Oracle database auditing and correlation rule
We are looking to integrate our Oracle database systems with RSA enVision. The integration method is very generic, and detailed auditing might also impact the performance of the Oracle database.
We would like to know:
- To start with, at what level should we begin auditing, and which areas of the database should we look into?
- What sort of correlation should we expect from this? Any help is appreciated.
Thanks in advance.
The integration of any database (Oracle, MSSQL, DB2) with RSA enVision is very limited. According to the RSA enVision integration manual, it is usually limited to login and logout activity.
I recommend you read the book Implementing Database Security and Auditing: A Guide for DBAs, Information Security Administrators and Auditors by Ron Ben Natan. This book is a good guide to tuning audit logs in databases.
It explains what we need to activate and how to do it.
After activating the log granularity in the database, RSA enVision can receive and process it.
Do not expect any kind of correlation rule for databases; usually we need to get hands-on and create our own rules.
Thanks for your information. I am not a DBA guy, hence my knowledge of this is still very low. However, I will go through the book to understand it in detail.
Actually, my intention in this discussion is to find out whether anybody has done any correlation in their organization, as well as what sort of information/logs/audits we should look for.
Auditing in Oracle may hamper the performance of the database. Hence we would like to start with minimal auditing. So we need to know which minimum auditing we should look for to start with.
Like you, I am not a DBA guy, but to integrate any kind of technology with RSA enVision we need to understand the basics.
When you follow the instructions supplied by RSA to integrate a DB, you will receive a minimal set of events and message IDs.
To create correlation rules you need to activate more events and message IDs at the DB.
Which messages you must activate depends on your requirements; do not activate more than you need (the book helps you with this step). Each organization has a different set of requirements.
Correlation rules are great for checking multiple events coming from one or multiple devices at the same time. They are very tricky to tune.
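As an added example (not part of this thread and not RSA's integration procedure), the script below shows what a "minimal audit to start with" looks like on the Oracle side, plus one correlation a SIEM would otherwise have to build: repeated failed logons followed by a success from the same host. It assumes Oracle 10g/11g traditional (non-unified) auditing, a SYSDBA session, and that the audit trail is kept in the database so it can be queried and then forwarded to enVision; the thresholds (5 failures, 1 hour) are illustrative.

```sql
-- Added example: minimal Oracle standard-audit baseline and a logon correlation query.
-- Assumes Oracle 10g/11g, traditional auditing, run as SYSDBA. Not from the original thread.

-- 1. Route the audit trail into SYS.AUD$ (queryable via DBA_AUDIT_TRAIL).
--    DB_EXTENDED would also capture SQL text and bind values at higher cost.
--    Takes effect after a restart.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
-- Record what SYSDBA/SYSOPER sessions do (these go to the OS audit destination, not AUD$).
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 2. The minimum worth having: every connect/disconnect, successful and failed.
--    One row per session, so the cost is low even on busy systems.
AUDIT SESSION;
-- If even that is too much volume, keep only failures:
-- AUDIT SESSION WHENEVER NOT SUCCESSFUL;

-- 3. Changes to the security model: accounts, roles, privilege grants, profiles,
--    and the audit configuration itself. These are rare events, so cheap to audit.
AUDIT USER;            -- CREATE/ALTER/DROP USER
AUDIT ROLE;            -- CREATE/ALTER/DROP/SET ROLE
AUDIT SYSTEM GRANT;    -- GRANT/REVOKE of system privileges and roles
AUDIT PROFILE;         -- password/lockout policy changes
AUDIT SYSTEM AUDIT;    -- someone turning auditing off (AUDIT/NOAUDIT)

-- 4. Object-level auditing only where it matters; BY ACCESS gives one row per
--    statement (more rows, more detail), BY SESSION collapses to one row per session.
--    hr.employees is a placeholder table name.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- Verify what is now active before pointing the collector at it.
SELECT audit_option, success, failure FROM dba_stmt_audit_opts ORDER BY audit_option;
SELECT owner, object_name, sel, ins, upd, del FROM dba_obj_audit_opts;

-- 5. Correlation: hosts/accounts with >= 5 failed logons in the last hour
--    (RETURNCODE 1017 = ORA-01017 invalid username/password; 28000 would be a
--    locked account), and the first successful logon from that host/account
--    after the last failure, which is the pattern a password-guessing rule keys on.
WITH failed AS (
  SELECT userhost,
         username,
         COUNT(*)                AS failures,
         MIN(extended_timestamp) AS first_failure,
         MAX(extended_timestamp) AS last_failure
    FROM dba_audit_trail
   WHERE action_name = 'LOGON'
     AND returncode = 1017
     AND extended_timestamp > SYSTIMESTAMP - INTERVAL '1' HOUR
   GROUP BY userhost, username
  HAVING COUNT(*) >= 5
)
SELECT f.userhost,
       f.username,
       f.failures,
       f.first_failure,
       f.last_failure,
       MIN(s.extended_timestamp) AS first_success_after
  FROM failed f
  LEFT JOIN dba_audit_trail s
    ON s.userhost = f.userhost
   AND s.username = f.username
   AND s.action_name = 'LOGON'
   AND s.returncode = 0
   AND s.extended_timestamp > f.last_failure
 GROUP BY f.userhost, f.username, f.failures, f.first_failure, f.last_failure
 ORDER BY f.failures DESC;
```

Steps 2 and 3 produce only a handful of rows per session or per administrative change, which is the part that can be turned on without a measurable performance hit; step 4 is where volume (and the performance concern raised above) comes from, so it should be limited to the specific tables a requirement actually names. The query in step 5 is the same logic a SIEM correlation rule would express on the forwarded events; running it against DBA_AUDIT_TRAIL first is a cheap way to check that the audit settings actually produce the events a rule needs before tuning the rule itself.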