12 Oracle Audit Vault and Database Firewall on Oracle Cloud Infrastructure

You can deploy Oracle AVDF on Oracle Cloud Infrastructure (OCI).

12.1 About Oracle AVDF on Oracle Cloud Infrastructure

Learn about Oracle AVDF on Oracle Cloud Infrastructure (OCI).

Oracle Cloud Infrastructure Marketplace is an online store that offers solutions specifically for customers of Oracle Cloud Infrastructure (OCI). Oracle Cloud Marketplace images are templates of virtual hard drives that determine the operating system and software to run on an instance. Oracle AVDF instances (Audit Vault Server instance or Database Firewall instance) can be provisioned on Oracle Cloud Infrastructure's Virtual Machine standard shapes using Oracle AVDF Cloud Marketplace images.

Oracle AVDF Cloud Marketplace images consist of the Audit Vault Server image and the Database Firewall image that is used to provision Audit Vault Server and Database Firewall instances respectively.

See Also:

Oracle Cloud Marketplace

12.2 Benefits of Provisioning Oracle AVDF on Oracle Cloud Infrastructure

Learn about the benefits of provisioning Oracle AVDF on Oracle Cloud Infrastructure (OCI).

Quick Provisioning

Oracle AVDF instances can be provisioned within minutes, without the need to procure and manage hardware.

Ease of Scaling up

Scaling up Oracle AVDF instance to meet increased workload needs, is simple and easy. Ease of scaling up gives you the option to start with a small VM shape and scale up as workload increases.

12.3 Supported Oracle Cloud Infrastructure Virtual Machine Shapes

List of supported VM standard shapes for deploying Oracle AVDF on Oracle Cloud Infrastructure (OCI).

The following Oracle Cloud Infrastructure VM standard shapes are supported for Oracle AVDF instances:

• VM.Standard2.2
• VM.Standard2.4
• VM.Standard2.8
• VM.Standard2.16
• VM.Standard2.24
• VM.Standard1.2
• VM.Standard1.4
• VM.Standard1.8
• VM.Standard1.16
• VM.Standard.E3.Flex
• VM.Standard.E4.Flex (Supported starting with Oracle AVDF release 20.7)

See Also:

Oracle Cloud Infrastructure compute shapes

12.4 Provisioning Oracle AVDF with the Oracle Cloud Marketplace Image

Learn about provisioning Audit Vault Server or Database Firewall with Oracle Cloud Marketplace image.

The following are required prior to provisioning Oracle AVDF instances using the Oracle Cloud Marketplace image:

1. A VM standard shape with a minimum memory of 8GB.

2. Block storage with a minimum of 220 GB.

3. A Virtual Cloud Network (VCN) in your tenancy.

4. SSH key pair for ssh access to the instance. Oracle AVDF instance accepts the following key types:

   • ssh-ed25519
   • ssh-ed25519-cert-v01@openssh.com
   • ecdsa-sha2-nistp384
   • ecdsa-sha2-nistp384-cert-v01@openssh.com
   • rsa-sha2-512 key types

Generate an SSH key pair of these types. For example: Run the following command to generate a public key of ssh-ed25519 type:

ssh-keygen -t ed25519

12.4.1 Accessing the Oracle AVDF Cloud Marketplace Image

Learn how to access the Oracle AVDF Cloud Marketplace image.

The Oracle AVDF Cloud Marketplace image is available on the Oracle Cloud Marketplace website. Follow these steps:

1. Go to Oracle Cloud Marketplace.
2. In the Applications search field, enter Oracle Audit Vault and Database Firewall.
3. Click Go.
4. Under the search results, click Oracle Audit Vault and Database Firewall to navigate to the Oracle AVDF Cloud Marketplace page.

   Note:

   Access the latest Audit Vault Server 20.x for Audit Vault Server image or Database Firewall 20.x for Database Firewall image from Oracle Cloud Marketplace website. Other artifacts (or installable files) can be downloaded from Oracle Software Delivery Cloud. Refer to About Oracle AVDF Installable Files.

