B Plug-in Reference

Topics

B.1 About Oracle Audit Vault and Database Firewall Plug-ins

Oracle Audit Vault and Database Firewall supports different types of secured targets by providing a plug-in for each secured target type. Oracle Audit Vault and Database Firewall ships with a set of plug-ins out-of-the-box. These plug-ins are packaged and deployed with the Audit Vault Server.

You can also develop your own plug-ins, or get new available plug-ins, and add them to your Oracle Audit Vault and Database Firewall installation.

This appendix contains high-level data for each plug-in shipped with Oracle Audit Vault and Database Firewall. The appendix also contains look-up information you will need to complete the procedures for registering secured targets and configuring audit trails. These procedures link directly to the relevant section of this appendix.

See Also:

Oracle Big Data Appliance Owner's Guide. Oracle Audit Vault and Database Firewall also supports Oracle Big Data A ppliance as a secured target.
Deploying Plug-ins and Registering Plug-in Hosts

B.2 Plug-ins Shipped with Oracle Audit Vault and Database Firewall

This section describes each plug-in shipped with Oracle Audit Vault and Database Firewall.

See Also:

Oracle Audit Vault and Database Firewall Installation Guide for the latest detailed platform support for the current release.

In addition, you can find platform information for prior releases in Article 1536380.1 at My Oracle Support.

Topics

B.2.1 Out-of-the Box Plug-ins at a Glance

Oracle Audit Vault and Database Firewall out-of-the-box plug-ins support the secured target versions listed in Table B-1. Click the link for each secured target to get detailed information.

Table B-1 Out-of-the-Box Plug-ins and Features Supported in Oracle Audit Vault and Database Firewall

Secured Target Version	Audit Trail Collection	Audit Policy Creation, Entitlement Auditing	Stored Procedure Auditing	Audit Trail Cleanup	Database Firewall	Host Monitor	Database Interrogation
Oracle Database 9i	No	No	No	No	Yes	No	No
Oracle Database 10g, 11g, 12c	Yes	Yes (except Unified Audit Policies)	Yes	Yes	Yes	Yes	Yes
Oracle Database 18c (18.3) in release 12.2.0.9.0 and later	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Oracle Database 19c in release 12.2.0.11.0 and later	Yes	Yes	Yes	Yes	Yes	Yes	Yes
Microsoft SQL Server 2008, 2008 R2, 2012, 2014, 2016	Yes	No	Yes (Versions 2000, 2005, 2008, 2008 R2)	Yes	Yes	Yes (on Windows 2008 and onwards)	Yes (Microsoft SQL Server 2005, 2008, 2008 R2)
Sybase ASE 12.5.4 to 15.7	Yes	No	Yes	No	Yes	Yes	No
Sybase SQL Anywhere 10.0.1	No	No	Yes	No	Yes	Yes	Yes
IBM DB2 9.5 - 11.1	Yes	No	Yes	No	Yes Versions 9.1 - 10.5	Yes	No
MySQL 5.5 - 5.7	Yes	No	Yes	Yes	Yes	Yes	No
Oracle Solaris 10 and 11, on SPARC64 and x86-64 platforms	Yes	No	No	No	No	Yes Versions 11, 11.1, 11.2	No
Oracle Solaris - other versions, see Note below.	Yes	No	No	No	No	No	No
Oracle Linux 5.8, 6.0 - 6.9, 7.0 - 7.3	Yes	No	No	No	No	Yes	No
Red Hat Enterprise Linux 6.7 - 6.9 7.0 - 7.3	Yes	No	No	No	No	Yes	No
SUSE Linux Enterprise Server 11-12	No	No	No	No	No	Yes	No
IBM AIX 6.1 - 7.2 on Power Systems (64-bit)	Yes	No	No	Yes	No	Yes	No
Microsoft Windows Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, and 2016 on x86-64	Yes	No	No	No	No	No	No
Microsoft Active Directory 2008, 2008 R2, 2012, and 2016 on 64 bit	Yes	No	No	No	No	No	No
Oracle ACFS 12c Rel ease 1 (12.1)	Yes	No	No	No	No	No	No
Oracle Big Data Appliance 2.3, 4.3	Yes	No	No	No	No	No	No

Note:

Audit data can also be collected from Solaris version 2.3 or later (contact Oracle Support for guidance).

B.2.2 Oracle Database

Table B-2 lists features of the Oracle Database Plug-in.

Table B-2 Oracle Database Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME/av/plugins/com.oracle.av.plugin.oracle`
Secured Target Versions	Oracle 10g Oracle 11g Oracle 12c Release 1 (12.1) Oracle 12c Release 2 (12.2) Note: Oracle 12c Release 2 (12.2) as a secured target is supported from Oracle Audit Vault and Database Firewall release 12.2.0.4.0 and onwards for audit data collection. 18c (18.3) in release 12.2.0.9.0 and later 19c in release 12.2.0.11.0 and later
Secured Target Platforms	Linux/x86-64 Solaris /x86-64 Solaris /SPARC64 AIX/Power64 Windows /x86-64 HP-UX Itanium See Audit Vault Agent: Supported Platforms and Versions in Oracle Audit Vault and Database Firewall Installation Guide for complete details on supported target platforms and versions.
Setup Script(s)	Yes. See "Oracle Database Setup Scripts" for instructions.
Secured Target Location (Connect String)	`jdbc:oracle:thin:@//hostname:port/service`
Collection Attribute(s)	ORCLCOLL.NLS_LANGUAGE ORCLCOLL.NLS_TERRITORY ORCLCOLL.NLS_TERRITORY ORCLCOLL.MAX_PROCESS_TIME ORCLCOLL.MAX_PROCESS_RECORDS ORCLCOLL.RAC_INSTANCE_ID ORCLCOLL.HEARTBEAT_INTERVAL ORCLCOLL.HEARTBEAT_INTERVAL See Table B-19 for details.
AVDF Audit Trail Types	`TABLE` `DIRECTORY` `TRANSACTION LOG` `SYSLOG` (Linux only) `EVENT LOG` (Windows only) `NETWORK` See Table B-17 for descriptions of audit trail types.
Audit Trail Location	For `TABLE` audit trails: `SYS.AUD$`, `SYS.FGA_LOG$`, `DVSYS.AUDIT_TRAIL$`, `UNIFIED_AUDIT_TRAIL` For `DIRECTORY` audit trails: Full path to directory containing `AUD` or `XML` files. For `SYSLOG` audit trails: Use `DEFAULT` or the full path to directory containing the syslog file. For `TRANSACTION LOG`, `EVENT LOG`, and `NETWORK` audit trails: no trail location required. Note: Oracle Audit Vault and Database Firewall queries and collects records from Unified Audit trail which fetches unified audit records from operating system spillover audit files. The Database Audit Management manages the clean up of Unified Audit trail and the underlying operating system spillover audit files.
Audit Trail Cleanup Support	Yes. See Oracle Database Audit Trail Cleanup for instructions.
OS user running the Agent	For Oracle Database Directory Audit Trail: Any user who has read permission on audit files, i.e oracle user, or user in DBA group. For Table Trail: Any database user (preferably not DBA). For any other directory audit trail: Any user who has read permission on audit files.
Cluster support	Yes

B.2.3 Microsoft SQL Server

Table B-3 lists the features of the Microsoft SQL Server plug-in.

Table B-3 Microsoft SQL Server Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME\av\plugins\com.oracle.av.plugin.mssql`
Secured Target Versions	Enterprise Edition 2000, 2005, 2008, 2008 R2, 2012, 2014. Enterprise Edition 2016 is supported in release 12.2.0.2.0 and later. Enterprise Edition 2017 is supported in release 12.2.0.10.0 and later.
Secured Target Platforms	Windows/x86-64 See Audit Vault Agent: Supported Platforms and Versions in Oracle Audit Vault and Database Firewall Installation Guide for complete details on supported target platforms and versions.
Setup Script(s)	Yes. "Microsoft SQL Server Setup Scripts" for instructions.
Secured Target Location (Connect String for SQL server authentication)	`jdbc:av:sqlserver://hostname:port`
Secured Target Location (Connect String for Windows Authentication)	`jdbc:av:sqlserver://<Host Name>:<Port>;authenticationMethod=ntlmjava` Use Windows user credentials along with domain. For example: `<domain name>\<user name > and password`
Collection Attribute(s)	None
AVDF Audit Trail Types	`DIRECTORY` `EVENT LOG` `NETWORK` See Table B-17 for descriptions of audit trail types.
Audit Trail Location	For DIRECTORY audit trail: `.sqlaudit` files, or `.trc` (trace) files. Examples: `directory_path\.sqlaudit` `directory_path`\`prefix`.sqlaudit `directory_path\prefix.trc` For `prefix`, you can use any prefix for the `.trc` or `.sqlaudit` files. `#C2_DYNAMIC` and `#TRACE_DYNAMIC` are only supported for SQL Server 2000, 2005, and 2008 versions. For EVENT LOG audit trail: `application` `security` (SQL Server 2008 and 2012 only)
Audit Trail Cleanup Support	Yes. See "SQL Server Audit Trail Cleanup" for instructions.
Cluster support	Yes
Secured Target Platform for Cluster	Windows 2012 R2 Version 2012 R2 for audit collection on Windows platform, starting Oracle Audit Vault and Database Firewall release 12.2.0.12.0
Cluster Collection Attribute	Attribute Name: `av.collector.clusterEnabled` Attribute Value: `1`

Note:

Oracle Audit Vault and Database Firewall does not support audit collection and Database Firewall monitoring of Microsoft SQL Server cluster.

