DATAPLUS Omega Core Audit NT Agent for Oracle Database - User’s Guide 1.2.0

December, 2017

Omega Core Audit NT Agent ™ Free Edition For Oracle Database on Windows NT systems With Splunk SIEM support

Omega Core Audit NT Agent

For Oracle Database on Windows NT systems! With Splunk SIEM support!

User’s Guide

1.2.0

www.dataplus-al.com

Copyright © 2007-2017 DATAPLUS. All rights reserved. Omega Core Audit NT Agent is a property of DATAPLUS and is protected by US, EU and international copyright laws. Omega Core Audit NT Agent and the DATAPLUS logo are trademarks of DATAPLUS. All other trademarks are the property of their respective owners.

TABLE OF CONTENTS

1 Overview
1.1 Introducing Omega Core Audit NT Agent
1.2 Solution Architecture
1.3 Prerequisites and Compatibility
1.4 Release Notes

2 Deployment and Setup
2.1 Software Deploy
2.2 Initialization Parameters
2.3 NT Service Install and Uninstall
2.4 Configuring the Audit in Oracle Database

3 Operations
3.1 Standard Operations
3.2 Initializing the NT Service - First Start
3.3 NT Service Management
3.4 Error Reporting and Debug
3.5 Oracle NT Audit record

4 Integration to SIEM
4.1 Splunk Interface
4.2 Omega Core Audit NT App for Splunk

5 Appendixes
5.1 Appendix A1 - Omega Core Audit Product Family
5.2 Appendix A2 - Oracle Database Auditing
5.2.1 Oracle Administrative Audit
5.2.2 Oracle Standard Audit
5.3 Appendix A3 - Oracle Unified Audit Dataset
5.4 Appendix A4 - Bug Fixes and Existing Issues
5.5 Appendix A5 - References
5.6 Appendix B - Technical Support and Copyrights

1 Overview

1.1 Introducing Omega Core Audit NT Agent

Omega Core Audit NT Agent is a continuous audit monitoring tool designed specifically for Oracle Databases running on Windows NT systems.

Omega Core Audit NT Agent is an out-of-the-box, software-only solution. It is a Windows application deployed as a Windows NT Service that will:

- Monitor Oracle database audit trail records written as Windows Event log records.
- Extract Oracle database Administrative and Standard Audit fields from the NT Event message.
- Deliver audit trail records in a unified audit trail format to the Splunk SIEM for tamper-proof storage, reporting, alerting and analysis.

The Omega Core Audit NT Agent is an OS-based solution and as such requires no installation in, and no connection to, the monitored Oracle databases. It contains no record storage/repository of its own. It has been built to deliver the Oracle database audit trail records to an available external log storage system.

Splunk SIEM is the first such system to be supported in this initial version. More SIEMs and Central Log Collection systems will be supported in the next releases.

Omega Core Audit NT Agent belongs to the Omega Core Audit product family. See Appendix A1 - Omega Core Audit Product Family for more details.

1.2 Solution Architecture

The Omega Core Audit NT Agent service monitors the Windows Event records for new Oracle audit trails and delivers them immediately to Splunk.

Once the records are in Splunk, you can use the Omega Core Audit NT App for Splunk, which is written to visualize and monitor the Oracle audit records extracted and fed by the Omega Core Audit NT Agent.

1.3 Prerequisites and Compatibility

The requirements and supported platforms of the Omega Core Audit NT Agent are:

Oracle Database: All Oracle database versions and releases from 11g R1 to 12c R2 are supported. All Editions - Standard (One) and Enterprise - are supported.

Operating System: All Windows NT systems supported by the Oracle database flavors above.

WMI Service *: The Windows Management Instrumentation service must be up and running.

External Log System **: Splunk Enterprise and Free edition, version 6 and above.

* The Windows Management Instrumentation (WMI) service has startup type Automatic by default.

** More SIEMs and Central Log Collection systems will be supported in the next releases.

1.4 Release Notes

This is version 1.2.0 of the Omega Core Audit NT Agent!

New Features/Enhancements in 1.2.0:

This is the first release of Omega Core Audit NT Agent!

Bug Fixes and Existing Issues in 1.2.0:

Detailed information on the bug fixes and existing issues of this version is presented in Appendix A4 - Bug Fixes and Existing Issues.

Limitations:

1. Only Oracle databases running on Windows NT servers are supported.

2. The Omega Core Audit NT Agent must be deployed locally on the Windows machine where Oracle is running. Remote collection of Windows Events is not supported.

3. Audit trails are monitored only when written as Windows Event records in Text format!

4. Within Oracle standard auditing, only the Traditional audit is supported (available to latest Oracle version 13c R1).

Visit our website for news on current developments:

www.dataplus-al.com

2 Deployment and Setup

2.1 Software Deploy

Download the Omega Core Audit NT Agent software package Omega_CA_NT_Agent_01_02_0.zip from our website and extract it on the Windows NT machine where the Oracle database[s] is running.

There is no installation routine in the proper sense and no installer package: just the files you extract from the compressed package and a simple (single command) Windows service install.

Create a directory for the application in Windows Explorer, for example:

C:\Program Files\DataPlus\OmegaCANTAgent

Put all of the software package’s files and folders into this directory.

The application files and folders deployed in this version are:

OmegaCANTAgentSvc.exe: The NT Service’s executable binary file. The Omega Core Audit NT Agent comes in the form of a Windows NT Service within this executable.

OmegaCANTAgent.ini: The Omega Core Audit NT Agent service’s initialization parameters file.

Ext folder: Contains the auxiliary data files Ora_ac.ext, Ora_ao.ext and Ora_sp.ext for the audit fields’ extraction process.

Logs folder: Log files containing system messages, errors and debug information are generated here.

This document, the “Omega Core Audit NT Agent User Guide”, is also deployed.

Note:

The deployed files are opened and managed only by the NT Agent service’s executable! Compressing, modifying, or accessing them in any way other than indicated above may permanently damage the software and lead to abnormal and erroneous behavior and results!

Manual user intervention on OmegaCANTAgent.ini during initial setup, infrastructure changes, or debugging is an exception to this - see the next topic!

2.2 Initialization Parameters

The Omega Core Audit NT Agent Windows service parameters are stored and configured in its initialization file, deployed with the executable.

The available initialization parameters are grouped as follows:

OmegaNT

Interval: Interval in seconds at which the NT Events are queried for new Oracle audit trail records and processed. Default value is 30.

NT_Source: Single value (or list) of NT Events’ Source field values produced by the Oracle databases, each one in the format Oracle.<Ora_SID> - where Ora_SID is the unique Database name on the Windows server.

NT_Timestamp: UTC Timestamp to query NT Events “from”, used automatically only on the first start of the Service.

NT_Record_No: The number of the last NT Event record (EventRecordID) processed; updated on every run. Default value is null.

NT_Rec_Max: The NT Event record number (EventRecordID) at which processing stops. Used for debugging only; default value is null.

NT_Rec_Limit: Maximum number of NT Events processed in a single run. Other records will be processed in the next run. Default value is 100,000.

Debug_Level: Debug level of messages written by the NT Agent to the .log file. Available options:

0 - Generic and Error messages only - default value

1 - Generic, Error and Debug messages

Debug_File_Fmt: Naming format and rotation of the new log file. Available options:

DD - every day, name formatted year to day (ex. ...2017_12_09…) - default value

HH24 - every hour, name formatted year to hour (ex. …2017_12_09_23…)

Oracle

Ora_Ext_Adm: Extract Oracle Administrative Audit fields from the NT Event Message. Available options:

1 - Enabled - fields will be completed - default value

0 - Disabled - fields will be empty

Ora_Ext_Std: Extract Oracle Standard Audit fields from the NT Event Message. Available options:

1 - Enabled - fields will be completed - default value

0 - Disabled - fields will be empty

Splunk

SP_Host: Host name or IP Address of the Splunk server

SP_Port: Splunk TCP Data Input Port

Omega Core Audit NT Agent is deployed as a Windows NT Service, and as such it has no standard user front-end.

For that reason, initialization parameters are configured with any text editor (like Notepad); moreover, normal operations require no user configuration of the initialization parameters.

Cases requiring configuration of initialization parameters are:

Software Initialization: discussed in its own topic, 3.2 Initializing the NT Service - First Start

Infrastructure Changes: changes in the databases being monitored, or in the host/IP or port of the Splunk server

Software Debug: discussed in its own topic, 3.4 Error Reporting and Debug

In each case, the initialization parameters are set only when indicated, and in the way explained wherever they appear in the topics of Chapter 3 Operations.

Note

Always stop the NT Agent service before making any change to the initialization parameters!

Changes to the initialization parameters take effect on the next service start.

2.3 NT Service Install and Uninstall

NT Service Install

To install the Omega Core Audit NT Agent Windows service, open the system’s command prompt, navigate to the software deployment directory and type:

OmegaCANTAgentSvc.exe /install

You will see a confirmation dialog “Service installed successfully”, or an error message if it failed.

To view the service properties, open the Services form under Administrative Tools in the Windows Control Panel.

The NT service is listed under the name OmegaCoreAuditNTAgent and has the following properties:

Service Name: OmegaCANTAgent

Display Name: OmegaCoreAuditNTAgent

Startup type: Automatic

Executable: OmegaCANTAgentSvc.exe

NT Service Uninstall

To uninstall the Omega Core Audit NT Agent Windows service, open the system’s command prompt, navigate to the software deployment directory and type:

OmegaCANTAgentSvc.exe /uninstall

You will see a confirmation dialog “Service uninstalled successfully”, or an error message if it failed.

Notes

Administrator rights are needed to install and uninstall service applications!

Ensure the SYSTEM account (running the NT Agent service) has read/write access to the initialization file.

Stop the service before uninstalling!

2.4 Configuring the Audit in Oracle Database

Omega Core Audit only collects audit trails already produced by the Oracle database. Before starting operations of the NT Agent, audit configurations must first be set (if not existing) in the database so that it starts producing audit trails.

Follow the steps below to enable Oracle database Administrative and Standard Audit, and to configure them for audit trail collection with Omega Core Audit NT Agent.

STEP 1: Set the initialization parameter AUDIT_SYS_OPERATIONS = TRUE

This will activate the Administrative Audit.

STEP 2: Set the initialization parameter AUDIT_TRAIL = OS

This will activate the Standard Audit. It will also set both Administrative and Standard Audit trails to be written as Windows Event records in Text format.

STEP 3: Set audit configuration with the AUDIT command

Set your environment-specific configurations for the Standard Audit.

Note:

Detailed information and steps on configuring the Oracle database audit for use with Omega Core Audit NT Agent are presented in Appendix A2 - Oracle Database Auditing.

3 Operations

This chapter describes the main operation procedures, system functionalities and behavior.

3.1 Standard Operations

Standard (normal and routine) operations and system behavior are presented in the following topics.

On Service start

On service start the NT Agent will load:

- All initialization parameters, checking their validity
- The Oracle database[s] SID names to monitor
- Auxiliary data for the audit field extraction process

Finally it will:

- Set the “NT Events Process” procedure’s run interval according to the initialization parameter Interval.
- Activate the periodic execution of the “NT Events Process” procedure.

“NT Events Process” Procedure

The “NT Events Process” procedure searches Windows Events for new Oracle audit trails and (when found) delivers them to Splunk. It is launched by the NT Agent Service periodically, every Interval seconds.

The general steps of the “NT Events Process” procedure are:

- Connects to the WMI service.
- Prepares the WMI Query to retrieve NT Events in the correct range:
  from: the last record number (EventRecordID), as set in the initialization parameter NT_Record_No.
  to: the limit set by the combination of the initialization parameters NT_Rec_Limit and NT_Rec_Max.
- Executes the WMI Query and retrieves the NT Events data.
- Loads only Oracle events for processing and delivery, as set in the initialization parameter NT_Source.
- Extracts administrative/standard audit fields from the NT message for each record.
- Sends each record to Splunk SIEM in an Oracle unified audit trail XML format.
- Writes the last successfully transferred NT Event record number (EventRecordID) to the initialization parameter NT_Record_No, to start from there on the next run.

The run cycle above is then repeated every Interval seconds, as set in the initialization parameter of that name. Splunk availability is checked before each run.

On Service Stop:

Before stopping, the Service will deactivate the periodic run of the “NT Events Process”; if a run is in progress, it will wait until that run finishes!

Read the related topic 3.3 NT Service Management for further details.

3.2 Initializing the NT Service - First Start

After you have installed the Omega Core Audit NT Agent Windows service and set the Oracle audit configurations, you must follow the guidelines below before you start it for the first time!

1. Select the Oracle database[s] to monitor:

The Oracle database[s] whose audit trails will be monitored are declared in the initialization parameter NT_Source. Every Oracle database has its own SID (the unique Database name on the Windows server). Whenever an audit trail is generated, the Windows Event’s field Source is set as Oracle.<Ora_SID>.

Oracle single-database installations on Windows are often installed with the default SID “orcl”. In this case the default value of the initialization parameter NT_Source is set as:

NT_Source=Oracle.orcl

When (justly) the default Oracle SID is changed to a more system-descriptive one, for example “corebankdb”, the value of NT_Source would be:

NT_Source=Oracle.corebankdb

Multiple DB/SID name entries are supported (separated by the hash sign #), as in the example below for two monitored Oracle databases “dblive01” and “dbtestunc”:

NT_Source=Oracle.dblive01#Oracle.dbtestunc

2. Establish NT Events collection starting point:

In standard (routine) operating conditions, the NT Agent reads the Windows Events by progressing from the last Record Number (EventRecordID) successfully processed. This number is persisted in the initialization parameter NT_Record_No; it is manipulated only by the NT Service and should not be touched!

However, at the starting point, this number needs to be set. There are two ways to do this:

1. Automatic configuration

You can start the NT Agent service with an empty initialization parameter NT_Record_No. In this case, the service will first read the system’s UTC DateTime, write it to the initialization parameter NT_Timestamp, and then query for new NT Event records using a time-based condition set from that value. The first time the query returns records (there might not be new NT Application events immediately), it will write the last processed record number to NT_Record_No, and from then on switch to its regular record-number-based query condition.

This method applies best when you want to collect audit trails starting from the service start time in an already running (or soon to be started) database[s].

2. Manual configuration

Manually set the initialization parameter NT_Record_No in the .ini configuration file. To choose the starting point, open the “Application” events in the Windows Event Viewer and select the record you want to start from. In the lower pane, on the Details tab, you can see the event’s field EventRecordID in either the Friendly View (under System) or the XML View.

Set NT_Record_No = EventRecordID - 1

This is because what we are setting is the last record processed, not the first one to process! This is the preferred initialization method, not least because it gives control over the starting record number, thus allowing you to collect logs from an earlier point rather than being limited to the current service start time.

3. Set Splunk parameters; review all and start the service

1. Splunk server parameters

Set the Splunk server initialization parameters: the Host name or IP Address of the Splunk server for SP_Host, and the Splunk TCP Data Input Port for SP_Port.

Make sure the Splunk server is up and running, and so is the TCP Data Input Port.

2. Review all parameters

Review all initialization parameters, especially the ones that need to be set before start:

NT_Source NT_Record_No

SP_Host SP_Port

You can override the default value of 30 for the initialization parameter Interval. In most systems of this kind this value is 60 seconds (1 min); however, you can set a smaller value too.

Meanwhile, you are advised not to change the default value of 100,000 for the initialization parameter NT_Rec_Limit, although the Service can ingest a much bigger number.

3. Start the NT Service

At this point you can start the NT Agent service.

Read the related topic 3.3 NT Service Management for further details.
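
The parameter review in step 2 above can be scripted and run before the first start. The following Python check is an added example, not part of the DATAPLUS software or guide; the [group] header lines in the constructed sample file, the SID character set, the integer bounds and all function names are assumptions.

```python
import re

# Constructed sample file. The [group] header lines are an assumed layout; the
# parser skips them, so the check works with or without them.
SAMPLE_INI = """\
[OmegaNT]
Interval=30
NT_Source=Oracle.dblive01#Oracle.dbtestunc
NT_Timestamp=
NT_Record_No=48211
NT_Rec_Max=
NT_Rec_Limit=100000
Debug_Level=0
Debug_File_Fmt=DD
[Oracle]
Ora_Ext_Adm=1
Ora_Ext_Std=1
[Splunk]
SP_Host=splunk.example.internal
SP_Port=5514
"""

# Each NT_Source entry must read Oracle.<Ora_SID>; the SID character set is an assumption.
SOURCE_ENTRY = re.compile(r"Oracle\.[A-Za-z][A-Za-z0-9_]*")
# Option values listed in topic 2.2 of the guide.
CHOICES = {
    "Debug_Level": {"0", "1"},
    "Debug_File_Fmt": {"DD", "HH24"},
    "Ora_Ext_Adm": {"0", "1"},
    "Ora_Ext_Std": {"0", "1"},
}


def parse_ini(text):
    """Return {name: value} for each name=value line, skipping group headers and comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "[;#":
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def check_int(params, name, low, high, findings, required=False):
    """Validate an integer parameter; an empty value is allowed unless required."""
    value = params.get(name, "")
    if value == "":
        if required:
            findings.append(f"{name}: not set")
        return None
    if not re.fullmatch(r"[0-9]+", value) or not low <= int(value) <= high:
        findings.append(f"{name}: {value!r} is not an integer in {low}..{high}")
        return None
    return int(value)


def review(params):
    """Return (findings, start_mode) for the parameters named in topic 3.2."""
    findings = []
    sources = params.get("NT_Source", "")
    if not sources:
        findings.append("NT_Source: not set")
    else:
        for entry in sources.split("#"):
            if not SOURCE_ENTRY.fullmatch(entry):
                findings.append(f"NT_Source: {entry!r} is not of the form Oracle.<Ora_SID>")
    if not params.get("SP_Host"):
        findings.append("SP_Host: not set")
    check_int(params, "SP_Port", 1, 65535, findings, required=True)
    check_int(params, "Interval", 1, 2**31 - 1, findings)
    check_int(params, "NT_Rec_Limit", 1, 2**31 - 1, findings)
    last = check_int(params, "NT_Record_No", 0, 2**63 - 1, findings)
    stop = check_int(params, "NT_Rec_Max", 0, 2**63 - 1, findings)
    if last is not None and stop is not None and stop <= last:
        findings.append("NT_Rec_Max: not above NT_Record_No, no record would be processed")
    for name, allowed in CHOICES.items():
        if name in params and params[name] not in allowed:
            findings.append(f"{name}: {params[name]!r} is not one of {sorted(allowed)}")
    # Empty NT_Record_No means the automatic, time-based first start; otherwise manual.
    mode = "manual" if params.get("NT_Record_No") else "automatic"
    return findings, mode


def record_no_for(first_event_record_id):
    """NT_Record_No holds the last record processed, so start one below the chosen event."""
    return first_event_record_id - 1


if __name__ == "__main__":
    print(review(parse_ini(SAMPLE_INI)))
```

Run it against a copy of the .ini file while the service is stopped, since the guide reserves the file for the service while it is running.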

3.3 NT Service Management

Starting the NT Service:

The Omega Core Audit NT Agent service start type is Automatic, meaning the service will start automatically at system start.

In case you need to start the service manually, for example right after the first install or after a manual stop, this is done:

- In the Windows Services form, by first selecting the service and pressing the button Start Service.
- Or manually, in the system’s command prompt, using the command “net start OmegaCANTAgent”.

The service will start, or a warning or error will be raised. Both cases leave entries in the service’s .log and in the Event Viewer System logs; in case of errors, check the Event Viewer Application log for service error entries.

Stopping the NT service:

Stopping the service manually is done:

- In the Windows Services form, by first selecting the service and pressing the button Stop Service.
- Or manually, in the system’s command prompt, using the command “net stop OmegaCANTAgent”.

The service will stop, or a warning or error will be raised. Both cases leave entries in the service’s .log and in the Event Viewer System logs; in case of errors, check the Event Viewer Application log for service error entries.

Carefully read the topic “NT Service Tips” for related information.

Monitoring the NT Service:

The service activity can be monitored in Windows Task Manager. Being a service application, it will appear only in the tab Services, listed with the service name, and in the tab Processes, listed with the executable name (.exe); in the latter only when the service is started.

Presence of the service’s .exe name in the Process List indicates a running service; its absence indicates a stopped one.

NT Service Tips

Service Start Failure:

In case of a service start error, for example a failure in the initialization parameters, you will receive a warning notifying you that the service failed to start.

[Figure: on the left, a service start failure started from the Windows Services form; on the right, the same started from the command prompt.]

The service will not start, as it justly notifies!

It will write an Error-level NT Event Application log entry and also a mandatory [Error] entry in the service’s .log file. Check the Event Viewer logs and the service’s .log file for error details.

Service Stop on a “long” running job:

A “long” running job, for a service written to work in “quasi” real time, can be anything from a timeout while waiting to connect to an unavailable SIEM to, for example, transferring tens of thousands of records after a day or more of SIEM unavailability or any other problem.

In such cases it is best to let the service finish its work (monitor it) before trying to stop it, either from the Services form or from the command prompt. However, if you try to stop the service under such conditions, you will receive a warning notifying you that the service failed to stop.

[Figure: on the left, a service stop failure started from the Windows Services form; on the right, the same stopped from the command prompt.]

The service will not stop, as it justly notifies!

It will continue its work until the “NT Events Process” procedure completes, as stated earlier in this chapter. You can (and are advised to) monitor the service working in the Task Manager. Do not manually kill the process at this point! Watch the Memory and CPU fields to verify it is working!

There will (logically) be no error written either to the NT Events Application log or to the service’s .log file. When the job is completed, the service terminates normally, as in every normal manual stop, and the process name disappears from the processes list.

Windows Shutdown on a “long” running job:

A service stop called not by the user but by a Windows Shutdown will interrupt the process in the middle and will not ensure a correct write of the last NT Event record number processed, thus sending duplicates after restart! Always manually shut down the Listener and the Database[s] before a Windows shutdown (as is usual on *NIX)!

This recommended practice will avoid the situation above.
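
The run cycle from topic 3.1 and the duplicate delivery described above can be reproduced with a small model. This Python code is an added example, not the agent's own code: the event list is constructed, the function names are hypothetical, and it assumes that NT_Rec_Limit counts delivered Oracle records and that NT_Rec_Max is an inclusive upper bound.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    record_id: int  # EventRecordID of the Windows Application event
    source: str     # Windows Event "Source" field


def select_batch(events, nt_record_no, nt_source, nt_rec_limit=100_000, nt_rec_max=None):
    """Pick the events one run would process, in EventRecordID order."""
    wanted = set(nt_source.split("#"))
    batch = []
    for ev in sorted(events, key=lambda e: e.record_id):
        if ev.record_id <= nt_record_no:
            continue  # already processed in an earlier run
        if nt_rec_max is not None and ev.record_id > nt_rec_max:
            break     # debug stop point reached
        if ev.source not in wanted:
            continue  # not a monitored Oracle source
        if len(batch) == nt_rec_limit:
            break     # the rest waits for the next run
        batch.append(ev)
    return batch


def run_cycle(events, state, delivered, nt_source, nt_rec_limit, checkpoint_written=True):
    """One "NT Events Process" run. `delivered` stands in for the Splunk TCP input."""
    batch = select_batch(events, state["NT_Record_No"], nt_source, nt_rec_limit)
    for ev in batch:
        delivered.append(ev.record_id)
    # The checkpoint is written only after the transfer; a run cut short by a
    # Windows shutdown (checkpoint_written=False) leaves the old value in place.
    if batch and checkpoint_written:
        state["NT_Record_No"] = batch[-1].record_id
    return len(batch)


def duplicates(delivered):
    """EventRecordIDs received more than once: the check to run on the receiving side."""
    return sorted(rid for rid, count in Counter(delivered).items() if count > 1)


def demo():
    # Constructed Application log: three monitored records, two unrelated ones.
    events = [
        Event(101, "Oracle.dblive01"),
        Event(102, "SomeOtherService"),
        Event(103, "Oracle.dbtestunc"),
        Event(104, "Oracle.dblive01"),
        Event(105, "Oracle.unmonitored"),
    ]
    sources = "Oracle.dblive01#Oracle.dbtestunc"
    # Manual start at record 101: NT_Record_No = EventRecordID - 1.
    state = {"NT_Record_No": 100}
    delivered = []
    run_cycle(events, state, delivered, sources, nt_rec_limit=2)   # sends 101, 103
    run_cycle(events, state, delivered, sources, nt_rec_limit=2,
              checkpoint_written=False)                            # sends 104, then shutdown
    run_cycle(events, state, delivered, sources, nt_rec_limit=2)   # sends 104 again
    return delivered, state["NT_Record_No"], duplicates(delivered)


if __name__ == "__main__":
    print(demo())
```

In this model a repeat always begins at the first record past the stored NT_Record_No, so duplicates are confined to the batch that was in flight when the checkpoint write was lost.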

3.4 Error Reporting and Debug

Omega Core Audit NT Agent is deployed as a Windows NT service application.

Error reporting and debugging are thus performed in the absence of a usual user application interface and follow Windows’ service rules and system approach.

Error Reporting

The service’s errors are written to the Windows Application Event log, with Level Error, the Source field set to the service .exe name and Event ID equal to 0.

It is advised that you create a Custom View in the Windows Event Logs form, filtering records to display only the Omega Core Audit NT Agent records. Set a filter for field Source equal to the service’s .exe filename.

Errors are also mandatorily written to the service’s .log as [Error] entries.

Most errors, especially those that directly affect the service, are written both to the Windows Events Application Log and to the service’s .log file. It is advised to monitor both Windows NT Events and the .log file for eventual errors!

Record-level processing errors:

Any error occurring during individual record processing, such as extraction of Oracle audit fields, is written as an [Error] entry in the service’s .log file only and reported in the summary of the transfer, itself written as a [Generic] entry. The NT Event record number (EventRecordID) where the error occurred is indicated.

There will be no interruption of the service process in case of such errors!

Software Debug

Because it is deployed as a Windows NT service, without a normal user interface, the Omega Core Audit NT Agent features process debugging capabilities that output information on the internal workflow, help with initial software implementation and maintenance, help diagnose possible issues and, finally, allow the service to be used for testing and debugging.

This Debug feature is built-in and independent of the entries generated in the Windows Event logs (Application and System) by the NT service maintenance (start, stop, errors …). The latter is a Windows built-in feature of all Windows services - the NT Agent included.

The service writes debug entries to a .log file, created and maintained automatically by the software. Debug entries fall into the three categories below:

Generic   Important NT Agent events, always written
Error     NT Agent errors, always written
Debug     Debug information, written only when the initialization parameter Debug_Level is set to 1

Note:

The default value of the initialization parameter Debug_Level is 0 (Generic and Error entries only). The elevated level 1 is recommended on initial system deployment and later for debug/diagnostics/test reasons only.

Debugging/testing with a custom record range:

Under normal conditions the NT Agent monitors for new Oracle audit trails and transfers them to the Splunk SIEM; each time it advances to the next starting point, in terms of NT Event record numbers. Everything is done automatically in the monitored system.

However, there are debug and testing situations that diverge from normal live/production operation, and the NT Agent supports them. Consider, for example, a case in which you need to send a predefined, manually selected range of NT Event records, so that their Oracle audit trails are processed and sent to a test Splunk machine or index.

In this case you can use a combination of the initialization parameters NT_Record_No and NT_Rec_Max; the first parameter is always in use, while the second is always empty under normal operations and is used only for debug/test to enable the concept of an EventRecordID range.

For example, to process a range of NT Event records from 680504 to 731127, you must set NT_Record_No=680503 (680504-1) and NT_Rec_Max=731127.

After NT_Record_No reaches NT_Rec_Max you can stop the service; it will not “advance” the former parameter, which is limited by the latter.


3.5 Oracle NT Audit record

Omega Core Audit NT Agent features a unified audit dataset, composed of the following audit types:

Administrative audit

Standard audit

General system audit

Extraction of Oracle audit fields is performed from the NT Message for the Administrative and Standard Audit records. This On/Off (1/0) behavior is controlled, respectively, by the two initialization parameters:

Ora_Ext_Adm   Extract Administrative audit fields
Ora_Ext_Std   Extract Standard audit fields

Both are set by default to 1 - field extraction is enabled.

Several NT Event fields are added to the Oracle “native” audit fields to complete the unified audit record. The Oracle unified audit dataset is then delivered to Splunk as pure XML records.

Note:

Oracle audit field availability differs by database version. Detailed information on the audit record produced is presented in Appendix A3 - Oracle Unified Audit Dataset.


4 Integration to SIEM

Omega Core Audit NT Agent contains no record storage/repository of its own. Delivery of Oracle database audit trail records to an available external log storage system is thus mandatory and is a built-in, activated functionality.

Splunk is the first SIEM/Central Log Collection system to be supported in this initial version. More systems of this kind will be supported in future versions.

4.1 Splunk Interface

Oracle database audit trail records are sent to Splunk SIEM in virtually real-time from Omega Core Audit NT Agent, thus enabling storage of your mission critical Oracle database audit trail records in a central location, visualization and quick access of audited events history.

Delivery of records is performed “on-the-fly” and Agent-less via Splunk TCP Data Input! Nothing to install!

Splunk Requirements:

Minimal for loading     a Splunk Index, a Source Type and an active TCP Data Input port *
Minimal for reporting   Splunk Search and Reporting App - built-in with the Splunk distribution
Advanced                Omega Core Audit NT App for Splunk *

* refer to the Omega Core Audit NT App for Splunk User Guide

4.2 Omega Core Audit NT App for Splunk

Continuously monitor audit trail records of your Oracle databases via the graphical interface of our next solution: Omega Core Audit NT App for Splunk * - running on top of the Splunk system.

* Omega Core Audit NT App for Splunk is a Splunk application made by DATAPLUS and is free to all Omega Core Audit NT Agent users!


5 Appendixes

5.1 Appendix A1 - Omega Core Audit Product Family

The Omega Core Audit product family features Oracle database security compliance software-only solutions.

Two Oracle database security “core” products are available:

Omega Core Audit (Enterprise) - commercial solution

Omega Core Audit NT Agent - free solution, commercial elevated support

While the Omega Core Audit (Enterprise) is an overall solution featuring OS Independence and Protection, the Omega Core Audit NT Agent is an alternative solution tailored specifically to Windows NT systems, with differences in functionalities and capabilities as highlighted in the table below:

Feature/Edition            Omega Core Audit NT Agent   Omega Core Audit

General
OS                         Windows NT Systems          All Oracle supported OSs
Deployment                 OS                          Database
Repository                 External required           Available (included)
Administrative Audit       Available                   Partial (1)
Standard Audit             Available (2)               Available (3)
Access Control             -                           Available
Real-Time Protection DDL   -                           Available
Real-Time Protection DML   -                           Available
Unified Audit Trail        Available (4)               Available (5)

Integration
Splunk                     Out-of-box (6)              Customizable

Notes

1. Available in Access Control and Real-Time Protection DDL.
2. Standard Audit trail destination set to the OS.
3. Standard Audit trail destination set to the Database.
4. Combined Administrative and Standard Audit trails.
5. Combined four trail-producing modules of the Omega Core Audit.
6. Built-in support for data delivery in Splunk. Plus the Omega Core Audit NT App for Splunk.

For more details on the Omega Core Audit (Enterprise) and Omega Core Audit NT Agent, please visit the product pages on our site:

Omega Core Audit            www.dataplus-al.com/omega-core-audit
Omega Core Audit NT Agent   www.dataplus-al.com/omega-core-audit-nt-agent

For the latter, see also its requirement (another DATAPLUS product), Omega Core Audit NT App for Splunk:

www.dataplus-al.com/omega-core-audit-nt-app-for-splunk

Other Oracle database security related products:

Omega DB Scanner Standalone       www.dataplus-al.com/omega-db-scanner-standalone
Omega DB Scanner App for Splunk   www.dataplus-al.com/omega-db-scanner-app-for-splunk


5.2 Appendix A2 - Oracle Database Auditing

5.2.1 Oracle Administrative Audit

The Oracle database Administrative Audit feature enables full audit of all top-level commands issued by the Administrative account SYS and by users connecting with SYSDBA or SYSOPER privileges. For an Oracle database running on a Windows NT Server, the administrative audit trail records are written outside the database, either as Windows Event records in the Windows Event Log, or as XML file[s] in the operating system.

The two initialization parameters below control the Administrative Audit in an Oracle database running on a Windows NT Server:

Initialization parameter AUDIT_SYS_OPERATIONS

This parameter is of Boolean type TRUE/FALSE, respectively Enabling/Disabling the administrative audit operations. It defaults to TRUE since Oracle 12c Release 1 and to FALSE in Oracle 11g Release 2 (last) and below. However, even when this parameter is set to FALSE, some default/generic Administrative trails will still be collected, e.g. database shutdown or startup.

Check for activation of Administrative Audit:

SQL> select name, value from V$PARAMETER where name = 'audit_sys_operations';

In the row returned, the field VALUE must be TRUE.

To activate the Administrative Audit:

SQL> alter system set AUDIT_SYS_OPERATIONS=TRUE scope=spfile;

The activation requires a database restart to take effect!

SQL> SHUTDOWN [mode];

where mode is normal, immediate, or abort.

Initialization parameter AUDIT_TRAIL

This initialization parameter, although mostly noted for controlling the Standard Audit, impacts the Administrative Audit too. For all operating systems in general it decides the format of the Administrative Audit trail record, whether Text or XML. For Oracle Databases running on Windows NT servers it also decides the destination of the Audit Trail records, whether written as Windows Event records, or as XML files in operating system directories.

Note:

To enable collection of Oracle Administrative Audit trail records with Omega Core Audit NT Agent this parameter must be set to a non-XML value (that is, not XML or XML_EXTENDED)!

The AUDIT_TRAIL initialization parameter is described in more detail in the next topic.


5.2.2 Oracle Standard Audit

The Oracle database Standard Audit feature enables audit of user statements and operations on schema objects.

Statements issued by users can be audited for a specific user (or users), or for all users.

Operations performed on schema objects are always audited for all users.

The Oracle database Standard Audit availability in general is controlled by the initialization parameter AUDIT_TRAIL. Audit configurations must then be set with the AUDIT command to produce audit events.

AUDIT_TRAIL initialization parameter

This initialization parameter enables or disables the database standard (traditional) auditing. It also controls the format and the destination of the standard audit record. Finally, it also impacts the Administrative Audit, as stated above.

Checking for activation and properties of Standard (Traditional) Audit:

SQL> select name, value from V$PARAMETER where name = 'audit_trail';

Available options for the value of the initialization parameter AUDIT_TRAIL and their effect on the Standard Audit are displayed below:

NONE           Standard Audit is not available. This is the default value and must be changed!
OS             Audit records generated as text files into the OS. On Windows NT systems the audit records are written as Windows Event records in Text format!
DB             Audit records generated to database table AUD$, fields SQL_TEXT/SQL_BIND empty.
DB_EXTENDED    Audit records generated to database table AUD$, fields SQL_TEXT/SQL_BIND populated.
XML            Audit records generated as XML files to OS, fields SQL_TEXT/SQL_BIND empty.
XML_EXTENDED   Audit records generated as XML files to OS, fields SQL_TEXT/SQL_BIND populated.

Note:

To enable collection of Oracle Standard Audit trail records with Omega Core Audit NT Agent this parameter must be set to OS! If this value is set to DB/DB_EXTENDED you can still make full use of the Administrative Audit collection feature.

To activate the Standard Audit:

SQL> alter system set AUDIT_TRAIL=OS scope=spfile;

The activation requires a database restart to take effect!

SQL> SHUTDOWN [mode];

where mode is normal, immediate, or abort.


AUDIT command

After enabling the Standard Audit with the AUDIT_TRAIL parameter above, you must set audit configurations with the AUDIT command. Two main divisions appear in the syntax of the Audit SQL command:

1. Auditing user statements and system privileges:

Statement Audit can be performed on a single user, multiple users, or all users. An audit option, like ALTER TABLE, can be used for auditing. Alternatively a system privilege can be audited, like CREATE ANY TABLE.

Finally, several Shortcuts (each enabling several audit options) can be used, for example TABLE - this has the same effect as issuing three AUDIT commands for: CREATE TABLE, DROP TABLE and TRUNCATE TABLE.

Auditing user for a SQL statement:

SQL> audit ALTER TABLE by TESTUSER by access;

Auditing two users with a statement Shortcut:

SQL> audit TABLE by TESTUSER1, TESTUSER2 by access;

Auditing user for a system privilege:

SQL> audit CREATE ANY TABLE by TESTUSER by access;

Auditing all users for user creation:

SQL> audit CREATE USER by access;

Another important Shortcut is ALL STATEMENTS. This feature is available from Oracle 11g R2 and enables full audit of all top-level statements issued by the audited user[s] - the same concept as in the Administrative Audit.

Auditing the DBA user for all statements:

SQL> audit ALL STATEMENTS by TESTDBA by access;

The queries below display the current statement and system privilege audit settings.

Checking for SQL statements audit settings:

SQL> select * from DBA_STMT_AUDIT_OPTS;

Checking specifically for system privileges audit settings:

SQL> select * from DBA_PRIV_AUDIT_OPTS;

Note:

Auditing operations on SQL statements apply only to subsequent sessions, not to current ones!


2. Auditing operations performed on schema objects:

Object auditing is performed on database schema objects. Operations performed on schema objects are always audited for all users.

Auditing updates and deletes on FIN table Departments:

SQL> audit UPDATE, DELETE on FIN.DEPT by access;

Auditing updates and inserts on FIN table Customers:

SQL> audit UPDATE, INSERT on FIN.CUSTOMER by access;

Checking for Schema objects audit settings:

SQL> select * from DBA_OBJ_AUDIT_OPTS;

Note:

Auditing operations on schema objects apply immediately to current sessions and to subsequent ones!


5.3 Appendix A3 - Oracle Unified Audit Dataset

The table below lists the Oracle Unified Audit Dataset fields sent to the SIEM, broken down by Oracle version/maintenance and audit type.

Field Name   11gR1-12cR1 (Adm. Std.)   >= 12cR2 (Adm. Std.)   Description

NT_RECORD_NO x x x x NT Event field EventRecordID

NT_USER x x x x NT Event field User

NT_TYPE x x x x NT Event field Level, available options: Information, Warning, Error, Critical

NT_EVENT_ID x x x x NT Event field EventID

AUDIT_TYPE x x x x Audit Type indicating audit Administrative, Standard or General; other types are: Unknown - for messages not recognized; ExtErr - for extraction process failure in Administrative/Standard

TIMESTAMP_STS x x x x NT Event field Date and Time, Oracle database audit trail date-time created

DB_HOST x x x x NT Event field ComputerName, Oracle database Host

DB_NAME x x x x Oracle database SID name, derived from NT Event field Source

USERNAME x x x x Database user name whose actions were audited

ADMIN_PRIV x x Oracle Administrative Privilege, available options: SYSDBA, SYSOPER, NONE

PRIVILEGE_ID x x Unique identifier of the system privilege used to execute the action audited

SYSTEM_PRIVILEGE x x System privilege name used to execute the action

ACTION_ID x x x Unique identifier of the action audited

ACTION_NAME x x x Name of the action audited

ACTION_CMD x x Full (SQL text) action of the audited Administrative command

USERHOST x x x Oracle user’s client host machine name

OS_USER x x x x Oracle user’s operating system login username

TERMINAL x x x x Oracle user’s identifier of the user's terminal

SESSIONID x x x Oracle user’s session identifier

ENTRYID x x Numeric ID for each audit trail entry in the session

STATEMENTID x x nth statement in the user session

OBJECT_OWNER x x Database Owner account of the object affected by the action

OBJECT_NAME x x Name of the Database object affected by the action

LOGOFF_LREAD x x Number of logical reads for the session

LOGOFF_PREAD x x Number of physical reads for the session

LOGOFF_LWRITE x x Number of logical writes for the session

LOGOFF_DEAD x x Number of deadlocks detected during the session

SESSION_CPU x x Amount of CPU time used by each Oracle session

CLIENT_ADDRESS x Text comment on the audit trail entry

COMMENT_TEXT x x Text comment on the audit trail entry

IP_ADDRESS x x x IP address of the connected database user

NET_PROTOCOL x x x Network protocol of the connected database user

NET_PORT x x x Network Port of the connected database user

SYS_OPTIONS x x Numeric identifier for granted privileges or audited options

SYS_PRIVILEGE x x System privileges granted or revoked

OBJ_PRIVILEGE x x Object privileges granted or revoked

GRANTEE x x Grantee of the privilege, audited user on audit statements

AUDIT_OPTION x x Auditing option set

CURRENT_USER x Effective user for the statement execution

RETURNCODE x x x x Oracle error code generated by the action. Ex: 0 - Action succeeded. 6564 - Object does not exist

DBID x x x x Numeric database identifier of the audited database

NT_MESSAGE x x x x NT Event original message text


5.4 Appendix A4 - Bug Fixes and Existing Issues

Bug fixes in 1.2.0:

This is the first official release of the Omega Core Audit NT Agent!

Existing Issues in 1.2.0:

1. (WMI) NT empty message

The WMI query fails to retrieve the NT Message and returns it empty although content does exist. The error occurs when an IPv6 entry is present in the audit trail; see the case below.

Behavior verified:

OS: Windows 64 bit
Oracle: 12c R2 for Win64
Tool: wbemtest.exe

Audit trail:

LENGTH: "459" SESSIONID:[6] "420040" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[16] "OMEGACATESTDBA01" USERHOST:[25] "WORKGROUP\WINCTRL-ODG3R7J" TERMINAL:[15] "WINCTRL-ODG3R7J" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[115] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=fe80::dd3c:9367:b31e:43d2%11)(PORT=50406))" OS$USERID:[29] "WINCTRL-ODG3R7J\Administrator" DBID:[10] "3931518429" PRIV$USED:[1] "5" CURRENT_USER:[16] "OMEGACATESTDBA01".

This is not a problem of the software, but a Windows WMI-level one. It can be verified by using the Windows WMI test tool wbemtest.exe.

In this case the record is delivered to Splunk with an Audit Type field set to Unknown!
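The audit trail quoted in this appendix shows the message layout that field extraction works on: NAME:[length] "value" pairs. As an added illustration (not DATAPLUS code), the Python parser below splits such a message using the declared lengths and reads the client address out of COMMENT$TEXT, including an IPv6 host with a zone index. The keys IP_VERSION and ZONE_ID are hypothetical, and naming the address parts after the Appendix A3 fields NET_PROTOCOL, IP_ADDRESS and NET_PORT is an assumption.

```python
import ipaddress
import re

# Field header: NAME, optional [declared length], then the opening quote.
_FIELD = re.compile(r'([A-Z][A-Z0-9_$]*):(?:\[(\d+)\])?\s*"')
# Oracle Net client address as it appears inside COMMENT$TEXT.
_ADDR = re.compile(
    r'\(ADDRESS=\(PROTOCOL=([^)]+)\)\(HOST=([^)]+)\)\(PORT=(\d+)\)\)')

# Record quoted in Appendix A4 of this guide (not constructed).
SAMPLE = (
    r'LENGTH: "459" SESSIONID:[6] "420040" ENTRYID:[1] "1" STATEMENT:[1] "1" '
    r'USERID:[16] "OMEGACATESTDBA01" USERHOST:[25] "WORKGROUP\WINCTRL-ODG3R7J" '
    r'TERMINAL:[15] "WINCTRL-ODG3R7J" ACTION:[3] "100" RETURNCODE:[1] "0" '
    r'COMMENT$TEXT:[115] "Authenticated by: DATABASE; Client address: '
    r'(ADDRESS=(PROTOCOL=tcp)(HOST=fe80::dd3c:9367:b31e:43d2%11)(PORT=50406))" '
    r'OS$USERID:[29] "WINCTRL-ODG3R7J\Administrator" DBID:[10] "3931518429" '
    r'PRIV$USED:[1] "5" CURRENT_USER:[16] "OMEGACATESTDBA01".'
)

# Constructed record: the value itself contains double quotes.
QUOTED = 'ACTION:[3] "100" COMMENT$TEXT:[9] "say "hi"!" RETURNCODE:[1] "0"'


def parse_audit_message(msg):
    """Return (fields, problems) for one Oracle OS audit record message."""
    fields, problems = {}, []
    pos = 0
    while True:
        m = _FIELD.search(msg, pos)
        if m is None:
            break
        name, declared = m.group(1), m.group(2)
        start = m.end()
        if declared is not None:
            # Use the declared length so that quotes inside the value
            # cannot end the field early.
            end = start + int(declared)
            if msg[end:end + 1] != '"':
                problems.append(f"{name}: declared length {declared} "
                                "does not end at a quote")
                end = msg.find('"', start)
        else:
            end = msg.find('"', start)
        if end == -1:
            problems.append(f"{name}: unterminated value")
            break
        fields[name] = msg[start:end]
        pos = end + 1
    return fields, problems


def client_address(fields):
    """Pull protocol, host and port out of COMMENT$TEXT, or return None."""
    m = _ADDR.search(fields.get("COMMENT$TEXT", ""))
    if m is None:
        return None
    # A link-local IPv6 host carries a zone index after '%'.
    host, _, zone = m.group(2).partition("%")
    try:
        version = ipaddress.ip_address(host).version
    except ValueError:
        version = None  # HOST was a name, not an IP literal
    return {
        "NET_PROTOCOL": m.group(1),
        "IP_ADDRESS": host,
        "IP_VERSION": version,   # hypothetical key
        "ZONE_ID": zone or None,  # hypothetical key
        "NET_PORT": int(m.group(3)),
    }


if __name__ == "__main__":
    parsed, issues = parse_audit_message(SAMPLE)
    print(len(parsed), "fields,", len(issues), "problems")
    print(client_address(parsed))
```

An empty message, as returned in the WMI case above, yields no fields and no problems, so a consumer can tell "nothing to parse" apart from a malformed record.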


5.5 Appendix A5 - References

The following resources are listed as references relevant to Omega Core Audit NT Agent operations.

1. Oracle Dictionary views audit-related:

DBA_AUDIT_TRAIL https://docs.oracle.com/database/121/REFRN/GUID-A9993FAC-12D3-4725-A37D-938CC32D74CC.htm#REFRN23023

DBA_AUDIT_STATEMENT https://docs.oracle.com/database/121/REFRN/GUID-181FEC64-A7D8-4FC3-8DBD-A2F812213848.htm#REFRN23022

DBA_AUDIT_OBJECT https://docs.oracle.com/database/121/REFRN/GUID-DE848F66-13A9-414C-AB43-7ADDD5B59DF6.htm#REFRN23019

DBA_AUDIT_SESSION https://docs.oracle.com/database/121/REFRN/GUID-C89F5D18-5918-4A5A-8F6C-972111C19A1A.htm#REFRN23021

DBA_STMT_AUDIT_OPTS https://docs.oracle.com/database/121/REFRN/GUID-82DE8AE1-CB64-4F44-A6DA-CE19B2BBEF3B.htm#REFRN23255

DBA_PRIV_AUDIT_OPTS https://docs.oracle.com/database/121/REFRN/GUID-C1879C38-35D9-4097-8ABE-047C0461A308.htm#REFRN23167

DBA_OBJ_AUDIT_OPTS https://docs.oracle.com/database/121/REFRN/GUID-A6E91022-1EF6-4805-A567-6E5AC45F8FC9.htm#REFRN23141

AUDIT_ACTIONS https://docs.oracle.com/database/121/REFRN/GUID-4EC2B658-F2A4-4E38-9906-A89D5861364C.htm#REFRN29501

STMT_AUDIT_OPTION_MAP https://docs.oracle.com/database/121/REFRN/GUID-229C65FB-2AEE-4CE8-A2CD-12AA70E6B0CC.htm#REFRN29507

SYSTEM_PRIVILEGE_MAP https://docs.oracle.com/database/121/REFRN/GUID-F41FFD18-4CBF-4ED3-825C-F6BE44DA2FF1.htm#REFRN29508

V$PARAMETER https://docs.oracle.com/database/121/REFRN/GUID-C86F3AB0-1191-447F-8EDF-4727D8693754.htm#REFRN30176

2. Oracle Initialization Parameters Audit-related:

AUDIT_SYS_OPERATIONS https://docs.oracle.com/database/121/REFRN/GUID-58176267-238C-40B5-B1F2-BB8BB9518950.htm#REFRN10005

AUDIT_TRAIL https://docs.oracle.com/database/121/REFRN/GUID-BD86F593-B606-4367-9FB6-8DAB2E47E7FA.htm#REFRN10006

AUDIT_FILE_DEST https://docs.oracle.com/database/121/REFRN/GUID-82C7E258-EEF7-48D2-B06B-7F949686E54B.htm#REFRN10004

AUDIT_SYSLOG_LEVEL https://docs.oracle.com/database/121/REFRN/GUID-EBBAD1D4-A4F8-49A4-9C4E-7CF6A085CB53.htm#REFRN10263


3. Other Docs:

The AUDIT command https://docs.oracle.com/cd/E11882_01/server.112/e41084/statements_4007.htm#SQLRF01107

Verifying Security Access with Auditing https://docs.oracle.com/cd/E11882_01/network.112/e36292/auditing.htm#DBSEG006

SYSDBA and SYSOPER System Privileges https://docs.oracle.com/database/121/ADMQS/GUID-2033E766-8FE6-4FBA-97E0-2607B083FA2C.htm#ADMQS12004

What Do the Operating System and Database Audit Trails Have in Common? https://docs.oracle.com/cd/E11882_01/network.112/e36292/auditing.htm#DBSEG353

Oracle Database Auditing: Performance Guidelines http://www.oracle.com/technetwork/products/audit-vault/learnmore/twp-security-auditperformance-166655.pdf

Monitoring a Database on Windows https://docs.oracle.com/database/121/NTQRF/monitor.htm#NTQRF080


5.6 Appendix B - Technical Support and Copyrights

Support:

The Omega Core Audit NT Agent Edition is free to use in live, production, commercial and test systems!

DATAPLUS is committed to its further development and improvement, as this work is a courtesy of DATAPLUS to all Oracle database security related professionals!

For product documentation, forum and knowledge base, please visit our site: www.dataplus-al.com

For technical issues, comments, ideas and impressions, please e-mail us at: [email protected]

Support Levels:

1. Basic      new versions, upgrades, fixes and new vulnerability controls, documentation.
2. Medium     general software usage issues, for both the NT Agent and the Splunk interface.
3. Advanced   Oracle database auditing for security compliance support.

The first level, Basic, is free with no strings attached! The Medium and Advanced levels are commercial options. Details on all three options are found on our website, on the Omega Core Audit NT (Agent and App for Splunk) pages.

SLA:

Response Time SLA: 2 Business Days
Support Call/Online: 09:00 GMT to 21:00 GMT, Monday to Friday
Emergencies: we are here to help
Resolution Time: case-related

For commercial support levels, please e-mail us at: [email protected]

DATAPLUS

Tirana, Albania
Street Address: Bul. Zog I, P. “Edicom”, 8F.
E-Mail: [email protected]
Cel: +355 68 2061664
Tel: +355 42419275

Follow us on the following social media sites:

YouTube DATAPLUS channel: https://www.youtube.com/channel/UCa59qQuGg5tvd2vIe1MsMOw

LinkedIn DATAPLUS page: https://www.linkedin.com/company/dataplus-al

Peerlyst DATAPLUS page: https://www.peerlyst.com/companies/dataplus/dashboard

Copyright:

Copyright © 2007-2017 DATAPLUS. All rights reserved. Omega Core Audit NT Agent is protected by US, EU and international copyright laws. No part of this work may be reproduced, stored in a retrieval system, adopted or transmitted in any form or by any means, electronic or otherwise, translated in any language or computer language, without the prior written permission of DATAPLUS. Omega Core Audit NT Agent and the DATAPLUS logo are trademarks of DATAPLUS. All other trademarks are the property of their respective owners.