Using Audit Vault with Oracle E-Business Suite

Oracle Audit Vault is a database option that automates the collection and consolidation of audit data to support regulatory compliance and reduce security risks.  Audit Vault provides compliance and entitle reports, alert notifications, and centralized audit policy management.  Audit Vault provides compliance reports to address regulatory requirements for database activity monitoring and auditing for:
  • Sarbanes-Oxley (SOX) Act
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry (PCI) Data Security Standards (DSS)

Conceptual diagram showing audit data tracked by Oracle Audit Vault

 From the Oracle Audit Vault FAQ:

Audit Vault extracts audit records produced by the database's native audit facility so no special certification is required by the application since it is transparent. Any packaged application such as Oracle E-Business Suite, PSFT, Siebel, and SAP work seamlessly with Audit Vault to collect the native audit records.

E-Business Suite suggests that auditing and monitoring of privileged users, user sessions, database links, and database changes is a key element in monitoring and securing your applications. Please see Metalink Note 189367.1. Audit Vault supports all versions of E-Business Suite that sit on top of Oracle database versions 9.2.x forward.

In addition, the Oracle database column, client_identifier, can be used to pass the end application user to the native audit record. E-Business Suite updates client_identifier automatically starting with version 12 of the application, PeopleTools starting with 8.50, and SAP kernal version starting with 7.10. The client_identifier value can be used in the Audit Vault reports to view the application user, OS user, and database connection user information for forensic analysis.

No special setups required for EBS

In other words, you can use Audit Vault's generic documentation for E-Business Suite databases.  No special EBS-specific documentation or setups are required to enable Audit Vault in EBS instances.

Related Articles


Comments:

Does Audit Vault still require it be disabled when applying an Apps patch? If so, it still won't meet all of my clients' auditor requirements.

Posted by Jay Weinshenker on July 14, 2011 at 07:27 AM PDT #

Jay,

I checked with our architects and nobody seems to understand the Audit Vault issue that you're alluding to.

Are you thinking of *DATABASE* Vault? In an earlier version of Database Vault, you needed to disable it to apply patches. That's no longer the case today, though. You can apply patches to Database Vault-enabled EBS environments without disabling that option.

Regards,
Steven

Posted by Steven Chan on July 15, 2011 at 03:25 AM PDT #

Yep, I've got the products mixed up. My fault, sorry about that.

Another question though - where does this fit in for a company running EBS compared to Oracle GRC (Governance Risk and Compliance) which is also for SOX auditing, compliance and entitle reports, alert notifications, and centralized audit policy management?

I recall GRC is very specific to versions of Oracle Apps (or Peoplesoft, and I think another program) but as you wrote above this works with any version of the Apps as long as it's a 9.2.0.X DB or above..

Posted by Jay Weinshenker on July 15, 2011 at 07:58 AM PDT #

Jay,

Audit compliance falls pretty far outside of my area of expertise. I can't really comment on the relative positioning of those two products for compliance coverage. I'd recommend asking your Oracle account manager to get a specialist in to brief you on the relative strengths of those two products for different audit requirements.

Regards,
Steven

Posted by Steven Chan on July 18, 2011 at 02:57 AM PDT #

Does this show column before and after values on data updates.
So If I change column abc from 1 to 2 does it record both values and who changed it.

Posted by guest on July 26, 2011 at 11:45 AM PDT #

Hello, Guest,

Our Audit Vault team replied:

"The Audit Vault REDO collector will display both the old and new values of the column that changed, who changed it, and when.

"In fact, the REDO collector will collect all 'inserts', which displays all values that were inserted. And on 'deletes', it will display the column values of the record before it was deleted.

Based on the primary key values or a combination of columns, you can determine which record has been updated."

Regards,
Steven

Posted by Steven Chan on July 27, 2011 at 02:37 AM PDT #

Hi Steven,

I am trying to implement audit vault to our E-Biz application (11.5.10.2). My problem right now is in audit vault report, data access show the schema user, not the application user.

For example, user 'JHAVOC' updates the sales order, in Audit Vault report, the user who updated the sales order is 'APPS', not 'JHAVOC'.

I already applied patch 11870353 and followed note 1130254.1 but still it was not solved.