B.2.4 Sybase ASE

Table B-4 lists the features of the Sybase ASE plug-in.

Table B-4 Sybase ASE Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME/av/plugins/com.oracle.av.plugin.sybase`
Target Versions	15.7 16.0 is supported in release `12.2.0.11.0` and later.
Secured Target Platforms	All platforms
Setup Script(s)	Yes. See "Sybase ASE Setup Scripts" for instructions.
Secured Target Location (Connect String)	`jdbc:av:sybase://hostname:port`
Collection Attribute(s)	None
AVDF Audit Trail Types	`TABLE` `NETWORK` See Table B-17 for descriptions of audit trail types.
Audit Trail Location	`SYSAUDITS`
Audit Trail Cleanup Support	No
Cluster support	No

Sybase Password Encryption

In case you are using password encryption on SAP Sybase database, incorporate the following changes on Oracle Audit Vault and Database Firewall:

Use the following connection string in Audit Vault Server console while setting up the audit trail for SAP Sybase database:

jdbc:sybase:Tds:<host>:<port>/sybsecurity?ENCRYPT_PASSWORD=TRUE&JCE_PROVIDER_CLASS=com.sun.crypto.provider.SunJCE
Copy the jconn4.jar file from /opt/sybase/jConnect-16_0/classes in Sybase server to Agent_Home/av/jlib.

Note:

If you are using Sybase 15.7, then fetch the jconn4.jar file from the latest Sybase server version 16.0.
Restart the Audit Vault Agent.
Start the collection.

B.2.5 Sybase SQL Anywhere

Table B-5 lists the features of the Sybase SQL Anywhere plug-in.

Table B-5 Sybase SQL Anywhere Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME/av/plugins/com.oracle.av.plugin.sqlanywhere`
Secured Target Versions	10.0.1
Secured Target Platforms	All platforms
Setup Script(s)	Yes. See "Sybase SQL Anywhere Setup Scripts" for instructions.
Secured Target Location (Connect String)	`jdbc:av:sybase://hostname:port`
Collection Attributes	None
AVDF Audit Trail Types	`NETWORK` (used for host monitoring only) See Table B-17 for descriptions of audit trail types.
Audit Trail Lo cation	Not required
Audit Trail Cleanup Support	No

B.2.6 IBM DB2

Table B-6 lists the features of the IBM DB2 plug-in.

Table B-6 IBM DB2 Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME/av/plugins/com.oracle.av.plugin.db2`
Secured Target Versions	9.1 - 11.1
Secured Target Platforms	Linux (x86-64): OL 5.x, 6.x, 7.x and RHEL 5.x, 6.x, 7.x Microsoft Windows (x86-64): 8 Microsoft Windows Server (x86-64): 2008, 2008R2, 2012, 2012R2, 2016 IBM AIX on Power Systems (64-bit): 7.1 is supported from release 12.2.0.12.0 and onwards
Setup Script(s)	Yes. See "IBM DB2 for LUW Setup Scripts" for instructions.
Secured Target Location (Connect String)	`jdbc:av:db2://hostname`:`port/dbname` Note: Connect string is not required from release 12.2.0.11.0 and onwards. Connect string is not required for IBM DB2 cluster.
Collection Attribute(s)	`av.collector.databasename` (case sensitive) - (Required) Specifies the IBM DB2 for LUW database name.
AVDF Audit Trail Types	`DIRECTORY` `NETWORK` See Table B-17 for descriptions of audit trail types.
Audit Trail Loca tion	Path to a directory, for example: `d:\temp\trace`
Audit Trail Cleanup Support	No
Cluster Support	Yes HADR (High Availability and Disaster Recovery)
Secured Target Platform for Cluster	HADR on OL 7.x

B.2.7 MySQL

Table B-7 lists the features of the MySQL plug-in.

Table B-7 MySQL Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME/av/plugins/com.oracle.av.plugin.mysql`
Secured Target Versions	For Database Firewall: Enterprise Edition 5.0, 5.1, 5.5, 5.6. For audit data collection the following Enterprise Edition versions are supported: 5.5.29 to 5.5.59 5.6.10 to 5.6.39 5.7.0 to 5.7.21 (supported in release 12.2.0.7.0 and later) 8.0 (supported in release 12.2.0.11.0 and later)
Secured Target Platforms	Linux (x86-64): OL 5.x, 6.x, 7.x and RHEL 5.x, 6.x, 7.x Microsoft Windows (x86-64): 8 Microsoft Windows Server (x86-64): 2008, 2008R2, 2012, 2012R2, 2016
Setup Script(s)	Yes. See "MySQL Setup Scripts".
Secured Target Location (Connect String)	`jdbc:av:mysql://hostname:port/mysql` Note: Connect string is not required from release 12.2.0.11.0 and onwards.
Collection Attributes	`av.collector.securedTargetVersion` - (Required) Specifies the MySQL version. Default is 8.0. `av.collector.AtcTimeInterval` - (Optional) Specifies the audit trail cleanup file update time interval in minutes. Default is 20. Note: Collection Attribute `av.collector.securedTargetVersion` is not required from release 12.2.0.11.0 and onwards.
AVDF Audit Trail Types	`DIRECTORY` `NETWORK` See Table B-17 for descriptions of audit trail types.
Audit Trail Cleanup Support	Yes.

Audit Trail Location

The path to the directory where the converted files are created.

The default audit format for MySQL 5.5 and 5.6 is old. The default audit format for MySQL 5.7 is new. The audit format can be changed by modifying the configuration on MySQL Server.

The Audit Trail Location is as follows:

For old audit format, the path to the directory is where the converted XML files are created when you run the MySQL XML transformation utility.
For new audit format, the path to the directory is where the audit.log files are generated by MySQL Server.

Table B-8 Old Audit Format

Audit Trail Location Value

Audit Trail Location	Value
Input path format before MySQL 5.7.21	`<Path of the converted XML location.>` For example: `\ConvertedXML`
Input path format of MySQL 5.7.21 onwards	`<Path of the converted XML location.>` For example: `\ConvertedXML`

Input path format before MySQL 5.7.21

<Path of the converted XML location.>

For example: \ConvertedXML

Input path format of MySQL 5.7.21 onwards

<Path of the converted XML location.>

For example: \ConvertedXML

Table B-9 New Audit Format

Audit Trail Location Value

Audit Trail Location	Value
Input path format before MySQL 5.7.21	`<Path of the audit.log location.>` For example: `\MySQLLog`
Input path format for MySQL 5.7.21 onwards	`<Path of the audit log file>/<log file name>..log` Where `` is the time stamp in `YYYYMMDDThhmmss` format. For example: `MySQLLog/audit*.log`

Input path format before MySQL 5.7.21

<Path of the audit.log location.>

For example: \MySQLLog

Input path format for MySQL 5.7.21 onwards

<Path of the audit log file>/<log file name>.*.log

Where * is the time stamp in YYYYMMDDThhmmss format.

For example: MySQLLog/audit*.log

Note:

In the old format audit data is collected from converted XML files. In the new format audit data is collected from both active log and rotated logs.

Best Practice:

Enable automatic size-based audit log file rotation, by setting audit_log_rotate_on_size property. See Audit Log File Space Management and Name Rotation in MySQL Reference Manual for further details.

See Also:

B.2.8 Oracle Solaris

Table B-10 lists the features of the Oracle Solaris plug-in.

