforthe auditto occur. For example,fine-grainedauditingletsyouauditthe followingtypesof activities:  Accessingatable between9p.m.and 6 a.m. or on Saturdayand Sunday  Usingan IPaddressfromoutside the corporate network  Selectingorupdatingatable column  Modifyingavalue ina table column A fine-grainedauditpolicyprovidesgranularauditingof select,insert,update,anddelete operations. Furthermore,youreduce the amountof auditinformationgeneratedbyrestrictingauditingtoonlythe conditionsthatyouwantto audit.Thiscreatesa more meaningfulaudittrail thatsupportscompliance requirements.Forexample,acentral tax authoritycanuse fine-grainedauditingtotrackaccess to tax returnsto guard againstemployee snooping,withenoughdetail todetermine whatdatawasaccessed. It isnot enoughtoknowthat a specificuserusedthe SELECTprivilege onaparticulartable.Fine-grained auditingprovidesadeeperaudit,suchaswhenthe userqueriedthe table orthe computerIPaddressof the userwho performedthe action.
  • 13. Database Audit Policies AuditingSpecificColumnsandRows Whenyoudefine the fine-grainedauditpolicy, youcantargetone or more specificcolumns,called a relevantcolumn,to be auditedif aconditionismet.Thisfeature enablesyoutofocuson particularly important,sensitive,orprivacy-relateddatatoaudit,suchas the data in columnsthatholdcreditcard numbers,patientdiagnoses,Social Securitynumbers,andsoon.A relevant-columnaudithelpsreduce the instancesof false orunnecessaryauditrecords,because the auditistriggeredonlywhenaparticular columnisreferencedinthe query. You furthercan fine-tunethe audittospecificcolumnsandrowsbyaddinga conditiontothe audit policy.Forexample,suppose youenterthe followingfieldsinthe Create Fine GrainedAuditpage:  Condition:department_id= 50  Columns:salary, commission_pct Thissettingauditsanyone whotriestoselectdatafromthe salary and commission_pctcolumnsof employeesinDepartment50. If you do notspecifyarelevantcolumn,thenOracle Database appliesthe audittoall the columnsinthe table;thatis, auditingoccurswheneveranyspecifiedstatementtype affectsanycolumn,whetheror not anyrows are returned. UsingEvent Handlers inFine-GrainedAuditing In a fine-grainedauditpolicy,youcan specifyaneventhandlertoprocessan auditevent.The event handlerprovidesflexibilityindetermininghow tohandle atriggeringauditevent.Forexample,itcould write the auditeventtoa special audittable forfurtheranalysis,oritcouldsenda pageror an email alertto a securityadministrator.Thisfeature enablesyoutofine-tune auditresponsestoappropriate levelsof escalation. For additional flexibilityinimplementation,youcanemployauser-definedfunctiontodetermine the policycondition,andidentifyarelevantcolumnforauditing(auditcolumn).Forexample,the function couldallowunauditedaccesstoanysalaryas longas the userisaccessingdata withinthe company,but specifyauditedaccesstoexecutive-level salarieswhentheyare accessedfromoutside the company. Defining Fine-Grained AuditSettings To define fine-grainedauditsettings: 1. Log in tothe AuditVaultServerconsole asanauditor. 2. If necessary,retrieve andupdate the currentauditsettings. See above "RetrievingandModifyingAuditSettingsfromanOracle Database" formore information. 3. Clickthe Policytab, and inthe AuditSettingspage,clickasecuredtargetOracle database.
  • 14. Database Audit Policies The database'sAuditSettingsOverview isdisplayed. 4. ClickFGAto displaythe Fine GrainedAuditSettingspage. 5. Clickthe Create button. 6. Define the auditpolicyasfollows:  PolicyName - Entera name forthisfine-grainedauditpolicy.  Audit Trail - Selectfromone of the followingaudittrail types: o Database: Writesthe policyrecordstothe database audit trail SYS.FGA_LOG$systemtable. o Database withSQL Text: Performsthe same functionasthe Database option,but alsopopulatesthe SQLbindand SQL textCLOB-type columnsof the SYS.FGA_LOG$table. o XML: Writesthe policyrecordstoan operatingsystemXMLfile.Tofindthe location of thisfile, adatabase administratorcanrunthe followingcommandinSQL*Plus:
  • 15. Database Audit Policies SQL> SHOW PARAMETER AUDIT_FILE_DEST o XML with SQL Text: Performsthe same functionasthe XML option,butalso includesall columnsof the audittrail,includingSQLTEXTandSQLBIND values. o WARNING: Be aware that sensitivedata,suchas creditcard numbers,appearinthe audittrail if you collectSQL text.  SecuredTarget Schema- Selecta schemato audit.  SecuredTarget Object- Selectanobjectto audit.  Statements- Selectone ormore SQL statementstoauditbydouble clickingeach statementtomove itto the box on the right. Youcan select:DELETE, INSERT, MERGE, SELECT, or UPDATE.  Columns- (Optional) Enterthe namesof the database columns(relevantcolumns)to audit.Separate eachcolumnname witha comma.If youentermore than one column, selectAll or Any as the conditionthattriggersthispolicy.  Conditions- (Optional) EnteraBooleanconditiontofilterrow data.For example, department_id=50 . If this fieldisblankornull, auditingoccursregardlessof condition.  Handler Schema - (Requiredif youspecifyaneventhandlerfunction) Enterthe name of the schemaaccount inwhichthe eventhandlerwascreated.Forexample: SEC_MGR  Handler Package - (Requiredif youspecifyaneventhandlerfunction) Enterthe name of the package in whichthe eventhandlerwascreated.Forexample: OE_FGA_POLICIES  Handler Function- (Optional) Enterthe name of the eventhandler.For example:CHECK_OE_VIOLATIONS 7. ClickSave. The fine-grainedauditpolicyiscreated. 5.5 About Capture Rules Redo Log File Auditing You can create a capture rule to track before andaftervalue changesinthe database redologfiles.The capture rule specifiesDMLandDDL changesthat shouldbe checkedwhenOracle Database scansthe database redolog.You can applythe capture rule to an individual table,aschema,orgloballytothe entire database.Unlike statement,object,privilege,andfine-grainedauditpolicies,youdonotretrieve and activate capture rule settingsfromasecuredtarget,because youcannotcreate themthere.You onlycan create the capture rule inthe AuditVaultServerconsole. Note: In the securedtargetdatabase,ensure thatthe table thatyou planto use forthe redologfile auditis not listedin theDBA_STREAMS_UNSUPPORTEDdata dictionaryview.
  • 16. Database Audit Policies Defining a CaptureRule forRedo Log File Auditing To define acapture rule: 1. Log in tothe console asan auditor. 2. If necessary,retrieve andupdate the currentstatementauditpolicies. See above "RetrievingandModifyingAuditSettingsfromanOracle Database" for more information. 3. Clickthe Policytab, and inthe AuditSettingspage,clickasecuredtargetOracle database. The target's AuditSettingsOverview isdisplayed. 4. ClickCapture Rule to displaythe Capture Rule Settingspage. 5. Clickthe Create button. Define the capture rule asfollows: Rule Type - Selectone of the following: o Table: Captureseitherrow changesresultingfromDML changesor DDL changestoa particulartable. o Schema: Captureseitherrow changesresultingfromDML changesor DDL changes to the database objectsina particularschema. o Global:Captureseitherall row changesresultingfromDMLchangesor all DDL changesinthe database.  StatementType - SelectDDL, DML, or Both.  SecuredTarget Schema- If youselectedTable orSchemaasthe Rule Type,selectthe name of the schemato whichthe capture rule appliesfromthe drop-downlist.  SecuredTarget Table - If youselectedTable asthe Rule Type,selectthe name of the table to whichthe capture rule appliesfromthe drop-downlist. 6. ClickSave. The capture rule iscreatedand addedtothe listinthe Capture Rule Settingspage.
  • 17. Database Audit Policies 6. Provisioning Audit Policies to an Oracle Database 6.1 Exporting Audit Settings to a SQL Script You can exportauditpolicysettingsforasecuredtargetto a SQL script fromOracle AVDF.Thenyoucan give the scriptto a database administratorforthe securedtargetOracle Database to use to update the auditsettingsonthat database. To exportthe auditsettingstoa SQL script fora securedtargetdatabase: 1. Log in tothe AuditVaultconsole asanauditor,andclick the Policytab. The AuditSettingspage isdisplayed,showingthe Oracle database securedtargetstowhichyou have access. 2. Clickthe name of a securedtargetdatabase. The AuditSettingsOverview forthatdatabase appears. 3. Selectfromthe audittypesyouwantto export: Statement,Object,Privilege,FGA,orCapture Rule. 4. ClickExport/Provision. The Export/ProvisionAuditSettingspage appears,displayingthe exportable auditcommands. 5. ClickExport, andthenclick OK to confirm. 6. Save the SQL file toa locationonyoursystem. 7. Give the savedscriptto the database administratorforthat securedtarget.The database administratorcanthenapplythe policiestothe securedtarget.Toverifythatthe settingshave beenupdated 6.2 Provisioning the Audit Settings from the Audit Vault Server You can provisionthe auditpolicysettingsdirectlyfromthe AuditVaultServertothe securedtarget Oracle database.Thisupdatesthe auditsettingsinthe securedtargetwithoutthe interventionof a database administrator.However,adatabase administratorcanmodifyordelete these auditsettings,as well asadd newones.Forthisreason,youshouldperiodicallyretrieve the settingstoensure thatyou have the latestauditsettings.See above "RetrievingAuditSettingsfromanOracle Database". To provisionthe auditsettingstothe securedtarget: 1. Log in tothe AuditVaultServerconsole asanauditor,and clickthe Policy tab. The AuditSettingspage isdisplayed,showingthe Oracle database securedtargetstowhichyou have access. 2. Clickthe name of a securedtargetdatabase.
  • 18. Database Audit Policies The AuditSettingsOverview forthatdatabase appears. 3. Selectfromthe audit typesyouwantto provision: Statement,Object, Privilege,FGA,orCapture Rule. 4. ClickExport/Provision. The Export/ProvisionAuditSettingspage appears,displayingthe exportable auditcommands, and allowingyoutoverifythembefore provisioning. 5. In the Username field,enterthe username of a userwhohas beengranted the EXECUTE privilege forthe AUDITSQL statement,theNOAUDITSQLstatement,and the DBMS_FGA PL/SQL package. If the securedtargetdatabase isprotectedwithOracle Database Vault,ensure thatthe userhas beengrantedthe AUDIT SYSTEM and AUDIT ANY privileges.If there isanauditcommandrule in place,ensure the commandisenabledandthe userwhose name youenterisable toexecute the command. 6. In the Password field,enterthe password of thisuser. 7. ClickProvision,andthenclick OK toconfirm.
  • 19. Database Audit Policies Open and Closed Issues for This Deliverable Open Issues ID Issue Resolution Responsibility Target Date Impact Date Closed Issues ID Issue Resolution Responsibility Target Date Impact Date