PFCLATK - Audit Trail Toolkit
PeteFinnigan.com Limited have developed a toolkit that can be used to rapidly deploy an audit trail to an Oracle database. The toolkit is alert and policy driven. It ships with 28 policies and 28 matching pre-defined alerts. The ethos of the toolkit is to let customers define an audit trail for the Oracle database easily and quickly, and to have that audit trail add value. The policies that are shipped are aimed at auditing the database engine itself, with the goal of capturing any attack on the database itself.
Customers can easily define their own policies, alerts and factors, which makes the toolkit easy to expand and use. Policies can target both standard audit and trigger-based audit, and can be defined to audit data access and functional access as well. The toolkit is rich, and its main goal is to be easy to deploy quickly and to produce meaningful audit trails.
There are plans to add a GUI to PFCLATK, but at the moment we supply our PL/SQL based toolkit to customers who hire us to design and implement an audit trail for them. The high level steps in a piece of work like this are:
- We sit down (in person or virtually over Teams/Webex/Zoom etc) and agree a plan and budget for what the client would like to achieve. We also agree at a high level what events/issues the client would like to capture in their database, such as detecting sharing of accounts, possible attacks, changes to security and more. These are the audit events.
- PeteFinnigan.com Limited then produce an initial design of the audit trail; the main part of the design is a table of events. We also add our own suggested events to this table.
- Next the design is presented for review and a meeting takes place to agree the audit events that should be captured.
- After agreeing the events we expand the table of events in the design to identify what raw audit should be captured, how each event is recognised from that raw audit, and how it is eventually reported as an alert. An example for detecting users sharing accounts is to audit connections; the event is then true when the same account is seen in use from different locations.
- We then review the final design with the customer before implementing the events as policies in our PFCLATK toolkit. This is easy and uses a declarative framework.
- The customer can then add their own factors, which define different types of information such as support users, DBA accounts, relevant IP addresses and more.
- The PFCLATK toolkit is then deployed by the customer and tested to confirm that the designed audit events capture what is needed.
- The design is signed off and the customer can deploy to all of their databases.
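The account-sharing event described in the steps above, written out as plain Oracle SQL. This is an added example and not PFCLATK's own code or policy framework: it assumes Oracle 12c or later with unified auditing enabled, and the policy name ATK_LOGON_POL, the factor table ATK_FACTOR_HOST with its sample rows, and the one-hour detection window are all assumptions for illustration. The first part captures the raw audit (every LOGON); the second part is the check that makes the event true when one database account has logged on from more than one client host, ignoring hosts listed in a factor that may legitimately share an account (for example an application server pool).

```sql
-- Added example, not PFCLATK code. Assumes Oracle 12c+ unified auditing.
-- ATK_LOGON_POL, ATK_FACTOR_HOST and the 1 hour window are assumptions.

-- 1. Raw audit: record every LOGON so the event can be evaluated afterwards.
CREATE AUDIT POLICY atk_logon_pol
  ACTIONS LOGON;

AUDIT POLICY atk_logon_pol;

-- 2. A "factor": hosts from which an account may legitimately be shared.
--    The rows are constructed sample data.
CREATE TABLE atk_factor_host (
  factor_name VARCHAR2(30)  NOT NULL,
  userhost    VARCHAR2(128) NOT NULL
);
INSERT INTO atk_factor_host VALUES ('APP_SERVER', 'appsrv01');
INSERT INTO atk_factor_host VALUES ('APP_SERVER', 'appsrv02');
COMMIT;

-- 3. Detection: the event is true when the same account logged on from more
--    than one distinct host in the window, after removing factor hosts.
--    Needs the AUDIT_VIEWER role (or equivalent) to read UNIFIED_AUDIT_TRAIL.
SELECT a.dbusername,
       COUNT(DISTINCT a.userhost) AS distinct_hosts,
       COUNT(*)                   AS logons,
       MIN(a.event_timestamp)     AS first_seen,
       MAX(a.event_timestamp)     AS last_seen
FROM   unified_audit_trail a
WHERE  a.action_name = 'LOGON'
AND    a.unified_audit_policies LIKE '%ATK_LOGON_POL%'
AND    a.event_timestamp >= SYSTIMESTAMP - INTERVAL '1' HOUR
AND    NOT EXISTS (SELECT 1
                   FROM   atk_factor_host f
                   WHERE  f.factor_name = 'APP_SERVER'
                   AND    f.userhost    = a.userhost)
GROUP BY a.dbusername
HAVING COUNT(DISTINCT a.userhost) > 1
ORDER BY distinct_hosts DESC, a.dbusername;
```

Two practical caveats. A host name alone is a weak definition of "location": a DHCP or VPN user can legitimately appear from several addresses, so a production version of this event usually combines USERHOST with OS_USERNAME and CLIENT_PROGRAM_NAME from the same view, and the factor table is what keeps known exceptions out of the alert. Secondly, the query is only as good as the raw audit it reads: if the LOGON policy is not enabled (or the AUDIT POLICY statement was never run) the query returns nothing and silently reports no sharing, so the deployment test in the steps above should include a deliberate two-host logon to prove the event fires.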
This is a fast and simple way to get a comprehensive audit trail in your database using our toolkit and expertise. The toolkit also goes much further: it supports extraction to syslog, archival to a central database and more.
PFCLATK can be deployed to target databases to enable audit, but it can also be deployed in central mode, where a central database is set up to gather and collate the audit trails from all target databases. This is easy to deploy and get running and requires just two deploy scripts to be run. Centralised reporting for all target databases can then take place against this central database.
Like to Purchase? More Details? Want To Partner?
Please email info@petefinnigan.com to enquire about the toolkit. The toolkit can be used as part of a consulting engagement with PeteFinnigan.com, where we define your audit trail design and policy and help you configure and use the toolkit. Alternatively, you can purchase a license for the toolkit from us. Please email for details.