4 Configuring Oracle Audit Vault

Learn about configuring Oracle Audit Vault.

4.1 About Configuring Oracle Audit Vault Server

Learn about configuring Oracle Audit Vault Server.

This chapter explains how to perform the initial Oracle Audit Vault Server configuration.

Note:

Oracle Audit Vault Server and Oracle Database Firewall server are software appliances. You must not make changes to the Linux operating system through the command line on these servers unless you are following procedures as described in the official Oracle documentation or you are working under the guidance of Oracle Support.

The main steps involved in the configuration process are as follows:

  1. Perform the initial configuration tasks at the Audit Vault Server. For example, confirm system services and network settings, and set the date and time.

  2. Configure the Audit Vault agents.

  3. (Optional) Define resilient pairs of servers for high availability.

  4. (Optional) Add each Oracle Database Firewall at Oracle Audit Vault Server.

  5. (Optional) Configure Oracle Audit Vault and Database Firewall to work with a third-party Security Information and Event Management (SIEM) system, using syslog integration.

  6. Check that the system is functioning correctly.

See Also:

  • Managing A Resilient Audit Vault Server Pair for more information about configuring a resilient pair of Oracle Audit Vault Servers for high availability. Perform the initial configuration that is described in this chapter for both Oracle Audit Vault Servers.

  • Summary of Configuration Steps to understand the high-level workflow for configuring Oracle Audit Vault and Database Firewall

4.2 Changing the UI (Console) Certificate for Oracle Audit Vault Server

Learn how to change the UI certificate for Oracle Audit Vault Server.

When you first access the Oracle Audit Vault Server console, you see a certificate warning or message. To avoid this type of message, you can upload a new UI certificate signed by a relevant certificate authority.

Prerequisite

Log in to Oracle Audit Vault Server console as a super administrator. See Log in to Oracle Audit Vault Server Console for more information.

To change the UI certificate for the Audit Vault Server:

  1. Click Settings.
  2. Click the Security tab in the left navigation menu.
  3. Click the Certificate sub-tab on the main page.
  4. Click Console Certificate.
  5. Click Generate Certificate Request.

    The Generate Certificate Request dialog is displayed with the Common Name for the certificate.

  6. If you want to change the common name that is displayed, then click Change.

    The certificate warnings are based on the common name used to identify Oracle Audit Vault Server. To suppress the warning when you access Oracle Audit Vault Server console using its IP address instead of the host name, also check Suppress warnings for IP based URL access.

  7. Complete the form and enter content in the mandatory fields.
  8. Click Submit and Download.
  9. Save the .csr file and then submit this file to a certificate authority. Ensure that the certificate contains the following details. The COMMON NAME field is filled by default.
    • COMMON NAME
    • ISSUER COMMON NAME
  10. After the certificate authority issues a new certificate, upload it by returning to the Console Certificate sub tab, and then click Upload Certificate.

Note:

You may need to install the public certificate of the Certificate Authority in your browser, particularly if you are using your own public key infrastructure.

4.3 Specifying Initial System Settings and Options on Oracle Audit Vault (Required)

Learn how to specify initial Oracle Audit Vault system settings and options.

4.3.1 Specifying the Server Date, Time, and Keyboard Settings

Learn how to specify the Oracle Audit Vault server date, time, and keyboard settings.

Super administrators can change the Oracle Audit Vault Server date, time, and keyboard settings. It is important to ensure that the date and time that you set for Oracle Audit Vault Server are correct. This is because events that the server performs are logged with the date and time at which they occur according to the server's settings. In addition, archiving occurs at specified intervals based on the server's time settings.

About Time Stamps

Oracle Audit Vault Server stores all data in UTC. Time stamps are displayed as follows:

  • If you are accessing data interactively, for example using the Oracle Audit Vault Server UI or AVCLI command line, then all time stamps are in your time zone. In the UI, the time zone is derived from the browser time zone. If you are using AVCLI, then the time zone is derived from the "shell" time zone (usually set by the TZ environment variable).

  • If you log in to Oracle Audit Vault Server as root or support, then time stamps are displayed in UTC, unless you change the TZ environment variable for that session.

  • If you are looking at a PDF or XLS report or email that is generated by the system, then the time stamps displayed reflect the Time Zone Offset setting in the Audit Vault Server Manage link (see procedure below).

    WARNING:

    Do not change the Oracle Audit Vault Server database time zone or change the time zone through any configuration files. Doing so causes serious problems in Oracle Audit Vault Server.

  • If you are looking at the Oracle Database Firewall UI, then all time zones are displayed in UTC.

Prerequisite

Log in to Oracle Audit Vault Server console as super administrator. See Log in to Oracle Audit Vault Server Console for more information.

To set the server date, time, and keyboard settings

  1. Click the Settings tab.

  2. Click on the System tab in the left navigation menu.

  3. Click Manage under the Configuration tab on the main page.

  4. From the Timezone Offset drop-down list, select your local time in relation to Coordinated Universal Time (UTC).

    For example, -5:00 is five hours behind UTC. You must select the correct setting to ensure that the time is set accurately during synchronization.

  5. From the Keyboard drop-down list, select the keyboard setting.

  6. In the System Time field, select Set Manually or Use NTP.

    Selecting NTP synchronizes time with the average of the time recovered from the time servers specified in the NTP Server 1/2/3 fields.

  7. If you selected Use NTP, then select Synchronize Periodically to start using the NTP Server time.

    If you do not enable time synchronization in this step, then you can still enter NTP Server information in the steps below and enable NTP synchronization later.

  8. (Optional) Select Synchronize Once After Save if you want the time to be synchronized when you click Save.

  9. In the NTP Server 1, NTP Server 2, and NTP Server 3 sections enter the IP addresses or names of your preferred time servers.

    If you specify a name, then the DNS server that is specified in the Services dialog under System tab is used for name resolution.

  10. Click Test Server to display the time from the server.

    Click Apply Server to update the Audit Vault Server time from this NTP server. The update will not take effect until you click Save.

  11. Click Save.

To enable time synchronization, you may also need to specify the IP address of the default gateway and a DNS server.

4.3.2 Specifying Oracle Audit Vault Server System Settings

Learn about configuring Oracle Audit Vault Server system settings.

4.3.2.1 Setting or Changing the Oracle Audit Vault Server Network Configuration

Learn how to change the Oracle Audit Vault Server network configuration.

The Oracle Audit Vault and Database Firewall installer configures the initial network settings for Oracle Audit Vault Server during installation. You can change the network settings after installation.

Note:

If you change the Oracle Audit Vault Server network configuration, then you must also do the following:

  1. Restart all audit trails.

  2. Reconfigure the resilient pair of Oracle Database Firewalls if you previously configured them.

  3. If the IP address of Oracle Audit Vault Server was changed, then update this information in Oracle Database Firewall.

Prerequisite

Log in to the Oracle Audit Vault Server console as an administrator or super administrator. See Log in to Oracle Audit Vault Server Console for more information.

To configure the Oracle Audit Vault Server network settings:

  1. Click the Settings tab.
  2. Click the System tab in the left navigation menu.
  3. Click Network under the Configuration sub tab on the main page.
  4. Edit the following fields as necessary:
    • Host Name: The host name must be a fully qualified domain name of Oracle Audit Vault Server. The host name must start with a letter, can contain a maximum of 24 characters, and cannot contain spaces.

      Note:

      Changing the host name requires a reboot. After you click Save, the system asks you to confirm if you want to reboot or cancel. If you confirm, then the system reboots and Oracle Audit Vault Server will be unavailable for a few minutes.

    • IP Address: The IP address of Oracle Audit Vault Server. An IP address was set during the installation of Oracle Audit Vault Server. To use a different address, you can change it now. The IP address is static and must be obtained from your network administrator.

      Note:

      • Changing the IP address requires a reboot.

      • If you have a high availability configuration, then the primary and standby Oracle Audit Vault Servers must be unpaired before changing the IP address. Once the IP address of the primary or standby Oracle Audit Vault Server is changed, pair the two servers again. Once you complete the pairing process, redeploy the Oracle Audit Vault Agents to ensure that they are updated with the new IP addresses for both the primary and the standby Oracle Audit Vault Servers.

      You may need to add the specified IP address to routing tables to enable traffic to go between Oracle Audit Vault Server and the Database Firewalls.

    • Network Mask: (Super Administrator Only) The subnet mask of the Audit Vault Server.

    • Gateway: (Super Administrator Only) The IP address of the default gateway (for example, to access the management interface from another subnet). The default gateway must be on the same subnet as Oracle Audit Vault Server.

    • Link properties: Do not change the default setting unless your network has been configured to not use auto negotiation.

  5. Click Save.

4.3.2.2 Configuring or Changing the Oracle Audit Vault Server Services

Learn how to configure and change Oracle Audit Vault Server services.

Prerequisite

Log in to the Oracle Audit Vault Server console as a super administrator. See Log in to Oracle Audit Vault Server Console for more information.

To configure the Oracle Audit Vault Server services:

  1. Click the Settings tab.
  2. Click the System tab in the left navigation menu.
  3. Click Services under the Configuration sub tab on the main page.
  4. Under the DNS tab, turn on the button and enter the IP address in the specific fields. Enter the IP addresses of up to three DNS servers on the network. Oracle Audit Vault Server uses these IP addresses to resolve host names. Keep the fields disabled if you do not use DNS servers. Enabling these fields could degrade system performance if you use DNS servers.
  5. In the Services dialog, click on the Web/SSH/SNMP tab.
  6. Complete the following fields as necessary:

    Caution:

    When allowing access to Oracle Audit Vault and Database Firewall you must be careful to take proper precautions to maintain security.

    • Web Access: If you want to allow only selected computers to access the Audit Vault Server console, select IP Addresses and enter specific IP addresses in the box, separated by spaces. Using the default of All allows access from any computer in your site.

    • SSH Access: You can specify a list of IP addresses that are allowed to access Audit Vault Server from a remote console by selecting IP Addresses and entering them in this field, separated by spaces. Using a value of All allows access from any computer in your site. Using a value of Disabled prevents console access from any computer.

    • SNMP Access: You can specify a list of IP addresses that are allowed to access the network configuration of Audit Vault Server through SNMP by selecting IP Addresses and entering them in this field, separated by spaces. Selecting All allows access from any computer. Selecting the default value of Disabled prevents SNMP access. You can select Use Stored SNMP String; otherwise, clear the check box and specify another string. The SNMP community string is gT8@fq+E.

  7. Click Save.

    See Also:

    Protecting Your Data for a list of recommendations and precautions to maintain security

4.3.2.3 Changing IP Addresses of Active, Registered Hosts

Learn about changing the IP addresses of active, registered hosts.

Use this procedure to change the IP address of a live registered host without affecting the functionality of Oracle Audit Vault Agent.

Prerequisites

  1. Stop Audit Trails. See section Stopping, Starting, and Autostart of Audit Trails in Oracle Audit Vault Server for more information.

  2. Stop Oracle Audit Vault Agent before changing the IP address of the target server. See section Stopping, Starting, and Other Agent Operations for more information to stop the Audit Vault Agent.

To change the IP address of a live registered host

  1. Change the IP address of the target server.
  2. Change the IP address of the previously registered host entity of Oracle Audit Vault and Database Firewall using the Oracle Audit Vault GUI or Oracle Audit Vault command-line interface.
  3. Run the following to start the Oracle Audit Vault Agent with the -k option:
    agentctl start -k
  4. Enter an Activation Key.
  5. Start Audit Trails.

4.3.3 Configuring Oracle Audit Vault Server Syslog Destinations

Learn how to configure Oracle Audit Vault Server syslog destinations.

Use the following procedure to configure the types of syslog messages to send from Oracle Audit Vault Server. The message categories are Debug, Info, or System. You can also forward Alert messages to the syslog.

Configuring Syslog enables integration with popular SIEM vendors such as Splunk, IBM QRadar, LogRhythm, ArcSight and others.

Prerequisites

  • Log in to the Oracle Audit Vault Server console as an administrator. See Log in to Oracle Audit Vault Server Console for more information.

  • Ensure that the IP addresses provided for syslog destinations are on a different host than the Oracle Audit Vault Server.

  1. Click the Settings tab.
  2. Click the System tab in the left navigation menu.
  3. Under the Configuration section, click Connectors.
  4. In the Connectors dialog, click the Syslog tab.
  5. Complete the fields, as necessary:
    • Syslog Destinations (UDP): Use this box if you are using User Datagram Protocol (UDP) to communicate syslog messages from Oracle Audit Vault Server. Enter the IP address of each machine that is permitted to receive the syslog messages, separated by spaces.

    • Syslog Destinations (TCP): Use this box if you are using Transmission Control Protocol (TCP) to communicate syslog messages from Oracle Audit Vault Server. Enter the IP address and port combinations of each server that is permitted to receive the syslog messages, separated by spaces.

    • Syslog Categories: You can select the types of syslog messages to generate as follows:

      • Alert: Alerts based on alert conditions that an Oracle Audit Vault and Database Firewall auditor specifies.

        To forward Oracle Audit Vault and Database Firewall alerts to syslog, select this category. In addition to this setting, the Oracle Audit Vault and Database Firewall auditor must configure alert forwarding.

      • Debug: Engineering debug messages (for Oracle support use only).

      • Info: General Oracle Audit Vault and Database Firewall messages and property changes.

      • System: System messages generated by Oracle Audit Vault and Database Firewall or other software that has a syslog priority level of at least INFO.

  6. Click Save.
  7. If you are using two Oracle Audit Vault Servers as a resilient pair, then repeat specifying the initial system settings and options on the second Oracle Audit Vault Server.

4.3.4 Configuring Custom Ports on Network Interfaces

Learn how to configure custom ports on network interfaces in standalone and high availability environments.

Oracle Audit Vault and Database Firewall requires TCP and TCPS based external SQL access. By default, the TCP and TCPS ports are 1521 and 1522 respectively. User-defined ports are also used for SQL connections. Oracle Audit Vault and Database Firewall supports the configuration of a custom port. As a super admin user you can specify a custom TCP and TCPS port for SQL communication on Oracle Audit Vault Server. Custom ports can be configured for network interfaces in standalone and high availability environments. Upon configuring a custom port, SQL communication is enabled and added to the network configuration.

To configure custom ports on a primary network interface:

Note:

The commands in the procedure below must be executed only on the primary Audit Vault Server in a high availability environment.
  1. Log in to the appliance as root user.
  2. Switch user to oracle.
  3. Use SQLPLUS and connect as super admin user by entering the ID and password as follows.
    <super-admin>/<password>

    Note:

    • Other users cannot configure custom ports. If this operation is attempted by another user, then a message is displayed on the AVCLI that there are insufficient privileges for the user.
    • Only root users can access error or debug logs.
  4. Run the following commands to configure custom ports and related operations:
    • Operation: To configure custom TCP and TCPS ports on the Audit Vault Server.
      Command: exec management.server.custom_listener_ports(<tcp_custom_port>, <tcps_custom_port>);

    • Operation: To disable default ports (1521, 1522) on the Audit Vault Server.
      Command: exec management.server.disable_std_listener_port_access;

    Note:

    • The same ports are configured on the standby Audit Vault Server in a high availability environment.
    • Upon configuring a new custom port, ensure all the Audit Vault Agents are updated with the new port. This can be verified with the Agent update timestamp on the Audit Vault Server console. After all the Agents are updated, ensure the trails continue to run after the Agents are updated with the new custom ports. The standard ports must be disabled after this verification. If standard ports are disabled before the Agents are updated, then those Agents stop running and need to be manually updated. This can be done by updating the connect string in the av/conf/bootstrap.prop file of the Agent home directory.
    • Oracle Audit Vault and Database Firewall supports more than one set of custom ports.
    • Follow these instructions while performing backup and restore operations. If you configured a custom port before performing the backup operation, then the port should remain as you configured it during the restore operation.
    • Follow these instructions for a high availability environment. The TCPS port configured on the standby must be the same as on the primary server during pairing; otherwise, pairing results in an error.
    • Execute the command exec management.server.enable_std_listener_port_access to roll back and set ports 1521 and 1522 as the default ports. After the custom ports are enabled, do not disable them in immediate succession as this may disrupt the communication between the Audit Vault Agent and Audit Vault Server. In such an event, the Audit Vault Agents have to be reinstalled. Before disabling the custom port and changing back to default ports, ensure the Audit Vault Agents are updated.
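
A reachability check for the sequence described above, as an added example that is not part of the Oracle documentation: run from an agent host, it confirms that the custom ports answer before the standard ports are disabled, and that 1521 and 1522 are closed afterwards. The function names and the command-line layout are hypothetical, and the check complements, rather than replaces, verifying the Agent update timestamp on the Audit Vault Server console.

```python
import socket
import sys

STANDARD_PORTS = (1521, 1522)  # default TCP and TCPS ports named in this section


def port_accepts(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within the timeout.

    Only the TCP handshake is tested; no TLS or SQL traffic is exchanged.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name resolution failed
        return False


def review_listener_state(host, custom_ports, standard_disabled, probe=port_accepts):
    """Compare the observed listener ports with the expected stage of the change.

    standard_disabled=False: custom ports are configured, standard ports still on.
    standard_disabled=True:  disable_std_listener_port_access has been run.
    Returns a list of findings; an empty list means the state is as expected.
    """
    findings = []
    for port in custom_ports:
        if not probe(host, port):
            findings.append(
                f"custom port {port} unreachable: keep the standard ports enabled")
    for port in STANDARD_PORTS:
        is_open = probe(host, port)
        if standard_disabled and is_open:
            findings.append(
                f"standard port {port} still open after disable_std_listener_port_access")
        elif not standard_disabled and not is_open:
            findings.append(
                f"standard port {port} closed early: agents not yet updated lose their connection")
    return findings


if __name__ == "__main__":
    # Hypothetical usage: check_ports.py <avs-host> <tcp_custom_port> <tcps_custom_port> [disabled]
    if len(sys.argv) < 4:
        sys.exit("usage: check_ports.py <avs-host> <tcp_custom_port> <tcps_custom_port> [disabled]")
    target = sys.argv[1]
    ports = (int(sys.argv[2]), int(sys.argv[3]))
    disabled = len(sys.argv) > 4 and sys.argv[4] == "disabled"
    problems = review_listener_state(target, ports, disabled)
    for line in problems:
        print("FINDING:", line)
    sys.exit(1 if problems else 0)
```

An unreachable custom port seen from an agent host usually points at a network firewall between the agent and the server, which is worth resolving before the standard ports are disabled.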

4.4 Configuring the Email Notification Service

Learn about configuring the email notification service.

4.4.1 About Email Notifications in Oracle Audit Vault and Database Firewall

Learn about Oracle Audit Vault and Database Firewall email notifications.

An auditor can configure Oracle Audit Vault and Database Firewall to send users email notifications when alerts or reports are generated. To do this, you must configure an SMTP server to enable email notifications. The email notifications can be sent in text format to mobile devices or they can be routed through an SMS gateway.

Note the following:

  • You can configure one SMTP (or ESMTP) server for each Oracle Audit Vault and Database Firewall installation.

  • You can configure Oracle Audit Vault and Database Firewall to work with both unsecured SMTP servers as well as with secured and authenticated SMTP servers.

See Also:

Oracle Audit Vault and Database Firewall Auditor's Guide for information about configuring alerts and generating reports

4.4.2 Configuring Email Notification for Oracle Audit Vault and Database Firewall

Learn how to configure email notification for Oracle Audit Vault and Database Firewall.

Prerequisite

Log in to Oracle Audit Vault Server as an administrator. See Log in to Oracle Audit Vault Server Console for more information.

To configure the email notification service:

  1. Click the Settings tab.
  2. Click the System tab in the left navigation menu.
  3. Click Connectors in the Configuration section on the main page.
  4. In the Connectors dialog, click the Email tab.
  5. Enter the IP address of the SMTP server in SMTP Server Address.
  6. In the SMTP Port field, enter the SMTP server port.
  7. In the From Username field, enter the user name used as the sender of the email.
  8. In the From Address field, enter the sender's address that appears in the email notifications.
  9. If this SMTP server requires it, then select Require Credentials, and then supply a Username and Password.
  10. If this SMTP server requires authentication, then select Require Secure Connection, and then select the authentication protocol (SSL or TLS).
  11. Optionally enter the email address and Test the email configuration.
  12. Click Save.

4.5 Configuring Archive Locations and Retention Policies

Learn about configuring archive locations and retention policies.

Note:

Remember the following rules while archiving and restoring tablespaces:

  • The restore policy must follow the guidelines in this section.

  • Check the tablespace that needs to be archived and the corresponding tablespace that needs to be purged as explained in the policy.

  • Restoring data into empty tablespaces is not possible. Check accordingly.

  • In case the tablespace enters the delete period, it is deleted automatically from Oracle Audit Vault Server.

  • Every tablespace is uniquely identified using the name of the month that it moves offline and the month that it is purged. The tablespaces are created automatically based on the policies that you create.

  • When the retention policy changes, the new policy is applied to the incoming data immediately. It does not affect the existing tablespaces which adhere to the old policy.

  • You can archive the tablespace when it enters the offline period.

  • After restoring the tablespace, it is actually online. After you release the tablespace, it goes offline. You must rearchive the tablespace after it is released.

4.5.1 About Archiving and Retrieving Data in Oracle Audit Vault and Database Firewall

Learn about archiving and retrieving data in Oracle Audit Vault and Database Firewall.

Data files are archived as part of an information lifecycle strategy. Oracle Audit Vault and Database Firewall release 20.1.0.0.0 supports the automatic archival of a job to an NFS-configured location. When the online period of the data on the tablespace expires, it is automatically archived without your intervention. You have a choice to enable automatic archival during a fresh installation of Oracle Audit Vault and Database Firewall in release 20.1.0.0.0. Or, you can manually archive jobs with the desired settings.

When you upgrade to Oracle Audit Vault and Database Firewall release 20.1.0.0.0 from an older release, the system continues to use manual archiving. This means that you have to configure archival of jobs manually.

You can switch between automatic and manual job archiving. If there is a job in progress during the switch over, then the change occurs after the active job is completed. A suitable message is displayed to the user. After you switch to automatic archiving, all of the existing NFS locations are configured into an automatic archiving list. They are listed under Manage Archive Locations. If the space in archive location is full or inaccessible, then automatic archiving chooses the next archive location from the list. The automatic archival functionality performs a check for available space and accessibility on a daily basis.

Note:

After you enable automatic archiving, manual archiving is disabled. When upgrading to a newer version in release 20.1.0.0.0, the system continues to use either the automatic or the manual archiving that you configured prior to the upgrade.

You must create archiving (or retention) policies and archive locations so that the archived data is transferred in accordance with your archiving policies. Oracle recommends that you archive regularly in accordance with your company's policy.

Automatic archival is supported only on Network File Systems (NFS). Oracle recommends that you use NFS to transfer data to an archive location. If you use Secure Copy (SCP) or Windows File Sharing (SMB) to transfer data to an archive location, then your data files are first copied to a staging area in Oracle Audit Vault Server. Therefore, you must ensure that there is sufficient space in your file system. Otherwise, the data file copying may fail. Transferring large files using SCP or SMB may take a long time.

What is a Retention (or Archiving) Policy?

Retention policies determine how long data is retained in Oracle Audit Vault Server, when data is available for archiving, and for how long archived data can be retrieved to Oracle Audit Vault Server. An administrator creates retention (or archiving) policies and an auditor assigns a specific policy to each target as well as to scheduled reports. The settings that you can specify in a retention policy are as follows:

  • Months Online: The audit data is available in Oracle Audit Vault Server for the number of months online that you specify. During this period, data is available for viewing in reports. When this period elapses, the audit data files are available for archiving, and are no longer visible for reports. When the administrator archives these data files, the data is physically removed from Oracle Audit Vault Server.

  • Months Archived: The archived audit data can be retrieved to Oracle Audit Vault Server for the number of months specified in Months Archived. If you retrieve the data during this period, then it will be available again in reports. When the months archived period expires, the data can no longer be retrieved to Oracle Audit Vault Server.

Retention times are based on the time that the audit events occurred in the target. If the auditor does not select a retention policy for a target or scheduled report, Oracle Audit Vault Server uses the default retention policy (12 months for online retention, and 12 months in archives).

Example

Suppose your retention policy is:

  • Months Online: 2

  • Months Archived: 4

With this retention policy, data that is generated during the last two months is available in Oracle Audit Vault Server. Data that is older than two months is available for archiving, and is no longer visible in reports. Archived data is available to retrieve for four months. This data is older than two months but newer than six months, and can be retrieved from the archives to Oracle Audit Vault Server. Data that is older than six months is no longer available.

When New Data Collected Is Older Than Retention Policy Limits

When you collect audit data for a newly configured target, or from a new audit trail on an existing target, the data collected from that target may be older than the Months Online period. In fact, the data may even be older than the Months Archived period.

For instance, suppose your retention policy is the same as the above Example. Now suppose you begin collecting audit data from a newly configured target. If some of this data is over six months old, it is older than the months online period and the months archived period combined. In this case, Oracle Audit Vault and Database Firewall automatically drops any newly collected audit records that are older than six months.

However, if some of this audit data is older than two months but newer than six months, that is, it falls within the months archived period, then Oracle Audit Vault and Database Firewall does one of the following:

  • If this is an audit trail for a newly configured target, then Oracle Audit Vault and Database Firewall automatically archives that data as the audit trail is collected.

  • If this is a new audit trail for an existing target, then Oracle Audit Vault and Database Firewall attempts to archive these records automatically as the audit trail is collected. However, you may have to make required data files available during this process.

Note:

In case the archive location is not defined, once the months online period expires and before the completion of offline period, the audit data for the specific target is moved offline. The data remains on the Audit Vault Server and can be retrieved and viewed in the Reports section of the Audit Vault Server console. This is applicable for the default and user defined archival and retention policy.

See Also:

Handling New Audit Trails with Expired Audit Records for information to make required data files available
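
The retention rules of this section, as an added example that is not part of the Oracle documentation: it classifies an event time against a policy and previews what happens to backlog records when collection starts on a new target or trail. The names RetentionPolicy, lifecycle_state, collection_outcome and preview_backlog are hypothetical, the sample dates are constructed, and boundaries are computed to the day as an assumption, whereas the product manages data in monthly tablespaces.

```python
import calendar
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class RetentionPolicy:
    months_online: int
    months_archived: int


# Default policy stated in this section: 12 months online, 12 months in archives.
DEFAULT_POLICY = RetentionPolicy(months_online=12, months_archived=12)


def months_before(moment, months):
    """Shift `moment` back by whole calendar months, clamping to the month's last day."""
    index = moment.year * 12 + (moment.month - 1) - months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return moment.replace(year=year, month=month0 + 1, day=min(moment.day, last_day))


def lifecycle_state(event_time, now, policy):
    """Classify a record by the time the audit event occurred on the target."""
    online_edge = months_before(now, policy.months_online)
    archive_edge = months_before(now, policy.months_online + policy.months_archived)
    if event_time >= online_edge:
        return "online"      # visible in reports
    if event_time >= archive_edge:
        return "archived"    # not in reports, still retrievable from the archive
    return "expired"         # older than both periods combined


def collection_outcome(event_time, now, policy, new_target):
    """What happens to a record that is only now being collected."""
    state = lifecycle_state(event_time, now, policy)
    if state == "online":
        return "collected"
    if state == "expired":
        return "dropped"     # never stored, so it cannot be recovered later
    # Within the months archived period: behaviour depends on the trail type.
    return "auto-archived" if new_target else "archive-attempted"


def preview_backlog(event_times, now, policy, new_target):
    """Count outcomes for a backlog of event times before starting a trail."""
    return Counter(collection_outcome(t, now, policy, new_target) for t in event_times)


def utc(year, month, day):
    # Audit Vault Server stores all data in UTC, so the sample uses UTC too.
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample: the section's example policy and a backlog of event times.
NOW = utc(2024, 7, 15)
EXAMPLE_POLICY = RetentionPolicy(months_online=2, months_archived=4)
BACKLOG = [utc(2024, 6, 20), utc(2024, 5, 15), utc(2024, 3, 1),
           utc(2024, 1, 15), utc(2023, 12, 31), utc(2023, 6, 1)]

if __name__ == "__main__":
    for when in BACKLOG:
        print(when.date(), collection_outcome(when, NOW, EXAMPLE_POLICY, new_target=True))
    print(dict(preview_backlog(BACKLOG, NOW, EXAMPLE_POLICY, new_target=True)))
```

Running the preview against the oldest records of a trail before onboarding shows how much history the chosen policy would drop on collection.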

4.5.2 Defining Archive Locations

Learn about defining archive locations.

You must define one or more locations as destinations for archive files before you can start an archive job. An archiving destination specifies the archive storage locations and other settings.

Oracle recommends that you use NFS to transfer data to an archive location. If you use Secure Copy (SCP) or Windows File Sharing (SMB) to transfer data to an archive location, then your data files are first copied to a staging area in Oracle Audit Vault Server. Therefore, you must ensure that there is sufficient space in the file system. Otherwise the data file copying may fail. Transferring large files using SCP or SMB may take a long time.

Note:

  • The backup functionality does not back up archived files. The data files in the archive location are not backed up by avbackup because they may be located on a remote file system. In case those files are on an NFS mount point, then they are accessible after restoring on a new system with the same mount points that were previously configured.

  • Oracle AVDF 20.1 and later supports Network File System (NFS) versions v3 and v4 for archive or retrieve functionality.

  • NFS v3 only is not supported.

  • If your NFS server supports and permits both v3 and v4 for archive or retrieve, then no action is required.

  • In case you have NFS v4 only in your environment for archive or retrieve, then set the _SHOWMOUNT_DISABLED parameter to TRUE using the following steps:

    1. Log in to the Audit Vault Server as root.
    2. Switch user to oracle: su oracle
    3. Start SQL*Plus connection as sqlplus /nolog without the username or password.
    4. In SQL*Plus execute the command: connect <super administrator>
    5. Enter the password when prompted. Alternatively, execute the command: connect <super administrator/password>
    6. Execute the command: exec avsys.adm.add_config_param('_SHOWMOUNT_DISABLED','TRUE');

Prerequisite

Log in to the Audit Vault Server as an administrator. See Log in to Oracle Audit Vault Server Console for more information.

To create an archive location:

  1. Click the Settings tab.
  2. Click Archiving tab in the left navigation menu.
  3. Click Manage Archive Locations tab in the main page.

    A list of existing archive locations is displayed.

  4. Click the Create button, and complete the following fields:
    • Transfer Method: The method used to transfer data from Oracle Audit Vault Server to the machine that archives the data:

      • Secure Copy (scp): Select if the data is archived by a Linux machine.

      • Windows File Sharing (SMB): Select if the data is archived by a Windows machine.

      • Network File System (NFS): Select if using a network file share or NAS.

    • Location Name: The name of the archiving destination. This name is used to select the archiving destination when starting an archive.

    • Remote Filesystem: If you use the Network File System (NFS) transfer method, then you can select an existing filesystem, or one will be created automatically based on the details of this archive location.

      Note:

      In a standalone system, you can use the AVCLI utility to register a remote filesystem. This filesystem can be later selected in the Audit Vault Server console. This is not possible in a high availability environment.

      The archive locations must be created using the Audit Vault Server console only in a high availability environment by selecting the Create New Filesystem option.

    • Address: The name or IP address of the machine that archives the data. If Windows File Sharing is the transfer method, then specify an IP address.

    • Export Directory: If you use the Network File System (NFS) transfer method, then enter the export directory of the NFS server for both the primary and secondary Oracle Audit Vault Server. This directory must be listed in the /etc/exports file of the NFS server. Ensure that this directory has appropriate read and write permissions before entering data in this field.

    • Path: The path to the archive storage location. Enter a path to a directory (not a file), noting the following for these transfer methods:

      • Secure Copy (scp): If there is no leading slash character, the path is relative to the user's home directory. If there is a leading slash, the path is relative to the root directory.

      • Windows File Sharing (SMB): Enter the sharename, followed by a forward slash and the name of the folder. For example, /sharename/myfolder

      • Network File System (NFS): Enter the path relative to the export directory. For example, if the export directory is /export_dir, and the full path to the directory you want to designate as an archive location is /export_dir/dir1/dir2, then enter /dir1/dir2 in the Path field. This sub-directory need not be listed in the /etc/exports file of the NFS server. It is used only for entering details in the Path field while defining the archive location. To put archives directly in the NFS server's export directory, enter / (forward slash) for the Path.

        You can click the Test button to validate the NFS location when done.

    • Port: This is the port number that secure copy uses or the Windows fileshare service on the machine that archives the data. You can normally use the default port number.

      If you selected Windows File Sharing as the Transfer Method, then use port 445.

    • Username: The account name on the machine to which the archive data will be transferred.

    • Authentication Method: If Secure Copy (scp) is the transfer method, then you can select Password Authentication and enter the login password. If a Linux machine is used, then you can select Key-based Authentication.

      If using Key-based Authentication, then the administrator of the remote machine must ensure that the file that contains the RSA key (~/.ssh/authorized_keys) has permissions set to 664.

    • Password and Confirm Password: If you use Windows file sharing, or if you selected Password as the authentication method, then this is the password to log into the machine that archives the data.

    • Public Key: This field appears if you selected Key-based Authentication. Copy this public key and add it to the public keys file on the machine that archives the data. For example, add the key in ~/.ssh/authorized_keys.

  5. Click Save.

Managing NFS locations in high availability environment

Oracle Audit Vault and Database Firewall supports archiving. Prior to release 12.2.0.11.0, archiving was configured only on the primary Audit Vault Server and there was no ability to configure archiving on the standby server. After a failover, archive locations had to be manually set on the former standby (new primary). Starting with release 12.2.0.11.0, you can now configure NFS archive locations on both the primary and standby Audit Vault Servers, reducing the amount of manual work that needs to be performed following a failover.

Follow these steps to create a new NFS archive location:

  1. Log in to the Audit Vault Server console as admin user.
  2. Click Settings, and then click ARCHIVING tab in the left navigation menu.
  3. Click Manage Archive Locations tab in the main page.
  4. The list of existing archive locations is displayed. Click the name of the existing archive location to modify. Make the changes and click Save.
  5. Click Create to create a new archive location using NFS.
  6. The Network File System (NFS) is selected by default. Enter the following details to create a new NFS archive location:
    • Location Name
    • Remote Filesystem
    • Primary Server Address
    • Secondary Server Address
    • Primary Server Export Directory
    • Secondary Server Export Directory
    • Primary Server Path
    • Secondary Server Path
  7. Click Save.

Note:

Export directory and destination path of the archive locations for the primary and secondary Oracle Audit Vault Servers must be unique. The complete combination of the NFS location (host:export_directory:destination_path) must be unique.
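The Path rule for NFS locations and the uniqueness rule in the note above can be checked before the values are typed into the console. The following is an added example, not Oracle code; the function names and sample hosts are hypothetical, and treating host names case-insensitively and ignoring trailing slashes is an assumption that makes the check stricter than a literal string comparison.

```python
import posixpath

# Constructed sample data: three NFS archive locations as an administrator might plan them.
SAMPLE_LOCATIONS = [
    {"name": "arch_a primary", "host": "nfs1.example.com", "export_dir": "/export_dir", "path": "/dir1/dir2"},
    {"name": "arch_a secondary", "host": "nfs2.example.com", "export_dir": "/export_dir", "path": "/dir1/dir2"},
    {"name": "arch_b primary", "host": "NFS1.example.com", "export_dir": "/export_dir/", "path": "dir1/dir2/"},
]


def nfs_path_field(export_dir, full_path):
    """Return the value for the Path field: full_path expressed relative to export_dir."""
    export = posixpath.normpath(export_dir)
    full = posixpath.normpath(full_path)  # also collapses "a/../b" style components
    if not (export.startswith("/") and full.startswith("/")):
        raise ValueError("export directory and full path must both be absolute")
    if full == export:
        return "/"  # archives go directly into the export directory
    prefix = export.rstrip("/") + "/"
    # Compare whole components so /export_dir2 is not mistaken for a child of /export_dir.
    if not full.startswith(prefix):
        raise ValueError(f"{full_path} is not under export directory {export_dir}")
    return "/" + full[len(prefix):]


def location_key(host, export_dir, path):
    """Normalised host:export_directory:destination_path triple."""
    return (
        host.strip().lower(),
        posixpath.normpath(export_dir),
        posixpath.normpath("/" + path.lstrip("/")),
    )


def duplicate_locations(locations):
    """Return {triple: [location names]} for every triple that is used more than once."""
    seen = {}
    for loc in locations:
        key = location_key(loc["host"], loc["export_dir"], loc["path"])
        seen.setdefault(key, []).append(loc["name"])
    return {":".join(key): names for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    print(nfs_path_field("/export_dir", "/export_dir/dir1/dir2"))
    for triple, names in duplicate_locations(SAMPLE_LOCATIONS).items():
        print("not unique:", triple, "used by", ", ".join(names))
```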

4.5.3 Creating or Deleting Archiving Policies

Learn about creating and deleting policies.

4.5.3.1 Creating Archiving and Retention Policies

Learn about creating archiving and retention policies.

After you create a retention policy, an Oracle AVDF auditor can apply the policy to targets.

Prerequisite

Log in to the Audit Vault Server console as an administrator. See Log in to Oracle Audit Vault Server Console for more information.

To create an archiving (retention) policy:

  1. Click the Settings tab.
  2. Click Archiving tab in the left navigation menu.
  3. Click Manage Policies tab in the main page, and then click the Create button.
  4. Enter a Name for this policy.
  5. In the Months Online field, enter the number of months to retain audit data in Oracle Audit Vault Server before the data is marked for archiving. The default value is 1.

    For example, if you enter 2, then audit data for targets that use this retention policy will be available for archive jobs after two months online in Oracle Audit Vault Server. After the months online period expires, the data is no longer visible in reports.

  6. In the Months Archived field, enter the number of months to retain audit data in the archive location. The default value is 6.

    This value determines how long data is available to retrieve to Oracle Audit Vault Server, but it does not cause the data to be purged from the archive. For example if you enter 4, data can be retrieved from the archives for a period of four months after it has been archived.

    See Also:

    Oracle Audit Vault and Database Firewall Auditor's Guide for instructions on assigning retention policies

4.5.3.2 Deleting Archiving Policies

Learn how to delete archiving policies.

You can only delete user-defined archiving policies.

Prerequisite

Log in to Oracle Audit Vault Server console as an administrator. See Log in to Oracle Audit Vault Server Console for more information.

To delete an archiving (retention) policy:

  1. Click the Settings tab.
  2. Click the Archiving tab in the left navigation menu.
  3. Click Manage Policies in the main page.
  4. Under User-defined Policy section, select the specific policy to delete.
  5. Click Delete button.

4.5.4 Running Archive and Retrieval Jobs

Learn how to run archive and retrieval jobs.

4.6 Managing Archival and Retrieval in High Availability Environments

Learn how to manage archival and retrieval in high availability environments.

Oracle Audit Vault and Database Firewall supports archiving. Prior to release 12.2.0.11.0, archiving was configured only on the primary Audit Vault Server and there was no ability to configure archiving on the standby server. After a failover, archive locations had to be manually set on the former standby (new primary). Starting with release 12.2.0.11.0, you can now configure NFS archive locations on both the primary and standby Audit Vault Servers, reducing the amount of manual work that needs to be performed following a failover.

Oracle Audit Vault and Database Firewall release 12.2.0.11.0 and later ensures that the primary and secondary Audit Vault Servers have the same number of NFS archive locations. This is crucial for archiving and file management functionality to work effectively in a high availability environment.

Note:

  • Any user with admin privileges can perform archival and retrieval tasks.
  • It is recommended that NFS archive locations for primary and secondary Audit Vault Servers are on separate NFS servers.
  • It is recommended to have these NFS servers within the same data center as the corresponding Audit Vault Server. That is, the NFS server for the primary Audit Vault Server should be in the same data center as the primary Audit Vault Server, and the NFS server for the secondary Audit Vault Server should be in the same data center as the secondary Audit Vault Server.
  • NFS is a mount point on the Audit Vault Server. If you want to replace the NFS server, then make sure the Audit Vault Server does not access the mount point.

Prerequisite

Ensure that all of the Prerequisites for Configuring a Resilient Pair of Audit Vault Servers are satisfied before configuring high availability.

After you complete the high availability pairing, the NFS locations pertaining to both the primary and secondary Audit Vault Servers are displayed under Manage Archive Locations of the primary Audit Vault Server console. These NFS locations include those created on both the primary and secondary Audit Vault Servers before and after configuring high availability. The names of these NFS locations have the primary location name or the name defined while creating the location once high availability is configured. The Audit Vault Server console provides details of the host, export directory, and destination path for both the primary and secondary Audit Vault Servers.

Note:

Oracle Audit Vault and Database Firewall release 20.1.0.0.0 supports automatic archival on both primary and secondary Audit Vault Servers. If automatic archival is enabled on the primary Audit Vault Server, it is enabled on the corresponding secondary Audit Vault Server as well. The Audit Vault Server console displays the archive locations of the primary host with their mapped corresponding secondary locations.

Upgrade and archiving functionality in high availability environment

Archiving functionality is disabled during the upgrade process only when there are datafiles archived to the NFS locations. Upon completion of the upgrade process the admin user must enable the archive functionality to start archiving.

Updating or Deleting NFS locations

The super admin can update or delete the NFS locations after high availability pairing of primary and secondary Audit Vault Servers. The NFS locations on both the primary and secondary Audit Vault Servers can be updated or deleted. In case the datafiles are archived, the location cannot be updated or deleted. The Location Name and the Primary Server Path or the Secondary Server Path can be updated in case high availability is enabled.

4.7 Defining Resilient Pairs for High Availability

Learn how to define resilient pairs for high availability.

You can define resilient pairs of Oracle Audit Vault Servers, Oracle Database Firewalls, or both.

When you define a resilient pair of Oracle Audit Vault Servers, you must perform all of the configuration tasks. These tasks include adding database firewalls to the server and registering the targets on the primary Oracle Audit Vault Server.

4.8 Registering Oracle Database Firewall in Oracle Audit Vault Server

Learn how to register Oracle Database Firewall in Oracle Audit Vault Server.

Use this procedure to register an Oracle Database Firewall in Oracle Audit Vault Server.

Prerequisites

To register Database Firewall in Audit Vault Server:

  1. If there is a resilient pair of Oracle Audit Vault Servers, then log in to the primary server.
  2. Click the Database Firewalls tab.

    The Firewalls page displays the currently registered firewalls and their statuses.

  3. Click Register.
  4. Enter a Name for Oracle Database Firewall and its IP Address.
  5. Click Save.

    Note:

    • If a message indicates that there is a problem with the certificate, then ensure that the date and time settings are identical on both Database Firewall and Audit Vault Server.

    • If the following error message is encountered, then check that the Audit Vault Server certificate is copied properly to the Database Firewall. Also check that the date and time settings are identical on both the Database Firewall and Audit Vault Server.

      OAV-46981 Unable to connect to Database Firewall with IP

4.9 Testing Oracle Audit Vault Server System Operations

Learn about testing Oracle Audit Vault Server system operations.

Verify that your system is fully operational before beginning your normal, day-to-day operations.

Prerequisite

Log in to Oracle Audit Vault Server as an administrator. See Log in to Oracle Audit Vault Server Console for more information.

To test your system's operation:

  1. Check the date and time settings of Oracle Audit Vault Server.
  2. Click the Settings tab.
  3. Click on the System tab in the left navigation menu.
  4. Under Monitoring section in the main page, click Diagnostics.
  5. Click the Run Diagnostics button to run a series of diagnostic tests and review the results.

    These diagnostics include testing:

    • Existence and access permissions of configuration files

    • File system sanity

    • Network configuration

    • Status of various processes that are required to run on the system. For example, database server processes, event collection process, Java framework process, HTTP server process, and so on.

  6. You can use the Download Diagnostics button to download the diagnostic results for further analysis.
  7. You can use the Clear Diagnostic Logs button to clear the current set of diagnostic logs on the Audit Vault Server.
  8. Click the Home tab, and check the status of Database Firewalls and Targets.

4.10 Configuring Fiber Channel-Based Storage for Oracle Audit Vault Server

Learn about configuring fiber channel-based storage for Oracle Audit Vault Server.

Oracle Audit Vault Server supports fiber channel-based storage. You can configure this storage during installation by performing this procedure.

To configure fiber channel-based storage for Oracle Audit Vault Server:

  1. Install Oracle Audit Vault Server on the local disk of your server. During installation, Oracle Audit Vault Server attempts to use all of the disks in your system. Use the configuration tools for the fiber channel controller such as Fast!UTIL, to ensure that other disks are not accessible.

    Note:

    • If the other disks are accessible, then they are formatted and erased during installation.

    • Oracle Audit Vault Server looks for the devices with the names of sd*, xvd*, hd*, cciss*, fio* in /sys/block. The installation succeeds if the fiber channel disks are exposed as one of these block devices.

    • The device xvd* is not supported for multipath.

    • The first disk must be a local disk with a minimum of 300 GB available space. If the available space is less than 300 GB, then the boot partition is allocated to a SAN fiber channel disk which is not supported. It is recommended that the sizes of the other disks be greater than that of the first disk.

  2. If you are using fiber channel-based storage, then perform the following remaining steps after your installation has successfully completed to ensure that Oracle Automatic Storage Management uses the active path. Otherwise, reboot your system to complete the configuration process.

    Note:

    Fiber channel-based storage with multipath is supported by Oracle Audit Vault and Database Firewall release 20.1 and onwards.

4.11 Fiber Channel Based Multipath in Oracle AVDF

Learn about support for multipath in Oracle AVDF.

Oracle Audit Vault and Database Firewall 20.1 and later supports fiber channel based storage with multipath. The redundant paths in multipath can enhance performance and utilize features like dynamic load balancing, traffic shaping, automatic path management, and dynamic reconfiguration. The connection to the disk can be made through two fiber channel ports.

Here are some important aspects of multipath in Oracle AVDF:

  • It is not supported with ISCSI storage.
  • It does not support the device xvd*.
  • Multipath is supported only for Audit Vault Server installation.
  • Multipath is not supported for Database Firewall installation.
  • It does not support removable block devices. Check for removable block devices in the system as they can lead to installation failure.

Note:

In case there are removable block devices in the system, the following error may be encountered during Audit Vault Server installation:

ERROR: Failed to check if the disk is in multipath
Traceback (most recent call last):
  File "/run/install/repo/partitions.py", line 386, in <module>
    main()
  File "/run/install/repo/partitions.py", line 372, in main
    write_partition_table( None )
  File "/run/install/repo/partitions.py", line 322, in write_partition_table
    part_table = generate_partition_table_data(dev_list)
  File "/run/install/repo/partitions.py", line 243, in generate_partition_table_data
    raise RuntimeError("No disks detected")
RuntimeError: No disks detected
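Because the installer formats every accessible disk it finds and fails when removable block devices are present, it helps to inventory the block devices before starting. The following is an added example, not the installer's own logic from partitions.py; it assumes a Linux environment booted on the target hardware, uses the device name patterns listed in section 4.10, and reads the standard sysfs attributes removable and size. The function names are hypothetical.

```python
import fnmatch
import os

# Device name patterns that this page says the installer looks for in /sys/block.
INSTALLER_PATTERNS = ("sd*", "xvd*", "hd*", "cciss*", "fio*")


def read_attr(dev_dir, attr, default="0"):
    """Read one sysfs attribute file, returning a default if it is absent."""
    try:
        with open(os.path.join(dev_dir, attr)) as fh:
            return fh.read().strip()
    except OSError:
        return default


def candidate_disks(sysfs_block="/sys/block"):
    """List block devices whose names match the installer patterns."""
    disks = []
    for name in sorted(os.listdir(sysfs_block)):
        if not any(fnmatch.fnmatchcase(name, p) for p in INSTALLER_PATTERNS):
            continue
        dev_dir = os.path.join(sysfs_block, name)
        sectors = int(read_attr(dev_dir, "size") or 0)  # sysfs reports 512-byte sectors
        disks.append({
            "name": name,
            "removable": read_attr(dev_dir, "removable") == "1",
            "size_gb": round(sectors * 512 / 10**9, 1),
        })
    return disks


def precheck(disks, multipath=False):
    """Return findings to resolve before installation."""
    findings = []
    for disk in disks:
        if disk["removable"]:
            findings.append(f"{disk['name']}: removable block device, detach it before installing")
        if multipath and disk["name"].startswith("xvd"):
            findings.append(f"{disk['name']}: xvd* devices are not supported for multipath")
    return findings


if __name__ == "__main__":
    if os.path.isdir("/sys/block"):
        found = candidate_disks()
        for disk in found:
            # Every disk listed here is one the installer could format and erase.
            print(f"{disk['name']:12} {disk['size_gb']:>10} GB  removable={disk['removable']}")
        for finding in precheck(found, multipath=True):
            print("WARNING:", finding)
```

Any disk in the output that should keep its data must be made inaccessible with the fiber channel controller's configuration tool before the installation starts.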

4.12 Adding Network Address Translation IP Addresses to Oracle Audit Vault Agent

You can add Network Address Translation (NAT) IP addresses to Oracle Audit Vault Agent.

Network Address Translation (NAT) is a method of remapping one IP address space into another. This is done by modifying network address information in the IP header of packets when they are in transit across traffic routing devices. Use this procedure to manually add the NAT IP address of the Oracle Audit Vault Server to the Oracle Audit Vault Agent.

In some deployments, Oracle Audit Vault Servers are within NAT networks. The agents are deployed in a network outside of the NAT configured network with actual IP addresses of Oracle Audit Vault Server. In such cases, the agents cannot reach Oracle Audit Vault Server.

In this case, you can add the NAT IP address and port mapping information to the dbfw.conf file of Oracle Audit Vault Server. This ensures adding an extra connection string in the agent's bootstrap.prop file so that agents can be deployed in both NAT and non-NAT networks.

Use Cases

Case 1: Oracle Audit Vault Server configuration without high availability.

  • There is only one Oracle Audit Vault Server. This server is behind NAT.

  • Agents in this set up can either connect to Oracle Audit Vault Server directly without NAT, or connect to the Oracle Audit Vault Server through NAT.

  • Agents connecting to Oracle Audit Vault Server directly, use IP address and port of Oracle Audit Vault Server.

  • Agents connecting to Oracle Audit Vault Server through NAT use the IP address and port of Oracle Audit Vault Server.

Case 2: Oracle Audit Vault Server configuration with high availability.

  • Both the primary and secondary Oracle Audit Vault Servers are behind the same NAT. The primary NAT IP address and secondary NAT IP address are the same. The primary NAT port and secondary NAT port are different.

  • Agents in this set up can either connect to Oracle Audit Vault Server directly without NAT, or through NAT.

  • Agents connecting to Oracle Audit Vault Server directly use the IP address and port of Oracle Audit Vault Server. In case of a failover of the primary Oracle Audit Vault Server, the agents continue to connect to the secondary Oracle Audit Vault Server using the IP address and port of the secondary Oracle Audit Vault Server.

  • Agents connecting to Oracle Audit Vault Server through NAT use the IP address and port of the primary Oracle Audit Vault Server. In case of failover of the primary Oracle Audit Vault Server, the Agents continue to connect to the secondary Oracle Audit Vault Server using the IP address and port of the secondary Oracle Audit Vault Server.

Case 3: Primary and secondary Oracle Audit Vault Servers with different NAT IP addresses.

  • Both the primary and secondary Oracle Audit Vault Servers are behind two different NAT IP addresses. The primary NAT IP address and secondary NAT IP address are different. The primary NAT port and secondary NAT port can be the same or different.

  • Agents in this setup can either connect to Oracle Audit Vault Server directly without NAT or through NAT.

  • Agents connecting to Oracle Audit Vault Server directly use the IP address and port of the Oracle Audit Vault Server. In case of failover of the primary Oracle Audit Vault Server, the agents continue to connect to the secondary Oracle Audit Vault Server using the IP address and port of the secondary Oracle Audit Vault Server.

  • Agents connecting to the Oracle Audit Vault Server through NAT use the IP address and port of the primary Oracle Audit Vault Server. In case of failover of the primary Oracle Audit Vault Server, the Agents continue to connect to the secondary Oracle Audit Vault Server using the IP address and port of the secondary Oracle Audit Vault Server.

To add the NAT IP address of Oracle Audit Vault Server into Oracle Audit Vault Agent, follow these steps:

  1. Log in to the Oracle Audit Vault command-line interface (AVCLI) as the admin or oracle user.
  2. Take a backup of the configuration file before proceeding:
    cp /usr/local/dbfw/etc/dbfw.conf /usr/local/dbfw/etc/dbfw.conf.backup
  3. Edit the dbfw.conf file to include the NAT IP address in the Oracle Audit Vault Server as follows:
    NAT_PRIMARY_IP_ADDRESS=<xx.yyy.zzz.aaa>
    NAT_PRIMARY_AGENT_PORT_TLS=<12345>
    NAT_PRIMARY_AGENT_PORT=<12346>
  4. Save the changes.
  5. Regenerate the agent by running the following command:
    avca configure_bootstrap
    After this, all of the agents downloaded contain one of the strings with the NAT IP address. To verify, check the contents of the bootstrap file at /var/lib/oracle/dbfw/av/conf/bootstrap.prop which should be as follows:
    SYS.CONNECT_STRING999=(DESCRIPTION=(ENABLE=BROKEN)(ADDRESS=(PROTOCOL=TCP)(HOST=10.240.114.167)(PORT=13031))(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB)))
    SYS.SSL_CONNECT_STRING999=(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=10.240.114.167)(PORT=13032))(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB)(SERVER=DEDICATED))(SECURITY= (SSL_SERVER_CERT_DN="DC=com,CN=avserver,OU=db,O=oracle")))
  6. The configuration above applies to Case 1 under Use Cases. In Case 2 and Case 3, Oracle Audit Vault Server is in high availability mode. In these cases, you need to configure the dbfw.conf file with an additional set of parameters as follows:
    NAT_PRIMARY_IP_ADDRESS=<xx.yyy.zzz.aaa>
    NAT_PRIMARY_AGENT_PORT_TLS=<12345>
    NAT_PRIMARY_AGENT_PORT=<12346>
    NAT_SECONDARY_IP_ADDRESS=<xx.yyy.zzz.ccc>
    NAT_SECONDARY_AGENT_PORT_TLS=<56789>
    NAT_SECONDARY_AGENT_PORT=<12678>
  7. Save the changes.
  8. After this, the Agent’s bootstrap.prop file is configured with a high availability connect string to include the above set of IP addresses and ports. To verify this, check the contents of the bootstrap file at /var/lib/oracle/dbfw/av/conf/bootstrap.prop which should be as follows:
    SYS.CONNECT_STRING999=(DESCRIPTION_LIST=(LOAD_BALANCE=off)(FAILOVER=on)(DESCRIPTION=(ENABLE=BROKEN)(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)(HOST=<NAT_PRIMARY_IP_ADDRESS>)(PORT=<NAT_PRIMARY_AGENT_PORT>)))(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB)))(DESCRIPTION=(ENABLE=BROKEN)(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)(HOST=<NAT_SECONDARY_IP_ADDRESS>)(PORT=<NAT_SECONDARY_AGENT_PORT>)))(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB))))
    
    SYS.SSL_CONNECT_STRING999=(DESCRIPTION_LIST=(LOAD_BALANCE=off)(FAILOVER=on)(DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCPS)(HOST=<NAT_PRIMARY_IP_ADDRESS>)(PORT=<NAT_PRIMARY_AGENT_PORT_TLS>)))(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB)(SERVER=DEDICATED))(SECURITY= (SSL_SERVER_CERT_DN="DC=com,CN=avserver,OU=db,O=oracle")))(DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCPS)(HOST=<NAT_SECONDARY_IP_ADDRESS>)(PORT=<NAT_SECONDARY_AGENT_PORT_TLS>)))(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB)(SERVER=DEDICATED))(SECURITY=(SSL_SERVER_CERT_DN="DC=com,CN=avserver,OU=db,O=oracle"))))
  9. After the installation of Oracle Audit Vault and Database Firewall release 12.2.0.8.0 is completed, edit the dbfw.conf file on Oracle Audit Vault Server to include the NAT IP address, and regenerate the agent.jar file.

    Note:

    The NAT IP changes made to the dbfw.conf file persist after upgrading from a previous release.
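The verification in steps 5 and 8 compares long connect strings by eye, so a stale bootstrap.prop or a missing TCPS endpoint is easy to overlook. The following is an added example, not Oracle code: it takes the text of dbfw.conf and bootstrap.prop (for instance from copies of the files) and reports every NAT endpoint that the agents would not receive. The function names and sample addresses are constructed, and accepting optionally quoted values in dbfw.conf is an assumption.

```python
import re

# Constructed sample values (documentation address ranges), not taken from a real system.
SAMPLE_DBFW_CONF = """\
NAT_PRIMARY_IP_ADDRESS=192.0.2.10
NAT_PRIMARY_AGENT_PORT_TLS=12345
NAT_PRIMARY_AGENT_PORT=12346
NAT_SECONDARY_IP_ADDRESS=198.51.100.20
NAT_SECONDARY_AGENT_PORT_TLS=56789
NAT_SECONDARY_AGENT_PORT=12678
"""
SAMPLE_BOOTSTRAP = """\
SYS.CONNECT_STRING999=(DESCRIPTION_LIST=(LOAD_BALANCE=off)(FAILOVER=on)(DESCRIPTION=(ENABLE=BROKEN)(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)(HOST=192.0.2.10)(PORT=12346)))(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB)))(DESCRIPTION=(ENABLE=BROKEN)(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCP)(HOST=198.51.100.20)(PORT=12678)))(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB))))
SYS.SSL_CONNECT_STRING999=(DESCRIPTION_LIST=(LOAD_BALANCE=off)(FAILOVER=on)(DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCPS)(HOST=192.0.2.10)(PORT=12345)))(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB)(SERVER=DEDICATED))(SECURITY=(SSL_SERVER_CERT_DN="DC=com,CN=avserver,OU=db,O=oracle")))(DESCRIPTION=(ADDRESS_LIST=(LOAD_BALANCE=on)(ADDRESS=(PROTOCOL=TCPS)(HOST=198.51.100.20)(PORT=56789)))(CONNECT_DATA=(SERVICE_NAME=DBFWDB.DBFWDB)(SERVER=DEDICATED))(SECURITY=(SSL_SERVER_CERT_DN="DC=com,CN=avserver,OU=db,O=oracle"))))
"""

# Matches (ADDRESS=(PROTOCOL=..)(HOST=..)(PORT=..)) but not ADDRESS_LIST.
ADDRESS_RE = re.compile(
    r"\(\s*ADDRESS\s*=\s*\(\s*PROTOCOL\s*=\s*(\w+)\s*\)"
    r"\s*\(\s*HOST\s*=\s*([^()\s]+)\s*\)\s*\(\s*PORT\s*=\s*(\d+)\s*\)\s*\)",
    re.IGNORECASE,
)


def parse_properties(text):
    """Parse KEY=VALUE lines, splitting on the first '=' only."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().strip('"')
    return props


def expected_endpoints(conf):
    """Turn NAT_* settings into the (protocol, host, port) tuples agents need."""
    expected = []
    for role in ("PRIMARY", "SECONDARY"):
        host = conf.get(f"NAT_{role}_IP_ADDRESS")
        if not host:
            continue  # Case 1 has no secondary server
        for proto, key in (("TCP", f"NAT_{role}_AGENT_PORT"), ("TCPS", f"NAT_{role}_AGENT_PORT_TLS")):
            if key not in conf:
                raise ValueError(f"{key} is missing from dbfw.conf")
            expected.append((proto, host, int(conf[key])))
    return expected


def advertised_endpoints(bootstrap):
    """Collect every address found in the agent connect strings."""
    found = set()
    for key, value in bootstrap.items():
        if not key.startswith(("SYS.CONNECT_STRING", "SYS.SSL_CONNECT_STRING")):
            continue
        if value.count("(") != value.count(")"):
            raise ValueError(f"{key}: unbalanced parentheses, string is truncated or split")
        for proto, host, port in ADDRESS_RE.findall(value):
            found.add((proto.upper(), host, int(port)))
    return found


def missing_nat_endpoints(dbfw_conf_text, bootstrap_text):
    """Return NAT endpoints configured in dbfw.conf but absent from bootstrap.prop."""
    found = advertised_endpoints(parse_properties(bootstrap_text))
    return [e for e in expected_endpoints(parse_properties(dbfw_conf_text)) if e not in found]


if __name__ == "__main__":
    missing = missing_nat_endpoints(SAMPLE_DBFW_CONF, SAMPLE_BOOTSTRAP)
    print("all NAT endpoints present" if not missing else f"missing: {missing}")
```

A non-empty result after editing dbfw.conf usually means the agent was not regenerated with avca configure_bootstrap, or that an agent package downloaded before the change is still in use.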