Table B-10 Oracle Solaris Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME/av/plugins/com.oracle.av.plugin.solaris`
Secured Target Versions	Version 10, Version 11, on SPARC64 and x86-64 platforms
Secured Target Platforms	Solaris/x86-64 Solaris/SPARC64
Setup Script(s)	No
Secured Target Location (Connect String)	`hostname` (fully qualified machine name or IP address)
Collection Attribute(s)	None
AVDF Audit Trail Types	`DIRECTORY` See Table B-17 for descriptions of audit trail types.
Audit Trail Location	`hostname:path_to_trail` The `hostname` matches the hostname in the audit log names, which look like this: `timestamp1.timestamp2.hostname`
Audit Trail Cleanup Support	No

B.2.9 Linux

Table B-11 lists the features of the Linux plug-in that collects audit data from Oracle Linux (OL) and Red Hat Enterprise Linux (RHEL).

Table B-11 Linux Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME/av/plugins/com.oracle.av.plugin.linux`
Secured Target Versions	Oracle Linux (OL) OL 5.8 (with `auditd` package 1.8) OL 6.0 (with `auditd` package 2.0) OL 6.1 - 6.5 (with `auditd` package 2.2.2) OL 6.6 - 6.7 (with `auditd` package 2.3.7) OL 6.8 - 6.10 (with `auditd` package 2.4.5) OL 7.0 (with `auditd` package 2.3.3) OL 7.1 - 7.2 (with `auditd` package 2.4.1) OL 7.3 (with `auditd` package 2.6.5) OL 7.4 - 7.5 (with `auditd` package 2.7.6) Red Hat Enterprise Linux (RHEL) RHEL 6.7 (with `auditd` 2.3.7) RHEL 6.8 (with `auditd` 2.4.5) RHEL 6.9 (with `auditd` 2.4.5) RHEL 6.10 (with `auditd` 2.4.5) RHEL 7.0 (with `auditd` 2.3.3) RHEL 7.1 (with `auditd` 2.4.1) RHEL 7.2 (with `auditd` 2.4.1) RHEL 7.3 (with `auditd` 2.6.5) RHEL 7.4 (with `auditd` 2.7.6) RHEL 7.5 (with `auditd` 2.7.6) Run `rpm -q audit` to get the audit package version.
Secured Target Platforms	Linux/x86-64
Setup Script(s)	No. However, the following user/group access rights are needed to start a Linux audit trail: If the agent process is started with `root` user, no changes to access rights are needed. If the agent process is started with a user other than `root`: Assign the group name of the Agent user (the one who will start the Agent process) to the `log_group` parameter in the `/etc/audit/auditd.conf` file. The Agent user and group must have read and execute permissions on the folder that contains the `audit.log` file (default folder is `/var/log/audit`). Restart the Linux audit service after you make the above changes.
Secured Target Location (Connect String)	`hostname` (fully qualified machine name or IP address)
Collection Attribute(s)	None
AVDF Audit Trail Types	`DIRECTORY` See Table B-17 for descriptions of audit trail types.
Audit Trail Location	Default location of `audit.log` (`/var/log/audit/audit*.log`) or any custom location configured in the `/etc/audit/auditd.conf` file
Audit Trail Cleanup Support	No

B.2.10 IBM AIX

Table B-12 lists the features of the IBM AIX plug-in.

Table B-12 IBM AIX Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME/av/plugins/com.oracle.av.plugin.aixos`
Secured Target Versions	AIX 6.1 - 7.2
Secured Target Platforms	Power Systems (64-bit)
Setup Script(s)	No. However, the following user/group access rights are needed to start an AIX audit trail: If the Agent process is started with `root` user, no changes to access rights are needed. If the Agent process is started with a user other than `root`, run the following commands in the AIX system as `root` to authorize another user: Create a new role and and grant it `aix.security.audit` authorization: `mkrole authorizations= (aix.security.audit) (role_name)` Alter the Agent user to assign the newly created role: `chuser roles=role_name agent_user_name` Update the kernel table with the newly created role by running the command: `setkst` Add the Agent user to the same group as that of the AIX audit files. Ensure you have set read permission on the `/audit` directory where the audit trail files are located. To start the Agent with the Agent user, log in to the AIX terminal with `agent_user_name` and switch to the role created in this procedure: `swrole` `role_name`
Secured Target Location (Connect String)	`hostname` (fully qualified machine name or IP address)
Collection Attribute(s)	None
AVDF Audit Trail Types	DIRECTORY See Table B-17 for descriptions of audit trail types.
Audit Trail Location	Default location of trail (`/audit/trail`) or any custom location configured in the `/etc/security/audit/config` file
Audit Trail Cleanup Support	Yes. The AIX plug-in will create a `.atc` file at: `AGENT_HOME/av/atc/SecuredTargetName_TrailId.atc` The `.atc` file contains the following information: `trail_location end_time_of_audit_event_collection`

B.2.11 Microsoft Windows

Table B-13 lists the features of the Microsoft Windows plug-in.

Table B-13 Microsoft Windows Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME\av\plugins\com.oracle.av.plugin.winos`
Secured Target Versions	Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, and 2016
Secured Target Platforms	Windows/x86-64
Setup Script(s)	No
Secured Target Location (Connect String)	`hostname` (fully qualified machine name or IP address)
Collection Attribute(s)	None
AVDF Audit Trail Types	`EVENT LOG` See Table B-17 for descriptions of audit trail types.
Audit Trail Location	`security` (case-sensitive)
Audit Trail Cleanup Support	No

B.2.12 Microsoft Active Directory

Table B-14 lists the features of the Microsoft Active Directory plug-in.

Table B-14 Microsoft Active Directory Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME\av\plugins\com.oracle.av.plugin.msad`
Secured Target Versions	2008, 2008 R2, 2012, and 2016 on 64 bit
Secured Target Platforms	Windows/x86-64
Setup Script(s)	No
Secured Target Location (Connect String)	`hostname` (fully qualified machine name or IP address)
Collection Attribute(s)	None
AVDF Audit Trail Types	`EVENT LOG` See Table B-17 for descriptions of audit trail types.
Audit Trail Location	`directory service` or `security` (case-sensitive)
Audit Trail Cleanup Support	No

B.2.13 Oracle ACFS

Table B-15 lists the features of the Oracle ACFS plug-in.

Table B-15 Oracle ACFS Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME/av/plugins/com.oracle.av.plugin.acfs`
Secured Target Versions	12c Release 1 (12.1)
Secured Target Platforms	Linux/x86-64 Solaris/x86-64 Solaris/SPARC64 Windows 2008, 2008 R2 64-bit
Setup Script(s)	No
Secured Target Location (Connect String)	`hostname` (fully qualified machine name or IP address)
Collection Attribute(s)	`av.collector.securedtargetversion` - (Required) Specify the Oracle ACFS version.
AVDF Audit Trail Types	`DIRECTORY` See Table B-17 for descriptions of audit trail types.
Audit Trail Location	The path to the directory containing XML audit files. For example, for a file system mounted at `$MOUNT_POINT`, the audit trail location is: `$MOUNT_POINT/.Security/audit/`
Audit Trail Cleanup Support	No

B.2.14 Oracle Big Data Appliance

Table B-16 lists the features of the Oracle Big Data Appliance.

Table B-16 Big Data Appliance Plug-in

Plug-in Specification	Description
Plug-in directory	`AGENT_HOME/av/plugins/com.oracle.av.plugin.bda`
Secured Target Versions	2.3, 4.3
Secured Target Platforms	Linux x86-64
Setup Script(s)	No
Secured Target Location (Connect String)	`hostname` (fully qualified machine name or IP address)
Collection Attribute(s)	`av.collector.securedtargetversion` - (Required) Specify the Oracle Big Data Appliance version.
AVDF Audit Trail Types	`DIRECTORY` See Table B-17 for descriptions of audit trail types.
Audit Trail Location	`/var/log/hadoop-hdfs/hdfs-audit.log`
Audit Trail Cleanup Support	No

B.2.15 Summary of Data Collected for Each Audit Trail Type

When you configure an audit trail for a secured target, you select the type of audit trail in the Audit Trail Type field. The audit trail type depends on your secured target type. Table B-17 describes the types of audit trails that can be configured for each secured target type.

