1 Introducing Oracle Audit Vault and Database Firewall

Downloading the Latest Version of This Manual

You can download the latest version of this manual from the following website:

http://www.oracle.com/pls/topic/lookup?ctx=avdf121

You can find documentation for other Oracle products at the following website:

http://docs.oracle.com

Supported Platforms

See Oracle Audit Vault and Database Firewall Installation Guide for detailed platform support for the current release.

In addition, you can find platform information for prior releases in Article 1536380.1 at the following website:

https://support.oracle.com

Understanding System Features and Concepts

About Audit Vault and Database Firewall

Oracle Audit Vault and Database Firewall (AVDF) secures databases and other critical components of IT infrastructure (such as operating systems) in these key ways:

  • Provides a database firewall that can monitor activity and/or block SQL statements on the network based on a firewall policy.

  • Collects audit data, and makes it available in audit reports.

  • Provides dozens of built-in, customizable activity and compliance reports, and lets you proactively configure alerts and notifications.

This section provides a brief overview of the administrative and auditing features of Oracle AVDF.

Oracle AVDF auditing features are described in detail in Oracle Audit Vault and Database Firewall Auditor's Guide.

System Requirements

For complete hardware and software requirements, refer to the AVDF pre-installation requirements in Oracle Audit Vault and Database Firewall Installation Guide.

Supported Secured Targets

A secured target is a database or nondatabase product that you secure using either the Audit Vault Agent, the Database Firewall, or both. If the secured target is a database, you can monitor or block its incoming SQL traffic with the Database Firewall. If the secured target, whether or not it is a database, is supported by the Audit Vault Agent, you can deploy the agent on that target's host computer and collect audit data from the internal audit trail tables and operating system audit trail files.

Oracle AVDF supports various secured target products out of the box in the form of built-in plug-ins. See the following for information about plug-ins and currently supported secured target versions:

You can also create custom plug-ins to capture audit trails from more secured target types using the Oracle AVDF SDK. For information about the SDK, see Oracle Audit Vault and Database Firewall Developer's Guide.

Oracle AVDF also supports Oracle Big Data Appliance as a secured target. For details, see Oracle Big Data Appliance Owner's Guide.

Administrative Features

Oracle AVDF administrative features allow an administrator to configure and manage the following:

  • Secured Targets and their host computers

  • Database Firewalls

  • High Availability

  • Third party integrations

  • Audit Vault Agent deployment

  • Audit trail collection

  • Audit data lifecycle, archiving, and purging

Auditing Features

Oracle AVDF auditing features allow an auditor to configure and manage the following:

  • Firewall policies

  • Audit policies for Oracle Database

  • Reports and report schedules

  • Entitlement auditing for Oracle Database

  • Stored procedure auditing

  • Alerts and email notifications

See Oracle Audit Vault and Database Firewall Auditor's Guide for detailed information on these auditing features.

Integrations With Third-Party Products

You can integrate Oracle AVDF with the following third-party products:

  • BIG-IP Application Security Manager (ASM): This product from F5 Networks, Inc. is an advanced Web Application Firewall (WAF) that provides comprehensive edge-of-network protection against a wide range of Web-based attacks. It analyzes each HTTP and HTTPS request, and blocks potential attacks before they reach the Web application server. For more information, see Chapter 9, "Configuring Integration with BIG-IP ASM."

  • ArcSight Security Information Event Management (SIEM): This product is a centralized system for logging, analyzing, and managing syslog messages from different sources. For more information, see Chapter 10, "Configuring Integration with ArcSight SIEM."

Overview of the Oracle AVDF Component Architecture

Components of Oracle AVDF

How Oracle AVDF Components Work Together

Oracle AVDF includes the Audit Vault Server, the Database Firewall, and the Audit Vault Agent. Figure 1-1 provides a high-level overview of how these components work together.

Figure 1-1 Audit Vault and Database Firewall Architecture


The process flow for the Audit Vault and Database Firewall components is as follows:

  1. For each secured target, the Audit Vault Agent is deployed, and/or the Database Firewall is placed in the network and configured to protect that target.

    If the agent is deployed, Oracle AVDF is configured to collect the appropriate audit trail from the secured target. If the Database Firewall is protecting the target, a firewall policy is applied for that target.

    You can configure multiple secured targets from different database product families, as well as nondatabase products, using the same Audit Vault Server.

  2. The Audit Vault Agent retrieves the audit data from secured targets and sends this data to the Audit Vault Server.

    The Database Firewall monitors SQL traffic to database secured targets and sends data to the Audit Vault Server according to a firewall policy. The firewall can be configured to monitor and raise alerts only, or to block SQL traffic and optionally substitute statements according to a policy.

  3. The Audit Vault Server stores the Oracle AVDF configuration data, and the collected audit data, in its internal data warehouse.

  4. Once the audit data is in the data warehouse, an auditor can generate and customize reports, as well as configure email notifications, on the Audit Vault Server.

The Audit Vault Server

The Audit Vault Server contains the tools necessary to configure Audit Vault and Database Firewall components, and to collect audit data from, and apply firewall policies to, your secured targets. Any settings that you, the administrator, create, such as security settings, are contained in this server.

The Audit Vault Server also contains an Oracle database, and makes it available to reporting tools through a data warehouse.

This embedded Oracle Database has Database Vault automatically enabled and configured. Database Vault provides greater security by restricting access to sensitive areas of the Oracle Database for any user, including those with administrative access.

Note:

You should not attempt to administer or set password policies for the Oracle Database embedded in the Audit Vault Server.

The Audit Vault Server provides the following services:

  • Audit data collection and lifecycle management

  • Audit Vault Agent management

  • Database Firewall management

  • Audit and firewall policy management

  • Alerting and notification management

  • User entitlement auditing

  • Stored procedure auditing (SPA)

  • Reporting

  • Archiving data

  • High availability mode

  • Published data warehouse schema that can be used with reporting tools such as Oracle Business Intelligence Publisher to create customized reports

  • User access management

  • Third party integrations

The Database Firewall

The Database Firewall is a dedicated server that runs the Database Firewall software. Each Database Firewall monitors SQL traffic on the network from database clients to secured target databases. The Database Firewall then sends SQL data, according to a defined firewall policy, to the Audit Vault Server to be analyzed and presented in reports.

An Oracle AVDF auditor can create firewall policies that define rules for how the Database Firewall handles SQL traffic to the database secured target. The firewall policy specifies the types of alerts to be raised in response to specific types of SQL statements, and when to log specific statements. The policy also specifies when to block potentially harmful statements, and optionally substitute harmless SQL statements for blocked statements. To do this, the Database Firewall can operate in one of two monitoring modes:

  • DPE Mode: Database Policy Enforcement. When in this mode, the Database Firewall applies rules in a firewall policy to monitor SQL traffic to your secured target database and raise alerts, block traffic, and/or substitute benign SQL statements for potentially destructive ones.

  • DAM Mode: Database Activity Monitoring. When in this mode, the Database Firewall applies rules in a firewall policy to monitor and raise alerts about potentially harmful SQL traffic to your secured target database, but it does not block or substitute SQL statements.

In order to control how the Database Firewall protects a database secured target, you configure enforcement points for each secured target. The enforcement point specifies whether the firewall operates in DPE or DAM mode, which firewall policy to apply to the secured target, and other settings. For more information, see "Configuring Enforcement Points".
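As an added illustration (not Oracle AVDF code; the Database Firewall's own SQL classification engine is not described in this chapter), the following Python models the interaction described above: one firewall policy with alert, log, block and substitute rules, evaluated under an enforcement point in DPE mode and again in DAM mode. The rule patterns, the substitute statement and the sample SQL are constructed for this example.

```python
"""Simplified model of a firewall policy applied through an enforcement point.

Hypothetical rules match statement text with a regular expression and carry one
of the actions the chapter names. The enforcement point mode decides whether
block/substitute actions are enforced (DPE) or downgraded to alerts (DAM).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

DPE = "DPE"  # Database Policy Enforcement: alert, log, block, substitute
DAM = "DAM"  # Database Activity Monitoring: alert and log only


@dataclass
class Rule:
    pattern: str                      # constructed regex over the statement text
    action: str                       # "alert", "log", "block" or "substitute"
    substitute: Optional[str] = None  # benign statement sent instead when substituting


@dataclass
class EnforcementPoint:
    mode: str
    policy: List[Rule]


@dataclass
class Verdict:
    forwarded: str   # what the database actually receives ("" if dropped)
    alert: bool
    logged: bool
    blocked: bool


def evaluate(ep: EnforcementPoint, statement: str) -> Verdict:
    """Apply the first matching rule, honouring the enforcement point mode."""
    for rule in ep.policy:
        if not re.search(rule.pattern, statement, re.IGNORECASE):
            continue
        if rule.action == "log":
            return Verdict(statement, alert=False, logged=True, blocked=False)
        if rule.action == "alert":
            return Verdict(statement, alert=True, logged=True, blocked=False)
        # block / substitute: in DAM mode the statement is only alerted on
        if ep.mode == DAM:
            return Verdict(statement, alert=True, logged=True, blocked=False)
        if rule.action == "substitute" and rule.substitute:
            return Verdict(rule.substitute, alert=True, logged=True, blocked=True)
        return Verdict("", alert=True, logged=True, blocked=True)
    # no rule matched: pass through without logging
    return Verdict(statement, alert=False, logged=False, blocked=False)


# Constructed sample policy: drop of any table is substituted with a harmless
# query, a DELETE with no WHERE clause is blocked, GRANTs raise an alert,
# and ordinary SELECTs are logged only.
SAMPLE_POLICY = [
    Rule(r"^\s*DROP\s+TABLE\b", "substitute", "SELECT 1 FROM DUAL WHERE 1 = 0"),
    Rule(r"^\s*DELETE\s+FROM\s+\w+(\.\w+)?\s*;?\s*$", "block"),
    Rule(r"^\s*GRANT\s", "alert"),
    Rule(r"^\s*SELECT\s", "log"),
]


def compare_modes(statement: str) -> dict:
    """Return the verdict for one statement under DPE and under DAM."""
    return {
        DPE: evaluate(EnforcementPoint(DPE, SAMPLE_POLICY), statement),
        DAM: evaluate(EnforcementPoint(DAM, SAMPLE_POLICY), statement),
    }


if __name__ == "__main__":
    for sql in ("DROP TABLE hr.employees",
                "DELETE FROM hr.employees",
                "DELETE FROM hr.employees WHERE id = 7",
                "GRANT DBA TO app_user",
                "SELECT * FROM hr.employees"):
        for mode, v in compare_modes(sql).items():
            print(f"{mode} {sql!r:45} -> blocked={v.blocked} alert={v.alert} "
                  f"forwarded={v.forwarded!r}")
```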

The Database Firewall can be placed in your network in various ways: inline, out of band, or configured as a proxy. For more information, see:

The Audit Vault Agent

The Audit Vault Agent retrieves the audit trail data from a secured target database and sends it to the Audit Vault Server. If the Audit Vault Agent is stopped, then the secured target database will still create an audit trail (assuming auditing is enabled). The next time you restart the Audit Vault Agent, the audit data that had been accumulating since the Audit Vault Agent was stopped is retrieved.

You configure one Audit Vault Agent for each host and one or more audit trails for each individual secured target database. For example, if a host contains four databases, then you would configure one Audit Vault Agent for that host and one or more audit trails for each of the four databases. The number and type of audit trails that you configure depends on the secured target database type and the audit trails that you want to collect from it. See Table B-13 for information on the types of audit trails that can be configured for each secured target type.

You can create the Audit Vault Agent on one computer and manage multiple audit trails from there. For example, suppose you have 2 secured target databases on 2 servers. You must configure an audit trail for each of these secured target databases, but you do not need to configure an Audit Vault Agent on each of the 2 servers. Instead, just create one Audit Vault Agent to manage the 2 audit trails. Be aware, however, that for Oracle Databases, you cannot use a remote Audit Vault Agent to collect audit data from users who have logged in with the SYSDBA or SYSOPER privilege, because that audit trail is written to the local file system and the agent therefore needs file system access on the database host.

The Audit Vault Agent also contains Host Monitor capability, which enables AVDF to directly monitor SQL traffic in a database. This can be useful for monitoring many small databases centrally. See "Enabling and Using Host Monitoring" for detailed information.

For information on deploying the Audit Vault Agent, see "Deploying and Activating the Audit Vault Agent on Host Computers".

Note:

The Audit Vault Agent is supported on x86-64, x86-32, x64, and HP-UX Itanium platforms, and requires Java SE 6 or 7 on the host computer. See Oracle Audit Vault and Database Firewall Installation Guide for platform support details for the current release. For supported platforms in prior releases, see Article 1536380.1 at the Oracle Support website: https://support.oracle.com

Placing Oracle AVDF Within Your Enterprise Architecture

When you deploy Oracle AVDF you set up the Audit Vault Server, then you can choose to deploy the Audit Vault Agent only, the Database Firewall only, or both.

Figure 1-2 shows Audit Vault and Database Firewall in an enterprise environment. This figure shows only one secured target for simplicity. A typical architecture will have many secured targets such as databases or nondatabase secured targets.

Figure 1-2 Oracle AVDF in the Enterprise Architecture


An Audit Vault Agent is deployed on the host computer of the secured target, which, in this case, is a database that is also protected by the Database Firewall. The Database Firewall has two connections, one for management and one for monitoring database traffic. They are treated the same way in the switch.

Database Firewalls use different network ports (network devices, and therefore, network paths) to connect to the Audit Vault Server. The Network Switch in this diagram shows two port connections for each of the Database Firewalls.

The Database Firewall can connect to the database network in one of three ways:

  • Through a hub, tap or network switch configured with a "spanning port": A spanning port is also known as a "mirror port" on some switches. This method sends a copy of all database traffic to the Database Firewall. This configuration enables a Database Firewall to operate as an out-of-band audit and monitoring system, and produce warnings of potential attacks, but it cannot block potentially harmful traffic.

    For more information about connecting hubs, taps or switches, see the following Web site:

    http://www.sans.org/security-resources/idfaq/switched.php

  • Inline between the database clients and database: This method enables the Database Firewall to block potential attacks as well as operate as an audit or monitoring system.

  • As a proxy: Using this method, the Database Firewall acts as a traffic proxy, and the database client applications connect to the database using the Database Firewall's proxy IP and port address.

High-Availability Modes

You can configure pairs of Database Firewalls or pairs of Audit Vault Servers, or both, to provide a high-availability system architecture. These pairs are known as resilient pairs. The resilient pair configuration works in Database Activity Monitoring (DAM) mode only. See "The Database Firewall" for information on DAM mode.

Figure 1-3 shows a pair of Database Firewalls and a pair of Audit Vault Servers being used to protect a single database.

Figure 1-3 Audit Vault and Database Firewall High Availability


For details on configuring resilient pairs, see "Configuring High Availability".

Understanding the Administrator's Role

Oracle AVDF Administrator Tasks

As an administrator, you configure Audit Vault and Database Firewall. The administrator's tasks include the following:

  • Configuring system settings on the Audit Vault Server

  • Configuring connections to the host computers where the Audit Vault Agent is deployed (usually the same computer as the secured targets)

  • Creating secured targets in the Audit Vault Server for each database or operating system you are monitoring

  • Deploying and activating the Audit Vault Agent on the secured target host computers

  • Configuring audit trails for secured targets that are monitored by the Audit Vault Agent

  • Configuring Database Firewalls on your network

  • Creating enforcement points for secured targets that are monitored by a Database Firewall

  • Backing up and archiving audit and configuration data

  • Creating administrator users and managing access (super administrator only)

Administrator Roles in Oracle AVDF

There are two administrator roles in Oracle AVDF, with different levels of access to secured targets:

  • Super Administrator - This role can create other administrators or super administrators, has access to all secured targets, and grants access to specific secured targets and groups to an administrator.

  • Administrator - Administrators can only see data for secured targets to which they have been granted access by a super administrator.

Summary of Configuration Steps

With Oracle AVDF, you can deploy the Audit Vault Agent, the Database Firewall or both. This section provides suggested high-level steps for configuring the Oracle AVDF system when you are:

Configuring Oracle AVDF and Deploying the Audit Vault Agent

This is a general workflow for configuring Oracle AVDF and deploying the Audit Vault Agent:

  1. Configure the Audit Vault Server. See "Configuring the Audit Vault Server".

  2. Register the host computers where you will deploy the Audit Vault Agent. Then deploy and activate the Audit Vault Agent on those hosts. See "Registering Hosts and Deploying the Agent".

  3. Create user accounts on your secured targets for Oracle AVDF to use. See "Scripts for Oracle AVDF Account Privileges on Secured Targets".

  4. Register the secured targets you are monitoring with the agent in the Audit Vault Server, and configure audit trails for these secured targets. See "Configuring Secured Targets, Audit Trails, and Enforcement Points".

After you have configured the system as an administrator, the Oracle AVDF auditor creates and provisions audit policies for Oracle Database secured targets, and generates various reports for other types of secured targets.

Configuring Oracle AVDF and Deploying the Database Firewall

This is a general workflow for configuring Oracle AVDF and deploying the Database Firewall:

  1. Configure the Audit Vault Server, and associate each Database Firewall with this server. See "Configuring the Audit Vault Server".

  2. Configure the Database Firewall basic settings, and associate the firewall with the Audit Vault Server. Then configure the firewall on your network. See "Configuring the Database Firewall".

  3. Register the secured targets you are monitoring with the Database Firewall in the Audit Vault Server. Then configure enforcement points for these secured targets. Optionally, if you want to also monitor database response to SQL traffic, use the scripts and configuration steps to do so. See "Configuring Secured Targets, Audit Trails, and Enforcement Points".

After you have configured the system as an administrator, the Oracle AVDF auditor creates firewall policies and assigns them to the secured targets. The auditor's role and tasks are described in Oracle Audit Vault and Database Firewall Auditor's Guide.

Planning the System Configuration

Questions to Help You Plan the Oracle AVDF Configuration

When planning the Oracle AVDF system configuration, you will need to think about the following questions:

  • What types of targets do I need to secure? Your secured targets may be databases, operating systems, or other types of targets.

  • To secure the types of targets I have, will I deploy the Audit Vault Agent, use Database Firewalls, or both?

  • If I deploy the Audit Vault Agent, what types of audit trails do I need to collect? What audit settings do I need on my secured target?

  • If I use Database Firewalls, how many do I need and where will they be on the network? Will they be inline, out of band (for example, using a span port), or configured as proxies?

  • Do I need to configure the system for high availability?

  • Who are the super administrators and administrators? For which secured targets should they have access?

The steps in this section provide information for your planning process.

Step 1: Plan the Audit Vault Server Configuration

In this step, plan whether to configure a resilient pair of servers, whether to change the network configuration settings made during the installation, and which optional services to configure.

Starting in AVDF 12.1.2, due to additional space requirements for certain archive data transfer methods, configure archiving as part of the initial configuration of the Audit Vault Server.

For information on the Audit Vault Server configuration settings, see "Configuring the Audit Vault Server".

For information on setting up resilient pairs of Audit Vault Servers, see "Configuring High Availability".

Step 2: Plan the Database Firewall Configuration

If you are using Database Firewalls, plan how many you will need, which secured target databases they will protect, where to place them in the network, whether they will be in DAM (monitoring only) or DPE (monitoring and blocking) mode, and whether to configure a resilient pair of firewalls. Also plan whether to change the Database Firewall network configuration specified during installation.

For information on the Database Firewall configuration settings, see "Configuring the Database Firewall".

For information on setting up resilient pairs of firewalls, see "Configuring High Availability".

Step 3: Plan the Audit Vault Agent Deployments

If you are deploying the Audit Vault Agent(s), determine the secured targets for which you want to collect audit data, and identify their host computers. You will register these hosts with Oracle AVDF and deploy the Audit Vault Agent on each of them. Then you will register each secured target in the Audit Vault Server.

For more information, see:

Step 4: Plan the Audit Trail Configurations

If you are deploying the Audit Vault Agent to collect audit data, you will need to configure audit trails. This section provides guidelines for planning the audit trail configuration for the secured targets from which you want to extract audit data. The type of audit trail that you select depends on the secured target type, and in the case of an Oracle Database secured target, the type of auditing that you have enabled in the Oracle Database.

To plan the secured target audit trail configuration:

  1. Ensure that auditing is enabled on the secured target.

    For an Oracle Database secured target, find the type of auditing that the Oracle Database uses. See Oracle Audit Vault and Database Firewall Auditor's Guide for more information about the Oracle Database requirements.

  2. Ensure that the agent is installed on the same computer as the secured target.

    For a Sybase ASE secured target, ensure that the Audit Vault Agent is installed on a computer from which SQL*Net can communicate with the Sybase ASE database.

    For more information, see "Deploying and Activating the Audit Vault Agent on Host Computers".

  3. Determine what type of audit trail to collect.

    Table B-13 lists the types of audit trails that can be configured for each secured target type and supported platforms.

  4. Familiarize yourself with the procedures to register a secured target and configure an audit trail. See the following topics for details:

  5. If you are collecting audit data from MySQL or IBM DB2 secured targets, there are additional steps you need to take. See the following topics:

Step 5: Plan Integration Options

Oracle AVDF can be integrated with the following third party products:

Step 6: Plan for High Availability

In this step, consider the high availability options outlined in "Configuring High Availability".

Step 7: Plan User Accounts and Access Rights

As a super administrator, you can create other super administrators and administrators. Super administrators will be able to see and modify any secured target. Administrators will have access to the secured targets you allow them to access. In this planning step, determine how many super administrators and administrators you will create accounts for, and to which secured targets the administrators will have access.

For more information, see "Managing User Accounts and Access".

Logging in to the Audit Vault Server Console UI

Logging in to the Audit Vault Server Console

When you first log in after installing the Audit Vault Server, you are required to set up a password. See Oracle Audit Vault and Database Firewall Installation Guide for information on post-installation tasks.

To log in to the Audit Vault Server console:

  1. From a browser, enter the following URL:

    https://host/
    

    where host is the server where you installed Audit Vault Server.

    For example:

    https://192.0.2.1/
    

    If you see a message saying that there is a problem with the Web site security certificate, this could be due to a self-signed certificate. Click the Continue to this website (or similar) link.

  2. In the Login page, enter your user name and password, and then click Login.

    The Dashboard page appears.

Understanding the Tabs and Menus in the Audit Vault Server Console

The Audit Vault Server console UI includes the following five tabs:

  • Home - Displays a dashboard showing high level information and status for:

    • Server Throughput

    • Disks Usage

    • CPU

    • RAM

    • Hosts

    • Database Firewalls

    At the top of the page, you can select the time range for the data displayed and the refresh interval, as shown in Figure 1-4.

    Figure 1-4 Selecting the Time Range for the Dashboard in the Home Tab


  • Secured Targets - Provides menus for registering secured targets, managing secured target groups, managing access rights, and monitoring audit trails and enforcement points.

  • Firewalls - Provides menus for registering Database Firewalls in the Audit Vault Server, and creating resilient pairs of firewalls for high availability.

  • Hosts - Provides menus for registering and managing host computers (where the agent is deployed), and downloading and activating the Audit Vault Agent on those hosts.

  • Settings - Provides menus for managing security, archiving, and system settings. From here, you can also download the AVCLI command line utility.

Working with Lists of Objects in the UI

Throughout the Audit Vault Server UI, you will see lists of objects such as users, secured targets, audit trails, enforcement points, etc. You can filter and customize any of these lists of objects in the same way as you can for Oracle AVDF reports. This section provides a summary of how you can create custom views of lists of objects. For more detailed information, see the Reports chapter of Oracle Audit Vault and Database Firewall Auditor's Guide.

To filter and control the display of lists of objects in the Audit Vault Server UI:

  1. For any list (or report) in the UI, there is a search box and an Actions menu.

  2. To find an item in the list, enter its name in the search box, and then click Go.

  3. To customize the list, from the Actions menu, select any of the following:

    • Select Columns: Select which columns to display.

    • Filter: Filter the list by column or by row using regular expressions with the available operators. When done, click Apply.

    • Rows Per Page: Select the number of rows to display per page.

    • Format: Format the list by selecting from the following options:

      • Sort

      • Control Break

      • Highlight

      • Compute

      • Aggregate

      • Chart

      • Group By

      Fill in the criteria for each option as needed and click Apply.

    • Save Report: Save the current view of the list. Enter a name and description and click Apply.

    • Reset: Reset the list to the default view.

    • Help: Display the online help.

    • Download: Download the list. Select the download format (CSV or HTML) and click Apply.

Logging in to the Database Firewall Console UI

Logging in to the Database Firewall Console UI

When you first log in after installing the Database Firewall, you are required to set up a password. See Oracle Audit Vault and Database Firewall Installation Guide for information on post-installation tasks.

To log in to the Database Firewall Console UI:

  1. From a browser, enter the following URL:

    https://host/
    

    where host is the server where you installed the Database Firewall.

    For example:

    https://192.0.2.2/
    

    If you see a message saying that there is a problem with the Web site security certificate, this could be due to a self-signed certificate. Click the Continue to this website (or similar) link.

  2. In the Login page, enter your user name and password, and then click Login.

    The Dashboard page appears.

Using the Database Firewall UI

An administrator uses the Database Firewall UI to configure network, services, and system settings on the Database Firewall server, identify the Audit Vault Server that will be managing each firewall, and configure network traffic sources so that the firewall can monitor or block threats to your secured target databases.

See "Configuring the Database Firewall" for detailed information on configuring the Database Firewall using the Database Firewall console UI.

Using the AVCLI Command Line Interface

You can download the AVCLI command line utility and use it, as an alternative to the Audit Vault Server console GUI, for configuring and managing Oracle AVDF.

For information on downloading and using AVCLI, see "Downloading and Using the AVCLI Command Line Interface".

For details of available commands and syntax, see "AVCLI Commands Reference".

Using the AVDF Enterprise Manager Plug-in

If you have Oracle Enterprise Manager Cloud Control installed, you can install an Oracle AVDF plug-in to manage and monitor Oracle AVDF through the Enterprise Manager.

For more information see Oracle Enterprise Manager System Monitoring Plug-in Installation Guide for Audit Vault and Database Firewall.