O Monitoring Audit Vault Server

Learn how to monitor Audit Vault Server.

Monitoring enables investigation of suspicious activity, accountability for actions, and address auditing requirements for compliance. Monitoring involves configuring auditing (in both embedded repository and operating system) and collecting the generated records into a shadow Audit Vault Server for analysis and reporting.

Audit Vault Server automatically configures auditing for both the operating system and the embedded repository.

O.1 About Auditing Operating System

Learn all about auditing of the operating system.

Audit Vault Sever enables default Oracle Linux audit configuration. The configuration settings are available in /etc/audit/auditd.conf file and the audit logs are recorded in /var/log/audit directory.

O.2 About Auditing Audit Vault Server Repository

Learn all about auditing of Audit Vault Server repository.

Prior to Oracle AVDF release 20.7, Audit Vault Server enables the default mixed mode auditing with the following settings:


audit_file_dest = /var/lib/oracle/admin/dbfwdb/adump
audit_sys_operations = TRUE
audit_trail = DB

Note:

The above default configuration prior to release 20.7 audits SYS operations and does not audit application level schemas AVSYS and MANAGEMENT.

Starting with Oracle AVDF release 20.7, pure unified auditing is automatically enabled with additional policies to audit application schemas AVSYS and MANAGEMENT.

With pure unified auditing enabled, the Audit Vault Server centralizes all auditing to unified audit trail. For example, Database Vault audit records go to unified audit trail. The Unifed Audit Policies are configured by default. This includes fresh installation and upgrade of Audit Vault Server to release 20.7.

Table O-1 Oracle Predefined Policies Configured for Audit Vault Server

Policy Name Description

ORA_LOGON_FAILURES

Any failed log in events.

ORA_SECURECONFIG

Secure configuration defined by Oracle Database except for AVSYS and MANAGEMENT user.

AVSYS_DV_UA_POLICY

Database Vault protected AVSYS realm. The Database Vault AVSYS realm protects all objects owned by the AVSYS database schema.

MANAGEMENT_DV_UA_POLICY

Database Vault protected MANAGEMENT realm. The Database Vault MANAGEMENT realm protects all objects owned by the MANAGEMENT database schema.

AUDIT_DB_MGMT_POLICY

Database management operations.

AUDIT_SELECT_DICTIONARY_POLICY

Select any dictionary privilege.

AVSYS_DV_UA_POLICY

CREATE AUDIT POLICY statement shows the AVSYS_DV_UA_POLICY unified audit policy definition as follows:


create audit policy AVSYS_DV_UA_POLICY actions component=dv
realm violation on "Audit Vault Realm",
realm success on "Audit Vault Realm",
realm access on "Audit Vault Realm",
rule set failure on "AVSYS audit command",
rule set success on "AVSYS audit command",
rule set eval on "AVSYS audit command"

Unified Audit Policy for Database Vault AVSYS Realm

AVSYS Database Vault realm protects all AVSYS objects including AVSYS tables, packages, and others. AVSYS_DV_UA_POLICY audits all activities on the Database Vault AVSYS realm.

The following commands are audited by Database Vault AVSYS realm:

  • drop database link
  • drop index
  • drop package
  • drop package body
  • drop procedure
  • drop sequence
  • drop synonym
  • drop table
  • drop type
  • drop type body
  • drop view
  • delete
  • revoke
  • truncate table

MANAGEMENT_DV_UA_POLICY

CREATE AUDIT POLICY statement shows the MANAGEMENT_DV_UA_POLICY unified audit policy definition as follows:


create audit policy MANAGEMENT_DV_UA_POLICY actions component=dv
realm violation on "Audit Vault Account Manager Realm",
realm success on "Audit Vault Account Manager Realm",
realm access on "Audit Vault Account Manager Realm",
rule set failure on "MANAGEMENT audit command",
rule set success on "MANAGEMENT audit command",
rule set eval on "MANAGEMENT audit command"

Unified Audit Policy for Database Vault MANAGEMENT Realm

Management Database Vault realm protects all the MANAGEMENT object, includes MANAGEMENT tables, packages, etc. MANAGEMENT_DV_UA_POLICY audits all activities on the Database Vault MANAGEMENT realm.