Refer to the product documentation for your secured target type for details on its auditing features and functionality. Refer to the following documentation for Oracle products:

Oracle Database 12c Release 1 (12.1): Oracle Database Security Guide
Oracle Database 11g Release 2 (11.2): Oracle Database Security Guide
Oracle Solaris 11.1
Oracle Solaris 10.6
Oracle ACFS 12c Release 1 (12.1): Oracle Automatic Storage Management Administrator's Guide

Table B-17 Summary of Audit Trail Types Supported for Each Secured Target Type

Secured Target Type	Trail Type	Description
Oracle Database	TABLE Releases 10.2.x, 11.x, and 12.x	Collects from the following audit trails: Oracle Database audit trail, where standard audit events are written to the `SYS.AUD$` dictionary table Oracle Database fine-grained audit trail, where audit events are written to the `SYS.FGA_LOG$` dictionary table Oracle Database Vault audit trail, where audit events are written to the `DVSYS.AUDIT_TRAIL$` dictionary table Oracle database 12.x Unified Audit trail, where audit events are written to the `UNIFIED_AUDIT_TRAIL` data dictionary view Note: The SYS.AUD$ and SYS.FGA_LOG$ tables have an additional column RLS$INFO. The Unified Audit trail table has RLS_INFO column. This column describes row level security policies configured. This is mapped to the extension field in Audit Vault and Database Firewall. In order to populate this column, the user needs to set the `AUDIT_TRAIL` parameter of the secured target to `DB EXTENDED`.
Oracle Database	DIRECTORY Releases 10.2.x, 11.x, and 12.x	Collects data from the following audit trails: On Linux and UNIX platforms: The Oracle database audit files written to the operating system (`.aud` and`.xml`) files On Windows platforms: The operating system Windows Event Log and operating system logs (audit logs) XML (`.xml`) files
Oracle Database	TRANSACTION LOG 11.2 for REDO connection	Collects audit data from logical change records (LCRs) from the REDO logs. If you plan to use this audit trail type, you can define the data to audit by creating capture rules for the tables from which the Transaction Log trail type will capture audit information. See Also: Oracle Audit Vault and Database Firewall Auditor's Guide for more information. Note: For Oracle Database 12c, the Transaction Log audit trail is only supported when not using a PDB/CDB. Transaction Log audit trail is not supported for Oracle Database versions 18c and 19c.
Oracle Database	SYSLOG	Collects Oracle audit records from either `syslog` or `rsyslog` audit files on Linux and Unix platforms only. If the system has both `syslog` and `rsyslog` installed, the exact `rsyslog` audit file location must be specified in order to collect data from `rsyslog` files. The following `rsyslog` formats are supported: `RSYSLOG_TraditionalFileFormat` (has low-precision time stamps) `RSYSLOG_FileFormat` (has high-precision time stamps and time zone information) Events from both formats appear the same on reports, however with `RSYSLOG_FileFormat`, the `AVSYS.EVENT_LOG` table shows `EVENT_TIME` with microsecond precision. See Also: Oracle Audit Vault and Database Firewall Auditor's Guide for details on this table, and Audit Vault Server schema documentation.
Oracle Database	EVENT LOG	Collects Oracle audit records from Microsoft Windows Event Log on Windows platforms only
Oracle Database	NETWORK	Collects network traffic (all database operations using a TCP connection). Used for host monitor.
Microsoft SQL Server	DIRECTORY	Collects audit data from C2 audit logs, server-side trace logs, and `sqlaudit` log files
Microsoft SQL Server	EVENT LOG	Collects audit data from Windows Application Event Logs. For Microsoft SQL Server 2008 and 2012, collection from the Security Event Log is also supported.
Microsoft SQL Server	NETWORK	Collects network traffic (all database operations using a TCP connection). Used for host monitor.
Sybase ASE	TABLE	Collects audit data from system audit tables (`sysaudits_01` through `sysaudits_08`) in the `sybsecurity` database
Sybase ASE	NETWORK	Collects network traffic (all database operations using a TCP connection). Used for host monitor.
Sybase SQL Anywhere	NETWORK	(For host monitoring only) Collects network traffic (all database operations using a TCP connection).
IBM DB2 for LUW	DIRECTORY	Collects audit data from ASCII text files extracted from the binary audit log (`db2audit.log`). These files are located in the `security` subdirectory of the DB2 database instance.
IBM DB2 for LUW	NETWORK	Collects network traffic (all database operations using a TCP connection). Used for host monitor.
MySQL	DIRECTORY	Collects XML-based audit data from a specified location
MySQL	NETWORK	Collects network traffic (all database operations using a TCP connection). Used for host monitor.
Oracle Solaris	DIRECTORY	Collects Solaris Audit records (version 2) generated by the `audit_binfile` plug-in of Solaris Audit
Linux	DIRECTORY	Collects audit data from `audit.log`
Windows OS	EVENT LOG	Collects audit data from Windows Security Event Log
Microsoft Active Directory	EVENT LOG	Collects audit data from Windows Directory Service, and Security Event Logs
Oracle ACFS	DIRECTORY	Collects audit data from ACFS encryption and ACFS security sources.
Oracle Linux	DIRECTORY	Collects audit data from `audit.log`
Oracle Big Data Appliance	DIRECTORY	Collects audit data from `hdfs-audit.log`

B.3 Scripts for Oracle AVDF Account Privileges on Secured Targets

Topics

B.3.1 About Scripts for Setting up Oracle Audit Vault and Database Firewall Account Privileges

You must set up a user account with appropriate privileges on each secured target for Oracle Audit Vault and Database Firewall to use in performing functions related to monitoring and collecting audit data. Oracle Audit Vault and Database Firewall provides setup scripts for database secured targets. Depending on the type of secured target, the scripts set up user privileges that allow Oracle Audit Vault and Database Firewall to do the following functions:

Audit data collection
Audit policy management
Stored procedure auditing
User entitlement auditing
Database interrogation
Audit trail cleanup (for some secured targets)

When you deploy the Audit Vault Agent on a host computer (usually the same computer as the secured target), the setup scripts for creating the user permissions for Oracle Audit Vault and Database Firewall are located in the following directory (Linux example below):

$AGENT_HOME/av/plugins/com.oracle.av.plugin.secured_target_type/config/

B.3.2 Oracle Database Setup Scripts

The Oracle Audit Vault and Database Firewall setup scripts for an Oracle Database secured target, oracle_user_setup.sql and oracle_drop_db_permissions.sql, are located in the following directory (Linux example below):

$AGENT_HOME/av/plugins/com.oracle.av.plugin.oracle/config/

These scripts are used to set up or revoke user privileges on the Oracle Database in order for Oracle Audit Vault and Database Firewall to do the following functions:

Audit data collection
Audit policy management
Stored procedure auditing (SPA)
User entitlement auditing

To set up or revoke Oracle Audit Vault and Database Firewall user privileges on an Oracle Database secured target:

Create a user account for Oracle Audit Vault and Database Firewall on the Oracle Database. For example:

SQL> CREATE USER username IDENTIFIED BY password

You will use this username and password when registering this Oracle Database as a secured target in the Audit Vault Server.
Connect as user SYS with the SYSDBA privilege. For example:

SQL> CONNECT SYS / AS SYSDBA
To set up Oracle Audit Vault and Database Firewall user privileges, run the setup script as follows:

SQL> @oracle_user_setup.sql username mode
- username: Enter the name of the user you created in Step 1.
- mode: Enter one of the following:
  - SETUP: To set up privileges for managing the Oracle Database audit policy from Oracle Audit Vault and Database Firewall, and for collecting data from any audit trail type except the REDO logs. For example, use this mode for a TABLE audit trail in Oracle Audit Vault and Database Firewall.
  - REDO_COLL: To set up privileges for collecting audit data from the REDO logs. Use this mode only for a TRANSACTION LOG audit trail in Oracle Audit Vault and Database Firewall.
  - SPA: To enable stored procedure auditing for this database
  - ENTITLEMENT: To enable user entitlement auditing for this database
Note:

When setting up audit collection for a CDB, create a separate local user in the CDB and each PDB instance. Execute the oracle_user_setup.sql script for each user. For each PDB instance first alter the session to switch to the PDB before running the script.
If Database Vault is installed and enabled on the Oracle database, log in as a user who has been granted the DV_OWNER role do the following:
1. Grant the Oracle Audit Vault and Database Firewall user the DV_SECANALYST role on this Oracle Database. For example:
```
SQL> GRANT DV_SECANALYST TO username;
```
  For username, enter the user name you created in Step 1.
  
  The DV_SECANALYST role enables Oracle Audit Vault and Database Firewall to monitor and collect audit trail data for Oracle Database Vault, and run Oracle Database Vault reports.
2. For REDO_COLL mode (TRANSACTION LOG audit trail) only, execute one of these procedures depending on your Oracle Database version:
  
  For Oracle Database 12c:
```
SQL> GRANT DV_STREAMS_ADMIN TO username;
```
  For username, enter the user name you created in Step 1.
  