12.4.2 Creating an Oracle AVDF instance with Oracle Cloud Marketplace Image

Learn how to create an Oracle AVDF instance with Oracle Cloud Marketplace image.

Follow these steps:

1. In the Oracle AVDF Cloud Marketplace page, click the Get App button.
2. If you already have an OCI account, select the OCI region, and then click Sign In. Else, click Sign Up to create a new account.
3. In the Get Version menu, select the latest Audit Vault Server 20.x for Audit Vault Server image or Database Firewall 20.x for Database Firewall image.
4. In the Compartment menu, select a compartment.
5. Check the I have reviewed the terms and conditions box.
6. Click Launch Instance.
7. The Create Compute Instance page is displayed. Fill in the required details:
   1. Provide a NAME for the Oracle AVDF instance.
   2. Choose the AVAILABILITY DOMAIN.
   3. Under Shape, click Change Shape.
   4. Choose Virtual Machine as the Instance Type.
   5. Select the Shape series.
   6. Then click Select Shape. Choose the shape for the instance.
8. In the Configure networking section, select the following fields:
   1. VIRTUAL CLOUD NETWORK COMPARTMENT
   2. SELECT A VIRTUAL CLOUD NETWORK
   3. SUBNET COMPARTMENT
   4. SUBNET
9. Check one of the following options for IP address:
   • ASSIGN A PUBLIC IP ADDRESS
   • DO NOT ASSIGN A PUBLIC IP ADDRESS

   Note:

   See IP Addresses in your VCN (Virtual Cloud Network) to understand more about public and private IP addresses in Oracle Cloud Infrastructure.
10. In the Add SSH Keys section, provide your ssh public key by selecting Choose public key files or Paste public keys. If you select any other option, you will not be able to connect to the Oracle AVDF instance.
11. Under Boot volume section, specify a custom boot volume size if you want the boot volume to be larger than the default size of 220 GB.

    Note:

    The custom boot volume size should not exceed 2TB. Refer to Scaling Up Oracle AVDF Instances section for more details on expanding storage.
12. Click Advanced Options, and then choose the default options in all the tabs.
13. Click Create to start creating the instance.
14. After the instance state changes to Running in the Oracle Cloud Infrastructure console, wait for a few minutes for the underlying services to start up before accessing the instance.
15. Perform the post instance creation steps.

    Note:

    For production workload, follow the sizing guidelines (My Oracle Support Doc ID 2092683.1) to calculate shape and storage requirements.

    See Also:

    Creating an instance in Oracle Cloud Infrastructure

12.4.3 Post Instance Creation Steps

Perform one time post instance creation steps.

After the instance creation is completed, you must perform these steps once.

For Audit Vault Server Instance

1. Connect to the instance through SSH using the ssh utility. See section Connecting to Oracle AVDF Instance.

2. Change root user password by running the following command. The root password is required to troubleshoot the instance using OCI instance console connection.

   sudo passwd root

3. Generate a one time passphrase by running the command:

   sudo -u oracle /usr/local/dbfw/bin/generate_post_install_passphrase

4. Copy the passphrase that is returned by the above command.
5. Access the Audit Vault Server console by entering https://<IP address of the instance> as the URL in the browser.
6. Enter the passphrase copied from the earlier step in the Post Install Authentication page of the Audit Vault Server console.
7. Fill in the details in the Post Install Configuration page.

8. In the AVS IP for Agent Communication section, specify the public IP of the Audit Vault Server if you are expecting to collect audit data from any target outside of OCI. See section Deploying Audit Vault Agents for more details.

   Note:

   After the post installation step is complete, changing the AVS IP for Agent communication is not supported.

9. DNS is automatically set to 169.254.169.254. However, you can specify a different DNS setting.

   See Also:

   DNS in Your Virtual Cloud Network
10. Click Save.

