DCAP Central RDS integration

DCAP Central supports Oracle RDS DBaaS and merges logs from this platform into the existing DCAP Central data models and workflows. All reports, workflows and applications then support RDS databases.

RDS-Oracle Setup for DCAP Central Integration

This document assumes an Oracle DB is already running on RDS. Follow these steps during your implementation:

  • The security group and access privileges allow the DCAP Central machine to access your Oracle-RDS instance.
  • The audit trail is set to “XML,EXTENDED” for your instances. This is done using parameter groups.

Consult the RDS documentation on how this is enabled. In the simple case you need to:

  1. Create a parameter group if you do not already have one: Go to “Parameter Groups”. Click “Create Parameter Group” and select the relevant Type for the DB created (for example: oracle-se1-11.2). Provide a name and description. Click “Create”.
  2. Associate the new group with the DB created: Go to the “Instances” tab. Select the DB and, under “Instance Actions”, select “Modify”. Go to the “Database Options” and select the newly created “DB Parameter Group”. Click “Continue”. Click “Modify DB instance”. Wait until the status changes from “Applying” to “pending reboot”. Reboot the instance (“Instance Actions” –> “Reboot”) and click “Reboot”. Wait for the reboot to complete.
  3. Edit the parameter group: Select the Parameter Group associated with your DB (click “Edit Parameters”). Find the “Audit_trail” field and set it to: “XML,EXTENDED”. Click “Save Changes”. Reboot your DB instance for the changes to take effect.
  • Set audit for required actions/events using Oracle audit and FGA commands.

Consult Oracle documentation (e.g. http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_4007.htm#g2274817) on audit options, but here are a few simple examples:

SQL> audit all by access;
SQL> audit select any table by access;
SQL> audit update any table by access;
SQL> audit insert any table by access;
SQL> audit alter any table by access;
SQL> audit delete any table by access;
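
To confirm that the parameter group steps above actually took effect before configuring DCAP Central, the following added example (not part of DCAP Central or its documentation) checks saved AWS CLI output for the instance and its parameter group. The sample JSON, the instance name and the group name are constructed; the field names follow the output of `aws rds describe-db-instances` and `aws rds describe-db-parameters`.

```python
import json

# Constructed sample output (not from a real account), shaped like
# `aws rds describe-db-instances` and `aws rds describe-db-parameters`.
SAMPLE_INSTANCES = json.loads("""{"DBInstances": [{
  "DBInstanceIdentifier": "example-oracle-db",
  "DBParameterGroups": [{"DBParameterGroupName": "example-audit-params",
                         "ParameterApplyStatus": "pending-reboot"}]}]}""")
SAMPLE_PARAMETERS = json.loads("""{"Parameters": [
  {"ParameterName": "audit_trail", "ParameterValue": "XML,EXTENDED",
   "ApplyType": "static"}]}""")

REQUIRED = {"XML", "EXTENDED"}  # the audit_trail value this page calls for


def audit_trail_findings(instances, parameters, db_id):
    """Return a list of problems; an empty list means auditing is in effect."""
    findings = []
    db = next((d for d in instances.get("DBInstances", [])
               if d.get("DBInstanceIdentifier") == db_id), None)
    if db is None:
        return [f"instance {db_id} not found"]

    for g in db.get("DBParameterGroups", []):
        name = g.get("DBParameterGroupName", "")
        if name.startswith("default."):
            # Default groups are read-only, hence step 1 (create a group).
            findings.append(f"{name}: default groups cannot be edited")
        status = g.get("ParameterApplyStatus")
        if status != "in-sync":
            # A static parameter is not active until the reboot completes.
            findings.append(f"{name}: status {status}, reboot not completed")

    value = next((p.get("ParameterValue") or ""
                  for p in parameters.get("Parameters", [])
                  if p.get("ParameterName", "").lower() == "audit_trail"), "")
    tokens = {t.strip().upper() for t in value.split(",") if t.strip()}
    missing = REQUIRED - tokens
    if missing:
        findings.append(f"audit_trail={value!r}, missing {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for line in audit_trail_findings(SAMPLE_INSTANCES, SAMPLE_PARAMETERS,
                                     "example-oracle-db") or ["OK"]:
        print(line)
```

On the constructed sample the check reports the group as still “pending-reboot”, which is the state in which the new audit_trail value has been saved but is not yet being applied.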

Configure DCAP Central RDS options

To download the log files, DCAP Central needs an AWS user with adequate credentials to use the AWS API and to download the logs (the “DownloadDBLogFilePortion” permission). DCAP Central uses this user’s “Access Key ID” and “Secret Access Key”.

Open the DCAP Central GUI and log in with a user that has admin permissions. Click on “cloud DBaaS”. Click on “Amazon AWS RDS”.

Select “+ Add RDS Instance”:

Fill in the information in the popup (type a name, select a region and fill in the key information) and click “Load RDS Instance”.

Select the DB-instance you wish to import logs from and click “+ Add RDS Instance”:

Once loaded, activate the instance using the “Enabled” control and watch the “status” indicator (it turns green once data is flowing).
