Infrastructure at your Service

Grégory Steulet

Oracle AVDF post-installation configuration

In one of my last blog, named: “Oracle Audit Vault and Database Firewall (AVDF) 12.1 – installation on VirtualBox” I explained how to install AVDF on VirtualBox. Since some of you asked for a blog on “How to configure AVDF”, I decided to write this posting on AVDF post-installation configuration. This one only concerns the post-installation phase, a third blog will be dedicated to practical cases concerning the configuration of Database Firewall Policies.

Specifying the Audit Vault Server Certificate and IP Address

You must associate each Database Firewall with an Audit Vault Server by specifying the server’s certificate and IP address, so that the Audit Vault Server can manage the firewall. If you are using a resilient pair of Audit Vault Servers for high availability, you must associate the firewall to both servers.

1. Log in to the Audit Vault Server as an administrator, and then click the Settings tab.
2. In the Security menu, click Certificate. The server’s certificate is displayed.

avdf001.png

3. Copy the server’s certificate.
4. Log in to the Database Firewall administration console
5. In the System menu, click Audit Vault Server.
6. Enter the IP Address of the Audit Vault Server.
7. Paste the Audit Vault Server’s Certificate in the next field.

avdf002.png

8.  Click Apply.

Registering Oracle Secured Target

Ensure That Auditing Is Enabled in the Oracle Secured Target

[email protected]:/home/oracle/ [DUMMY] SOUK
******** dbi services Ltd. ********
STATUS         : OPEN
DB_UNIQUE_NAME : SOUK
OPEN_MODE      : READ WRITE
LOG_MODE       : NOARCHIVELOG
DATABASE_ROLE  : PRIMARY
FLASHBACK_ON   : NO
FORCE_LOGGING  : NO
VERSION        : 11.2.0.3.0
***********************************
[email protected]:/home/oracle/ [SOUK] sqlplus "/as sysdba"SQL*Plus: Release 11.2.0.3.0 Production on Sun Sep 15 22:35:49 2013Copyright (c) 1982, 2011, Oracle.¬† All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit ProductionSQL>SQL>
SQL> SHOW PARAMETER AUDIT_TRAILNAME                                 TYPE        VALUE
------------------------------------ ----------- ---------------------------
audit_trail                          string      DB

 

If the output of the SHOW PARAMETER command is NONE or if it is an auditing value that you want to change, then you can change the setting as follows.For example, if you want to change to XML, and if you are using a server parameter file, you would enter the following:

SQL> ALTER SYSTEM SET AUDIT_TRAIL=XML SCOPE=SPFILE;
SQL> SHUTDOWN IMMEDIATE;
SQL> STARTUP;

Registering Hosts in the Audit Vault Server

1. Log in to the Audit Vault Server console as an administrator.
2. Click the Hosts tab. A list of the registered hosts, if present, appears in the Hosts page. To control the view of this list see “Working With Lists of Objects in the UI”.
3. Click Register.
4. Enter the Host Name and Host IP address.

avdf003.png

5. Click Save.

Deploying and Activating the Audit Vault Agent on Secured Target Hosts

1. Log in to the Audit Vault Server console as an administrator.
2. Click the Hosts tab, and then from the Hosts menu, click Agent.
3. Click ‚ÄúDownload Agent‚ÄĚ and save the agent.jar file to a location of your choice.

avdf004.png

4. Using an OS user account, copy the agent.jar file to the secured target’s host computer.
5. On the host machine, set JAVA_HOME to the installation directory of the jdk1.6 (or higher version), and make sure the java executable corresponds to this JAVA_HOME setting.

avdf005.png

6. Start a command prompt with Run as Administrator. In the directory where you placed the agent.jar file, extract it by running:

java -jar agent.jar -d Agent_Home

avdf006.png

Request agent Activation

To request activation of the Audit Vault Agent:

1. On the secured target host computer, go to the following directory:

Agent_Home/bin

2. Agent_Home is the directory created in the step 7 above.  Run the following command:

./agentctl activate

avdf007.png

Activate and Start the Agent

In this step, you approve the agent activation request in the Audit Vault Server, then start the agent on the secured target host machine.To activate and start the agent:

1. Log in to the Audit Vault Server console as an administrator.
2. Click the Hosts tab.
3. Select the host you want to activate, and then click Activate.

avdf008.png

This will generate a new activation key under the Agent Activation Key column.You can only activate a host if you have completed the procedures in Step 1: Deploy the Audit Vault Agent on the Host Machine. Otherwise the Agent Activation Status for that host will be No Request.

4. Change directory as follows:

cd Agent_Home/bin

Agent_Home is the directory created in the step 7 above.

