Release Notes contain important information about Oracle Audit Vault and Database Firewall Release 20.

1.1 New Features In Oracle Audit Vault and Database Firewall Release 20

Learn about new features and enhancements in Oracle AVDF 20.

New features in Oracle AVDF Release 20.5

New features in Oracle AVDF Release 20.4

  • Introducing capability to enable FIPS 140-2 for Audit Vault Server and Database Firewall. See Enabling FIPS 140-2 in Oracle AVDF for more information.
  • Support for audit collection and network monitoring (using Database Firewall) of Oracle Database 21.
  • Support for audit collection from Autonomous Data Warehouse (Dedicated) and Autonomous Transaction Processing (Dedicated).
  • 2X audit collection rate. See Registering Targets for more information.
  • Introducing support for audit collection from Oracle Linux and RHEL versions 7.9; 8.2; and 8.3.
  • Enable conditional auditing for Unified Audit policies. See Custom and Oracle Predefined Unified Policies for more information.
  • Support for profiles in Database Object rule in Firewall policy. See Creating and Managing Profiles and Database Object Rule for more information.
  • CSV format support for audit collection. See CSV File Collection Plug-ins for more information.
  • MongoDB 4.4 support for audit collection.
  • Additional user management capability through AVCLI. See AVCLI User Commands for more information.

New features in Oracle AVDF Release 20.3

New Features in Oracle AVDF Release 20.2

  • Audit Vault Agent can be associated with more than one IP address for Audit Vault Server communication. See section Deploying and Activating the Audit Vault Agent on Host Computers for complete information.
  • Supporting audit collection, Audit Vault Agent deployment, and Host Monitor deployment on Microsoft Windows Server (x86-64) version 2019.
  • Supporting audit records collection from DB2 instance level audit.

New Features in Oracle AVDF Release 20.1

Expanded Audit Collection

Simplified Database Firewall

Enhanced User Interface

  • A new redesigned user interface with simplified navigation for common workflows.
  • Rich dashboards for auditors and administrators.
  • Supports provisioning of recommended Unified audit policies. See Provisioning Unified Audit Policies for complete information.
  • Unified console for Audit and Firewall management. Registering a target for audit collection and Database Firewall monitoring is simplified. See Registering Targets for complete details.

Improved Enterprise Support

1.2 About Oracle AVDF Installable Files

Oracle AVDF software is installed using the .iso files.

Oracle AVDF software contains the following installation files:

  • Audit Vault Server install:

  • Database Firewall install:

    Vpart_number.iso Oracle Audit Vault and Database Firewall 20.x.0.0.0 - Database Firewall

    Note:

    Verify the checksum value of both the Audit Vault Server ISO file and the Database Firewall ISO file. If there is any error or mismatch in the checksum values, download the ISO files again and validate the checksum values again.
  • Database Firewall utility:

    Vpart_number.zip Oracle Audit Vault and Database Firewall 20.x.0.0.0 - Utilities. This bundle contains the following files:

    • Npcap installer required for Host Monitoring on Windows: npcap-utility.zip
    • Database Firewall utilities to examine Native Network Encryption traffic for Oracle Database and to gather session information from other database types: dbfw-utility.zip
    • Utilities_README: Instructions for deploying Npcap and Database Firewall utilities patch.
  • Deprecated cipher utility bundle:

  • Vpart_number.pdf Oracle Audit Vault and Database Firewall 20.x.0.0.0 - Release Notes

Note:

The installation process wipes out the existing operating system on the machine on which you install the Audit Vault Server or Database Firewall, and automatically installs the new operating system that comes with it.

1.3 Oracle AVDF 12.2 Premier Support Alert

End of premier support for Oracle AVDF release 12.2.

Upgrade to Oracle AVDF 20 at the earliest as premier support for release 12.2 ends in March 2021 as specified in the Oracle Lifetime Support Policy Guide. Refer to Oracle AVDF 20 Upgrade Documentation for complete information.

Before you begin the upgrade, be aware of the following issues:

  • For upgrading to Oracle AVDF version 20, you must be on 12.2.0.9.0 or above.
  • In case you have to perform multiple upgrades to 20, then a single backup operation prior to the first upgrade is enough.

1.4 Product Compatibility Matrix

Types of targets (databases and operating systems) supported by Oracle AVDF 20.

See section Product Compatibility Matrix in the Oracle Audit Vault and Database Firewall Installation Guide for information on supported targets and deployment options for Audit Vault Server.

1.5 Downloading Oracle AVDF Documentation

Learn how to access documentation for Oracle AVDF.

1.6 Known Issues

Learn how to fix some known issues with Oracle AVDF.

This section lists current known issues with workarounds if available. Be sure to apply the latest bundle patch. New installations include the latest bundle patch.

In general, if you experience a problem using the Audit Vault Server console, try running the same command using the AVCLI command line utility.

Note:

For additional known issues in Oracle AVDF 20 refer to the MOS note (Doc ID 2688423.1) and the README for specific release.

1.6.1 Error When Starting Audit Vault Agent as a Service on Windows in Oracle AVDF 20.5

Learn how to manage an issue when starting Audit Vault Agent as a service on Windows.

Issue

Audit Vault Agents on a Windows machine do not start as a service. This issue is observed on the Windows host machine after installing or upgrading to Oracle AVDF release 20.5.

The following error is observed when attempting to start Agent service on Windows:

The application was unable to start correctly

Workaround

After installing or upgrading Oracle AVDF 20.5, apply the patch 33492214 on Audit Vault Server. Then, download and redeploy the Audit Vault Agents on Windows host machine.

1.6.2 Database Firewall is Unable to Decrypt Native Network Encrypted Traffic

Issue:

Database Firewall is unable to decrypt Native Network Encrypted traffic. The issue is observed when the Oracle Database server and the SQL client are patched with July 2021 Critical Patch Updates.

Symptom:

The Database Firewall Reports and All Activity reports will have the string extracted_from_protocol encrypted in the Command Text column.

Refer to the table to understand Database Firewall capability to decrypt Native Network Encrypted traffic.

| Oracle Database Target Patched with July 2021 CPU | SQL Client Patched with July 2021 CPU | Capability of Database Firewall to Decrypt Native Network Traffic |
| --- | --- | --- |
| No | No | Yes |
| Yes | No | Yes |
| No | Yes | Yes |
| Yes | Yes | No |

Note:

Oracle Database and SQL client versions from 11.1 to 19c with the July CPU may be impacted.

Workaround:

None.

1.6.3 Secondary Audit Vault Server Upgrade Failed Due to Database Mounting Error

Issue: Upgrading secondary Audit Vault Server fails with an error.

Log in as root user, and run the command:

/opt/avdf/bin/privmigutl --status

Check if the following errors are present in the /var/log/debug file:

upgrade_start_asm_db.py: Could not mount the database

upgrade_start_asm_db.py: Mounting the database

Workaround: Follow these steps to resolve this error:

  1. Check the status of dbfwdb service by running the following command as oracle user:

    /usr/local/dbfw/bin/dbfwdb status
  2. Switch user to root.

  3. Edit /etc/sysconfig/avdf and change SYSTEM_STATE to UPGRADE.

  4. If the status is ORACLE instance is running, then run this command as oracle user to stop the process:

    /usr/local/dbfw/bin/dbfwdb stop
  5. Start the dbfwdb service by running the command as oracle user:

    /usr/local/dbfw/bin/dbfwdb start
  6. Run the following command to check if it is running:

    /usr/local/dbfw/bin/dbfwdb status
  7. Ensure the status is running. Then edit /etc/sysconfig/avdf and change SYSTEM_STATE to RECOVERY as root user.

  8. Resume the remaining upgrade process by running the following command as root user:

    /opt/avdf/bin/privmigutl --resume --confirm

Note:

If you are running the above commands through SSH, ensure that the SSH session does not time out. Start the SSH session with the ServerAliveInterval option and set it to a reasonable value, for example, 20 minutes.

1.6.4 Archived Files Copied from Primary Path in High Availability Environment

Issue: The archived files exist for both the primary and secondary Audit Vault Servers in a high availability environment. When configuring the archival locations before pairing, the following path is set.

Primary Audit Vault Server: /dir1

Secondary Audit Vault Server: /dir2

There is an issue where the archive files pertaining to the secondary Audit Vault Server are copied to the path /dir1 instead of /dir2. When such a path (/dir1) does not exist in the secondary Audit Vault Server, it is created when they are paired during high availability configuration.

Workaround: None. The archived files are present in the path /dir1 of the secondary Audit Vault Server.

1.6.5 Error While Running Pre-upgrade RPM

Issue: The following error is observed when running the pre-upgrade RPM on the secondary Audit Vault Server in a high availability environment:

Unable to stop observer

Workaround: Follow these steps to resolve this error:

  1. Uninstall the pre-upgrade RPM.
  2. Re-install the RPM.

1.6.6 GoldenGate Integrated Extract fails to Clone Existing LogMiner Session and Invalid XML Records are Generated

Issue: The following issues are observed while configuring Oracle GoldenGate Integrated Extract:

  • GoldenGate Integrated Extract does not wrap the text data inside CDATA tag.
  • GoldenGate Integrated Extract failed to clone existing LogMiner session when the dictionary log is not available for a specific SCN.

Workaround: After installing Oracle GoldenGate, contact Oracle Support to create a Merge Label Request for applying the patch (Bug 32175609 and Bug 32063871). This patch needs to be applied on Oracle GoldenGate installation.

1.6.7 Unable to Access Audit Vault Server Console After Upgrade

Issue: After upgrading to Oracle AVDF 20.1 or later, the Audit Vault Server console cannot be launched. This may be due to an inactive httpd service. In this case, the /var/log/httpd/error_log file contains the following error message pertaining to httpd service restart:

AH00060: seg fault or similar nasty error detected in the parent process

Workaround: If this error is observed, then log in as root user and run the following command:

systemctl start httpd

1.6.8 Unsupported Character Sets in Oracle Database Directory Trails

Issue: Oracle Database related DIRECTORY and SYSLOG audit trails do not support some of the database character sets.

They are NE8ISO8859P10, JA16DBCS, KO16DBCS, CE8BS2000, CL8BS2000, CL8EBCDIC1158R, EE8BS2000, EL8EBCDIC423R, SE8EBCDIC1143, WE8BS2000, WE8BS2000E, and WE8BS2000L5.

There are 5 characters that are not supported in WE8DEC database character set.

Workaround: None.

1.6.9 DIRECTORY and SYSLOG Audit Trails Do Not Stop

Issue: For Oracle DIRECTORY and SYSLOG audit trails, when the system is unable to determine the character set to open the audit file, the audit trails do not stop.

Workaround: None.

1.6.10 Unable to Set Custom Ports in Audit Vault Server

Issue: Unable to set custom ports in Audit Vault Server.

Workaround: Attempt to set the custom port again using same steps.

1.6.11 Unable to Access the AVS Console After Changing the Audit Vault Server Time using NTP Server or Manually

Issue: After changing the Audit Vault Server time using an NTP server or manually, there may be a difference of a few minutes. This may bring down Automatic Storage Management and the database. This results in an error, and the Audit Vault Server console is not accessible.

Workaround:

  1. Log in as root user.

  2. Execute the following command:

    systemctl stop dbfwdb

    Note:

    Check the exit status of the command by running the echo $? command. If the exit status is non-zero, then contact Oracle Support. Proceed with the next command only if the exit status is zero.
  3. Execute the remaining commands in a sequence and proceed only if the exit status is zero:

    systemctl stop asmdb
    systemctl start asmdb
    systemctl start dbfwdb
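
The sequence above, written as a script that stops at the first non-zero exit status. This is an added example, not Oracle code; the function name and the SYSTEMCTL override are hypothetical and exist only so the logic can be dry-run with a stub.

```shell
#!/bin/sh
# Added example (not part of Oracle AVDF): runs the four systemctl commands
# from this workaround in order and halts at the first non-zero exit status.
# SYSTEMCTL is a hypothetical override, not an Oracle setting; it defaults to
# the real systemctl and can point at a stub for a dry run.
: "${SYSTEMCTL:=systemctl}"

# The steps, in the order given in the workaround (action:unit).
AVS_RESTART_STEPS="stop:dbfwdb stop:asmdb start:asmdb start:dbfwdb"

# Returns 0 if every step succeeded, otherwise the 1-based number of the
# step that failed. No later step is attempted after a failure.
restart_avs_storage() {
    n=0
    for step in $AVS_RESTART_STEPS; do
        n=$((n + 1))
        action=${step%%:*}
        unit=${step#*:}
        if "$SYSTEMCTL" "$action" "$unit"; then
            echo "step $n: systemctl $action $unit ok"
        else
            status=$?
            echo "step $n: systemctl $action $unit exited $status; stopping" >&2
            if [ "$n" -eq 1 ]; then
                # The note under step 2 says to contact Oracle Support here.
                echo "dbfwdb did not stop cleanly; contact Oracle Support" >&2
            fi
            return "$n"
        fi
    done
    return 0
}

# Usage (as root on the Audit Vault Server):
#   restart_avs_storage
```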

1.6.12 Archive Location Is Not Accessible During Archiving Or Retrieving

Issue: The archive location is not accessible. This issue may be encountered during archiving or retrieving post upgrade or installation.

Workaround: This may be due to a "-" (dash or hyphen) in the export directory name for NFS archiving locations. Check for "-" (dash or hyphen) in the export directory name and delete that filesystem from the Audit Vault Server.

Note:

  • Oracle AVDF 20.1 and later supports archive and retrieve functionality with Network File System (NFS) server which support both versions v3 and v4.

  • An NFS server that supports only version v3 is not supported for releases 20.3 and prior. It is supported starting with Oracle AVDF release 20.4.

  • If your NFS server supports and permits both v3 and v4 for archive or retrieve, then no action is required.

  • In case you have NFS v4 only in your environment for archive or retrieve, then set the _SHOWMOUNT_DISABLED parameter to TRUE using the following steps:

    1. Log in to the Audit Vault Server as root.
    2. Switch user to oracle: su oracle
    3. Start SQL*Plus connection as sqlplus /nolog without the username or password.
    4. In SQL*Plus execute the command: connect <super administrator>
    5. Enter the password when prompted. Alternatively, execute the command: connect <super administrator/password>
    6. Execute the command: exec avsys.adm.add_config_param('_SHOWMOUNT_DISABLED','TRUE');

1.6.13 Unable To SSH Into Oracle Audit Vault And Database Firewall After Upgrade

Issue: SSH no longer connects after upgrade to Oracle Audit Vault And Database Firewall 12.2.0.11.0.

Workaround: Upgrade SSH client to a version that supports SHA-256.

1.6.14 AVS Reboot with SAN Storage Can Cause Proxy Errors

Cause: If the same iSCSI target is shared between more than one AVS instance, it can cause proxy errors.

Workaround: Ensure that each iSCSI target is exclusive to an AVS instance.

1.6.15 Pre-Upgrade Process Failed After Remove and Re-Install

Cause: The RPM process can hold open file descriptors after it has removed the pre-upgrade RPM, making it produce an error when attempting to re-install.

Workaround: Reboot the appliance and reinstall the pre-upgrade RPM to work around this issue.

1.6.16 Rebooting After Running Pre-Upgrade RPM Results in /var/dbfw/upgrade Not Mounted

Cause: After the pre-upgrade RPM is installed, you must manually mount the upgrade media partition if the appliance is rebooted.

Workaround: Run mount /var/dbfw/upgrade to remount the partition.

1.6.17 Check For Busy Devices Before Starting The Upgrade Process

Cause: Check for any busy devices before starting the upgrade process. The upgrade may not check for busy volumes and may result in an error.

Workaround: Run lsof against /tmp and /usr/local/dbfw/tmp to discover any open temporary files. Ensure that no logs are open when starting the upgrade process.

1.6.18 Upgrade Fails If The Time Settings For The Primary And Standby Servers Are Out Of Synch By More Than 3 Minutes

Cause: If the primary and standby server time settings are out of sync by more than 3 minutes, then upgrade will fail raising the following error: ORA-29005: The certificate is invalid.

Workaround: You must synchronize the time on the primary and standby servers before commencing upgrade.

1.6.19 "Failed Install Or Upgrade" Dialog Box Appears During Installation Or Upgrade

Problem: I see a blue screen that states:

The system has encountered a problem, and will start minimal services so that you can log in and recover.

It provides the current status of the installation or upgrade and asks you to check the system log for more information and contact Oracle Support.

Workaround: Upon seeing this blue screen, perform the following:

  1. Log in as root user.

  2. Execute the following command to install the diagnostic tool:

    rpm -i /usr/local/dbfw/packages/avs-diagnostic-20.1.0.0.0-0_*.x86_64.rpm
  3. Capture the diagnostics archive by running the following diagnostics package to output the name of the archive file:

    /usr/local/dbfw/bin/priv/dbfw-diagnostics-package.rb

    Note:

    If this command creates a file diagnostics-not-enabled.readme follow the instructions in that file to enable the diagnostics and generate the archive.

  4. File a Service Request (SR) and attach the archive to the SR.

Note:

Once Oracle Audit Vault and Database Firewall detects an error in the installation or upgrade, it will not start any more services, but it will retain any started services so that they can be debugged.

1.6.20 Oracle Audit Vault And Database Firewall May Fail To Install On Sun X4-2

Symptoms: The pre-reboot part of install is normal. However, after reboot, the system presents the user with a black screen containing only the text Hard disk error.

Cause: These servers include a small internal USB drive for the Oracle System Assistant. This device contains a Linux installation, which conflicts with the bootloader in Oracle Audit Vault and Database Firewall 20.1 and later.

Solution: To install Oracle Audit Vault and Database Firewall 20.1 or later, you must first disable Oracle System Assistant from the BIOS menu. If the option to disable the OSA is greyed out, reset the BIOS to enable it.

1.6.21 Before Re-booting The System During The Upgrade Process, Check The Group Status Volume To Ensure Only A Single Instance Of VG (vg_root) Exists

Cause: Re-using storage from a previous installation. Having two instances of the vg_root volume group (VG) may result in kernel panic or upgrade failure upon reboot of the system. The cases may include iSCSI or re-using the hard drives.

In addition, it is possible for the system to go into kernel panic mode if the additional storage to vg_root VG is iSCSI-based storage.

Solution: Only a single instance of VG (vg_root) can exist. In case there are more instances, they must be removed. Failure to comply may result in kernel panic or upgrade failure.

Contact Oracle Support for assistance.

1.6.22 Error While Pairing Database Firewall With Audit Vault Server

Cause: An error OAV-46599: internal error Unable to remove data from previous paring of this firewall with AVS is encountered while pairing Database Firewall which impacts registration of a newly installed Database Firewall with Audit Vault Server.

Workaround: Reboot Firewall and register Firewall again on the Audit Vault Server.

1.6.23 Missing Data File In The Archive Page Post Upgrade Of Oracle Audit Vault And Database Firewall

Cause: In case there are archive files in the Audit Vault Server that are not encrypted post upgrade followed by restore and release operations, it may result in missing data file.

Workaround:

  1. Execute the encryption script. See section Data Encryption on Upgraded Instances.

  2. In case the archive files are remote, click Set Tablespaces Available on the Audit Vault GUI to encrypt the remote data file.

  3. The data file is now listed on the archive page.

1.6.24 Unable To Remove Pre-Upgrade RPM

Cause: It may not be possible to remove the pre-upgrade RPM if there are open SSH connections on the appliance.

Workaround: Close all the open SSH connections and attempt to remove the pre-upgrade RPM.

1.6.25 Host Monitor Selects Wrong Net Device On Windows With Multiple Preferred

Host Monitor might choose an incorrect network device if multiple preferred devices exist.

This can occur when the default network adapter that the host monitor uses (of type Intel(R) PRO/1000 MT Network Adapter) is for the wrong network.

Workaround:

Change the network adapter the host monitor uses so that traffic is captured from the correct network for the target. Follow these steps:

  1. Check the Host Monitor log file and look for a section similar to:

    The selected network device for capturing is:
    \Device\NPF_{22E6D6FF-43E2-4212-9970-05C446A33A35}. To change the device update the network_device_name_for_hostmonitor attribute at Collection Attributes to any one value from the list:
    \Device\NPF_{17C832B3-B8FC-44F4-9C99-6ECFF1706DD1},
    \Device\NPF_{22E6D6FF-43E2-4212-9970-05C446A33A35},
    \Device\NPF_{60611262-3FCC-4374-9333-BD69BF51DEEA} and restart the trail
    

    This indicates which device is being used, and which devices are available. For more information on the available devices, you can run the host monitor in debug mode.

  2. In the Audit Vault Server console, Targets tab, click the target you want.

  3. In the Modify Collection Attributes section, Attribute Name field, enter:

    network_device_name_for_hostmonitor
  4. In the Attribute Value field, enter the device name. For example: \Device\NPF_{17C832B3-B8FC-44F4-9C99-6ECFF1706DD1}

  5. Click Add, and then Save.

  6. Restart the audit trail for this target.

Note:

Alternatively follow the steps documented in section Create a Network Audit Trail for Windows hosts in Administrators Guide.
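
Before entering a value for network_device_name_for_hostmonitor, it helps to confirm that the device name is one the Host Monitor log actually offers. The script below is an added example, not Oracle code; it parses the log message quoted in step 1, its function names are hypothetical, and it assumes a copy of the Host Monitor log is available as a text file.

```shell
#!/bin/sh
# Added example (not part of Oracle AVDF). Function names are hypothetical.

# Constructed sample: the Host Monitor log excerpt quoted in step 1.
sample_hostmon_log() {
    cat <<'EOF'
The selected network device for capturing is:
\Device\NPF_{22E6D6FF-43E2-4212-9970-05C446A33A35}. To change the device update the network_device_name_for_hostmonitor attribute at Collection Attributes to any one value from the list:
\Device\NPF_{17C832B3-B8FC-44F4-9C99-6ECFF1706DD1},
\Device\NPF_{22E6D6FF-43E2-4212-9970-05C446A33A35},
\Device\NPF_{60611262-3FCC-4374-9333-BD69BF51DEEA} and restart the trail
EOF
}

# ERE for one device name: \Device\NPF_{ + 36-character GUID + }
NPF_RE='\\Device\\NPF_\{[0-9A-Fa-f-]{36}\}'

# Print every NPF device name from the most recent device-selection message
# in log file $1, one per line, in order of appearance. Earlier messages
# (for example from previous trail restarts) are discarded.
hostmon_devices() {
    awk '
        /The selected network device for capturing is:/ { buf = ""; keep = 1 }
        keep { buf = buf $0 "\n" }
        /restart the trail/ { keep = 0 }
        END { printf "%s", buf }
    ' "$1" | grep -oE "$NPF_RE"
}

# The first name in the message is the device currently used for capture.
selected_device() { hostmon_devices "$1" | head -n 1; }

# The remaining names are the values the log says may be configured.
available_devices() { hostmon_devices "$1" | tail -n +2; }

# Exit status 0 only if device name $2 is in the list offered by log $1.
device_is_offered() {
    available_devices "$1" | grep -Fxq -- "$2"
}

# Usage:
#   selected_device hostmonitor.log
#   device_is_offered hostmonitor.log '\Device\NPF_{...}' && echo "ok to use"
```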

1.6.26 Custom Collection Plugin Packaged on Windows Does Not Work on Linux

The avpack plug-in that is packaged on Windows does not work on Linux. In other words, you cannot run the avpack plug-in on Linux after you have packaged it on Windows. To reproduce this error:

  1. Download the Oracle AVSDK on Windows.

  2. Package the plug-in on Windows.

  3. Deploy the plug-in on Oracle AVDF.

  4. Install an Oracle AVDF Agent on Linux.

  5. Start an audit trail for this Linux host. However, the audit trail cannot start.

Workaround: If you want to run the Agent and audit trail collection on Linux, then package the plug-in on Linux, not on Windows. If you package the plug-in on Linux, then Agent and audit trail collection can run on either Linux or Windows.

1.6.27 Database Firewall is Unable to Monitor Root Container Database Targets With Native Encryption Enabled

Issue

Database Firewall does not support decryption of traffic with native encryption for root container databases. Running the ASO advanced security integration script on a root container database does not work. Set up Database Firewall ASO integration on every pluggable database and configure the Database Firewall to monitor them.

Workaround

None.

1.6.28 Microsoft SQL Server Extended Events Collector is in Unreachable State

Issue: If the size of the extended events file is more than 400 MB, then recovering the audit trail or stopping the trail may leave the collector in UNREACHABLE state for a short duration.

Workaround: Enable only the necessary events in the extended events session of the target database. Maintain the extended events file in smaller size (not exceeding 400 MB).

1.6.29 Recovery Issues in Microsoft SQL Server Extended Events Collector

Issue: If there are extended events with the same event timestamp, and all the fields are the same between the events, then only one of the events is collected by Oracle AVDF during recovery and the others are omitted.

Workaround: None.

1.7 Documentation Accessibility

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.