  For all other supported Oracle Database versions:
```
SQL> EXEC DBMS_MACADM.ADD_AUTH_TO_REALM('Oracle Data Dictionary', 'username', null, dbms_macutl.g_realm_auth_participant);
SQL> COMMIT;
```
  For username, enter the user name you created in Step 1.
To revoke Oracle Audit Vault and Database Firewall user privileges, connect to this database as user SYS with the SYSDBA privilege, and run the following script:

SQL> @oracle_drop_db_permissions.sql username mode
- username - Enter the name of the user you created in Step 1.
- mode - Enter one of the following:
  - SETUP: To revoke privileges for managing the Oracle Database audit policy from Oracle Audit Vault and Database Firewall, and for collecting data from any audit trail type except the REDO logs.
  - REDO_COLL: To revoke privileges for collecting audit data from the REDO logs.
  - SPA: To disable stored procedure auditing for this database
  - ENTITLEMENT: To disable user entitlement auditing for this database

B.3.3 Sybase ASE Setup Scripts

Topics

B.3.3.1 About the Sybase ASE Setup Scripts

The following scripts are provided for configuring necessary user privileges for Oracle Audit Vault and Database Firewall in a Sybase ASE secured target:

sybase_auditcoll_user_setup.sql
sybase_auditcoll_drop_db_permissions.sql
sybase_spa_user_setup.sql
sybase_spa_drop_db_permissions.sql

The scripts are located in the following directory (Linux example below):

$AGENT_HOME/av/plugins/com.oracle.av.plugin.sybase/config/

These scripts allow Oracle Audit Vault and Database Firewall to perform the following functions for Sybase ASE:

Audit data collection
Stored procedure auditing (SPA)

B.3.3.2 Setting Up Audit Data Collection Privileges for a Sybase ASE Secured Target

To set up or revoke a udit data collection privileges on a Sybase ASE secured target:

Create a user account for Oracle Audit Vault and Database Firewall in Sybase ASE with the user name avdf_sybuser. For example:

sp_addlogin avdf_sybuser, password

You will use the user name av_sybuser and password when registering this Sybase ASE database as a secured target in the Audit Vault Server.
Run the setup sybase_auditcoll_user_setup.sql script as follows:
```
isql -S server_name -U sa -i sybase_auditcoll_user_setup.sql
```
- server_name: Only use this argument if the database is remote. Enter the name of the remote server or its IP address. If you are running the script locally, then omit the -S server_name argument.
- sa: Enter the system administrator user name.
When prompted for a password, enter the system administrator password.
To revoke the Oracle Audit Vault and Database Firewall user privileges, run the sybase_auditcoll_drop_db_permissions.sql script as follows:
```
isql -S server_name -U sa -i sybase_auditcoll_drop_db_permissions.sql
```
- server_name: Only use this argument if the database is remote. Enter the name of the remote server or its IP address. If you are running the script locally, then omit the -S server_name argument.
- sa: Enter the system administrator user name.
- When prompted for a password, enter the system administrator password.

B.3.3.3 Setting Up Stored Procedure Auditing Privileges for a Sybase ASE Secured Target

To set up or revoke stored procedure auditing privileges on a Sybase ASE secured target:

If you have not already done so, create a user account for Oracle AVDF in Sybase ASE with the user name avdf_sybuser. For example:

sp_addlogin avdf_sybuser, password

You will use the user name av_sybuser and password when registering this Sybase ASE database as a secured target in the Audit Vault Server.
Run the sybase_spa_user_setup.sql script as follows:
```
isql -S server_name -U sa -i sybase_spa_user_setup.sql
```
- server_name: Only use this argument if the database is remote. Enter the name of the remote server or its IP address. If you are running the script locally, then omit the -S server_name argument.
- sa: Enter the system administrator user name.
When prompted for a password, enter the system administrator password.
To revoke the SPA user privileges, run the sybase_spa_drop_db_permissions.sql script as follows:
```
isql -S server_name -U sa -i sybase_spa_drop_db_permissions.sql
```
- server_name: Only use this argument if the database is remote. Enter the name of the remote server or its IP address. If you are running the script locally, then omit the -S server_name argument.
- sa: Enter the system administrator user name.
- When prompted for a password, enter the system administrator password.

B.3.4 Sybase SQL Anywhere Setup Scripts

The Oracle AVDF setup scripts for a Sybase SQL Anywhere secured target, sqlanywhere_spa_user_setup.sql and sqlanywhere_spa_drop_db_permissions.sql, are located in the following directory (Linux example below):

$AGENT_HOME/av/plugins/com.oracle.av.plugin.sqlanywhere/config/

These scripts are used to set up or revoke user privileges on the SQL Anywhere database for Oracle AVDF to do stored procedure auditing (SPA).

To set up or revoke stored procedure auditing for a SQL Anywhere secured target:

Log in to the database as a user who has privileges to create users and set user permissions.
Run the sqlanywhere_spa_user_setup.sql script as follows:
```
isql -S server_name -U sa -i sqlanywhere_spa_user_setup.sql -v username="username" password="password"
```
- server_name: Only use this argument if the database is remote. Enter the name of the remote server or its IP address. If you are running the script locally, then omit the -S server_name argument.
- sa: Enter the system administrator user name.
- username: Enter the name of the user you want to create for Oracle AVDF to use for SPA. Enclose this user name in double quotation marks.
- password: Enter a password for the Oracle AVDF SPA user you are creating. Enclose the password in double quotation marks.
After running the script, the user is created with privileges for SPA.
When prompted for a password, enter the system administrator password.
To revoke these privileges and remove this user from the database, run the sqlanywhere_spa_drop_db_permissions.sql as follows:
```
isql -S server_name -U sa -i sqlanywhere_spa_drop_db_permissions.sql -v username="username"
```
- server_name: Only use this argument if the database is remote. Enter the name of the remote server or its IP address. If you are running the script locally, then omit the -S server_name argument.
- sa: Enter the system administrator user name.
- username: Enter the name of the user you want to create for Oracle AVDF to use for SPA. Enclose this user name in double quotation marks.
- When prompted for a password, enter the system administrator password.

B.3.5 Microsoft SQL Server Setup Scripts

Topics

B.3.5.1 About the SQL Server Setup Script

The Oracle AVDF setup scripts for a Microsoft SQL Server secured target, mssql_user_setup.sql and mssql_drop_db_permissions.sql, are located in the following directory:

AGENT_HOME\av\plugins\com.oracle.av.plugin.mssql\config\

The scripts set up or revoke user privileges for Oracle AVDF to perform the following functions for SQL Server:

Audit data collection
Stored procedure auditing (SPA)

B.3.5.2 Setting Up Audit Data Collection Privileges for a SQL Server Secured Target

To set up or revoke Oracle AVDF user privileges for audit data collection:

Create a user account for Oracle Audit Vault and Database Firewall in SQL Server or use Windows authenticated user. For example:
In SQL Server 2000:
```
exec sp_addlogin 'username', 'password'
```
In SQL Server 2005, 2008, 2012, 2014, 2016:
```
exec sp_executesql N'create login username with password = ''password'', 
check_policy= off'

exec sp_executesql N'create user username for login username'
```
You will use this user name and password when registering this SQL Server database as a secured target in the Audit Vault Server.
Run the mssql_user_setup.sql script as follows:
For SQL Server authentication:
```
sqlcmd -S server_name -U sa -i mssql_user_setup.sql -v username="username" mode="AUDIT_COLL" all_databases="NA" database="NA"
```
For Windows Authentication:

sqlcmd -S localhost -U sa -i mssql_user_setup.sql -v username="[<domain name>\<user name>]" mode="AUDIT_COLL" all_databases="NA" database="NA"
- server_name: Only use this argument if the database is remote. Enter the name of the remote server or its IP address. If you are running the script locally, then omit the -S server_name argument.
- sa: Enter the system administrator user name.
- username: Enter the name of the user you created in Step 1.
When prompted for a password, enter the system administrator password.
To revoke audit data collection privileges run the mssql_drop_db_permissions.sql script as follows:
For SQL Server Authentication:
```
sqlcmd -S server_name -U sa -i mssql_drop_db_permissions.sql -v username="username" mode="AUDIT_COLL" all_databases="NA" database="NA"
```
For Windows Authentication:
1. sqlcmd -S server_name -U sa -i mssql_drop_db_permissions.sql -v username="[<domain name>\<user name>]" mode="AUDIT_COLL" all_databases="NA" database="NA"
  - server_name: Only use this argument if the database is remote. Enter the name of the remote server or its IP address. If you are running the script locally, then omit the -S server_name argument.
  - sa: Enter the system administrator user name.
  - username: Enter the name of the user you created in Step 1.
2. When prompted for a password, enter the system administrator password.

