8 Enabling and Using Host Monitoring

Learn about enabling and using host monitoring.

8.1 About Host Monitoring

Learn about host monitoring.

Host Monitor can be deployed in a distributed environment which has many small databases. Oracle Audit Vault and Database Firewall can monitor SQL traffic to all of the small databases centrally with a single Database Firewall instance. To do this, a monitoring point is created in Monitoring (Host Monitor) mode, and a NETWORK audit trail is added for every target.

Host Monitor captures SQL traffic from the network interface cards of all the database hosts and uses ports as filters. This captures the relevant traffic more effectively than modes such as Monitoring (Out-of-Band), which capture all the network traffic. Because Host Monitor receives a copy of the SQL traffic, it can only monitor that traffic and cannot block it. The captured SQL data is securely sent over the network to a Database Firewall instance. The data is then available for reports generated by Oracle Audit Vault and Database Firewall.

In other cases, where there are many network paths to target databases running on a single machine, monitoring SQL activity using Host Monitor is easier. For larger databases, the SQL traffic captured by Host Monitor increases the network traffic. In this case, Host Monitor can be configured to capture traffic on the ports on which the database is listening, so that the SQL traffic is monitored and the rest of the traffic reaching the target database is ignored. Host Monitor then forwards the SQL traffic to the Database Firewall over the network. The network bandwidth used on the target database depends on the amount of SQL traffic.

Note:

  • Host Monitoring is supported on Linux, Solaris, AIX, and Windows platforms, and can monitor any database supported by the Database Firewall. See Table C-1 for supported databases.

  • Host Monitor Agent supports link type Solaris IPNET on Oracle Solaris SPARC64 and x86-64.

  • Host Monitor Agent supports Ethernet (EN10MB) link type for all supported platforms.

8.2 Installing and Enabling Host Monitoring

Learn about installing and enabling host monitoring.

8.2.1 Host Monitor Requirements

Learn about Host Monitor requirements.

Host Monitor enables the Database Firewall to directly monitor SQL traffic in a database.

Prerequisites for installing Host Monitor on Windows platform:

  1. Ensure Audit Vault Agent is running on the host machine.
  2. Verify and allow communication on ports 2050 - 5100 for Database Firewall.
  3. Install Npcap that is available in the avdf20-utility.zip bundle in ARU. It is part of the Oracle Audit Vault and Database Firewall installable files.
  4. Ensure that Npcap is installed in WinPcap-API-compatible mode.
  5. Install the latest version of OpenSSL (1.1.1g or higher) libraries.
  6. Ensure the Windows target machine has the latest update of the Visual C++ Redistributable for Visual Studio 2015 (MSVCRT.dll (*) or later) package from Microsoft installed. This is required to use Host Monitor on Windows.

Prerequisites for installing Host Monitor on Linux/Unix/AIX/Solaris platforms:

  1. Ensure Audit Vault Agent is running on the host machine.
  2. Host Monitor must be installed by root user.
  3. Ensure Libcap is installed for Linux hosts.
  4. Apply the latest security patches of libraries (LibPcap, OpenSSL) available from the OS vendor for the specific OS version on the host machine.
  5. Ensure gmake is installed. This is needed for linking the Host Monitor executables with LibPcap and OpenSSL libraries.
  6. Check directory permissions. All the directories in the path of the Host Monitor install location should have 755 as the permission bits starting from the root directory. Also, Host Monitor must be installed in a root owned location.
  7. Verify and allow communication on ports 2050 - 5100 for Database Firewall.
  8. Ensure the Input Output Completion Ports (IOCP) is set to available for IBM AIX on Power Systems (64-bit). It is set to defined by default.

See Also:

Enabling and Using Host Monitoring for host monitoring instructions and prerequisites.

8.2.2 Step 1: Register the Computer that will Run the Host Monitor

Learn how to register the computer that runs the host monitor.

To register a host in the Audit Vault Server, see "Registering Hosts on Oracle Audit Vault Server".

8.2.3 Step 2: Deploy the Audit Vault Agent and Install the Host Monitor

Learn how to deploy the Oracle Audit Vault Agent and install the Host Monitor.

8.2.3.1 Deploying the Agent and Host Monitor on Microsoft Windows Hosts

Learn how to deploy Host Monitor on Windows platform.

Oracle Audit Vault and Database Firewall 20.1 supports Host Monitoring on Windows. This functionality requires OpenSSL and Npcap to be installed in addition. This section describes the steps to follow before upgrading from an older 12.2 release or for a fresh installation of 20.1.

Installing OpenSSL

OpenSSL 1.1.1g or a higher version must be installed on the Windows host machine. Follow these steps to make system related changes before installing OpenSSL:

  1. In the Windows machine, navigate to Control Panel.
  2. Click System, and then click Advanced system settings.
  3. In the Advanced tab, click on Environment Variables button.
  4. The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
  5. Click Edit button. The Edit environment variable dialog is displayed.
  6. Add the location of the OpenSSL bin directory at the beginning of the Path variable.

    Note:

    While installing OpenSSL on a Windows machine, you are prompted to choose a location to copy the OpenSSL DLLs as an additional configuration step. It is recommended that you choose the Windows System Directory option, as this location is added to the Path environment variable on a Windows machine by default. If you choose the OpenSSL bin directory option instead, then ensure the location is added to the Path environment variable.
  7. Click OK to save the changes, and then exit all the dialogs.

New Installation of Host Monitor for Windows

Host Monitoring on Windows requires Npcap to be installed in addition. Follow these steps to install Npcap for a fresh installation of Host Monitor in release 20.1:

  1. Log in to ARU.
  2. Install Npcap that is available in the avdf20-utility.zip bundle in ARU. It is part of the Oracle Audit Vault and Database Firewall installable files.
  3. Complete the Npcap installation on the Windows host machine. Ensure that you install it in WinPcap-API-compatible mode.

    Note:

    Installing Npcap in WinPcap API compatible mode removes any existing installation of WinPcap from the Windows machine.
  4. In addition to the Windows System directory, Npcap copies the DLL files to the Npcap sub-directory inside the Windows System directory. Do not remove the DLL files from the Windows System directory.

    Note:

    Installing Npcap in WinPcap API compatible mode adds the Npcap DLL files to the Windows System directory, which is already in the system Path environment variable.
  5. Optionally add the Npcap sub directory inside the Windows System directory to the Path environment variable, by following the steps below:

    1. Navigate to Control Panel.
    2. Click System, and then click Advanced system settings.
    3. In the Advanced tab, click on Environment Variables button.
    4. The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
    5. Click Edit button. The Edit environment variable dialog is displayed.
    6. Add the location of the Npcap DLL files at the beginning of the Path variable. For example: C:\Windows\System32\Npcap
    7. Click OK to save the changes, and then exit all the dialogs.
  6. Confirm the changes in the Path environment variable.

Upgrading Host Monitor on Windows

Host Monitoring on Windows requires Npcap to be installed in addition. Follow these steps before upgrading to Oracle Audit Vault and Database Firewall release 20.1, to continue using Host Monitor on Windows from 12.2.0.9.0 or 12.2.0.10.0:

  1. Stop the Audit Vault Agent running on the Windows host machine.
  2. Log in to the Audit Vault Server console.
  3. Verify the audit trails and the Audit Vault Agent are in STOPPED state.
  4. Log in to ARU, and download Npcap that is available with Oracle Audit Vault and Database Firewall release 20.1 installable files.
  5. Complete the Npcap installation on the Windows host machine. Ensure that you install it in WinPcap-API-compatible mode.

    Note:

    Installing Npcap in WinPcap API compatible mode removes any existing installation of WinPcap from the Windows machine.
  6. In addition to the Windows System directory, Npcap copies the DLL files to the Npcap sub-directory inside the Windows System directory. Do not remove the DLL files from the Windows System directory.

    Note:

    Installing Npcap in WinPcap API compatible mode adds the Npcap DLL files to the Windows System directory, which is already in the system Path environment variable.
  7. Optionally add the Npcap sub directory inside the Windows System directory to the Path environment variable, by following the steps below:

    1. Navigate to Control Panel.
    2. Click System, and then click Advanced system settings.
    3. In the Advanced tab, click on Environment Variables button.
    4. The Environment Variables dialog is displayed. In the System variables box, select Path under the Variable column.
    5. Click Edit button. The Edit environment variable dialog is displayed.
    6. Add the location of the Npcap DLL files at the beginning of the Path variable. For example: C:\Windows\System32\Npcap
    7. Click OK to save the changes, and then exit all the dialogs.
  8. Confirm the changes in the Path environment variable.
  9. Restart the Audit Vault Agent on the Windows host machine.
  10. The Host Monitor is now powered by Npcap during runtime. Verify the network trail collection.
  11. Proceed with the appliance upgrade.

Note:

  • Ensure the audit trails and the Audit Vault Agent are in STOPPED state before installing Npcap. Otherwise, an error may be encountered.
  • Do not delete the DLL files, as they are newly created by the Npcap installation.

8.2.3.2 Deploying the Agent and Host Monitor on Unix Hosts

Learn about deploying the agent and host monitor on Unix hosts.

  1. Before you install the host monitor, ensure that you have deployed the Audit Vault Agent.
  2. Log in as root and identify a root-owned directory on the local hard disk, such as /usr/local, where you will install the host monitor.

    Note: The entire directory hierarchy must be root-owned. All the directories in this hierarchy must have read and execute permission for other users or groups, but not write permission.

  3. Log in to the Audit Vault Server console as an administrator.
  4. Click on the Agents tab.
  5. In the left navigation menu, select Agent Software.
  6. On the page listing the agent software, click the Download button corresponding to your Unix version, and then save the .zip file to the root-owned directory (on the local hard disk) you identified in Step 2, for example /usr/local.
  7. As root user, unzip the host monitor file.

    This creates a directory named hm. This is your HM_Home directory, which in this example is /usr/local/hm.

  8. Ensure that the hostmonsetup file (in the hm directory) has execute permission.
  9. Run the following command:
    HM_Home/hostmonsetup install [agentuser=Agent_Username] [agentgroup=Agent_Group]
    
    • HM_Home - The directory created in Step 7.

    • Agent_Username - (Optional) Enter the username of the user who installed the Audit Vault Agent (the user who executed the java -jar agent.jar command).

    • Agent_Group - (Optional) Enter the group to which the Agent_Username belongs.
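
The ownership and permission rule in the note under Step 2 can be checked before running hostmonsetup. The following script is an added example, not part of the Oracle product: it walks from the install directory up to / and reports every directory that is not root-owned, or where group and other do not have read and execute permission without write permission. The function names are illustrative, and /usr/local/hm is the example path used above.

```sh
#!/bin/sh
# Added example (not Oracle code): audit the directory hierarchy of a
# Host Monitor install location. Function names are illustrative.

# perms_ok UID MODE -> 0 when the owner is root (uid 0) and the `ls -ld`
# mode string shows r-x for group and for other (read/execute, no write).
# Owner bits are not tested; the mode is printed so 755 can be confirmed.
perms_ok() {
    [ "$1" = "0" ] || return 1
    case "$2" in
        d???r-xr-x*) return 0 ;;
        *) return 1 ;;
    esac
}

# ancestors PATH -> PATH and every parent directory, one per line, ending at /
ancestors() (
    p=$1
    while :; do
        printf '%s\n' "$p"
        case "$p" in /|.) break ;; esac
        p=$(dirname "$p")
    done
)

# audit_hierarchy PATH -> prints one line per non-compliant directory.
# Returns 0 if all comply, 1 if any does not, 2 if PATH is not absolute.
audit_hierarchy() (
    set -f
    case "$1" in
        /*) ;;
        *) echo "absolute path required" >&2; exit 2 ;;
    esac
    bad=$(ancestors "$1" | while IFS= read -r d; do
        set -- $(ls -ldn "$d" 2>/dev/null)   # $1 = mode string, $3 = numeric uid
        perms_ok "${3:-none}" "${1:-missing}" ||
            printf '%s uid=%s mode=%s\n' "$d" "${3:-none}" "${1:-missing}"
    done)
    [ -z "$bad" ] && exit 0
    printf '%s\n' "$bad"
    exit 1
)

# Usage: sh check_hm_path.sh /usr/local/hm
if [ "$#" -gt 0 ]; then audit_hierarchy "$1"; fi
```

A symbolic link or a missing directory anywhere in the path is reported as non-compliant, because its mode string does not describe a directory.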

8.2.4 Step 3: Create a Target for the Host-Monitored Database

Learn how to create a target for the host-monitored database.

8.2.5 Step 4: Create a Monitoring Point for the Host Monitor

Learn how to create a monitoring point for Host Monitoring.

For Host Monitor only deployment, create a monitoring point in Monitoring (Host Monitor) mode to receive and process the data sent from the Host Monitor.

A network interface card (NIC) must be configured while creating the monitoring point for Database Firewall with Host Monitor only deployment. This must be different from the Management Interface that is used for communication to Audit Vault Server.

8.2.6 Step 5: Create a Network Audit Trail

Learn how to create network audit trails.

Create an audit trail for each target you are monitoring with a Host Monitor. Specify NETWORK for the Audit Trail Type.

Note:

The collection attribute network_device_name_for_hostmonitor must be configured for every target that is monitored by Host Monitor. The attribute value is the name of the network interface card. The network interface card receives all the network traffic of the target database.

Linux/AIX/Solaris hosts

Follow these steps to determine the value of the network_device_name_for_hostmonitor collection attribute:

  1. Determine the IP address on which the target database is configured to accept TCP traffic. Make a note of the IP address.
  2. Execute the following command to list the network device details present in the host machine:

    ifconfig -a
  3. From the output displayed, search for the IP address that was noted in the initial step. The corresponding name of the network card is the value of the collection attribute network_device_name_for_hostmonitor.
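
A plain text search of the ifconfig -a output can also hit a broadcast address or a longer address that begins with the same digits, which would put the wrong card in network_device_name_for_hostmonitor. The following helper is an added example, not part of the Oracle product: it compares only the exact inet address and prints the name of the interface that owns it. The sample output is constructed and the function names are illustrative.

```sh
#!/bin/sh
# Added example (not Oracle code): find the interface that carries a given
# IPv4 address in `ifconfig -a` output. Function names are illustrative.

# nic_for_ip IP -> reads `ifconfig -a` output on stdin, prints the interface
# name whose inet address equals IP exactly; returns 1 if none matches.
nic_for_ip() {
    awk -v ip="$1" '
        # A line that starts in column 1 opens a new interface block.
        /^[^ \t]/ { nic = $1; sub(/:$/, "", nic) }
        {
            for (i = 1; i < NF; i++)
                if ($i == "inet") {
                    addr = $(i + 1)
                    sub(/^addr:/, "", addr)   # older Linux: "inet addr:x.x.x.x"
                    sub(/\/.*/, "", addr)     # drop a /prefix suffix if present
                    if (addr == ip) { print nic; found = 1; exit }
                }
        }
        END { exit !found }
    '
}

# Constructed sample covering the "name: flags=" layout and the older
# "name  Link encap:" layout. Addresses are documentation ranges.
sample_ifconfig() {
    cat <<'EOF'
ens3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.150  netmask 255.255.255.0  broadcast 192.0.2.255
        inet6 2001:db8::150  prefixlen 64  scopeid 0x0<global>
ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.15  netmask 255.255.255.0  broadcast 192.0.2.255
eth1      Link encap:Ethernet  HWaddr 02:00:00:00:00:02
          inet addr:198.51.100.7  Bcast:198.51.100.255  Mask:255.255.255.0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
EOF
}

# Usage on the database host: sh nic_for_ip.sh 192.0.2.15
if [ "$#" -gt 0 ]; then ifconfig -a | nic_for_ip "$1"; fi
```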

Windows hosts

Follow these steps to determine the value of the network_device_name_for_hostmonitor collection attribute:

  1. Determine the IP address on which the target database is configured to accept TCP traffic. Make a note of the IP address.
  2. Execute the following command to list the network device details present in the host machine:
    ipconfig /all

    Note:

    This command displays the Physical Address, IPv4 Address, and other details for every device.
  3. From the output displayed, search for the device which has an IPv4 Address that was noted in the initial step. Make a note of the corresponding Physical Address.
  4. Execute the command getmac. This will display the device name against the corresponding Physical Address. Make a note of the Device Name for the Physical Address determined in the previous step.
  5. After the Device Name is determined, observe it is in the following form:
    \Device\Tcpip_{********-****-****-****-************}
  6. Copy this Device Name to use as the attribute value by replacing Tcpip with NPF. Hence for a network card with the name \Device\Tcpip_{********-****-****-****-************} the attribute value is \Device\NPF_{********-****-****-****-************}.

    Note:

    This does not involve changing the network device name at a system level.

    See Also:

    Adding Audit Trails in Audit Vault Server for instructions on adding audit trails.

8.3 Starting, Stopping, and Other Host Monitor Operations

Learn about starting, stopping, and other host monitor operations.

8.3.1 Starting the Host Monitor

Learn how to start the host monitor.

Starting the host monitor consists of starting collection for the NETWORK audit trail on the host you are monitoring.

To start the host monitor from the Audit Vault Server console:

  1. Log in to the Audit Vault Server console as an administrator.
  2. Start the audit trail(s) you created for host monitoring in Step 5: Create a Network Audit Trail.

8.3.2 Stopping the Host Monitor

Learn how to stop the host monitor.

To stop the host monitor, stop the audit trail you created for the target that is being monitored. See "Stopping, Starting, and Autostart of Audit Trails in Oracle Audit Vault Server".

8.3.3 Changing the Logging Level for a Host Monitor

Learn about changing the logging level for host monitors.

8.3.4 Viewing Host Monitor Status and Details

Learn how to view the host monitor status and details.

You can view whether a host monitor is installed, and information such as its location, version, update time, and other details.

To view host monitor status and details:

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Agents tab.
  3. In the left navigation menu, select Agent Hosts.
  4. In the page that appears, check the Host Monitor Status and the Host Monitor Details columns for the host you are interested in.

8.3.5 Checking the Status of a Host Monitor Audit Trail

Learn how to check the status of a host monitor audit trail.

  1. Log in to the Audit Vault Server console as an auditor.
  2. Click the Targets tab, and then from the left navigation menu, select Audit Trails.
  3. In the status page that appears, in the Audit Trail Type column, search for audit trails of type NETWORK to find audit trails for host monitors.

8.3.6 Uninstalling the Host Monitor (Unix Hosts Only)

Learn about uninstalling the host monitor on Unix systems.

This procedure applies to Unix hosts only. There is no install or uninstall for Windows hosts.

To uninstall a host monitor:

  1. Log in to the host computer as root.
  2. From the HM_Home directory (where you installed the host monitor in Step 7) run the following command:

    hostmonsetup uninstall

8.4 Updating the Host Monitor (Unix Hosts Only)

Learn how to update the host monitor on Unix systems.

When you update the Audit Vault Server to a future release, the host monitor is automatically updated.

If your current release is prior to 12.1.2, refer to the README included with upgrade software or patch updates for instructions on how to update the host monitor.

See Also:

Oracle Audit Vault and Database Firewall Installation Guide for information on downloading upgrade software.

8.5 Using Certificate-based Authentication for the Host Monitor

Learn to use certificate-based authentication for host monitors.

By default, the Database Firewall allows the host monitor connection based on verifying the host's (originating) IP address.

If you want the additional security of using certificate-based authentication for the host monitor, follow these procedures after the host monitor is installed:

8.5.1 Requiring a Signed Certificate for Host Monitor Connections to Oracle Database Firewall

Learn how to configure the requirement for a signed certificate for host monitor connections to Oracle Database Firewall.

To require a signed certificate for host monitor connections:

  1. Stop the host monitor if it is running.
  2. At the Database Firewall, log in as root, and run the following commands:
    cp /usr/local/dbfw/etc/controller.crt /usr/local/dbfw/etc/fw_ca.crt
    chown dbfw:dbfw /usr/local/dbfw/etc/fw_ca.crt
    chmod 400 /usr/local/dbfw/etc/fw_ca.crt
  3. Run the following command to restart the monitor process:

    /etc/init.d/monitor restart


8.5.2 Getting a Signed Certificate from Oracle Audit Vault Server

Learn how to obtain a signed certificate from Oracle Audit Vault Server.

Follow this procedure for each host running host monitor. The host monitor should already be installed.

To get a signed certificate from the Audit Vault Server:

  1. Log in to the Audit Vault Server as root.
  2. Go to the directory /usr/local/dbfw/etc.
  3. Run the following two commands:
    openssl genrsa -out hmprivkey.perm 2048
    openssl req -new -key hmprivkey.perm -out hmcsr.csr -subj "/CN=Hostmonior_Cert_hostname/"

    The hostname is the name of the host machine where the Audit Vault Agent is installed.

  4. To generate one signed certificate, run the following command:

    /usr/local/dbfw/bin/generate_casigned_hmcert.sh

    The signed certificate file hmcert.crt is generated in the directory /usr/local/dbfw/etc.

  5. Copy the following files from the Audit Vault Server to the Agent_Home/hm directory on the host machine where the Audit Vault Agent is installed:
    /usr/local/dbfw/etc/hmcert.crt
    /usr/local/dbfw/etc/hmprivkey.perm
    
  6. (Unix Hosts Only) As root, run the following commands:
    chown root:root Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
    chmod 400 Agent_Home/hm/hmcert.crt Agent_Home/hm/hmprivkey.perm
  7. (Windows Hosts Only) Ensure that the files hmcert.crt and hmprivkey.perm have Agent user ownership and appropriate permissions to prevent unwanted user access.
  8. Start the host monitor to capture network traffic.
  9. Repeat this procedure for every host running host monitor.
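
Because every run of this procedure writes the same two file names, hmcert.crt and hmprivkey.perm, a host can end up with a certificate and a key from different runs. The following check is an added example, not part of the Oracle product: on a Unix host it confirms that the two files in Agent_Home/hm belong together, that the certificate has not expired, and that both files carry the ownership and mode set in step 6. The function names are illustrative.

```sh
#!/bin/sh
# Added example (not Oracle code): check the hmcert.crt / hmprivkey.perm pair
# in Agent_Home/hm on a Unix host. Function names are illustrative.

# mode_is_400 FILE -> 0 when `ls -l` shows -r-------- (owner read only)
mode_is_400() (
    set -f
    set -- $(ls -ln "$1" 2>/dev/null)
    case "${1:-}" in -r--------*) exit 0 ;; *) exit 1 ;; esac
)

# owned_by_root FILE -> 0 when the numeric owner shown by `ls -ln` is 0
owned_by_root() (
    set -f
    set -- $(ls -ln "$1" 2>/dev/null)
    [ "${3:-}" = "0" ]
)

# key_matches_cert CERT KEY -> 0 when the public key inside CERT equals the
# public half of the private key KEY
key_matches_cert() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# check_hm_credentials HM_DIR -> prints each problem found, returns 1 if any
check_hm_credentials() (
    hm=$1
    rc=0
    for f in "$hm/hmcert.crt" "$hm/hmprivkey.perm"; do
        mode_is_400 "$f"   || { echo "$f: mode is not 400"; rc=1; }
        owned_by_root "$f" || { echo "$f: not owned by root"; rc=1; }
    done
    key_matches_cert "$hm/hmcert.crt" "$hm/hmprivkey.perm" ||
        { echo "$hm: certificate and private key do not belong together"; rc=1; }
    openssl x509 -in "$hm/hmcert.crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "$hm/hmcert.crt: expired or unreadable"; rc=1; }
    exit "$rc"
)

# Usage, as root on the monitored host: sh check_hm_cert.sh Agent_Home/hm
if [ "$#" -gt 0 ]; then check_hm_credentials "$1"; fi
```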
