4 Managing Oracle AVDF in Cloud Control

This chapter describes the various regions displayed on the Audit Vault and Database Firewall (AVDF) plug-in home page and includes the monitoring capabilities. The following topics are provided:

Install and Monitor the AV Agent

As part of the setup of Enterprise Manager Cloud Control, most hosts and targets are already discovered by Enterprise Manager. You can use this setup to install Audit Vault Agents and Sources.

To install an Audit Vault Agent:

  1. On the Audit Vault listing page, click Install.

    A new page displays with a hosts table and an Add/Remove button. Initially, the hosts table is blank.

  2. Click Add to bring up a pop-up window to search and add hosts for which the installation should happen. The pop-up window should only show those hosts where the AVDF plug-in is installed and where the host does not yet have the AV Agent installed.
  3. Enterprise Manager will auto compute the AV Agent installation directory based on the Enterprise Manager Agent installation directory. You will have an option to change the directory.
  4. Select the hosts on which you want to install the AV Agent. For the hosts you select, Enterprise Manager will show:
    • Host name, operating system, and platform details.

    • Agent installation directory.

    • A text box for the credential name. Click on the button next to the text box to view a pop-up window which displays all the credentials stored in Enterprise Manager. Select the credential name which is applicable for the host. If none of those credentials are for the particular host, then click on the new credential and provide the new credential information. This information will be saved for future reference.

      You can either choose credentials for each host individually or click the default host credential and provide one credential applicable to all hosts.

      Note:

      If you choose the default host credential and still provide a credential for some other host in the host details table, then the credential provided in the column will override the default credential.

  5. Click Submit to initiate the job (one per host) for the AV Agent setup.
    After the job is submitted, the AV listing page is displayed.
  6. To monitor the progress, click the refresh button to see the new AV Agents added to the system.
    For any jobs that fail, use the EM Jobs page to diagnose the failure. As part of the job execution, Enterprise Manager will log any relevant information to aid the AV Administrator for diagnosing the issue.

Once you have successfully installed an Audit Vault Agent on a host, Oracle recommends refreshing the latest configuration before adding a Target belonging to that host. To refresh the configuration page, follow these steps:

  1. From the Oracle Audit Vault and Database Firewall main menu, select Configuration, then click Latest.
  2. In the latest configuration page, click Refresh.

The AVDF Plug-in Home Page

Once installed and configured, you can monitor Oracle Audit Vault and Database Firewall from Enterprise Manager Cloud Control, as shown in Figure 4-1. Each section and region of this page is described in Primary AVDF Plug-in Monitoring Overview.

Figure 4-1 Oracle AVDF Plug-in Home Page in Cloud Control



Note:

AVDF Plug-in pages require metrics to be enabled in order to work correctly. Do not disable metrics manually.

Primary AVDF Plug-in Monitoring Overview

The regions described below provide high-level information about the status or performance of the Audit Vault Server and Database Firewall Appliance.

From the Oracle Audit Vault and Database Firewall plug-in home page, you can monitor the following information:

Audit Vault Agents

This region shows the status information and configuration issues of all Audit Vault Agents monitored by Audit Vault and Database Firewall, not only those monitored by Enterprise Manager as an Enterprise Manager target. It also shows information about the Audit Vault Agents that are not monitored by Enterprise Manager as an Enterprise Manager target.

A graph shows if the agent is down, in progress, unreachable, or up. (See Figure 4-2.)

Figure 4-2 Audit Vault Agents Region


For a detailed report (Audit Vault Agents List), select Audit Vault Agents from the Oracle Audit Vault and Database Firewall menu or click the Audit Vault Agents title found in the Summary region on the AVDF Oracle Home Page.

Audit Vault Agents List

This page lists all of the Audit Vault Agents monitored by Audit Vault and Database Firewall. The following information is available:

  • Host Name: The host on which the Audit Vault Agent is installed.

  • Version: The version of the Audit Vault Agent.

  • Generation Time: Time at which the Audit Vault Agent was added into the Audit Vault server.

  • Status: Identifies if the agent is Up, Down, Unreachable, Not Activated, etc.

  • Audit Vault Agent Location: The path on the host where the Audit Vault Agent is installed.

  • Activation Time: Time at which the Audit Vault Agent was activated in the Audit Vault server.

  • Audit Trails: A summary count of audit trails by status, such as how many audit trails are in UP status and how many are in DOWN status.

  • Incidents: The number of incidents logged against a particular agent (it may or may not be monitored by Enterprise Manager Cloud Control) and all the audit trails managed by it. Incidents have a state of Fatal, Critical, Warning, and Escalated.

You can Install, Activate, Deactivate, Start, Stop, or Delete any of the Audit Vault Agents listed in this page by selecting the agent and clicking on the required button.

