12 Oracle Audit Vault and Database Firewall on Oracle Cloud Infrastructure

You can deploy Oracle AVDF on Oracle Cloud Infrastructure (OCI).

12.1 About Oracle AVDF on Oracle Cloud Infrastructure

Learn about Oracle AVDF on Oracle Cloud Infrastructure (OCI).

Oracle Cloud Infrastructure Marketplace is an online store that offers solutions specifically for customers of Oracle Cloud Infrastructure (OCI). Oracle Cloud Marketplace images are templates of virtual hard drives that determine the operating system and software to run on an instance. Oracle AVDF instances (Audit Vault Server instance or Database Firewall instance) can be provisioned on Oracle Cloud Infrastructure's Virtual Machine standard shapes using Oracle AVDF Cloud Marketplace images.

The Oracle AVDF Cloud Marketplace images consist of the Audit Vault Server image and the Database Firewall image, which are used to provision Audit Vault Server and Database Firewall instances, respectively.

12.2 Benefits of Provisioning Oracle AVDF on Oracle Cloud Infrastructure

Learn about the benefits of provisioning Oracle AVDF on Oracle Cloud Infrastructure (OCI).

Quick Provisioning

Oracle AVDF instances can be provisioned within minutes, without the need to procure and manage hardware.

Ease of Scaling up

Scaling up an Oracle AVDF instance to meet increased workload needs is simple. You can start with a small VM shape and scale up as the workload increases.

12.3 Supported Oracle Cloud Infrastructure Virtual Machine Shapes

List of supported VM standard shapes for deploying Oracle AVDF on Oracle Cloud Infrastructure (OCI).

The following Oracle Cloud Infrastructure VM standard shapes are supported for Oracle AVDF instances:

  • VM.Standard2.1
  • VM.Standard2.2
  • VM.Standard2.4
  • VM.Standard2.8
  • VM.Standard2.16
  • VM.Standard2.24
  • VM.Standard1.2
  • VM.Standard1.4
  • VM.Standard1.8
  • VM.Standard1.16
  • VM.Standard.E3.Flex

12.4 Provisioning Oracle AVDF with the Oracle Cloud Marketplace Image

Learn about provisioning Audit Vault Server or Database Firewall with the Oracle Cloud Marketplace image.

The following are required before you provision Oracle AVDF instances using the Oracle Cloud Marketplace image:

  1. A supported VM standard shape with at least 8 GB of memory (see Supported Oracle Cloud Infrastructure Virtual Machine Shapes).

  2. Block storage of at least 220 GB for the boot volume.

  3. A Virtual Cloud Network (VCN) in your tenancy.

  4. An SSH key pair for SSH access to the instance. Oracle AVDF instances accept the following key types:

    • ssh-ed25519
    • ssh-ed25519-cert-v01@openssh.com
    • ecdsa-sha2-nistp384
    • ecdsa-sha2-nistp384-cert-v01@openssh.com
    • rsa-sha2-512

Generate an SSH key pair of one of these types. For example, run the following command to generate an ssh-ed25519 key pair:

ssh-keygen -t ed25519

Note that an RSA public key is stored with the ssh-rsa prefix in the .pub file; rsa-sha2-512 in the list above is the SHA-512 signature algorithm that current OpenSSH clients use with such a key. Keys of other types (for example ecdsa-sha2-nistp256 or ssh-dss) are not accepted and cannot be used to log in to the instance.

12.4.1 Accessing the Oracle AVDF Cloud Marketplace Image

Learn how to access the Oracle AVDF Cloud Marketplace image.

The Oracle AVDF Cloud Marketplace image is available on the Oracle Cloud Marketplace website. Follow these steps:

  1. Go to Oracle Cloud Marketplace.
  2. In the Applications search field, enter Oracle Audit Vault and Database Firewall.
  3. Click Go.
  4. Under the search results, click Oracle Audit Vault and Database Firewall to navigate to the Oracle AVDF Cloud Marketplace page.

    Note:

    Use the latest Audit Vault Server 20.x image for the Audit Vault Server and the latest Database Firewall 20.x image for the Database Firewall from the Oracle Cloud Marketplace website. Other artifacts (installable files) can be downloaded from Oracle Software Delivery Cloud. Refer to About Oracle AVDF Installable Files.

12.4.2 Creating an Oracle AVDF instance with Oracle Cloud Marketplace Image

Learn how to create an Oracle AVDF instance with Oracle Cloud Marketplace image.

Follow these steps:

  1. In the Oracle AVDF Cloud Marketplace page, click the Get App button.
  2. If you already have an OCI account, select the OCI region, and then click Sign In. Otherwise, click Sign Up to create a new account.
  3. In the Get Version menu, select the latest Audit Vault Server 20.x image for an Audit Vault Server instance or the latest Database Firewall 20.x image for a Database Firewall instance.
  4. In the Compartment menu, select a compartment.
  5. Check the I have reviewed the terms and conditions box.
  6. Click Launch Instance.
  7. The Create Compute Instance page is displayed. Fill in the required details:
    1. Provide a NAME for the Oracle AVDF instance.
    2. Choose the AVAILABILITY DOMAIN.
    3. Under Shape, click Change Shape.
    4. Choose Virtual Machine as the Instance Type.
    5. Select the Shape series.
    6. Choose the shape for the instance, and then click Select Shape.
  8. In the Configure networking section, select the following fields:
    1. VIRTUAL CLOUD NETWORK COMPARTMENT
    2. SELECT A VIRTUAL CLOUD NETWORK
    3. SUBNET COMPARTMENT
    4. SUBNET
  9. Check one of the following options for IP address:
    • ASSIGN A PUBLIC IP ADDRESS
    • DO NOT ASSIGN A PUBLIC IP ADDRESS

    Note:

    See IP Addresses in your VCN (Virtual Cloud Network) to understand more about public and private IP addresses in Oracle Cloud Infrastructure.
  10. In the Add SSH Keys section, provide your SSH public key by selecting Choose public key files or Paste public keys. If you select any other option, you will not be able to connect to the Oracle AVDF instance.
  11. Under Boot volume section, specify a custom boot volume size if you want the boot volume to be larger than the default size of 220 GB.

    Note:

    The custom boot volume size should not exceed 2TB. Refer to Scaling up Oracle AVDF Instance section for more details on expanding storage.
  12. Click Advanced Options, and then choose the default options in all the tabs.
  13. Click Create to start creating the instance.
  14. After the instance state changes to Running in the Oracle Cloud Infrastructure console, wait for a few minutes for the underlying services to start up before accessing the instance.
  15. Perform the post instance creation steps.

    Note:

    For production workload, follow the sizing guidelines (MOS Doc ID 2223771.1) to calculate shape and storage requirements.

12.4.3 Post Instance Creation Steps

Perform one time post instance creation steps.

After the instance creation is completed, you must perform these steps once.

For Audit Vault Server Instance

  1. Connect to the instance through SSH using the ssh utility. See section Connecting to Oracle AVDF Instance.
  2. Change the root user's password by running the following command. The root password is required to troubleshoot the instance through an OCI instance console connection.

    sudo passwd root
  3. Generate a one time passphrase by running the command:

    sudo -u oracle /usr/local/dbfw/bin/generate_post_install_passphrase
  4. Copy the passphrase that is returned by the above command.
  5. Access the Audit Vault Server console by entering https://<IP address of the instance> as the URL in the browser.
  6. Enter the passphrase copied from the earlier step in the Post Install Authentication page of the Audit Vault Server console.
  7. Fill in the details in the Post Install Configuration page.
  8. In the AVS IP for Agent Communication section, specify the public IP of the Audit Vault Server if you are expecting to collect audit data from any target outside of OCI. See section Deploying Audit Vault Agents for more details.

    Note:

    After the post installation step is complete, changing the AVS IP for Agent communication is not supported.
  9. DNS is automatically set to 169.254.169.254, the OCI VCN resolver. You can specify a different DNS server if required.

  10. Click Save.

For Database Firewall Instance

  1. Connect to the instance through SSH using the ssh utility. See section Connecting to Oracle AVDF Instance.
  2. Change the root user's password by running the following command. The root password is required to troubleshoot the instance through an OCI instance console connection.

    sudo passwd root

12.5 Connecting to Oracle AVDF Instance

Learn how to access Audit Vault Server and Database Firewall instances on Oracle Cloud Infrastructure (OCI).

Connecting through SSH

Prerequisite: The OCI virtual firewall (security list or network security group) for your VCN must allow ingress traffic on SSH port 22. Restrict the rule's source to the address range your administrators connect from rather than 0.0.0.0/0. See OCI Access and Security for complete information.

The public key specified during instance creation is installed on the Oracle AVDF instance for SSH authentication; password authentication over SSH is not available on OCI instances (see Table 12-1). After the instance creation is completed, connect to the instance as the opc user using the matching private key.

Using the ssh utility, run the following command:

ssh -i <path to private key file> opc@<IP address of Oracle AVDF instance>

Note:

Oracle AVDF instances accept the following public key types:

  • ssh-ed25519
  • ssh-ed25519-cert-v01@openssh.com
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp384-cert-v01@openssh.com
  • rsa-sha2-512
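The accepted key types above (also listed under the prerequisites in section 12.4) are easy to get wrong when a key is copied between tools, so the following added example checks a public key line before it is pasted into the OCI console. It is not Oracle code. It parses the authorized_keys line format, reads the algorithm name stored inside the base64 blob, and reports whether the key would work for the opc login. One assumption is labelled in the code: the list entry rsa-sha2-512 is treated as covering ssh-rsa public keys, because in OpenSSH rsa-sha2-512 names the signature algorithm used with an RSA key while the .pub file still carries the ssh-rsa prefix. The sample keys are constructed placeholders with the correct wire encoding, not real key material.

```python
"""Check OpenSSH public keys against the key types Oracle AVDF instances on OCI accept.

Added example for this chapter; not Oracle code. Parses "<type> <base64 blob> [comment]"
and reads the algorithm name inside the blob, so an edited or truncated line is caught
before it is pasted into the OCI console.
"""
import base64
import struct

# Key types listed in the Oracle AVDF documentation for OCI instances.
ACCEPTED_ALGORITHMS = {
    "ssh-ed25519",
    "ssh-ed25519-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "rsa-sha2-512",
}

# .pub prefix -> algorithm name negotiated with the server. Assumption: an RSA key is
# accepted through the rsa-sha2-512 entry, since that is the signature algorithm OpenSSH
# uses with an ssh-rsa key.
PREFIX_TO_ALGORITHM = {"ssh-rsa": "rsa-sha2-512"}


def _pack_string(data: bytes) -> bytes:
    """Encode one RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, offset: int = 0) -> tuple[bytes, int]:
    """Decode one RFC 4251 'string' at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def build_key_line(prefix: str, *fields: bytes, comment: str = "constructed") -> str:
    """Build an authorized_keys-style line; used here only to construct sample input."""
    blob = _pack_string(prefix.encode("ascii")) + b"".join(_pack_string(f) for f in fields)
    return f"{prefix} {base64.b64encode(blob).decode('ascii')} {comment}"


def classify_public_key(line: str) -> dict:
    """Return prefix, blob_type, algorithm, accepted and reason for one public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    prefix, encoded = parts[0], parts[1]
    result = {"prefix": prefix, "blob_type": None, "algorithm": None, "accepted": False, "reason": ""}
    try:
        blob = base64.b64decode(encoded, validate=True)
        blob_type = _read_string(blob)[0].decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error subclasses ValueError
        result["reason"] = f"unparseable key blob: {exc}"
        return result
    result["blob_type"] = blob_type
    if blob_type != prefix:
        result["reason"] = "type prefix does not match the key blob (edited or corrupted line)"
        return result
    algorithm = PREFIX_TO_ALGORITHM.get(prefix, prefix)
    result["algorithm"] = algorithm
    if algorithm in ACCEPTED_ALGORITHMS:
        result["accepted"] = True
        result["reason"] = "accepted by Oracle AVDF instances"
    else:
        result["reason"] = "not an accepted type; generate an ed25519 or ecdsa nistp384 key"
    return result


# Constructed sample keys: placeholder field contents with the correct encoding.
SAMPLE_KEYS = {
    "ed25519": build_key_line("ssh-ed25519", bytes(32)),
    "nistp384": build_key_line("ecdsa-sha2-nistp384", b"nistp384", b"\x04" + bytes(96)),
    "rsa": build_key_line("ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(256)),
    "nistp256": build_key_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes(64)),
    "dsa": build_key_line("ssh-dss", bytes(128), bytes(20), bytes(128), bytes(128)),
}
# A hand-edited line: the prefix claims ed25519 but the blob is the RSA key above.
TAMPERED_KEY = "ssh-ed25519 " + SAMPLE_KEYS["rsa"].split()[1] + " edited-prefix"

if __name__ == "__main__":
    for name, line in list(SAMPLE_KEYS.items()) + [("tampered", TAMPERED_KEY)]:
        r = classify_public_key(line)
        print(f"{name:9} {r['prefix']:22} accepted={r['accepted']!s:5} {r['reason']}")
```

Run it against your own key with `classify_public_key(open("~/.ssh/id_ed25519.pub").read())` (expand the path first); a nistp256 or DSA key is reported as not accepted, and a line whose prefix was edited by hand is caught because the algorithm name inside the blob no longer matches it.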

Connecting through Audit Vault Server console

Prerequisite: The OCI virtual firewall for your VCN must allow ingress traffic on port 443, again restricted to the address range your administrators connect from. See OCI Access and Security for complete information.

Access the Audit Vault Server console by entering https://<IP address of the Audit Vault Server instance> as the URL in your browser.

12.6 Scaling up Oracle AVDF Instance

Learn to scale up Oracle AVDF instances on OCI.

CPU, memory, network bandwidth, and repository storage of Oracle AVDF instance can be scaled up without recreating the instance. This allows for increased performance to meet growing workload needs.

Changing the Shape of Oracle AVDF Instance

CPU, memory, and network bandwidth can be scaled up by changing the shape of the instance to one of the supported VM standard shapes.

Use the OCI console to edit the shape of the instance. Refer to Using the Console for more details.

Note:

Changing a shape to a smaller one than the current shape is not supported. For example, changing the shape from VM.Standard2.4 to VM.Standard2.2 is not supported.

Expanding Repository Storage for Audit Vault Server

Each Audit Vault Server instance has a repository that stores the collected audit and network event data. The storage requirements increase as the collection workload grows. To meet the storage needs, expand the Audit Vault Server repository storage in the following ways:

  • During instance creation: When you specify a boot volume larger than the default for an Audit Vault Server instance, the underlying repository storage is automatically expanded. Refer to section Creating an Oracle AVDF instance with Oracle Cloud Marketplace Image on how to specify a custom boot volume size.

  • Post instance creation: Follow these steps:

    1. Attach additional OCI Block storage to the instance. Follow the steps listed in Attaching the Volume to an Instance.
    2. Ensure the disks are visible at the OS level by running the following command:

      lsblk
    3. Follow the manual steps listed in MOS note (Doc ID 1923751.1) to complete expanding repository storage.

Note:

  • Do not attach the same OCI Block Volume to any other instance; shared access can lead to data loss.
  • SAN storage is not supported.
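Before handing a device to the expansion procedure in the MOS note, it is worth confirming which disk is the newly attached, still empty volume, so that a volume already holding data is never reused (the data-loss case in the note above). The following added example, not Oracle code, parses the JSON form of lsblk from step 2 (`lsblk -J -b -o NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT`, util-linux) and returns only whole disks that have no partitions, no filesystem signature and no mount point. SAMPLE_LSBLK is constructed output with an invented disk layout; run_lsblk() obtains the real one on the instance.

```python
"""Identify the newly attached, unused block volume before expanding repository storage.

Added example for this chapter; not Oracle code. Parses `lsblk -J -b -o ...` output and
returns whole disks with no partitions, no filesystem signature and no mount point.
"""
import json
import subprocess

LSBLK_COLUMNS = "NAME,SIZE,TYPE,FSTYPE,MOUNTPOINT"

# Constructed lsblk -J -b output (invented layout): sda is a partitioned boot volume,
# sdb is a freshly attached 500 GiB block volume, sdc already carries a filesystem.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "size": "236223201280", "type": "disk", "fstype": None, "mountpoint": None,
     "children": [
         {"name": "sda1", "size": "209715200", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
         {"name": "sda2", "size": "1073741824", "type": "part", "fstype": "xfs", "mountpoint": "/boot"},
         {"name": "sda3", "size": "234939744256", "type": "part", "fstype": "LVM2_member", "mountpoint": None,
          "children": [
              {"name": "vg_root-lv_root", "size": "53687091200", "type": "lvm", "fstype": "xfs", "mountpoint": "/"}]}]},
    {"name": "sdb", "size": "536870912000", "type": "disk", "fstype": None, "mountpoint": None},
    {"name": "sdc", "size": "107374182400", "type": "disk", "fstype": "xfs", "mountpoint": None},
]})


def _mountpoints(dev: dict) -> list[str]:
    """Newer lsblk emits 'mountpoints' (a list, possibly with nulls); older emits 'mountpoint'."""
    if "mountpoints" in dev:
        return [m for m in dev["mountpoints"] if m]
    return [dev["mountpoint"]] if dev.get("mountpoint") else []


def _holds_data(dev: dict) -> bool:
    """True if this device or anything beneath it has a filesystem/LVM/RAID signature or a mount point."""
    if dev.get("fstype") or _mountpoints(dev):
        return True
    return any(_holds_data(child) for child in dev.get("children", []))


def unused_disks(lsblk_json: str, min_bytes: int = 0) -> list[dict]:
    """Whole disks with no partitions and no data, at least min_bytes large."""
    candidates = []
    for dev in json.loads(lsblk_json)["blockdevices"]:
        if dev.get("type") != "disk":
            continue
        if dev.get("children") or _holds_data(dev):
            continue  # partitioned or in use: never offer it for expansion
        size = int(dev["size"])  # -b gives bytes; a string in older lsblk, a number in newer
        if size >= min_bytes:
            candidates.append({"name": dev["name"], "path": f"/dev/{dev['name']}",
                               "size_gib": round(size / 2**30, 1)})
    return candidates


def run_lsblk() -> str:
    """Run lsblk on the instance itself (not used with the embedded sample)."""
    return subprocess.run(["lsblk", "-J", "-b", "-o", LSBLK_COLUMNS],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for disk in unused_disks(SAMPLE_LSBLK, min_bytes=50 * 2**30):
        print(f"{disk['path']}: {disk['size_gib']} GiB, unpartitioned and unused")
```

On the instance, replace SAMPLE_LSBLK with run_lsblk(). The check cannot tell whether a volume is also attached to another instance, so the rule in the note above still has to be enforced in the OCI console.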

12.7 Changes in Functionality for Oracle AVDF Instances on OCI

Learn about the changes in functionality of Oracle AVDF deployed on Oracle Cloud Infrastructure (OCI).

Table 12-1 Functional Differences Between Oracle AVDF Deployed On-premises and on OCI

Functionality: SSH authentication
  On-premises: Password based authentication
  OCI: Key based authentication

Functionality: Network settings (IP address and host name)
  On-premises: Network settings can be modified using the Audit Vault Server console.
  OCI: These settings are read-only in the Audit Vault Server console. They can be modified from the OCI console.

Functionality: Time synchronization
  On-premises: NTP settings can be modified using the Audit Vault Server console.
  OCI: NTP is configured automatically during instance creation, and the NTP server settings cannot be changed.

Functionality: DNS
  On-premises: The DNS setting can be modified using the Audit Vault Server console.
  OCI: DNS is automatically set to 169.254.169.254 (the OCI VCN resolver) during instance creation. The setting can be changed in the Audit Vault Server console.

Functionality: Repository storage expansion
  On-premises: SAN storage
  OCI: OCI Block Storage must be used for storage expansion.

Functionality: Archive or backup location
  On-premises: NFS
  OCI: OCI File Storage (recommended)

Functionality: Database Firewall deployment modes
  On-premises:
    • Monitoring / Blocking (Proxy)
    • Monitoring (Host Monitor)
    • Monitoring (Out-of-Band)
  OCI:
    • Monitoring / Blocking (Proxy)
    • Monitoring (Host Monitor)
    • Monitoring (Out-of-Band) is not supported.

Functionality: Secondary network interface cards on Audit Vault Server
  On-premises: Supported
  OCI: Not supported. Only the primary network interface card, the one associated with the instance's primary private IP address, is supported.

Functionality: Secondary network interface cards on Database Firewall
  On-premises: Supported
  OCI: Not supported

12.8 Ports for Communication between Oracle AVDF Components

Learn about different ports used by Oracle AVDF for communication between different components.

The list of ports used by Oracle AVDF is listed in Ports Used by Oracle Audit Vault and Database Firewall.

12.9 High Availability for Oracle AVDF Instance

Learn about high availability for Oracle AVDF instance.

High availability in Oracle AVDF makes the deployment more reliable by ensuring continuity of functionality (for example, audit and network event data collection).

Configuring High Availability in Audit Vault Server

Prerequisite: The OCI virtual firewall for your VCN must allow ingress traffic on ports 7443, 1521, and 1522 between the two Audit Vault Server instances. See OCI Access and Security for complete information.

To configure high availability, you need two Audit Vault Server instances: the first is the primary server and the second is the secondary server. The steps to configure high availability are the same as for an on-premises deployment, except that the private IP addresses of the Audit Vault Server instances must be used during the high availability configuration.

Configuring High Availability in Database Firewall

Configuring high availability for Database Firewall instance is supported only for Monitoring / Blocking (Proxy) mode.

Prerequisite: OCI virtual firewall for your VCN must be configured to allow ingress traffic on proxy ports for Database Firewall nodes. See OCI Access and Security for complete information.

To configure high availability, you need two Database Firewall instances: the first is the primary and the second is the secondary. The steps to configure high availability are the same as for an on-premises deployment.

12.10 Deploying Audit Vault Agents

Learn about deploying Audit Vault Agents.

Audit Vault Agent is a component of Oracle AVDF that you deploy on a machine (usually the same host as the target) to collect audit data from targets.

Prerequisite: OCI virtual firewall for your VCN must be configured to allow ingress traffic on ports 1521 and 1522 for Audit Vault Server. See OCI Access and Security for complete information.

Follow these steps to deploy an Audit Vault Agent:

  1. Register the Audit Vault Agent machine on the Audit Vault Server. In some cases, you need to specify the AGENT_PHYSICAL_ADDRESS_XX Agent attribute (where XX is a number from 01 to 99). See Registering Hosts in the Audit Vault Server for complete information.
  2. Download the Audit Vault Agent software from Audit Vault Server console to the Agent machine.
  3. Install the Audit Vault Agent software on the Agent machine.
  4. Activate and start the Audit Vault Agent.

The Audit Vault Agent communicates with the Audit Vault Server using a JDBC connect string that contains the IP address of the Audit Vault Server. The connect string is generated automatically during the post instance creation steps. Specify the IP address to be used in the connect string by filling in the AVS IP for Agent Communication section on the Post installation configuration page of the Audit Vault Server console. If no IP address is specified, the private IP address of the Audit Vault Server is used. This choice cannot be changed after the post installation step is complete.

Follow these guidelines for the type of IP address to be specified in the Post installation configuration page of the Audit Vault Server:

  • If you are expecting to collect audit data from any target outside of OCI, then specify a public IP address of the Audit Vault Server.
  • If you are expecting to collect audit data from targets only in OCI, then specify a private IP address of the Audit Vault Server.
  • If you are expecting to deploy Database Firewall in Monitoring (Host Monitor) mode for targets only in OCI, then specify the private IP address of the Audit Vault Server.

Table 12-2 Platform Support Matrix for Audit Vault Agent and Host Monitor Agent Deployment

Platform: Oracle Linux 64 bit (OCI)
  Audit Vault Agent deployment: Yes
  Host Monitor Agent deployment: Yes

Platform: Oracle Linux 64 bit (outside OCI)
  Audit Vault Agent deployment: Yes
  Host Monitor Agent deployment: No

Platform: Microsoft Windows Server (x86-64) (OCI)
  Audit Vault Agent deployment: Yes
  Host Monitor Agent deployment: Yes

Platform: Microsoft Windows Server (x86-64) (outside OCI)
  Audit Vault Agent deployment: Yes
  Host Monitor Agent deployment: No

12.11 Configuring Audit Trail Collection

Learn how to configure audit trails.

The steps to configure audit trails are the same as for an on-premises deployment.

12.12 Deploying Database Firewall for Monitoring

Learn about deploying Database Firewall on Oracle Cloud Infrastructure (OCI).

The following Database Firewall deployment modes are supported on OCI:

  • Monitoring / Blocking (Proxy)
  • Monitoring (Host Monitor)

Prerequisites:

  • For Database Firewall deployed in Monitoring (Host Monitor) mode, the virtual firewall for your Database Firewall VCN must be configured to allow ingress traffic on ports ranging from 2051 to 5100. See OCI Access and Security for complete information.
  • For Database Firewall deployed in Monitoring / Blocking (Proxy) mode, the virtual firewall for your Database Firewall VCN must be configured to open the specific proxy port.
  • For the Audit Vault Server to collect network event data from the Database Firewall, you must configure the virtual firewall of your Database Firewall VCN to allow ingress traffic on port 1514 from the Audit Vault Server.
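The ingress requirements in this chapter (port 22 and 443 in section 12.5, ports 7443, 1521 and 1522 for high availability in section 12.9, ports 1521 and 1522 for Agents in section 12.10, and ports 1514, 2051 to 5100 and the proxy port above) are scattered across several sections, and each rule should name the narrowest source that still works. The following added example, which is neither Oracle code nor part of the OCI SDK, collects them into security-list ingress rules and audits a rule set for the mistakes that matter most: admin ports open to 0.0.0.0/0, rules not limited to TCP destination ports, and malformed sources. The port numbers are the chapter's; everything else is an assumption to adapt before use: the CIDRs, the proxy port 1530, and the rule layout, which follows the OCI IngressSecurityRule JSON model (protocol, source, sourceType, isStateless, tcpOptions.destinationPortRange) as read by `oci network security-list update --ingress-security-rules file://rules.json`. Check the field names against the OCI CLI reference for your CLI version.

```python
"""Build and audit OCI security-list ingress rules for an Oracle AVDF deployment.

Added example for this chapter; not Oracle code and not the OCI SDK. Port numbers come
from the chapter; CIDRs, the proxy port and the JSON field layout are assumptions.
"""
import ipaddress
import json
from typing import Optional

TCP = "6"                      # IANA protocol number, as OCI expects it
WORLD = "0.0.0.0/0"
ADMIN_PORTS = {22, 443}        # SSH and the Audit Vault Server console

# Constructed addressing for the example; replace with your tenancy's values.
ADMIN_CIDR = "203.0.113.0/28"          # where administrators SSH and browse from
AVS_PRIVATE_IP = "10.0.1.10/32"         # primary Audit Vault Server
AVS_PEER_PRIVATE_IP = "10.0.1.11/32"    # secondary Audit Vault Server (high availability)
DBFW_PROXY_PORT = 1530                  # assumption; the chapter only says "the specific proxy port"


def tcp_rule(source: str, low: int, high: Optional[int] = None, description: str = "") -> dict:
    """One stateful TCP ingress rule for a destination port (range) from a source CIDR."""
    high = low if high is None else high
    return {
        "protocol": TCP,
        "source": source,
        "sourceType": "CIDR_BLOCK",
        "isStateless": False,
        "tcpOptions": {"destinationPortRange": {"min": low, "max": high}},
        "description": description,
    }


def audit_vault_server_rules(agent_sources: list[str], high_availability: bool = True) -> list[dict]:
    """Ingress rules for the Audit Vault Server subnet.

    agent_sources: CIDRs the Audit Vault Agents connect from. If any target is outside OCI
    these include public ranges, and the server then needs a public IP (AVS IP for Agent Communication).
    """
    rules = [
        tcp_rule(ADMIN_CIDR, 22, description="SSH as opc"),
        tcp_rule(ADMIN_CIDR, 443, description="Audit Vault Server console"),
    ]
    rules += [tcp_rule(src, 1521, 1522, description="Audit Vault Agent to Audit Vault Server")
              for src in agent_sources]
    if high_availability:
        rules.append(tcp_rule(AVS_PEER_PRIVATE_IP, 7443, description="HA peer"))
        rules.append(tcp_rule(AVS_PEER_PRIVATE_IP, 1521, 1522, description="HA peer"))
    return rules


def database_firewall_rules(host_monitor_sources: list[str], db_client_sources: list[str]) -> list[dict]:
    """Ingress rules for the Database Firewall subnet (Host Monitor and Proxy modes)."""
    rules = [
        tcp_rule(ADMIN_CIDR, 22, description="SSH as opc"),
        tcp_rule(AVS_PRIVATE_IP, 1514, description="Audit Vault Server collects network event data"),
    ]
    rules += [tcp_rule(src, 2051, 5100, description="Host Monitor to Database Firewall")
              for src in host_monitor_sources]
    rules += [tcp_rule(src, DBFW_PROXY_PORT, description="database clients to proxy")
              for src in db_client_sources]
    return rules


def audit_rules(rules: list[dict]) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a rule set; an empty list means clean."""
    findings = []
    for rule in rules:
        try:
            # strict=True rejects sources like 10.0.2.5/24 whose host bits are set
            network = ipaddress.ip_network(rule["source"], strict=True)
        except ValueError as exc:
            findings.append(("high", f"invalid source {rule['source']!r}: {exc}"))
            continue
        ports = rule.get("tcpOptions", {}).get("destinationPortRange")
        if rule.get("protocol") != TCP or ports is None:
            findings.append(("high", f"rule from {rule['source']} is not limited to TCP destination ports"))
            continue
        low, high = ports["min"], ports["max"]
        if network.prefixlen == 0:
            exposed_admin = sorted(p for p in ADMIN_PORTS if low <= p <= high)
            if exposed_admin:
                findings.append(("high", f"admin port(s) {exposed_admin} open to {rule['source']}"))
            else:
                findings.append(("medium", f"ports {low}-{high} open to {rule['source']}"))
    return findings


def render(rules: list[dict]) -> str:
    """Serialize rules as the JSON array the OCI CLI reads from file://rules.json."""
    return json.dumps(rules, indent=2)


if __name__ == "__main__":
    avs = audit_vault_server_rules(["10.0.2.0/24"])
    dbfw = database_firewall_rules(["10.0.2.0/24"], ["10.0.3.0/24"])
    print(render(avs))
    for severity, message in audit_rules(avs + dbfw + [tcp_rule(WORLD, 22, description="lazy SSH")]):
        print(severity, message)
```

A rule set generated this way passes the audit; adding a single SSH rule from 0.0.0.0/0 produces a high finding. When Agents outside OCI are expected, the source CIDRs for 1521-1522 are their public ranges, and the audit still flags it if someone shortcuts that to the whole Internet.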

When deploying Database Firewall, consider these points:

  • You can use either the public or the private IP address of the Database Firewall to register it with the Audit Vault Server.
  • When configuring a Database Firewall monitoring point, use the primary VNIC as the network interface card.
  • Use the private IP address of the target when enabling native network encrypted traffic monitoring for Oracle Database.
  • When configuring the Database Firewall monitoring point for Oracle Real Application Clusters (Oracle RAC), use the IP address of the SCAN listener.

Note:

  • Database Firewall monitoring and protection is not supported for targets outside OCI.
  • For deploying Host Monitor, follow the same guidelines mentioned in section Deploying Audit Vault Agents.

12.13 Monitoring Autonomous Database Services

Learn how to monitor Autonomous Database services with Oracle AVDF on OCI.

Clients connect to Autonomous Database services using a public or a private endpoint. Use the public endpoint when configuring an Autonomous Database service as a target in the Audit Vault Server.

Configuring Audit Trail

To configure audit trail for collection, follow the instructions in section Configuring Audit Trail Collection with the following changes:

  • You must provide the public endpoint, the credentials wallet, and the user credentials of your Autonomous Database during target registration.
  • You must deploy the Audit Vault Agent on a separate host (remote deployment), because an Autonomous Database provides no operating system access, and ensure that host can reach the public endpoint.

Configuring Audit Provisioning and Entitlement Retrieval

For Audit Provisioning and Entitlement Retrieval, the Audit Vault Server connects to the Autonomous Database using the audit connection details you have provided during target registration. Therefore, you must ensure the Audit Vault Server can access the public endpoint of your Autonomous database.

Configuring Database Firewall

Database Firewall monitoring is not supported for Autonomous Database services.

See Also:

Connecting to an Autonomous Database for more information on public or private endpoint of the Autonomous Database.

12.14 Monitoring DB Systems on OCI

Learn how to monitor DB Systems with Oracle AVDF on OCI.

OCI DB Systems allow you to configure SSH key based access to the machine hosting the database. You can install the Audit Vault Agent on the DB Systems.

In addition, all SQL connections use native network encryption by default.

Configuring Audit Trail Collection

Refer to the following sections:

Configuring Audit Provisioning and Entitlement Retrieval

For Audit Provisioning and Entitlement Retrieval, the Audit Vault Server connects to the DB System on OCI using the audit connection details provided during target registration. Therefore, you must ensure that the Audit Vault Server has JDBC access to the database listener.

Configuring Database Firewall Monitoring

Refer to section Deploying Database Firewall for Monitoring.

12.15 Backup and Restore of Oracle AVDF Instances in OCI

Learn about back up and restore functionality for Oracle AVDF instances in OCI.

The purpose of backup and restore is to protect against data loss and to restore the instance from a backup taken earlier.

Backup and Restore of Audit Vault Server

The steps to back up and restore the Audit Vault Server are the same as for an on-premises deployment, with the following changes:

  • Use OCI File Storage when configuring the backup location.
  • When configuring the restore, you must set the USE_NEW_IP parameter to Y.

Backup and Restore of Database Firewall

The Database Firewall does not need to be backed up separately. As part of the Audit Vault Server backup, all existing Database Firewall configuration is backed up. After restoring the Audit Vault Server, the configuration is restored to the Database Firewall. Follow the steps in section Backing Up and Restoring the Database Firewall to complete the restore process.

12.16 Archiving and Retrieving Audit Data

Learn about archiving and retrieving audit data of Oracle AVDF on OCI.

Archiving and retrieving audit data is similar to the on-premises deployment. Use OCI File Storage when specifying the archive locations.

To comply with corporate guidelines, enterprises define data retention policies for audit and network event data. Retention policies define how long the collected data is kept online (so that it is visible in reports) and how long it is kept in archive. Using Oracle AVDF, you can set data retention policies for every target. Data is visible in reports during the online period. For archiving, Oracle AVDF supports both manual and automatic modes. In manual archiving mode, as soon as the online period expires, the data is taken offline but stays on the Audit Vault Server; it has to be moved to a remote location manually. In automatic archiving mode, the data is moved automatically to a configured NFS location after the online period expires. Oracle AVDF allows switching between manual and automatic archiving modes. For an Audit Vault Server deployed in OCI, use OCI File Storage for the NFS locations.

12.17 Starting or Stopping the Oracle AVDF Instance

Learn how to start or stop the Oracle AVDF instance.

The Audit Vault Server console or the OCI console can be used to stop the instances. Instances that are stopped can only be started using the OCI console.

Refer to Stopping and Starting an Instance using OCI console.

From the Audit Vault Server console, you can stop or reboot the Oracle AVDF instance.

To Power Off or Reboot the Audit Vault Server instance

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click Settings tab.
  3. Click System tab in the left navigation menu.
  4. In the top right corner of the main page, click Power Off to stop the instance, or click Reboot to restart the instance.

To Power Off or Reboot the Database Firewall instance

The Database Firewall instance must be registered in the Audit Vault Server console.

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click Database Firewalls tab.
  3. Select the checkbox against the specific Database Firewall instance.
  4. Click Power Off to stop the instance. Click Reboot to restart the instance.

12.18 Terminating Oracle AVDF Instance

Learn about terminating Oracle AVDF instance.

You can terminate the Oracle AVDF instance using the OCI console by following the steps in section Terminating an Instance.

Note:

When the instance is terminated, all audit and network event data is permanently lost, unless you have taken a backup from which you can restore. Terminated instances are temporarily visible in the list of instances with the status Terminated.