Audit Vault 10.3 Implementation Guide

1. Audit Vault Architecture

[Figure: Audit Vault architecture]

How Audit Vault works, as shown in the figure: on the source side an Audit Vault Agent is installed to collect from Oracle, SQL Server, Sybase ASE and IBM DB2; it retrieves the audit data and pushes it to the Audit Vault Server. For Oracle databases, the REDO, DBAUD and OSAUD audit trails are collected.

DBAUD collects from the following Oracle Database audit trails:

  • Oracle Database audit trail, where standard audit events are written to the SYS.AUD$ dictionary table
  • Oracle Database fine-grained audit trail, where audit events are written to the SYS.FGA_LOG$ dictionary table
  • Oracle Database Vault audit trail, where audit events are written to the DVSYS.AUDIT_TRAIL$ dictionary table

OSAUD collects data from the following audit trails:

  • On Linux and UNIX platforms: the Oracle database audit files written to the operating system (.aud files) and syslog files (but not compressed syslog files)
  • On Windows platforms: the Windows Event Log and the operating system audit logs in XML (.xml) files

REDO collects audit data from logical change records (LCRs) in the redo logs. If you plan to use the REDO collector, you define the data to audit by creating capture rules for the tables from which the REDO collector will capture audit information.
Comparison of the collectors by characteristic (Select, DML, DDL, before and after values, success and failure, SQL text, SYS auditing) and other considerations:

  • OSAUD: other considerations: separation of duties
  • DBAUD: other considerations: FGA data
  • REDO: other considerations: supplemental logging may be required for values

Audit Vault Server 10.3 runs in a customized Oracle 11g (11.2.0.3) data warehouse. This database is secured by Database Vault, and OC4J hosts the Audit Vault console and the database EM console. The warehouse contains a set of dimension tables through which the AV auditor user can query the audit data to build custom reports, send e-mail notifications and configure alerts. The AV admin user manages and configures the Audit Vault Server.

2. Audit Vault Download and Platform Support

2.1 Download

Audit Vault Server 10.3 and Agent 10.3 can be downloaded for the supported platforms from: http://www.oracle.com/technetwork/products/audit-vault/downloads/index.html

2.2 Platform Support

From 10.3.0 onwards there is no Windows version of the Server. See Oracle Audit Vault Server Certification [ID 848408.1].

The 10.3.0 Agent can be installed on Windows, but only on 64-bit systems; on 32-bit Windows only an older Agent release can be installed. See Oracle Audit Vault Server Certification [ID 848408.1].

3. Pre-installation Checks for Audit Vault 10.3

3.1 Hardware Requirements
3.1.1 Memory

Minimum: 1 GB
Recommended: 2 GB or more

[root@avserver ~]# grep MemTotal /proc/meminfo
MemTotal:      2059632 kB

3.1.2 Swap space

Swap space requirements are shown in the following table:

RAM                       Swap Space
Between 1 GB and 2 GB     1.5 times the size of the RAM
Between 2 GB and 16 GB    Equal to the size of RAM
More than 16 GB           16 GB
[root@avserver ~]# grep SwapTotal /proc/meminfo
SwapTotal:     4200988 kB

3.1.3 Confirm that the shared memory filesystem is larger than MEMORY_TARGET, otherwise Automatic Memory Management cannot work

On the Initialization Parameters page, note the Memory Size (SGA and PGA), which sets the initialization parameter MEMORY_TARGET or MEMORY_MAX_TARGET. Note that the initialization parameters cannot be greater than the shared memory file system on the operating system.

[root@avserver ~]# umount tmpfs
[root@avserver ~]# mount -t tmpfs shmfs -o size=1500m /dev/shm
[root@avserver ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              16G  2.9G   12G  20% /
/dev/sda1              99M   12M   83M  13% /boot
shmfs                 1.5G     0  1.5G   0% /dev/shm

To make this permanent, add the following line to /etc/fstab:

tmpfs                   /dev/shm                tmpfs   size=1500m       0 0

3.2 System Requirements
3.2.1 Disk space

/tmp needs at least 1 GB of free space:

[root@avserver ~]# df -h /tmp

The installation needs at least 6.75 GB: 4.45 GB for the software files and 2.30 GB for the data files.

Installation Type            Software Files (GB)    Data Files (GB)
Oracle Audit Vault Server    4.45                   2.30

3.2.2 Package requirements

The required packages are listed below:

Asianux Server 3, Oracle Linux 5 and Red Hat Enterprise Linux 5: the following packages (or later versions) must be installed:
binutils-2.17.50.0.6
compat-libstdc++-33-3.2.3
compat-libstdc++-33-3.2.3 (32 bit)
elfutils-libelf-0.125
elfutils-libelf-devel-0.125
gcc-4.1.2
gcc-c++-4.1.2
glibc-2.5-24
glibc-2.5-24 (32 bit)
glibc-common-2.5
glibc-devel-2.5
glibc-devel-2.5 (32 bit)
glibc-headers-2.5
ksh-20060214
libaio-0.3.106
libaio-0.3.106 (32 bit)
libaio-devel-0.3.106
libaio-devel-0.3.106 (32 bit)
libgcc-4.1.2
libgcc-4.1.2 (32 bit)
libstdc++-4.1.2
libstdc++-4.1.2 (32 bit)
libstdc++-devel 4.1.2
make-3.81
numactl-devel-0.9.8.x86_64
sysstat-7.0.2

3.2.3 Network parameters

Add the following to /etc/sysctl.conf:

net.ipv4.ip_local_port_range = 9000 65500

Then run sysctl -p so the setting takes effect and persists.

3.2.4 Create the operating system user and groups

Create the oinstall, dba and oper groups and the oracle user, as shown:

[root@avserver ~]# groupadd -g 501 oinstall
[root@avserver ~]# groupadd -g 502 dba
[root@avserver ~]# groupadd -g 503 oper
[root@avserver ~]# useradd -u 501 -g oinstall -G dba,oper oracle
[root@avserver ~]# passwd oracle
Changing password for user oracle.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@avserver ~]# id oracle
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper)

3.2.5 Resource limits

Add the following to /etc/security/limits.conf:

oracle              soft    nproc   2047
oracle              hard    nproc   16384
oracle              soft    nofile  1024
oracle              hard    nofile  65536
oracle              soft    stack   10240

3.2.6 Kernel parameters

Add the following to /etc/sysctl.conf:

fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 1054531584
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048586

Then run sysctl -p so the settings take effect and persist.

3.2.7 Create the installation directory

[root@avserver ~]# mkdir -p /oracle/app/oracle/product/10.3.0/av_1
[root@avserver ~]# chown -R oracle:oinstall /oracle
[root@avserver ~]# chmod -R 755 /oracle

3.2.8 Environment variables for the oracle user

Log in as the oracle user and edit .bash_profile:

TMP=/tmp
TMPDIR=/tmp
export TMP TMPDIR
ORACLE_BASE=/oracle/app/oracle; export ORACLE_BASE
ORACLE_HOME=/oracle/app/oracle/product/10.3.0/av_1; export ORACLE_HOME
ORACLE_HOSTNAME=avserver.localdomain; export ORACLE_HOSTNAME
ORACLE_SID=av; export ORACLE_SID
PATH=/usr/sbin:$PATH; export PATH
PATH=$ORACLE_HOME/bin:$PATH; export PATH
LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH

3.2.9 Map the hostname to its IP address

Add the following to /etc/hosts:

192.168.56.1    avserver.localdomain    avserver

3.2.10 Install the cvuqdisk package

Upload and unpack the installation media; the package is at the following path:

./Disk1/stage/cvu/cv/remenv/cvuqdisk-1.0.9-1.rpm
[root@avserver remenv]# rpm -Uvh cvuqdisk-1.0.9-1.rpm
Preparing...             ########################################### [100%]
Using default group oinstall to install package
1:cvuqdisk               ########################################### [100%]
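
A script that checks the requirements from sections 3.1 and 3.2 on the server host before the installer is started (RAM, swap sized from the table in 3.1.2, /dev/shm against MEMORY_TARGET, /tmp and install-directory space, the package list, and the kernel parameters). It is an added example, not Oracle's installer or its own checker; AV_MEMORY_TARGET_MB, AV_ORACLE_BASE and AV_PRECHECK are variables assumed by this script.

```shell
#!/bin/sh
# Pre-installation checks for the Audit Vault Server host (added example, not
# Oracle tooling). AV_MEMORY_TARGET_MB, AV_ORACLE_BASE and AV_PRECHECK are
# assumed variables; defaults are 1500 MB (the tmpfs size above) and /oracle.
mem_target_mb=${AV_MEMORY_TARGET_MB:-1500}
oracle_base=${AV_ORACLE_BASE:-/oracle}
kb_per_gb=1048576
# Required swap in kB for a RAM size in kB, per the table in 3.1.2.
required_swap_kb() {
    if [ "$1" -le $((2 * kb_per_gb)) ]; then echo $(($1 * 3 / 2))
    elif [ "$1" -le $((16 * kb_per_gb)) ]; then echo "$1"
    else echo $((16 * kb_per_gb)); fi
}
# Available kB on the filesystem holding path $1.
avail_kb() { df -Pk "$1" | awk 'NR == 2 { print $4 }'; }
# Returns 0 when every number in actual ($1) is >= the matching number in
# wanted ($2); handles multi-value keys such as kernel.sem.
meets_min() {
    awk -v a="$1" -v w="$2" 'BEGIN {
        n = split(a, x, " "); m = split(w, y, " "); if (n != m) exit 1
        for (i = 1; i <= n; i++) if (x[i] + 0 < y[i] + 0) exit 1; exit 0 }'
}
# check <description> <command...>: prints PASS/FAIL instead of aborting.
check() {
    desc=$1; shift
    if "$@" >/dev/null 2>&1; then echo "PASS  $desc"; else echo "FAIL  $desc"; fi
}
run_checks() {
    ram=$(awk '/^MemTotal/ { print $2 }' /proc/meminfo)
    swap=$(awk '/^SwapTotal/ { print $2 }' /proc/meminfo)
    shm=$(df -Pk /dev/shm | awk 'NR == 2 { print $2 }')
    check "RAM >= 1 GB (2 GB recommended)" [ "$ram" -ge "$kb_per_gb" ]
    check "swap >= $(required_swap_kb "$ram") kB" [ "$swap" -ge "$(required_swap_kb "$ram")" ]
    check "/dev/shm >= MEMORY_TARGET (${mem_target_mb} MB)" [ "$shm" -ge $((mem_target_mb * 1024)) ]
    check "/tmp >= 1 GB free" [ "$(avail_kb /tmp)" -ge "$kb_per_gb" ]
    check "$oracle_base >= 6.75 GB free" [ "$(avail_kb "$oracle_base")" -ge 7077888 ]
    for p in binutils compat-libstdc++-33 elfutils-libelf gcc gcc-c++ glibc glibc-devel \
             ksh libaio libaio-devel libgcc libstdc++ libstdc++-devel make sysstat; do
        check "package $p" rpm -q "$p"
    done
    for kv in "fs.aio-max-nr=1048576" "fs.file-max=6815744" "kernel.shmall=2097152" \
              "kernel.shmmax=1054531584" "kernel.sem=250 32000 100 128"; do
        check "sysctl ${kv%%=*} >= ${kv#*=}" meets_min "$(sysctl -n "${kv%%=*}" 2>/dev/null)" "${kv#*=}"
    done
}
# Only run the host checks when asked, so the functions can also be sourced.
if [ "${AV_PRECHECK:-0}" = 1 ]; then run_checks; fi
```

Run it as root with AV_PRECHECK=1 sh precheck.sh; every FAIL line maps to one of the steps above.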

4. Installing Audit Vault 10.3

[Screenshots of the installer steps]

After the installation, check the AV status:

[oracle@avserver ~]$ avctl show_av_status
Oracle Audit Vault 10g Database Control Release 10.3.0.0.0
Copyright (c) 2006, 2011 Oracle Corporation. All rights reserved.
https://avserver.localdomain:1158/av
Oracle Audit Vault 10g is running.
------------------------------------
Logs are generated in directory /oracle/app/oracle/product/10.3.0/av_1/av/log

5. Installing the Audit Vault Agent

With the Audit Vault Server installed, we now install the Audit Vault Agent, on a machine running Oracle 11g on Oracle Enterprise Linux 5.4.

5.1 Add the agent with avca (run on the server)

First add a line for the agent host's IP mapping to /etc/hosts:

----From Audit Server
[root@avserver Server]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 avserver.localdomain avserver localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.56.149 avserver.localdomain avserver
192.168.56.115 oracle11g.localdomain oracle11g

Then add the agent with the avca command:

----From Audit Server
[oracle@avserver ~]$ avca add_agent -agentname agent1 -agenthost oracle11g.localdomain
Enter agent user name: agentuser1
Enter agent user password:
Re-enter agent user password:
Agent added successfully.

5.2 Agent installation

First add a line for the avserver host's IP mapping to /etc/hosts:

----From Source DB
[root@oracle11g ~]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.56.115 oracle11g.localdomain oracle11g
192.168.56.149 avserver.localdomain avserver

The Connect String has the form Hostname:Port:Service Name.
The hostname must be mapped in /etc/hosts, the port is the listener port on the server, and the service name can be found in the server's tnsnames.ora file.

[oracle@oracle11g bin]$ cd /oracle/app/oracle/product/avagent/bin/
[oracle@oracle11g bin]$ ./avctl show_oc4j_status
————————————
Agent is running
————————————

6. Register the Source Database and Collectors

6.1 Create a user on the source database
----From Source DB
SQL> CREATE USER srcuser_ora IDENTIFIED BY srcuser;
User created.
[oracle@oracle11g source]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Tue Jun 26 23:06:45 2012
Copyright (c) 1982, 2011, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> @/oracle/app/oracle/product/avagent/av/scripts/streams/source/zarsspriv.sql
Enter value for 1: srcuser_ora
Enter value for 2: setup
Granting privileges to SRCUSER_ORA ... Done.

For value 1, enter the user you just created.
Value 2 has the following options; here we choose SETUP:
  • SETUP: for the OSAUD and DBAUD collectors, and for policy management
  • REDO_COLL: for the REDO log collector; includes all privileges granted by the SETUP mode

6.2 Check the source database's compatibility with the collectors
----From Source DB
lsnrctl status
cat $ORACLE_HOME/network/admin/tnsnames.ora
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_trail string DB

The listener must be running on the source database and the audit_trail parameter must be set. It can be DB, OS or XML; here I use XML, EXTENDED.

ALTER SYSTEM SET audit_trail= XML, EXTENDED scope=spfile;
SQL> show parameter audit
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
audit_trail string XML, EXTENDED

----From Audit Server
[oracle@avserver ~]$ avorcldb verify -src oracle11g.localdomain:1521:db11g -colltype ALL
Enter Source user name: srcuser_ora
Enter Source password:
source DB11G verified for OS File Audit Collector collector
source DB11G verified for Aud$/FGA_LOG$ Audit Collector collector
parameter _JOB_QUEUE_INTERVAL is not set; recommended value is 1
parameter UNDO_RETENTION = 900 is not in recommended value range [3600 - ANY_VALUE]
parameter GLOBAL_NAMES = false is not set to recommended value true
ERROR: source database must be in ARCHIVELOG mode to use REDO LOG collector
ERROR: set the above init.ora parameters to recommended/required values

After verification, it recommends setting a few parameters to their recommended values. To collect redo, the source database must be in ARCHIVELOG mode. After changing the parameters on the source database, the output is as follows:

[oracle@avserver ~]$ avorcldb verify -src oracle11g.localdomain:1521:db11g -colltype ALL
Enter Source user name: srcuser_ora
Enter Source password:
source DB11G verified for OS File Audit Collector collector
source DB11G verified for Aud$/FGA_LOG$ Audit Collector collector
source DB11G verified for REDO Log Audit Collector collector

6.3 Register the source database on the Audit Vault Server

----From Audit Server

[oracle@avserver ~]$ avorcldb add_source -src oracle11g.localdomain:1521:db11g -srcname db11g -agentname agent1
Enter Source user name: srcuser_ora
Enter Source password:
Adding source...
Source added successfully.
remember the following information for use in avctl
Source name (srcname): db11g
Credential stored successfully.
Mapping Source to Agent...

The -srcname value is a name you choose; it is needed later when adding collectors.
After the source database is registered, the following entry is added to tnsnames.ora:

[oracle@avserver ~]$ cat /oracle/app/oracle/product/10.3.0/av_1/network/admin/tnsnames.ora
# Alias for oracle11g
SRCDB1 = (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle11g.localdomain)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=db11g)))

6.4 Add collectors to Oracle Audit Vault

Before adding a collector, note that if you use OSAUD you need to set the audit trail's OS_FILE_MAX_SIZE; with DBAUD and REDO this step can be skipped.

BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    AUDIT_TRAIL_TYPE           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
    AUDIT_TRAIL_PROPERTY       => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
    AUDIT_TRAIL_PROPERTY_VALUE => 204800);
END;
/
PL/SQL procedure successfully completed.

Next, add the collector on the Audit Vault Server. For this test I used OSAUD.

----From Audit Server
[oracle@avserver ~]$ avorcldb add_collector -srcname db11g -agentname agent1 -colltype OSAUD -orclhome /oracle/app/oracle/product/11.2.0/db_1
source db11g verified for OS File Audit Collector collector
Adding collector...
Collector added successfully.
remember the following information for use in avctl
Collector name (collname): OSAUD_Collector

----Parameter notes
  • srcname: the name you gave in avorcldb add_source
  • agentname: the agent name used when the agent was added
  • colltype: dbaud, osaud or redo
  • orclhome: the ORACLE_HOME of the source database

When the collector is created it returns a collector name; remember it, as it is needed later to start the collector.


6.5 Add credentials on the Audit Agent
----From Audit Agent
[oracle@oracle11g ~]$ export ORACLE_HOME=/oracle/app/oracle/product/avagent/
[oracle@oracle11g ~]$ cd $ORACLE_HOME
[oracle@oracle11g avagent]$ cd bin
[oracle@oracle11g bin]$ ./avorcldb setup -srcname db11g
Enter Source user name: srcuser_ora
Enter Source password:
adding credentials for user srcuser_ora for connection [SRCDB1]
Credential stored successfully.
updated tnsnames.ora with alias [SRCDB1] to source database
verifying SRCDB1 connection using wallet

6.6 Start the collector on the Audit Server
----From Audit Server
[oracle@avserver ~]$ avctl start_collector -collname OSAUD_Collector -srcname db11g
Starting collector...
Collector started successfully.

Once this is done, log in as avadmin to check; as shown below, the collector status is UP.

7. Demonstration

At this point only the installation and configuration are done; there are many more audit policies to define. I give only a small demonstration here; if interested, discuss with the end customer to work out an audit policy.

First log in as the avauditor user at https://192.168.56.149:1158/av/, as shown:

Select the object and add the following settings, which are equivalent to:

AUDIT DELETE, INSERT, SELECT, UPDATE ON test.t1 BY ACCESS;

Then log in to the source database as the test user and run a few statements:

insert into t1 select * from dba_tables;
delete from t1 where rownum<=20;
delete from t1 where rownum<=100;
select * from t1 where rownum<=100;

Click Audit Reports -> Data Access to see the following result:
