Simple Self-Guided Walk-through

This introductory walk-through will point out the main screens in Core Audit and explain their purpose.

Starting up

This guide can be read while using the Core Audit Web Console in a different window. To open the Core Audit Web Console in a new window, click the launch button above.
The Web Console has 5 panels on the left that contain 5 areas of functionality:
  • Home – mostly contains guide and assistance options
  • Overview – contains a summary of all the policies and reports defined in Core Audit
  • Wizards – contains wizards that can build out-of-the-box policies & reports customized to your environment.
  • Dataview – contains a graphical interactive tool for slicing and navigating through all the information in the system.
  • Policies & Reports – contains all the policies and reports in the product, the ability to modify, add or delete them, as well as Ad-Hoc execution of reports.

Wizards

The best place to start a walk-through of Core Audit is the Wizards panel. The Wizards can create various combinations of policies and reports to achieve specific compliance or security goals. The wizards can be selected on the left panel, and each wizard is a single page with a small number of parameters.
For example, the Tables wizard is designed to monitor access to sensitive tables. It asks for the names of the sensitive tables and will create a variety of reports and underlying policies to help monitor those tables.
Similarly, the DBA wizard is designed to monitor the activity of DBAs & Privileged users. It asks for the Oracle account names to monitor and will create a variety of reports and underlying policies to achieve that.
Once the Create button is clicked, the desired policies will be created and activated, and the desired reports will be created and scheduled to run the next morning. As a read-only user you will not be able to create policies & reports, but all the policies & reports you see in the online demo were created using these wizards.

Policies & Reports

The Policies & Reports panel shows all the policies and reports currently active in Core Audit and allows adding, deleting, or editing them. Policies & Reports are grouped into bundles, and each wizard creates one bundle.
If you select the DBA bundle on the left panel, you will see it contains one policy, two session reports, and four SQL reports. The policy tells the Core Audit Rule Engine which SQLs to record in the compliance repository. The Session Reports are reports on successful and failed logons, and the SQL reports are reports on SQL activity.
If you select the DBA accounts usage report on the left panel, you will see the report definition on the main screen. Below the report definition, you will see the Ad-Hoc execution panel. If you click the preview report link, the Core Audit Server will generate the report for the selected time frame and display it in the console. As you can see, this report shows the number of logons for each user, program, and machine.
If you look at the Columns tab in the report definition, you will see the columns the report is grouped by. Being a summary report, this report has no detail columns. Since you have read-only access, you will not be able to save changes to the report, but selecting other columns in the grouping or detail will change the report.
Now select the DBA Non CC DML activity report, and click the preview link again. This is a SQL report of Non Change Control DBA Activity. This report is grouped by sessions and has the SQL information in the details.
If you preview the DBA DML activity report, you will see it has a tabbed layout instead of the regular layout. This layout was selected by entering the word tab in the HTML format field under the General tab.
In addition to the Session and SQL reports, there are Redo reports and Anomaly reports. Have a look at the AppSecurity SQL Injection report in the Application Security bundle. This is an anomaly report that looks for new SQL constructs that haven’t been seen in the application recently.
Take some time to look through the various reports in the various bundles. Keep in mind that this is only a small selection from the reports that can be built by the wizards.
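The idea behind the anomaly report described above (flagging SQL constructs that have not been seen recently) can be sketched as follows. This is an added example, not Core Audit's code: the function names, the literal-masking rules, the learning period and the 7-day window are all assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

def sql_construct(sql):
    """Reduce a statement to its construct: literals masked, case and spacing folded."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)       # string literals first
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)      # then numeric literals
    return re.sub(r"\s+", " ", s).strip().lower()

def new_constructs(events, learn_until, window=timedelta(days=7)):
    """Return (timestamp, sql, construct) for statements whose construct was
    not seen within `window` before them. Events before `learn_until` only
    build the baseline. `events` must be sorted by timestamp."""
    last_seen, flagged = {}, []
    for ts, sql in events:
        construct = sql_construct(sql)
        previous = last_seen.get(construct)
        is_new = previous is None or ts - previous > window
        if ts >= learn_until and is_new:
            flagged.append((ts, sql, construct))
        last_seen[construct] = ts
    return flagged

# Constructed sample activity (not taken from the demo environment).
T0 = datetime(2024, 1, 1, 9, 0)
LEARN_UNTIL = T0 + timedelta(days=1)
SAMPLE_EVENTS = [
    (T0, "SELECT name FROM salaries WHERE emp_id = 7"),
    (T0 + timedelta(hours=1), "select name  from salaries where emp_id = 42"),
    (T0 + timedelta(hours=2), "UPDATE salaries SET amount = 5000 WHERE emp_id = 7"),
    (T0 + timedelta(days=2), "SELECT name FROM salaries WHERE emp_id = 13"),
    (T0 + timedelta(days=2, minutes=1), "SELECT name FROM salaries WHERE emp_id = 13 OR 1=1"),
    (T0 + timedelta(days=2, minutes=2), "SELECT name FROM salaries WHERE emp_id = 99 OR 5=5"),
]

if __name__ == "__main__":
    for ts, sql, construct in new_constructs(SAMPLE_EVENTS, LEARN_UNTIL):
        print(ts.isoformat(), "NEW CONSTRUCT:", construct, "<-", sql)
```

Because literals are masked before comparison, routine queries with different values map to one known construct, while a statement with an extra predicate stands out once and is then treated as seen.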

Dataview

The Dataview panel contains a graphical interactive tool for slicing and navigating through all the information in Core Audit. There are four information sources available for investigation:
  • Security Repository – Contains summary information about all the SQL activity in the database.
  • Compliance Repository – Contains detailed SQL and session information.
  • Redo Log Repository – Contains information about data value changes for specific tables defined for the Logminer collector.
  • LiveTap – Allows tapping into the live activity stream from the database. LiveTap does not store information in a repository, but streams the relevant activity directly into the Console. Since the online demo only contains recorded information, LiveTap is not available in it.
Each repository has a different perspective on the database activity and facilitates a different type of investigation. Together, the repositories provide an unparalleled tool for Incident investigation and Postmortem Analysis.

Complete Picture

The security repository is the foundation of Complete Picture and gives a comprehensive view of everything that happened in the database. This automatic collection does not depend on policy definitions.
With the Reduced SQL button selected, pick the AIX-11g database, and click the Apply button. The graph on top shows the SQL volume over time, and the two grids below show the usernames, programs, and all the SQLs executed.
Select the first line (TOM/Toad) from the left grid and click the Filter Users & Programs button. The graph on top updates to show when there was SQL activity from TOM/Toad (4:00pm – 4:05pm) and the grid on the right shows the SQLs executed from that user and program.
Type salaries in the quick search box above the SQL list, and you’ll see only SQLs that contain that word. These are all the SQLs from Toad that accessed the salaries table. Click the Filter SQLs button and the graph will update to show these executions.
Click the Reset Filters button at the top right to empty all the filters, and type salaries again in the search box above the SQL list. The list now shows all the SQLs in the database that accessed the salaries table. Click the Filter SQLs button again and the left grid will show the users and programs that executed those.
You can drill down and up all you want, search, and sort the grids by any column.
Clicking on the SQL Source button on the left panel will show a similar investigation tool in the security repository focusing on the source of the SQL. The same filtering and drilling features apply.
Select TOM from the right column and press the Filter button. The rest of the grids show where user TOM executed SQLs from, and the graph shows when. Selecting sqlplus.exe from the second column and clicking the Filter button will show where TOM used SQL*Plus to execute SQLs from and when.
While it has some drawbacks, Complete Picture gives you the comfort of knowing that whether you thought of monitoring for it or not, there will always be a record of everything that happened.

Compliance Repository

While the compliance repository automatically stores all the sessions in the database, SQL activity is stored based on the rules of the policies.
Select the By Session button from the left panel and the main display will show all the sessions in the database. You can use the filters on top to refine your search (and click Apply), or the quick search box to search the information already retrieved.
Click the By SQL button on the left panel, and the main display will show all the SQLs recorded in the compliance repository (up to the limit specified in the left panel). Type Tom in the Username box, Salaries in the Text in SQL box, and click the Apply button. The display will now show all the SQLs in the compliance repository that were executed by Tom and accessed the salaries table.
Keep in mind that only SQLs recorded by a policy rule can be viewed in the compliance repository.
The first line shows declare in the SQL Text. Click anywhere on the line to expand it and show the full text. This expansion method applies to all the Dataviews (including the security repository).
The SES ID column shows the internal session ID Core Audit assigned to the session. Click it to see all the SQLs recorded from that session. Since this session has a lot of recursive SQLs (the Depth Zero filter is hiding those), increase the limit on the left panel to 10,000 and click the Apply button again.
What you see is a detailed transcript of this session. This particular session was fully recorded due to the DBA policy.

Home & Overview

The Home panel is where Core Audit will launch initially. As a read-only user, you can only see the various help screens in the tree view on the left. The Getting started guide contains a deep walk-through of all the functionality in Core Audit.
The Home panel also allows you to see the license information and change passwords. For Administrators, the home panel contains the various administrative options.
The Overview panel contains a summary of all the policies and reports defined in Core Audit. It also contains the database tree editing tool on the left panel. This database tree is used throughout the product. As a read-only user, you cannot save modifications to the tree, but changes you make will be used throughout your session.

Summary

Thank you for taking the time to walk through Core Audit. Feel free to play with Core Audit and get comfortable with what it offers.
There are additional guides available on the Online Demo page, and we will be happy to give you a Personal Tour of Core Audit.
To experience the full functionality of Core Audit, we encourage you to download our Free Trial and test Core Audit on your systems.