The following commands are audited by Database Vault MANAGEMENT realm:

  • drop database link
  • drop index
  • drop package
  • drop package body
  • drop procedure
  • drop sequence
  • drop synonym
  • drop table
  • drop type
  • drop type body
  • drop view
  • delete
  • revoke
  • truncate table

AUDIT_DB_MGMT_POLICY

CREATE AUDIT POLICY statement shows the AUDIT_DB_MGMT_POLICY unified audit policy definition and audits all users:


create audit policy audit_db_mgmt_policy
privileges
ALTER PUBLIC DATABASE LINK,
AUDIT ANY, AUDIT SYSTEM,
CREATE ANY TRIGGER, CREATE PUBLIC DATABASE LINK,
DROP ANY DIRECTORY, DROP PUBLIC DATABASE LINK
actions
ALTER FUNCTION, ALTER PACKAGE, ALTER PROCEDURE, 
ALTER TRIGGER,
CREATE PACKAGE, CREATE PACKAGE BODY, CREATE PROCEDURE,
CREATE SPFILE, CREATE TRIGGER,
DROP FUNCTION, DROP PACKAGE, DROP PROCEDURE,
DROP TRIGGER;

AUDIT_SELECT_DICTIONARY_POLICY

CREATE AUDIT POLICY statement shows the AUDIT_SELECT_DICTIONARY_POLICY unified audit policy definition and audits all users except AVSYS and MANAGEMENT:


create audit policy audit_select_dictionary_policy
privileges
SELECT ANY DICTIONARY;

O.3 Collecting Audit Records to Shadow Audit Vault Server

Learn how to collect audit records to the shadow Audit Vault Server.

You can configure a shadow Audit Vault Server to monitor the audit trails of the main Audit Vault Server. For example, if someone logs in to the main Audit Vault Server and drops an AVSYS package, the activity is audited, and the trail is collected in the shadow Audit Vault Server for reporting and analysis. The audit records are found in the activity reports that an auditor can access in the Audit Vault Server console. For example, All Activity report.

When you configure a shadow Audit Vault Server, you should configure collection from both unified and OS audit trails.

Configuring these trails involves the following steps:

  1. Deploying Audit Vault Agent on the main Audit Vault Server
  2. Adding a trail on the shadow Audit Vault Server to collect data from unified audit trail in the main Audit Vault Server
  3. Adding a trail on the shadow Audit Vault Server to collect data from operating system audit trail in the main Audit Vault Server

O.4 Deploying the Audit Vault Agent on the Main Audit Vault Server

Learn how to deploy Audit Vault Agent on the main Audit Vault Server.

A shadow Audit Vault Server can be configured to monitor the audit trail of the main Audit Vault Server. To accomplish this an Audit Vault Agent must be deployed on the main Audit Vault Server.

Follow these steps:

  1. Log in to the shadow Audit Vault Server as an administrator.
  2. Register the main Audit Vault Server in the Agents tab.
  3. Log in to the main Audit Vault Server as root user.
  4. Run the following commands to create a /var/lib/oracle/avs_agent directory in the main Audit Vault Server:
    cd /var/lib/oracle
    mkdir avs_agent
    chown avsagent:osaudit avs_agent
  5. Run the sudo -u avsagent /bin/bash command to create a bash shell for the avsagent OS user.

    Note:

    There is no log in the shell defined for the avsagent OS user. To run the command as avsagent user, log in as root user. It can either be done by running the command sudo -u avsagent /bin/bash and use the created bash shell to run the command as avsagent user, or by running the command sudu -u avsagent <command>.
  6. Log in to the shadow Audit Vault Server console as an administrator.
  7. Click the Agents tab, and then click Downloads.
  8. Download the agent.jar file to /var/lib/oracle/avs_agent directory and copy it to the main Audit Vault Server as avsagent OS user.
  9. Add a line export PATH=/var/lib/oracle/avs_agent/bin:$PATH in the /home/avsagent/.bashrc. This ensures the future bash shell created by sudo -u avsagent /bin/bash has the PATH to access the agentctl.
  10. Deploy the Audit Vault Agent in the main Audit Vault Server as avsagent OS user in the shell created earlier.

    Make sure /var/lib/oracle/avs_agent/bin is in the PATH. Or run export PATH=/var/lib/oracle/avs_agent/bin:$PATH.

