Oracle AVDF configuration

Source: Internet
Author: User

Next: Introduction to Oracle audit and database firewall (AVDF)

Oracle AVDF Installation

1. Oracle AVDF Application Experiment in HIS

Next, we use the configuration to demonstrate an application case of Oracle AVDF for HIS. After completing the basic configuration above and logging on to the Audit Vault Server as an auditor again, you can see that the main console interface has changed significantly. For example, the "Report" and "Policy" labels appear in the "control label" column, and the sections below them show the most recently generated alarm information, the top five protected targets ranked by warning, the most recent failed logons, and the verification operation, which together give an overview of the current production environment. You can also obtain more detailed firewall warning and audit reports from the reports. However, auditors must define audit and firewall policies in advance.

Oracle AVDF main console interface

Under the "Policy" tab of the console, the policy category contains audit settings and firewall policies. Setting a policy is relatively simple; what is often complicated is that every policy has to be formulated for a specific application. Therefore, we only set an audit policy and a firewall policy based on two simple requirements:

1. Audit the insert operations on the outpatient expense record table in HIS;

2. Have the firewall intercept calls to zl_Parameters_Update.

1.1. Audit Configuration

To meet the two small requirements above, select the "Audit Settings" menu under the "Policy" tab, then select the target in the list of protected targets. The page automatically jumps to the audit settings for the selected target and displays an overview of its current audit settings, for example whether the sys user is audited and how many statements are being audited. The details have to be viewed in the specific categories.

Configure audit for outpatient expense record table (1)

This is the overview page of the current audit settings. Because we want to audit insert operations on the outpatient expense record table, select "Object" here. You can also choose statement audit, privilege audit, or fine-grained audit based on your needs.

Configure audit for outpatient expense record table (2)

On the Object audit settings page, click "Create", enter the information for the object to be audited, and save the settings. For our requirement, the audit object type is table, the object name is ZLHIS.outpatient expense record (the owner-qualified name of the outpatient expense record table), and the audit action is Insert.

Configure audit for outpatient expense record table (3)

After creation, this audit policy is displayed on the Object audit settings page. You can use the function buttons on the right of the page to enable or disable the selected policy.

Configure audit for outpatient expense record table (4)

In this way, an audit policy is set for insert operations on the outpatient expense record table. The process for setting other types of audit policies is similar; only the audit information to be entered differs.
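The object audit setting above can also be checked on the target database itself. The following SQL is an added example, not part of the original article or of Oracle's product scripts; it assumes the target uses traditional (non-unified) auditing and that the setting is provisioned as a native AUDIT statement, and ZLHIS.OUTPATIENT_EXPENSE_RECORD is a placeholder for the real table name.

```sql
-- Added example. ZLHIS.OUTPATIENT_EXPENSE_RECORD is a placeholder name.
-- Run as a user with the AUDIT ANY privilege and access to the DBA_* views.

-- 1. Native statement of the kind the object audit setting
--    (type: table, action: Insert) corresponds to (assumption).
AUDIT INSERT ON ZLHIS.OUTPATIENT_EXPENSE_RECORD BY ACCESS;

-- 2. Confirm that the option is active on the target.
--    INS shows the mode for successful/unsuccessful statements:
--    'A/A' = by access, 'S/S' = by session, '-/-' = not audited.
SELECT owner, object_name, object_type, ins
FROM   dba_obj_audit_opts
WHERE  owner = 'ZLHIS'
AND    object_name = 'OUTPATIENT_EXPENSE_RECORD';

-- 3. SQL text and bind values are written to the database trail only
--    when AUDIT_TRAIL is set to an EXTENDED mode.
SELECT value
FROM   v$parameter
WHERE  name = 'audit_trail';

-- 4. After the application has inserted a row, the audit record should
--    show the client host, OS process ID, statement and bind values.
SELECT extended_timestamp,
       username,
       os_username,
       userhost,
       os_process,
       returncode,
       sql_text,
       sql_bind
FROM   dba_audit_trail
WHERE  owner = 'ZLHIS'
AND    obj_name = 'OUTPATIENT_EXPENSE_RECORD'
AND    action_name = 'INSERT'
ORDER  BY extended_timestamp DESC;
```

If step 2 returns '-/-' or no row, the setting has not reached the target and nothing will be collected for this table.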

1.2. Firewall Configuration

Next, set the firewall policy to block stored procedure calls. Select the firewall policy menu and click Create Policy, then specify the type of the application database, the name of the policy, and other information. Some readers may wonder: how can a policy be created like this? How does the policy know which stored procedure I want to intercept? People who are not familiar with the firewall may well ask this. In fact, a firewall policy contains a further concept called a rule, and what really does the work is the rules defined in the policy.

Configure the firewall for the zl_Parameters_Update process (1)

After the policy is created, the rule definition page is displayed automatically. Because we need to intercept the stored procedure zl_Parameters_Update, we select the SQL analysis rule settings on the rule definition page. Earlier, we performed some operations with the ZLHIS program connected to the target database, so the firewall has already recorded the common SQL statements of our program. Find the SQL statement to be blocked in the main report, select the policy setting on the right, and in the dialog box that appears specify the log record level, threat severity, and other information needed to block the SQL statement.

Configure the firewall for the zl_Parameters_Update process (2)

Set the control policy: the operation is block, the log is recorded once, and the threat severity is moderate. These values apply only to the requirement stated earlier, which is why the application requirements must be clear before the rules are formulated. After setting the rule, you must publish the policy you just defined, using the controls on the right side of the policy definition page.

Configure the firewall for the zl_Parameters_Update process (3)

After completing the preceding steps, you can apply the defined policy to the security target. Under the firewall policy main menu you can see which policies have been defined and which have been applied to the security target database (if the status in the deployment column is No, the newly defined policy has not been applied; if the status is Yes, the policy is applied).

Configure the firewall for the zl_Parameters_Update process (4)

Go to the "target" menu under the "protected targets" tab, select the target to be protected by the firewall policy, select the policy that was just defined above in the firewall policy bar, and save it. You can also set audit policies, stored procedure audits, and user authorization on this page.

Configure the firewall for the zl_Parameters_Update process (5)

Finally, after all policies and rules have been defined and applied, let's take a look at the reports, which are the most important content for every auditor. The original intention of deploying Oracle Audit Vault and Database Firewall is to protect security targets and to warn of potential security threats so that security risks are effectively avoided.

Oracle Audit Vault and Database Firewall ships with a considerable number of built-in reports, which basically meet the needs of most audit work. Oracle Audit Vault and Database Firewall also supports custom reports: you can modify the report templates provided by Oracle to meet special requirements. The report console page is as follows:

Oracle AVDF main console interface (6)

The reports differ in format, content, and presentation as needed, and cannot be listed one by one in this article.

1.3. Effect Display

The following is an example of the reports generated by the two policies that meet the preceding requirements. To generate data, we first run the ZLHIS application to trigger an insert into the outpatient expense record table and a call to the zl_Parameters_Update stored procedure.

Because this is a hypothetical requirement, we first set the parameters in the outpatient billing module of the ZLHIS program. When this operation is confirmed, the zl_Parameters_Update stored procedure is called.

ZLHIS software operation (1)

Next, a row has to be inserted into the outpatient expense record table. We therefore simulate an outpatient expense record operation, which inserts data into the outpatient expense record table.

ZLHIS software operation (2)

After completing the preceding operations, you can view the corresponding report in the reports, as shown below:

Oracle AVDF Report (1)

Click the blank page icon on the far left of the audit report to get more detailed information, including the client from which the operation came, the operating system process ID, and the variable values bound to the SQL statement.

Oracle AVDF Report (2)

Report of the firewall policy on the interception of zl_Parameters_Update stored procedure call.

Oracle AVDF report (3)

In addition to viewing the various reports online in a browser, you can also generate offline reports in PDF or XLS format. A report in XLS format:

Oracle AVDF Report (4)

The installation, configuration, and application deployment of Oracle Audit Vault and Database Firewall may be slightly more complex than for other Oracle products used in the past. However, when applying this product it is more important to clarify the business needs: which operations need to be audited, which need to be blocked, and which only need a warning. However complicated they are, installation and configuration are fixed steps that you will become familiar with, whereas business needs keep changing. Oracle Audit Vault and Database Firewall can achieve the expected protection goals only if the business needs are clearly understood and good policies are developed.

