Learn about configuring Oracle Audit Vault Server.
This chapter explains how to perform the initial Oracle Audit Vault Server configuration.
Note:
Oracle Audit Vault Server and Oracle Database Firewall server are software appliances. You must not make changes to the Linux operating system through the command line on these servers unless you are following procedures as described in the official Oracle documentation or you are working under the guidance of Oracle Support.
The main steps involved in the configuration process are as follows:
Perform the initial configuration tasks at the Audit Vault Server. For example, confirm system services and network settings, and set the date and time.
Configure the Audit Vault agents.
(Optional) Define resilient pairs of servers for high availability.
(Optional) Add each Oracle Database Firewall at Oracle Audit Vault Server.
(Optional) Configure Oracle Audit Vault and Database Firewall to work with F5 BIG-IP Application Security Manager (ASM).
(Optional) Configure Oracle Audit Vault and Database Firewall to work with the HP ArcSight Security Information Event Management (SIEM) system.
Note:
Micro Focus Security ArcSight SIEM (previously known as HP ArcSight Security Information Event Management (SIEM)) is deprecated in 12.2.0.8.0 and is desupported in 12.2.0.9.0. Use the syslog integration feature instead.
Check that the system is functioning correctly.
See Also:
Managing A Resilient Audit Vault Server Pair for more information about configuring a resilient pair of Oracle Audit Vault Servers for high availability. Perform the initial configuration that is described in this chapter for both Oracle Audit Vault Servers
Summary of Configuration Steps to understand the high-level workflow for configuring Oracle Audit Vault and Database Firewall
Learn how to change the UI certificate for Oracle Audit Vault Server.
When you first access the Oracle Audit Vault Server console, you see a certificate warning or message. To avoid this type of message, you can upload a new UI certificate signed by a relevant certificate authority.
Prerequisite
Log in to Oracle Audit Vault Server console as a super administrator. See Logging in to the Audit Vault Server Console UI for more information
To change the UI certificate for the Audit Vault Server:
Note:
You may need to install the public certificate of the Certificate Authority in your browser, particularly if you are using your own public key infrastructure.
Topics
Learn how to specify the Oracle Audit Vault server date, time, and keyboard settings.
Super administrators can change the Oracle Audit Vault Server date, time, and keyboard settings. It is important to ensure that the date and time that you set for Oracle Audit Vault Server are correct. This is because events that the server performs are logged with the date and time at which they occur according to the server's settings. In addition, archiving occurs at specified intervals based on the server's time settings.
About Time Stamps
Oracle Audit Vault Server stores all data in UTC. Time stamps are displayed as follows:
If you are accessing data interactively, for example using the Oracle Audit Vault Server UI or AVCLI command line, then all time stamps are in your time zone. In the UI, the time zone is derived from the browser time zone. If you are using AVCLI, then the time zone is derived from the "shell" time zone (usually set by the TZ environment variable).
If you log in to Oracle Audit Vault Server as root or support, then time stamps are displayed in UTC, unless you change the TZ environment variable for that session.
If you are looking at a PDF or XLS report or email that is generated by the system, then the time stamps displayed reflect the Time Zone Offset setting in the Audit Vault Server Manage page (see procedure below).
WARNING:
Do not change the Oracle Audit Vault Server database time zone or change the time zone through any configuration files. Doing so causes serious problems in Oracle Audit Vault Server.
If you are looking at the Oracle Database Firewall UI, then all time zones are displayed in UTC.
Prerequisite
Log in to Oracle Audit Vault Server console as super administrator. See Logging in to the Audit Vault Server Console UI for more information.
To set the server date, time, and keyboard settings
Click the Settings tab.
From the System menu, click Manage.
From the Timezone Offset drop-down list, select your local time in relation to Coordinated Universal Time (UTC).
For example, -5:00 is five hours behind UTC. You must select the correct setting to ensure that the time is set accurately during synchronization.
From the Keyboard drop-down list, select the keyboard setting.
In the System Time field, select Manually Set or NTP Synchronization.
Selecting NTP Synchronization keeps the time synchronized with the average of the time recovered from the time servers specified in the Server 1/2/3 fields.
If you selected NTP Synchronization, then select Enable NTP Time Synchronization to start using the NTP Server time.
If you do not enable time synchronization in this step, then you can still enter NTP Server information in the steps below and enable NTP synchronization later.
(Optional) Select Synchronize Time After Save if you want the time to be synchronized when you click Save.
In the Server 1, Server 2, and Server 3 sections, use the default server addresses, or enter the IP addresses or names of your preferred time servers.
If you specify a name, then the DNS server that is specified in the System Services page is used for name resolution.
Click Test Server to display the time from the server.
Click Apply Server to update the Audit Vault Server time from this NTP server. The update will not take effect until you click Save.
Click Save.
To enable time synchronization, you may also need to specify the IP address of the default gateway and a DNS server.
Topics
Learn how to change the Audit Vault Server network configuration.
The Oracle Audit Vault and Database Firewall installer configures the initial network settings for Audit Vault Server during installation. You can change the network settings after installation.
Note:
If you change the Audit Vault Server network configuration, then you must also do the following:
Restart all audit trails.
Reconfigure the resilient pair of Database Firewalls if you previously configured them.
If the IP address of Audit Vault Server was changed, then update this information in Database Firewall.
Prerequisite
Log in to the Audit Vault Server console as an administrator or super administrator. See Logging in to the Audit Vault Server Console UI for more information.
To configure the Audit Vault Server network settings:
Learn how to configure and change Oracle Audit Vault Server services.
Prerequisite
Log in to the Oracle Audit Vault Server console as a super administrator. See Logging in to the Audit Vault Server Console UI for more information.
To configure the Oracle Audit Vault Server services:
Use this procedure to change the IP address of a live registered host without impacting the functionality of the Audit Vault Agent.
Prerequisites
Stop Audit Trails. See section Stopping, Starting, and Autostart of Audit Trails in the Audit Vault Server for more information.
Stop the Audit Vault Agent before changing the IP address of the Secured Target Server. See section Stopping, Starting, and Other Agent Operations for more information to stop the Audit Vault Agent.
To change the IP address of a live Registered Host
Learn how to configure Oracle Audit Vault Server syslog destinations.
Use the following procedure to configure the types of syslog messages to send from Oracle Audit Vault Server. The message categories are Debug, Info, or System. You can also forward Alert messages to the syslog.
Configuring Syslog enables integration with popular SIEM vendors such as Splunk, IBM QRadar, LogRhythm, ArcSight and others.
Prerequisites
Log in to the Oracle Audit Vault Server console as an administrator. See Logging in to the Audit Vault Server Console UI for more information.
Ensure that the IP addresses provided for syslog destinations are on a different host than the Oracle Audit Vault Server.
Topics
Learn about Oracle Audit Vault and Database Firewall email notifications.
An auditor can configure Oracle Audit Vault and Database Firewall to send users email notifications when alerts or reports are generated. To do this, you must configure an SMTP server to enable email notifications. The email notifications can be sent in text format to mobile devices or they can be routed through an SMS gateway.
Note:
See Also:
Oracle Audit Vault and Database Firewall Auditor's Guide for information about configuring alerts and generating reports.
Learn how to configure email notification for Oracle Audit Vault and Database Firewall.
Prerequisite
Log in to Audit Vault Server console as a super administrator. See Logging in to the Audit Vault Server Console UI for more information.
To configure the email notification service:
Learn about configuring archive locations and retention policies.
Remember the following rules while archiving and restoring tablespaces:
The restore policy must follow the guidelines in this section.
Check the tablespace that needs to be archived and the corresponding tablespace that needs to be purged as explained in the policy.
Restoring data into empty tablespaces is not possible. Check accordingly.
When a tablespace enters the delete period, it is deleted automatically from Oracle Audit Vault Server.
Every tablespace is uniquely identified using the name of the month that it moves offline and the month that it is purged. The tablespaces are created automatically based on the policies that you create.
When the retention policy changes, the new policy is applied to the incoming data in the following month. It does not affect the existing tablespaces which adhere to the old policy.
You can archive the tablespace when it enters the offline period.
After you restore a tablespace, it is online. After you release the tablespace, it goes offline. You must rearchive the tablespace after it is released.
You can archive data files in Oracle Audit Vault and Database Firewall as part of your information life cycle strategy. To do so, you must create archiving (or retention) policies, and configure archive locations to which data will be transferred according to the policies. We recommend that you archive regularly in accordance with your corporate policy.
Oracle recommends that you use NFS to transfer data to an archive location. If you use Secure Copy (SCP) or Windows File Sharing (SMB) to transfer data to an archive location, then your data files are first copied to a staging area in the Audit Vault Server. Therefore, you must ensure that there is additional space in the file system. Otherwise the data file copying may fail. Be aware that transferring large files using SCP or SMB may take a long time.
What is a Retention (or Archiving) Policy?
Retention policies determine how long data is retained in the Audit Vault Server, when data is available for archiving, and for how long archived data can be retrieved to the Audit Vault Server. An administrator creates retention (or archiving) policies and an auditor assigns a specific policy to each secured target, as well as to scheduled reports. The settings specified in a retention policy are as follows:
Months Online: The audit data is available in the Audit Vault Server for the number of months online specified. During this period, data is available for viewing in reports. When this period expires, the audit data files are available for archiving, and are no longer visible for reports. When the administrator archives these data files, the data is physically removed from the Audit Vault Server.
Months Archived: The archived audit data can be retrieved to the Audit Vault Server for the number of months specified in Months Archived. If the data is retrieved during this period, it will be available again in reports. When the months archived period expires, the data can no longer be retrieved to the Audit Vault Server.
Retention times are based on the time that the audit events occurred in the secured target. If the auditor does not select a retention policy for a secured target or scheduled report, the default retention policy will be used (12 months retention online and 12 months in archives).
Example
Suppose your retention policy is:
Months Online: 2
Months Archived: 4
With this retention policy, data that is newer than two months ago is available in the Audit Vault Server. Data that becomes older than two months ago is available for archiving, and is no longer visible in reports. Archived data is available to retrieve for four months. This data is older than two months ago but newer than six months ago, and can be retrieved from the archives to the Audit Vault Server. Data that becomes older than six months ago is no longer available.
When new Data Collected is Older than Retention Policy Limits
When you collect audit data for a newly configured secured target, or from a new audit trail on an existing secured target, the data collected from that secured target may be older than the Months Online period, and may even be older than the Months Archived period.
For instance, suppose your retention policy is the same as the above Example. Now suppose you start collecting audit data from a newly configured secured target. If some of this data is over six months old, it is older than the months online period and the months archived period combined. In this case, Oracle Audit Vault and Database Firewall automatically drops any newly collected audit records that are older than six months.
However, if some of this audit data is older than two months but newer than six months (that is, it falls within the months archived period), Oracle Audit Vault and Database Firewall does one of the following:
If this is an audit trail for a newly configured secured target, Oracle Audit Vault and Database Firewall automatically archives that data as the audit trail is collected.
If this is a new audit trail for an existing secured target, Oracle Audit Vault and Database Firewall attempts to archive these records automatically as the audit trail is collected. However, you may have to make required data files available during this process.
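The retention arithmetic from the Example above and the three outcomes just listed for newly collected data, as an added worked example in Python. This is illustration code written for this page, not Oracle AVDF or AVCLI code. It assumes that age is measured in completed calendar months from the event time recorded at the secured target (the documentation does not state the month-boundary rule this precisely), and all function and class names are assumptions.

```python
"""Retention-policy arithmetic for Oracle AVDF audit data (added illustration).

Example code written for this page, not code from Oracle AVDF or AVCLI.
Assumption: age is measured in completed calendar months from the event time
recorded at the secured target; a record exactly on a boundary has left the
earlier period.  The documentation does not specify the month-boundary rule.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Disposition(Enum):
    ONLINE = "online"          # within Months Online: visible in reports
    ARCHIVABLE = "archivable"  # past Months Online, within Months Archived
    EXPIRED = "expired"        # past both periods: newly collected copies are dropped


@dataclass(frozen=True)
class RetentionPolicy:
    months_online: int
    months_archived: int

    @property
    def months_total(self) -> int:
        return self.months_online + self.months_archived


# Policy used when the auditor assigns none: 12 months online, 12 months archived.
DEFAULT_POLICY = RetentionPolicy(months_online=12, months_archived=12)


def age_in_months(event_day: date, today: date) -> int:
    """Completed calendar months between the event time and today (assumed rule)."""
    months = (today.year - event_day.year) * 12 + (today.month - event_day.month)
    if today.day < event_day.day:
        months -= 1          # the current month has not completed yet
    return max(months, 0)


def classify(event_day: date, today: date, policy: RetentionPolicy) -> Disposition:
    """Retention period a record with this event time is in today."""
    age = age_in_months(event_day, today)
    if age < policy.months_online:
        return Disposition.ONLINE
    if age < policy.months_total:
        return Disposition.ARCHIVABLE
    return Disposition.EXPIRED


def classify_iso(event_iso: str, today_iso: str, policy: RetentionPolicy) -> str:
    """Same as classify(), taking ISO dates and returning the period name."""
    return classify(date.fromisoformat(event_iso), date.fromisoformat(today_iso), policy).value


def triage_new_trail(event_isos, today_iso: str, policy: RetentionPolicy,
                     new_target: bool = True) -> dict:
    """Sort freshly collected records of a new audit trail into the three periods.

    Online records stay on the server; records inside the Months Archived window
    are archived as they are collected; records older than both periods are
    dropped.  For a new trail on an existing target the automatic archive may
    need the administrator to make data files available, so the result flags
    that follow-up whenever a record landed in the archived window.
    """
    buckets = {d.value: [] for d in Disposition}
    for event_iso in event_isos:
        buckets[classify_iso(event_iso, today_iso, policy)].append(event_iso)
    buckets["operator_follow_up"] = (not new_target) and bool(buckets[Disposition.ARCHIVABLE.value])
    return buckets


if __name__ == "__main__":
    # Constructed sample: the policy from the Example (2 online, 4 archived),
    # evaluated on 2024-07-15 against a new trail with records of assorted ages.
    policy = RetentionPolicy(months_online=2, months_archived=4)
    sample = ["2024-07-15", "2024-06-01", "2024-05-10",
              "2024-01-20", "2024-01-10", "2023-12-01"]
    result = triage_new_trail(sample, "2024-07-15", policy, new_target=False)
    for period, days in result.items():
        print(f"{period}: {days}")
```

Running the sample shows two records still online, two that fall inside the four-month archive window and are archived as they arrive, and two older than six months that are dropped; because the trail belongs to an existing target, the result also flags that data files may have to be made available for the automatic archive.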
Note:
If no archive location is defined, then once the Months Online period expires and until the offline period ends, the audit data for the specific target is moved offline. The data remains on the Audit Vault Server and can be retrieved and viewed in the Reports section of the Audit Vault Server console. This applies to both the default and user-defined archival and retention policies.
See Also:
Handling new Audit Trails with Expired Audit Records for information to make required data files available.
Learn about defining archive locations.
You must define one or more locations as destinations for archive files before you can start an archive job. An archiving destination specifies the archive storage locations and other settings.
Oracle recommends that you use NFS to transfer data to an archive location. If you use Secure Copy (SCP) or Windows File Sharing (SMB) to transfer data to an archive location, then your data files are first copied to a staging area in Oracle Audit Vault Server. Therefore, you must ensure that there is sufficient space in the file system. Otherwise the data file copying may fail. Transferring large files using SCP or SMB may take a long time.
Note:
The backup functionality does not back up archived files. The data files in the archive location are not backed up by avbackup because they may be located on a remote file system. If those files are on an NFS mount point, then they are accessible after restoring on a new system with the same mount points that were previously configured.
Prerequisite
Log in to the Audit Vault Server as an administrator. See Logging in to the Audit Vault Server Console UI for more information.
To create an archive location:
Managing NFS locations in high availability environment
Oracle Audit Vault and Database Firewall supports archiving. Prior to release 12.2.0.11.0, archiving was configured only on the primary Audit Vault Server and there was no ability to configure archiving on the standby server. After a failover, archive locations had to be manually set on the former standby (new primary). Starting with release 12.2.0.11.0, you can now configure NFS archive locations on both the primary and standby Audit Vault Servers, reducing the amount of manual work that needs to be performed following a failover.
Follow these steps to create a new NFS archive location:
Field | Description |
---|---|
Location Name | The name of the archiving destination. |
Remote Filesystem | Select an existing filesystem, or one will be created automatically based on the details of this archive location. |
Primary Server Address | NFS Server IP address for primary Audit Vault Server. |
Secondary Server Address | NFS Server IP address for standby Audit Vault Server. |
Primary Server Export Directory | Export directory on the NFS server for primary Audit Vault Server. |
Secondary Server Export Directory | Export directory on the NFS server for standby Audit Vault Server. |
Primary Server Path | The destination path relative to the export directory on the NFS server for primary Audit Vault Server. |
Secondary Server Path | The destination path relative to the export directory on the NFS server for standby Audit Vault Server. |
Note:
After you create a retention policy, an Oracle AVDF auditor can apply it to secured targets.
Prerequisite
Log in to the Audit Vault Server console as an administrator. See Logging in to the Audit Vault Server Console UI for more information.
Learn how to delete archiving policies.
You can only delete user-defined archiving policies.
Prerequisite
Log in to Oracle Audit Vault Server console as an administrator. See Logging in to the Audit Vault Server Console UI for more information.
To delete an archiving (retention) policy:
Learn about managing Oracle Audit Vault and Database Firewall data archival and retrieval in high availability environments.
Oracle Audit Vault and Database Firewall release 12.2.0.11.0 and later ensures that the primary and secondary Oracle Audit Vault Servers have the same number of NFS archive locations. Having the same number of locations is crucial for the effective operation of archiving and file management in high availability environments.
Note:
Prerequisite
Ensure that all of the requirements mentioned in Prerequisites for Configuring a Resilient Pair of Audit Vault Servers are satisfied before configuring your high availability environment.
After you successfully pair your high availability servers, the NFS locations pertaining to both the primary and secondary Oracle Audit Vault Servers are displayed under Manage Archive Locations on the primary Oracle Audit Vault Server console. These NFS locations include those that you created on both the primary and secondary Oracle Audit Vault Servers before and after configuring high availability. The names of these NFS locations have the primary location name or the name that you specified when you created the location after high availability is configured. The Oracle Audit Vault Server console provides details of the host, export directory, and destination path for both the primary and secondary Oracle Audit Vault Servers.
Upgrade and archiving functionality in high availability environment
Archiving functionality is disabled during the upgrade process only when there are datafiles archived to the NFS locations. Upon completion of the upgrade process, the admin user must enable the archive functionality.
Updating or Deleting NFS locations
The super admin can update or delete the NFS locations after high availability pairing of primary and secondary Oracle Audit Vault Servers. You can update or delete the NFS locations on both the primary and secondary Oracle Audit Vault Servers. If the datafiles are archived, then you cannot update or delete the locations. The Location Name and the Primary Server Path or the Secondary Server Path can be updated when high availability is enabled.
See Also:
You can define resilient pairs of Audit Vault Servers, Database Firewalls, or both.
When you define a resilient pair of Audit Vault Servers, you do all configuration tasks, such as adding Database Firewalls to the server and registering secured targets, on the primary Audit Vault Server.
See Also:
Learn how to register Database Firewall in Audit Vault Server.
Use this procedure to register a Database Firewall in Audit Vault Server.
Prerequisites
If you are deploying more than one Database Firewall, then you must register each firewall in Audit Vault Server to enable communication among the servers. We suggest that you first configure Database Firewall using the instructions in Configuring the Database Firewall.
You must register Database Firewalls in Audit Vault Server before you can pair them for high availability. See Managing A Resilient Database Firewall Pair for more information.
Provide the Audit Vault Server certificate and IP address to the Database Firewall that you are registering. See Specifying the Audit Vault Server Certificate and IP Address.
Log in to Audit Vault Server as an administrator. See Logging in to the Audit Vault Server Console UI for more information.
To register Database Firewall in Audit Vault Server:
Learn about testing Audit Vault Server system operations.
Verify that your system is fully operational before beginning your normal, day-to-day operations.
Prerequisite
Log in to Audit Vault Server as an administrator. See Logging in to the Audit Vault Server Console UI for more information.
To test your system's operation:
Learn about configuring fiber channel-based storage for Audit Vault Server.
Oracle Audit Vault Server supports fiber channel-based storage. You can configure this storage during installation by performing this procedure.
Note:
Fiber channel-based storage is supported on Oracle Audit Vault and Database Firewall release 12.2.0.0 and later only.
To configure fiber channel-based storage for Audit Vault Server:
You can add Network Address Translation (NAT) IP addresses to Audit Vault Agent.
Network Address Translation (NAT) is a method of remapping one IP address space into another. This is done by modifying network address information in the IP header of packets when they are in transit across traffic routing devices. Use this procedure to manually add the NAT IP address of the Audit Vault Server to the Audit Vault Agent.
In some deployments, Audit Vault Servers are within NAT networks. The Agents are deployed in a network outside the NAT-configured network and are given the actual IP address of the Audit Vault Server. In such cases, the Agents cannot reach Audit Vault Server.
In this case, you can add the NAT IP address and port mapping information to the dbfw.conf file of Audit Vault Server. This adds an extra connection string to the Agent's bootstrap.prop file so that Agents can be deployed in both NAT and non-NAT networks. This functionality is available from Oracle AVDF 12.2.0.8.0 and later.
Use Cases
Case | Configuration Type | Description |
---|---|---|
Case 1 | Audit Vault Server configuration without high availability. | |
Case 2 | Audit Vault Server configuration with high availability. | |
Case 3 | Primary and secondary Audit Vault Servers with different NAT IP addresses. | |
To add the NAT IP address of Audit Vault Server into Audit Vault Agent, follow these steps: