1. Audit Vault Architecture
How Audit Vault works (see the figure): on the source side, an Audit Vault Agent is installed to collect from Oracle, SQL Server, Sybase ASE and IBM DB2; it retrieves the audit data and pushes it to the Audit Vault Server. For Oracle databases, REDO, DBAUD and OSAUD data are collected.
Database | Collector | Audit trails collected |
Oracle Database | DBAUD | Collects from the following audit trails: Oracle Database Vault audit trail, where audit events are written to the DVSYS.AUDIT_TRAIL$ dictionary table |
Oracle Database | OSAUD | Collects data from the following audit trails: |
Oracle Database | REDO | Collects audit data from logical change records (LCRs) from the REDO logs. If you plan to use the REDO collector, you can define the data to audit by creating capture rules for the tables from which the REDO collector will capture audit information. |
Characteristic | OSAUD | DBAUD | REDO |
Select | √ | √ | √ |
DML | √ | √ | |
DDL | √ | √ | √ |
Before and After Values | √ | | |
Success and Failure | √ | √ | |
SQL TEXT | √ | √ | |
SYS Auditing | √ | √ | |
Other considerations | Separation of Duties | FGA data | Supplemental logging may be required for values |
Audit Vault Server 10.3 runs on a customized Oracle 11g (11.2.0.3) data warehouse. This database is secured by Database Vault, and OC4J provides the Audit Vault console and the database EM console. The warehouse contains a set of dimension tables through which the AV auditor user can query the audit data to build custom reports, send email notifications and set up alerts. The AV Admin user manages and configures the Audit Vault Server.
2. Audit Vault Download and Platform Support
2.1 Download location
Audit Vault Server 10.3 and Agent 10.3 for all supported platforms can be downloaded from: http://www.oracle.com/technetwork/products/audit-vault/downloads/index.html
2.2 Platform support
Starting with 10.3.0 there is no longer a Windows Server version.
Oracle Audit Vault Server Certification [ID 848408.1]
The 10.3.0 Agent can be installed on Windows, but only on 64-bit; on 32-bit only an older Agent version can be installed.
3. Audit Vault 10.3 Pre-installation Checks
3.1 Hardware requirements
3.1.1 Memory requirements
Minimum: 1 GB
Recommended: 2 GB or more
[root@avserver ~]# grep MemTotal /proc/meminfo
MemTotal:      2059632 kB
3.1.2 Swap space requirements
The swap space requirements are shown in the table below:
RAM | Swap Space |
Between 1 GB and 2 GB | 1.5 times the size of the RAM |
Between 2 GB and 16 GB | Equal to the size of RAM |
More than 16 GB | 16 GB |
[root@avserver ~]# grep SwapTotal /proc/meminfo
SwapTotal:     4200988 kB
3.1.3 Confirm that the shared memory filesystem is larger than the MEMORY_TARGET parameter, otherwise Automatic Memory Management cannot work
On the Initialization Parameters page, note the Memory Size (SGA and PGA), which sets the initialization parameter MEMORY_TARGET or MEMORY_MAX_TARGET. Note that the initialization parameters cannot be greater than the shared memory file system on the operating system.
[root@avserver ~]# umount tmpfs
[root@avserver ~]# mount -t tmpfs shmfs -o size=1500m /dev/shm
[root@avserver ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda3              16G  2.9G   12G  20% /
/dev/sda1              99M   12M   83M  13% /boot
shmfs                 1.5G     0  1.5G   0% /dev/shm
To make this permanent, add the following line to /etc/fstab:
tmpfs /dev/shm tmpfs size=1500m 0 0
3.2 System requirements
3.2.1 Disk space requirements
/tmp needs at least 1 GB of free space:
[root@avserver ~]# df -h /tmp
The installation needs at least 6.75 GB: 4.45 GB for the software files and 2.30 GB for the data files.
Installation Type | Requirement for Software Files (GB) | Disk Space for Data Files (GB) |
Oracle Audit Vault Server | 4.45 | 2.30 |
3.2.2 Package requirements
The required packages are listed below:
Asianux Server 3, Oracle Linux 5, and Red Hat Enterprise Linux 5: the following packages (or later versions) must be installed:
binutils-2.17.50.0.6
compat-libstdc++-33-3.2.3
compat-libstdc++-33-3.2.3 (32 bit)
elfutils-libelf-0.125
elfutils-libelf-devel-0.125
gcc-4.1.2
gcc-c++-4.1.2
glibc-2.5-24
glibc-2.5-24 (32 bit)
glibc-common-2.5
glibc-devel-2.5
glibc-devel-2.5 (32 bit)
glibc-headers-2.5
ksh-20060214
libaio-0.3.106
libaio-0.3.106 (32 bit)
libaio-devel-0.3.106
libaio-devel-0.3.106 (32 bit)
libgcc-4.1.2
libgcc-4.1.2 (32 bit)
libstdc++-4.1.2
libstdc++-4.1.2 (32 bit)
libstdc++-devel 4.1.2
make-3.81
numactl-devel-0.9.8.x86_64
sysstat-7.0.2
3.2.3 Set network parameters
Add the following to /etc/sysctl.conf:
net.ipv4.ip_local_port_range = 9000 65500
Then run sysctl -p so that the setting takes effect.
3.2.4 Create the OS user and groups
Create the oinstall, dba and oper groups and the oracle user, as shown below:
[root@avserver ~]# groupadd -g 501 oinstall
[root@avserver ~]# groupadd -g 502 dba
[root@avserver ~]# groupadd -g 503 oper
[root@avserver ~]# useradd -u 501 -g oinstall -G dba,oper oracle
[root@avserver ~]# passwd oracle
Changing password for user oracle.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@avserver ~]# id oracle
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper)
3.2.5 Set resource limits
Add the following to /etc/security/limits.conf:
oracle soft nproc 2047
oracle hard nproc 16384
oracle soft nofile 1024
oracle hard nofile 65536
oracle soft stack 10240
3.2.6 Set kernel parameters
Add the following to /etc/sysctl.conf:
fs.aio-max-nr = 1048576
fs.file-max = 6815744
kernel.shmall = 2097152
kernel.shmmax = 1054531584
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.ipv4.ip_local_port_range = 9000 65500
net.core.rmem_default = 262144
net.core.rmem_max = 4194304
net.core.wmem_default = 262144
net.core.wmem_max = 1048586
Then run sysctl -p so that the settings take effect.
3.2.7 Create the installation directory
[root@avserver ~]# mkdir -p /oracle/app/oracle/product/10.3.0/av_1
[root@avserver ~]# chown -R oracle:oinstall /oracle
[root@avserver ~]# chmod -R 755 /oracle
3.2.8 Set the oracle user's environment variables
Log in as the oracle user and edit .bash_profile:
TMP=/tmp
TMPDIR=/tmp
export TMP TMPDIR
ORACLE_BASE=/oracle/app/oracle; export ORACLE_BASE
ORACLE_HOME=/oracle/app/oracle/product/10.3.0/av_1; export ORACLE_HOME
ORACLE_HOSTNAME=avserver.localdomain; export ORACLE_HOSTNAME
ORACLE_SID=av; export ORACLE_SID
PATH=/usr/sbin:$PATH; export PATH
PATH=$ORACLE_HOME/bin:$PATH; export PATH
LD_LIBRARY_PATH=$ORACLE_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH
3.2.9 Map the hostname to its IP address
Add the following to /etc/hosts:
192.168.56.1 avserver.localdomain avserver
3.2.10 Install the cvuqdisk package
Upload the installation media and unpack it; the package is at the path shown below:
./Disk1/stage/cvu/cv/remenv/cvuqdisk-1.0.9-1.rpm
[root@avserver remenv]# rpm -Uvh cvuqdisk-1.0.9-1.rpm
Preparing...                ########################################### [100%]
Using default group oinstall to install package
   1:cvuqdisk               ########################################### [100%]
4. Installing Audit Vault 10.3
After the installation, check the AV status:
[oracle@avserver ~]$ avctl show_av_status
Oracle Audit Vault 10g Database Control Release 10.3.0.0.0
Copyright (c) 2006, 2011 Oracle Corporation.  All rights reserved.
https://avserver.localdomain:1158/av
Oracle Audit Vault 10g is running.
------------------------------------
Logs are generated in directory /oracle/app/oracle/product/10.3.0/av_1/av/log
5. Installing the Audit Vault Agent
With the Audit Vault Server installed, we now install the Audit Vault Agent. We install it on a machine running Oracle 11g on Oracle Enterprise Linux 5.4.
5.1 Add the agent with the avca command (run on the server side)
First, add a line to /etc/hosts mapping the agent host's IP address:
----From Audit Server
[root@avserver Server]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       avserver.localdomain avserver localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
192.168.56.149  avserver.localdomain avserver
192.168.56.115  oracle11g.localdomain oracle11g
Then add the agent with the avca command:
----From Audit Server
[oracle@avserver ~]$ avca add_agent -agentname agent1 -agenthost oracle11g.localdomain
Enter agent user name: agentuser1
Enter agent user password:
Re-enter agent user password:
Agent added successfully.
5.2 Installing the Agent
First, add a line to /etc/hosts mapping the avserver host's IP address:
----From Source DB
[root@oracle11g ~]# more /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
192.168.56.115  oracle11g.localdomain oracle11g
192.168.56.149  avserver.localdomain avserver
The Connect String must be entered as Hostname:Port:Service Name.
The Hostname must be mapped in /etc/hosts, Port is the port the Server's listener listens on, and the Service Name can be found in the Server's tnsnames.ora file.
[oracle@oracle11g bin]$ cd /oracle/app/oracle/product/avagent/bin/
[oracle@oracle11g bin]$ ./avctl show_oc4j_status
————————————
Agent is running
————————————
6. Registering the Source Database and Collectors
6.1 Create a user on the Source Database
----From Source DB
SQL> CREATE USER srcuser_ora IDENTIFIED BY srcuser;
User created.
[oracle@oracle11g source]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.3.0 Production on Tue Jun 26 23:06:45 2012
Copyright (c) 1982, 2011, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> @/oracle/app/oracle/product/avagent/av/scripts/streams/source/zarsspriv.sql
Enter value for 1: srcuser_ora
Enter value for 2: setup
Granting privileges to SRCUSER_ORA ... Done.
For Value 1, enter the user name you just created.
Value 2 has the following options; here we choose SETUP.
SETUP: For the OSAUD and DBAUD collectors, and for policy management
REDO_COLL: For the REDO log collector; includes all privileges that are granted using the argument mode SETUP
6.2 Check the compatibility of the Source Database with the Collector
----From Source DB
lsnrctl status
cat $ORACLE_HOME/network/admin/tnsnames.ora
SQL> show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_trail                          string      DB
The listener must be running on the Source Database, and the audit_trail parameter must be set. It can be set to DB, OS or XML; here I use XML, EXTENDED.
ALTER SYSTEM SET audit_trail= XML, EXTENDED scope=spfile;
SQL> show parameter audit
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_trail                          string      XML, EXTENDED
----From Audit Server
[oracle@avserver ~]$ avorcldb verify -src oracle11g.localdomain:1521:db11g -colltype ALL
Enter Source user name: srcuser_ora
Enter Source password:
source DB11G verified for OS File Audit Collector collector
source DB11G verified for Aud$/FGA_LOG$ Audit Collector collector
parameter _JOB_QUEUE_INTERVAL is not set; recommended value is 1
parameter UNDO_RETENTION = 900 is not in recommended value range [3600 - ANY_VALUE]
parameter GLOBAL_NAMES = false is not set to recommended value true
ERROR: source database must be in ARCHIVELOG mode to use REDO LOG collector
ERROR: set the above init.ora parameters to recommended/required values
After verification, it recommends setting some parameters to their recommended values. To collect REDO, the Source Database must be in ARCHIVELOG mode. After changing the parameters on the Source Database, the output is as follows.
[oracle@avserver ~]$ avorcldb verify -src oracle11g.localdomain:1521:db11g -colltype ALL
Enter Source user name: srcuser_ora
Enter Source password:
source DB11G verified for OS File Audit Collector collector
source DB11G verified for Aud$/FGA_LOG$ Audit Collector collector
source DB11G verified for REDO Log Audit Collector collector
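The settings that avorcldb verify flagged can be checked and corrected directly on the source database before the verify run is repeated. The following SQL*Plus script is an added example, not part of the original post; it assumes SYSDBA access on the source database and uses the recommended values printed in the verify output above (setting the hidden parameter with ALTER SYSTEM is an assumption based on that output).

```sql
-- Added example (not from the original post): check and fix the source-database
-- settings reported by "avorcldb verify". Run as SYSDBA on the source database.

-- 1. Visible parameters: audit_trail, undo_retention, global_names.
--    The simple CASE on name guarantees TO_NUMBER only runs for undo_retention.
SELECT name, value,
       CASE name
         WHEN 'audit_trail'    THEN CASE WHEN UPPER(value) NOT IN ('NONE', 'FALSE')
                                         THEN 'OK' ELSE 'FIX' END
         WHEN 'undo_retention' THEN CASE WHEN TO_NUMBER(value) >= 3600
                                         THEN 'OK' ELSE 'FIX' END
         WHEN 'global_names'   THEN CASE WHEN UPPER(value) = 'TRUE'
                                         THEN 'OK' ELSE 'FIX' END
       END AS status
FROM   v$parameter
WHERE  name IN ('audit_trail', 'undo_retention', 'global_names')
ORDER  BY name;

-- 2. Hidden parameter _job_queue_interval: it does not appear in v$parameter
--    unless explicitly set, so read it from the x$ fixed tables (SYS only).
SELECT i.ksppinm AS name, v.ksppstvl AS value,
       CASE WHEN v.ksppstvl = '1' THEN 'OK' ELSE 'FIX' END AS status
FROM   x$ksppi i, x$ksppcv v
WHERE  i.indx = v.indx
AND    i.ksppinm = '_job_queue_interval';

-- 3. ARCHIVELOG mode, required only if the REDO collector will be used.
SELECT log_mode,
       CASE WHEN log_mode = 'ARCHIVELOG' THEN 'OK'
            ELSE 'FIX (needed for REDO collector only)' END AS status
FROM   v$database;

-- 4. Corrections for anything reported as FIX. The SPFILE-only changes and the
--    switch to ARCHIVELOG mode need the restart shown below (assumption: the
--    hidden parameter is set the same way as the visible ones).
ALTER SYSTEM SET audit_trail = XML, EXTENDED SCOPE = SPFILE;
ALTER SYSTEM SET undo_retention = 3600 SCOPE = BOTH;
ALTER SYSTEM SET global_names = TRUE SCOPE = BOTH;
ALTER SYSTEM SET "_job_queue_interval" = 1 SCOPE = SPFILE;
SHUTDOWN IMMEDIATE
STARTUP MOUNT
ALTER DATABASE ARCHIVELOG;
ALTER DATABASE OPEN;
```

Re-run avorcldb verify from the Audit Vault Server afterwards; all three collector types should then report as verified, as in the output above.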
6.3 Register the Source Database on the Audit Vault Server
----From Audit Server
[oracle@avserver ~]$ avorcldb add_source -src oracle11g.localdomain:1521:db11g -srcname db11g -agentname agent1
Enter Source user name: srcuser_ora
Enter Source password:
Adding source...
Source added successfully.
remember the following information for use in avctl
Source name (srcname): db11g
Credential stored successfully.
Mapping Source to Agent...
-srcname is a name you choose yourself; it is needed later when adding the Collector.
After the Source Database is registered, the following entry is added to tnsnames.ora:
[oracle@avserver ~]$ cat /oracle/app/oracle/product/10.3.0/av_1/network/admin/tnsnames.ora
# Alias for oracle11g
SRCDB1 = (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=oracle11g.localdomain)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=db11g)))
6.4 Add Collectors to Oracle Audit Vault
Before adding a collector, note that if you use OSAUD you need to set the audit trail's OS FILE MAX SIZE. If you use DBAUD or REDO, this setting can be skipped.
BEGIN
  DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY(
    AUDIT_TRAIL_TYPE           => DBMS_AUDIT_MGMT.AUDIT_TRAIL_OS,
    AUDIT_TRAIL_PROPERTY       => DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE,
    AUDIT_TRAIL_PROPERTY_VALUE => 204800);
END;
/
PL/SQL procedure successfully completed.
Next, add the Collector on the Audit Vault Server. For this test I used OSAUD.
----From Audit Server
[oracle@avserver ~]$ avorcldb add_collector -srcname db11g -agentname agent1 -colltype OSAUD -orclhome /oracle/app/oracle/product/11.2.0/db_1
source db11g verified for OS File Audit Collector collector
Adding collector...
Collector added successfully.
remember the following information for use in avctl
Collector name (collname): OSAUD_Collector
----Parameter description
srcname: the name defined with avorcldb add_source.
agentname: the agent name used when the agent was installed.
colltype: dbaud, osaud or redo.
orclhome: the ORACLE_HOME of the source database.
When creation completes you are given a Collector name; remember it, since it is needed later to start the Collector.
6.5 Add credentials on the Audit Agent
----From Audit Agent
[oracle@oracle11g ~]$ export ORACLE_HOME=/oracle/app/oracle/product/avagent/
[oracle@oracle11g ~]$ cd $ORACLE_HOME
[oracle@oracle11g avagent]$ cd bin
[oracle@oracle11g bin]$ ./avorcldb setup -srcname db11g
Enter Source user name: srcuser_ora
Enter Source password:
adding credentials for user srcuser_ora for connection [SRCDB1]
Credential stored successfully.
updated tnsnames.ora with alias [SRCDB1] to source database
verifying SRCDB1 connection using wallet
6.6 Start the Collector on the Audit Server
----From Audit Server
[oracle@avserver ~]$ avctl start_collector -collname OSAUD_Collector -srcname db11g
Starting collector...
Collector started successfully.
Afterwards you can log in with the avadmin account to check, as shown below: the collector's status is UP.
7. Demonstration
With all this configured, only the installation and configuration are complete; there are many more audit policies to define. Here I only give a small demonstration; if you are interested, you can work out the audit policies together with the end customer.
First, log in as the avauditor user at https://192.168.56.149:1158/av/, as shown in the figure:
Select the object and add the following settings, which is equivalent to:
AUDIT DELETE, INSERT, SELECT, UPDATE ON test.t1 BY ACCESS;
Then log in to the Source Database as the test user and perform some operations, as follows:
insert into t1 select * from dba_tables;
delete from t1 where rownum<=20;
delete from t1 where rownum<=100;
select * from t1 where rownum<=100;
Click Audit Reports -> Data Access and the following result is shown
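As an added example (not from the original post), the same policy expressed in SQL, followed by queries that confirm the source database is actually writing records for the OSAUD collector before the Audit Vault report is consulted. It assumes audit_trail = XML, EXTENDED as set in 6.2, a TEST schema that owns T1, and DBA privileges for the checking session.

```sql
-- Added example (not from the original post): object audit policy for the demo
-- and source-side verification that records reach the OS audit trail.

-- 1. The policy the console setting corresponds to (needs AUDIT ANY or ownership).
AUDIT DELETE, INSERT, SELECT, UPDATE ON test.t1 BY ACCESS;

-- 2. Confirm the options are in force. Each column shows success/failure
--    settings: A/A = by access for both, S/S = by session, -/- = not audited.
SELECT owner, object_name, del, ins, sel, upd
FROM   dba_obj_audit_opts
WHERE  owner = 'TEST' AND object_name = 'T1';

-- 3. The activity from the demo above, run as user TEST.
INSERT INTO t1 SELECT * FROM dba_tables;
DELETE FROM t1 WHERE ROWNUM <= 20;
DELETE FROM t1 WHERE ROWNUM <= 100;
SELECT * FROM t1 WHERE ROWNUM <= 100;

-- 4. With audit_trail = XML, EXTENDED the records are XML files under
--    audit_file_dest, which is exactly what the OSAUD collector reads.
--    V$XML_AUDIT_TRAIL parses those files, so the rows below are what the
--    collector will ship; SQL_TEXT is populated because of EXTENDED.
SELECT extended_timestamp, db_user, os_user, userhost,
       object_schema, object_name, action, returncode, sql_text
FROM   v$xml_audit_trail
WHERE  object_schema = 'TEST' AND object_name = 'T1'
ORDER  BY extended_timestamp;

-- 5. Translate the numeric ACTION code through SYS.AUDIT_ACTIONS
--    (2 = INSERT, 3 = SELECT, 6 = UPDATE, 7 = DELETE) and keep only failures
--    (RETURNCODE <> 0), the rows worth alerting on in the Audit Vault console.
SELECT x.extended_timestamp, x.db_user, a.name AS action_name,
       x.returncode, x.sql_text
FROM   v$xml_audit_trail x
JOIN   audit_actions     a ON a.action = x.action
WHERE  x.object_schema = 'TEST' AND x.object_name = 'T1'
AND    x.returncode <> 0
ORDER  BY x.extended_timestamp;
```

If step 4 returns nothing, the problem is on the source side (policy or audit_trail), not in the collector; if it returns rows that never appear in the Data Access report, check the collector status and log in avctl.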