
Developing Value from Oracle’s Audit Vault

For Auditors and IT Security Professionals

November 13, 2014

Michael Miller, Chief Security Officer, Integrigy Corporation
Stephen Kost, Chief Technology Officer, Integrigy Corporation
Phil Reimann, Director of Business Development, Integrigy Corporation
Agenda

1. Integrigy Overview
2. Log & Audit Framework
3. Audit Vault
4. Q&A
About Integrigy

ERP Applications: Oracle E-Business Suite
Databases: Oracle, SQL Server, MySQL

Products
- AppSentry: ERP application and database security auditing tool. Validates the security of Oracle EBS, Apex, OBIEE, databases and sensitive data.
- AppDefend: enterprise application firewall for the Oracle E-Business Suite. Protects Oracle EBS.

Services
- Verify Security: security assessments (Oracle EBS, Apex, OBIEE, databases, sensitive data, penetration testing)
- Ensure Compliance: compliance assistance (SOX, PCI, HIPAA)
- Build Security: security design services (auditing, encryption, DMZ)
Oracle Audit Vault and Database Firewall

- One appliance for both Audit Vault and Database Firewall
  - Virtual or physical
- Secured appliance
  - Database
  - Application and report server
- Configure Audit Vault first
  - First define hosts and secured targets
  - Database Firewall feeds Audit Vault
  - Database Vault feeds Audit Vault
About the Oracle Audit Vault

- Tool built for auditors and IT security professionals
  - Alert on suspicious activity
  - Detect and prevent insider threats
- Oracle Audit Vault is a vault
  - Warehouse of audit logs
- Secure At-Source
  - Does not generate the logs

Diagram: Dev, Test and Prod databases (Oracle, MySQL, MS SQL, Sybase, DB2) all feeding a single Audit Vault.
With the Audit Vault Auditors Can ...

- Manage and apply audit policies to databases
  - Centrally provision database audit settings to support security and compliance policies
  - Manage collection of audit settings from the databases
  - Compare the existing audit settings on a database against the required security and compliance policies
- View dashboards
  - Enterprise IT security and audit overviews
  - Alerts and reports
  - Audit policies
Advantages of Oracle Audit Vault

- Leverage native database auditing beneath applications
  - Turn ON database auditing under the application for compliance-specific events (DDL, DBA logins)
  - Low performance impact
  - Fine-grained auditing (FGA) specific to sensitive tables
- Application end-user identity propagation
  - Pass the "client identifier" from the mid-tier, or initialize it after connection; it is recorded in the audit trail
- Extensible reporting capabilities
  - 100+ standard reports
  - Build custom reports using BI Publisher
Secure At-Source Approach

The Oracle Audit Vault uses the concept of Secure At-Source to protect application log and audit tables at the source.

Diagram (EBS example): a user login is written by the application to the EBS table APPLSYS.FND_LOGINS; the standard database audit logs record the activity at the source; the Audit Vault auditing agent forwards both to the Oracle Audit Vault, where the copy is protected from the source system's DBAs and application administrators.
How Audit Vault Works

Agents are deployed and activated on source systems to forward audit log data. Agents are managed through the Audit Vault application.

Diagram: for each source (Oracle Database, MySQL, MS SQL Server), standard auditing writes the audit logs locally and the local Audit Vault Agent forwards them to the Oracle Audit Vault.
100+ Standard Reports

- Entitlement reports
- Stored procedure auditing
- Compliance reports: out-of-the-box standard reports for PCI, Gramm-Leach-Bliley, HIPAA, SOX and DPA
- Database Firewall and F5 reports
- Report options

BI Publisher for Custom Reports

- Download the report template to BI Publisher to edit it

Forward Alerts to Syslog, ArcSight, or Remedy

- Standard functionality to send alerts to ArcSight and Syslog
- BMC Remedy Action Request Server integration through standard templates
  - Version 7.x and higher

Custom Alerts for Key Security Events

Email Notifications
Why Talk About the Framework?

- Value is generated through data
  - Audit Vault is only a data warehouse
  - Logs are generated by the source databases
- Integrigy’s Framework for Database Auditing defines the content for the Oracle Audit Vault
  - Defines what should be audited and alerted on
  - Starting point and/or direction for database logging
Integrigy Framework for Database Auditing

Compliance and security drivers: Payment Card (PCI DSS), SOX (COBIT), HIPAA (NIST 800-66), FISMA (NIST 800-53), IT Security (ISO 27001)

Foundation security events and actions (logins, logoffs, account creation, privileges, etc.)

Sources
- Oracle Database: native auditing, syslog, DB log files
- Applications: sign-on, AuditTrails, navigation

Centralized logging solution: protected audit data, alerting & monitoring, reporting, correlation
Integrigy Framework for Auditing and Logging

Foundation Security Events and Actions

The foundation of the framework is a set of key security events and actions derived from and mapped to compliance and security requirements that are critical for all organizations.

E1  - Login
E2  - Logoff
E3  - Unsuccessful login
E4  - Modify authentication mechanisms
E5  - Create user account
E6  - Modify user account
E7  - Create role
E8  - Modify role
E9  - Grant/revoke user privileges
E10 - Grant/revoke role privileges
E11 - Privileged commands
E12 - Modify audit and logging
E13 - Create, modify or delete object
E14 - Modify configuration settings
Foundation Security Events Mapping

Security Events and Actions             PCI DSS 10.2   SOX (COBIT)   HIPAA (NIST 800-66)   IT Security (ISO 27001)   FISMA (NIST 800-53)
E1  - Login                             10.2.5         A12.3         164.312(c)(2)         A 10.10.1                 AU-2
E2  - Logoff                            10.2.5         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2
E3  - Unsuccessful login                10.2.4         DS5.5         164.312(c)(2)         A 10.10.1, A.11.5.1       AC-7
E4  - Modify authentication mechanisms  10.2.5         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2
E5  - Create user account               10.2.5         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2
E6  - Modify user account               10.2.5         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2
E7  - Create role                       10.2.5         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2
E8  - Modify role                       10.2.5         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2
E9  - Grant/revoke user privileges      10.2.5         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2
E10 - Grant/revoke role privileges      10.2.5         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2
E11 - Privileged commands               10.2.2         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2
E12 - Modify audit and logging          10.2.6         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2, AU-9
E13 - Objects create/modify/delete      10.2.7         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2, AU-14
E14 - Modify configuration settings     10.2.2         DS5.5         164.312(c)(2)         A 10.10.1                 AU-2
Integrigy Framework Maturity Model

Level 1: Enable baseline auditing and logging for the application/database and implement security monitoring and auditing alerts
Level 2: Send audit and log data to a centralized logging solution outside the Oracle Database and application(s), such as the Oracle Audit Vault
Level 3: Extend logging to include functional logging and more complex alerting and monitoring

Logging Maturity Model

Capability Maturity Model (CMM) stage    Integrigy Framework
5 - Continuous improvement               Level 3+
4 - Metrics driven                       Level 3
3 - Centralized logging                  Level 2
2 - Minimal logging                      Level 1 (partial integration)
1 - Vendor defaults                      -
0 - Not performed                        -
Integrigy Framework – Level 1

Objectives
- Enhance or start baseline auditing and logging
- Enhance or implement base security monitoring and auditing alerts
- Use standard database and EBS functionality

Tasks
1. Database logging
   - Enable AUDIT_SYS_OPERATIONS
   - Enable standard auditing
2. E-Business Suite logging
   - Set Sign-On Audit to log at the 'Form' level
   - Enable Page Access Tracking
   - Enable AuditTrail
3. Create simple alerts
Level 1 – Database Logging

Enable standard auditing:
- Log to SYS.AUD$
- Define events
- Purge per organizational policy

Oracle Audit Statement                  Object                  Resulting Audited SQL Statements
Session                                 session                 Database logons and failed logons
Users                                   user                    create user, alter user, drop user
Roles                                   role                    create role, alter role, drop role
Database Links                          database link           create database link, drop database link
Public Database Links                   public database link    create public database link, drop public database link
System                                  alter system            alter system
Database                                alter database          alter database
Grants (system privileges and roles)    system grant            grant, revoke
Profiles                                profile                 create profile, alter profile, drop profile
SYSDBA and SYSOPER                      sysdba, sysoper         All SQL executed with sysdba and sysoper privileges

Note: table is not complete – see the whitepaper for the full table.
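As an added example (not from the slides or the Integrigy whitepaper), here is the Level 1 database-logging table above expressed as the SQL a DBA would run on an Oracle 11g database using traditional (pre-unified) auditing, followed by checks that the settings took effect and a purge step. The AUDIT_TRAIL value DB,EXTENDED, the 24-hour cleanup interval and the 90-day retention are assumptions; set them per organizational policy, and purge only rows that Audit Vault has already collected.

```sql
-- Added example: Level 1 database logging on Oracle 11g (traditional auditing).
-- Run as SYS (needs ALTER SYSTEM, AUDIT SYSTEM and EXECUTE on DBMS_AUDIT_MGMT).

-- 1. Write the audit trail to SYS.AUD$ including SQL text and bind values, and
--    audit everything done AS SYSDBA / AS SYSOPER (that part goes to OS audit
--    files or syslog, never to AUD$). Both parameters are static: restart after.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;   -- assumption: DB,EXTENDED
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. One statement audit option per row of the Level 1 table.
AUDIT SESSION;                 -- E1, E2, E3: logons, logoffs, failed logons
AUDIT USER;                    -- E5, E6: create / alter / drop user
AUDIT ROLE;                    -- E7, E8: create / alter / drop role
AUDIT DATABASE LINK;           -- create / drop database link
AUDIT PUBLIC DATABASE LINK;    -- create / drop public database link
AUDIT SYSTEM GRANT;            -- E9, E10: grant / revoke of system privileges and roles
AUDIT PROFILE;                 -- E4: create / alter / drop profile (password policy)
AUDIT ALTER SYSTEM;            -- E11, E12, E14: alter system, including AUDIT_* parameters
AUDIT ALTER DATABASE;          -- E11, E14: alter database

-- 3. Verify which statement options are in force (statement-level options have
--    a NULL user_name; SUCCESS / FAILURE show BY ACCESS, BY SESSION or NOT SET).
SELECT audit_option, success, failure
  FROM dba_stmt_audit_opts
 WHERE user_name IS NULL
 ORDER BY audit_option;

-- 4. Verify the parameters once the instance has been restarted.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations');

-- 5. Purge per organizational policy (assumption: keep 90 days). INIT_CLEANUP is
--    a one-time step and relocates SYS.AUD$ to the SYSAUX tablespace; without it
--    CLEAN_AUDIT_TRAIL fails. Run the purge only after the Audit Vault agent has
--    collected the rows being removed.
BEGIN
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
      default_cleanup_interval => 24);                      -- assumption: hours
  END IF;
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '90' DAY);  -- assumption: 90 days
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    use_last_arch_timestamp => TRUE);
END;
/
```

Two points worth checking on a real system: the SYSDBA/SYSOPER trail lives outside the database, so its collection needs the OS or syslog agent rather than the DB agent; and a DBA who can run NOAUDIT or ALTER SYSTEM can undo all of this, which is why E12 (modify audit and logging) is itself an audited event and an alert in the next slide.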
Level 1 – Recommended Alerts

Framework              What to Monitor For
E1                     Direct database logins (successful or unsuccessful) to EBS schema database accounts
E1, E11                User SYSADMIN successful logins
E1, E11                Generic seeded application account logins
E1, E11                Unlocking of generic seeded application accounts
E1, E2                 Login/Logoff
E3                     User SYSADMIN unsuccessful login attempts
E4                     Modify authentication configurations of the database
E4                     Modify authentication configurations of Oracle E-Business Suite
E5                     New database accounts created
E9, E10, E12,          Updates to AOL tables under AuditTrail
E13, E14
E12                    Turning Sign-On Audit off
E12                    Turning AuditTrail off
E12                    Turning Page Access Tracking off
E12                    Turning AUDIT_SYS_OPERATIONS off
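As an added example (not from the slides or the whitepaper), three of the database-side Level 1 alerts above written as queries over the standard audit trail populated by the Level 1 AUDIT options: direct logons to EBS schema accounts (E1/E3), new database accounts (E5) and changes to what is audited (E12). The list of EBS schema names and the 24-hour look-back window are assumptions. SQL_TEXT is only populated when AUDIT_TRAIL includes EXTENDED.

```sql
-- Added example: Level 1 alert queries over DBA_AUDIT_SESSION / DBA_AUDIT_TRAIL.

-- E1 / E3: a human logging in directly as APPS, APPLSYS or APPLSYSPUB bypasses
-- every application-level control, so every such logon is of interest whether
-- it succeeded or not. RETURNCODE 0 = success, 1017 = bad username/password,
-- 28000 = account locked.
SELECT timestamp, username, os_username, userhost, terminal, returncode
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND username IN ('APPS', 'APPLSYS', 'APPLSYSPUB')   -- assumption: EBS schema list
   AND timestamp > SYSDATE - 1                          -- assumption: last 24 hours
 ORDER BY timestamp;

-- E5: new database accounts. OBJ_NAME holds the account that was created.
SELECT timestamp, username AS created_by, os_username, userhost,
       obj_name AS new_account
  FROM dba_audit_trail
 WHERE action_name = 'CREATE USER'
   AND timestamp > SYSDATE - 1;

-- E12: anyone narrowing the audit configuration: a NOAUDIT of any kind, or an
-- ALTER SYSTEM that touches an AUDIT_* parameter (AUDIT_TRAIL,
-- AUDIT_SYS_OPERATIONS, AUDIT_FILE_DEST, ...). Note that statements issued
-- AS SYSDBA never land in SYS.AUD$; with AUDIT_SYS_OPERATIONS on they are in
-- the OS audit files or syslog, so the same rule must run against that feed.
SELECT timestamp, username, os_username, userhost, action_name, obj_name, sql_text
  FROM dba_audit_trail
 WHERE timestamp > SYSDATE - 1
   AND ( action_name LIKE '%NOAUDIT%'
      OR ( action_name = 'ALTER SYSTEM'
           AND UPPER(sql_text) LIKE '%AUDIT\_%' ESCAPE '\' ) )
 ORDER BY timestamp;
```

Once Level 2 is reached these queries run inside Audit Vault against the collected copy rather than against the source database, which matters for E12: a DBA who disables auditing and then deletes the AUD$ row recording it leaves no trace at the source, but the row already forwarded to the vault survives.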
Integrigy Framework – Level 2

Objectives
- Integrate Oracle Database and Oracle EBS with Oracle Audit Vault for protection and alerting
- Use the Oracle Database syslog auditing functionality
- Protect EBS logon and navigation activity

Tasks
1. Implement Oracle Audit Vault
   - Implement before Oracle Database Firewall
2. Redirect database logs to Audit Vault
   - Use either the DB or the OS collection agent
3. Log and protect EBS audit data with Audit Vault
4. Transition the Level 1 alerts and monitoring to the centralized logging solution
Secure End-User Navigation Logs

Framework: E1, E2 & E3. Build alerts and reports to monitor these tables.

Table                                  Description
APPLSYS.FND_USER                       Base table defining all users, their associated e-mail address and links to HR records
APPLSYS.FND_LOGINS                     Sign-On Audit table
APPLSYS.FND_LOGIN_RESPONSIBILITIES     Sign-On Audit table
APPLSYS.FND_LOGIN_RESP_FORMS           Sign-On Audit table
APPLSYS.FND_UNSUCCESSFUL_LOGINS        Unsuccessful logins via the Personal Home Page (Self Service/Web Interface) are stored in both FND_UNSUCCESSFUL_LOGINS and ICX_FAILURES
ICX.ICX_FAILURES                       ICX_FAILURES contains more information than FND_UNSUCCESSFUL_LOGINS. Failed logins to the Professional Interface (Forms) are only logged to FND_UNSUCCESSFUL_LOGINS
JTF.JTF_PF_SES_ACTIVITY                Page Access Tracking table
JTF.JTF_PF_ANON_ACTIVITY               Page Access Tracking table
JTF.JTF_PF_REPOSITORY                  Page Access Tracking table
JTF.JTF_PF_LOGICAL_FLOWS               Page Access Tracking table
APPLSYS.WF_USER_ROLE_ASSIGNMENTS       Needed for E-Business end-user entitlements and role assignments
APPLSYS.FND_USER_RESP_GROUPS           Needed for E-Business end-user entitlements and role assignments
Level 2 – Recommended Alerts

Framework   What to Monitor
E1          Successful or unsuccessful login attempts to E-Business without a network or system login
E1          Successful or unsuccessful logins of a named database user without a network or system login
E3          Horizontal unsuccessful application attempts – more than 5 users more than 5 times within the hour
E3          Horizontal unsuccessful direct database attempts – more than 5 users more than 5 times within the hour
E9          End-users granted the System Administration responsibility
E9          Addition or removal of privileges granted to user SYSADMIN
N/A         Monitor for database attacks
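As an added example (not from the slides or the whitepaper), the "horizontal" E3 rule for direct database attempts written as a query over the collected DBA_AUDIT_SESSION rows, plus the complementary per-host rule that the per-user rule misses. The thresholds 5 users and 5 failures are the slide's values; the 24-hour look-back is an assumption. It needs AUDIT SESSION (Level 1) and Oracle 11gR2 or later for LISTAGG.

```sql
-- Added example: Level 2 horizontal failed-logon detection on the database side.

-- Rule from the slide: within one clock hour, more than 5 distinct accounts each
-- failed to log on more than 5 times. Vertical brute force against one account
-- trips the inner HAVING; the outer HAVING requires it across many accounts.
WITH failed AS (
  SELECT TRUNC(timestamp, 'HH') AS hour_bucket,
         username,
         userhost
    FROM dba_audit_session
   WHERE action_name = 'LOGON'
     AND returncode <> 0              -- any failure: bad password, locked, expired
     AND timestamp > SYSDATE - 1      -- assumption: look back 24 hours
),
per_user AS (
  SELECT hour_bucket, username,
         COUNT(*)                 AS failures,
         COUNT(DISTINCT userhost) AS hosts
    FROM failed
   GROUP BY hour_bucket, username
  HAVING COUNT(*) > 5                 -- slide threshold: more than 5 times
)
SELECT hour_bucket,
       COUNT(*)      AS users_over_threshold,
       SUM(failures) AS total_failures,
       MAX(hosts)    AS max_hosts_per_user,
       LISTAGG(username, ',') WITHIN GROUP (ORDER BY username) AS users
  FROM per_user
 GROUP BY hour_bucket
HAVING COUNT(*) > 5                   -- slide threshold: more than 5 users
 ORDER BY hour_bucket;

-- Complement: one host trying many accounts a few times each (password
-- spraying). Each account stays under the per-user threshold, so the rule
-- above never fires; grouping by source host catches it.
SELECT TRUNC(timestamp, 'HH')  AS hour_bucket,
       userhost,
       COUNT(DISTINCT username) AS accounts_tried,
       COUNT(*)                 AS failures
  FROM dba_audit_session
 WHERE action_name = 'LOGON'
   AND returncode <> 0
   AND timestamp > SYSDATE - 1
 GROUP BY TRUNC(timestamp, 'HH'), userhost
HAVING COUNT(DISTINCT username) > 5
 ORDER BY hour_bucket;
```

The application-side twin of the first query runs the same grouping over the EBS tables listed on the previous slide (APPLSYS.FND_UNSUCCESSFUL_LOGINS and ICX.ICX_FAILURES) using their user-name and attempt-time columns; verify the column names against the installed release before building the alert. Hour buckets miss a burst that straddles two hours; a sliding window over the last 60 minutes, re-evaluated every few minutes, is the tighter form of the rule.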
Integrigy Framework – Level 3

Objectives
- Extend logging to include functional logging and more complex alerting and monitoring
- Automate routine compliance activities
- Enhance and extend for continuous monitoring

Tasks
1. Pass database logs and application server logs
   - Use correlation to identify multi-layer incidents
2. Extend to include EBS functional setups
   - Focus on automating compliance activities
3. Enhance and extend alerting, monitoring and reporting for continuous monitoring
   - Integrate people, processes and technology
Level 3 – Recommended Alerts

Framework   What to Monitor
E1          Key functional setup and configuration activity
E1          SYSADMIN usage pattern
E6          FND user e-mail account changes
E6, E11     E-Business Suite proxy user grants
E5, E11     Database account creation and privilege changes
E13, E14    Reconcile creation and updates to Forms, Menus, Responsibilities, System Profiles and Concurrent Programs
E14         Tables listed in APPLSYS.FND_AUDIT_TABLES
Level 3 is Continuous

- Continuous process
  - Baseline expected activity
  - Define correlations
  - Build alerts and reports
  - Look for anomalies
- Continuous audit and operations monitoring
  - Automated compliance
Oracle Client Identifier – examples of how applications use it

E-Business Suite: As of Release 12, the Oracle E-Business Suite automatically sets and updates CLIENT_IDENTIFIER to the FND_USER.USERNAME of the logged-on user. Prior to E-Business Suite Release 12, follow the Support Note "How to add DBMS_SESSION.SET_IDENTIFIER(FND_GLOBAL.USER_NAME) to FND_GLOBAL.APPS_INITIALIZE procedure" (Doc ID 1130254.1).

PeopleSoft: Starting with PeopleTools 8.50, the PSOPRID is additionally set in the Oracle database CLIENT_IDENTIFIER attribute.

SAP: With SAP version 7.10 and above, the SAP user name is stored in CLIENT_IDENTIFIER.

Oracle Business Intelligence Enterprise Edition (OBIEE): When querying an Oracle database using OBIEE, the connection pool username is passed to the database. To also pass the middle-tier username, set the client identifier on the session: edit the RPD connection pool settings and create a new connection script to run at connect time, adding the following line to the connect script:
  CALL DBMS_SESSION.SET_IDENTIFIER('VALUEOF(NQ_SESSION.USER)')
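As an added example (not from the slides or the whitepaper) serving both the "application end-user identity propagation" and "fine-grained audit (FGA) specific to sensitive tables" advantages listed earlier and the client-identifier examples above: what a middle tier does to tag its pooled session, how the tag surfaces in SYS_CONTEXT, and an FGA policy on a sensitive table whose audit rows carry that tag. The table HR.EMPLOYEES, its SALARY column, the policy name and the user JSMITH are assumptions for illustration.

```sql
-- Added example: end-user identity in the audit trail via CLIENT_IDENTIFIER,
-- with a fine-grained audit policy on an assumed sensitive table.

-- 1. What the middle tier runs after taking a pooled connection as APPS.
--    EBS R12 does this itself; OBIEE does it through the connect script above.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('JSMITH');   -- assumption: the application end user
END;
/

-- 2. Both identities are now visible to the session, to policies and to triggers.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')      AS db_user,    -- e.g. APPS
       SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS app_user    -- JSMITH
  FROM dual;

-- 3. FGA on a sensitive table (assumed HR.EMPLOYEES): audit only statements that
--    touch SALARY, and keep SQL text and bind values with the audit row.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'FGA_EMP_SALARY',          -- assumption
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/

-- 4. Each audited statement is attributed to the application user (CLIENT_ID)
--    rather than only to the schema account (DB_USER) the pool connects as.
SELECT timestamp, db_user, client_id,
       object_schema || '.' || object_name AS obj,
       statement_type, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'FGA_EMP_SALARY'
 ORDER BY timestamp;

-- Standard-audit rows carry the same value in DBA_AUDIT_TRAIL.CLIENT_ID, so the
-- Level 1 and Level 2 alerts can be keyed on the end user as well.
SELECT timestamp, username, client_id, action_name, obj_name
  FROM dba_audit_trail
 WHERE client_id IS NOT NULL
   AND timestamp > SYSDATE - 1;                   -- assumption: last 24 hours
```

CLIENT_IDENTIFIER is set by the client and is not authenticated by the database: anyone holding the schema password can set it to any value. It is therefore attribution for the audit trail and for reports, not a basis for authorization decisions, and a session that reaches a sensitive table with the identifier unset (or set to a value that is not a valid application user) is itself worth an alert.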
Integrigy Framework for Database Auditing
Log and Audit Maturity Scale

Diagram (summarized): the scale stacks capabilities from technology foundation up to advanced analytics and maps them to the framework levels. Each database source is shown twice, written to SYS.AUD$ or sent to syslog.

Framework level     Capability               Sources and components
Minimal / Level I   Technology foundation    OS syslog; AUDIT_SYS_OPERATIONS output; AUDIT_TRAIL to SYS.AUD$ or to syslog
Level II            Log management, alerting Apache and DB listener logs; EBS sign-on & navigation logs; Oracle Audit Vault
Level III           Correlation, analytics   Event correlation in a Security Information and Event Management (SIEM) system; functional audit logs; security and audit application correlation; anomaly detection; advanced analytics
Integrigy Oracle Whitepapers

This presentation is based on our Auditing and Logging whitepapers, available for download at http://www.integrigy.com/security-resources

Contact Information

Michael Miller, Chief Security Officer, Integrigy Corporation
web: www.integrigy.com
e-mail: [email protected]
blog: integrigy.com/oracle-security-blog
youtube: youtube.com/integrigy