For Database Firewall Instance

1. Connect to the instance through SSH using the ssh utility. See section Connecting to Oracle AVDF Instance.

2. Change root user password by running the following command. The root password is required to troubleshoot the instance using OCI instance console connection.

   sudo passwd root

12.5 Connecting to Oracle AVDF Instance

Learn how to access Audit Vault Server and Database Firewall instances on Oracle Cloud Infrastructure (OCI).

Connecting through SSH

Prerequisite: OCI virtual firewall for your VCN must be configured to allow ingress traffic on SSH port 22. See OCI Access and Security for complete information.

The public key specified during instance creation is installed on Oracle AVDF instance for SSH authentication. After the instance creation is completed, connect to the instance as opc user using the matching private key.

Using the ssh utility, run the following command:

ssh -i <path to private key file> opc@<IP address of Oracle AVDF instance>

See Also:

• Unable to Connect to Audit Vault Server through Console or SSH
• Connecting to Oracle Cloud Infrastructure Instance
• Oracle Cloud Infrastructure Access and Security
• IP Addresses in your VCN

Note:

Oracle AVDF instances accept the following public key types:

• ssh-ed25519
• ssh-ed25519-cert-v01@openssh.com
• ecdsa-sha2-nistp384
• ecdsa-sha2-nistp384-cert-v01@openssh.com
• rsa-sha2-512

Connecting through Audit Vault Server console

Prerequisite: OCI virtual firewall for your VCN must be configured to allow ingress traffic on port 443. See OCI Access and Security for complete information.

Access the Audit Vault Server console by entering https://<IP address of the Audit Vault Server instance> as the URL in your browser.

12.6 Scaling Up Oracle AVDF Instances

Learn to scale up Oracle AVDF instances on OCI.

CPU, memory, network bandwidth, and repository storage of Oracle AVDF instance can be scaled up without recreating the instance. This allows for increased performance to meet growing workload needs.

Changing the Shape of Oracle AVDF Instance

CPU, memory, and network bandwidth can be scaled up by changing the shape of the instance to one of the supported VM standard shapes.

Use the OCI console to edit the shape of the instance. Refer to Using the Console for more details.

Note:

Changing a shape to a smaller one than the current shape is not supported. For example, changing the shape from VM.Standard2.4 to VM.Standard2.2 is not supported.

Expanding Repository Storage for Audit Vault Server

Each Audit Vault Server instance has a repository that stores the collected audit and network event data. The storage requirements increase as the collection workload grows. To meet the storage needs, expand the Audit Vault Server repository storage in the following ways:

• During Instance creation: When specifying the boot volume larger than the default for Audit Vault Server instance, the underlying repository storage is automatically expanded. Refer to section Creating an Oracle AVDF instance with Oracle Cloud Marketplace Image on how to specify custom boot volume size.

• Post instance creation: Follow these steps:

  1. Attach additional OCI Block storage to the instance. Follow the steps listed in Attaching the Volume to an Instance.

  2. Ensure the disks are visible at the OS level, by running the following command:

     lsblk

  3. Expand the repository storage. See Adding Local Disks to the Audit Vault Server ASM Disk Groups.

Note:

• Ensure the attached OCI Block storage is not shared with any other instance as it may lead to data loss.
• SAN storage is not supported.

12.7 Changes in Functionality for Oracle AVDF Instances on OCI

Learn about the changes in functionality of Oracle AVDF deployed on Oracle Cloud Infrastructure (OCI).