  11. Running the following command:
    java -jar /var/lib/oracle/avs_agent/agent.jar
  12. Running the following command to start the Agent as avsagent OS user:
    agentctl start -k
  13. Enter the activation key when prompted. The activation key is available in the Agents tab of the shadow Audit Vault Server. Ensure to enter the complete activation key including the name of the Agent.

O.5 Adding a Trail to Collect Data From Unified Audit Trail on the Main Audit Vault Server

Learn how to add a trail to collect data from unified audit trail on the main Audit Vault Server as an Oracle Database target.

This involves two steps on a high level:

  1. Registering the main Audit Vault Server as an Oracle Database target.
  2. Configuring the trail to collect data from the unified audit trail on the main Audit Vault Server.

O.5.1 Registering the Main Audit Vault Server as an Oracle Database Target

Learn how to register the main Audit Vault Server as an Oracle Database target.

  1. Log in to the main Audit Vault Server as dvaccountmgr.
  2. Update the password of AVSAUDIT user and unlock the account.
  3. Start SQL*Plus connection as sqlplus /nolog without the username or password.
  4. In SQL*Plus run the following command:
    connect <sysdba>

    Alternatively, run the command:

    connect <sysdba/password>
  5. Enter the password when prompted.
  6. Run the following command:
    @oracle_user_setup.sql AVSAUDIT setup

    The oracle_user_setup.sql is located at /var/lib/oracle/avs_agent/av/plugins/com.oracle.av.plugin.oracle/config.

  7. Log in as dvowner.
  8. Start SQL*Plus and run the following command:
    GRANT DV_MONITOR TO "AVSAUDIT"
  9. Log in to the shadow Audit Vault Server as administrator.
  10. Create an archive location and define the archiving policy for the main Audit Vault Server target. It is recommended to create an archiving policy for 6 months online and 0 months archived.
  11. Register the main Audit Vault Server as an Oracle Database target. During the target registration, select 6 months online, 0 months as the retention policy. Use AVSAUDIT in the Database User Name field. Enter AVSAUDIT password in the Password field.

O.5.2 Configuring Trail to Collect Data from Unified Audit Trail on the Main Audit Vault Server

Learn how to add an audit trail to collect data from the unified audit trail on the main Audit Vault Server as an Oracle Database target.

  1. Log in to the shadow Audit Vault Server as administrator.
  2. Add an audit trail for the main Audit Vault Server Oracle Database target.
  3. Click Targets tab.
  4. Identify and click the main Audit Vault Server Oracle Database target.
  5. In the Audit Data Collection section, click Add.
  6. Select the table for Audit Trail Type field.
  7. Select UNIFIED_AUDIT_TRAIL in the Trail Location field.
  8. Select the Audit Vault Agent deployed in the Agent Host field.
  9. In the Agent Plugin field, select com.oracle.av.plugin.oracle.
  10. Click Save.
  11. The audit trail is started automatically.

O.6 Adding a Trail to Collect Data from OS Audit Trail on the Main Audit Vault Server

Learn how to add a trail to collect data from OS audit trail on the main Audit Vault Server as a Linux target.

This involves two steps on a high level:

  1. Registering the main Audit Vault Server as a Linux target.
  2. Configuring trail to collect data from OS audit trail on the main Audit Vault Server.

O.6.1 Registering the Main Audit Vault Server as a Linux Target

Learn how to register the main Audit Vault Server as a Linux target.

  1. Log in to the shadow Audit Vault Server as an administrator.
  2. Click Targets tab, and then click Register.
  3. Select Linux in the Type field.
  4. Select 6 months online and 0 months as the Retention Policy.
  5. Enter the Host Name of the main Audit Vault Server if DNS is configured.
  6. Enter the IP address of the main Audit Vault Server.
  7. Click Save.

O.6.2 Configuring a Trail to Collect Data from OS Audit Trail on the Main Audit Vault Server

Learn how to add an audit trail for unified auditing for the main Audit Vault Server as a Linux target.

  1. Log in to the shadow Audit Vault Server as administrator.
  2. Add an audit trail for the main Audit Vault Server as Linux target.
  3. Click Targets tab.
  4. Identify and click the main Audit Vault Server Linux target.
  5. In the Audit Data Collection section, click Add.
  6. Select DIRECTORY in the Audit Trail Type field.
  7. In the Trail Location field, enter /var/log/audit/audit*.log.
  8. Select the Audit Vault Agent deployed in Agent Host field. This is the Agent that was earlier deployed in the main Audit Vault Server.
  9. In the Agent Plugin field, select com.oracle.av.plugin.linuxos.
  10. Click Save.
  11. The audit trail is started automatically.