Audit Trails

Like the Audit Vault Agents region, the Audit Trails region (Figure 4-3) shows status information for all the audit trails in the Audit Vault and Database Firewall system. It also shows how long data upload issues have existed.

Figure 4-3 Audit Trails Region



For a detailed report (Audit Trails List), select Audit Trails from the Oracle Audit Vault and Database Firewall menu or select the Audit Trails title found under Summary region from the Oracle AVDF Home Page.

Audit Trails List

This page lists all of the audit trails monitored by the Audit Vault and Database Firewall plug-in. The following information is available:

  • Location

  • Secured Target

  • Status: identifies if the secured target is Up, Down, Idle, Unreachable, Not Activated, etc.

  • Audit Vault Agent: lists the host name of the Audit Vault Agent. Click the link to display that agent's home page summary.

  • Type

  • Time Since Last Upload: The elapsed time since the last upload. This is how long the audit trail has gone without uploading any audit data into the Audit Vault and Database Firewall repository.

  • Throughput: shows the number of queries audited per second.

  • Incidents: Identifies the number of incidents logged against an audit trail. Incidents have a state of Critical, Warning, and Escalated.

You can Add, Stop, Start, or Delete any of the audit trails listed in this page by selecting the trail and clicking on the required button.

Adding an Audit Trail

Follow the steps below to add an audit trail.

  1. From the Oracle Audit Vault and Database Firewall home page, click the home page menu and select Audit Trails.
  2. On the Audit Trails page, click Add.
  3. On the pop-up window, select either Host Operating System or Oracle Database.

    Figure 4-4 Select Secured Target Type


    Click OK.

  4. On the Search and Select Secured Targets page, select the target(s) and click OK.
  5. For an Oracle Database secured target, click the Configure Trail icon and select the trail types for which you want to enable the trail. For a host secured target, enter the trail location instead.
  6. Click Submit.
  7. Enter the credentials in the Credentials pop-up window and click OK.

Database Firewalls

Like the Audit Vault Agents region, the Database Firewalls region (Figure 4-5) shows all of the firewalls in the Audit Vault and Database Firewall system, not only those monitored by Enterprise Manager as an Enterprise Manager target. This section also shows the count of Database Firewalls not monitored by Enterprise Manager as an Enterprise Manager target.

Figure 4-5 Database Firewalls Region


For a detailed report (Database Firewalls List), select Database Firewalls from the Oracle Audit Vault and Database Firewall menu or click on the Database Firewalls title found under Summary region from the Oracle Audit Vault Home Page.

Database Firewalls List

This page lists all of the Database Firewalls monitored by the Audit Vault and Database Firewall plug-in. The following information is available:

  • Firewall: The Database Firewall name for all Database Firewalls in the Audit Vault and Database Firewall system - whether they are monitored by Enterprise Manager or not.
  • Status: Identifies if the firewall is Up, Down, Idle, Unreachable, Not Activated, etc.
  • Firewall Host: Depending on the information available, this field displays:
    • The host name when available. The IP address of the Database Firewall host is shown as a tooltip of the host name.

    • The IP address of the Database Firewall host.

  • Role: This field shows whether the firewall has the primary or secondary role in a High Availability (HA) configuration. If the Database Firewall is not configured for HA, then the role is standalone.

  • High Availability Pair: This field shows the name of the other firewall in the pair and its role in the High Availability configuration.

  • Enforcement Points: Shows a summary count of enforcement points by status, including the UP, DOWN, and UNREACHABLE states.

  • Incidents: Identifies the number of incidents logged against a particular Database Firewall, whether monitored by Enterprise Manager Cloud Control or not. Incidents have a state of Critical, Warning, and Escalated.

Monitoring Points

This region (Figure 4-6) shows a high-level status of the monitoring points in the Audit Vault and Database Firewall system data. A timestamp shows how long enforcement points have gone without scanning any queries (from the last hour to the last week).

Figure 4-6 Monitoring Points Region



For a detailed report (Monitoring Points List), select Monitoring Points from the Oracle Audit Vault and Database Firewall menu.

Monitoring Points List

This page lists all of the monitoring points monitored by the Audit Vault and Database Firewall plug-in. The following information is available:

  • Monitoring Point: the name of the monitoring point for a particular Database Firewall.

  • Status: identifies if the monitoring point is Up, Down, Idle, Unreachable, Not Activated, etc.

  • Monitoring Mode:

    • Database Activity Monitoring (DAM): monitors the activity of the database.

    • Database Policy Monitoring Mode (DPM): blocks activity if a policy violation occurs.

  • Firewalls: lists the Database Firewalls associated with a particular monitoring point.

