7 Enabling and Using Host Monitoring

Topics

7.1 About Host Monitoring

Host monitoring is designed for situations in which you have many small databases in a distributed environment and you want Oracle Audit Vault and Database Firewall to monitor the SQL traffic to all of them centrally with one Database Firewall. It gives you flexibility in choosing the network point at which the traffic is captured; for example, it helps where it is not easy to route the traffic through a bridge or to obtain it from a mirror port.

The host monitor captures the SQL traffic from the network card and sends it over the network to a Database Firewall. This SQL data is then available for reports generated by Oracle Audit Vault and Database Firewall. Host monitoring is used only for monitoring SQL traffic (DAM mode) and cannot be used to block or substitute SQL statements.

To use the Host Monitor, deploy the Audit Vault Agent on the host on which you want to run the Host Monitor. Normally this is the database server itself. For larger databases, the SQL traffic that the host monitor captures and forwards adds to the database server's network load; in that case you can install the host monitoring software on a server other than the database server. It is recommended to use a spanning (mirror) port to feed that server with the database server's traffic.

You can use one Database Firewall to monitor multiple secured target databases on the same host using one host monitor installation. To do this, you create an enforcement point in DAM mode, and a NETWORK audit trail, for each secured target.

To monitor all network traffic for a secured target, the Oracle Audit Vault and Database Firewall auditor must select a firewall policy that logs events, for example, Log Unique. A policy that logs nothing produces no data for reports even though the traffic is being captured.

Note:

  • Host monitoring is supported on Linux, Solaris, AIX, and Windows platforms, and can monitor any database supported by the Database Firewall. See Table B-1 for supported databases.

  • Host Monitor Agent supports link type Solaris IPNET on Oracle Solaris SPARC64 and x86-64.

  • Host Monitor Agent supports Ethernet (EN10MB) link type for all supported platforms.

7.2 Installing and Enabling Host Monitoring

Topics

7.2.1 Host Monitor Requirements

Host Monitor enables the Database Firewall to monitor SQL traffic to a database directly on the host, without a bridge or mirror port.

Recommended requirements for installing Host Monitor:

  1. User installing the Host Monitor must have root privileges.
  2. Ensure Audit Vault Agent is running on the host machine.
  3. Ensure the latest version of the following packages from the OS vendor for the specific OS version are installed on the host machine:

    • Libcap (for Linux hosts only)
    • LibPcap
    • OpenSSL
  4. Ensure gmake is installed. This is required for Host Monitor to run successfully.
  5. Verify that communication between the host and the Database Firewall is allowed on ports 2050 - 5100.
  6. Check directory permissions. Every directory in the path to the Host Monitor install location, starting from the root directory, must have permission bits 755 (owner read, write and execute; group and others read and execute only), and the install location itself must be root owned.

Specific requirements for installing Host Monitor on Windows platform:

  1. Host Monitor must be installed by user belonging to Administrator group.
  2. Install Npcap from the avdf12.2.0.13.0-utility.zip bundle available on Oracle Software Delivery Cloud. It is part of the Oracle Audit Vault and Database Firewall installable files. Install Npcap in WinPcap-API-compatible mode.
  3. Install the latest OpenSSL 1.1.1 libraries (1.1.1g or higher). Use OpenSSL 1.1.1i for Oracle AVDF release 12.2.0.14.0.
  4. Ensure the Windows target machine has the latest update of the Visual C++ Redistributable for Visual Studio 2010 (which supplies MSVCRT.dll), or a later version, installed. Host Monitor on Windows does not run without it.

Specific requirements for installing Host Monitor on Linux/Unix/AIX/Solaris platforms:

  1. Host Monitor must be installed by root user.
  2. On IBM AIX on Power Systems (64-bit), ensure the I/O Completion Ports (IOCP) device is in the Available state. It is in the Defined state by default.
  3. Ensure Libcap is installed for Linux hosts.

See Also:

Enabling and Using Host Monitoring for host monitoring instructions and prerequisites.

7.2.2 Register the Computer that will Run the Host Monitor

To register a host in the Audit Vault Server, see "Registering Hosts in the Audit Vault Server".

7.2.3 Deploying the Agent and Host Monitor on Microsoft Windows Hosts

Oracle Audit Vault and Database Firewall 12.2.0.13.0 (and later) supports Host Monitoring on Windows. This requires additionally installing OpenSSL and Npcap. This section describes what to do before upgrading from an older 12.2 release (other than 12.2.0.11.0 and 12.2.0.12.0), and what to do for a fresh installation of 12.2.0.13.0 (or later).

Installing OpenSSL

OpenSSL 1.1.1g or a higher version must be installed on the Windows host machine. Use OpenSSL 1.1.1i for Oracle AVDF release 12.2.0.14.0. Make the following system changes before installing OpenSSL:

  1. In the Windows machine, navigate to Control Panel.
  2. Click System, and then click Advanced system settings.
  3. In the Advanced tab, click on Environment Variables button.
  4. The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
  5. Click Edit button. The Edit environment variable dialog is displayed.
  6. Add the location of the OpenSSL bin directory at the beginning of the Path variable.

    Note:

    While installing OpenSSL on the Windows machine you are prompted, as an additional configuration step, to choose a location for the OpenSSL DLLs. Choose the Windows System Directory option: that location is already on the Path environment variable by default. If you choose the OpenSSL bin directory option instead, ensure that location is added to the Path environment variable.
  7. Click OK to save the changes, and then exit all the dialogs.

New Installation of Host Monitor for Windows

Host Monitoring on Windows requires Npcap. Follow these steps to install Npcap for a fresh installation of Host Monitor in release 12.2.0.13.0 (or later):

  1. Log in to ARU.
  2. Download Npcap from the utility.zip bundle on Oracle Software Delivery Cloud. It is part of the Oracle Audit Vault and Database Firewall installable files.
  3. Install Npcap on the Windows host machine in WinPcap-API-compatible mode.

    Note:

    Installing Npcap in WinPcap API compatible mode removes any existing installation of WinPcap from the Windows machine.
  4. In addition to the Windows System directory, Npcap copies the DLL files to the Npcap sub-directory inside the Windows System directory. Do not remove the DLL files from the Windows System directory.

    Note:

    Installing Npcap in WinPcap API compatible mode adds the Npcap DLL files to the Windows System directory, which is already in the system Path environment variable.
  5. Optionally add the Npcap sub directory inside the Windows System directory to the Path environment variable, by following the steps below:

    1. Navigate to Control Panel.
    2. Click System, and then click Advanced system settings.
    3. In the Advanced tab, click on Environment Variables button.
    4. The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
    5. Click Edit button. The Edit environment variable dialog is displayed.
    6. Add the location of the Npcap DLL files at the beginning of the Path variable. For example: C:\Windows\System32\Npcap
    7. Click OK to save the changes, and then exit all the dialogs.
  6. Confirm the changes in the Path environment variable.

Upgrading Host Monitor on Windows

Host Monitoring on Windows requires Npcap. To continue using Host Monitor on Windows on release 12.2.0.9.0, 12.2.0.10.0, or 12.2.0.13.0, follow these steps before upgrading to Oracle AVDF release 12.2.0.14.0:

  1. Stop the Audit Vault Agent running on the Windows host machine.
  2. Log in to the Audit Vault Server console.
  3. Verify the audit trails and the Audit Vault Agent are in STOPPED state.
  4. Log in to ARU, and download Npcap software that is available with Oracle AVDF utility.zip bundle of the specific release.
  5. Install Npcap on the Windows host machine in WinPcap-API-compatible mode.

    Note:

    Installing Npcap in WinPcap API compatible mode removes any existing installation of WinPcap/Npcap from the Windows machine.
  6. In addition to the Windows System directory, Npcap copies the DLL files to the Npcap sub-directory inside the Windows System directory. Do not remove the DLL files from the Windows System directory.

    Note:

    Installing Npcap in WinPcap API compatible mode adds the Npcap DLL files to the Windows System directory, which is already in the system Path environment variable.
  7. Optionally add the Npcap sub-directory inside the Windows System directory to the Path environment variable, by following the steps below:

    1. Navigate to Control Panel.
    2. Click System, and then click Advanced system settings.
    3. In the Advanced tab, click on Environment Variables button.
    4. The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
    5. Click Edit button. The Edit environment variable dialog is displayed.
    6. Add the location of the Npcap DLL files at the beginning of the Path variable. For example: C:\Windows\System32\Npcap
    7. Click OK to save the changes, and then exit all the dialogs.
  8. Confirm the changes in the Path environment variable.
  9. Restart the Audit Vault Agent on the Windows host machine.
  10. Host Monitor now uses Npcap at runtime. Verify that the network trail is collecting.
  11. Proceed with the appliance upgrade.

Note:

  • Ensure the audit trails and the Audit Vault Agent are in the STOPPED state before installing Npcap; otherwise an error may be encountered.
  • Do not delete the DLL files; the Npcap installation creates them.

7.2.4 Deploying the Agent and Host Monitor on Unix Hosts

Prerequisites

Deploy the Audit Vault Agent. See Deploying the Audit Vault Agent on the Host Computer.

To install the Host Monitor:

  1. Log in as root and identify a root-owned directory on the local hard disk, such as /usr/local, where you will install the host monitor.

    Note: The entire directory hierarchy must be root-owned. All the directories in this hierarchy must have read and execute permission for other users or groups, but not write permission.

  2. Log in to the Audit Vault Server console as an administrator.
  3. Click on the Hosts tab, and then click Agent.
  4. Click the Download button corresponding to your Unix version, and then save the .zip file to the root-owned directory (on the local hard disk) you identified in Step 1, for example /usr/local.
  5. As root user, unzip the host monitor file.

    This creates a directory named hm. This is your HM_Home directory, which in this example is /usr/local/hm.

  6. Ensure that the hostmonsetup file (in the hm directory) has execute permission.
  7. Run the following command:
    HM_Home/hostmonsetup install [agentuser=Agent_Username] [agentgroup=Agent_Group]
    
    • HM_Home - The directory created in Step 5.

    • Agent_Username - (Optional) Enter the username of the user who installed the Audit Vault Agent (the user who executed the java -jar agent.jar command).

    • Agent_Group - (Optional) Enter the group to which the Agent_Username belongs.
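The following script is an added example, not Oracle's hostmonsetup or any other part of the product. It turns the directory requirement from Host Monitor Requirements (and the Note in Step 1 above) and the port requirement into checks you can run before Step 7, and then issues the install command from Step 7 with the Agent user and group. It assumes a Linux host with GNU stat, unzip and timeout available; HM_HOME, AGENT_USER and AGENT_GROUP are placeholders for your environment.

```sh
#!/bin/sh
# Added example, not Oracle's hostmonsetup or any part of the product.
# Pre-flight checks for the Host Monitor install location plus the install
# command from Step 7. Assumptions: GNU stat (-c), unzip and timeout(1) are
# present (Linux); the three values below are placeholders.

HM_HOME=${HM_HOME:-/usr/local/hm}     # assumed: the hm directory unzip creates
AGENT_USER=${AGENT_USER:-avagent}     # assumed: user who ran java -jar agent.jar
AGENT_GROUP=${AGENT_GROUP:-avagent}   # assumed: that user's group

# Accept a (uid, octal mode) pair only for a root-owned directory that group
# and others may read and search but not write (the 755 rule; 555 is tighter).
hm_dir_ok() {
    [ "$1" = "0" ] || return 1
    case "$2" in
        755|555) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one directory; print the offender and return 1 on failure.
hm_check_dir() {
    [ -d "$1" ] || { echo "missing: $1"; return 1; }
    set -- "$1" $(stat -c '%u %a' "$1")
    hm_dir_ok "$2" "$3" || { echo "bad: $1 (uid=$2 mode=$3)"; return 1; }
}

# Walk every component from / down to the given directory. One non-root or
# group/world-writable ancestor is enough to fail: whoever can write there
# can swap the hm directory for something root will later execute.
hm_check_path() {
    rc=0; dir=""
    hm_check_dir / || rc=1
    oldifs=$IFS; IFS=/; set -- $1; IFS=$oldifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        dir="$dir/$comp"
        hm_check_dir "$dir" || rc=1
    done
    return $rc
}

# Requirement 5: confirm this host can open a TCP connection to the Database
# Firewall on a port in the 2050-5100 range (bash /dev/tcp, 3 s timeout).
hm_fw_reachable() {                   # $1 = firewall address, $2 = port
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Steps 5-7 of the install procedure, gated on the checks above.
hm_install() {                        # $1 = downloaded host monitor .zip
    parent=$(dirname "$HM_HOME")
    [ "$(id -u)" = "0" ] || { echo "run as root" >&2; return 1; }
    hm_check_path "$parent" || return 1
    unzip -q "$1" -d "$parent" || return 1          # creates $parent/hm
    chmod 755 "$HM_HOME/hostmonsetup" || return 1
    "$HM_HOME/hostmonsetup" install agentuser="$AGENT_USER" agentgroup="$AGENT_GROUP"
}

# Usage (file name is an assumption): ./hm_preinstall.sh --install /usr/local/<zip>
if [ "${1:-}" = "--install" ]; then hm_install "$2"; fi
```

hm_check_path reports every offending directory rather than stopping at the first, so a single run shows everything that has to be fixed with chown and chmod before the install. On Solaris and AIX the stat command differs, so adapt hm_check_dir there.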

7.2.5 Create a Secured Target for the Host-Monitored Database

7.2.6 Create an Enforcement Point for the Host Monitor

For a Host Monitor only deployment, create an enforcement point in Database Activity Monitoring (DAM) mode to receive and process the data sent by the Host Monitor.

When creating the enforcement point for a Database Firewall in a Host Monitor only deployment, you must configure a network interface card (NIC) for it. This NIC must be different from the Management Interface used for communication with the Audit Vault Server.

7.2.7 Create a Network Audit Trail

Learn how to create network audit trails.

Create an audit trail for each target you are monitoring with a Host Monitor. Specify NETWORK for the Audit Trail Type.

Note:

The collection attribute network_device_name_for_hostmonitor must be configured for every target monitored by a Host Monitor. Its value is the name of the network interface card that receives all the network traffic of the target database.

Linux/AIX/Solaris hosts

Follow these steps to determine the value of the network_device_name_for_hostmonitor collection attribute:

  1. Determine the IP address on which the target database is configured to accept TCP traffic. Make a note of the IP address.
  2. Execute the following command to list the network device details present in the host machine:

    ifconfig -a
  3. From the output displayed, search for the IP address that was noted in the initial step. The corresponding name of the network card is the value of the collection attribute network_device_name_for_hostmonitor.

Windows hosts

Follow these steps to determine the value of the network_device_name_for_hostmonitor collection attribute:

  1. Determine the IP address on which the target database is configured to accept TCP traffic. Make a note of the IP address.
  2. Execute the following command to list the network device details present in the host machine:
    ipconfig /all

    Note:

    This command displays the Physical Address, IPv4 Address, and other details for every device.
  3. From the output displayed, search for the device which has an IPv4 Address that was noted in the initial step. Make a note of the corresponding Physical Address.
  4. Execute the command getmac. Its output lists the device name (the Transport Name column) against each Physical Address. Make a note of the device name for the Physical Address determined in the previous step.
  5. After the Device Name is determined, observe it is in the following form:
    \Device\Tcpip_{********-****-****-****-************}
  6. Copy this device name, replacing Tcpip with NPF, and use the result as the attribute value. For a network card named \Device\Tcpip_{********-****-****-****-************} the attribute value is therefore \Device\NPF_{********-****-****-****-************}.

    Note:

    This does not involve changing the network device name at a system level.

    See Also:

    Adding an Audit Trail in the Audit Vault Server for instructions on adding audit trails.
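As an added example (not part of Oracle's documentation or product), the script below derives the network_device_name_for_hostmonitor value for both procedures above. The Linux side parses the one-line-per-address output of ip -o -4 addr show, which assumes iproute2 is installed (the ifconfig output used in the Linux steps is laid out differently and is not parsed here). The Windows side is the Tcpip to NPF rewrite from the Windows steps, done as a string transformation. The sample ip output is constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of Oracle's documentation or product. Derives the
# value for network_device_name_for_hostmonitor. Assumption: iproute2 on the
# Linux host; the sample output below is constructed.

# Print the interface that carries exactly the listener address given as $1.
# Input is `ip -o -4 addr show` text on stdin. The trailing "/" stops a
# substring hit such as 10.0.0.5 inside 10.0.0.50 from matching.
hm_iface_for_ip() {
    awk -v ip="$1" '
        # fields: index, device, "inet", address/prefix, ...
        $3 == "inet" && substr($4, 1, length(ip) + 1) == ip "/" { print $2; exit }
    '
}

# Same lookup against the live host.
hm_iface_for_ip_live() { ip -o -4 addr show | hm_iface_for_ip "$1"; }

# Windows: getmac reports the adapter as \Device\Tcpip_{GUID}; Npcap exposes
# the same adapter as \Device\NPF_{GUID}. Only the prefix changes, and nothing
# is renamed on the system.
hm_npf_name() {
    printf '%s\n' "$1" | sed 's/\\Device\\Tcpip_/\\Device\\NPF_/'
}

# Constructed sample of `ip -o -4 addr show` output for a two-NIC host.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.5/24 brd 10.0.0.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 10.0.0.50/24 brd 10.0.0.255 scope global eth1\       valid_lft forever preferred_lft forever'

# Usage (file name is an assumption): ./hm_nic_name.sh --demo   (prints eth0)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_IP_OUTPUT" | hm_iface_for_ip 10.0.0.5
fi
```

If the listener is bound to all addresses (0.0.0.0) rather than one, the lookup cannot pick the card for you: choose the NIC on which client sessions actually arrive. The attribute names exactly one card, so on a multi-homed host any database traffic that arrives on a different card is not captured by the Host Monitor.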

7.3 Starting, Stopping, and Other Host Monitor Operations

Topics

7.3.1 Starting the Host Monitor

Learn how to start the host monitor.

Starting the host monitor consists of starting collection for the NETWORK audit trail on the host you are monitoring.

To start the host monitor from the Audit Vault Server console:

  1. Log in to the Audit Vault Server console as an administrator.
  2. Start the audit trail(s) you created for host monitoring in Create a Network Audit Trail.

7.3.2 Stopping the Host Monitor

To stop the host monitor, stop the audit trail you created for the secured target that is being monitored. See "Stopping, Starting, and Autostart of Audit Trails in the Audit Vault Server".

7.3.3 Changing the Logging Level for a Host Monitor

7.3.4 Viewing Host Monitor Status and Details

You can view whether a host monitor is installed, and information such as its location, version, update time, and other details.

To view host monitor status and details:

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Hosts tab.
  3. Check the Host Monitor Status and the Host Monitor Details columns for the host you are interested in.

7.3.5 Checking the Status of a Host Monitor Audit Trail

To check the status of a host monitor:

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Secured Targets tab, and then from the Monitoring menu, click Audit Trails.

    The collection status of a host monitor audit trail is listed in the Audit Trails page. A host monitor audit trail has NETWORK in the Audit Trail Type column.

7.3.6 Uninstalling the Host Monitor (Unix Hosts Only)

This procedure applies to Unix hosts only. On Windows hosts there is no separate install or uninstall step for the host monitor.

To uninstall a host monitor:

  1. Log in to the host computer as root.
  2. From the HM_Home directory (the hm directory created when you unzipped the host monitor; see Deploying the Agent and Host Monitor on Unix Hosts) run the following command:

    hostmonsetup uninstall

7.4 Updating the Host Monitor (Unix Hosts Only)

Learn how to update the host monitor on Unix systems.

When you update the Audit Vault Server to a future release, the host monitor is automatically updated.

If your current release is prior to 12.1.2, refer to the README included with upgrade software or patch updates for instructions on how to update the host monitor.

See Also:

Oracle Audit Vault and Database Firewall Installation Guide for information on downloading upgrade software.

7.5 Using Certificate-based Authentication for the Host Monitor

By default, the Database Firewall accepts a host monitor connection after verifying only the host's (originating) IP address. A source IP address identifies the sender only weakly: any process on that host, or any machine able to present that address to the firewall, passes the check.

For the additional assurance of certificate-based authentication of the host monitor, follow these procedures after the host monitor is installed:

7.5.1 Requiring a Signed Certificate for Host Monitor Connections to the Firewall

To require a signed certificate for host monitor connections:

  1. Stop the host monitor if it is running.
  2. At the Database Firewall, log in as root, and run the following commands:
    cp /usr/local/dbfw/etc/controller.crt /usr/local/dbfw/etc/fw_ca.crt
    chown dbfw:dbfw /usr/local/dbfw/etc/fw_ca.crt
    chmod 400 /usr/local/dbfw/etc/fw_ca.crt
  3. Run the following command to restart the monitor process:

    /etc/init.d/monitor restart

7.5.2 Getting a Signed Certificate from the Audit Vault Server

Follow this procedure for each host running host monitor. The host monitor should already be installed.

To get a signed certificate from the Audit Vault Server:

  1. Log in to the Audit Vault Server as root.
  2. Go to the directory /usr/local/dbfw/etc.
  3. Run the following two commands:
    openssl genrsa -out hmprivkey.perm 2048
    openssl req -new -key hmprivkey.perm -out hmcsr.csr -subj "/CN=Hostmonior_Cert_hostname/"

    In the -subj value, replace hostname with the name of the host machine where the Audit Vault Agent is installed; keep the rest of the CN as shown.

  4. To generate one signed certificate, run the following command:

    /usr/local/dbfw/bin/generate_casigned_hmcert.sh

    The signed certificate file hmcert.crt is generated in the directory /usr/local/dbfw/etc.

  5. Copy the following files from the Audit Vault Server to the Agent_Home/hm directory on the host machine where the Audit Vault Agent is installed. hmprivkey.perm is the host monitor's private key, so copy it over a secure channel such as scp and do not leave additional copies on shared storage:
    /usr/local/dbfw/etc/hmcert.crt
    /usr/local/dbfw/etc/hmprivkey.perm
    
  6. (Unix Hosts Only) As root, run the following commands:
    chown root:root Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
    chmod 400 Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
  7. (Windows Hosts Only) Ensure that hmcert.crt and hmprivkey.perm are owned by the Agent user and have permissions that prevent access by other users.
  8. Start the host monitor to capture network traffic.
  9. Repeat this procedure for every host running host monitor.
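The script below is an added example and is not Oracle's generate_casigned_hmcert.sh or any other part of the product. It reproduces the key and CSR commands from Step 3, then adds the checks worth running before and after the copy in Step 5: that the CSR carries the intended CN, that the signed certificate really belongs to the private key that travelled with it, that the certificate chains to the CA certificate the firewall was given as fw_ca.crt in 7.5.1, and that the file ownership and mode from Step 6 are in place. Because the appliance's signing script cannot run outside the Audit Vault Server, a throwaway CA stands in for Step 4 so the checks can be exercised offline. It assumes the OpenSSL command line (1.1.1 or later) and GNU stat; the CN prefix is taken verbatim from the procedure above, and dbhost01 is a made-up host name.

```sh
#!/bin/sh
# Added example, not Oracle's generate_casigned_hmcert.sh or any part of
# the product. Assumptions: OpenSSL CLI 1.1.1+ and GNU stat; CN prefix as
# given in the procedure; "dbhost01" below is a made-up host name.

# Step 3: 2048-bit RSA key and a CSR whose CN is Hostmonior_Cert_<hostname>.
hm_make_csr() {                       # $1 = working dir, $2 = Agent host name
    openssl genrsa -out "$1/hmprivkey.perm" 2048 2>/dev/null &&
    openssl req -new -key "$1/hmprivkey.perm" -out "$1/hmcsr.csr" \
        -subj "/CN=Hostmonior_Cert_$2/"
}

# Read the CN back so a wrong host name is caught before anything is signed.
hm_csr_cn() { openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# Stand-in for Step 4. On the appliance, generate_casigned_hmcert.sh signs
# hmcsr.csr with the Audit Vault Server's CA; here a throwaway CA does it.
hm_stand_in_sign() {                  # $1 = working dir holding hmcsr.csr
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/ca.key" -out "$1/ca.csr" -subj "/CN=Stand-in CA/" &&
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext" &&
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -extfile "$1/ca.ext" \
        -days 2 -out "$1/ca.crt" 2>/dev/null &&
    openssl x509 -req -in "$1/hmcsr.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/hmcert.crt" 2>/dev/null
}

# After Step 5: the certificate must carry the public half of the key that
# was copied with it; a mismatch means the wrong file went to the host.
hm_cert_matches_key() {               # $1 = hmcert.crt, $2 = hmprivkey.perm
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

# What the firewall checks after 7.5.1: the host certificate must chain to
# the CA certificate it holds as fw_ca.crt.
hm_cert_chains_to() {                 # $1 = CA certificate, $2 = hmcert.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 6: every file root-owned with mode 400; anything looser fails.
hm_files_locked_down() {
    for f in "$@"; do
        [ "$(stat -c '%u %a' "$f" 2>/dev/null)" = "0 400" ] || return 1
    done
}

# Usage (file name is an assumption): ./hm_cert_check.sh --demo
# Runs the whole flow in a scratch directory and prints its path on success.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && hm_make_csr "$d" dbhost01 && hm_stand_in_sign "$d" &&
    hm_cert_matches_key "$d/hmcert.crt" "$d/hmprivkey.perm" &&
    hm_cert_chains_to "$d/ca.crt" "$d/hmcert.crt" && echo "$d"
fi
```

On a real deployment, run hm_cert_matches_key and hm_files_locked_down on the Agent host against Agent_Home/hm, and hm_cert_chains_to on the Database Firewall with /usr/local/dbfw/etc/fw_ca.crt as the first argument; if either check fails, the host monitor will not be accepted by the firewall once certificate authentication is required.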