B.3.5.3 Setting Up Stored Procedure Auditing Privileges for a SQL Server Secured Target

To set up or revoke Oracle AVDF user privileges for stored procedure auditing:

If you have not already done so, create a user account for Oracle AVDF in SQL Server. For example:
In SQL Server 2000:
```
exec sp_addlogin 'username', 'password'
```
In SQL Server 2005 and 2008:
```
exec sp_executesql N'create login username with password = ''password'', 
check_policy= off'

exec sp_executesql N'create user username for login username'
```
You will use this user name and password when registering this SQL Server database as a secured target in the Audit Vault Server.
Run the mssql_user_setup.sql script as follows:
```
sqlcmd -S server_name -U sa -i mssql_user_setup.sql -v username="username" mode="SPA" all_databases="Y/N" 
database="NA/database_name"
```
- server_name: Only use this argument if the database is remote. Enter the name of the remote server or its IP address. If you are running the script locally, then omit the -S server_name argument.
- sa: Enter the system administrator user name.
- username: Enter the name of the user you created in Step 1.
- Y/N: Enter Y if all databases should be audited for stored procedures. Enter N to specify one database name in the database parameter.
- NA/database_name: If you entered Y for all_databases, enter NA. If you entered N for all_databases, enter the database name that should be audited for stored procedures.
When prompted for a password, enter the system administrator password.
To revoke SPA privileges run the mssql_drop_db_permissions.sql script as follows:
```
sqlcmd -S server_name -U sa -i mssql_drop_db_permissions.sql -v username="username" mode="SPA" all_databases="Y/N" 
database="NA/database_name"
```
- server_name: Only use this argument if the database is remote. Enter the name of the remote server or its IP address. If you are running the script locally, then omit the -S server_name argument.
- sa: Enter the system administrator user name.
- sa_password: Enter the system administrator password.
- Y/N: Enter Y if SPA privileges for all databases should be revoked. Enter N to specify one database name in the database parameter.
- NA/database_name: If you entered Y for all_databases, enter NA. If you entered N for all_databases, enter the database name for which SPA privileges should be revoked.
- When prompted for a password, enter the name of the user you created in Step 1.

B.3.6 IBM DB2 for LUW Setup Scripts

Topics

B.3.6.1 About the IBM DB2 for LUW Setup Scripts

The Oracle Audit Vault and Database Firewall setup scripts for a DB2 secured target, db2_auditcoll_user_setup.sql and db2_spa_user_setup.sql, are located in the following directory (Linux example below):

$AGENT_HOME/av/plugins/com.oracle.av.plugin.db2/config/

Note:

Connect string is not required from release 12.2.0.11.0 and onwards.

These scripts are used to set up or revoke user privileges on the DB2 database for Oracle AVDF to do the following functions:

Audit data collection
Stored procedure auditing (SPA)

B.3.6.2 Setting Up Audit Data Collection Privileges for IBM DB2 for LUW

To set up or r evoke Oracle AVDF user privileges for audit data collection:

Create a new user account in DB2 to be used by Oracle AVDF for audit data collection.

You will use this user name and password when registering this DB2 database as a secured target in the Audit Vault Server.
In the $AGENT_HOME/av/plugins/com.oracle.av.plugin.db2/config/ directory, locate the db2_auditcoll_user_setup.sql script and open it for editing.
In the script, put the user name of the account from Step 1 in the grant statement, then save the modified script.
Execute the modified script as follows:

$> db2 -tvf db2_auditcoll_user_setup.sql
To revoke audit collection privileges:
1. Modify the db2_auditcoll_drop_db_permissions.sql script as in Step 3 above.
2. Run the script as follows:
  
  $> db2 -tvf db2_auditcoll_drop_db_permissions.sql

B.3.6.3 Setting Up SPA Privileges for an IBM DB2 for LUW Secured Target

To set up or revoke Oracle AVDF user privileges for stored procedure auditing:

Create a new user account in DB2 to be used by Oracle AVDF for stored procedure auditing.

You will use this user name and password when registering this DB2 database as a secured target in the Audit Vault Server.
In the $AGENT_HOME/av/plugins/com.oracle.av.plugin.db2/config/ directory, locate the db2_spa_user_setup.sql script and open it for editing.
In the script, put the user name of the account from Step 1 in the grant statement, then save the modified script.
Execute the modified script as follows:

$> db2 -tvf db2_spa_user_setup.sql
To revoke SPA privileges:
1. Modify the db2_spa_drop_db_permissions.sql script as in Step 3 above.
2. Run the script as follows:
  
  $> db2 -tvf db2_spa_drop_db_permissions.sql

B.3.7 MySQL Setup Scripts

The Oracle AVDF setup scri pts for a MySQL secured target, mysql_spa_user_setup.sql and mysql_spa_drop_db_permissions.sql, are located in the following directory (Linux example below):

$AGENT_HOME/av/plugins/com.oracle.av.plugin.mysql/config/

These scripts are used to set up or revoke user privileges on the MySql database for Oracle AVDF to do stored procedure auditing (SPA).

To set up or revoke stored procedure auditing for a MySql secured target:

Log in to MySQL as a user who can create users and set user privileges.
Create a user for stored procedure auditing. For example:

create user 'username'@'hostname' identified by 'password'

You will use this user name and password when registering this MySQL database as a secured target in the Audit Vault Server.
In the $AGENT_HOME/av/plugins/com.oracle.av.plugin.mysql/config/ directory, locate the mysql_spa_user_setup.sql script and open it for editing.
Modify the script to provide the same values for username, hostname, and password that you used in Step 1.
Execute the mysql_spa_user_setup.sql script.
To revoke SPA privileges:
1. Modify the mysql_spa_drop_db_permissions.sql script as in Step 4 above.
2. Execute the mysql_spa_drop_db_permissions.sql script.

B.4 Audit Collection Consideration

Considerations for audit collection on other target types.

B.4.1 Additional Information for Audit Collection from Oracle Active Data Guard

Learn about additional information required to collect audit data from Oracle Active Data Guard.

Oracle Active Data Guard is a high availability solution which consists of one primary database and multiple standby databases. This section contains some additional information for configuring different audit trails.

Traditional Auditing

Follow these steps for collecting audit data from databases in Oracle Active Data Guard with traditional auditing:

Set AUDIT_TRAIL parameter to DB, EXTENDED, on all target databases.
Create a target in Oracle AVDF with a single connection string that contains the connection details of all the databases. This ensures that Oracle AVDF trail can read from sys.aud$ table of the current primary database even when failover or switchover occurs.
For the above mentioned target configure Oracle Database table trail in Oracle AVDF, to read the records from sys.aud$.
Create one target in Oracle AVDF for every database in Oracle Active Data Guard, with a connection string that contains connection details of only the specific database.
Configure one directory trail in Oracle AVDF for every target, to collect data from *.aud log file for the specific target database in Oracle Active Data Guard.

Unified Auditing

Audit data can be collected from the primary database in Oracle Active Data Guard with unified auditing. Follow these steps:

Create a target in Oracle AVDF with single connection string that contains the connection details of all the databases. This ensures that Oracle AVDF trail can read from unified_audit_trail table of the primary database even when failover or switchover occurs.
Create Oracle Database table trail in Oracle AVDF to read the records from unified_audit_trail of the primary database.

Note:

Oracle AVDF supports audit collection from the traditional audit trail in both the primary and standby databases of Oracle Active Data Guard. When unified audit is enabled, audit collection is supported only from the unified audit trail of the primary database, and not from the standby database.

B.5 Audit Trail Cleanup

Some Oracle AVDF plug-ins support audit trail cleanup. This section describes the available audit trail cleanup (ATC) utilities:

B.5.1 Oracle Database Audit Trail Cleanup

Topics

B.5.1.1 About Purging the Oracle Database Secured Target Audit Trail

You can use the DBMS_AUDIT_MGMT PL/SQL package to purge the database audit trail.

The DBMS_AUDIT_MGMT package lets you perform audit trail cleanup tasks such as scheduling purge jobs, moving the audit trail to a different tablespace, setting archive timestamps in the audit trail, and so on. You must have the EXECUTE privilege for DBMS_AUDIT_MGMT before you can use it.

Oracle Database 11g Release 2 (11.2) or higher, includes the DBMS_AUDIT_MGMT package and its associated data dictionary views installed by default. If your secured target database does not have this package installed, then you can download the package and data dictionary views from My Oracle Support.

Search for Article ID 731908.1.