  • Target: identifies the name of the target. Click the link for a pop-up window with a detail summary.

  • Time Since Last scan: The time since the monitoring point last scanned any query.

  • Throughput: shows the number of queries audited per second.

  • Incidents: Identifies the number of incidents logged against a monitoring point. Incidents have a state of Critical, Warning, and Escalated.

Targets

Targets can be supported databases or operating systems that Audit Vault and Database Firewall monitors. You must register all targets in Oracle Audit Vault and Database Firewall. From this page you can perform the following tasks:

This region (see Figure 4-7) shows the number of Targets:

  • Contained in the Audit Vault and Database Firewall system.

  • Monitored by the Audit Trails in Audit Vault and Database Firewall system.

  • Protected by the monitoring points in the Audit Vault and Database Firewall system.

Figure 4-7 Secured Targets Region


For a detailed report, select Targets from the Oracle Audit Vault and Database Firewall menu or click the Targets title on the Oracle AVDF home page.

Add a Database Target

  1. From the Targets page, click Add.
  2. On the pop-up, select Oracle Database, as shown in Figure 4-8:

    Figure 4-8 Add Oracle Database Target Type


    Click OK.

  3. Another pop-up displays, which shows all available Oracle Database targets. Select an Oracle Database target. Click OK to return to the Targets page.
  4. Optional: On the Targets page, you can modify the Database target name. Click the DB name and then enter a new target name.
  5. Select the host credentials:
    • Under Target Details, select Default Target Host Credential and select the default host credentials for all Database hosts (applicable for all targets).

      Or

    • In the Credentials pop-up, set the host credentials for each Database host, overriding the default.

  6. Enter the Sys password:
    • Under Host Details, select Default Sys User Password and enter the default sys password for all Databases (applicable for all targets).

      Or

    • In the DB Sys Password field, enter the sys password for each Database, overriding the default.

  7. Select the AVDF user credentials:
    • Under Host Details, select Default AVDF User Credential and enter the default AVDF user credential. This is a credential for a user to be created and configured on the target Oracle Database, and it is applicable for all targets.

      Or

    • In the AVDF User Account column, click New Credential and enter the AVDF user credentials for each Database target, overriding the default.

  8. Click Submit.

Add Host Target

  1. From the Targets page, click Add.
  2. On the pop-up, select Host Operating System. Click OK.
  3. Another pop-up displays, which shows all available Host Targets. Select a host target from the list. Click OK to return to the Targets page.
  4. Optional: On the Targets page, you can modify the Host target name. Click the Host name and then enter a new target name.
  5. Click Submit.
  6. On the credential pop-up, enter the Oracle user credential for the AV Server host. Click OK.

Delete a Database Target or a Host Target

To delete a database target or a host target, follow these steps:

  1. From the Targets page, select a target from the list that you want to delete.
  2. Click Delete.
  3. In the pop-up, specify the credential for the user who owns the Oracle Home of Audit Vault Agent(s).
  4. Click OK to close the Credentials window. The deletion request is submitted as a job to Cloud Control.

Targets Page Information

On the Targets list page, the following information is available:

  • Target: name of the target

  • Type: the type of the supported database or operating system (such as Oracle Database or Microsoft SQL Server)

  • Status: shows whether the database is Up or Down

  • Audit Trails: the number of audit trails associated with a Secured Target.

  • Monitoring Points: the number of monitoring points associated with a Target.

  • Connection String:

  • Monitored by: identifies the Audit Vault Agent and Audit Trails that are monitoring this Target

  • Protected by: identifies the Database Firewall and enforcement points that are protecting this Target

Other AVDF Plug-in Monitoring

The regions described below may provide links for additional information about the target. For example, the links in the Summary Region take you to the corresponding component listing page, which has a summary of all the components of that type. Other link and chart sections are also clickable and take you to the corresponding component listing page after applying the appropriate filter.

From the Oracle Audit Vault and Database Firewall plug-in home page, you can monitor the following information:

Summary Region

This region shows high-level information including the Oracle Audit Vault Server version and the number and type of components monitored by the plug-in (as shown in Figure 4-9).

Figure 4-9 Summary Region


Auditor Activity Notifications

This region (Figure 4-10) shows the number of Auditor Activity Notifications. A notification can be Ready to be Sent, Pending, or Failed/Expired. These notifications are generated by Audit Trails in the Audit Vault and Database Firewall system.

Figure 4-10 Auditor Activity Notifications Region


Incidents and Problems

This region (Figure 4-11) provides a summary of any incident or problem for the components monitored by the plug-in. If there is an incident or problem listed, click the link in the Message column to show details in the Incident Manager feature of Enterprise Manager Cloud Control.

Figure 4-11 Incidents and Problems Region

