13 Oracle Audit Vault And Database Firewall Hybrid Cloud Deployment
To use Oracle Audit Vault and Database Firewall Hybrid Cloud Deployment, you must perform some preliminary tasks.
13.1 Oracle Audit Vault and Database Firewall Hybrid Cloud Deployment and Prerequisites
You can configure Oracle Audit Vault and Database Firewall for hybrid cloud deployments.
Oracle AVDF hybrid cloud deployment models:
- Audit Vault Server deployed on-premises and the targets are deployed in cloud or on-premises
- Audit Vault Server deployed on cloud and the targets are deployed in cloud or on-premises
In Oracle Public Cloud deployment model, the Audit Vault Server is either deployed on-premises or in Oracle Cloud. It monitors Oracle Database Cloud Service, Oracle Exadata Cloud Service, and on-premises database instances. It uses Audit Vault Agents that can collect audit data from on-premises or cloud targets. These Agents connect to the target database and to the Audit Vault Server. Connections to the Audit Vault Server are made through JDBC on ports 1521 and 1522. This chapter uses Oracle Public Cloud as an example.
For non-Oracle clouds, the concepts are similar, but the actual steps for configuring network connectivity between Agents and databases differ. There is a wide variety of network configurations, firewalls, and cloud providers, each with its own way of configuring network connectivity. When using the hybrid cloud deployment model for Oracle Databases running in non-Oracle clouds, support is limited to Agent interaction with the database. Because of the wide variety of network configuration paradigms used by different cloud providers, support for network connectivity issues must remain with the cloud provider.
When using the hybrid cloud deployment model for Oracle Databases running on-premises, the Audit Vault Server is running in Public Cloud. In such cases, the configuration of the on-premises network to enable connectivity between the Agents and Audit Vault Server is the responsibility of the customer. Oracle AVDF support is limited to the Audit Vault Agent, and not to the underlying network components involved in allowing the connections.
TCP and TCPS are the two connection options in Oracle Database Cloud Service. Setting up connections for TCP and TCPS is similar. The difference is the port numbers. The following are the key characteristics of Oracle Database Cloud Service cloud target configuration settings:
- TCP connections have encryption enforced by default.
- TCPS connections are configured between Audit Vault Agents and cloud targets.
- On the Audit Vault Server the TCPS option must be set for cloud targets.
- Additional Audit Vault Agents can be used to collect audit data from on-premises databases, directories, and operating systems.
Note:
- The user can have multiple Audit Vault Agents to collect data from DBCS instances.
- Only one Audit Vault Agent can be installed on a host for a single Audit Vault Server. Multiple audit trail collections can be started using a single Audit Vault Agent.
- This deployment offers great flexibility for customers to address consistent audit or security policies across on-premises and cloud environments.
Prerequisites for deploying Audit Vault and Database Firewall Hybrid Cloud
There are many factors to consider before deploying Oracle Audit Vault and Database Firewall Hybrid Cloud. The following table compares the availability of Audit Vault and Database Firewall features for on-premises databases, DBCS databases in OPC, Exadata Express Cloud Service, and Data Warehouse Cloud Service.
Feature | DBs On-premises | DBs in OPC | Exadata Express Cloud Service | Data Warehouse Cloud Service |
---|---|---|---|---|
Database Table based audit collection (SYS.AUD$; SYS.FGA_LOG$ etc.) | Yes | Yes | No | No |
Unified Audit Table Trail | Yes | Yes | Yes | Yes |
Database File based audit collection | Yes | No | No | No |
REDO log support | Yes | No | No | No |
OS audit collection | Yes | No | No | No |
Retrieve Entitlements | Yes | Yes | Yes | Yes |
Policy retrieval/provisioning for Traditional audit trails | Yes | Yes | No | No |
View Interactive reports | Yes | Yes | Yes | Yes |
View Scheduled reports | Yes | Yes | Yes | Yes |
Stored Procedure Auditing | Yes | No | No | No |
Prerequisites for auditing Oracle Audit Vault and Database Firewall Hybrid Cloud
There are multiple aspects to consider when auditing DBCS targets. Audit requirements and audit policies on DBCS cloud targets are critical, because the number and type of enabled audit policies directly affect the number of audit records sent to the Audit Vault Server. DBCS instances may have various audit settings, so users must review this information either on the Audit Vault Server or directly on the database instance.
Note:
Only audit data collection from table-based audit trails is supported. The version-specific information is listed below:
Release | Audit information supported |
---|---|
Oracle Database 11g Release 11.2 | |
Oracle Database 12c and later | |
Note:
The SYS.AUD$ and SYS.FGA_LOG$ tables have an additional column, RLS$INFO. The Unified Audit trail table has the RLS_INFO column. This column describes the row level security policies configured, and is mapped to the extension field in Oracle Audit Vault and Database Firewall. In order to populate this column, the user needs to set the AUDIT_TRAIL parameter of the target to DB, EXTENDED.
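The following SQL is an added example and not part of the Oracle documentation; it shows how to check and set the AUDIT_TRAIL parameter described above on a target instance, and how to confirm afterwards that traditional audit rows carry RLS$INFO data. It assumes a user with ALTER SYSTEM privilege and SELECT on SYS.AUD$ (for example SYS), and that the instance uses an spfile.

```sql
-- Added example (not from the Oracle documentation): verify and set the
-- AUDIT_TRAIL parameter so that SYS.AUD$ / SYS.FGA_LOG$ rows carry the
-- RLS$INFO column that AVDF maps to its extension field.
-- Assumes a user with ALTER SYSTEM privilege and an spfile-based instance.

-- 1. Check the current setting. 'DB, EXTENDED' is the value that records
--    the extended columns (SQL text, bind values, RLS information).
SELECT name, value, isdefault
  FROM v$parameter
 WHERE name = 'audit_trail';

-- 2. Set it in the spfile. AUDIT_TRAIL is a static parameter, so the
--    change takes effect only after the instance is restarted.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;

-- 3. After the restart, confirm that new traditional audit rows populate
--    the RLS column for statements governed by a row level security policy.
--    A zero count here with RLS policies in place means the parameter is
--    not yet effective or no audited statement has touched a protected table.
SELECT COUNT(*) AS rows_with_rls_info
  FROM sys.aud$
 WHERE rls$info IS NOT NULL;
```

On a multitenant instance, run the ALTER SYSTEM in the root container; the parameter applies to all PDBs.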
13.2 Opening Ports on Oracle Database Cloud Service
You can open ports on Oracle Database Cloud Service.
This procedure is used to open up a specific port. This is one of the pre-requisites before deploying Audit Vault and Database Firewall Hybrid Cloud.
To open a port, execute the following procedure:
- Log in to the DBCS service.
- Click on the navigation menu that is located next to the Oracle logo on the top.
- Select Oracle Cloud Infrastructure Compute for Oracle Public Cloud service.
- In the next screen, click the Network tab at the top to set up the port or allowlist.
- Click the Security Application tab to display the list of available ports.
- Click Create Security Application and specify the port that must be enabled.
- Click Security Rules tab, and then click Create Security Rule button.
- In the Security Application field select the application previously chosen.
- Enter the remaining fields.
- Click Create.
13.3 Configuring Hybrid Cloud Target Using TCP
You can configure cloud targets for DBCS instances in TCP mode. The Audit Vault server and Audit Vault agent are installed on-premises.
13.3.1 Step 1: Registering On-premises Host on the Audit Vault Server
This configuration step registers the on-premises host in the Audit Vault server.
If an on-premises host with an Audit Vault Agent for monitoring Oracle Database Cloud Service instances is already registered in the Audit Vault Server, skip this procedure. Otherwise, the steps are the same as for any on-premises target database.
13.3.2 Step 2: Installing Audit Vault Agent on Registered On-premises Hosts
This configuration step installs Oracle Audit Vault agents on registered on-premises hosts.
Note:
If there is already an Audit Vault agent installed on an on-premises host that is planned for monitoring DBCS instances then ignore this step. In case there are no agents installed, there are specific requirements for the Audit Vault agents that monitor DBCS instances. The requirements or features are as follows:
- The agent has to run on-premises.
- A minimum of one agent must be dedicated to monitor only DBCS instances. There may be multiple agents dedicated to monitor only DBCS instances.
- The agent should not run on the Audit Vault server.
13.3.3 Step 3: Creating User Accounts on Oracle Database Cloud Service Target Instances
This configuration step creates user accounts on Oracle Database Cloud Service target instances.
Note:
For TCP connections, the connection method differs from an on-premises deployment.
Prerequisite
- Port 1521 has to be opened on the DBCS instance for the TCP connection, so that SQL*Plus and SQL Developer can be used later. The TCP connection is encrypted by default; it uses native network encryption. See Opening Ports on Oracle Database Cloud Service for detailed steps.
Procedure for installation:
13.3.4 Step 4: Setting Up or Reviewing Audit Policies on Target Oracle Database Cloud Service Instances
This configuration step explains how to manage audit policies on target Oracle Database Cloud Service instances.
Check the audit policies that are enabled and change them as needed. For Oracle Database 11g release 11.2 and Oracle Database 12c instances where Unified Audit is not enabled, it is possible to provision audit policies from the Audit Vault server. If the Unified Trail is enabled on Oracle Database 12c instances, change the audit policies manually on the DBCS instance.
Note:
Understand the audit settings on the DBCS instances before starting the audit data collection process. Currently one Audit Vault agent supports up to a maximum of 10 cloud target audit trails. The collection speed is up to 25 million audit records per target audit trail, per day. The recommended Audit Vault agent configuration can be found in the Oracle Audit Vault and Database Firewall Installation Guide.
Run the DBMS_AUDIT_MGMT package on the DBCS instances for audit clean up, after the data is collected by the on-premises Audit Vault Server. The Audit Vault Server supports data retention policies for every target and meets compliance requirements. It allows configuring different retention policies for on-premises and DBCS instances.
Storage requirements on the Audit Vault Server also must be reviewed to ensure enough storage is available, while adding more on-premises or DBCS instance targets to the Audit Vault Server.
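The following queries are an added example, not part of the Oracle documentation, for the review described in this step: they show whether an instance runs unified auditing (which decides whether policies can be provisioned from the Audit Vault Server), which policies are enabled, and how many records each table trail produces per day, so the result can be compared with the 10 trails per agent and 25 million records per trail per day limits stated above. They assume a DBA user on the DBCS instance and use standard data dictionary views; the 12.2 column names of AUDIT_UNIFIED_ENABLED_POLICIES are used.

```sql
-- Added example (not from the Oracle documentation): review audit settings
-- and audit volume on a DBCS instance before starting collection.
-- Assumes a DBA user; all objects are standard data dictionary views.

-- 1. Is unified auditing enabled in pure mode? If TRUE, audit policies are
--    managed on the instance itself rather than provisioned from AVDF.
SELECT value AS unified_auditing
  FROM v$option
 WHERE parameter = 'Unified Auditing';

-- 2. Unified audit policies currently enabled, and for which users/roles.
--    (On 12.1 the columns are user_name and enabled_opt instead.)
SELECT policy_name, enabled_option, entity_name, success, failure
  FROM audit_unified_enabled_policies
 ORDER BY policy_name;

-- 3. Traditional statement and privilege audit options that feed SYS.AUD$.
SELECT user_name, audit_option AS option_or_privilege, success, failure
  FROM dba_stmt_audit_opts
UNION ALL
SELECT user_name, privilege, success, failure
  FROM dba_priv_audit_opts
 ORDER BY 1, 2;

-- 4. Fine-grained audit policies that feed SYS.FGA_LOG$.
SELECT object_schema, object_name, policy_name, enabled
  FROM dba_audit_policies
 ORDER BY object_schema, object_name;

-- 5. Records per day and per trail over the last 7 days. A trail that
--    regularly exceeds 25 million rows per day needs its policies reviewed
--    before it is added to an agent.
SELECT 'UNIFIED_AUDIT_TRAIL' AS trail,
       TRUNC(event_timestamp) AS audit_day,
       COUNT(*)               AS records
  FROM unified_audit_trail
 WHERE event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
 GROUP BY TRUNC(event_timestamp)
UNION ALL
SELECT 'SYS.AUD$', TRUNC(ntimestamp#), COUNT(*)
  FROM sys.aud$
 WHERE ntimestamp# > SYSTIMESTAMP - INTERVAL '7' DAY
 GROUP BY TRUNC(ntimestamp#)
UNION ALL
SELECT 'SYS.FGA_LOG$', TRUNC(ntimestamp#), COUNT(*)
  FROM sys.fga_log$
 WHERE ntimestamp# > SYSTIMESTAMP - INTERVAL '7' DAY
 GROUP BY TRUNC(ntimestamp#)
 ORDER BY 1, 2;
```

The daily counts from query 5, multiplied by the number of targets, also give a first estimate of the storage growth on the Audit Vault Server that the last paragraph above asks you to review.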
13.3.5 Step 5: Creating Targets on Oracle Audit Vault Server for Oracle Database Cloud Service Instances
This configuration step creates targets on Oracle Audit Vault Servers for Oracle Database Cloud Service instances.
13.3.6 Step 6: Starting Audit Trail on Audit Vault Server for Oracle Database Cloud Service Instances
This configuration step starts the audit trail on Oracle Audit Vault Server for Oracle Database Cloud Service instances.
Use this procedure to start an audit trail on the Audit Vault Server for the DBCS instance.
- Log in to the Audit Vault console as an administrator.
- In the Targets tab, select the newly registered target.
- Under the Audit Data Collection section, click Add. The Add Audit Trail dialog is displayed.
- Select the Audit Trail Type as TABLE.
  Note: Other trail types are not supported for DBCS target instances.
- Select the appropriate value for Trail Location from the drop-down menu. The supported table trails for an Oracle DBCS target are:
  - UNIFIED_AUDIT_TRAIL
  - SYS.AUD$
  - SYS.FGA_LOG$
  - DVSYS.AUDIT_TRAIL$
- Select the Agent Host.
- Click Save to add the audit trail.
13.4 Configuring TCPS Connections for DBCS Instances
Learn how to configure TCPS connections for DBCS instances.
13.4.1 Step 1: Creating Server Wallet and Certificate
This configuration step shows you how to create server wallets and certificates.
13.4.2 Step 2: Creating Client (Agent) Wallet and Certificate
This configuration step explains how to create client wallets and certificates.
13.4.3 Step 3: Exchanging Client (Agent) and Server Certificates
This configuration step explains how to exchange client (agent) and server certificates.
13.4.4 Step 4: Configuring Server Network
This step explains how to configure the server network.
Data security between an Audit Vault Server and an Oracle Database target is achieved by default through native network encryption over the TCP connection. It can also be achieved by using a TCPS/SSL connection.
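The following queries are an added example, not part of the Oracle documentation, for checking which of the two protections described above is actually in effect for a session. Run them over the same connect descriptor the Audit Vault Agent uses; they assume the connecting user has SELECT on V_$SESSION_CONNECT_INFO (granted by SYS) for the second query.

```sql
-- Added example (not from the Oracle documentation): confirm from inside a
-- session whether it runs over TCPS (TLS) or over plain TCP, and in the
-- latter case whether Oracle native network encryption is active.
-- Assumes SELECT on V_$SESSION_CONNECT_INFO for the second query.

-- 'tcps' means the transport is TLS (the 1522 configuration on DBCS);
-- 'tcp' means cleartext transport, so protection must come from native
-- network encryption.
SELECT SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL') AS protocol
  FROM dual;

-- For a plain TCP session, the service banner lists the negotiated
-- encryption and integrity algorithms (for example AES256 and SHA256).
-- If no encryption or crypto-checksumming line is returned, the session
-- is neither encrypted nor integrity protected and the target should not
-- be used until SQLNET.ENCRYPTION_* is enforced or TCPS is configured.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID')
   AND (   network_service_banner LIKE '%ncryption service%'
        OR network_service_banner LIKE '%Crypto-checksumming%');
```

Running the first query from the agent host, rather than from a DBA workstation, matters: native encryption is negotiated per connection, so a session from a client with different sqlnet.ora settings can be encrypted while the agent's session is not.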
13.5 Configuring Hybrid Cloud Target Using TCPS
Learn how to configure cloud targets for DBCS instances in TCPS mode. The Audit Vault server and Audit Vault agent are installed on-premises.
13.5.1 Step 1: Registering On-premises Host on Oracle Audit Vault Server
Follow this configuration procedure to register on-premises hosts on Oracle Audit Vault Server.
This step registers the on-premises host on the Audit Vault server.
Note:
If there is already a registered on-premises host in the Audit Vault Server installed on the Agent for monitoring DBCS instances, then skip this procedure. Otherwise, the steps are similar for all target databases that are on-premises. See Registering Hosts on the Audit Vault Server for detailed steps.
13.5.2 Step 2: Installing Oracle Audit Vault Agent on Registered On-premises Hosts and Configuring TCPS
This configuration procedure installs Oracle Audit Vault Agent on registered on-premises hosts and configures TCPS.
Note:
If there is already an Audit Vault agent installed on an on-premises host that is planned for monitoring DBCS instances then ignore this step. In case there are no agents installed, there are specific requirements for the Audit Vault agents that monitor DBCS instances. The requirements or features are as follows:
- The agent has to run on-premises.
- A minimum of one agent must be dedicated to monitor only DBCS instances. There may be multiple agents dedicated to monitor only DBCS instances.
- The agent should not run on the Audit Vault server.
- Install the Audit Vault agent on the on-premises host. See Deploying the Audit Vault Agent on Host Computers for detailed steps on installing on-premises host.
- Start the Audit Vault agent.
13.5.3 Step 3: Creating User Accounts on Oracle Database Cloud Service Target Instances
This step creates a user account on the Oracle Database Cloud Service instance.
Note:
The connection method and the scripts used differ from an on-premises deployment.
Prerequisite
- Port 1522 has to be opened on the DBCS instance for the TCP connection, so that SQL*Plus and SQL Developer can be used later. The TCP connection is encrypted by default; it uses native network encryption. See Opening Ports on Oracle Database Cloud Service for detailed steps.
Procedure:
13.5.4 Step 4: Setting Up or Reviewing Audit Policies on Target Oracle Database Cloud Service Instances
Use this procedure to set up and review audit policies on target Oracle Database Cloud Service instances.
Check the audit policies that are enabled and change them as needed. For Oracle Database 11g, Oracle Database 11.2, and Oracle Database 12c release instances where unified audit is not enabled, you can provision audit policies from the Audit Vault Server. If the Unified Trail is enabled on Oracle Database 12c instances, change the audit policies manually on the DBCS instance.
Note:
- Understand the audit settings on the DBCS instances before starting the audit data collection process. Currently one Audit Vault Agent supports up to a maximum of 10 cloud target audit trails. The collection speed is up to 25 million audit records per target audit trail, in a day. The recommended Audit Vault Agent configuration can be found in the Oracle Audit Vault and Database Firewall Installation Guide.
- Run the DBMS_AUDIT_MGMT package on the DBCS instances for audit clean up, once the data is collected by the on-premises Audit Vault Server. The Audit Vault Server supports data retention policies for every target and meets compliance requirements. It allows configuring different retention policies for on-premises and DBCS instances.
13.5.5 Step 5: Creating Targets on Audit Vault Server for Oracle Database Cloud Service Instances
This configuration step creates target on Oracle Audit Vault Servers for Oracle Database Cloud Service instances.
The user must define these specific settings on the target configuration page. Use the following procedure:
13.5.6 Step 6: Starting Audit Trail on Audit Vault Server for Oracle Database Cloud Services Instances
This configuration step starts an audit trail on Oracle Audit Vault Server for Oracle Database Cloud Service instances.
Use this procedure to start audit trail on the Audit Vault Server for the DBCS instance:
13.6 Configuring Oracle Database Exadata Express Cloud Service Target Using TCPS
Learn how to configure Oracle Database Exadata Express Cloud Service targets in TCPS mode.
13.6.1 Step 1: Installing Audit Vault Agent on registered On-premises Hosts and Configuring TCPS
This step installs Oracle Audit Vault Agent on registered on-premises hosts and configures TCPS.
See Step 2: Installing Oracle Audit Vault Agent on Registered On-premises Hosts and Configuring TCPS.
Prerequisites
- Ensure the right version of JDK is installed. The supported JDK versions are:
  - JDK7u80 or higher
  - JDK8u71
  - JCE Unlimited Strength Jurisdiction Policy Files with both JDK7 and JDK8. JDK 8 .jar files can be downloaded from: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
13.7 Configuring Oracle Database Exadata Express Cloud Service Target Using TCP
Learn how to configure Exadata Express Cloud Targets in TCP mode. The Audit Vault Server and Audit Vault Agent are installed on-premises.
13.7.1 Step 1: Registering On-premises Hosts on Oracle Audit Vault Server
This configuration step explains how to register on-premises hosts on Oracle Audit Vault Server.
13.7.2 Step 2: Installing Audit Vault Agents on Registered On-Premises Hosts
This configuration step installs agents on registered on-premises hosts.
13.7.3 Step 3: Creating User Accounts on Oracle Exadata Express Cloud Target Instances
This configuration step creates user accounts on Oracle Exadata Express Cloud targets.
13.7.4 Step 4: Setting Up or Reviewing Audit Policies on Target Oracle Exadata Express Cloud Instances
This configuration step enables you to set up and review audit policies on target Oracle Exadata Express Cloud instances.
Note:
This is not supported for Oracle Exadata Express Cloud Service instance.
13.7.5 Step 5: Creating Targets on Oracle Audit Vault Servers for Oracle Exadata Express Cloud Instances
This configuration step creates targets on Oracle Audit Vault Servers for Oracle Exadata Express Cloud instances.
13.7.6 Step 6: Starting Audit Trail on Oracle Audit Vault Server for Oracle Exadata Express Cloud Instances
This configuration step starts audit trails on Oracle Audit Vault Server for Oracle Exadata Express Cloud instances.
Use this procedure to start audit trail on Oracle Audit Vault Server for Oracle Exadata Express Cloud instances:
13.8 Configuring Autonomous Data Warehouse and Autonomous Transaction Processing
Learn how to configure Oracle Database Cloud Service types as targets in TCPS mode for Autonomous Data Warehouse and Autonomous Transaction Processing.
13.8.1 Step 1: Install Audit Vault Agent on Registered Host
This configuration step installs Audit Vault Agents on registered host.
Prerequisites
Ensure the right version of JDK is installed. The supported JDK versions are:
- JDK7u80 or higher
- JDK8u71
- JCE Unlimited Strength Jurisdiction Policy Files with both JDK7 and JDK8. JDK 8 .jar files can be downloaded from: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Follow these steps:
- Install the Audit Vault Agent on the host machine. See Deploying the Audit Vault Agent on Host Computers for detailed steps.
- Start the Audit Vault Agent.
13.8.2 Step 2: Create User Accounts on Oracle Cloud Instances
This configuration step creates user account on Oracle Cloud instances.
Complete this procedure to create a user account on an Autonomous Data Warehouse or on an Autonomous Transaction Processing Cloud instance:
13.8.3 Step 3: Create Targets on Audit Vault Server for the Cloud Instances
This configuration step creates a target on Audit Vault Server for the Autonomous Data Warehouse and Autonomous Transaction Processing Cloud instances.
Prerequisites
- The user must download the client wallet using Oracle Cloud Infrastructure Console. See Download Client Credentials (Wallets) for complete information.
- Unzip the client wallet. The wallet contains the Single Sign On Wallet file (cwallet.sso).
- The user can get the connection string using Oracle Cloud Infrastructure Console.
The user must enter these details and specific settings on the target configuration page. Follow the below steps:
- Log in to Audit Vault Server console as an administrator.
- Click Targets tab.
- Click the Register button on the right.
- Enter a Name for the target and select the Type as Oracle Database.
- Optionally fill in the Description field.
- Under the Audit Connection Details sub tab, choose the Advanced option.
- In the Protocol menu, select TCPS.
- In the Wallet field, upload the Single Sign On Wallet file (cwallet.sso).
- Enter the TCPS connection string in the Target Location field: jdbc:oracle:thin:@<Connection string from OCI Console>
- Enter the User Name and Password.
- Click Save to save the configuration changes.
13.8.4 Step 4: Start Audit Trail on Audit Vault Server for the Autonomous Data Warehouse and Autonomous Transaction Processing Cloud Instances
This configuration step starts an audit trail on Audit Vault Server for the Autonomous Data Warehouse and Autonomous Transaction Processing Cloud instances.
Create audit trail using the Audit Vault Server console for the Autonomous Data Warehouse and Autonomous Transaction Processing Cloud instances. See Step 6: Starting Audit Trail on Audit Vault Server for Oracle Database Cloud Services Instances for complete information.
13.8.5 Step 5: (Optional) Revoke Audit Vault and Database Firewall Privileges for a User
Use this configuration step to revoke user privileges on Oracle Cloud instances.
The script used for this step is oracle_AVDF_dbcs_drop_db_permissions.sql.