Device Configuration Guide for Cisco Security MARS, Release 6.x - Oracle Database Applications [Cisco Security Monitoring, Analysis and Response System]

Table Of Contents

Oracle Database Server Generic

Configure the Oracle Database Server to Generate Audit Logs

Add the Oracle Database Server to MARS

Configure Interval for Pulling Oracle Event Logs

Oracle Database Server Generic

Database applications are typically high-value assets, and as such, they are common targets for attacks. Database applications provide MARS with user activity, such as successful and failed login attempts, session durations, and activities indicative of privilege escalation. This chapter explains how to bootstrap and add database applications to MARS.

To configure CS-MARS to collect information from the Oracle database server, you must perform three tasks:

•configure the Oracle database server to generate a audit trail and record those events the database.

•represent the device in the web interface

•configure the interval at which MARS should pull the logs from the Oracle database server.

Configuring the pull interval is a one-time operation that applies to all of the Oracle database servers monitored by the MARS Appliance.

This chapter contains the following topics:

•Configure the Oracle Database Server to Generate Audit Logs

•Add the Oracle Database Server to MARS

•Configure Interval for Pulling Oracle Event Logs

Configure the Oracle Database Server to Generate Audit Logs

You must configure the Oracle database server to write audit logs to the database. You may need your DBA support to perform most of these configurations. Once configured, MARS can retrieve the audit logs from your Oracle database server. The following examples are for an Oracle instance running on a UNIX/Linux application host.

To configure an Oracle database server to write audit logs, follow these steps:

Step 1 As sysdba execute cataudit.sql to create audit trail views:
 [oracle@server]$ sqlplus /nolog
SQL> conn / as sysdba;
SQL> @$ORACLE_HOME/rdbms/admin/cataudit.sql
Step 2 Enable auditing to the database by adding the following entry to the Oracle instance initialization file, usually named init<SID>.ora
    AUDIT_TRAIL=DB
This file is usually located in $ORACLE_BASE/admin/<SID>/pfile, where <SID> is the name of the Oracle instance.

If a binary initialization file is used for this instance, make sure you update it first. This file is usually located in $ORACLE_HOME/dbs and named spfile<SID>.ora. Ask your DBA about the location of these files as well as the policies applied for this server.

Step 3 Restart the database to activate the change made to the initialization file.
 [oracle@server]$ sqlplus /nolog
SQL> conn / as sysdba;
SQL> shutdown immediate;
SQL> startup;
Step 4 Turn on all the logs that you want to audit. The following example is turning on the "audit session".
SQL> audit session;
Audit succeeded.
Note Support for new AUDIT_ACTIONS found in Oracle 11g is supported as of Cisco Secure MARS releases 4.3.3/5.3.3.

Step 5 Repeat the previous step for all the logs that you want to audit.

Step 6 Create a user account on this server and grant select privilege for the view dba_audit_trail. Our example assumes the user has login name "pnuser".
 SQL> grant select on dba_audit_trail to pnuser
You'll use "pnuser" as the value for "User Name" in the MARS setup.

Step 7 To test that everything was properly configured, audit logs are written to the database and "pnuser" has read access to them, execute the following commands:
 [oracle@server]$ sqlplus pnuser/<password>@<oracle_server>
 SQL> select count(*) from dba_audit_trail;
  COUNT(*)
----------
         3
If the above count is anything but zero, congratulations, you have successfully configured the Oracle Server! You will have to repeat the above procedure for every Oracle server that you want to report audit logs to MARS.

Add the Oracle Database Server to MARS

To represent the Oracle database server in the web interface, follow these steps:

Step 1 ClickAdmin > System Setup > Security and Monitor Devices > Add.

Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host.

Step 3 Enter the Device Name and IP addresses if adding a new host.

Step 4 Click Apply.

Step 5 From the Select Application list, select Oracle Database Server Generic.

Step 6 Click Add.

Step 7 Enter values for the following fields:

•User Name—The Oracle Database User Name.

•Password—The Oracle Database User password.

•Oracle Service Name—The Oracle Service Name.

The Oracle Service Name is the GLOBAL_DBNAME=username.server found inside the file named listener.ora.

Step 8 Click Test Connectivity to verify the configuration.

Step 9 Click Submit .

Configure Interval for Pulling Oracle Event Logs

To specify the interval at which MARS should pull the event logs from all Oracle database servers on your network, follow these steps:

Step 1 Click Admin > System Parameters > Oracle Event Log Pulling Time Interval.

Step 2 Enter the new time interval in seconds.

The default value is 300 (five minutes).

Step 3 Click Submit.

	Device Configuration Guide for Cisco Security MARS, Release 6.x
	Oracle Database Applications
Device Configuration Guide for Cisco Security MARS, Release 6.x Preface Part 1: Concepts Configuring Reporting and Mitigation Devices in MARS Part 2: Intrusion Detection and Prevention (Network based) Cisco IPS Devices (4.x and 5.x) NetScreen IDP Devices and Servers Cisco IPS 6.x Devices and Virtual Sensors Enterasys Dragon Devices Snort Devices McAfee Intrushield Symantec ManHunt Cisco IPS Modules IBM SiteProtector Devices IBM RealSecure Devices Part 3: Vulnerability Assessment Qualys QualysGuard Devices eEye REM Devices McAfee Foundstone Part 4: Switches Cisco Switches Extreme Switches Part 5: Routers Cisco Routers Routers (Generic) Part 6: Firewalls Cisco Firewall Devices Cisco ASA, Version 8.1.X and 8.2.X and NetFlow Check Point Devices NetScreen ScreenOS Devices Part 7: Network Access Control Cisco NAC Appliance Part 8: Virtual Private Network Gateways Cisco VPN 3000 Concentrator Part 9: WLAN Controller Cisco Wireless LAN Controller Part 10: AAA Servers Cisco Secure ACS Devices Part 11: Intrusion Detection and Prevention (Host based) Cisco Security Agent Entercept Devices Part 12: Virus Protection Symantec AntiVirus McAfee EPO Management Devices Cisco Incident Controller Server Part 13: Content Management Cisco CSC SSM Part 14: Database Applications Oracle Database Applications Part 15: Web Servers Web Server Devices Part 16: Web Proxies Network Appliance NetCache Generic Part 17: Host Nodes Generic, Solaris, Linux, and Windows Application Hosts Index	Download this chapter Oracle Database Applications Download the complete book Device Configuration Guide for Cisco Security MARS Release 6.x (PDF - 5 MB) Table Of Contents Oracle Database Server Generic Configure the Oracle Database Server to Generate Audit Logs Add the Oracle Database Server to MARS Configure Interval for Pulling Oracle Event Logs Oracle Database Server Generic Database applications are typically high-value assets, and as such, they are common targets for attacks. Database applications provide MARS with user activity, such as successful and failed login attempts, session durations, and activities indicative of privilege escalation. This chapter explains how to bootstrap and add database applications to MARS. To configure CS-MARS to collect information from the Oracle database server, you must perform three tasks: •configure the Oracle database server to generate a audit trail and record those events the database. •represent the device in the web interface •configure the interval at which MARS should pull the logs from the Oracle database server. Configuring the pull interval is a one-time operation that applies to all of the Oracle database servers monitored by the MARS Appliance. This chapter contains the following topics: •Configure the Oracle Database Server to Generate Audit Logs •Add the Oracle Database Server to MARS •Configure Interval for Pulling Oracle Event Logs Configure the Oracle Database Server to Generate Audit Logs You must configure the Oracle database server to write audit logs to the database. You may need your DBA support to perform most of these configurations. Once configured, MARS can retrieve the audit logs from your Oracle database server. The following examples are for an Oracle instance running on a UNIX/Linux application host. To configure an Oracle database server to write audit logs, follow these steps: Step 1 As sysdba execute cataudit.sql to create audit trail views: [oracle@server]$ sqlplus /nolog SQL> conn / as sysdba; SQL> @$ORACLE_HOME/rdbms/admin/cataudit.sql Step 2 Enable auditing to the database by adding the following entry to the Oracle instance initialization file, usually named init<SID>.ora AUDIT_TRAIL=DB This file is usually located in $ORACLE_BASE/admin/<SID>/pfile, where <SID> is the name of the Oracle instance. If a binary initialization file is used for this instance, make sure you update it first. This file is usually located in $ORACLE_HOME/dbs and named spfile<SID>.ora. Ask your DBA about the location of these files as well as the policies applied for this server. Step 3 Restart the database to activate the change made to the initialization file. [oracle@server]$ sqlplus /nolog SQL> conn / as sysdba; SQL> shutdown immediate; SQL> startup; Step 4 Turn on all the logs that you want to audit. The following example is turning on the "audit session". SQL> audit session; Audit succeeded. Note Support for new AUDIT_ACTIONS found in Oracle 11g is supported as of Cisco Secure MARS releases 4.3.3/5.3.3. Step 5 Repeat the previous step for all the logs that you want to audit. Step 6 Create a user account on this server and grant select privilege for the view dba_audit_trail. Our example assumes the user has login name "pnuser". SQL> grant select on dba_audit_trail to pnuser You'll use "pnuser" as the value for "User Name" in the MARS setup. Step 7 To test that everything was properly configured, audit logs are written to the database and "pnuser" has read access to them, execute the following commands: [oracle@server]$ sqlplus pnuser/<password>@<oracle_server> SQL> select count() from dba_audit_trail; COUNT() ---------- 3 If the above count is anything but zero, congratulations, you have successfully configured the Oracle Server! You will have to repeat the above procedure for every Oracle server that you want to report audit logs to MARS. Add the Oracle Database Server to MARS To represent the Oracle database server in the web interface, follow these steps: Step 1 ClickAdmin > System Setup > Security and Monitor Devices > Add. Step 2 From the Device Type list, select Add SW Security apps on a new host or Add SW security apps on existing host. Step 3 Enter the Device Name and IP addresses if adding a new host. Step 4 Click Apply. Step 5 From the Select Application list, select Oracle Database Server Generic. Step 6 Click Add. Step 7 Enter values for the following fields: •User Name—The Oracle Database User Name. •Password—The Oracle Database User password. •Oracle Service Name—The Oracle Service Name. The Oracle Service Name is the GLOBAL_DBNAME=username.server found inside the file named listener.ora. Step 8 Click Test Connectivity to verify the configuration. Step 9 Click Submit . Configure Interval for Pulling Oracle Event Logs To specify the interval at which MARS should pull the event logs from all Oracle database servers on your network, follow these steps: Step 1 Click Admin > System Parameters > Oracle Event Log Pulling Time Interval. Step 2 Enter the new time interval in seconds. The default value is 300 (five minutes). Step 3 Click Submit.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.