Table 12-1 Functional Differences Between Oracle AVDF Deployed On-premises and on OCI

Functionality	Oracle AVDF instance deployed on-premises	Oracle AVDF instances deployed on OCI
SSH authentication	Password based authentication	Key based authentication
Network settings (IP address and Host Name)	Network settings can be modified using the Audit Vault Server console.	These settings are read only in the Audit Vault Server console. However, they can be modified from the OCI console.
Time synchronization	NTP settings can be modified using the Audit Vault Server console.	NTP is automatically configured during instance creation and the NTP server settings cannot be changed.
DNS	DNS setting can be modified using the Audit Vault Server console.	DNS is automatically set to 169.254.169.254 during instance creation. The settings can be changed on the Audit Vault Server console.
Repository storage expansion	SAN Storage	OCI Block Storage must be used for storage expansion.
Archive or backup location	NFS	OCI File Storage (Recommended)
Database Firewall deployment modes	Monitoring / Blocking (Proxy) Monitoring (Host Monitor) Monitoring (Out-of-Band)	Monitoring / Blocking (Proxy) Monitoring (Host Monitor) Monitoring (Out-of-Band) is not supported.
Secondary Network Interface Cards on Audit Vault Server	Supported	Not supported. (Only the primary network interface card that is associated with the primary Audit Vault Server's private IP address of the instance is supported.)
Secondary Network Interface Cards on Database Firewall	Supported	Not supported

12.8 Ports for Communication between Oracle AVDF Components

Learn about different ports used by Oracle AVDF for communication between different components.

The list of ports used by Oracle AVDF is listed in Ports Used by Oracle Audit Vault and Database Firewall.

See Also:

Security Lists in OCI

12.9 High Availability for Oracle AVDF Instance

Learn about high availability for Oracle AVDF instance.

High availability in Oracle AVDF makes the deployment more reliable by ensuring continuity of functionality (for example, audit and network event data collection).

Configuring High Availability in Audit Vault Server

Prerequisite: OCI virtual firewall for your VCN must be configured to allow ingress traffic on port 7443, 1521, and 1522. See OCI Access and Security for complete information.

To configure high availability you need two Audit Vault Server instances. The first instance is the primary server and the other as the secondary server. The steps to configure high availability is similar to on-premises deployment. However, private IP addresses of the Audit Vault Server instances must be used during high availability configuration.

Configuring High Availability in Database Firewall

Configuring high availability for Database Firewall instance is supported only for Monitoring / Blocking (Proxy) mode.

Prerequisite: OCI virtual firewall for your VCN must be configured to allow ingress traffic on proxy ports for Database Firewall nodes. See OCI Access and Security for complete information.

To configure high availability you need two Database Firewall instances. The first instance is the primary and the other as the secondary. The steps to configure high availability is similar to on-premises deployment.

See Also:

High Availability in Oracle AVDF

12.10 Deploying Audit Vault Agents

Learn about deploying Audit Vault Agents.

Audit Vault Agent is a component of Oracle AVDF that you deploy on a machine (usually the same host as the target) to collect audit data from targets.

Prerequisite: OCI virtual firewall for your VCN must be configured to allow ingress traffic on ports 1521 and 1522 for Audit Vault Server. See OCI Access and Security for complete information.

Follow these steps to deploy an Audit Vault Agent:

1. Register the Audit Vault Agent machine on Audit Vault Server. In some cases, you need to specify AGENT_PHYSICAL_ADDRESS_XX (where XX can be a number from 01 to 99) Agent attribute. See Registering Hosts on the Audit Vault Server for complete information.
2. Download the Audit Vault Agent software from Audit Vault Server console to the Agent machine.
3. Install the Audit Vault Agent software on the Agent machine.
4. Activate and start the Audit Vault Agent.

See Also:

Registering Hosts and Deploying the Agent

Audit Vault Agent communicates to Audit Vault Server using a JDBC connect string that contains the IP address of the Audit Vault Server. The connect string is automatically generated after post instance creation steps. Specify the IP address that must be used in the connect string by filling in the AVS IP for Agent Communication section in the Post installation configuration page of the Audit Vault Server console. If an IP address is not specified, the private IP address of the Audit Vault Server is used.

Follow these guidelines for the type of IP address to be specified in the Post installation configuration page of the Audit Vault Server:

• If you are expecting to collect audit data from any target outside of OCI, then specify a public IP address of the Audit Vault Server.
• If you are expecting to collect audit data from targets only in OCI, then specify a private IP address of the Audit Vault Server.
• If you are expecting to deploy Database Firewall in Monitoring (Host Monitor) mode for targets only in OCI, then specify the private IP address of the Audit Vault Server.