5. On the secured target host machine, run the following command and provide the activation key from Step 3:

./agentctl start -k key

Note: the -k argument is not needed after the initial agentctl start command.

avdf009.png

avdf010.png

Stopping and Starting the Audit Vault Agent

To stop or start the Audit Vault Agent after initial activation and start, run one of the following commands from the Agent_Home/bin directory on the secured target host machine:

./agentctl stop

./agentctl start

Changing the Logging Level for the Audit Vault Agent

The logging level you set affects the amount of information written to the log files. You may need to take this into account for disc space limitations.The following logging levels are listed in the order of amount of information written to log files, with debug providing the most information:

  • error – Writes only error messages
  • warn – (Default) Writes warning and error messages
  • info – Writes informational, warning, and error messages
  • debug – Writes detailed messages for debugging purposes

To change the logging level for an Audit Vault Agent:

1. Ensure that you are logged into AVCLI on the Audit Vault Server.
2. Run the ALTER HOST command. The syntax is as follows:

ALTER HOST host_name SET LOGLEVEL=av.agent:log_level     

In this specification:

  • ¬†host_name: The name of the host where the Audit Vault Agent is deployed.
  • ¬†log_level: Enter a value of info, warn, debug, or error.

Registering Secured Targets

1. If you will collect audit data from a secured target, do stored procedure auditing (SPA), entitlements auditing, or enable database interrogation, create a user account on the secured target, with the appropriate privileges to allow Oracle AVDF to access the required data.

Setup scripts: Scripts are available to configure user account privileges for these secured target types:- “Oracle Database Setup Scripts”

  • “Sybase ASE Setup Scripts”
  • “Microsoft SQL Server Setup Scripts”
  • “IBM DB2 for LUW Setup Scripts”
  • “MySQL Setup Scripts”
  • “Sybase SQL Anywhere Setup Scripts”

Linux secured targets: Assign the Oracle AVDF user to the log_group parameter in the Linux /etc/audit/auditd.conf configuration file. This user must have execute permission on the folder that contains the audit.log file (default folder is /var/log/audit).

Other types of secured targets: You must create a user that has the appropriate privileges to access the audit trail required. For example, for a Windows secured target, this user must have administrative permissions in order to read the security log.

Note: Oracle AVDF does not accept user names with quotation marks. For example, “JSmith” would not be a valid user name for an Audit Vault and Database Firewall user account on secured targets.

avdf011.png

2. Log in to the Audit Vault Server console as an administrator.
3. Click the Secured Targets tab. The Secured Targets page lists the configured secured targets to which you have access. You can sort or filter the list of targets. See “Working With Lists of Objects in the UI”.
4. Click Register, and in the Register Secured Target page, enter a name and description for the new target.
5. In the Secured Target Location field, enter the connect string for the secured target.¬†¬†¬†¬†¬† See “Secured Target Locations (Connect Strings)” for the connect string format for a specific secured target type. For example, for Oracle Database, the string might look like the following:

jdbc:oracle:thin:@//HOSTNAME:PORT/SERVICE_NAME

6. In the Secured Target Type field, select the secured target type, for example, Oracle Database.
7. In the User Name, Password, and Re-enter Password fields, enter the credentials for the secured target user account you created in Step 1.
8. If you will monitor this secured target with a Database Firewall, in the Add Secured Target Addresses area, for each available connection of this database enter the following information, and then click Add.

  • IP Address (or Host Name)
  • Port Number
  • Service Name (Oracle Database only)

9. If required, enter values for Attribute Name and Attribute Value at the bottom of the page, and click Add. Collection attributes may be required by the Audit Vault Agent depending on the secured target type. See “Collection Attributes” to look up requirements for a specific secured target type.
10. If you will monitor this secured target with a Database Firewall, you can increase the processing resource for this secured target by adding the following Collection Attribute:

  • Attribute Name: MAXIMUM_ENFORCEMENT_POINT_THREADS
  • Attribute Value: A number between 1 – 16 (default is 1)

This defines the maximum number of Database Firewall processes (1 – 16) that may be used for the enforcement point associated with this secured target. You should consider defining this if the number of secured targets you are monitoring is less than the number of processing cores available on the system running the Database Firewall. Setting a value when it is not appropriate wastes resources.

avdf012.png

11. Click Save.

Configuring an Audit Trail in the Audit Vault Server

In order to start collecting audit data, you must configure an audit trail for each secured target in the Audit Vault Server, and then start the audit trail collection manually. Before configuring an audit trail for any secured target, you must:

  • Add the secured target in the Audit Vault Server. See “Registering or Removing Secured Targets in the Audit Vault Server” for details.
  • Register the secured target host machine and deploy and activate the agent on that machine. See “Registering Hosts”.

