
Deploying

Oracle
Audit Vault in
Oracle Cloud
Infrastructure
Database Security and Compliance Auditing

WHITE PAPER / SEPTEMBER 6, 2019


PURPOSE STATEMENT
This document provides an overview of installing Oracle Audit Vault and Database Firewall (AVDF) in
the Oracle Cloud. It is intended to give you an overview of the AVDF installation process in the Oracle
Cloud Infrastructure. The procedure outlined in this document is not intended to replace the formal
installation documentation available at https://docs.oracle.com. The version used for this install is
12.2.0.10, but while specific screen shots may differ, the procedure outlined in this document is valid
for all of the 12.2 AVDF product releases.

DISCLAIMER
This document in any form, software or printed matter, contains proprietary information that is the
exclusive property of Oracle. Your access to and use of this confidential material is subject to the terms
and conditions of your Oracle software license and service agreement, which has been executed and
with which you agree to comply. This document and information contained herein may not be disclosed,
copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This
document is not part of your license agreement nor can it be incorporated into any contractual
agreement with Oracle or its subsidiaries or affiliates.
This document is for informational purposes only and is intended solely to assist you in planning for the
implementation and upgrade of the product features described. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described in this document remains
at the sole discretion of Oracle.
Due to the nature of the product architecture, it may not be possible to safely include all features
described in this document without risking significant destabilization of the code.

2 WHITE PAPER / Oracle Cloud Infrastructure


TABLE OF CONTENTS

Purpose Statement ............................................................................................................................... 2

Scope of the document ......................................................................................................................... 5

To know about Oracle Cloud Infrastructure (OCI)................................................................................. 6

Install prerequisites ............................................................................................................................... 8

1. Create a VCN on your OCI Compartment ............................................................................... 8

2. Create a Block Volume for the VM Instance .......................................................................... 10

3. Create a VM Instance ............................................................................................................ 12

4. Configure the VM Instance storage ....................................................................................... 15

5. Update all packages as ROOT .............................................................................................. 21

6. Download Oracle AVDF ISO files and Upload into OCI ........................................................ 21

Install a BYOH KVM for Running the Oracle AVDF VM...................................................................... 22

1. Install KVM ............................................................................................................................ 23

2. Create an OCI Secondary vNIC ............................................................................................ 24

3. Associate OCI Secondary vNIC with the KVM guest VM ...................................................... 26

4. VNC test connection.............................................................................................................. 27

Installing the Audit Vault Server .......................................................................................................... 31

1. Create a storage pool for Audit Vault .................................................................................... 31

2. Create a storage pool for ISO Files ....................................................................................... 33

3. Create a KVM guest instance ................................................................................................ 34

4. Install Audit Vault................................................................................................................... 39



5. Create an NFS endpoint (optional) ........................................................................................ 46

Configuring the Oracle Audit Vault Server .......................................................................................... 50

1. Deploy Audit Vault agents ..................................................................................................... 50

2. Register the DB/DBaaS Instance in the Audit Vault Server ................................................... 50

3. Start the Audit Vault Agent on the DB/DBaaS Instance ........................................................ 52

4. Configure the DB/DBaaS Instance as an Oracle AVDF Secured Target ............................... 52

5. Configure the Unified Audit Trail (recommended) ................................................................. 53

6. Configure the Audit Trail in Oracle AVDF (if you don’t use Unified Auditing) ........................ 54

7. Provision Database Audit Policies ......................................................................................... 54

8. Monitor Database Activity in Oracle Audit Vault .................................................................... 56

Oracle Database Auditing and Oracle AVDF Best Practices .............................................................. 57

Use VCN Security Lists to Firewall the Oracle AVDF VM ............................................................. 57

Know the Performance Impact of Auditing on the DBaaS Instance............................................... 57

Know Your Audit Vault Server Storage Requirements .................................................................. 57

Archive Audit Records to Oracle Cloud Infrastructure Object Storage .......................................... 58

Configure for High Availability ....................................................................................................... 58

Enable SSH Access to the Audit Vault Server .............................................................................. 58

Conclusion .......................................................................................................................................... 58

FAQ .................................................................................................................................................... 59

Appendix ............................................................................................................................................. 59

Create Network Interface Using the vLAN Tag of the Secondary vNIC ......................................... 59



SCOPE OF THE DOCUMENT

Oracle AVDF provides a security solution for monitoring and alerting on database access
events. Audit Vault ingests various types of logs, including audit trails from Oracle and
non-Oracle databases, OS logs, network logs, and application logs, providing a unified security
audit and monitoring solution. For more information, please refer to the Auditing
documentation and Audit Vault Guideline.

The objective of this white paper is to provide instructions for customers who want to install
and configure Oracle AVDF on an OCI VM instance to audit and monitor their DB/DBaaS
instances.

Installation steps to follow are:

• Install prerequisites
o Create a VCN, a Block Volume and a VM Instance
o Configure the VM Instance storage
o Download Oracle AVDF ISO files and Upload into OCI
• Install a BYOH KVM for Running the Oracle AVDF VM
o Install KVM
o Create an OCI Secondary vNIC and associate it with the KVM guest VM
• Install the Audit Vault Server
o Create a storage pool for Audit Vault and ISO Files
o Create a KVM guest instance
• Configure the Oracle Audit Vault Server
o Deploy Audit Vault agents
o Register the DB/DBaaS Instance in the Audit Vault Server
o Start the Audit Vault Agent
o Configure the DB/DBaaS Instance Database as an Oracle AVDF Secured Target
o Configure Auditing
o Provision Database Audit Policies
o Monitor Database Activity in Oracle Audit Vault

Note: In this paper, Oracle AVDF refers only to the Audit Vault Server functionality. Database Firewall
is out of scope for this white paper and will be handled separately.



TO KNOW ABOUT ORACLE CLOUD INFRASTRUCTURE (OCI)

Oracle Cloud Infrastructure offers a wide variety of high-performance Oracle Databases in
the cloud. Security is an important consideration in the cloud, and OCI databases provide
many security features by default.

Oracle Cloud Infrastructure offers both Bare Metal and Virtual Machine instances (for more
information, see OCI Compute Overview):

• Bare Metal: A bare metal compute instance gives you dedicated physical server
access for highest performance and strong isolation.

• Virtual Machine: A virtual machine (VM) is an independent computing environment
that runs on top of physical bare metal hardware. The virtualization makes it possible
to run multiple VMs that are isolated from each other. VMs are ideal for running
applications that do not require the performance and resources (CPU, memory,
network bandwidth, storage) of an entire physical machine.

An Oracle Cloud Infrastructure VM compute instance runs on the same hardware as a bare
metal instance, leveraging the same cloud-optimized hardware, firmware, software stack,
and networking infrastructure.

When you create a Compute instance, you can select the most appropriate type of instance
for your applications based on characteristics such as the number of CPUs, amount of
memory, and network resources. Oracle Cloud Infrastructure offers a variety of shapes that are
designed to meet a range of compute and application requirements.

The components required to launch an instance are:

• Availability domain: The Oracle Cloud Infrastructure data center within your
geographical region that hosts cloud resources, including your instances. You can
place instances in the same or different availability domains, depending on your
performance and redundancy requirements. For more information, see Regions and
Availability Domains.



• Virtual Cloud Network (VCN): A virtual version of a traditional network - including
subnets, route tables, and gateways - on which your instance runs. At least one cloud
network has to be set up before you launch instances.

• Security Lists: A virtual firewall for an instance, with ingress and egress rules that
specify the types of traffic allowed in and out. The security lists apply to a given vNIC
whether it's communicating with another instance in the VCN or a host outside the
VCN.

• Key Pair (for Linux instances): A security mechanism required for Secure Shell
(SSH) access to an instance. Before you launch an instance, you’ll need at least one
key pair.

• Tags: You can apply tags to your resources to help you organize them according to
your business needs. You can apply tags at the time you create a resource, or you
can update the resource later with the desired tags.

• Image: A template of a virtual hard drive that determines the operating system and
other software for an instance. You can also launch instances from:

o Images published by Oracle partners from the Partner Image catalog,

o Pre-built Oracle enterprise images and solutions enabled for OCI,

o Custom images, including bring your own image scenarios,

o Boot Volumes.

• Shape: A template that determines the number of CPUs, amount of memory, and other
resources allocated to a newly created instance. You choose the most appropriate
shape when you launch an instance. See OCI Compute Shapes for a list of available
Bare Metal and VM shapes.



INSTALL PREREQUISITES

1. Create a VCN on your OCI Compartment

• Go to the OCI Console
• Choose Networking > Virtual Cloud Networks
• Click on [Create Virtual Cloud Network]
• Fill out the Name, the Compartment, choose “Create Virtual Cloud Network Plus Related
Resources” and check “Use DNS Hostnames in this VCN”
• Click on [Create]

Figure 1. VCN Details after the resource is created

• Click on the newly created VCN to see the details

Figure 2. VCN Subnets details after the resource is created

• Click on [Security Lists] and create “Ingress Rules” to open TCP ports 22 and 443, and
allow the ICMP protocol, as follows
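The security-list step above as a script, added here as an example and not taken from the white paper. It builds the three ingress rules (TCP 22, TCP 443 and ICMP echo request, which the later ping test needs) for one administrator CIDR rather than the whole internet, which is what the paper's note on console exposure and its best-practices section on firewalling the AVDF VM argue for, and it refuses the any-address prefix outright. The JSON layout is the one the OCI CLI accepts for --ingress-security-rules (an assumption to verify against your CLI version); COMPARTMENT_OCID, VCN_OCID and the 203.0.113.0/24 network are placeholders.

```shell
#!/bin/sh
# Added example (not part of the white paper): generate the ingress rules for the
# VCN security list described above (TCP 22, TCP 443 and ICMP echo requests),
# restricted to an administrator CIDR rather than 0.0.0.0/0. The JSON layout is
# the one the OCI CLI accepts for --ingress-security-rules (an assumption to check
# against your CLI version); COMPARTMENT_OCID and VCN_OCID are placeholders.

# Emit the three rules for one source CIDR. Protocol "6" is TCP, "1" is ICMP;
# ICMP type 8 is echo request, which is what the ping test later in the paper needs.
ingress_rules_json() {
    cidr="$1"
    cat <<EOF
[
  {"source": "$cidr", "protocol": "6", "isStateless": false,
   "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},
  {"source": "$cidr", "protocol": "6", "isStateless": false,
   "tcpOptions": {"destinationPortRange": {"min": 443, "max": 443}}},
  {"source": "$cidr", "protocol": "1", "isStateless": false,
   "icmpOptions": {"type": 8, "code": 0}}
]
EOF
}

# Refuse to open SSH or the AVDF console to the whole internet: returns 0 only for
# a CIDR that is not the any-address prefix.
cidr_is_restricted() {
    case "$1" in
        0.0.0.0/0|::/0) return 1 ;;
        */*)            return 0 ;;
        *)              return 1 ;;   # not in CIDR notation at all
    esac
}

# Count the rules in the JSON on stdin that open exactly the single TCP port $1.
rules_for_port() {
    grep -c "\"min\": $1, \"max\": $1" || true
}

# Create the list (placeholders; run as: ./security-list.sh create 203.0.113.0/24).
if [ "${1:-}" = "create" ]; then
    cidr_is_restricted "$2" || { echo "refusing to open 22/443 to $2" >&2; exit 1; }
    ingress_rules_json "$2" > avdf-ingress.json
    oci network security-list create \
        --compartment-id "$COMPARTMENT_OCID" --vcn-id "$VCN_OCID" \
        --display-name avdf-host-sl \
        --ingress-security-rules file://avdf-ingress.json \
        --egress-security-rules '[{"destination": "0.0.0.0/0", "protocol": "all"}]'
fi
```

The stateful rules (isStateless false) mean the return traffic for SSH and HTTPS sessions is allowed automatically, so no matching egress rule for ephemeral ports is needed; keep the source CIDR as narrow as your administrators' egress addresses allow.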

2. Create a Block Volume for the VM Instance

You can create, attach, connect, and move volumes as needed to meet your storage and
application requirements. After you attach and connect a volume to an instance, you can use
the volume like a regular hard drive. You can also disconnect a volume and attach it to another
instance without the loss of data.
• Choose Block Storage > Block Volumes
• Click on [Create Block Volume]
• Fill out the Name, the Compartment, the Domain, the Size necessary to store the audit records
and other data (1TB is recommended, but it depends on how much audit data you want to store
within the VM Instance), the Backup Policy (for more information, see OCI Scheduling Volume
Backup) and choose “Encrypt Using Oracle-Managed Keys”
• Click on [Create Block Volume]
• Click on the newly created Block Volume to see the details

Figure 3. Block Volume details after the resource is created



3. Create a VM Instance

When you create an instance, it is automatically attached to a virtual network interface card (VNIC) in
the cloud network's subnet and given a private IP address from the subnet's CIDR. You can either let
the address be automatically assigned or specify a particular address of your choice. The private
IP address lets instances within the cloud network communicate with each other. They can instead use
fully qualified domain names (FQDNs) if you've set up the cloud network for DNS (see DNS in Your
Virtual Cloud Network).
If the subnet is public, you can optionally assign the instance a public IP address. A public IP address
is required to communicate with the instance over the Internet, and to establish a Secure Shell (SSH)
or RDP connection to the instance from outside the cloud network.

• Choose Compute > Instances
• Click on [Create Instance]
• Fill out the Name, choose the OS (Oracle Linux 7.6 minimum), the Domain and choose “Virtual Machine”
• Click on [Change Shape] to set up the VM resources
• Select and validate your choice (VM Standard 2.4 or higher is recommended)
• Configure networking: fill out the VCN Compartment, the VCN and the Subnet
• Add your SSH Public Key (for more information, see OCI Creating Keys)
• Click on “Show Advanced Options” and open the Management tab to change the “Default
Domain name”, and the Networking tab to select “Assign public IP address”
• Click on [Create]
• Check the details of the newly created VM Instance
• Open “Console Connections” above
• Click on [Create Console Connection] to configure a Console on the VM Instance
• Add your SSH Public Key
• Click on [Create Console Connection]

Figure 4. Console connection details after the resource is created



4. Configure the VM Instance storage

• Open “Attached Block Volumes”
• Click on [Attach Block Volume] to configure the Block Volume for the VM Instance
• Select: “iSCSI”, “Read/Write”, “Select Volume”, the Compartment and the Block Volume created
• Click on [Attach]
• Pay attention to the caution message
• After the Block Volume is attached, click on […] and select “iSCSI Commands &
Information” to see the command lines that attach the Block Volume to the VM
• Copy the attach command lines into an editor to use them later
• Connect to the VM Instance with an SSH client using the Public IP Address (available in the
VM Instance details) as the OPC user with your private key

Figure 5. VM Instance details - Public IP Address

Figure 6. Configuring the SSH client to log in to the VM Instance as the OPC user

• Connect as ROOT and run the iSCSI commands you copied

sudo su - root

• List the physical disks to check your disk volume /dev/sdb

fdisk -l


• Create the Physical Volume

pvcreate -v /dev/sdb

• Create the Volume Group

vgcreate -v vg_sdb /dev/sdb

• Create the Logical Volume

lvcreate -l 100%FREE -n lv_sdb vg_sdb

• Check the configuration

vgdisplay

lvdisplay

• Format the volume with XFS

mkfs.xfs /dev/vg_sdb/lv_sdb -f

• Mount the volume at /u01

mkdir /u01

fdisk -l

mount /dev/mapper/vg_sdb-lv_sdb /u01

df -h

• Automatic mounting after reboot

blkid /dev/vg_sdb/lv_sdb

• Copy the UUID and paste the following line into the /etc/fstab file

UUID=<UUID Copied> /u01 xfs defaults,noatime,_netdev 0 2

vi /etc/fstab

• Reboot to test the automount: click on the [Reboot] button in the OCI Console
• After rebooting, check that /u01 is correctly mounted

df -h
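The storage steps above (iSCSI attach, LVM, XFS, fstab entry, mount check) gathered into one script, as an added example that is not from the white paper. ISCSI_IQN and ISCSI_IP are placeholders for the values from the console's “iSCSI Commands & Information” screen, the iscsiadm lines follow the pattern of the commands that screen provides, and the helper names (fstab_entry, ensure_fstab_entry, fstab_count) are my own; the device, VG/LV names, mount point and fstab options are the ones used above.

```shell
#!/bin/sh
# Added example, not from the white paper: the block-volume procedure above as one
# script. The iscsiadm lines follow the pattern of the "iSCSI Commands & Information"
# the OCI Console shows for an attached volume; ISCSI_IQN and ISCSI_IP are
# placeholders for the values from that screen. Device, VG/LV names, mount point
# and fstab options are the ones the paper uses. Run as root: ./volume.sh provision

DEV=/dev/sdb
VG=vg_sdb
LV=lv_sdb
MNT=/u01
FSTAB=/etc/fstab

# fstab line for an iSCSI-backed XFS volume. Mounting by UUID survives a change of
# /dev/sdX name, and _netdev makes systemd wait for networking (and so the iSCSI
# session) before mounting, instead of failing the boot on an unreachable volume.
fstab_entry() {
    printf 'UUID=%s %s xfs defaults,noatime,_netdev 0 2\n' "$1" "$2"
}

# Append the entry only if the mount point is not already in the file, so the
# script can be re-run without duplicating fstab lines ($1 UUID, $2 mount, $3 file).
ensure_fstab_entry() {
    if grep -q "[[:space:]]$2[[:space:]]" "$3" 2>/dev/null; then
        return 0
    fi
    fstab_entry "$1" "$2" >> "$3"
}

# Number of fstab lines for a mount point ($1 file, $2 mount); used to verify.
fstab_count() {
    grep -c "[[:space:]]$2[[:space:]]" "$1" || true
}

provision() {
    : "${ISCSI_IQN:?set to the target IQN shown in the OCI Console}"
    : "${ISCSI_IP:?set to the portal IP shown in the OCI Console}"
    # 1. Attach the volume and make the session log in again at boot
    iscsiadm -m node -o new -T "$ISCSI_IQN" -p "$ISCSI_IP:3260"
    iscsiadm -m node -o update -T "$ISCSI_IQN" -n node.startup -v automatic
    iscsiadm -m node -T "$ISCSI_IQN" -p "$ISCSI_IP:3260" -l
    # 2. LVM over the whole disk, then XFS (same layout as the manual steps)
    pvcreate -v "$DEV"
    vgcreate -v "$VG" "$DEV"
    lvcreate -l 100%FREE -n "$LV" "$VG"
    mkfs.xfs -f "/dev/$VG/$LV"
    # 3. Persist the mount by UUID and test the fstab entry before rebooting
    mkdir -p "$MNT"
    uuid=$(blkid -s UUID -o value "/dev/$VG/$LV")
    ensure_fstab_entry "$uuid" "$MNT" "$FSTAB"
    mount "$MNT"
    df -h "$MNT"
}

if [ "${1:-}" = "provision" ]; then
    provision
fi
```

The final mount "$MNT" deliberately mounts from the new fstab entry rather than from the device path, so a typo in /etc/fstab is caught while you still have an SSH session instead of at the reboot test.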



5. Update all packages as ROOT

sudo su - root

yum update -y

yum groupinstall "Server with GUI" -y

ln -sf /lib/systemd/system/runlevel5.target /etc/systemd/system/default.target

6. Download Oracle AVDF ISO files and Upload into OCI

• Download the latest version of the Oracle AVDF ISO image (follow the download instructions)

Figure 7. Oracle AVDF 12.2.0.10.0 ISO Files downloaded from eDelivery to be used in this document

Note: Oracle AVDF is a separately licensed product within the Oracle Database Security product portfolio.
Procure necessary licenses for all production and non-production (test and development) environments.



• Upload the ISO files into a dedicated directory

sudo su - root

mkdir -p /u01/kvm

mkdir -p /u01/kvm/av01

mkdir -p /u01/sources

mkdir -p /u01/sources/av

chown -R opc:opc /u01/sources

• Transfer the AVDF ISO files into the VM Instance storage (via sftp, scp, …)

INSTALL A BYOH KVM FOR RUNNING THE ORACLE AVDF VM

For BYOH, the essential feature is the VCN’s secondary VNIC. A secondary VNIC is an
additional VNIC attached to the VM instance; it is given a VCN-routable IP address and is
then attached to a VM running on the BYOH BM instance. For more information about
secondary VNICs, see the Networking service documentation.

To configure the KVM hypervisor so that it can run a nested KVM server, you need to
enable nested virtualization along with the virtual NIC passthrough (IOMMU) option.



1. Install KVM

• Back up the Grub file

sudo su - root

cp /etc/default/grub /etc/default/grub.bck

• Edit the Grub file and append the following parameters to the GRUB_CMDLINE_LINUX line:

intel_iommu=on kvm-intel.nested=1

vi /etc/default/grub

• Install the latest qemu packages along with virt-manager

yum -y install qemu-kvm qemu-img virt-manager libvirt libvirt-python libvirt-client virt-install

Figure 10. Expected result

• Enable tuned

systemctl enable tuned

systemctl start tuned

tuned-adm profile virtual-host

• Recreate grub to validate all the changes

cp /boot/efi/EFI/redhat/grub.cfg /boot/efi/EFI/redhat/grub.cfg.orig

grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

Figure 11. Expected result

2. Create an OCI Secondary vNIC

Before configuring the guest instance, the host interface needs additional configuration.
The next step is to create a secondary vNIC and attach it to the nested KVM VM instance.
For more information, please refer to Create Secondary vNIC using the Console.

• Open the OCI Console and click on the VM Instance
• Open “Attached vNICs” and click on [Create vNIC]
• Fill out the Name, the VCN, the Subnet, check “Skip Source” and “Assign Public IP
address”, and the Private IP address:
• Click on [Create]
• Pay attention to the MAC Address and IP address information because you will use them
later. You may want to copy them to a text file for convenience.
• Configure the OS to use the vNIC
- Download secondary_vnic_all_configure.sh from the Secondary vNIC Documentation
- Upload the script into the VM at /u01/sources/av/ and execute it as ROOT

cd /u01/sources/av

chmod 700 secondary_vnic_all_configure.sh

./secondary_vnic_all_configure.sh -c


3. Associate OCI Secondary vNIC with the KVM guest VM

• Identify the interface that matches the MAC address of the OCI Secondary vNIC created in the
previous step

ip a

As shown above, only one interface besides the loopback carries an IP address: ens3.
This is the network interface used for host management access. The newly created interface
is ens5, and you can see that its MAC address is the one listed in the OCI UI.

• Configure the interface on the host instance before attaching it to the KVM guest

cp /etc/sysconfig/network-scripts/ifcfg-ens3 /etc/sysconfig/network-scripts/ifcfg-ens5

uuidgen

• Copy the UUID
Here: 2d47b9da-9223-41b4-b396-bff675a1e4fd

• Edit the config file for ens5, change Name and Device to ens5, and put in the new UUID

vi /etc/sysconfig/network-scripts/ifcfg-ens5

• Reboot the VM so that the KVM host lets the KVM guest instance use this new NIC
interface, either from the command line or from the OCI Console:

shutdown -r now

• After the restart, the ens5 NIC interface will be ready to use
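The host-side part of step 3 above as a script, added here as an example and not taken from the white paper. It locates the interface whose MAC matches the OCI secondary vNIC (the MAC shown under “Attached vNICs”), then derives the new ifcfg file from ifcfg-ens3 the way the manual steps do: copy, set NAME and DEVICE, put in a fresh UUID. The `ip -o link` sample embedded in it is constructed for the example and its MAC values are placeholders; the helper names (iface_for_mac, make_ifcfg, ifcfg_get) are my own.

```shell
#!/bin/sh
# Added example, not from the white paper: the host-side part of step 3 above as a
# script. It finds the interface whose MAC matches the OCI secondary vNIC (the MAC
# shown under "Attached vNICs") and derives its ifcfg file from ifcfg-ens3 the way
# the manual steps do (copy, then set NAME, DEVICE and a fresh UUID). The `ip -o link`
# sample below is constructed for the example; the MAC values are placeholders.

# Print the interface name whose link-layer address equals $1, reading `ip -o link`
# output on stdin. Case-insensitive, because the OCI Console prints upper-case MACs.
iface_for_mac() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$want" '{
        name = $2; sub(/:$/, "", name)
        for (i = 1; i <= NF; i++)
            if ($i == "link/ether" && tolower($(i + 1)) == want) { print name; exit }
    }'
}

# Write the ifcfg file for a new device from a template ($1 template, $2 device,
# $3 UUID, $4 output). HWADDR lines are dropped: they would pin the file to the
# template's MAC instead of the new vNIC's.
make_ifcfg() {
    sed -e "s/^NAME=.*/NAME=$2/" -e "s/^DEVICE=.*/DEVICE=$2/" \
        -e "s/^UUID=.*/UUID=$3/" -e '/^HWADDR=/d' "$1" > "$4"
}

# Read KEY=value from an ifcfg file ($1 file, $2 key); used to verify the result.
ifcfg_get() {
    sed -n "s/^$2=//p" "$1"
}

# Constructed sample of `ip -o link` on the host: ens3 is the management NIC,
# ens5 the newly attached secondary vNIC (placeholder MACs).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:17:00:aa:01 brd ff:ff:ff:ff:ff:ff
3: ens5: <BROADCAST,MULTICAST> mtu 9000 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 02:00:17:00:aa:02 brd ff:ff:ff:ff:ff:ff'

# On the real host: ./vnic-ifcfg.sh configure 02:00:17:00:AA:02  (MAC from the Console)
if [ "${1:-}" = "configure" ]; then
    scripts=/etc/sysconfig/network-scripts
    new=$(ip -o link | iface_for_mac "$2")
    [ -n "$new" ] || { echo "no interface carries MAC $2" >&2; exit 1; }
    make_ifcfg "$scripts/ifcfg-ens3" "$new" "$(uuidgen)" "$scripts/ifcfg-$new"
    echo "wrote $scripts/ifcfg-$new; reboot the host so the guest can use $new"
fi
```

Matching on the MAC rather than assuming the name ens5 is the useful part: the kernel's interface name depends on the PCI slot the vNIC lands in, while the MAC is the value you copied from the console and will later type into virt-manager for the guest NIC, so this is also the check that the two agree.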

4. VNC test connection

• Change the ROOT password of the VM

sudo su - root

passwd

Here, for example, our new password could be Oracle123!

• Copy the VNC Server service file

cp /lib/systemd/system/vncserver@.service /etc/systemd/system/vncserver@\:1.service

• On OCI, select the VM Instance and open “Console Connections”
• Click on […], then “Connect with VNC”
• Choose “Linux/MAC OS” and copy the command line


• Create an SSH tunnel using the command generated in the “Connect with VNC” screen:
- Remember to modify the Private Key path with your path (Attention: the Private Key
file must be in READ-ONLY mode)
- Run the copied command as follows

ssh -i <your private Key path>\privateKey -o ProxyCommand='ssh -i <your private Key path>\privateKey -W %h:%p -p 443 ocid1.instanceconsoleconnection.oc1.iad.abuwcljscrfmcy25f4hh7ibiy65u7mnqtlczcqdkjrxcwundef2wd6jq2noq@instance-console.us-ashburn-1.oraclecloud.com' -N -L localhost:5900:ocid1.instance.oc1.iad.abuwcljslrvceqvzwikh2uuw3z76np2jltsfqbvlymwzzf3k7g6l4e36yefa:5900 ocid1.instance.oc1.iad.abuwcljslrvceqvzwikh2uuw3z76np2jltsfqbvlymwzzf3k7g6l4e36yefa

- For Windows use PowerShell

• Run VNC Viewer on Localhost - port 5900


• Connect to the VM with VNC Viewer (as ROOT with your new password)
• Open a terminal and launch virt-manager

virt-manager

• Right click on “QEMU/KVM” and choose “Details”
• Open the “Network Interfaces” tab and verify that the MAC addresses are correct
for ens3 and ens5 (compare with the Attached vNICs of the VM Instance)

As a reminder:


INSTALLING THE AUDIT VAULT SERVER

1. Create a storage pool for Audit Vault

• Connect to the VM with VNC Viewer as ROOT
• Open a terminal and launch virt-manager

virt-manager

• Right click on “QEMU/KVM”, choose “Details” and select the “Storage” tab
• Click on [+] in the bottom left corner
• Fill out the Name and Type of the storage pool
• Select the directory where the Audit Vault files will be stored
• Click on [Finish]
• Select the newly created directory and click on [+] at the right to add a volume
• Fill out the Name, select the Format (qcow2 is recommended) and specify the Size for installing
the Audit Vault Server (250GB minimum)
• Click on [Finish]

2. Create a storage pool for ISO Files

• In the virt-manager storage tab, click on [+] in the bottom left corner as seen previously
• Fill out the Name and Type of the storage pool and specify the ISO files location (we put them
earlier in /u01/sources/av)
• Click on [Finish]
• Select the new Storage Pool to see all the ISO files


3. Create a KVM guest instance

KVM can be managed through command-line or graphical tools; the focus here is on the GUI
tools. Use VNC to connect to the OCI KVM hypervisor instance, then open gnome-terminal
and run the following command.

• Connect to the VM with VNC Viewer as ROOT
• Open virt-manager

virt-manager

• Choose File > New Virtual Machine
• Select “Local install media”
• Select the information based on the setup:
- Click “Browse” to select the first ISO file
- Uncheck “Automatically detect…” and choose Linux as “OS Type” and Oracle
Linux 7.6 minimum
• Choose Memory (8GB minimum) and CPU (2 minimum) settings based on the workload of the
services that will run on this KVM guest VM
• Select “Select or create custom storage” and put the qcow2 storage pool created earlier
• Fill out the Name and select "Customize Configuration before install"
• Expand “Network selection”, choose the ens5 device, and “Passthrough” as source mode
• Click on [Finish]
• Customize the configuration as follows:
- Click on the “NIC : …” entry and check that it is on ens5 and in "Passthrough" source mode.
Select “virtio” as Device model and add the MAC address of the OCI Secondary vNIC
(vNIC_Appliance) identified above.

As a reminder

- Click on “VirtIO Disk1” and select “SATA” as Disk bus
- Click on “IDE CDROM 1” and check that the source path is connected to the ISO file
• Click [Apply] and reboot the VM to apply the changes

4. Install Audit Vault


• Go back to the console: select “View” > “Console”
• Click [Begin Installation] in the top left corner

When the VM starts installing, it should detect the vNIC network device attached to the VM.
The VM installation takes about 1 hour. For more information, see Oracle AVDF installation.

• During the installation, you are prompted to mount Discs 2 and 3:
- Choose View > Details
- Open “IDE CDROM1” and click on [Disconnect] to disconnect Disc 1
- Click on [Connect] to specify the next ISO file path
- Select the ISO file


• Configure the Oracle AVDF installation passphrase (this passphrase is used for the initial login
to the Oracle AVDF web console).
• Select the Network Interface (make sure the MAC Address is correct)
• If it’s correct, validate the Network Interface
• Oracle AVDF network configuration: set up the IP address (provide the Private IP address of
the Secondary vNIC), Netmask (255.255.255.0) and Gateway IP address (10.0.0.1).
• When installation is complete, this screen appears to change settings if needed
• On the host VM instance open a web browser and type https://AVDF_VM_IP, where AVDF_VM_IP is
the private IP address of the Secondary vNIC assigned to the Oracle AVDF VM. The
browser opens the Oracle AVDF console. Use the installation passphrase to log in.

Note: You can access the AVDF console directly from the internet if you open port 443 in the security lists. In that case,
open a web browser and type https://AVDF_VM_IP, where AVDF_VM_IP is the public IP address of the Secondary vNIC (not
recommended, because of the risk of exposing your console on the internet).

• When prompted, set the Username and Password for the Administrator and Audit Manager.
Also when prompted, set the Repository Encryption password, Root password (root
privilege on the VM) and Support password (for SSH access to the VM).


• It is also important to configure the time on the Audit Vault Server instance using NTP
to keep time synchronized. Unsynchronized time between the Audit Vault Server and the targets
negatively affects the collection of database audit trails.
• Configure the VCN security lists to ensure that the Audit Vault Server is reachable from the targets
to be audited. Check the network connectivity between the Audit Vault Server and the targets
using ICMP ping. If all the previous steps were executed correctly, the Audit Vault Server and
the targets should be able to reach each other.

5. Create an NFS endpoint (optional)

Oracle Cloud Infrastructure File Storage service provides a durable, scalable, secure,
enterprise-grade network file system. You can connect to a File Storage service file system
from any bare metal, virtual machine, or container instance in your Virtual Cloud Network
(VCN). You can also access a file system from outside the VCN using Oracle Cloud
Infrastructure FastConnect and Internet Protocol security (IPSec) virtual private network (VPN).
The File Storage service supports the Network File System version 3.0 (NFSv3) protocol.
The service supports the Network Lock Manager (NLM) protocol for file locking functionality.
For more information, see OCI File Storage.

• Choose File Storage > File Systems
• Click [Create File Systems]
• Edit the details in the “File System Information” section to name the FS

Figure 12. File Systems details after the resource is created

• Click on the newly created NFS export available in the “Exports” section
• Click on “Mount Commands”
• Follow the instructions to mount the FS
▪ Configure Security List Rules to allow traffic to the mount target subnet
▪ Execute the command lines provided on the Audit Vault Instance


• Go back to the FS Console and click [Snapshots] to manage NFS backups

The File Storage service supports snapshots for data protection of your file system. Snapshots
are a consistent, point-in-time view of your file systems. Snapshots are copy-on-write and
scoped to the entire file system. You can take as many snapshots as you need.
Snapshots are accessible under the root directory of the file system at .snapshot/name.
For data protection, you can use rsync, tar, or another third-party tool that supports NFSv3 to
copy your data to a remote location, file system, or object storage. For more information, see
OCI Managing Snapshots.



CONFIGURING THE ORACLE AUDIT VAULT SERVER
This section provides instructions for deploying the Audit Vault Agent on DB/DBaaS instances
and collecting database audit trails in the Audit Vault Server. These instructions are intended
to get you started with using Oracle AVDF for auditing DB/DBaaS instances; they are not meant
to be comprehensive. For details about configuration options, see the comprehensive Oracle
AVDF documentation.

1. Deploy Audit Vault agents

a. Log in to the Oracle AVDF console as Administrator

b. On the Hosts tab, click [Agent] and download the agent.jar file

c. Copy the agent.jar file to the DB/DBaaS instance server

d. Set $AVDF_AGENT_HOME as the directory where the Audit Vault Agent will be installed.
The following command creates the $AVDF_AGENT_HOME directory and installs the
agent:
java -jar agent.jar -d $AVDF_AGENT_HOME

The following figure shows the $AVDF_AGENT_HOME (/home/oracle/avdf_agent) on a DB/DBaaS
instance (dbtest), and various files in the subdirectories. $AVDF_AGENT_HOME/bin/agentctl is the
script for enabling the agent.

2. Register the DB/DBaaS Instance in the Audit Vault Server

a. Verify that the database audit trail is enabled on the DB/DBaaS instance by
running the following command:
show parameter audit

The AUDIT_TRAIL parameter should have the value DB.

If AUDIT_TRAIL is set to NONE, perform the following steps:

o Connect to the database as SYS

o Use the following command to enable the audit trail:


ALTER SYSTEM SET AUDIT_TRAIL=DB SCOPE=SPFILE;

o Shut down and restart the database to activate the audit trail.

b. Because Oracle AVDF requires privileges to collect audit data from the database
and manage audit policies, you must create a user (audituser) with the
appropriate privileges. Oracle AVDF provides a PL/SQL script
(oracle_user_setup.sql) to configure audituser with the appropriate privileges.
The script is available at
$AVDF_AGENT_HOME/av/plugins/com.oracle.av.plugin.oracle/config

Run the following commands at the SQL prompt on the DB/DBaaS instance to
create the audituser user with the necessary privileges:
CREATE USER audituser IDENTIFIED BY <password>;

<password> is a strong password for audituser


CONNECT SYS AS SYSDBA

@oracle_user_setup.sql audituser SETUP

c. Log in to the Oracle AVDF console as Administrator

d. On the Hosts tab, click [Register]

e. Enter the DB/DBaaS instance name (DB_NAME) in the Host Name field, and the IP
address (DB_IP) in the Host IP field.

f. Click [Save]

A unique activation key is generated. Copy the activation key, which you will use in the
next section while installing the Audit Vault Agent. Note that the DB_NAME has no relation
to the ORACLE_SID of the database running on the DB/DBaaS instance and could be any
meaningful string.
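Step 2a above relies on reading AUDIT_TRAIL from the output of show parameter audit. The script below is an added example (not from the white paper or from Oracle) that parses that output, decides whether the database is writing its audit trail to the DB (what the DBAUD collector reads), and prints the remediation when it is not; AUDIT_TRAIL is a static parameter, so the change goes to the spfile and needs the restart the paper calls for. The SQL*Plus output embedded in SAMPLE_SHOW_PARAMETER is a constructed sample (the adump path is made up); live_check runs the real query when sqlplus is on the path and ORACLE_HOME and ORACLE_SID are set.

```shell
#!/bin/sh
# Added example, not from the white paper: check AUDIT_TRAIL on the target
# database and print the remediation when auditing is not written to the DB.

# Constructed sample of what "show parameter audit" prints on an instance
# where auditing is switched off (the adump path is made up for the demo).
SAMPLE_SHOW_PARAMETER='
NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /u01/app/oracle/admin/dbtest/adump
audit_sys_operations                 boolean     TRUE
audit_trail                          string      NONE
'

# audit_trail_value (show-parameter output on stdin) -> prints the VALUE column
# of the audit_trail row; values such as "DB, EXTENDED" contain a space, so
# everything after the TYPE column is kept.
audit_trail_value() {
  awk '$1 == "audit_trail" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }'
}

# audit_trail_ok VALUE -> 0 when the trail is written to the database tables
audit_trail_ok() {
  case "$1" in
    DB|DB,*) return 0 ;;
    *)       return 1 ;;
  esac
}

# remediation VALUE -> prints the SQL to run as SYS, or nothing when compliant.
# AUDIT_TRAIL is static: it can only be changed in the spfile and takes effect
# after the shutdown/restart the white paper calls for.
remediation() {
  if audit_trail_ok "$1"; then
    return 0
  fi
  printf '%s\n' \
    "-- AUDIT_TRAIL is currently '$1'" \
    'ALTER SYSTEM SET AUDIT_TRAIL=DB SCOPE=SPFILE;' \
    '-- then: SHUTDOWN IMMEDIATE; STARTUP;'
}

# live_check -> queries the local instance as SYSDBA; exit status is the
# compliance result (0 = DB, 1 = needs change, 2 = sqlplus not available)
live_check() {
  command -v sqlplus >/dev/null 2>&1 || { echo "sqlplus not found" >&2; return 2; }
  v=$(printf 'SHOW PARAMETER audit\nEXIT\n' | sqlplus -S / as sysdba | audit_trail_value)
  echo "AUDIT_TRAIL=$v"
  remediation "$v"
  audit_trail_ok "$v"
}

# run with --demo to see the decision taken on the constructed sample
if [ "${1:-}" = "--demo" ]; then
  v=$(printf '%s\n' "$SAMPLE_SHOW_PARAMETER" | audit_trail_value)
  echo "AUDIT_TRAIL=$v"
  remediation "$v"
fi
```

The check accepts DB and DB, EXTENDED; OS and XML trails are not what the TABLE audit trail configured later in this section collects, so they are reported as needing change.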

3. Start the Audit Vault Agent on the DB/DBaaS Instance

a. On the DB/DBaaS instance, go to the $AVDF_AGENT_HOME directory, and run the
following command:
./agentctl start -k

b. When prompted for the agent activation key, provide the activation key that you
copied from the Oracle AVDF console. The activation key is available in the Hosts
tab when you log in to the console as Administrator.

c. To verify that the Audit Vault Agent was successfully activated and is running,
check the Agent Status on the Hosts tab in Oracle AVDF console (after logging
in as administrator). The status should say Running with a green dot. In addition,
the DB_NAME and DB_IP values should be listed in the Host Name and Host IP
columns. The following figure shows the status of the agent, the DB host name
(dbtest), and the IP address (10.0.0.13).

4. Configure the DB/DBaaS Instance as an Oracle AVDF Secured Target

a. On the DB/DBaaS instance, go to the $ORACLE_HOME/network/admin/tnsnames.ora file,
and copy the value of the SERVICE_NAME parameter.

b. Log in to the Oracle AVDF console as administrator.

c. On the Secured Targets tab, click [Register].

d. Enter the following values in the fields and then click Save:

o New Secured Target Name: ORACLE_SID (SID of the DB/DBaaS instance database to be audited)

o Secured Target Type: Oracle Database

o Host Name/IP Address: DB_IP

o Protocol: TCP

o Port: 1521

o Service Name: SERVICE_NAME parameter value copied in step a above

o User Name: audituser

o Password: <audituser_password>
(password created for audituser in a previous step)

Note: It is important to synchronize the time on the Audit Vault Server and secured targets (DB/DBaaS instances,
in this case) by using the NTP server. Unsynchronized time negatively affects audit trail collection.

5. Configure the Unified Audit Trail (recommended)

Starting with Oracle Database 12c, all the audit trails (SYS.AUD$, SYS.FGA_LOG$, DVSYS.AUDIT_TRAIL$,
and so on) have been unified into a single view, SYS.UNIFIED_AUDIT_TRAIL. With this, audit tools such as
Oracle AVDF can analyze the entire set of audit data in one location, rather than having to gather it
from several separate trails. A new schema, AUDSYS, is used for storing the unified audit data. The
following figure shows the high-level operation of Oracle Unified Audit:

Figure 13. Unified Audit in Oracle 19c

For better separation of duties, two new database roles are available for auditing:
AUDIT_ADMIN for managing the database audit configuration, and AUDIT_VIEWER for viewing
audit trails only. For more information about Oracle Unified Audit, refer to the Unified Audit
documentation.

6. Configure the Audit Trail in Oracle AVDF (if you don’t use Unified Auditing)

a. Log in to the Oracle AVDF console as administrator.

b. On the Secured Targets tab, click Audit Trails under Monitoring in the left-
hand pane, and then click [Add].

c. Enter the following values in the fields and then click [Save]:

o Audit Trail Type: TABLE

o Collection Host: DB_NAME

o Secured Target: ORACLE_SID (provided during secured target configuration)

o Trail Location: sys.aud$

7. Provision Database Audit Policies

You can provision audit policies in the database from the Audit Vault Server. Provisioning new
policies and modifying existing ones requires auditor user privileges.

a. Log in to the Oracle AVDF console as auditor

b. On the Policy tab, select the secured target for which you want to create policies.
The console shows all the audit policies. The following figure shows audit policies
for the dbtest secured target.

Note: The following steps show an example of adding a statement audit policy, but the steps are generic
and can be used for any audit policy.

c. To add an audit policy for statements, click Statement in the Audit Type column,
and then click [Create]. Define the audit policy.

The following figure shows an example audit policy AUDIT ALL STATEMENTS
BY DBA_DEBRA BY ACCESS for the secured target dbtest:

d. Go to the Secured Target pane, select Statement and then click [Provision].

e. Select the Provision option and provide the Secured Target database User
Name (audituser) and Password (<audituser_password>). Then click
[Provision].

8. Monitor Database Activity in Oracle Audit Vault

Continuing from the previous example, all the SQL statements by user DBA_DEBRA on the
dbtest secured target running on the DB/DBaaS instance are audited by the Audit Vault Server.
You can view all the activity in the Oracle AVDF console.

a. Log in to the Oracle AVDF console as auditor

b. On the Report tab, click [All Activity]


The following figure shows all statements issued by the DBA_DEBRA user on the dbtest
secured target. Timestamp, status, user, SQL command, and other information are shown for
each activity.

ORACLE DATABASE AUDITING AND ORACLE AVDF BEST PRACTICES

Use the following best practices for Oracle Database security and compliance auditing with
Oracle AVDF.

Use VCN Security Lists to Firewall the Oracle AVDF VM

You can use VCN security lists to allow network connections to the Oracle AVDF VM only from
authorized database instances in the VCN.

Know the Performance Impact of Auditing on the DBaaS Instance

Audit Vault Agents run on the DBaaS instance to read Oracle Database audit trails and copy
records to the Audit Vault Server. Oracle AVDF employs the following collectors:
• DBAUD (to read from database audit tables)

• OSAUD (to read from OS files)

• REDO (to read REDO logs)


The more events collected by the agents, the greater the load on the DBaaS instance. In
general, collecting 100 audit records per second imposes about 2-3 percent CPU overhead for
DBAUD and OSAUD, and about 6 percent overhead for REDO. This collector overhead does
not include the performance overhead imposed by standard auditing and FGA.
The more events audited per second, the greater the performance overhead. So, we
recommend caution in deciding which events to audit.

Know Your Audit Vault Server Storage Requirements

Audit records consume space on the Audit Vault Server. On average, one million audit records
require about 900 MB of disk space. Depending on the number of audit records generated per
day and their retention period, it is necessary to allocate enough disk space (both block volume
and Oracle AVDF virtual disk sizes). Failure to provision an appropriate-sized disk could lead
to an Oracle AVDF VM crash and loss of all collected audit records.

Archive Audit Records to Oracle Cloud Infrastructure Object Storage

We recommend setting up periodic archiving of Oracle AVDF audit records to your Oracle
Cloud Infrastructure Object Storage bucket. Oracle AVDF allows archiving using SCP (secure
copy) to an IP-addressable host (among other options such as NFS). We recommend archiving
Oracle AVDF audit records on the BYOH VM host and transferring them by using a script from
the VM host to your Object Storage bucket. Refer to the Oracle AVDF documentation for more
information about setting up periodic archiving.
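The paragraph above recommends letting the appliance archive over SCP to the BYOH host and then moving the files to Object Storage with a script. The script below is an added example (not from the white paper or from Oracle) of that second hop using the OCI CLI: it uploads every archive file that is not yet in the bucket, keeps a SHA-256 manifest on the host so a restored archive can be checked, and is safe to rerun from cron because objects that already exist are skipped. ARCHIVE_DIR, the bucket name and the object prefix are assumptions; the script expects the OCI CLI to be installed and authenticated on the host (instance principal or a config file) with only the object-write permissions the bucket needs.

```shell
#!/bin/sh
# Added example, not from the white paper: push Audit Vault archive files that
# the appliance delivered by SCP to an Object Storage bucket with the OCI CLI.
# ARCHIVE_DIR, BUCKET and PREFIX are assumed values for the demo.

ARCHIVE_DIR="${ARCHIVE_DIR:-/var/avdf/archive}"   # assumed: where the appliance's SCP lands
BUCKET="${BUCKET:-avdf-audit-archive}"             # assumed bucket name
PREFIX="${PREFIX:-avdf/}"                          # assumed object-name prefix

# object_exists BUCKET NAME -> 0 when the object is already in the bucket
object_exists() {
  oci os object head --bucket-name "$1" --name "$2" >/dev/null 2>&1
}

# upload_new ARCHIVE_DIR BUCKET PREFIX -> prints the object names it uploaded,
# one per line; appends "sha256  filename" to ARCHIVE_DIR/SHA256SUMS for each
upload_new() {
  dir="$1"; bucket="$2"; prefix="$3"
  manifest="$dir/SHA256SUMS"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    [ "$name" = "SHA256SUMS" ] && continue
    obj="$prefix$name"
    if object_exists "$bucket" "$obj"; then
      continue            # idempotent: a rerun never re-uploads an archive
    fi
    # hash before upload so the manifest describes exactly what was sent
    sum=$(sha256sum "$f" | awk '{print $1}')
    oci os object put --bucket-name "$bucket" --file "$f" --name "$obj" >/dev/null || {
      echo "upload failed: $obj" >&2
      return 1
    }
    printf '%s  %s\n' "$sum" "$name" >> "$manifest"
    echo "$obj"
  done
}

# run with --sync to upload from the configured directory
if [ "${1:-}" = "--sync" ]; then
  upload_new "$ARCHIVE_DIR" "$BUCKET" "$PREFIX"
fi
```

Pair the bucket with a retention rule and restrict the host's IAM policy to writing objects in that bucket only; a compromised host should not be able to delete the archived audit history it is uploading.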

Configure for High Availability

You can configure a pair of Audit Vault Servers, one as primary and one as secondary. Audit
records in the primary are automatically synchronized to the secondary. In the scenario
described in this paper, we recommend that primary and secondary Oracle AVDF VMs be
installed on two separate BYOH VM instances for maximum availability. Refer to the Oracle
AVDF documentation for a high-availability (HA) setup.

Enable SSH Access to the Audit Vault Server

SSH access is useful for troubleshooting and performing operational activities with the Oracle
AVDF VM, and we recommend enabling SSH access to the VM. In the Oracle AVDF console,
go into System settings and enable SSH access to the Oracle AVDF VM from the host VM
instance. After this step, you can log in to the Oracle AVDF VM from the host VM instance by
using ssh support@AVDF_VM_IP.

CONCLUSION

This white paper presents a solution for deploying Oracle Audit Vault and Database Firewall
on Oracle Cloud Infrastructure for auditing Oracle Cloud Infrastructure DB/DBaaS instances
for improved security and compliance. Along with Oracle Cloud Infrastructure DB/DBaaS API
audit logs, the Oracle AVDF auditing provides comprehensive audit logging and monitoring
capability for DB/DBaaS instances. This customer-managed solution requires customers to
deploy a BYOH on their VM instance in order to run the Oracle AVDF security appliance.

FAQ

Why can’t the Oracle AVDF appliance be run directly on an Oracle Cloud Infrastructure
instance?

Oracle AVDF is built as a security appliance that includes auditing software packaged with an
Oracle Linux operating system. Installing Oracle AVDF requires wiping the boot disk and
installing the Oracle AVDF ISO. To install Oracle AVDF directly on Oracle Cloud Infrastructure
instances would require customizing the Oracle AVDF ISO to boot on Oracle Cloud
Infrastructure instances. At present, we do not have an Oracle AVDF ISO image available.

Is this a managed Oracle AVDF service?

This white paper enumerates a customer-managed solution to meet a customer’s critical
security and compliance requirements by using a proven product used on-premises by
enterprises. The customer is responsible for deploying and managing the Oracle AVDF
appliance in their VCN. Please contact Oracle Cloud Infrastructure to let us know your interest
in a managed Oracle AVDF service.

APPENDIX

Create Network Interface Using the vLAN Tag of the Secondary vNIC

1. Get the VF network device name (VF_DEVICE_NAME) from the output of the following command:

lspci -nn | grep -i virtual

For VF numbered VF_NUM, select the (VF_NUM+1) line number in the output.
For example, if VF_NUM is equal to 1, then pick the second line of the output. The port,
slot, and function number are listed in hexadecimal format, as the first field of the line.
For example, 13:10:2 denotes port number 19, slot number 16, and function number 2,
and the VF_DEVICE_NAME is enp19s16f2.

2. Bring up the VF network device:

ip link set VF_DEVICE_NAME down

ip link set VF_DEVICE_NAME up

3. Assign the VF network device to the vNIC vLAN:

ip link add link VF_DEVICE_NAME name VLAN_DEVICE_NAME type vlan id VNIC_VLAN_TAG

ip link set VLAN_DEVICE_NAME up
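The three appendix steps above pick a line of lspci output, convert the hexadecimal bus:slot.function triple into the predictable device name, and then run four ip link commands. The script below is an added example (not from the white paper or from Oracle) that does the conversion and generates the commands so the VLAN tag is validated before anything touches the network stack. The lspci lines in SAMPLE_LSPCI are a constructed, simplified sample; the VLAN device name and tag passed to vlan_commands are placeholders. Note one assumption: the script always appends the function number, as the paper's enp19s16f2 example does, whereas systemd omits f0 for a single-function device.

```shell
#!/bin/sh
# Added example, not from the white paper: derive the VF device name from the
# lspci bus:slot.function field and emit the ip link commands for the vNIC VLAN.

# Constructed, simplified sample of "lspci -nn | grep -i virtual" output;
# the first field is bus:slot.function in hexadecimal.
SAMPLE_LSPCI='13:10.0 Ethernet controller: Virtual Function (constructed)
13:10.1 Ethernet controller: Virtual Function (constructed)
13:10.2 Ethernet controller: Virtual Function (constructed)'

# vf_line LSPCI_OUTPUT VF_NUM -> prints line number VF_NUM+1, as the appendix describes
vf_line() {
  printf '%s\n' "$1" | sed -n "$(( $2 + 1 ))p"
}

# vf_device_name BDF -> prints enp<bus>s<slot>f<function> with the hex fields in
# decimal; accepts 13:10.2 (lspci form) or 13:10:2 (as written in the appendix).
# Assumption: the function suffix is always appended, matching the paper's example.
vf_device_name() {
  bdf=$(printf '%s' "$1" | tr '.' ':')
  bus=${bdf%%:*}; rest=${bdf#*:}
  slot=${rest%%:*}; fn=${rest#*:}
  printf 'enp%ds%df%d\n' "$(( 0x$bus ))" "$(( 0x$slot ))" "$(( 0x$fn ))"
}

# vlan_commands VF_DEVICE_NAME VLAN_DEVICE_NAME VLAN_TAG -> prints the appendix's
# four commands; pipe them to "sudo sh" once they look right. The tag is checked
# first so a typo cannot create a misnamed interface on the wrong VLAN.
vlan_commands() {
  vf="$1"; vlan="$2"; tag="$3"
  case "$tag" in
    ''|*[!0-9]*) echo "VLAN tag must be numeric: $tag" >&2; return 1 ;;
  esac
  if [ "$tag" -lt 1 ] || [ "$tag" -gt 4094 ]; then
    echo "VLAN tag out of range: $tag" >&2
    return 1
  fi
  printf '%s\n' \
    "ip link set $vf down" \
    "ip link set $vf up" \
    "ip link add link $vf name $vlan type vlan id $tag" \
    "ip link set $vlan up"
}

# run with --demo to see the commands for VF 2 of the sample on placeholder VLAN 100
if [ "${1:-}" = "--demo" ]; then
  bdf=$(vf_line "$SAMPLE_LSPCI" 2 | cut -d' ' -f1)
  vf=$(vf_device_name "$bdf")
  vlan_commands "$vf" "$vf.100" 100
fi
```

Run vf_line against the real lspci output rather than the sample, and confirm the resulting name exists under /sys/class/net before handing the commands to sh.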

ORACLE CORPORATION

Worldwide Headquarters
500 Oracle Parkway, Redwood Shores, CA 94065 USA
Worldwide Inquiries
TELE + 1.650.506.7000 + 1.800.ORACLE1
FAX + 1.650.506.7200
oracle.com

Copyright © 2019, Oracle and/or its affiliates. All rights reserved.