7 Enabling and Using Host Monitoring

About Host Monitoring

Host monitoring is designed for situations in which you have many small databases in a distributed environment and you want Oracle AVDF to monitor the SQL traffic to all of them centrally with one Database Firewall. It gives you flexibility in choosing the network point at which the traffic is captured, which helps, for example, when it is not easy to route the traffic through a bridge or to obtain it from a mirror port.

The host monitor captures the SQL traffic from the network card and sends it over the network to a Database Firewall. This SQL data is then available for reports generated by Oracle AVDF. Host monitoring is used only for monitoring SQL traffic (DAM mode) and cannot be used to block or substitute SQL statements.

To use host monitoring, you deploy the Audit Vault Agent on the host on which you want the host monitor to run, usually the database server itself. For larger databases, the SQL traffic captured by the host monitor adds to the network load of that server. In that case you can install the host monitoring software on a server other than the database server; you must then mirror the database server's traffic to the host monitor server with a SPAN (mirror) port.

You can use one Database Firewall to monitor multiple secured target databases on the same host using one host monitor installation. To do this, you create an enforcement point in DAM mode, and a NETWORK audit trail, for each secured target.

To monitor all network traffic for a secured target, the Oracle AVDF auditor must select a firewall policy that will log events, for example, Log Unique. See Oracle Audit Vault and Database Firewall Auditor's Guide for instructions.

Host monitoring is supported on Linux and Windows platforms, and can monitor any database supported by the Database Firewall. See Table B-1 for supported databases.

Installing and Enabling Host Monitoring

Prerequisites for Host Monitoring

The host monitor runs on Linux and Windows x86-64 platforms. The host monitor is not supported on 32-bit platforms. For additional details and the latest supported platform matrix, see Article 1536380.1 at the Oracle Support website: https://support.oracle.com

The host machine on which the host monitor will run must have the following libraries, which may be in any of the system default directories, such as /usr/lib, /lib, or /lib64 on a Linux system:

  • OpenSSL - Full version (not "Light"). See http://www.openssl.org/.

    • For Windows: OpenSSL 1.0.1c or higher

    • For Linux: OpenSSL 0.9.8i or higher

  • For Linux hosts: The libpcap library, version 0.9.4 or higher. See http://www.tcpdump.org/. Install the following packages on the host computer:

    • libpcap

    • libpcap-devel

    For example, on an Oracle Linux system execute the following command as root:

    yum -y install libpcap libpcap-devel

  • For Windows hosts: The WinPcap library, version 4.1.2 or higher. See http://www.winpcap.org/.

Step 1: Register the Computer that will Run the Host Monitor

To register a host in the Audit Vault Server, see "Registering Hosts in the Audit Vault Server".

Step 2: Deploy the Audit Vault Agent and Install the Host Monitor

Deploying the Agent and Host Monitor on Windows Hosts

For Windows hosts, the host monitor is automatically installed when the Audit Vault Agent is deployed. See "Deploying the Audit Vault Agent on the Host Computer".

See also: "Registering or Unregistering the Audit Vault Agent as a Windows Service".

Deploying the Agent and Host Monitor on Linux Hosts

Follow one of the procedures below depending on which version of Oracle AVDF you have installed:

Installing a Host Monitor in Oracle AVDF 12.1.2 on Linux Hosts

To install the Host Monitor:

  1. If you have not already done so, deploy the Audit Vault Agent. See "Deploying the Audit Vault Agent on the Host Computer".

  2. Log in as root and identify a root-owned directory on the local hard disk, such as /usr/local, where you will install the host monitor.

    Note: The entire directory hierarchy must be root-owned, and must not contain any directory with write permission for group or other users. A group- or world-writable directory in the path would let an unprivileged user replace the host monitor files that run as root.

  3. Log in to the Audit Vault Server console as an administrator, click the Hosts tab, and then click Agent.

  4. Click the Download button next to Host Monitor (Linux x86-64), and then save the .zip file to the root-owned directory (on the local hard disk) you identified in Step 2, for example /usr/local.

  5. As root user, unzip the host monitor file.

    This creates a directory named hm. This is your HM_Home directory, which in this example is /usr/local/hm.

  6. Ensure that the hostmonsetup file (in the hm directory) has execute permission.

  7. Run the following command:

    HM_Home/hostmonsetup install agenthome=Agent_Home agentuser=Agent_Username agentgroup=Agent_Group
    
    • HM_Home - The directory created in Step 5.

    • Agent_Home - Enter the Audit Vault Agent installation directory.

    • Agent_Username - Enter the username of the user who installed the Audit Vault Agent (the user who executed the java -jar agent.jar command).

    • Agent_Group - Enter the group to which the Agent_Username belongs.
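The following script is an added example and is not part of the Oracle AVDF documentation. It turns the prerequisites and the 12.1.2 install steps above into pre-flight checks: check_hm_path walks the install directory's parent chain and rejects any directory that is not root-owned or is group- or world-writable (the condition the note in step 2 requires), and hm_install wraps steps 5 to 7. It assumes /bin/sh, GNU coreutils (stat -c) and an rpm-based host for the libpcap check; the demonstration at the end runs against a constructed temp tree, not /usr/local, and does not run hostmonsetup.

```shell
#!/bin/sh
# Added example (not from the Oracle AVDF documentation): pre-flight checks
# for the Linux host monitor install. Assumes GNU coreutils (stat -c) and an
# rpm-based host for the libpcap check. hostmonsetup, the agent home and the
# agent user are only used by hm_install, which the demo below does not run.

# check_prereqs: OpenSSL present and the libpcap packages installed.
check_prereqs() {
    command -v openssl >/dev/null || { echo "openssl not found" >&2; return 1; }
    openssl version
    rpm -q libpcap libpcap-devel 2>/dev/null ||
        { echo "install with: yum -y install libpcap libpcap-devel" >&2; return 1; }
}

# check_hm_path DIR TOP [OWNER_UID]: walk from DIR up to and including TOP and
# fail on the first directory not owned by OWNER_UID (default 0 = root) or
# writable by group or other. For the real install: check_hm_path /usr/local /
check_hm_path() {
    p=$1; top=$2; owner=${3:-0}
    while :; do
        [ -d "$p" ] || { echo "not a directory: $p" >&2; return 1; }
        set -- $(stat -c '%u %a' "$p")            # numeric owner, octal mode
        [ "$1" = "$owner" ] ||
            { echo "$p is owned by uid $1, expected uid $owner" >&2; return 1; }
        [ $(( 0$2 & 022 )) -eq 0 ] ||
            { echo "$p (mode $2) is writable by group or other" >&2; return 1; }
        [ "$p" = "$top" ] && return 0
        [ "$p" = "/" ] && { echo "$top is not an ancestor of the directory" >&2; return 1; }
        p=$(dirname "$p")
    done
}

# hm_install HM_ZIP INSTALL_DIR AGENT_HOME AGENT_USER AGENT_GROUP: steps 5-7
# as one command. Must run as root; the zip unpacks into INSTALL_DIR/hm (HM_Home).
hm_install() {
    zip=$1; dest=$2
    [ "$(id -u)" -eq 0 ] || { echo "hm_install must run as root" >&2; return 1; }
    check_hm_path "$dest" / 0 || return 1
    unzip -q "$zip" -d "$dest" || return 1
    chmod u+x "$dest/hm/hostmonsetup" || return 1
    "$dest/hm/hostmonsetup" install agenthome="$3" agentuser="$4" agentgroup="$5"
}

# make_demo_tree: constructed directory trees for the demonstration and prints
# their parent. "good" is clean; in "bad", usr/local is group-writable.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/good/usr/local/hm" "$t/bad/usr/local/hm"
    chmod 755 "$t/good" "$t/good/usr" "$t/good/usr/local" "$t/good/usr/local/hm" \
              "$t/bad" "$t/bad/usr" "$t/bad/usr/local/hm"
    chmod 775 "$t/bad/usr/local"
    printf '%s\n' "$t"
}

# Demonstration: the checker accepts the clean chain and rejects the one with
# a group-writable component. The owner is the current uid, since the demo
# tree is not root-owned; on a real host leave the third argument out.
demo=$(make_demo_tree)
check_hm_path "$demo/good/usr/local/hm" "$demo/good" "$(id -u)" && echo "good tree accepted"
check_hm_path "$demo/bad/usr/local/hm" "$demo/bad" "$(id -u)" || echo "bad tree rejected"
rm -rf "$demo"
```

On a real host the call is check_hm_path /usr/local / before downloading the zip there; the 12.1.1 procedure needs the same check on the directory into which the two .zip files are unpacked.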

Installing a Host Monitor in Oracle AVDF 12.1.1 on Linux Hosts

To install the Host Monitor:

  1. If you have not already done so, deploy the Audit Vault Agent. See "Deploying and Activating the Audit Vault Agent on Host Computers".

  2. Log in as root and identify a root-owned directory on the local hard disk, such as /usr/local, where you will install the host monitor.

  3. Copy the two host monitor .zip files from the Agent_Home/stage/plugins directory, for example:

    agent-linux-x86-64-deps.zip
    agent-linux-x86-64-hmon.zip
    

    The file names should match your supported Linux platform.

  4. Place the copied files in the root-owned directory (on the local hard disk) that you identified in Step 2, and unzip them.

    This creates a directory named hm. This is your HM_Home directory, which in this example is /usr/local/hm.

  5. Ensure that the hostmonsetup file permissions include execute.

  6. Run the following command:

    HM_Home/hostmonsetup install agenthome=Agent_Home
    

Step 3: Create a Secured Target for the Host-Monitored Database

To create a secured target, see "Registering or Removing Secured Targets in the Audit Vault Server".

Step 4: Create an Enforcement Point in DAM Mode

You must create an enforcement point in the Audit Vault Server for each database that you will monitor remotely with a host monitor. This enforcement point must use Database Activity Monitoring (DAM) as the Monitoring Mode. See "Configuring Enforcement Points".

Step 5: Create a NETWORK Audit Trail

Create an audit trail for each secured target you are monitoring with a host monitor, specifying the following:

  • For Audit Trail Type, select NETWORK.

  • (AVDF 12.1.1 only) For Trail Location, enter NETWORK.

For instructions for adding audit trails see "Adding an Audit Trail in the Audit Vault Server".

Starting, Stopping, and Other Host Monitor Operations

Starting the Host Monitor

Starting the host monitor consists of starting collection for the NETWORK audit trail on the host you are monitoring.

To start the host monitor from the Audit Vault Server console:

  1. Log in to the Audit Vault Server console as an administrator.

  2. Start the audit trail(s) you created for host monitoring in "Step 5: Create a NETWORK Audit Trail".

    See "Stopping and Starting Audit Trails in the Audit Vault Server".

Stopping the Host Monitor

To stop the host monitor, stop the audit trail you created for the secured target that is being monitored. See "Stopping and Starting Audit Trails in the Audit Vault Server".

Changing the Logging Level for a Host Monitor

See "Changing the Logging Level for the Audit Vault Agent".

Checking the Status of a Host Monitor Audit Trail

To check the status of a host monitor:

  1. Log in to the Audit Vault Server console as an auditor.

  2. Click the Secured Targets tab, and then from the Monitoring menu, click Audit Trails.

    The collection status of a host monitor audit trail is listed in the Audit Trails page. A host monitor audit trail has NETWORK in the Audit Trail Type column.

Uninstalling the Host Monitor (Linux Hosts Only)

This procedure applies to Linux hosts only. On Windows hosts the host monitor is installed and removed together with the Audit Vault Agent, so there is no separate install or uninstall step.

Uninstalling Host Monitor Versions 12.1.1 BP2 and Later

To uninstall a host monitor:

  1. Log in to the host computer as root.

  2. From the HM_Home directory (the hm directory from which you ran hostmonsetup install) run the following command:

    hostmonsetup uninstall

Uninstalling Host Monitor Versions 12.1.1 BP1 and Earlier

To uninstall a host monitor:

  1. Log in to the host computer as root.

  2. From the Agent_Home/bin/ directory run the following command:

    hostmonsetup uninstall

Updating the Host Monitor (Linux Hosts Only)

As of Oracle AVDF 12.1.2, when you update the Audit Vault Server to a future release, the host monitor is automatically updated.

If your current release is prior to 12.1.2, refer to the README included with upgrade software or patch updates for instructions on how to update the host monitor.

Information on downloading upgrade software is detailed in Oracle Audit Vault and Database Firewall Installation Guide.

Using Certificate-based Authentication for the Host Monitor

By default, the Database Firewall accepts a host monitor connection after checking only the originating IP address of the host.

If you want the additional security of using certificate-based authentication for the host monitor, follow these procedures after the host monitor is installed:

Requiring a Signed Certificate for Host Monitor Connections to the Firewall

To require a signed certificate for host monitor connections:

  1. Stop the host monitor if it is running.

    See "Stopping the Host Monitor".

  2. At the Database Firewall, log in as root, and run the following commands:

    cp /usr/local/dbfw/etc/controller.crt /usr/local/dbfw/etc/fw_ca.crt
    chown dbfw:dbfw /usr/local/dbfw/etc/fw_ca.crt
    chmod 400 /usr/local/dbfw/etc/fw_ca.crt
    
  3. Run the following command to restart the monitor process:

    /etc/init.d/monitor restart

Getting a Signed Certificate from the Audit Vault Server

Follow this procedure for each host running host monitor. The host monitor should already be installed.

To get a signed certificate from the Audit Vault Server:

  1. Log in to the Audit Vault Server as root.

  2. Go to the directory /usr/local/dbfw/etc.

  3. Run the following two commands:

    openssl genrsa -out hmprivkey.perm 2048
    openssl req -new -key hmprivkey.perm -out hmcsr.csr -subj "/CN=Hostmonitor_Cert_hostname/"
    

    Replace hostname with the name of the host machine on which the Audit Vault Agent (and the host monitor) is installed.

  4. To generate one signed certificate, run the following command:

    /usr/local/dbfw/bin/generate_casigned_hmcert.sh

    The signed certificate file hmcert.crt is generated in the directory /usr/local/dbfw/etc.

  5. Copy the following files from the Audit Vault Server to the Agent_Home/hm directory on the host machine where the Audit Vault Agent is installed:

    /usr/local/dbfw/etc/hmcert.crt
    /usr/local/dbfw/etc/hmprivkey.perm
    
  6. (Linux Hosts Only) As root, run the following commands:

    chown root:root Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
    chmod 400 Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
    
  7. (Windows Hosts Only) Ensure that the files hmcert.crt and hmprivkey.perm have Agent user ownership and appropriate permissions to prevent unwanted user access.

  8. Start the host monitor to capture network traffic. See "Starting the Host Monitor".

  9. Repeat this procedure for every host running host monitor.
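The script below is an added example, not part of the Oracle AVDF documentation. It reproduces the key and CSR commands from step 3 with openssl and adds the checks worth running before hmcert.crt and hmprivkey.perm are copied to the agent host: that the certificate chains to the CA the firewall trusts (the controller.crt copied to fw_ca.crt in the previous procedure), that its subject follows the Hostmonitor_Cert_hostname convention, that the private key matches the certificate, and that the copied files end up with mode 400 as step 6 requires. The firewall's controller.crt and generate_casigned_hmcert.sh are not available here, so a self-signed CA built in a temp directory stands in for both (constructed for the demonstration). It assumes /bin/sh, OpenSSL 1.0.2 or later and GNU coreutils (stat -c).

```shell
#!/bin/sh
# Added example (not from the Oracle AVDF documentation). A self-signed CA
# stands in for the firewall CA (controller.crt / fw_ca.crt) and sign_hm_csr
# stands in for generate_casigned_hmcert.sh. Assumes OpenSSL 1.0.2+ and
# GNU coreutils (stat -c).

# make_stand_in_ca DIR: self-signed CA playing the role of the firewall CA.
make_stand_in_ca() {
    d=$1; mkdir -p "$d"
    # Minimal req config so the CA certificate carries CA:TRUE, which
    # openssl verify requires of a v3 issuer.
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
        '[dn]' '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' > "$d/ca.cnf"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$d/ca.key" -config "$d/ca.cnf" -days 1 \
        -subj "/CN=Stand-in Firewall CA" -out "$d/ca.crt"
}

# make_hm_csr DIR HOST: the two openssl commands from step 3, with HOST
# substituted into the CN as the procedure instructs.
make_hm_csr() {
    d=$1; host=$2; mkdir -p "$d"
    openssl genrsa -out "$d/hmprivkey.perm" 2048 2>/dev/null &&
    openssl req -new -key "$d/hmprivkey.perm" -out "$d/hmcsr.csr" \
        -subj "/CN=Hostmonitor_Cert_$host"
}

# sign_hm_csr DIR CAKEY CACRT: stand-in for generate_casigned_hmcert.sh;
# writes DIR/hmcert.crt signed by the CA.
sign_hm_csr() {
    d=$1
    openssl x509 -req -in "$d/hmcsr.csr" -CA "$3" -CAkey "$2" -CAcreateserial \
        -days 365 -out "$d/hmcert.crt" 2>/dev/null
}

# verify_hm_cert CERT KEY CACRT HOST: chain, subject and key-pair checks.
verify_hm_cert() {
    cert=$1; key=$2; ca=$3; host=$4
    # 1. The certificate must chain to the CA the firewall trusts (fw_ca.crt).
    out=$(openssl verify -CAfile "$ca" "$cert" 2>&1)
    case $out in
        *": OK"*) ;;
        *) echo "chain check failed: $out" >&2; return 1 ;;
    esac
    # 2. The subject must follow the Hostmonitor_Cert_hostname convention.
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed 's/^subject= *//')
    [ "$subj" = "CN=Hostmonitor_Cert_$host" ] ||
        { echo "unexpected subject: $subj" >&2; return 1; }
    # 3. The private key copied to the agent must belong to this certificate.
    [ "$(openssl x509 -noout -modulus -in "$cert")" = \
      "$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
    return 0
}

# check_hm_file_perms FILE: step 6 requires mode 400 on both files.
check_hm_file_perms() {
    f=$1
    set -- $(stat -c '%U %a' "$f")
    [ "$2" = "400" ] ||
        { echo "$f: mode $2 (owner $1), expected 400" >&2; return 1; }
}

# Demonstration on a constructed temp tree: "fw" plays the firewall, "agent"
# the host monitor machine (host name dbhost01 is made up for the demo).
work=$(mktemp -d)
make_stand_in_ca "$work/fw" || exit 1
make_hm_csr "$work/agent" dbhost01 || exit 1
sign_hm_csr "$work/agent" "$work/fw/ca.key" "$work/fw/ca.crt" || exit 1
verify_hm_cert "$work/agent/hmcert.crt" "$work/agent/hmprivkey.perm" \
    "$work/fw/ca.crt" dbhost01 && echo "hmcert.crt verified for dbhost01"
chmod 400 "$work/agent/hmcert.crt" "$work/agent/hmprivkey.perm"
check_hm_file_perms "$work/agent/hmprivkey.perm" && echo "permissions OK"
rm -rf "$work"
```

On the real systems, run verify_hm_cert on the Audit Vault Server with /usr/local/dbfw/etc/hmcert.crt, hmprivkey.perm and a copy of the firewall's fw_ca.crt before step 5, and check_hm_file_perms on the agent host after step 6; a certificate that fails the chain check will be rejected by the firewall once fw_ca.crt is in place, so catching it here saves a round of log reading.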