This procedure assumes that the Audit Vault Agent is installed on the same computer as the secured target.

To configure an audit trail for a secured target:

1. Log in to the Audit Vault Server console as an administrator.
2. Click the Secured Targets tab.
3. Under Monitoring, click Audit Trails. The Audit Trails page appears, listing the configured audit trails and their status.
4. In the Audit Trails page, click Add.
5. From the Collection Host drop-down list, select the host computer of the secured target.
6. From the Secured Target Name drop-down list, select the secured target’s name.
7. From the Audit Trail Type drop-down list, select one of the following:

  • CUSTOM
  • DIRECTORY
  • EVENT LOG
  • NETWORK
  • SYSLOG
  • TABLE
  • TRANSACTION LOG

See Table B-13 for details on which type(s) of audit trails can be collected for a specific secured target type, and “Data Collected for Each Audit Trail Type” for descriptions of data collected.

8. In the Trail Location field, enter the location of the audit trail on the secured target computer, for example, sys.aud$.¬†¬†¬†¬†¬† The trail location depends on the type of secured target. See “Audit Trail Locations” for supported trail locations.¬†¬†¬†¬†¬† Note: If you selected DIRECTORY for Audit Trail Type, the Trail Location must be a directory mask.
9. If you have deployed plug-ins for this type of secured target, select the plug-in in the Collection Plug-in drop-down list. For more information on plug-ins, see “About Agent Plug-ins”.

avdf013.png

10. Click Save.

Starting and Stopping Audit Trails in the Audit Vault Server

To start or stop audit trail collection for a secured target:

1. Log in to the Audit Vault Server console as an administrator.
2. Click the Secured Targets tab.
3. Click Audit Trails.
4. Select the audit trail(s) you want to start or stop, and then click Start or Stop. avdf014.png

I very do hope that this blog will help you delpoying AVDF. Do not hesitate to post comments if you have any questions.

11 Comments

  • Bharath Mahadeva says:

    Hi,
    What is the directory mask that needs to be set as trail location for DIRECTORY audit trail type ? can u give me an example of the same

  • This is a nice blog! I read this and find so many information about Oracle audit. This blog includes the information about how to secure our database content from any malicious attack. It is all about that how, when and who access your database for what purpose.

  • Arnaud says:

    Hi Dear ,
    Thanks a lot , but I get a problem during the installation of the agent . See the error :
    [[email protected] bin]# ./agentctl activate
    The activate command has been deprecated.
    [[email protected] bin]#
    I dont know to find the issue.
    Regards,
    Arnaud

  • Tabita says:

    Hi Guys

    Please help. I am a newbie.
    When you create the DB user that collects the audit trails. Which permission do you grant.?
    I have granted CONNECT, SELECT_CATALOG_ROLE.
    However, it is failing to collect.

  • abhishek says:

    my setup is
    avdf server .12R2
    database server : 12r2
    Audit trail set to pure unified audit trail
    Audit Trails showing in avdf server –Stopped
    Stopped wiz12c2.com AUDSYS.AUD$UNIFIED TABLE wiz12c2 Oracle Database Status: Enabled
    Attempts: 2
    Last start: 28/04/2018 17:52:49

    my question is possible is audit on AUDSYS.AUD$UNIFIED through avd server

  • Siaka Kone says:

    I’m not able to use the avcli command.When I tape it,they say avcli is not a INTERNAL cammand .Otherwise they said avcli is installed successfully

  • Guru says:

    I’m sure if you still respond to question, but will post my question anyway.
    I’m having issue register the database. I’m using a VM, my AV, DF and database are all using the same VLAN 192.16X.56.XXX. When I tried to register the host by providing the host and the IP, it does not generate the Agent activation key. The Agent Status column shows: No request.

    Thanks in advance

  • Guru says:

    Nevermind my question. I was able to fix the issue by adding https:// in front of the IP address.

    Thanks!

  • fazla rabbi says:

    i am facing this error when start audit trail
    av.collector.FAILED_TO_GET_VALID_TEMPLATE_FILE
    can any onehave solution .
    Database version 12.2 and advf is 12.1.

  • Muhammad Shoaib says:

    Hi,

    Can I migrate old data from release AVDF 12.2.0.3 to 20.3? I have installed AVDF 20.3 and want to migrate old data into it.

    Regards,

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Grégory Steulet
Grégory Steulet

Chief Financial Officer (CFO) and Partner Manager
Delivery Manager