
Oracle Fine-Grained Authorization Mini Lesson

  • Writer: Pavan Raja
  • Apr 9, 2025
  • 5 min read

Summary:

This document provides a step-by-step guide for installing Oracle Fine-Grained Auditing (FGA) in ArcSight ConApp or Logger. The process involves creating a FlexConnector package for Oracle FGA to parse raw audit messages into a format that ArcSight can understand, followed by uploading the .properties and .csv files to the ConApp repository. Here is a summarized version of the guide:

1. **Create FlexConnector Package**: Develop a FlexConnector package to handle parsing of "raw" audit messages from Oracle FGA for integration with ArcSight. This will result in a .properties file which needs to be uploaded to the ConApp repository.

2. **Upload Files to Repository**: In the ConApp, navigate to Setup > Repositories and select “Flex Connector Files”. Click on “Upload to Repository”, then choose “Individual Files” and proceed with uploading the files under a specified subfolder (e.g., "flexagent/oraclefga").

3. **File Upload**: Specify the .properties file details such as date, time, and size, enter its name ("oraclefga"), and upload it. Ensure successful upload by checking the repository for the .zip file matching your subfolder.

4. **Select Containers**: On the next screen, select the container(s) to which you wish to upload the .zip file. Wait until the upload completes successfully. This will update the ConApp repository and enable creation of a new connector.

5. **Add FlexConnector**: In the ConApp, go to “Manage” and find the site name (e.g., "localhost"). Now you are ready to add the FlexConnector for Oracle FGA integration.

6. **Select the Connector Type**: Find the connector uploaded and click "Add". Select "ArcSight FlexConnector Multiple DB" and proceed with configuration.

7. **Configure the JDBC Driver**: Select the JDBC Driver for Oracle: "oracle.jdbc.driver.OracleDriver". Continue to configure other connection details such as URL, username, password, frequency, and configfolder (e.g., `oraclefga`).

8. **Select Forwarding Destination**: Choose a forwarding destination like an ESM/Express instance or Logger.

9. **Configure Hostname or IP, Port, Receiver Name, and Compression Mode**.

10. **Set Friendly Name and Additional Details**.

11. **Complete Connector Creation** and verify the connector status to ensure it is running without errors.

12. **Monitor Logs**: Check logs for any issues during the initial run and troubleshoot if necessary.

This guide provides a simplified process for setting up Oracle FGA in ArcSight ConApp, including file upload details and configuration settings specific to an Oracle environment. For detailed steps on each task mentioned above, refer to the official documentation of your version of ArcSight or consult technical support for further assistance.

Details:

This document provides a step-by-step guide for installing Oracle Fine-Grained Auditing (FGA) in ArcSight ConApp or Logger. The process involves creating a FlexConnector package for Oracle FGA to parse raw audit messages into a format that ArcSight can understand, followed by uploading the .properties and .csv files to the ConApp repository.

**Steps:**

1. **Create FlexConnector Package**: Develop a FlexConnector package to handle parsing of "raw" audit messages from Oracle FGA for integration with ArcSight. This will result in a .properties file which needs to be uploaded to the ConApp.

2. **Upload Files to Repository**: In the ConApp, navigate to Setup > Repositories and select “Flex Connector Files”. Click on “Upload to Repository”, then choose “Individual Files” and proceed with uploading the files under a specified subfolder (e.g., "flexagent/oraclefga").

3. **File Upload**: Specify the .properties file details such as date, time, and size, enter its name ("oraclefga"), and upload it. Ensure successful upload by checking the repository for the .zip file matching your subfolder.

4. **Select Containers**: On the next screen, select the container(s) to which you wish to upload the .zip file. Wait until the upload completes successfully. This will update the ConApp repository and enable creation of a new connector.

5. **Add FlexConnector**: In the ConApp, go to “Manage” and find the site name (e.g., "localhost"). Now you are ready to add the FlexConnector for Oracle FGA integration.

This guide simplifies the process of integrating Oracle Fine-Grained Auditing with ArcSight by providing a structured method for file upload and repository management within the ConApp environment.

To add and configure a connector for ArcSight FlexConnector Multiple DB to connect with an Oracle database, follow these steps:

1. **Select the Connector Type:**

  • Find the connector you uploaded and click "Add."

  • On the next screen, select "ArcSight FlexConnector Multiple DB" and then click "Next."

2. **Configure the JDBC Driver:**

  • Select the JDBC Driver for Oracle: "oracle.jdbc.driver.OracleDriver".

  • Click "Next."

3. **Enter Connection Details:**

  • Under URL, input your connection string in the format: `jdbc:oracle:thin:@<host>:<port>:<SID>`. For example: `jdbc:oracle:thin:@172.16.100.203:1521:orcl`.

  • Enter your username (usually "system") and password.

  • Set the frequency to 5.

  • In "configfolder" selection, input the same subfolder used earlier: `oraclefga`.

  • Click "Next."

4. **Select Forwarding Destination:**

  • Choose a forwarding destination such as an ESM/Express instance, Logger, etc.

  • Click "Next."

5. **Configure Hostname or IP, Port, Receiver Name, and Compression Mode:**

  • Input the necessary details and select compression mode.

  • Click "Next."

6. **Set Friendly Name and Additional Details:**

  • Enter a friendly name and optionally provide location and comments.

  • Click "Next."

7. **Complete Connector Creation:**

  • The ConApp will attempt to create the connector. Once complete, click "Done."

8. **Verify Connector Status:**

  • Drill down to the connector's status page and generate events in Oracle FGA. Check if the Input Events counter increments and confirm messages are forwarded to the intended host.

9. **Deploy Categorization File:**

  • Navigate to `Configuration > Repositories > Connector Properties`.

  • Click on the relevant file path (e.g., `/opt/arcsight/connector_1/current/user/agent/contrib/categorizer`).

  • Enter the required directory: `/contrib/categoriz`.
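Preparing the Oracle side of steps 3 and 8, as an added example that is not part of the original guide or of ArcSight's package: a dedicated read-only login the connector can use in place of "system", and a throwaway FGA policy for generating a test event. The names `arcsight_fga`, `fga_probe` and `FGA_PROBE_SALARY` are assumptions, as is the grant list, which covers the `dba_common_audit_trail`, `audit_actions` and `V$Instance` objects named in the configuration description.

```sql
-- Added example; every account, table and policy name here is hypothetical.

-- Part 1: run as SYSDBA. Read-only account for the connector's JDBC login,
-- so the SYSTEM password never has to be stored on the ConApp.
CREATE USER arcsight_fga IDENTIFIED BY "&connector_password";
GRANT CREATE SESSION TO arcsight_fga;
GRANT SELECT ON sys.dba_common_audit_trail TO arcsight_fga;
GRANT SELECT ON sys.audit_actions          TO arcsight_fga;
GRANT SELECT ON sys.v_$instance            TO arcsight_fga;

-- Part 2: run as a DBA other than SYS (SYS sessions are not captured by
-- FGA policies, so a probe run as SYS produces no audit row).
CREATE TABLE fga_probe (emp_id NUMBER PRIMARY KEY, salary NUMBER);
INSERT INTO fga_probe VALUES (1, 50000);
COMMIT;

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => USER,
    object_name     => 'FGA_PROBE',
    policy_name     => 'FGA_PROBE_SALARY',
    audit_column    => 'SALARY',
    statement_types => 'SELECT,UPDATE',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,  -- keep SQL text
    enable          => TRUE);
END;
/

-- Touching the audited column writes one FGA row.
SELECT salary FROM fga_probe WHERE emp_id = 1;

-- Part 3: connect as arcsight_fga and confirm the row is visible with the
-- same privileges the connector will have.
SELECT extended_timestamp, db_user, object_name, policy_name,
       SUBSTR(sql_text, 1, 200) AS sql_text
FROM   dba_common_audit_trail
WHERE  policy_name = 'FGA_PROBE_SALARY'
ORDER  BY extended_timestamp DESC;

-- Cleanup (as the Part 2 user) once the Input Events counter has moved.
BEGIN
  DBMS_FGA.DROP_POLICY(USER, 'FGA_PROBE', 'FGA_PROBE_SALARY');
END;
/
DROP TABLE fga_probe PURGE;
```

If Part 3 returns the row but the connector's Input Events counter stays at zero, the problem is on the connector side (URL, credentials or configfolder) rather than in Oracle.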

By following these steps, you will successfully configure and deploy a connector for ArcSight FlexConnector Multiple DB to connect with your Oracle database.

The text provided appears to be a configuration file for a database auditing tool, likely used with Oracle databases. It contains various parameters and settings that define how the audit logs should be retrieved and processed. Here's a summary of its contents:

1. **File Listing**: The script lists several CSV files in a directory (`# ls`), including names like `ace.csv`, `microsoft_windows.csv`, etc. These are presumably data files related to the audit logs or other database activities.

2. **Version Information**: There is version information for the Oracle Fine-Grained DB Audit Agent, specifying versions 10.x/11.x and a query to count session IDs from `dba_common_audit_trail`.

3. **SQL Query**: The main SQL query retrieves detailed audit trail data including OS user details, database sessions (SID), timestamp of actions, logoff time, object schema, name, action type, session actions, database user, terminal information, comment text, statement ID, entry ID, return code, privileges used, and the first 2000 characters of SQL text. It filters based on extended timestamp or logoff time.

4. **Timestamp Fields**: The `timestamp.field` is set to both `TIMESTAMP` and `LOGOFF_TIME`.

5. **Unique Identifier Fields**: These include `TIMESTAMP`, `SID`, `ENTRYID`, and `LOGOFF_TIME`.

6. **Additional Data Configuration**:

  • Enabled: Yes

  • Catalog queries are defined to fetch action names from `audit_actions` with associated actions.

  • Custom fields for additional data in the query are not specified but can be configured based on specific needs or default values.

7. **Event Mapping**: The script maps event details such as message, event name, and device action. Vendor information (`__getVendo`) is retrieved dynamically.

This configuration file is tailored to configure auditing settings for Oracle databases, ensuring that detailed audit trails are captured accurately, including session details and extended logoff times if applicable.

The provided text outlines the structure of an event being logged by Oracle, detailing various attributes and their corresponding labels as well as defining severity ranges for different levels (veryhigh, high, medium, low) based on a device severity value that includes codes such as 1034, 12154, etc. The text also mentions extra queries to gather additional information about the instance, including host name and version from the `V$Instance` table.
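A polling query with the shape described in items 2, 3, 5 and 6 above, as an added illustration that is not the query shipped in the FlexConnector package. The `:last_seen` bind, its sample value and the column aliases are assumptions; the column names are those of Oracle's `DBA_COMMON_AUDIT_TRAIL` view.

```sql
-- Added illustration, not the query shipped in the FlexConnector package.
-- :last_seen is a hypothetical SQL*Plus bind standing in for the
-- connector's checkpoint; the value assigned below is a constructed sample.
VARIABLE last_seen VARCHAR2(19)
EXEC :last_seen := '2025-04-09 00:00:00'

-- Version probe (item 2): succeeds only if the view exists and is readable.
SELECT COUNT(session_id) FROM dba_common_audit_trail WHERE ROWNUM = 1;

-- Main poll (item 3). The OR on logoff_time matters because Oracle rewrites
-- a session's LOGON row in place when the session ends, filling logoff_time
-- while extended_timestamp keeps the logon time. A filter on
-- extended_timestamp alone would never re-read that row. With logoff_time
-- in the unique key (item 5), the rewritten row differs from the one
-- already collected.
SELECT a.os_user,
       a.session_id                AS sid,
       a.extended_timestamp        AS "TIMESTAMP",
       a.logoff_time,
       a.object_schema,
       a.object_name,
       a.action,
       a.ses_actions,
       a.db_user,
       a.terminal,
       a.comment_text,
       a.statementid,
       a.entryid,
       a.returncode,
       a.priv_used,
       SUBSTR(a.sql_text, 1, 2000) AS sql_text
FROM   dba_common_audit_trail a
WHERE  a.extended_timestamp > TO_TIMESTAMP(:last_seen, 'YYYY-MM-DD HH24:MI:SS')
   OR  a.logoff_time        > TO_DATE(:last_seen, 'YYYY-MM-DD HH24:MI:SS')
ORDER  BY a.extended_timestamp;

-- Catalog lookup (item 6): numeric action code to readable name.
SELECT action, name FROM audit_actions ORDER BY action;

-- Extra query: instance host name and version.
SELECT host_name, version FROM v$instance;
```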

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
