Oracle Audit Vault Configuration
The Audit Vault Server contains the tools necessary to configure Audit Vault and Database Firewall components and to collect audit data from, and apply firewall policies to, your secured targets.
The Oracle Audit Vault Server can audit different types of databases, such as Oracle, MSSQL, IBM DB2, etc. Here we will use an Oracle database as the secured target, i.e. we will audit an Oracle database.
- Register host agent.
- Configure agent in host agent server.
- Create a user in secured target database and set permission.
- Add secured target database.
- Enable audit trail in the secured target database.
- Enable audit on the secured target database.
- Provisioning auditor objects to target database.
Register host agent.
The Audit Vault Agent retrieves the audit trail data from a secured target database and sends it to the Audit Vault Server. If the Audit Vault Agent is stopped, then the secured target database will still create an audit trail (assuming auditing is enabled). The next time you restart the Audit Vault Agent, the audit data that had been accumulating since the Audit Vault Agent was stopped is retrieved.
We configure one Audit Vault Agent for each host and one or more audit trails for each individually secured target database. For example, if a host contains four databases, then we would configure one Audit Vault Agent for that host and one or more audit trails for each of the four databases. The number and type of audit trails that you configure depend on the secured target database type and the audit trails that we want to collect from it.
We can create the Audit Vault Agent on one computer and manage multiple audit trails from there. For example, suppose we have 25 secured target databases on 25 servers. We must configure an audit trail for each of these secured target databases, but we do not need to configure an Audit Vault Agent on each of the 25 servers. Instead, just create one Audit Vault Agent to manage the 25 audit trails.
Be aware, however, that for Oracle Databases we cannot use a remote Audit Vault Agent to collect audit data from users who have logged in with the SYSDBA or SYSOPER privilege, because that audit trail is written to the local file system, and therefore file system access is needed. The Audit Vault Agent also contains Host Monitor capability, which enables AVDF to directly monitor SQL traffic to a database. This can be useful for monitoring many small databases centrally.
Log in to the Oracle Audit Vault and Database Firewall server console using the admin username and password.
To register the host agent, go to
Hosts > Register > enter the hostname and IP address > Save.
Configure agent in host agent server.
If you want to collect audit data from a secured target, you must configure a connection between the Audit Vault Server and the host machine where the Audit Vault Agent resides for that secured target (usually the same computer as the secured target). After registering a host, you must then deploy and activate the Audit Vault Agent on that host.
To configure the agent, download the agent from the console and move it to the desired location on the host server.
Before configuring the agent, JDK 6 or 7 must be installed.
[root@IAM-PRD-DB-SRV-01] mkdir /u01/AV
[root@IAM-PRD-DB-SRV-01] chown -R oracle:dba /u01/AV
[root@IAM-PRD-DB-SRV-01] chmod -R 755 /u01/AV
[root@IAM-PRD-DB-SRV-01] cd /u01/AV
[root@IAM-PRD-DB-SRV-01] java -jar agent.jar -d agent
[root@IAM-PRD-DB-SRV-01] cd agent/bin
[root@IAM-PRD-DB-SRV-01] ./agentctl start -k
Copy the agent activation key from the console and enter it when prompted the first time the agent starts.
Refresh the browser; the agent status should now show as Running.
Create a user in secured target database and set permission.
Some secured target types require credentials in order for Oracle AVDF to access them. If you plan to collect audit data from a secured target, do stored procedure auditing (SPA), entitlements auditing, or enable database interrogation, you must create a user account on the secured target with the appropriate privileges to allow Oracle AVDF to access the required data. Oracle AVDF provides scripts to configure user account privileges for database secured target types.
The scripts set up user privileges that allow Oracle AVDF to do the following functions:
- Audit data collection
- Audit policy management
- Stored procedure auditing
- User entitlement auditing
- Database interrogation
- Audit trail cleanup (for some secured targets)
The script supports the following modes:
| No. | Mode | Purpose |
|---|---|---|
| 1 | SETUP | To set up privileges for managing the Oracle Database audit policy from Oracle AVDF, and for collecting data from any audit trail type except the REDO logs. For example, use this mode for a TABLE audit trail in Oracle AVDF. |
| 2 | REDO_CALL | To set up privileges for collecting audit data from the REDO logs. Use this mode only for a TRANSACTION LOG audit trail in Oracle AVDF. |
| 3 | SPA | To enable stored procedure auditing for this database. |
| 4 | ENTITLEMENT | To enable user entitlement auditing for this database. |
[root@IAM-PRD-DB-SRV-01] sqlplus / as sysdba
SQL> create user avauditor identified by Tigerit1 account unlock;
SQL> @/u01/AV/agent/av/plugins/com.oracle.av.plugin.oracle/config/oracle_user_setup.sql avauditor SETUP
Add secured target database.
To add a secured target, follow the steps below:
Secured Targets > Register >
Section Name: Add Secured Target Location
- New Secured Target Name: idmdb (or any name you choose)
- Secured Target Type: Oracle Database
- Host Name/IP Address: 192.168.102.51
- Port: 1521
- Service Name: idmdb1
- User Name: avauditor (the user just created in the target database)
- Password: password of this user.
Note: under Advanced settings, the Secured Target Location is the fully qualified connection string of the target database.
Section Name: Add Secured Target Address
If we want to monitor this target with the Database Firewall, then we have to add every connection endpoint in this section, with hostname/IP address, port number and SID/service name.
Note: The Database Firewall will only monitor client access to the addresses added here. If a client connects to the target database using a connection that is not added in this section, the Database Firewall cannot monitor it.
The secured target is now created successfully.
Enabling an audit trail in the secured target database.
In order to start collecting audit data, we must configure an audit trail for each secured target in the Audit Vault Server, then start audit trail collection manually.
This procedure assumes that the Audit Vault Agent is installed on the same host computer as the secured target.
To configure an audit trail for a secured target:
1. Log in to the Audit Vault Server console as an administrator.
2. Click the Secured Targets tab.
3. Under Monitoring, click Audit Trails.
The Audit Trails page appears, listing the configured audit trails and their status.
4. In the Audit Trails page, click Add.
5. In the Collection Host field, click the up-arrow icon to display a search box, and then find and select the host computer where the Audit Vault Agent is deployed.
6. In the Secured Target Name field, click the up-arrow icon to display a search box, and then find and select the secured target.
7. From the Audit Trail Type drop-down list, select one of the following:
- EVENT LOG
- TRANSACTION LOG
Note: For this audit trail type, ensure that the secured target database has a fully qualified database name. The relevant initialization parameter is GLOBAL_NAMES, which specifies whether a database link is required to have the same name as the database to which it connects; the recommended value is TRUE. Ensure that the global name for the secured target database is a fully qualified name (for example, orcl.example.com). If you must change the global database name, then run the following ALTER statement:
ALTER DATABASE RENAME GLOBAL_NAME TO new_name;
To use Oracle Streams to share information between databases, set GLOBAL_NAMES to TRUE at each database that is participating in your Oracle Streams environment.
8. In the Trail location field, enter the location of the audit trail on the secured target computer, for example, sys.aud$.
Note: Oracle Database audit trail locations:
For TABLE audit trails: sys.aud$, sys.fga_log$, dvsys.audit_trail$, v$unified_audit_trail
For DIRECTORY audit trails: full path to a directory containing AUD or XML files.
For SYSLOG audit trails: full path to the directory containing the syslog file.
For TRANSACTION LOG, EVENT LOG and NETWORK audit trails: no trail location is required.
Special Note: If you select DICTIONARY as the audit trail type, the trail location must be a dictionary mask.
9. If you have deployed plug-ins for this type of secured target, select the plug-in in the Collection Plug-in drop-down list.
10. Click Save. The audit trail is added to the list on the Audit Trails page. The collection status initially displays a red down-arrow (stopped). The audit trail starts automatically shortly after it is added.
Select the audit trail and click the Start button.
Audit trail collection status: when we hover the mouse cursor over the Collection Status field, we can see the collection status.
Audit Trail Collection Status
| No. | Status | Meaning |
|---|---|---|
| 1 | Idle | Trail is up and running, no new audit data to collect. In this state, the trail is waiting for the Secured Target to generate new audit data. |
| 2 | Collecting | Trail is currently actively collecting audit data. |
| 3 | Stopped | Trail is currently stopped. |
| 4 | Recovering | Trail has collected a batch of audit data and is setting a checkpoint on the Audit Vault Server. This can take a while depending on the server load. |
| 5 | Unreachable | A heartbeat timeout has occurred, indicating that a heartbeat message has not been received from the trail in the last two minutes. This status is temporary unless the trail has crashed. |
Enabling audit on the secured target database.
In this procedure we audit only the EMPLOYEES table of the HR schema. Enable auditing on the HR schema.
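The page does not show the statement that enables auditing on the table. As an added example (not from the original page), the following SQL*Plus session enables traditional auditing on HR.EMPLOYEES with the ACCESS granularity that the SELECT setting requires in the provisioning step, and verifies that records reach SYS.AUD$, the location the TABLE audit trail collects from. It assumes the database runs traditional (not pure unified) auditing and that the session user is SYS or holds the AUDIT ANY privilege.

```sql
-- Added example, not from the original page: audit HR.EMPLOYEES and confirm
-- the records land in SYS.AUD$, which the AVDF TABLE audit trail reads.

-- 1. Audit records only reach SYS.AUD$ when AUDIT_TRAIL is DB or DB,EXTENDED.
--    AUDIT_TRAIL is static: a change needs SCOPE=SPFILE and a restart.
SHOW PARAMETER audit_trail
-- ALTER SYSTEM SET audit_trail = 'DB,EXTENDED' SCOPE = SPFILE;   -- then restart

-- 2. Audit DML on the one table in scope, one record per statement execution
--    (BY ACCESS), as the SELECT setting in the AVDF policy expects.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hr.employees BY ACCESS;

-- 3. Confirm the options are set: 'A/A' means by access, on success and failure.
SELECT owner, object_name, sel, ins, upd, del
  FROM dba_obj_audit_opts
 WHERE owner = 'HR' AND object_name = 'EMPLOYEES';

-- 4. Generate one audited statement and check it was written. These rows are
--    what the agent collects once the sys.aud$ TABLE trail is started.
SELECT COUNT(*) FROM hr.employees;

SELECT username, obj_name, action_name, returncode, timestamp
  FROM dba_audit_trail
 WHERE owner = 'HR' AND obj_name = 'EMPLOYEES'
 ORDER BY timestamp DESC;
```

The RETURNCODE column is 0 for a successful statement; a non-zero value is the ORA- error number, so failed access attempts are captured as well.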
Provisioning auditor objects to target database.
In this part, we have to log in as the AVAUDITOR user. We enabled auditing on the table in the previous step. Now we retrieve all audit settings from the database. There are many objects in the database that can be audited; here we select the objects that need to be audited, and in the next step all selected objects are provisioned to the target database using the SYSTEM username and password. Follow these steps:
Log in with the AVAUDITOR username and password at the same console address.
To retrieve the audit settings, go to Policy > select the secured target database > click the Retrieve Audit Settings button.
Before retrieving the audit settings, no problems are reported.
After retrieving the audit settings, 40 problems are found.
Click the secured target >
There are five audit types: Statement, Object, Privileged, FGA and Capture Rule.
Click any audit type; you will see that all objects show a red down-arrow in the Needed field. Select the objects you need to audit, then click the Set as Needed button.
After clicking the button:
In the image above, the SELECT setting is marked yellow, because the SELECT setting must be created with ACCESS audit granularity.
To provision all objects to the target database, select all audit types, then click the Export Provision button.
Enter Username: SYSTEM and Password: the SYSTEM password, then click the Export button.
We will discuss report building in detail in our next post.