Table 12-2 Platform Support Matrix for Audit Vault Agent and Host Monitor Agent Deployment

Platform	Audit Vault Agent Deployment	Host Monitor Agent Deployment
Oracle Linux 64 bit (OCI)	Yes	Yes
Oracle Linux 64 bit (outside OCI)	Yes	No
Microsoft Windows Server (x86-64) (OCI)	Yes	Yes
Microsoft Windows Server (x86-64) (outside OCI)	Yes	No

12.11 Configuring Audit Trail Collection

Learn how to configure audit trails.

The steps to configure audit trails is similar to on-premises deployment.

See Also:

• Deploying Audit Vault Agents
• Configuring and Managing Audit Trail Collection

12.12 Deploying Database Firewall for Monitoring

Learn about deploying Database Firewall on Oracle Cloud Infrastructure (OCI).

The following Database Firewall deployment modes are supported on OCI:

• Monitoring / Blocking (Proxy)
• Monitoring (Host Monitor)

Prerequisites:

• For Database Firewall deployed in Monitoring (Host Monitor) mode, the virtual firewall for your Database Firewall VCN must be configured to allow ingress traffic on ports ranging from 2051 to 5100. See OCI Access and Security for complete information.
• For Database Firewall deployed in Monitoring / Blocking (Proxy) mode, the virtual firewall for your Database Firewall VCN must be configured to open the specific proxy port.
• For Audit Vault Server to collect network event data from Database Firewall, you must configure virtual firewall of your Database Firewall VCN to allow ingress traffic on port 1514.

When deploying Database Firewall, consider these points:

• You can use either public or private IP address of the Database Firewall to register with the Audit Vault Server.
• When configuring a Database Firewall monitoring point, use the primary VNIC as the network interface card.
• Use private IP address of the target when enabling native network encrypted traffic monitoring for Oracle Database.
• When configuring the Database Firewall monitoring point for Oracle Real Application Clusters (Oracle RAC), enter the FQDN of the SCAN Listener as the host name.

See Also:

• Configuring Database Firewall for Databases That Use Native Network Encryption
• Configuring Database Firewall

Note:

• Database Firewall monitoring and protection is not supported for targets outside OCI.
• For deploying Host Monitor Agent follow the same guidelines mentioned in section Deploying Audit Vault Agents.
• To setup native network encryption, the dbfw-utility.zip needs to be downloaded from Oracle Software Delivery Cloud and copied to the Audit Vault Server. Refer to Installing Oracle Audit Vault and Database Firewall for more information.

12.13 Monitoring Oracle Autonomous Database Services

Learn how to monitor Oracle Autonomous Database services with Oracle Audit Vault and Database Firewall on Oracle Cloud Infrastructure (OCI).

Clients connect to Autonomous Database services by using a public or private endpoint. Use the public endpoint when configuring the Autonomous Database services as a target on the Audit Vault Server.

Configuring Audit Trails

To configure audit trails for collection, see Configuring Audit Trail Collection, with the following changes:

• Provide the public endpoint, credentials wallet, and user credentials of your Autonomous Database during target registration. See Step 2: Create User Accounts on Oracle Cloud Instances.
• Deploy the Audit Vault Agent remotely and ensure access to the public endpoint.

Configuring Audit Provisioning and Entitlement Retrieval

For Audit Provisioning and Entitlement Retrieval, the Audit Vault Server connects to the Autonomous Database by using the audit connection details that you provided during target registration. Ensure that the Audit Vault Server can access the public endpoint of your Autonomous Database.

Configuring Database Firewall

To configure the Database Firewall to connect to an Autonomous Database, see Configuring a Database Firewall to Connect to an Oracle Autonomous Database.

12.14 Monitoring DB Systems on OCI

Learn how to monitor DB Systems with Oracle AVDF on OCI.

