
SANS Institute Product Review:
Oracle Audit Vault
March 2012
A SANS Whitepaper
Written by: Tanya Baccam
Product Review: Oracle Audit Vault PAGE 2
Auditing PAGE 2
Reporting PAGE 4
Alerting PAGE 9
Sponsored by Oracle
Introduction
The number, scale and severity of successful data theft and espionage attacks rose considerably last year,
according to Verizon's 2011 Data Breach Investigations Report.[1] While 92 percent of these attacks are executed
from outside the enterprise, many attacks made their way into databases, accounting for the majority of
financial losses over the history of the report. Loss of records due to insider or outsider breach can have a
huge impact on organizations. The average organizational cost of a data breach is $7.2 million, or $214 per
compromised record, according to the most recent Ponemon Annual Study: U.S. Cost of Data Breach.[2]
When breaches are related to customer personal data, there is no doubt that an investigation is needed to
apprise regulators, law enforcement and affected consumers. In the case of espionage against private and
government enterprises, investigations are an ongoing part of doing business. Such investigations help close
up vulnerabilities and improve overall security of operations.
When those investigations get down to the database level, how can auditors and responders determine what
databases were impacted, what access and commands were used, and what applications were utilized within
the database? Equally important, how can organizations be alerted to this activity occurring within their
databases in time to take action and prevent an attack from being successful?
This paper is a review of Oracle Audit Vault, which provides database log centralization, management, alerting
and reporting across multiple databases. With Oracle Audit Vault, investigators and auditors can gather
information about who accessed data, what applications were accessed, what was changed, and more. This
centralization makes it easier to identify and contain potential compromises before they occur, as well as
create reports for compliance and forensics. Oracle Audit Vault can be set to send alerts, which are critical for a
fast response to stop risky behavior and attacks, and provide out-of-the-box compliance reports and methods
of detecting unauthorized activities.
SANS Analyst Program 1
SANS Institute Product Review: Oracle Audit Vault
[1] www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
[2] www.symantec.com/about/news/release/article.jsp?prid=20110308_01
Product Review: Oracle Audit Vault
Most organizations utilize multiple database types and versions that are difficult and time-consuming to audit
and report on individually. Oracle Audit Vault acts as a secure, centralized database audit trail repository. It
is able to collect audit trails from a variety of databases, including Microsoft SQL Server 2000, 2005, and 2008;
IBM DB2 UDB 8.2 through 9.5 and Sybase ASE 12.5.4 through 15.0.x as well as Oracle databases. These audit
trails can be automatically consolidated and reported on for audit and compliance purposes as well as for
early threat detection. With unified reporting against their disparate databases, organizations can get more
accurate reports and alerts without trying to manually tie events together across database systems.
Oracle Audit Vault uses collectors designed to collect data for the database audit trail, operating system audit
trail, and redo logs for Oracle to gather logs from multiple databases. Oracle Audit Vault centrally and securely
consolidates the audit data, making it easier to search and manage data drawn from multiple databases. The
ability to search and manage audit data from multiple databases can be used for alerting, notifying, following
trends, and for more comprehensive audit/compliance functionality. For example, a secure repository for logs
not only meets specific compliance needs, but also offers more scalability for searching and reporting.
In this functional review of the Oracle Audit Vault product, we used Oracle Database 11g to generate the audit
data to be collected by Oracle Audit Vault, then conducted the review in three phases: Auditing, Reporting,
and Alerting.
Auditing
In centralizing the audit data, database audit trails are stored in Oracle Audit Vault, which provides a
secure repository on a separate server. Leaving audit data on the originating system leaves the data open
to alteration. Keeping the repository securely separated from the system is critical to most compliance
requirements that dictate that data cannot be altered. By storing the data in Oracle Audit Vault, administrators
can be restricted from the data completely, or simply provided a read-only role so they cannot change the
data inside the repository.
Oracle Audit Vault leverages Oracle Database Vault and Oracle Advanced Security to strictly control access
and prevent tampering with the audit data. Oracle Audit Vault includes Oracle Partitioning to enhance
manageability and performance and can, optionally, be deployed with Oracle Real Application Clusters (RAC)
and Oracle Data Guard for additional scalability and high-availability deployments. Oracle Audit Vault can also
be deployed on Oracle Exadata and the Oracle Database Appliance.
In the rst part of this review, we tested the Audit Policy features against a single Oracle Database 11g. This
involved clicking on the Audit Policy tab and then selecting the database being audited. We retrieved the
policy by clicking the Audit Settings radio button, which provided the link for the database and a summary of
what audit was occurring, as shown in Figure 1.

Figure 1: Summary of Audit Settings
Audit settings were easy to review. They enable users to easily obtain an understanding of what was being
audited and sent to Audit Vault. The In Use column notes the number of active settings from the database
sending records to Audit Vault. The Needed column notes the number of required audit settings the auditor
has specied. And, the Problem column notes the number of audit settings that require attention from the
auditor. Users can follow each of the links to get additional details about how the audit was set up.
Reporting
Next, we evaluated the default reports provided. Reports on access, database account management, system
management, entitlement, exceptions, alerts and more are provided by default with Audit Vault. Oracle Audit
Vault's default report options are shown in Figure 2. By clicking on the links, we were able to review the log
reports, which provided basic audit information that might be required of any centralized logging solution
immediately.


Figure 2: Default Reports Provided by Audit Vault
Next, we tested what detail the reports would show. For example, to audit specific statements that might
indicate employee abuse, we issued the following queries in the database:
    update oe.orders set order_total=54 where order_id=2458
    select count(*) from HR.employees where salary>10000
The results appeared in the Data Access report showing all queries that matched the specified parameters, as
summarized in Figure 3.


Figure 3: Data Access Report under the Audit Reports Tab
Oracle Audit Vault can be used to query for specific data in order to identify signs of malicious intent or policy
violations. By clicking on the individual records, we could read each of the queries in order to understand
what data had been queried by which users. Figure 4 shows an example of what appears to be an employee
querying for specific employee salary information.

Figure 4: Observing the SELECT Query
The SQL Text in Figure 4 specified the query that was conducted. In this particular case, the user (SYSTEM) had
queried for a count of the employees that make over $10,000. Security personnel can use a number of the
reports to query the audit data being created. By centralizing all the data in a single location, it makes it easier
to investigate and identify potentially suspicious activity. We could also create customized queries based
on specific organizational data concerns such as who is viewing credit cards, Social Security numbers and
other such sensitive data. Of course, all of this is dependent on how auditing is set up in the source database,
because Audit Vault reflects data that is sent to it.
Another type of access report provided is Entitlement reports. Entitlement reports are important for
organizations wanting to protect regulated data and intellectual property from those with privileged user
access to administer systems. We retrieved the entitlement information from our database by going to the
Audit Policy tab and selecting the User Entitlement option for the appropriate Audit Store. Then we clicked
the Retrieve button, as shown in Figure 5.

Figure 5: Retrieving Entitlement Reports Data
Once the entitlement information was retrieved, we needed to view the specific data via the Entitlement
reports. We found multiple built-in Entitlement reports for objects, users and systems that cover privileged
user accounts, roles, profiles, privileges and more. In this case, we selected the User Privileges report and then
clicked Go. The data was displayed in Audit Vault as shown in Figure 6.

Figure 6: Privileged Users Entitlement Report
The Entitlement reports were simply reporting on the data from the databases related to privileges in use
when the snapshot was obtained. Reports can be automatically scheduled and generated for management
and compliance purposes. Auditors can be alerted when reports are available and an attestation process set
in motion for review and approval.
Alerting
Reports also provide data on login/logoff, startup/shutdown, failures, audit settings, changes, system events
and user activity, among other data revealed by database logs. These, and other access and system events,
provide valuable security intelligence that can be fed into Oracle Audit Vault alert reports, which can be
classified based on level of severity.
Reports can also create an alert in real time as the data is analyzed. To review this feature, we created an
individual alert whenever a new user was added to the system. To set up the alert, we went to the Audit Policy
tab, chose Alerts, and clicked Create. Figures 7 and 8 show how the alert was configured.


Figure 7: Setting up an Alert
The alert was titled CREATE_USER, and the severity was set to Warning. We selected the audit source type
(ORCLDB) and the specific database to alert on. Each of the alerts can also be placed in a category, so we used
the Account Management category.
The audit event was set to occur when the CREATE USER activity occurs. Additionally, this was done for both
Success and Failure activities.
Once the alert was saved and properly set up, two accounts were created in the database. Once the accounts
had been created, we went to the Audit Reports tab and selected All Alerts to see whether the alerts had been
created. The alerts included the accounts that had been created for TANYA and PAUL. See Figure 8.

Figure 8: Completed Alerts
The alerts were easy to set up and allowed customization of the data that is important to a given organization.
Alerts could also be sent via e-mail or even SMS text messages.
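Both the Data Access report in the Reporting section and the CREATE_USER alert above depend on what the source database is configured to audit, which the review does not show. The statements below are an added example (not from the paper or from Oracle's product documentation) of Oracle Database 11g standard auditing that would produce those records; they assume a test instance with the HR and OE sample schemas, a DBA session, and the DB-based audit trail that the Audit Vault database collector reads.

```sql
-- Added example: source-side auditing behind the records reviewed above.
-- Assumes an Oracle Database 11g test instance (HR and OE sample schemas)
-- and a DBA session such as SYSTEM. Not part of the SANS review.

-- 1. Record the statement text with each audit record; this is what appears
--    as "SQL Text" in Figure 4. Takes effect after the next instance restart.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 2. Object auditing for the two statements issued in the Reporting section:
--    one audit record per execution, successful or not.
AUDIT SELECT ON hr.employees BY ACCESS;
AUDIT UPDATE ON oe.orders    BY ACCESS;

-- 3. Account-management auditing behind the CREATE_USER alert. CREATE USER is
--    audited as a system privilege; both outcomes are recorded, matching the
--    Success and Failure settings chosen in Figure 7.
AUDIT CREATE USER BY ACCESS WHENEVER SUCCESSFUL;
AUDIT CREATE USER BY ACCESS WHENEVER NOT SUCCESSFUL;

-- 4. Verify what is in force; compare with the In Use / Needed columns of the
--    Audit Settings summary in Figure 1.
SELECT privilege, success, failure
  FROM dba_priv_audit_opts
 WHERE privilege = 'CREATE USER';

SELECT owner, object_name, sel, upd
  FROM dba_obj_audit_opts
 WHERE owner IN ('HR', 'OE');

-- 5. The local trail the Audit Vault collector forwards, laid out the way the
--    Data Access report presents it. RETURNCODE 0 is success; any other value
--    is the ORA- error number of the failed attempt (e.g. a denied CREATE USER).
SELECT timestamp, username, userhost, action_name,
       owner || '.' || obj_name AS object_name,
       returncode, sql_text
  FROM dba_audit_trail
 WHERE action_name IN ('SELECT', 'UPDATE', 'CREATE USER')
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;
```

If the source database keeps AUDIT_TRAIL at DB without EXTENDED, the records still reach Audit Vault but SQL_TEXT is empty, so the query text shown in Figure 4 would not be available.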
Conclusion
Oracle Audit Vault automates the collection and consolidation of database audit data into a central, secure
repository so that investigators and auditors can gather information and report on who accessed the
data, what applications were accessed, what was changed, and more. Adding detective measures to a
comprehensive database security strategy can help protect sensitive customer data and comply with industry
and governmental compliance requirements.
Organizations need actionable data on who accessed the database, what methods they used, what they
accessed, and what actions were taken. Oracle Audit Vault can quickly and automatically detect unauthorized
activities that violate security and governance policies, thereby stopping perpetrators from covering their
tracks.
Overall, Oracle Audit Vault was easy to use for analyzing the Oracle Database 11g audit data with which it was
reviewed. By using the reports provided by Audit Vault, organizations can quickly identify and mitigate risks
in a more proactive manner, thus limiting the number of compromises that occur and their associated costs.
Although not covered in this review, centralizing and managing log data from heterogeneous databases
consolidates actionable information that can be queried for better alerting, quicker response and smoother
audit processes.
Oracle Audit Vault takes a deep approach to collecting and centralizing log data on a variety of database types
and schemas. As observed during this review, the combined auditing, alerting and reporting in real time can
help address security events more quickly. This is important to auditors and responders as well as security
personnel charged with preventing breaches from occurring.
About the Author
Tanya Baccam is a SANS senior instructor as well as a SANS courseware author. She is the current author
for the SANS Security 509: Securing Oracle Databases course. Tanya works for Baccam Consulting, where
she provides many security consulting services for clients, including system audits, vulnerability and risk
assessments, database audits, and web application audits. Today much of her time is spent on the security
of databases and applications within organizations. Tanya has also played an integral role in developing
multiple business applications. She currently holds the CPA, GCFW, GCIH, CISSP, CISM, CISA, and OCP DBA
certifications.

SANS would like to thank its sponsors: