Oracle Audit Vault: A Primer

So, what is Audit Vault?

Audit Vault is one part of Oracle AVDF (Audit Vault & Database Firewall).  It consolidates and secures audit event data from one or more Oracle or non-Oracle sources, and provides extensive and customizable reporting abilities to fulfil an organization's security and compliance requirements.

What is the architecture of Audit Vault?

Audit Vault is distributed as a software appliance and can be deployed on a standalone server or a virtual machine.  It consists of the following two components.

  • Audit Vault Server
    • Central repository that stores audit data from one or more sources (secured targets)
    • Encrypts data using TDE (Transparent Data Encryption)
    • Provides a web interface to accomplish these tasks among others
      • Configure Secured Targets
      • Configure Audit Trails
      • Configure data retention policies
      • Set up high availability
      • Configure external storage
      • Set up access control

  • Audit Vault Agent
    • Deployed one per host, usually where the audit data is generated but can also be installed remotely
    • Retrieves audit data from various secured targets and sends it to the AV Server
    • Secured Targets can be Oracle or non-Oracle databases, operating systems or file systems

Can Audit Vault be configured in a high availability architecture?

Audit Vault can be configured in a high availability architecture.  It is configured from within the AV GUI; however, standard Data Guard is configured in the background, including the Data Guard Broker.  Any attempt to connect to the secondary AV server is automatically re-routed to the primary.  Switchover or failover is managed from within the AV GUI.

How can I manage the amount of data held within Audit Vault?

Data in Audit Vault can be archived as part of your company’s retention policy.  This is accomplished by creating an archive location and a retention policy.  Retention times are based on the time that the audit event happened in the secured target.  Currently, archiving has to be started manually but this is easily done via the AV GUI.

Data from the archive area can’t be reported on; however, archive data can be restored online via the AV GUI.

What can you do with the data in Audit Vault?

As an Audit Vault Auditor, you can run reports to examine data across various secured targets as well as Database Firewall if that has also been deployed.

The reports are organized into different categories, for example activity reports or compliance reports.  In order for your company to meet compliance requirements, the following reports can be produced.

[Screenshot: compliance reports (blog_av4)]

Reports can be saved or scheduled in either PDF or Excel format.  Filters can also be applied to reports that you view online.

Alerts can also be configured in Audit Vault.  Notifications can also be set up to enable users or a security officer to be alerted where appropriate.

How can I back up Audit Vault data?

Audit Vault comes with a backup utility which ultimately runs RMAN in the background.  As expected, you can run a full or incremental backup strategy as well as cold backups if desired.

How can I monitor Audit Vault?

Audit Vault can be monitored via OEM.  To accomplish this, you must download and deploy the AV Enterprise Manager plug-in and discover the targets.  The Audit Vault home page displays a high-level view from which you can drill down to display individual components.

The Summary section of the home page displays the following.

  • AV Server version
  • Status of the AV Console
  • AV Repository Name and status
  • Number of AV agents
  • Number of source databases
  • Number of collectors

You can also see information on your AV agents, Audit Trails and historical information on any upload issues.

Written by Les Hopkins, Lead DBA, Cintra NY – June 2017