    Best Practice:

    • It is recommended to configure a shadow Audit Vault Server to collect unified audit data and OS audit data from the main Audit Vault Server.
    • The shadow Audit Vault Server must be highly restricted to capturing audit data from only the main Audit Vault Server.
    • It is recommended not to provision or modify the audit policies through the shadow Audit Vault Server for the main Audit Vault Server without careful consideration. Increased auditing of the main Audit Vault Server impacts the performance.

O.7 Storage Requirement for Main Audit Vault Server

Learn about the storage requirement for the main Audit Vault Server when auditing is enabled.

For every 1 million audit records and network events collected, the Audit Vault Server generates 3 GB of audit records as part of self auditing. The administrator must complete the sizing exercise to account for this space usage as per the deployment.

For a fresh installation of Audit Vault Server, refer to Audit Vault Sizing Guide. For an upgrade of Audit Vault Server from an older version, follow these guidelines:

  1. Collect the data on the number of records (in million) generated by the Audit Vault Server for a duration of 8 days. Take this as X. For example, if 2 million records are generated per day, then X is 2 * 8 = 16.

  2. Now calculate the space required (Y) for Audit Vault Server self auditing. This includes SYSTEMDATA and EVENTDATA. For every million records the space required is 3 GB.

    Y = X multiplied by 3 GB

The administrator needs to allocate Y GB of space in SYSTEMDATA and EVENTDATA disk groups. For example, if the system is processing 2 million audit records per day, then it requires 48 GB storage space in both SYSTEMDATA and EVENTDATA for auditing Audit Vault Server. (2 million records * 8 days * 3 GB = 48 GB).


X = 2 * 8 = 16
Y = 16 * 3 GB = 48 GB

For auditing of Audit Vault Server to process about 2 million audit records per day, the administrator must allocate 48 GB space in SYSTEMDATA and EVENTDATA.

O.8 About Purging Unified Audit Trail on the Main Audit Vault Server

Learn how to configure a purge job for unified audit data pertaining to the main Audit Vault Server.

Unified audit trail data that is older than 7 days is purged by default. This is done as part of the AVS_MAINTENANCE_JOB that is scheduled to run daily by default. The schedule can be changed using the Audit Vault Server console.

After configuring the unified audit trail collection in the shadow Audit Vault Server, it is recommended to configure a unified audit trail purge job in the main Audit Vault Server.

Follow these steps to configure unified audit trail purge job:

  1. Log in to the Audit Vault Server as root OS user.
  2. Run the command to switch to oracle user:
    su - oracle
  3. Start SQL*Plus connection as sqlplus /nolog without the username or password.
  4. In SQL*Plus run the following command:
    connect <sysdba>

    Enter the password when prompted. Alternatively, run the command:

    connect <sysdba/password>
  5. Run the following SQL script to create a purge job with the job name AVS_UNIFIED_AUDIT_CLEANUP for Unified Audit Trail:
    
    begin
          dbms_audit_mgmt.create_purge_job(
            audit_trail_type => dbms_audit_mgmt.audit_trail_unified,
            audit_trail_purge_interval => 1,
            audit_trail_purge_name => 'AVS_UNIFIED_AUDIT_CLEANUP',
            use_last_arch_timestamp => true,
            container => dbms_audit_mgmt.container_current);
      end;
    

    This job runs once every hour to clean up the unified audit trail based on the archived timestamp updated by the shadow Audit Vault Server trail collection.

    Best Practice:

    It is recommended to configure unified audit trail purge job when configuring trails on the shadow Audit Vault Server, to collect data from the main Audit Vault Server.

    Note:

    When you configure unified audit trail purge job, the cleanup performed as part of AVS_MAINTENANCE_JOB is automatically removed and the following message is displayed in the Job Status page:

    Audit Trail cleanup for Audit Vault Server is enabled, so not purging audit data by Maintenance

    Note:

    To check the status of AVS_UNIFIED_AUDIT_CLEANUP, run the following SQL statement:

    select * from dba_scheduler_job_run_details where job_name='AVS_UNIFIED_AUDIT_CLEANUP';

    Refer to Audit Trail Management Data Dictionary Views for more information.