Versions: Oracle 10g and 11g
Collector: Oracle Database Collector
To configure an Oracle database server for the collection of log messages by TLC, complete the following steps:
1. | The following file contains a SQL script that defines a package, a single Oracle user account, and related permissions: |
<install_directory>\Schema\Oracle\Oracle_Database_Collector_Install_V0.sql
Open a text editor and change the account's password to a password of your choosing. When you create Log Sources for this Monitored Asset in TLC (see Working with Log Sources for an Oracle Database Collector), you will need this password.
2. | To open Oracle SQL Developer, select: |
Start > Programs > Oracle > Oracle-[Oracle_instance] > Application Development > SQL Developer
Where [Oracle_instance] is the name of the Oracle database instance.
Note |
If you do not have Oracle SQL Developer, you may configure the server with Oracle SQL *Plus. To do so: 1. Open Oracle SQL *Plus. 2. Connect to the Oracle database using the SYS account as DBA. 3. Run the following script: <install_directory>\Schema\Oracle\ Oracle_Database_Collector_Install_V0.sql 4. Proceed to step 5. |
---|
3. | To create a new connection for the Oracle database: |
a. | In the side bar, select the Connections tab and click the New Connection button. |
b. | In the New / Select Database Connection dialog, enter a Connection Name. |
c. | In the Username field, enter SYS. |
d. | Enter the Password for the SYS account. |
e. | From the Role drop-down, select SYSDBA. |
f. | In the Hostname field, enter the host name or IP address of the Oracle server. |
g. | In the SID field, enter the name of the Oracle database. |
h. | Click Test. |
i. | If the test is successful, click Save to close the New / Select Database Connection dialog. |
4. | To add the Tripwire Log Center package to the Oracle database: |
a. | Open the following file in the TLC Manager installation directory: |
<TLC_Manager_install_dir>\Schema\Oracle\Oracle_Database_Collector_Install_V0.sql
b. | To run the script with the SYS user account, press CTRL + ENTER (or mark the whole script and press F5). |
c. | In the Connections panel, select the Packages group and click the Refresh button. |
Oracle SQL Developer adds the TRIPWIRE_LOGCENTER package to the Packages group.
5. | To open Oracle SQL*Plus: |
a. | Select: |
Start > Programs > Oracle > Oracle-[Oracle_instance] > Application Development > SQL*Plus
Where [Oracle_instance] is the name of the Oracle database instance.
b. | Log in with the SYS user account. |
6. | To configure the AUDIT_TRAIL parameter, enter the following commands at the Oracle SQL*Plus command prompt: |
ALTER SYSTEM SET audit_trail='db' SCOPE=SPFILE;
ALTER SYSTEM SET audit_sys_operations=true SCOPE=SPFILE;
SHUTDOWN IMMEDIATE;
STARTUP;
Tips |
To review the current settings for your AUDIT and AUDIT_TRAIL parameters, enter: SHOW PARAMETERS AUDIT; If you enter audit_trail='db_extended', rather than audit_trail='db', Oracle will include the values from the SQL_TEXT and SQL_BIND columns in generated log messages. The SQL_TEXT column will contain the SQL sentence that generated the logged event. |
---|
7. | In Oracle SQL Developer, enter the following commands in the tab for the new connection (created above) to enable the AUDIT parameters of your choosing. For example: |
AUDIT ALL BY ACCESS
AUDIT SESSION;
AUDIT DELETE ANY TABLE;
AUDIT SELECT TABLE, INSERT TABLE, DELETE TABLE, EXECUTE PROCEDURE;
AUDIT ALL;
AUDIT ALL PRIVILEGES;
AUDIT ALL ON DEFAULT;
AUDIT NETWORK;
For more information about AUDIT parameters, refer to your Oracle documentation.
8. | (Optional) Now, you can enable Fine-Grained Auditing for any database table or view by creating policies. |
To create a policy for a table or view, enter the following commands in the connection tab, mark the whole statement, and then press F5:
BEGIN
DBMS_FGA.add_policy(
<object_schema> => 'user',
<object_name> => 'object',
<policy_name> => 'policy_name',
<audit_condition> => 'table_field evaluator condition',
<audit_column> => 'field to audit',
<statement_types> => 'SELECT,INSERT,UPDATE,DELETE');
END;
Where:
<object_schema> is the name of the user account creating the policy (e.g. rwilson).
<object_name> is the database table or view to be audited (e.g. EMP).
<policy_name> is the name of the policy (e.g. SALARY_CHK_AUDIT1).
<audit_condition> is the condition determining when the policy will generate logs (e.g. SAL>500000).
<audit_column> is the applicable column or field (e.g. SAL).
<statement_types> are the statements with which the table or view will be audited.
Tip |
For optimal performance, you should regularly purge old log messages from the Oracle views cited in Maintaining your Oracle Auditing Views. |
---|
Next |
If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment. Otherwise, see Adding a Monitored Asset for a new Log Source. |
---|
If you have a Monitored Asset that represents an Oracle database, you should complete the steps below whenever the total number of log messages in one of the following views exceeds 1,000,000.
sys.dba_audit_trail
sys.dba_common_audit_trail
sys.dba_fga_audit_trail
Note |
For this procedure, the Audit Logger must be assigned as an Output Destination in the properties dialog of the Oracle Asset. For more information, see Changing the Output Destinations for a Monitored Asset. |
---|
When the number of log messages in one of these views exceeds 1,000,000, complete the following steps:
1. | In the Audit Logger: |
a. | Run a search for 'raw' log messages collected from the Oracle database by specifying the database with the Monitored Assets drop-downs in the Query Criteria tab (see Querying the Audit Logger for 'Raw' Log Messages). |
b. | In the search results presented in the Raw Logs tab, make a note of the Timestamp for the oldest log message. Typically, the oldest log message appears as the first entry in the search results. |
2. | Delete all log messages from the view that are older than the Timestamp. |