Core Audit Features
Core Audit is an Oracle Database Auditing (Database Activity Monitoring) solution for Compliance and Security. It was built from the ground up to meet the exact and unique demands of Oracle customers that need to comply with various regulations and enhance the security of their Oracle databases.
Core Audit is a simple yet powerful solution with cutting-edge technology designed for the most demanding of environments. From our unique low overhead Full Capture agent technology through the processing engine and presentation layers, you will find nothing but the best, and it’s all targeted to make your life easier.
While Core Audit contains mountains of technology, Easy is one of the most important features in it. Easy to install, easy to use, trivial to accomplish common tasks, and once configured it just works. Easy means you get to spend more time doing the many other things you have to do, and not worry about Oracle auditing.
Compliance & Declarative Auditing
Core Audit contains everything needed to comply with the Oracle database auditing requirements of any regulation (including PCI-DSS, SOX, HIPAA, FFIEC, and many others). From low overhead Full Capture agents, through wizards, rules, repositories, reports and much more.
Declarative Auditing allows you to tell Core Audit what you want to audit, and Core Audit will record the information and produce the reports. Wizards make this task extremely simple, and full customization is not much more involved.
Deploy Core Audit on a single Oracle instance or throughout your entire data center with no service interruption and achieve your compliance goals.
Incident investigation, Postmortem Analysis, and LiveTap
Core Audit contains a graphical interactive direct investigation tool that allows slicing and navigating through all the information in the system. There are several repositories that contain ample details from different points of view of everything that happened in the database. You can play with these tools by going to the Dataview in the Online Demo.
LiveTap is another unique feature in Core Audit that allows viewing of live database activity as it happens. With no additional overhead or impact to the system, LiveTap lets you tap into the activity stream online and see what is currently running in your database.
Complete Picture is based on the revolutionary security repository in Core Audit. This feature is on by default and it keeps an abbreviated record of everything that happens in the Oracle database. For a few megabytes per day, Complete Picture ensures that any internal or external breach will be documented. Complete Picture is stored in the security repository independently of the compliance repository, giving you the comfort of knowing that whether you thought of monitoring for it or not, there will always be a record of everything that happened.
Automatic Security Anomaly Detection & Intelligent Auditing
Intelligent Auditing allows Core Audit to tell you when something suspicious is happening in your database. The security repository behind Complete Picture is the foundation for this state-of-the-art anomaly detection engine.
Anomaly detection is not signature-based, and can therefore detect Zero Day Attacks, any type of SQL Injection, Privilege abuse, Backdoors, and various other attacks. The Anomaly engine can also identify spikes in activity volume, suspicious origins, abnormal activity hours, and more.
The anomaly detection engine is built into the reporting engine and can therefore be delivered in a report, alert, email, syslog or any other reporting option.
Full Capture & Low Overhead
Core Audit gives you more than a mere compliance checkbox or security tagline. The trick to doing it right is to capture everything that happens in the Oracle database engine. Core Audit’s Full Capture technology can do just that.
Full capture can see beyond the local and remote connection. It can see straight into the database engine and tell you exactly which SQLs executed in a stored procedure, trigger, or anonymous block. It can show dynamic SQLs initiated from inside the database engine and much more. The Full Capture technology cannot be circumvented, and that’s what makes it invaluable to you.
While Full Capture is precious, it would not be as valuable had it slowed down the database server. That’s why Full Capture was designed to have an extremely low overhead. Full Capture can log every SQL in every procedure from every user at less than 3% overhead. This ability to see and audit everything without impacting the Oracle database enables some unique features like LiveTap and Complete Picture.
But CPU is not everything, and the Core Audit agent has been optimized to have a minimal footprint in terms of network, memory, and I/O. As a result, Core Audit agents can be deployed on any production system at any time without modifications, tuning, or service interruption.
Reporting, Alerting, Email, Syslog, and more
Reports are a vital feature of any compliance or security tool and Core Audit comes built-in with a powerful Reporting engine. The reporting engine is both easy to use and flexible enough to generate all the needed reports. Automatic scheduling, Ad-hoc reporting, simple customization and more are built-in with no additional products or licenses.
While reporting is paramount, sometimes it is better to be alerted as things happen and not wait for the next morning to find out. This is where Alerting comes in, and it is built into the reporting engine to provide all the flexibility available in any of our reports. Alerting has significant benefits in certain situations and like all the features in Core Audit, it’s completely built-in and integrated seamlessly.
Both Reports and Alerts can be delivered in a variety of methods that include Files, Email, HTML, CSV, SYSLOG, and CEF (ArcSight format). As a result, Core Audit can add value to any security or compliance system you might already be using by adding a database auditing component to it.
Core Audit has powerful integration and customization capabilities that can provide significant value in many environments:
Change Control integration allows Core Audit to identify changes designated as change control and tag them with the change control number. This information can be viewed in the product as well as in the reports and allows for benefits such as a faster reconciliation process and identification of changes that are not designated as change control.
Real Application User identification is a capability that is dependent on the application, but can be performed in many bundled and homegrown applications. When possible, identification of the real application user can add significant value to a report or an investigation.
SIEM integration is possible through syslog or CEF and can provide your SIEM system with the valuable database perspective that it is lacking.
Many other integration options exist depending on the environment, through the programmable rule and reporting engines.
Scalability, Repository, and Integrity
Core Audit was designed and optimized to process extremely high SQL volumes (200,000 SQLs per second per CPU core on average). This makes the Audit Server ideal to run on a virtual machine, as well as allowing a single Audit Server to monitor a large number of Oracle databases of any size.
But processing in memory is not enough, which is why the Core Audit repository uses a built-in proprietary high performance storage engine. The Core Audit repository is capable of storing vast amounts of SQLs in a fraction of the space otherwise required. This translates to direct value to you as you’ll be able to record everything you need, and retain it online for extended periods of time.
An ordinary desktop computer has sufficient computing power and disk space to audit an entire data center and store everything needed for years. Long term retention is required by many compliance regulations and keeping everything online just makes the process a lot simpler.
Another important feature of any compliance and security system is the ability to ensure data integrity and resist tampering or manipulation. This is especially true in Oracle database auditing where administrators are considered part of the risk. Core Audit’s Full Capture technology prevents tampering on the collection side, while the security features built into the repository prevent tampering with the data on disk.
No small print, or other limitations
Many products claim to do a lot and in small print have disclaimers about consequences, side effects, limitations, additional costs and so forth. Core Audit has no small print.
When we say we capture everything, that means everything. It includes remote activity, local activity, internal database activity, encrypted communication and every other type of activity. We capture it all, and we do it as part of the standard default installation. There are no additional modules to buy or deploy, no additional overhead, and no other surprises.
When we say we have a repository, reporting, etc., that means it’s part of the product and included in the standard installation. There are no additional licenses to buy, no external tools to purchase or deploy, and no other small print.
When we say we scale to monitor hundreds of thousands of SQLs per second, that means on a standard 1-2 year old average desktop PC, not a dual quad core Xeon that was released yesterday and was tuned specifically for the task.
It’s impossible to list everything we’re not doing, so we try to make it clear – there is no small print.