For details about using the DBMS_AUDIT_MGMT PL/SQL package and views, refer to the following Oracle Database 11g Release 2 (11.2) documentation:

The section "Purging Audit Trail Records" in Oracle Database Security Guide for conceptual and procedural information
Oracle Database PL/SQL Packages and Types Reference for reference information about the DBMS_AUDIT_MGMT PL/SQL package
Oracle Database Reference for information about the DBA_AUDIT_MGMT_* data dictionary views

B.5.1.2 Scheduling an Automated Purge Job

Oracle Audit Vault and Database Firewall is integrated with the DBMS_AUDIT_MGMT package on an Oracle Database. This integration automates the purging of audit records from the UNIFIED_AUDIT_TRAIL, AUD$, and FGA_LOG$ tables, and from the operating system .aud and .xml files after they have been successfully inserted into the Audit Vault Server repository.

After the purge is completed, the Audit Vault Agent automatically sets a timestamp on audit data that has been collected. Therefore, you must set the USE_LAST_ARCH_TIMESTAMP property to TRUE to ensure that the right set of audit records are purged. You do not need to manually set a purge job interval.

To schedule an automated purge job for an Oracle Database secured target:

Log in to SQL*Plus on the secured target database as a user who has been granted the EXECUTE privilege for the DBMS_AUDIT_MGMT PL/SQL package.
For example:
```
sqlplus tjones
Enter password: password
```
Initialize the audit trail cleanup operation.
In the following example, the DEFAULT_CLEANUP_INTERVAL setting runs the job every two hours:
```
BEGIN
 DBMS_AUDIT_MGMT.INIT_CLEANUP(
  AUDIT_TRAIL_TYPE            => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
  DEFAULT_CLEANUP_INTERVAL    => 2 );
END;
/
```
Note:

In case you are collecting audit data from CDB, then execute this step every time there is any change in the PDB instance.

Verify that the audit trail is initialized for cleanup.

For example:

SET SERVEROUTPUT ON
BEGIN
 IF
   DBMS_AUDIT_MGMT.IS_CLEANUP_INITIALIZED(DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL)
 THEN
   DBMS_OUTPUT.PUT_LINE('Database and OS audit are initialized for cleanup');
 ELSE
   DBMS_OUTPUT.PUT_LINE('Database and OS audit are not initialized for cleanup.');
 END IF;
END;
/

Use the DBMS_AUDIT_MGMT.CREATE_PURGE_JOB procedure to create and schedule the purge job.
In this procedure, ensure that you set the USE_LAST_ARCH_TIMESTAMP property to TRUE, so all records older than the timestamp can be deleted.

The following procedure creates a purge job called CLEANUP_OS_DB_AUDIT_RECORDS that will run every two hours to purge the audit records.
```
BEGIN
  DBMS_AUDIT_MGMT.CREATE_PURGE_JOB (
   AUDIT_TRAIL_TYPE            => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
   AUDIT_TRAIL_PURGE_INTERVAL  => 2,
   AUDIT_TRAIL_PURGE_NAME      => 'CLEANUP_OS_DB_AUDIT_RECORDS',
   USE_LAST_ARCH_TIMESTAMP     => TRUE );
END;
/
```

B.5.2 SQL Server Audit Trail Cleanup

If the SQL Server audit trail has collected data from a trace or sqlaudit file and that file is inactive, then you can clean up this file. The SQL Server audit trail writes the names of the SQL Server audit text files to a plain text file with the .atc extension. The .atc file resides in the AGENT_HOME\av\atc directory on the computer on which the agent is installed.

To manually clean up files that Oracle AVDF has completed extracting audit records from:

Go to the AGENT_HOME\av\plugins\com.oracle.av.plugin.mssql\bin directory of the computer where the Audit Vault Agent is installed.

Ensure that the AGENT_HOME environment variable is correctly set to the directory path where the agent.jar file is extracted.
Run the following utility:
```
SQLServerCleanupHandler secured_target_name
```
For example:
```
SQLServerCleanupHandler mssqldb4
```
If you do not set the AGENT_HOME environment variable, you can provide the agent home location in the command line using the following syntax:
```
SQLServerCleanupHandler -securedtargetname secured_target_name agent_home_location
```
For example:
```
SQLServerCleanupHandler mssqldb4 c:\AV_agent_installation
```
Important: If the name of the Audit Vault Agent installation directory contains spaces, enclose the name in double quotes, for example "C:\Agent Directory".

To automate the cleanup of SQL Server trace files, you can use the Windows Scheduler.

Note:

If the SQL Server trace definition is redefined or reinitialized, then you must ensure that the file names of the trace files do not overlap with trace files that were created earlier.

For example, suppose you start SQL Server with a trace definition in which the trace files names use the following format:

c:\serversidetraces.trc
c:\serversidetraces_1.trc
c:\serversidetraces_2.trc
...
c:\serversidetraces_259.trc

Then you restart the SQL Server with a new trace definition. This new trace definition must use a different file name from the current trace files (for example, the current one named c:\serversidetraces.trc). If you do not, then when you purge the audit trail, the new trace files that have same names as the old ones will be deleted.

B.5.3 MySQL Audit Trail Cleanup

To run the MySQL audit trail cleanup utility:

On the host machine, go to the directory AGENT_HOME\av\plugins\com.oracle.av.plugin.mysql\bin
Run the following command:
MySQLServerCleanupHandler.bat secured_target_name AGENT_HOME

The above command has the following variables:
- secured_target_name - the name of the MySQL secured target
- AGENT_HOME - the path to the directory where the Audit Vault Agent is deployed.

B.6 Procedure Look-ups: Connect Strings, Collection Attributes, Audit Trail Locations

This section contains reference information you will need to complete procedures in this manual for registering secured targets and configuring audit trails. The procedural steps include links to the topics in this section.

Topics

B.6.1 Secured Target Locations (Connect Strings)

When registering a secured target in the Audit Vault Server console, you enter a connect string in the Secured Target Location field. Use a connect string format from Table B-18 depending on the secured target type.

Note: A connect string is not required for a Database Firewall-only deployment.

Table B-18 Secured Target Connect Strings (for Secured Target Location Field)

Secured Target Type	Connect String
Oracle Database	`jdbc:oracle:thin:@//hostname:port/service`
Sybase ASE	`jdbc:av:sybase://hostname:port`
Sybase SQL Anywhere	`jdbc:av:sybase://hostname:port`
Microsoft SQL Server (SQL Server Authentication)	`jdbc:av:sqlserver://hostname:port` When SSL Encryption is used with MSSQL sever and the server certificate validation is required. `jdbc:av:sqlserver://<MSSQL Host name>:<Port number>;encryptionMethod=SSL;validateServerCertificate=true;trustStore=<key store jks path>;trustStorePassword=<keystore password>;extendedOptions=enableCipherSuites=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA` When SSL Encryption is used with MSSQL sever and the server certificate validation is not required. `jdbc:av:sqlserver://<MSSQL Host name>:<Port number>;encryptionMethod=SSL;validateServerCertificate=false`
Microsoft SQL Server (Windows Authentication)	`jdbc:av:sqlserver://<Host Name>:<Port>;authenticationMethod=ntlmjava` `(Use Windows user credentials along with domain. For example, <domain name>\<user name > and password.)` OR `jdbc:av:sqlserver://<Host Name>:<Port>;authenticationMethod=ntlmjava;domain=<domain name>` `Use Windows user credentials without domain. For example, <user name > and password.`
IBM DB2 for LUW	`jdbc:av:db2://hostname`:`port` Note: Connect string is not required from release 12.2.0.11.0 and onwards.
MySQL	`jdbc:av:mysql://hostname:port/mysql` Note: Connect string is not required from release 12.2.0.11.0 and onwards.
Oracle Solaris	`hostname` (fully qualified machine name or IP address)
Oracle Linux	`hostname` (fully qualified machine name or IP address)
Microsoft Windows	`hostname` (fully qualified machine name or IP address)
Microsoft Active Directory Server	`hostname` (fully qualified machine name or IP address)
Oracle ACFS	`hostname` (fully qualified machine name or IP address)

B.6.2 Collection Attributes

Topics

B.6.2.1 About Collection Attributes

Some types of secured targets have optional or required audit trail collection attributes. You can specify collection attributes when registering or modifying a secured target in the Collection Attributes fields.

The following secured target types do not require collection attributes:

M icrosoft SQL Server
Sy base ASE
Oracle So laris
Win dows
Lin ux
Microsoft Active Di rectory Server

B.6.2.2 Oracle Database Collection Attributes

You can specify collection attributes for a DIRECTORY audit trail for Oracle Database. Table B-19 describes the collection attributes you can use if you select DIRECTORY as the Audit Trail Type when registering an Oracle Database secured target in Oracle Audit Vault and Database Firewall.