Do you have any idea on this??

Thanks,

Jay

Posted by Jay-A on July 28, 2011 at 06:56 PM PDT #

Hi, Jay,

I'm sorry to hear that you've encountered an issue with this.

No idea, I'm afraid. I don't have any personal experience with Audit Vault.

We can provide general conceptual guidance here, but I'm afraid that this blog isn't the best place to get technical support for specific issues like the one that you're working through.

Your best bet would be to log a formal Service Request via My Oracle Support (formerly Metalink) to get one of our specialists engaged.

Please feel free to forward your Service Request number to me if it gets stuck in the support process for some reason.

Regards,
Steven

Posted by Steven Chan on July 29, 2011 at 04:56 AM PDT #

Hello Steven,

Considering the fact the the Security analyst who defines/monitors AV may not be an apps DBA, are there any out of the box templates for Ebiz that will enable them to monitor activies based on business transactions without having knowledge of underlying tables.

Regards,
Anton

Posted by anton dsilva on February 01, 2012 at 10:24 PM PST #

Hello, Anton,

Sorry for the delay in responding to this.

No, we don't have any prebuilt Audit Vault templates for the E-Business Suite right now. We're evaluating this project, but other security-related initiatives are the focus of our development activities at this point.

Regards,
Steven

Posted by Steven Chan on February 09, 2012 at 10:23 AM PST #

Hi,

I have been searching "high and low" without success and will now try my luck with this blog.

I would like to know if it is possible using Audit Vault to accomplish the following:

- Track EBS user usage of all responsibilities.

The thing is that I have created a concurrent request automatically end dating all combinations of user / responsibilities not used within the last 90 days - it works fine when it comes to "Forms responsibilities", but I cannot seem to find information about last usage of either Self Service - or Discoverer responsibilities.

I'm looking in tables "APPLSYS.FND_LOGINS" and "APPLSYS.FND_LOGIN_RESPONSIBILITIES".

So my question is - will setting up Audit Vault do the trick or will you recommend a different approach to track usage of Self Service - and Discoverer responsibilities? Or do you have some other suggestion where I can find more information about this issue?

In my opinion it should be a standard feature as with Forms responsibilities - and maybe it is and just me not being able to find out how to (if so, it is very well hidden in all available documentation...;-)

BR Martin

Posted by Martin Zangger on April 25, 2012 at 11:03 AM PDT #

Hi again

Ok - doing a little more research and getting help from Oracle Support I found a solution to my problem: "Page Access tracking"

Enabling this for both "Web" and "Form" gives me the possibility to track all users usage of all responsibilities. Standard feature of course - nice ;-)

If someone has a similar problem or just wants to know about Page Access Tracking more information can be found looking up this document: [ID 402116.1]

BR Martin

Posted by Martin Zangger on April 27, 2012 at 08:07 AM PDT #

Martin,

I ran this by our security architects. Page Access Tracking under Oracle Application Manager was added for OA Framework-based pages. In addition, George Buzsaki (the grandfather of AOL) noted:

<snip>

The Sign-on Audit feature should allow you to track user access to responsibilities. Forms or OAF should not matter, the auditing should work in all cases. You don't need audit vault for this, Sign-on Audit is built into EBS. We don't ship a report of "responsibilities not accessed in a long time", but it should be possible to write this query by looking at the FND_LOGIN_RESPONSIBILITIES table.

</snip>

Regards,
Steven

Posted by Steven Chan on April 30, 2012 at 03:04 PM PDT #

Hello Experts,

Would you please provide any reference or whitepaper to integrate EBS R12 with Audit Vault?

Posted by guest on October 24, 2012 at 04:02 AM PDT #

Hello, Guest,

The article above states:

No special setups required for EBS

In other words, you can use Audit Vault's generic documentation for E-Business Suite databases. No special EBS-specific documentation or setups are required to enable Audit Vault in EBS instances.

Regards,
Steven

Posted by Steven Chan on October 24, 2012 at 07:45 AM PDT #

Post a Comment:
  • HTML Syntax: NOT allowed
About

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
4
5
6
7
8
9
10
11
12
13
14
19
20
21
24
25
26
27
28
29
30
   
       
Today