OCI DB Systems allow you to configure SSH key based access to the machine hosting the database. You can install the Audit Vault Agent on the DB Systems.

In addition, all SQL connections use native network encryption by default.

Configuring Audit Trail Collection

Refer to the following sections:

• Deploying Audit Vault Agents
• Configuring Audit Trail Collection

Configuring Audit Provisioning and Entitlement Retrieval

For Audit Provisioning and Entitlement Retrieval, the Audit Vault Server connects to the DB Systems on OCI using the audit connection details provided during the target registration. Therefore, you must ensure that Audit Vault Server has JDBC access to your database.

Configuring Database Firewall Monitoring

Refer to section Deploying Database Firewall for Monitoring.

12.15 Backup and Restore of Oracle AVDF Instances in OCI

Learn about back up and restore functionality for Oracle AVDF instances in OCI.

The purpose of backup and restore is to protect against data loss and to restore the instance from a backup taken earlier.

Backup and Restore of Audit Vault Server

The steps to perform backup and restore of Audit Vault Server is similar to on-premises deployment with the following changes:

• Use OCI File Storage when configuring backup location.
• When configuring restore, you must set USE_NEW_IP parameter to Y.

See Also:

Backup and Restore of Audit Vault Server

Backup and Restore of Database Firewall

The Database Firewall does not need to be backed up. As part of Audit Vault Server backup, all the existing configuration is backed up. After restoring the Audit Vault Server, the existing configuration to the Database Firewall is restored. Follow the steps mentioned in section Backing Up and Restoring the Database Firewall to complete the restore process.

12.16 Archiving and Retrieving Audit Data

Learn about archiving and retrieving audit data of Oracle AVDF on OCI.

Archiving and retrieving audit data is similar to the on-premises deployment. Use OCI File Storage when specifying the archive locations.

To comply with corporate guidelines, all enterprises have data retention policies for audit and network event data. Retention policies define how long the collected data is kept online (so it is visible in reports) and for how long it is to be kept in archive. Using Oracle AVDF, you can set the data retention policies for every target. Data is visible in reports during the online period. For archiving, Oracle AVDF supports both manual and automatic modes. When manual archiving mode is enabled, as soon as the online period expires, data is made offline, but stays on Audit Vault Server. It has to be moved manually to a remote location. If the mode is set to automatic archiving, data is automatically moved to an NFS configured location, after the online period expires. Oracle AVDF allows switching between manual and automatic archiving modes. For Audit Vault Server deployed in OCI, use OCI File Storage for configuring NFS locations.

See Also:

Archiving and Retrieving Audit Data

12.17 Starting or Stopping the Oracle AVDF Instance

Learn how to start or stop the Oracle AVDF instance.

Audit Vault Server console or the OCI console can be used to start or stop the instances. Instances that are stopped can only be started using the OCI console.

Refer to Stopping and Starting an Instance using OCI console.

From the Audit Vault Server console, you can stop or reboot the Oracle AVDF instance.

To Power Off or Reboot the Audit Vault Server instance

1. Log in to the Audit Vault Server console as a super administrator.
2. Click Settings tab.
3. Click System tab in the left navigation menu.
4. In the main page to the top right corner, click Power Off to stop the instance. Click Reboot to restart the instance.

To Power Off or Reboot the Database Firewall instance

The Database Firewall instance must be registered in the Audit Vault Server console.

1. Log in to the Audit Vault Server console as a super administrator.
2. Click Database Firewalls tab.
3. Select the checkbox against the specific Database Firewall instance.
4. Click Power Off to stop the instance. Click Reboot to restart the instance.

12.18 Terminating Oracle AVDF Instance

Learn about terminating Oracle AVDF instance.

You can terminate the Oracle AVDF instance using the OCI console by following the steps in section Terminating an Instance.

Note:

When the instance is terminated, all audit and network event data is permanently lost, unless you have taken a backup from which you can restore. Terminated instances are temporarily visible in the list of instances with the status Terminated.