Table B-19 Collection Attributes for DIRECTORY Audit Trail for Oracle Database

Attribute Name and Description	Required?	Default	Comments
`ORCLCOLL.NLS_LANGUAGE` The NLS language of the data source	Yes: If the started audit trail cannot establish a connection to the Oracle secured target (e.g., secured target is not running) No: If the started audit trail is able to connect to the Oracle secured target and get these parameter values from the secured target (e.g., the secured target is running when the trail is started)	NA	The value is not case sensitive.
`ORCLCOLL.NLS_TERRITORY` The NLS territory of the data source	Yes: If the started audit trail cannot establish a connection to the Oracle secured target (e.g., secured target is not running) No: If the started audit trail is able to connect to the Oracle secured target and get these parameter values from the secured target (e.g., the secured target is running when the trail is started)	NA	The value is not case sensitive.
`ORCLCOLL.NLS_CHARSET` The NLS character set of the data source	Yes: If the started audit trail cannot establish a connection to the Oracle secured target (e.g., secured target is not running) No: If the started audit trail is able to connect to the Oracle secured target and get these parameter values from the secured target (e.g., the secured target is running when the trail is started)	NA	The value is not case sensitive.
`ORCLCOLL.MAX_PROCESS_TIME` The maximum processing time, in centiseconds, for each call to process the audit trail	No	600	A valid value is an integer value from 10 to 10000. Cannot be reconfigured at run time. Indicates the maximum time for which the collection process records before sending a batch of records to the Audit Vault Server. If the value is too low it can affect performance. If the value is too high, it will take a longer time to stop the audit trail.
`ORCLCOLL.MAX_PROCESS_RECORDS` The maximum number of records to be processed during each call to process the audit trail	No	1000	A valid value is an integer value from 10 to 10000. Cannot be reconfigured at run time. Indicates the maximum number of records processed before sending a batch of records to the Audit Vault Server. If the value is too low it can affect performance. If the value is too high, it will take a longer time to stop the audit trail.
`ORCLCOLL.RAC_INSTANCE_ID` The instance ID in an Oracle RAC environment	No	1	None.
`ORCLCOLL.HEARTBEAT_INTERVAL` The interval, in seconds, to store the metric information	No	60	Cannot be reconfigured at run time. This interval determines how frequently metric information is updated. If the value is too low it creates overhead for sending metrics to the Audit Vault Server. If the value is too high it will skew the average metric information.
`ORCLCOLL.NT_ORACLE_SID` The Oracle SID name on a Microsoft Windows systems	No	No default	The value is not case sensitive. If no value is specified then the audit trail queries the value from the secured target.

B.6.2.3 IBM DB2 for LUW Collection Attribute

Table B-20 describes the collection attribute required when you register an IBM DB2 for LUW secured target in Oracle AVDF.

Table B-20 Collection Attribute for IBM DB2 for LUW Database

Attribute Name and Description Required? Default Comments

Attribute Name and Description	Required?	Default	Comments
`av.collector.databasename` The IBM DB2 for LUW database name	Yes	NA	This parameter is case sensitive. Note: The collection attribute is not required from release 12.2.0.11.0 and onwards.

av.collector.databasename

The IBM DB2 for LUW database name

Yes

This parameter is case sensitive.

Note: The collection attribute is not required from release 12.2.0.11.0 and onwards.

B.6.2.4 MySQL Collection Attributes

Table B-21 describes the required and optional collection attributes when you register a MySQL secured target in Oracle Audit Vault and Database Firewall.

Table B-21 Collection Attributes for MySQL Database

Attribute Name and Description Required? Default Comments

Attribute Name and Description	Required?	Default	Comments
`av.collector.securedTargetVersion` The MySQL database version	Yes	NA	NA
`av.collector.AtcTimeInterval` Specifies a time interval, in minutes, at which the audit trail cleanup time is updated	No	20	Example: If this value is 20, the audit trail cleanup time is updated every 20 minutes. Audit log files that have a time stamp before the audit trail cleanup time will be cleaned from the source folder when you run the audit trail cleanup utility.

av.collector.securedTargetVersion

The MySQL database version

Yes

av.collector.AtcTimeInterval

Specifies a time interval, in minutes, at which the audit trail cleanup time is updated

Example: If this value is 20, the audit trail cleanup time is updated every 20 minutes. Audit log files that have a time stamp before the audit trail cleanup time will be cleaned from the source folder when you run the audit trail cleanup utility.

See Also:

MySQL Audit Trail Cleanup

B.6.2.5 Oracle ACFS Collection Attributes

Table B-22 descr ibes the collection attribute required when you register an Oracle ACFS secured target in Oracle Audit Vault and Database Firewall.

Table B-22 Collection Attribute for Oracle ACFS

Attribute Name and Description Required? Default Comments

Attribute Name and Description	Required?	Default	Comments
`av.collector.securedtargetversion` The version number of Oracle ACFS	Yes	NA	Five integer values separated by dots, for example `12.1.0.0.0`.

av.collector.securedtargetversion

The version number of Oracle ACFS

Yes

Five integer values separated by dots, for example 12.1.0.0.0.

B.6.3 Audit Trail Locations

When you configure an audit trail for a secured target in the Audit Vault Server, you must specify a Trail Location. The trail location depends on the type of secured target. Use the format below that corresponds to your secured target type.

Important: Trail locations are case sensitive. To avoid duplicate data collection, we recommend that you provide the entire trail location either in all capital letters or all small letters.

Note: If you selected DIRECTORY for Audit Trail Type, the Trail Location must be a director y mask.

Table B-23 shows the supported formats for Trail Location.

Table B-23 Supported Trail Locations for Secured Targets

Secured Target Type	Trail Type	Supported Trail Locations
Oracle Database	Table	`SYS.AUD$`, `SYS.FGA_LOG$`, `DVSYS.AUDIT_TRAIL$`, `UNIFIED_AUDIT_TRAIL`
Oracle Database	Directory	Full path to directory containing `AUD` or `XML` files.
Oracle Database	syslog	Full path to directory containing the `syslog` or `rsyslog` file. Include the `syslog` or `rsyslog` file prefix in the path. For example, if the file names are `messages.0`, `messages.1`, and so on, an example path might be: `/scratch/user1/rsyslogbug/dbrecord/messages` You can also enter `Default` and the system will search for either the `syslog` or `rsyslog` location. If both are present, entering `Default` causes the audit trail to collect data from the `syslog` files.
Oracle Database	Transaction log, Event log, and Network	No trail location required.
Microsoft SQL Server	Directory	`.sqlaudit` files, or `.trc` (trace) files. Examples: `directory_path\.sqlaudit` `directory_path\prefix.sqlaudit` `directory_path\prefix.trc` For `prefix`, you can use any prefix for the `.trc` or `.sqlaudit` files. `#C2_DYNAMIC` and `#TRACE_DYNAMIC` are only supported for SQL Server 2000, 2005, 2008, 2012, 2014, 2016.
Microsoft SQL Server	Event log	`application or security (SQL Server 2008, 2012, 2014, and 2016)`
Sybase ASE	Table	`SYSAUDITS`
IBM DB2 for LUW	Directory	Path to a directory, for example: `d:\temp\trace`
MySQL	Directory	The path t o the directory where converted XML files are created when you run the MySQL XML transformation utility.
Oracle Solaris	Directory	`hostname:path_to_trail` The `hostname` matches the hostname in the audit log names, which look like this: `timestamp1.timestamp2.hostname`
Microsoft Windows	Event log	`security` (case-insensitive) You can use any case combination in the word `security`. However, once you start collecting a trail using a particular case case combination, you must use the same combination in subsequent collections, otherwise, a new audit trail will start collecting records from the start of the security event log.
Microsoft Active Directory Server	Event log	`directory service` or `security` (case-insensitive) You can use any case combination in the words `directory service` or `security`. However, once you start collecting a trail using a particular case combination, you must use the same combination in subsequent collections, otherwise, a new audit trail will start collecting records from the start of the security event log.
Oracle ACFS	Directory	The path to the directory containing XML audit files. For example, for a file system mounted at `$MOUNT_POINT`, the audit trail location is: `$MOUNT_POINT/.Security/audit/`
Linux	Directory	Default location of `audit.log` (`/var/log/audit/audit*.log`) or any custom location configured in the `/etc/audit/auditd.conf` file
AIX	Directory	`/audit/trail`

See Also: