Following a question on the blog post Database Audit and Audit trail purging, I noticed something interesting about the DEFAULT_CLEANUP_INTERVAL parameter. On the one hand, it is mandatory to initialize the audit trail and to define a DEFAULT_CLEANUP_INTERVAL; on the other hand, the parameter is not used at all. Oracle explains this in the MOS note Parameter DEFAULT_CLEANUP_INTERVAL of DBMS_AUDIT_MGMT.INIT_CLEANUP procedure [1243324.1].
Quote Oracle Support (MOS Note 1243324.1):
The dbms_audit_mgmt.init_cleanup parameter DEFAULT_CLEANUP_INTERVAL is not intended to be used to control the frequency of execution of audit management automatic cleanup. This parameter, although assigned a value during initialisation of audit infrastructure, is unused in current releases. However, in future releases it is intended to be used to control functionality which automatically partitions audit tables based on their archive frequency. This functionality already exists in the DBMS_AUDIT_MGMT package but is disabled in current releases. This is not a classified product bug, but expected behaviour.
According to the MOS Note DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL Not Clearing FGA Audit Trail When Using Last Archive Timestamp [1532676.1], it could be a no-go for audit purging if DEFAULT_CLEANUP_INTERVAL has not been set, i.e. the audit trail was never initialized. Conclusion: initialize the audit trail and define a value for the default cleanup interval, but set up a purge job manually.
I'm curious what Oracle plans for the future: a unified and self-purging audit trail?
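The conclusion above, as an added example in PL/SQL (not code from the original post): the audit trail is initialized with the mandatory DEFAULT_CLEANUP_INTERVAL, the last archive timestamp is recorded so that only archived records get purged, and a purge job is created explicitly with DBMS_AUDIT_MGMT.CREATE_PURGE_JOB rather than relying on the unused interval. The 24-hour interval, the 7-day retention and the job name DAILY_AUDIT_PURGE are constructed sample values; the script assumes a user with EXECUTE on DBMS_AUDIT_MGMT and SELECT on the DBA_AUDIT_MGMT_* views.

```sql
-- Added example, not from the original post. Sample values (24 h, 7 days,
-- job name) are constructed; adapt them to your retention policy.

-- 1. Initialize cleanup for the standard and FGA audit trails (AUD$ and FGA_LOG$).
--    DEFAULT_CLEANUP_INTERVAL (in hours) must be supplied even though current
--    releases do not use it to schedule anything.
BEGIN
  IF NOT DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD) THEN
    DBMS_AUDIT_MGMT.INIT_CLEANUP(
      audit_trail_type         => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
      default_cleanup_interval => 24);
  END IF;
END;
/

-- 2. Record the point up to which the audit trail has been archived, separately
--    for the standard and the FGA trail. A purge with use_last_arch_timestamp
--    => TRUE only deletes records older than this, so unarchived evidence stays.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_AUD_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '7' DAY);
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_FGA_STD,
    last_archive_time => SYSTIMESTAMP - INTERVAL '7' DAY);
END;
/

-- 3. Create the purge job manually; this, not DEFAULT_CLEANUP_INTERVAL,
--    controls how often the trail is cleaned (every 24 hours here).
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB(
    audit_trail_type           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_DB_STD,
    audit_trail_purge_interval => 24,
    audit_trail_purge_name     => 'DAILY_AUDIT_PURGE',
    use_last_arch_timestamp    => TRUE);
END;
/

-- 4. Verify the configuration: the (unused) interval, the archive timestamps
--    and the scheduled purge job.
SELECT audit_trail, parameter_name, parameter_value
  FROM dba_audit_mgmt_config_params
 WHERE parameter_name LIKE 'DEFAULT CLEAN%';

SELECT audit_trail, rac_instance, last_archive_ts
  FROM dba_audit_mgmt_last_arch_ts;

SELECT job_name, job_status, audit_trail, job_frequency
  FROM dba_audit_mgmt_cleanup_jobs;
```

In practice the SET_LAST_ARCHIVE_TIMESTAMP calls belong in the archiving procedure itself (after the export or Audit Vault collection has succeeded), so the timestamp always reflects what has really been secured elsewhere before the purge job removes it.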
A few Metalink notes related to audit and audit management:
- Master Note For Oracle Database Auditing
- Known Issues When Using: DBMS_AUDIT_MGMT
- How to Truncate, Delete, or Purge Rows from the Audit Trail Table AUD$
- DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL Not Clearing FGA Audit Trail When Using Last Archive Timestamp
- Parameter DEFAULT_CLEANUP_INTERVAL of DBMS_AUDIT_MGMT.INIT_CLEANUP procedure
As I announced a while ago in SOUG Special Interest Group Baden March 21st, I'll speak again about some improvements in the latest generation of Oracle Database. The content of the presentation is a mixture of the presentations I've given at SOUG SIG Baden and DOAG SIG Security Munich. It covers the following possible new features, which will be explained with several practical examples.
- Data Redaction
- Unified Database Auditing
- Role and Privilege Analysis
More Information on the Event is available on the DOAG website.
Because this presentation contains preliminary information, the slides will not be available for download yet. But I will make the download link available once the dust settles on the latest Generation of Database Technology…
Just a couple of hours ago I gave a presentation about the latest Generation of Database Technology at the DOAG SIG Security in München. It is a sneak preview of a few upcoming security improvements. Unfortunately I do not yet have permission to provide the presentation for download. But I will make the download link available once the dust settles on the latest Generation of Database Technology…
So stay tuned.
In the hustle and bustle of the Christmas season, it went unnoticed that Oracle had released a new version of Oracle Audit Vault, or rather Oracle Audit Vault and Database Firewall. This weekend I found some time to take a first look into the new release.
About a year ago Oracle released the Audit Vault Server 10.3 (see New release of Oracle Audit Vault). During this update Oracle mainly moved internally to a 126.96.36.199 database. The architecture remained more or less the same. But this has changed now. Oracle is trying to complete its security portfolio and has therefore merged the two products Oracle Audit Vault and Oracle Database Firewall into the new Oracle Audit Vault and Database Firewall. From the security officer's point of view it is definitely more interesting to have only one platform. On the other hand, a software appliance is not necessarily a favorite of DBAs and Unix admins. What about updates, HA, backup & recovery etc.? I'll try to consider these thoughts in a later post on installing and configuring the new Oracle Audit Vault and Database Firewall.
Some short notes on the new features:
- Oracle Audit Vault and Database Firewall is released as a software appliance-based platform
- Internally Oracle uses Oracle 188.8.131.52 including Advanced Security and Database Vault to enforce database security and segregation of duties
- One simple setup installs and configures the operating system, software, database, web frontend etc.
- Audit Vault Agents for:
  - Oracle Database 10g
  - Oracle Database 11g
  - Microsoft SQL Server 2000
  - Microsoft SQL Server 2005
  - Microsoft SQL Server 2008
  - Sybase Adaptive Server Enterprise (ASE) versions 12.5.4 to 15.0.x
  - IBM DB2 version 9.x (Linux, UNIX, Microsoft Windows)
  - Solaris operating system
  - Oracle ACFS
  - Microsoft Windows Server 2008
  - Microsoft Windows Server 2008 R2
  - Microsoft Active Directory 2008
  - Microsoft Active Directory 2008 R2 on 64 bit
As initially mentioned, Audit Vault and Database Firewall are moving closer together. Oracle Audit Vault is now also the data storage and analysis platform for the Oracle Database Firewall. The former Database Firewall Management Server is eliminated and replaced by Oracle Audit Vault.
An important note here is that Oracle Audit Vault can no longer be installed on different platforms as before. It is rather a software appliance like the Oracle Database Firewall. The license for each of Oracle Audit Vault and Oracle Database Firewall always includes a license for Oracle Enterprise Linux as well. For the installation only the appropriate hardware is required. This can be a virtual or a physical host. To set up my test environment, I've used virtual servers as usual.
Oracle AVDF Requirements
To install Oracle AVDF the following minimal hardware requirements must be met. See the online installation guide for more details on the installation requirements, in particular for the supported secured target products (agents).
- x86 64-bit Server
- 2 GB RAM
- one 125 GB hard drive
- 1 NIC for Audit Vault Server
- 1 NIC for Database Firewall Proxy Mode
- 2 NICs for Database Firewall DAM Mode (monitoring)
- 3 NICs for Database Firewall DPE Mode (blocking)
In addition to the hardware the following software is required to begin the installation:
- Oracle Linux Release 5 Update 8 for x86_64 (64 Bit) V31120-01 (3.7GB)
- Oracle Audit Vault and Database Firewall (184.108.40.206.0) – Server V35715-01 (3.4GB)
- Oracle Audit Vault and Database Firewall (220.127.116.11.0) – Database Firewall V35716-01 (3.1GB)
The server cannot be used for other activities; the setup of either Oracle Audit Vault or Oracle Database Firewall will completely reimage it. But I'll post more details on the installation later this month.
Links all around the new Oracle Audit Vault and Database Firewall…
I haven't found time to write any blog post in the past weeks. Nevertheless I would like to inform you about the upcoming security lounge in Basel, at which I'll give two lectures about Oracle Security. It's a small event with just one speaker. OK, it was planned to have a second one, but that did not work out. The event is organized by the DOAG regional group Freiburg and SOUG. It will start at 17:30 on the 24th of April.
Have a look at the DOAG webpage for a detailed agenda of the event and the location. Looking forward to seeing you there.
I’ll post the slides for both presentations shortly after the event on this page.
Sometime at the beginning of 2012 Oracle quietly released an update of Oracle Audit Vault. So far only for Linux x86-64, but I guess other OS will follow. The new release is available through OTN or Oracle eDelivery. You'll have to download around 2.3 GB for the Audit Vault Server and another 620 MB for the Audit Vault Collection Agent. According to the Oracle Audit Vault documentation this release has the following new features.
- Starting with this release Oracle uses a 18.104.22.168 Database as Audit Vault repository
- change of console URL respectively port from old http://host:5700/av to new https://host:1158/av
- Updated MS SQL Server JDBC Driver. MS SQL Server JDBC Driver version 3.0 has to be used to configure Microsoft SQL Server source databases
- Support for Sybase Adaptive Server Enterprise 15.5 and IBM DB2 9.7 for Linux, UNIX and MS Windows
- SSL and HTTPS are configured automatically. Because of this, two avca commands have been removed (secure_agent, secure_av)
OK, the update to 11gR2 was somewhat foreseeable; I wonder more why it took that long. Anyway, I'll set up a VM to do a short test installation and check what the new Audit Vault looks like. I'll post my experience with the installation a bit later.
More details on these new features as well as on all changes for 10.2.3.2 and 10.2.3.1 can be found in the Oracle® Audit Vault Administrator's Guide and Oracle Audit Vault Auditor's Guide on OTN.
A while ago I found an Oracle white paper discussing the performance impact of Oracle database audit (Oracle Database Auditing: Performance Guidelines). It's pretty obvious that Oracle audit can have an impact on performance. But I've never compared different audit trails and audit settings in terms of performance. According to the figures it is recommended to use file-based audit trails for performance-critical applications rather than database-based ones. On the other hand, database-based audit trails are easier to query and to analyse.
The tests in the white paper were done with a TPC-C-like workload which generates approximately 250 audit records per second. Unfortunately it was not clearly stated which audit settings were used to generate this amount of records. Were only the 11g default audit settings used, or custom-defined object auditing as well?
In my experience the performance impact isn't that critical when just a set of system privileges is audited. On the other hand, enabling object auditing for a bunch of objects can produce a large number of audit records. Therefore it is quite crucial to have a clear idea of what to audit when defining the audit concept and the audit trail.
If time permits, I will try to have a closer look into the performance impact of Oracle database audit.
What experience have you had with the performance impact of database audit? Are you using file-based audit trails (OS, XML) rather than database audit trails? What do you audit? Just a few system privileges or also a lot of DML on tables? Any feedback / comment is welcome.
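To get the "clear idea of what to audit" the post asks for, the audit configuration and the volume it actually produces can be measured before deciding on a trail type. The following queries are an added example (not from the original post or the white paper); they assume AUDIT_TRAIL is set to DB or DB,EXTENDED so the records are queryable through DBA_AUDIT_TRAIL and DBA_FGA_AUDIT_TRAIL, and a user with SELECT on those DBA_ views and on V$PARAMETER. The one-day window and the top-20 cut-off are constructed sample values.

```sql
-- Added example, not from the original post. Assumes AUDIT_TRAIL=DB[,EXTENDED];
-- the 1-day window and the top-20 limit are constructed sample values.

-- 1. Which trail is configured, and is SYS auditing (always file-based) on?
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations', 'audit_file_dest');

-- 2. What is audited. Statement and privilege options are usually cheap;
--    object options on busy tables are the ones that can explode the volume.
SELECT 'PRIV' AS kind, user_name, privilege AS audited, success, failure
  FROM dba_priv_audit_opts
UNION ALL
SELECT 'STMT', user_name, audit_option, success, failure
  FROM dba_stmt_audit_opts
 ORDER BY 1, 2, 3;

SELECT owner, object_name, object_type, sel, ins, upd, del, exe
  FROM dba_obj_audit_opts
 WHERE sel <> '-/-' OR ins <> '-/-' OR upd <> '-/-'
    OR del <> '-/-' OR exe <> '-/-';

-- 3. Audit records per hour over the last day, expressed per second so the
--    figure can be compared with the ~250 records/s workload of the white paper.
SELECT TRUNC(CAST(extended_timestamp AS DATE), 'HH') AS hour,
       COUNT(*)                                      AS records,
       ROUND(COUNT(*) / 3600, 2)                     AS records_per_second
  FROM dba_audit_trail
 WHERE extended_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 GROUP BY TRUNC(CAST(extended_timestamp AS DATE), 'HH')
 ORDER BY 1;

-- 4. Which actions and objects generate the bulk of the standard trail.
--    A few tables dominating this list usually means object auditing, not
--    privilege auditing, is what drives the cost.
SELECT *
  FROM (SELECT action_name, owner, obj_name, COUNT(*) AS records
          FROM dba_audit_trail
         WHERE extended_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
         GROUP BY action_name, owner, obj_name
         ORDER BY COUNT(*) DESC)
 WHERE ROWNUM <= 20;

-- 5. Fine-grained audit records over the same window, per policy and object.
SELECT policy_name, object_schema, object_name, COUNT(*) AS records
  FROM dba_fga_audit_trail
 WHERE extended_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 GROUP BY policy_name, object_schema, object_name
 ORDER BY records DESC;
```

Running queries 3 to 5 once against a representative workload window gives the records-per-second rate for your own settings; the same rate measured after trimming the noisiest object audit options shows how much of the load was avoidable before a switch to an OS or XML trail is even considered.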