Abstract: This is the functional design specification of the Oracle Audit Vault and Database Firewall Alert Event Security Parser.
Feature(s): -
Author: sshahed
Version: 1.0(Draft)
Reviewers
Date Who Team Comments
Approvers
Date Who Title Comments
Delivery Checklist

| Item | Date | Comments |
|---|---|---|
| Function Design Document | 19-May-2017 | |
| OSEF Mapping | 19-May-2017 | Attached to confluence page |
| Sample Logs | 19-May-2017 | Attached to confluence page |
| Base parser (logtypes) | 19-May-2017 | Attached to confluence page |
| Extended parsing and tagging (sources, efd, etc.) | 19-May-2017 | Attached to confluence page |
| Oracle JSON validation | TBD | |
| Oracle production signoff | TBD | |
2 Background
This document tracks the design and implementation discussions surrounding SEF normalization of Oracle Audit Vault and Database Firewall (AVDF) syslog messages. It does not discuss how to set up and configure an AVDF system; instead it focuses on how to parse, SEF-normalize and tag the Audit Vault's file-based log.
Once an AVDF system is running, the Audit Vault Server (AVS) can be configured to send the AVS audit logs to another host machine's syslog file. That syslog file, which lives on a host outside the AVDF system, can then be consumed and processed by OMC Log Analytics and eventually by Security Analytics.
The initial implementation for OMC Security Monitoring and Analytics (SMA) focuses on Audit Vault logs in Unix syslog files. In the near future, the same audit log data should also be accessible from AVS database table(s).
2.1 Terminology
Oracle AVDF includes the Audit Vault Server, the Database Firewall, and the Audit Vault Agent.
1. For each secured target, the Audit Vault Agent has been deployed, and/or the Database Firewall has been placed in the network and configured to protect that target.
If the agent has been deployed, Oracle AVDF is configured to collect the appropriate audit trail from the secured target. If the Database Firewall is protecting the target, a firewall policy has been applied for that target.
You can configure multiple secured targets from different database product families, as well as non-database products, using the same Audit Vault Server.
2. The Audit Vault Agent retrieves the audit data from secured targets and sends this data to the Audit Vault Server.
The Database Firewall monitors SQL traffic to database secured targets and sends that data to the Audit Vault Server. The firewall can be configured to monitor and raise alerts only, or to block SQL traffic and optionally substitute statements according to a policy.
3. The data warehouse organizes this data into a set of internal dimension tables. The Audit Vault Server stores other information as well, for both the auditor and the administrator.
4. Once the audit data is in the data warehouse dimension tables, an auditor can generate and customize reports, as well as configure email notifications.
Any settings that you create, such as security settings, are contained in this server.
2.2 References
1. https://docs.oracle.com/cd/E37100_01/doc.121/e27777/intro.htm
2. https://docs.oracle.com/cd/E37100_01/doc.121/e27777/schema.htm
3. http://docs.oracle.com/cd/E69292_01/index.html
4. https://docs.oracle.com/cd/E37100_01/doc.121/e27777/schema.htm#SIGAU40278
1. Oracle AVDF needs to have all required security policies that are relevant for OMC SMA created.
2. The Oracle AVS server needs to forward audit logs to syslog on a host machine that can run an OMC LA agent.
3. OMC 1.18+, which includes the Oracle AVDF LA parser.
3 Design Contacts
OSEF team lead developer: sumon.shahed@oracle.com
Backup developer:
5 LA Parser Considerations
Outline the components of the parser.
6 Analysis
OMC LA's base syslog file parser processes each log entry and creates the following fields:
TIMESTAMP
srvrhostname
service
ospid
msg
In the case of the AVDF log shown in Appendix -> Sample Data, the base parser will extract:
TIMESTAMP (e.g. Feb 6 16:55:27)
srvrhostname (e.g. avs)
service (e.g. logger)
msg (e.g. [AVDFAlert@111 (EVENT(1/1)=(AN= )
An extended field parser was created to further parse the payload carried in the LA base field named msg into the fields required for SMA. Note that the relative positions of these fields in the AVDF log are fixed.
SEF tagging is done by avdfalert_tags using all the fields created by the extended field parser.
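The two-stage parse described above, as an added illustration that is not the OMC LA parser itself: a base syslog stage that yields TIMESTAMP, srvrhostname, service, ospid and msg, and an extended stage that splits the AVDFAlert payload into its KEY="value" tags. The tag-to-SEF mapping is assumed from the field names in the Example JSON section; the sample line is the mbody value from that section, and the parser matches tags by name rather than by position.

```python
import re

# Constructed sample: the mbody syslog line from the Example JSON section of this document.
SAMPLE = ('Feb 6 16:56:06 avs logger: [AVDFAlert@111 (EVENT(1/1)=(AN="Super User Login" '
          'AT="2017-02-06T21:56:06.619261-05:00" ASE="Critical" AST="New" AD=" " '
          'URL="https://192.168.56.200/console/f?p=7700:33:::NO::P33_ALERT_ID:2244" AID="2244" '
          'STN="DBSecOS" STT="Linux" EN="SUDO_SUDO" ET="2/6/2017 11:55:33 AM UTC" ES="SUCCESS" '
          'CC="EXECUTE" OSUN="oracle" UN="oracle" CHN="" CIP="" CP="/usr/bin/sudo" '
          'TOBJ="/usr/bin/sudo" TTYPE="PROGRAM" TOWN="root" ATT="DIRECTORY" '
          'ATL="/var/log/audit/audit.log" EP="" EPM="" ACTION="" PN="" TS="" CT="" '
          'CID="" GV="" LC="" EC=""))]')

# Stage 1: the base syslog fields listed in section 6; the [pid] part is optional in syslog.
BASE_RE = re.compile(r'^(?P<TIMESTAMP>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<srvrhostname>\S+) '
                     r'(?P<service>[^\[:]+?)(?:\[(?P<ospid>\d+)\])?: (?P<msg>.*)$')
# Stage 2: KEY="value" tags inside the AVDFAlert payload; values may be empty or a lone space.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Assumed tag -> SEF/LA field mapping, taken from the names in the Example JSON section.
SEF_MAP = {'AN': 'sefAction', 'ASE': 'sevlvl', 'URL': 'detailloc', 'STN': 'sefSourceEPName',
           'EN': 'eventid', 'ES': 'status', 'CC': 'sefCommand', 'UN': 'sefSourceEPAccountName',
           'CHN': 'sefActorEPName', 'CIP': 'sefActorEPNwAddress',
           'TOBJ': 'eventtarget', 'TTYPE': 'eventtargettype'}

def parse_base(line):
    m = BASE_RE.match(line)
    if not m:
        raise ValueError('not a syslog line: %r' % line[:40])
    return {k: v for k, v in m.groupdict().items() if v is not None}

def parse_avdf_alert(msg):
    # Only the AVDFAlert structured-data block is an alert event; anything else is skipped.
    if not msg.startswith('[AVDFAlert@'):
        return None
    return dict(KV_RE.findall(msg))

def to_sef(line):
    base = parse_base(line)
    fields = parse_avdf_alert(base['msg'])
    if fields is None:
        return None
    sef = {k: base[k] for k in ('TIMESTAMP', 'srvrhostname', 'service')}
    # Empty tags (CHN="", CIP="") are dropped rather than emitted as empty SEF fields.
    sef.update({name: fields[tag] for tag, name in SEF_MAP.items() if fields.get(tag)})
    # Observer fields are constants for this log source, as in the Example JSON section.
    sef.update({'sefObserverEPProduct': 'Oracle Audit Vault and Database Firewall',
                'sefObserverEPType': 'AVDF', 'sefObserverEPManufacturer': 'Oracle',
                'sefLogFormat': 'em_host_syslog_avdfalert', 'mseccategory': 'alert'})
    return sef
```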
7 Design Discussion
This section describes the required SEF mapping for the AVDF fields that are useful for OMC SMA.
7.3 SEF Mappings for AVDF Alert Events (in AVS Database Tables)
In progress: needs to be implemented and tested first. Requires access to an AVS DB populated with useful data.

AVSYS.EVENT_LOG Table

| Column Name | LA / SEF Field Name | Comment |
|---|---|---|
| ACTION | | TBD |
| AV_TIME | sefEndEventTime | |
| SECURED_TARGET_NAME | sefSourceEPName | |
| SECURED_TARGET_TYPE | sefSourceEPType | |
| EVENT_NAME | eventid | |
| EVENT_TIME | sefStartEventTime | |
| EVENT_STATUS | status | |
| COMMAND_CLASS | sefCommand | |
| USER_NAME | sefSourceEPAccountName | |
| CLIENT_HOST_NAME | sefActorEPName | |
| CLIENT_IP | sefActorEPNwAddress | |
| TARGET_OBJECT | eventtarget | |
| TARGET_TYPE | eventtargettype | |
| THREAT_SEVERITY | sefSourceEPAccountSummaryRisk | |

AVSYS.ALERT_STORE Table

| Field Name | LA / SEF Field Name | Comment |
|---|---|---|
| ALERT_NAME | sefAction | TBD |
| ALERT_SEVERITY | sevlvl | |
8 Example JSON
{
  "id":"b6a99afb511a3dd2b2e5d858058c28020a7A0",
  "mguid":"b6a99afb511a3dd2b2e5d858058c28020a7",
  "mlogent":"Joydip_EMCSAS-3839.log",
  "mtgtguid":"AA84B1E5C965AB239FE2095158EEFBA2",
  "muploadid":-462246114838981815,
  "mtgttype":"omc_host_linux",
  "mtgt":"AVDFJoydipData",
  "msrcid":-1988864882359077022,
  "time":"2017-02-06T16:56:06Z",
  "mparserid":-1353330754,
  "mdstime":"2017-04-26T20:00:31.796Z",
  "mprtime":"2017-04-26T20:00:35.264Z",
  "sefLogFormat":"em_host_syslog_avdfalert",
  "detailloc":"https://192.168.56.200/console/f?p=7700:33:::NO::P33_ALERT_ID:2244",
  "sefCommand":"EXECUTE",
  "sefSourceEPName":"DBSecOS",
  "status":"SUCCESS",
  "eventtargettype":"PROGRAM",
  "mseccategory":"alert",
  "sefSourceEPAccountName":"oracle",
  "mbody":"Feb 6 16:56:06 avs logger: [AVDFAlert@111 (EVENT(1/1)=(AN=\"Super User Login\" AT=\"2017-02-06T21:56:06.619261-05:00\" ASE=\"Critical\" AST=\"New\" AD=\" \" URL=\"https://192.168.56.200/console/f?p=7700:33:::NO::P33_ALERT_ID:2244\" AID=\"2244\" STN=\"DBSecOS\" STT=\"Linux\" EN=\"SUDO_SUDO\" ET=\"2/6/2017 11:55:33 AM UTC\" ES=\"SUCCESS\" CC=\"EXECUTE\" OSUN=\"oracle\" UN=\"oracle\" CHN=\"\" CIP=\"\" CP=\"/usr/bin/sudo\" TOBJ=\"/usr/bin/sudo\" TTYPE=\"PROGRAM\" TOWN=\"root\" ATT=\"DIRECTORY\" ATL=\"/var/log/audit/audit.log\" EP=\"\" EPM=\"\" ACTION=\"\" PN=\"\" TS=\"\" CT=\"\" CID=\"\" GV=\"\" LC=\"\" EC=\"\"))]",
  "msg":"[AVDFAlert@111 (EVENT(1/1)=(AN=\"Super User Login\" AT=\"2017-02-06T21:56:06.619261-05:00\" ASE=\"Critical\" AST=\"New\" AD=\" \" URL=\"https://192.168.56.200/console/f?p=7700:33:::NO::P33_ALERT_ID:2244\" AID=\"2244\" STN=\"DBSecOS\" STT=\"Linux\" EN=\"SUDO_SUDO\" ET=\"2/6/2017 11:55:33 AM UTC\" ES=\"SUCCESS\" CC=\"EXECUTE\" OSUN=\"oracle\" UN=\"oracle\" CHN=\"\" CIP=\"\" CP=\"/usr/bin/sudo\" TOBJ=\"/usr/bin/sudo\" TTYPE=\"PROGRAM\" TOWN=\"root\" ATT=\"DIRECTORY\" ATL=\"/var/log/audit/audit.log\" EP=\"\" EPM=\"\" ACTION=\"\" PN=\"\" TS=\"\" CT=\"\" CID=\"\" GV=\"\" LC=\"\" EC=\"\"))]",
  "eventid":"SUDO_SUDO",
  "srvrhostname":"avs",
  "sefObserverEPProduct":"Oracle Audit Vault and Database Firewall",
  "eventtarget":"/usr/bin/sudo",
  "service":"logger",
  "sefObserverEPType":"AVDF",
  "sevlvl":"Critical",
  "sefSourceEPType":"Host",
  "sefAction":"Super User Login",
  "sefObserverEPManufacturer":"Oracle",
  "norm_hashid":5897917602427668891,
  "sefRecordType":"base",
  "sefRecordGuid":"5ff63992-a773-3a1b-904f-7318620ef76f"
}
9 Issues
Real AVDF audit logs are needed to cover the use cases mentioned above.