Oracle Audit Vault in Oracle Cloud Infrastructure
Database Security and Compliance Auditing
DISCLAIMER
This document in any form, software or printed matter, contains proprietary information that is the
exclusive property of Oracle. Your access to and use of this confidential material is subject to the terms
and conditions of your Oracle software license and service agreement, which has been executed and
with which you agree to comply. This document and information contained herein may not be disclosed,
copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This
document is not part of your license agreement nor can it be incorporated into any contractual
agreement with Oracle or its subsidiaries or affiliates.
This document is for informational purposes only and is intended solely to assist you in planning for the
implementation and upgrade of the product features described. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described in this document remains
at the sole discretion of Oracle.
Due to the nature of the product architecture, it may not be possible to safely include all features
described in this document without risking significant destabilization of the code.
6. Download Oracle AVDF ISO files and Upload into OCI, page 21
6. Configure the Audit Trail in Oracle AVDF (if you don’t use Unified Auditing), page 54
Conclusion, page 58
FAQ, page 59
Appendix, page 59
Create Network Interface Using the vLAN Tag of the Secondary vNIC, page 59
Oracle AVDF provides a security solution for monitoring and alerting on database access
events. Audit Vault ingests various types of logs, including audit trails from Oracle and
non-Oracle databases, OS logs, network logs, and application logs, providing a unified security
audit and monitoring solution. For more information, please refer to the Auditing
documentation and Audit Vault Guideline.
The objective of this white paper is to provide instructions for customers who want to install
and configure Oracle AVDF on an OCI VM instance to audit and monitor their DB/DBaaS
instances.
• Install prerequisites
o Create a VCN, a Block Volume and a VM Instance
o Configure the VM Instance storage
o Download Oracle AVDF ISO files and Upload into OCI
• Install a BYOH KVM for Running the Oracle AVDF VM
o Install KVM
o Create an OCI Secondary vNIC and associate it with the KVM guest VM
• Install the Audit Vault Server
o Create a storage pool for Audit Vault and ISO Files
o Create a KVM guest instance
• Configure the Oracle Audit Vault Server
o Deploy Audit Vault agents
o Register the DB/DBaaS Instance in the Audit Vault Server
o Start the Audit Vault Agent
o Configure the DB/DBaaS Instance Database as an Oracle AVDF Secured Target
o Configure Auditing
o Provision Database Audit Policies
o Monitor Database Activity in Oracle Audit Vault
Note: In this paper, Oracle AVDF refers only to the Audit Vault Server functionality. Database Firewall
is out of scope for this white paper and will be handled separately.
Oracle Cloud Infrastructure offers both Bare Metal and Virtual Machine instances (for more
information, see OCI Compute Overview):
• Bare Metal: A bare metal compute instance gives you dedicated physical server
access for highest performance and strong isolation.
An Oracle Cloud Infrastructure VM compute instance runs on the same hardware as a bare
metal instance, leveraging the same cloud-optimized hardware, firmware, software stack,
and networking infrastructure.
When you create a Compute instance, you can select the most appropriate type of instance
for your applications based on characteristics such as the number of CPUs, amount of
memory, and network resources. Oracle Cloud Infrastructure offers a variety of shapes that are
designed to meet a range of compute and application requirements.
• Availability domain: The Oracle Cloud Infrastructure data center within your
geographical region that hosts cloud resources, including your instances. You can
place instances in the same or different availability domains, depending on your
performance and redundancy requirements. For more information, see Regions and
Availability Domains.
• Security Lists: A virtual firewall for an instance, with ingress and egress rules that
specify the types of traffic allowed in and out. The security lists apply to a given vNIC
whether it's communicating with another instance in the VCN or a host outside the
VCN.
• Key Pair (for Linux instances): A security mechanism required for Secure Shell
(SSH) access to an instance. Before you launch an instance, you’ll need at least one
key pair.
• Tags: You can apply tags to your resources to help you organize them according to
your business needs. You can apply tags at the time you create a resource, or you
can update the resource later with the desired tags.
• Image: A template of a virtual hard drive that determines the operating system and
other software for an instance. You can also launch instances from:
o Boot Volumes.
• Shape: A template that determines the number of CPUs, amount of memory, and other
resources allocated to a newly created instance. You choose the most appropriate
shape when you launch an instance. See OCI Compute Shapes for a list of available
Bare Metal and VM shapes.
You can create, attach, connect, and move volumes as needed to meet your storage and
application requirements. After you attach and connect a volume to an instance, you can use
the volume like a regular hard drive. You can also disconnect a volume and attach it to another
instance without the loss of data.
. Choose Block Storage > Block Volumes
When you create an instance, it is automatically attached to a virtual network interface card (VNIC) in
the cloud network's subnet and given a private IP address from the subnet's CIDR. You can either let
the address be automatically assigned or specify a particular address of your choice. The private
IP address lets instances within the cloud network communicate with each other. They can instead use
fully qualified domain names (FQDNs) if you've set up the cloud network for DNS (see DNS in Your
Virtual Cloud Network).
If the subnet is public, you can optionally assign the instance a public IP address. A public IP address
is required to communicate with the instance over the Internet, and to establish a Secure Shell (SSH)
or RDP connection to the instance from outside the cloud network.
. Select and Validate your choice (VM Standard 2.4 or higher is recommended)
. Configure networking: fill out the VCN Compartment, the VCN and the Subnet
. Add your SSH Public Key (for more information, see OCI Creating Keys)
. Click on “Show Advanced Options” and open the Management tab to change the “Default
Domain name”
. Select: “iSCSI”, “Read/Write”, “Select Volume”, Compartment and Block Volume created
. Click on [Attach]
. Pay attention to the caution message
. Connect to the VM Instance with an SSH client using the Public IP Address (shown in the
VM Instance details) as the opc user with your private key
fdisk -l
. Copy UUID and paste the following line into /etc/fstab file
UUID=<UUID Copied> /u01 xfs defaults,noatime,_netdev 0 2
vi /etc/fstab
. Reboot to test the automount: click on the [Reboot] button in the OCI Console
sudo su - root
yum update -y
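The fstab entry above is easy to get wrong by hand (a mis-pasted UUID, a duplicate entry, or a missing _netdev option, which can stall the boot while the iSCSI session is still coming up). The following shell functions, an added example that is not part of the white paper, validate the UUID, append the entry only once, and check that the /u01 entry carries _netdev; the fstab path is an optional argument so the logic can be rehearsed on a copy.

```shell
#!/bin/sh
# Added example, not from the white paper. Manage the /etc/fstab entry for the
# iSCSI-attached block volume mounted on /u01. "_netdev" matters: without it the
# boot can hang waiting for a disk that only appears after iscsid brings up the
# session. The fstab path is an optional third argument so a copy can be tested.

# Accept only a well-formed UUID so a blank or mistyped paste never reaches fstab.
is_uuid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# The exact line the paper uses, for a given UUID and mount point.
fstab_line() {
    printf 'UUID=%s %s xfs defaults,noatime,_netdev 0 2\n' "$1" "$2"
}

# Append the entry once. Returns 1 for a bad UUID, 2 if the mount point is taken.
add_fstab_entry() {
    uuid="$1"; mnt="$2"; fstab="${3:-/etc/fstab}"
    is_uuid "$uuid" || { echo "invalid UUID: $uuid" >&2; return 1; }
    grep -q "^UUID=$uuid " "$fstab" 2>/dev/null && return 0   # already present
    if grep -Eq "^[^#][^[:space:]]*[[:space:]]+$mnt([[:space:]]|$)" "$fstab" 2>/dev/null; then
        echo "$mnt already has an fstab entry" >&2; return 2
    fi
    fstab_line "$uuid" "$mnt" >> "$fstab"
}

# Succeeds only if the entry for the mount point exists and has _netdev.
check_netdev() {
    fstab="${1:-/etc/fstab}"; mnt="$2"
    awk -v m="$mnt" '!/^#/ && NF >= 4 && $2 == m { found = 1; if ($4 ~ /(^|,)_netdev(,|$)/) ok = 1 }
                     END { exit !(found && ok) }' "$fstab"
}

# Typical use on the host before the reboot test the paper describes
# (/dev/sdb is an assumed device name for the attached block volume):
#   uuid=$(blkid -s UUID -o value /dev/sdb)
#   add_fstab_entry "$uuid" /u01 && check_netdev /etc/fstab /u01 && mount -a && df -h /u01
```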
. Download the latest version of Oracle AVDF ISO image (follow the download instructions)
Figure 7. Oracle AVDF 12.2.0.10.0 ISO Files downloaded from eDelivery to be used in this document
Note: Oracle AVDF is a separately licensed product within the Oracle Database Security product portfolio.
Procure necessary licenses for all production and non-production (test and development) environments.
mkdir -p /u01/kvm
mkdir -p /u01/kvm/av01
mkdir -p /u01/sources
mkdir -p /u01/sources/av
. Transfer the AVDF ISO files into the VM Instance storage (via sftp, scp,…)
For BYOH, the essential feature is the VCN’s secondary VNIC. Secondary VNIC allows
additional VNICs to attach to a VM instance, assign a VCN-routable IP address to the VNIC,
and attach it to a VM running on the BYOH BM instance. For more information about
secondary VNICs, see the Networking service documentation.
To configure the KVM hypervisor so that it can run a nested KVM server, you need to enable
nested virtualization together with the IOMMU option, which allows virtual NIC passthrough.
cp /etc/default/grub /etc/default/grub.bck
. Edit the Grub file and append the following parameters in GRUB_CMDLINE_LINUX line:
intel_iommu=on kvm-intel.nested=1
vi /etc/default/grub
. Enable tuned
systemctl enable tuned
grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
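The following shell functions, an added example that is not part of the white paper, make the grub edit above repeatable (each parameter is appended only if missing, and the backup is taken once) and verify after the reboot that nested KVM and the IOMMU are actually live on the host rather than only written to the file. They assume an Intel host (kvm-intel module) and the UEFI grub.cfg path used in the paper; the grub file path is an argument so the edit can be rehearsed on a copy.

```shell
#!/bin/sh
# Added example, not from the white paper. Put the nested-KVM and IOMMU kernel
# parameters into /etc/default/grub once (re-running is harmless), and verify on
# the rebooted host that both are actually live. Assumes an Intel host (kvm-intel
# module) and the UEFI grub.cfg path used in the paper.
PARAMS="intel_iommu=on kvm-intel.nested=1"

# Extract the current GRUB_CMDLINE_LINUX value.
kernel_cmdline() {
    sed -n -E 's/^GRUB_CMDLINE_LINUX="(.*)"$/\1/p' "${1:-/etc/default/grub}"
}

# Append each missing parameter inside the quotes of GRUB_CMDLINE_LINUX.
add_kernel_params() {
    grub="${1:-/etc/default/grub}"
    [ -f "$grub.bck" ] || cp "$grub" "$grub.bck"     # one-time backup, as in the paper
    for p in $PARAMS; do
        case " $(kernel_cmdline "$grub") " in
            *" $p "*) continue ;;                    # already present
        esac
        sed -i -E "s/^(GRUB_CMDLINE_LINUX=\".*)\"\$/\1 $p\"/" "$grub"
    done
    # Then regenerate the boot config (UEFI path used in the paper) and reboot:
    #   grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg
}

# After reboot: check the running kernel, not just the file. Returns non-zero
# with a reason if nested KVM or the IOMMU is not active.
verify_nested_kvm() {
    nested=$(cat /sys/module/kvm_intel/parameters/nested 2>/dev/null)
    case "$nested" in
        Y|1) ;;
        *) echo "nested virtualization is not enabled (kvm_intel nested=$nested)" >&2; return 1 ;;
    esac
    grep -qw intel_iommu=on /proc/cmdline || { echo "intel_iommu=on missing from /proc/cmdline" >&2; return 1; }
    [ -n "$(ls /sys/kernel/iommu_groups 2>/dev/null)" ] || { echo "no IOMMU groups: passthrough unavailable" >&2; return 1; }
}
```

Run add_kernel_params before grub2-mkconfig, and verify_nested_kvm after the reboot; if the IOMMU group check fails, the KVM guest will not be able to use the secondary vNIC in passthrough mode.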
Before configuring the guest instance, the host interface needs additional configuration.
The next step is to create a secondary vNIC and attach it to the nested KVM VM instance.
For more information, please refer to Create Secondary vNIC using the Console.
. Fill out the Name, the VCN, the Subnet, check “Skip Source” and “Assign Public IP
address”, and the Private IP address:
./secondary_vnic_all_configure.sh -c
. Identify the interface that matches the MAC address of the OCI Secondary vNIC created in the
previous step
ip a
As shown above, only one interface besides the loopback carries an IP address: ens3.
This is the network interface used for host management access. The newly created interface
is ens5, and its MAC address is the one listed in the OCI console.
. Configure the interface on the host instance before attaching it to the KVM guest
cp /etc/sysconfig/network-scripts/ifcfg-ens3 /etc/sysconfig/network-scripts/ifcfg-ens5
uuidgen
. Copy UUID
Here: 2d47b9da-9223-41b4-b396-bff675a1e4fd
. Edit the config file for ens5, change Name and Device with ens5, and put the new UUID
vi /etc/sysconfig/network-scripts/ifcfg-ens5
. Reboot the VM so that the KVM host allows the KVM guest instance to use this new NIC
interface, either from the command line or from the OCI Console:
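The steps above (find the interface whose MAC matches the secondary vNIC, copy ifcfg-ens3, replace NAME, DEVICE and UUID) are scripted below as an added example that is not part of the white paper. It assumes the RHEL/Oracle Linux network-scripts layout; NET_SYSFS and the scripts directory are overridable so the logic can be exercised without touching the real host.

```shell
#!/bin/sh
# Added example, not from the white paper. Locate the host interface that carries
# the secondary vNIC's MAC address (the "ip a" step), then create its ifcfg file
# from the management interface's file with NAME, DEVICE and UUID replaced, as the
# paper does by hand. NET_SYSFS defaults to /sys/class/net.

# Lower-case a MAC so the console's rendering and the kernel's compare equal.
norm_mac() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# Print the interface whose address matches the MAC; fail if none does.
find_iface_by_mac() {
    want=$(norm_mac "$1"); sysfs="${NET_SYSFS:-/sys/class/net}"
    for ifdir in "$sysfs"/*; do
        [ -r "$ifdir/address" ] || continue
        if [ "$(norm_mac "$(cat "$ifdir/address")")" = "$want" ]; then
            basename "$ifdir"; return 0
        fi
    done
    echo "no interface has MAC $want; is the vNIC attached to this instance?" >&2
    return 1
}

# Create ifcfg-<new> from ifcfg-<src>. Args: src-iface vnic-mac [scripts-dir]
# Prints the new interface name on success.
make_ifcfg_for_vnic() {
    src="$1"; dir="${3:-/etc/sysconfig/network-scripts}"
    new=$(find_iface_by_mac "$2") || return 1
    [ "$new" != "$src" ] || { echo "MAC belongs to the management interface $src" >&2; return 1; }
    uuid=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid)
    sed -E -e "s/^(NAME|DEVICE)=.*/\1=$new/" \
           -e "s/^UUID=.*/UUID=$uuid/" \
           "$dir/ifcfg-$src" > "$dir/ifcfg-$new"
    # If the template had no UUID line, add one rather than leaving it out.
    grep -q '^UUID=' "$dir/ifcfg-$new" || printf 'UUID=%s\n' "$uuid" >> "$dir/ifcfg-$new"
    echo "$new"
}

# Read one key from an ifcfg file (for checks and tests).
ifcfg_get() { sed -n -E "s/^$2=//p" "$1"; }

# Typical use on the host, with the MAC copied from the vNIC's details in the OCI console:
#   make_ifcfg_for_vnic ens3 '<secondary vNIC MAC>' && reboot
```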
passwd
. Open the “Network Interfaces” tab and verify the MAC address is correct
for ens3 and ens5 (compare with Attached vNICs of the VM Instance)
As a reminder:
. Right click on “QEMU/KVM”, choose “Details” and select the “Storage” tab
. Click on [Finish]
. Select the new directory created and Click on [+] at right to add a volume
. Fill out the Name, select the Format (qcow2 is recommended) and specify the Size to install
the Audit Vault Server (250GB minimum)
. In the virt-manager storage tab, click on [+] at the left bottom corner as seen previously
. Fill out the Name and Type of the storage pool and specify the ISO files location (we put them
earlier in /u01/sources/av)
. Click on [Finish]
. Select the new Storage Pool to see all the ISO Files
KVM can be managed through command-line or graphical tools; the focus here is on the GUI
tools. Use VNC to connect to the OCI KVM hypervisor instance, then open gnome-terminal
and run the following command
. Select “Select or create custom storage” and put the qcow2 storage pool created earlier
. Fill out the Name and select "Customize Configuration before install"
. Extend “Network selection” and choose ens5 device, and “Passthrough” as source mode
As a reminder:
- Click on “IDE CDROM 1” and check the source path is connected to the ISO File
When the VM starts installing, it should detect the vNIC network device attached to the VM.
The VM installation takes about 1 hour. For more information, see Oracle AVDF installation.
Note: You can reach the AVDF console directly from the Internet if you open port 443 in the security lists. To do so, open
a web browser and go to https://AVDF_VM_IP, where AVDF_VM_IP is the public IP address of the Secondary vNIC (not
recommended, because it exposes your console on the Internet).
. When prompted, set the Username and Password for the Administrator and Audit Manager.
Also when prompted, set the Repository Encryption password, Root password (root
privilege on the VM) and Support password (for SSH access to the VM).
Oracle Cloud Infrastructure File Storage service provides a durable, scalable, secure,
enterprise-grade network file system. You can connect to a File Storage service file system
from any bare metal, virtual machine, or container instance in your Virtual Cloud Network
(VCN). You can also access a file system from outside the VCN using Oracle Cloud
Infrastructure FastConnect and Internet Protocol security (IPSec) virtual private network (VPN).
The File Storage service supports the Network File System version 3.0 (NFSv3) protocol.
The service supports the Network Lock Manager (NLM) protocol for file locking functionality.
For more information, see OCI File Storage.
The File Storage service supports snapshots for data protection of your file system. Snapshots
are a consistent, point-in-time view of your file systems. Snapshots are copy-on-write and
scoped to the entire file system. You can take as many snapshots as you need.
Snapshots are accessible under the root directory of the file system at .snapshot/name.
For data protection, you can use rsync, tar, or another third-party tool that supports NFSv3 to
copy your data to a remote location, file system, or object storage. For more information, see
OCI Managing Snapshots.
b. On the Hosts tab, click [Agent] and download the agent.jar file
d. Set $AVDF_AGENT_HOME as the directory where the Audit Vault Agent will be installed.
The following command creates the $AVDF_AGENT_HOME directory and installs the
agent:
java -jar agent.jar -d $AVDF_AGENT_HOME
a. Verify that the database audit trail is enabled on the DB/DBaaS instance by
running the following command:
show parameter audit
o Shut down and restart the database to activate the audit trail.
b. Because Oracle AVDF requires privileges to collect audit data from the database
and manage audit policies, you must create a user (audituser) with the
appropriate privileges. Oracle AVDF provides a PL/SQL script
(oracle_user_setup.sql) to configure audituser with the appropriate privileges.
The script is available at
$AVDF_AGENT_HOME/av/plugins/com.oracle.av.plugin.oracle/config
Run the following commands at the SQL prompt on the DB/DBaaS instance to
create the audituser user with the necessary privileges:
CREATE USER audituser IDENTIFIED BY <password>;
e. Enter the DB/DBaaS instance name (DB_NAME) in the Host Name field, and the IP
address (DB_IP) in the Host IP field.
f. Click [Save]
A unique activation key is generated. Copy the activation key, which you will use in the
next section while installing the Audit Vault Agent. Note that the DB_NAME has no relation
to the ORACLE_SID of the database running on the DB/DBaaS instance and could be any
meaningful string.
b. When prompted for the agent activation key, provide the activation key that you
copied from the Oracle AVDF console. The activation key is available in the Hosts
tab when you log in to the console as Administrator.
c. To verify that the Audit Vault Agent was successfully activated and is running,
check the Agent Status on the Hosts tab in Oracle AVDF console (after logging
in as administrator). The status should say Running with a green dot. In addition,
the DB_NAME and DB_IP values should be listed in the Host Name and Host IP
columns. The following figure shows the status of the agent, the DB host name
(dbtest), and the IP address (10.0.0.13).
o Protocol: TCP
o Port: 1521
o Password: <audituser_password>
(password created for audituser in a previous step)
Note: It is important to synchronize the time on the Audit Vault Server and secured targets (DB/DBaaS instances,
in this case) by using the NTP server. Unsynchronized time negatively affects audit trail collection.
From Oracle 12c, all the audit trails (SYS.AUD$, SYS.FGA_LOG$, DVSYS.AUDIT_TRAIL$, and so on)
have been unified into a single view, SYS.UNIFIED_AUDIT_TRAIL. With this, audit tools such as Oracle
AVDF can analyze an entire set of audit data in one location, rather than having to gather the data into
one location. A new schema AUDSYS is used for storing the unified audit data. The following figure
shows the high-level operation of Oracle Unified Audit:
6. Configure the Audit Trail in Oracle AVDF (if you don’t use Unified Auditing)
b. On the Secured Targets tab, click Audit Trails under Monitoring in the left-
hand pane, and then click [Add].
c. Enter the following values in the fields and then click [Save]:
You can provision audit policies in the database from the Audit Vault Server. Provisioning new
policies and modifying existing ones requires auditor user privileges.
a. Log in to the Oracle AVDF console as auditor
b. On the Policy tab, select the secured target for which you want to create policies.
The console shows all the audit policies. The following figure shows audit policies
for the dbtest secured target.
c. To add an audit policy for statements, click Statement in the Audit Type column,
and then click [Create]. Define the audit policy.
The following figure shows an example audit policy AUDIT ALL STATEMENTS
BY DBA_DEBRA BY ACCESS for the secured target dbtest:
d. Go to the Secured Target pane, select Statement and then click [Provision].
Continuing from the previous example, all the SQL statements by user DBA_DEBRA on the
dbtest secured target running on the DB/DBaaS instance are audited by the Audit Vault Server.
You can view all the activity in the Oracle AVDF console.
a. Log in to the Oracle AVDF console as auditor
Use the following best practices for Oracle Database security and compliance auditing with
Oracle AVDF.
You can use VCN security lists to allow network connections to the Oracle AVDF VM only from
authorized database instances in the VCN.
Audit Vault Agents run on the DBaaS instance to read Oracle Database audit trails and copy
records to the Audit Vault Server. Oracle AVDF employs the following collectors:
• DBAUD (to read from database audit tables)
Audit records consume space on the Audit Vault Server. On average, one million audit records
require about 900 MB of disk space. Depending on the number of audit records generated per
day and their retention period, it is necessary to allocate enough disk space (both block volume
and Oracle AVDF virtual disk sizes). Failure to provision an appropriate-sized disk could lead
to an Oracle AVDF VM crash and loss of all collected audit records.
We recommend setting up periodic archiving of Oracle AVDF audit records to your Oracle
Cloud Infrastructure Object Storage bucket. Oracle AVDF allows archiving using SCP (secure
copy) to an IP-addressable host (among other options such as NFS). We recommend archiving
Oracle AVDF audit records on the BYOH VM host and transferring them by using a script from
the VM host to your Object Storage bucket. Refer to the Oracle AVDF documentation for more
information about setting up periodic archiving.
You can configure a pair of Audit Vault Servers, one as primary and one as secondary. Audit
records in the primary are automatically synchronized to the secondary. In the scenario
described in this paper, we recommend that primary and secondary Oracle AVDF VMs be
installed on two separate BYOH VM instances for maximum availability. Refer to the Oracle
AVDF documentation for a high-availability (HA) setup.
SSH access is useful for troubleshooting and performing operational activities with the Oracle
AVDF VM, and we recommend enabling SSH access to the VM. In the Oracle AVDF console,
go into System settings and enable SSH access to the Oracle AVDF VM from the host VM
instance. After this step, you can log in to the Oracle AVDF VM from the host VM instance by
using ssh support@AVDF_VM_IP.
CONCLUSION
This white paper presents a solution for deploying Oracle Audit Vault and Database Firewall
on Oracle Cloud Infrastructure for auditing Oracle Cloud Infrastructure DB/DBaaS instances
for improved security and compliance. Along with Oracle Cloud Infrastructure DB/DBaaS API
audit logs, the Oracle AVDF auditing provides comprehensive audit logging and monitoring
capability for DB/DBaaS instances. This customer-managed solution requires customers to
deploy a BYOH on their VM instance in order to run the Oracle AVDF security appliance.
APPENDIX
Create Network Interface Using the vLAN Tag of the Secondary vNIC
Copyright © 2019, Oracle and/or its affiliates. All rights reserved.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
White Paper: Deploying Oracle Audit Vault and Database Firewall in Oracle Cloud Infrastructure
September 2019