
Wednesday, May 29, 2019

How to install Audit Vault Agent to collect audit data from an Oracle Database

Downloading JDK for the Agent

The Agent requires at least JDK version 1.8.

In this case, I am downloading "Linux x64 - jdk-8u211-linux-x64.tar.gz":


If the server where you are installing the Agent already has Java 1.8, you don’t have to do these steps. In my case, the Oracle database home has only Java 1.6, which is why I have to install Java 1.8 in a different Java Home for the agent:

[oracle@db12c ~]$ /u01/app/oracle/product/12.1.0/db1/jdk/bin/java -version
java version "1.6.0_75"
Java(TM) SE Runtime Environment (build 1.6.0_75-b13)
Java HotSpot(TM) 64-Bit Server VM (build 20.75-b01, mixed mode)
[oracle@db12c ~]$

Transfer the Java tar file to the database server where Java will be installed:

[root@db12c ~]# pwd
/root
[root@db12c ~]# ls -ltr jdk-8u211-linux-x64.tar.gz
-rw-r--r-- 1 root root 194990602 Jun 18 08:20 jdk-8u211-linux-x64.tar.gz
[root@db12c ~]# mkdir -p /usr/java/
[root@db12c ~]# cd /usr/java/
[root@db12c java]# mv /root/jdk-8u211-linux-x64.tar.gz .
[root@db12c java]# tar zxvf jdk-8u211-linux-x64.tar.gz

[root@db12c java]# ls
jdk1.8.0_211  jdk-8u211-linux-x64.tar.gz
[root@db12c java]# rm -rf jdk-8u211-linux-x64.tar.gz
[root@db12c java]# ls
jdk1.8.0_211
[root@db12c java]#

Checking the version of the JDK:

[oracle@db12c ~]$ /usr/java/jdk1.8.0_211/bin/java -version
java version "1.8.0_211"
Java(TM) SE Runtime Environment (build 1.8.0_211-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.211-b12, mixed mode)

[oracle@db12c ~]$
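The steps above extract a downloaded archive as root and then check the Java version by eye. The following script is an added example, not part of the original article: it refuses to extract the tarball unless its SHA-256 matches the value published on the download page, and it checks that the resulting JDK meets the Agent's 1.8 minimum. The checksum is a placeholder and the function and script names are hypothetical; the paths are the ones used in this article.

```shell
#!/usr/bin/env bash
# Added example: gate the JDK install on archive integrity and Java version.

# True only if FILE's SHA-256 equals EXPECTED (hex, any case).
sha256_matches() {
    local file=$1 expected actual
    [ -f "$file" ] && [ -n "$2" ] || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Print the feature release (6, 8, 11, ...) from the first line of
# `java -version`; handles both the "1.8.0_211" and the "11.0.2" schemes.
java_feature_version() {
    local v
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9._]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    case $v in
        1.*) v=${v#1.}; echo "${v%%.*}" ;;
        *)   echo "${v%%[._]*}" ;;
    esac
}

# True if the JDK under JAVA_HOME ($1) satisfies the Agent's 1.8 minimum.
java_ok_for_agent() {
    local line feat
    line=$("$1/bin/java" -version 2>&1 | head -n 1)
    feat=$(java_feature_version "$line") || return 1
    [ "$feat" -ge 8 ]
}

# Run as root: bash jdk_gate.sh install   (script name is hypothetical)
if [ "${1:-}" = "install" ]; then
    tarball=/root/jdk-8u211-linux-x64.tar.gz              # path from the article
    expected="<SHA-256 published on the download page>"   # placeholder, not a real value
    sha256_matches "$tarball" "$expected" || { echo "checksum mismatch: not extracting" >&2; exit 1; }
    mkdir -p /usr/java && tar -xzf "$tarball" -C /usr/java
    java_ok_for_agent /usr/java/jdk1.8.0_211 || { echo "JDK is older than 1.8" >&2; exit 1; }
    echo "JDK verified and ready for the Agent"
fi
```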



Registering the Host in Oracle Audit Vault

Log in to Oracle Audit Vault:



Click the “Hosts” menu.

In the “Hosts” tab, click “Register”.



Enter the hostname of the Database Server that will be monitored by Oracle Audit Vault.
Enter the IP address of the Database Server that will be monitored by Oracle Audit Vault.

Click the “Save” button.


Verify that the Host was added successfully.

Copy the “Agent Activation Key” because it will be used later in this article to activate the agent.





Downloading the Agent Jar File from Audit Vault Server

Log in to the Oracle Audit Vault Server.



Click the "Hosts" menu.
Click the "Hosts" tab.
Click "Agent": the Agent and host monitor files are listed.
Click the "Download" button next to the Agent file, and then save the "agent.jar" file on your machine. In this case, "Agent Release 12.2.0.10.0".




Transfer the agent jar to the database server:

[oracle@db12c ~]$ pwd
/home/oracle
[oracle@db12c ~]$ ls -ltr agent.jar
-rw-r--r-- 1 oracle oinstall 30296508 Jun 18 08:12 agent.jar
[oracle@db12c ~]$


[oracle@db12c ~]$ export JAVA_HOME=/usr/java/jdk1.8.0_211
[oracle@db12c ~]$ export PATH=$JAVA_HOME/bin:$PATH
[oracle@db12c ~]$ java -jar agent.jar -d /u01/app/



Install the Agent:


Check connectivity from Database server to the Oracle Audit Vault:

[oracle@db12c ~]$ ping 192.168.56.20
PING 192.168.56.20 (192.168.56.20) 56(84) bytes of data.
64 bytes from 192.168.56.20: icmp_seq=1 ttl=64 time=0.195 ms
64 bytes from 192.168.56.20: icmp_seq=2 ttl=64 time=0.310 ms
64 bytes from 192.168.56.20: icmp_seq=3 ttl=64 time=0.353 ms
^C
--- 192.168.56.20 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.195/0.286/0.353/0.066 ms
[oracle@db12c ~]$


Check connectivity from the Oracle Audit Vault to the Database Server:

login as: support
support@192.168.56.20's password:
Last login: Thu Jun 13 13:27:30 2019 from 192.168.56.1

[support@avs08002778ad2b ~]$ su -
Password:
Last login: Thu Jun 13 13:27:33 UTC 2019 on pts/0
[root@avs08002778ad2b ~]# ping 192.168.56.30
PING 192.168.56.30 (192.168.56.30) 56(84) bytes of data.
64 bytes from 192.168.56.30: icmp_seq=1 ttl=64 time=0.355 ms
64 bytes from 192.168.56.30: icmp_seq=2 ttl=64 time=0.435 ms
64 bytes from 192.168.56.30: icmp_seq=3 ttl=64 time=0.318 ms
64 bytes from 192.168.56.30: icmp_seq=4 ttl=64 time=0.239 ms
^C
--- 192.168.56.30 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 0.239/0.336/0.435/0.074 ms
[root@avs08002778ad2b ~]#

Create the Agent Home:

mkdir -p /u01/app/av_agent_12c

Move the agent jar file to the new Agent Home:

[oracle@db12c ~]$ mv /home/oracle/agent.jar /u01/app/av_agent_12c

Install the agent:

[oracle@db12c ~]$ cd /u01/app/av_agent_12c/
[oracle@db12c av_agent_12c]$ java -jar agent.jar -d /u01/app/av_agent_12c/
[oracle@db12c av_agent_12c]$ java -jar agent.jar -d /u01/app/av_agent_12c/
Checking for updates...
Agent is updating. This operation may take a few minutes. Please wait...
Agent updated successfully.
Agent installed successfully.
If deploying hostmonitor please refer to product documentation for additional installation steps.
[oracle@db12c av_agent_12c]$

Activating the Agent:

To activate the agent you will need the “activation key” that was copied at the beginning of this article. I

[oracle@db12c av_agent_12c]$ bin/agentctl start -k
Enter Activation Key: --Enter here the Activation Key--
Agent started successfully.

[oracle@db12c av_agent_12c]$

In the Audit Vault Server web console:
Click the "Hosts" menu.
Click the "Hosts" tab.
Confirm that the agent status is now "Running".



Checking status of Audit Agent:

[oracle@db12c av_agent_12c]$ bin/agentctl status
Agent is running.
[oracle@db12c av_agent_12c]$

Stop Audit Agent:

[oracle@db12c av_agent_12c]$ bin/agentctl stop
Stopping Agent...
[oracle@db12c av_agent_12c]$

Start Audit Agent: the activation key is only required on the first start.

[oracle@db12c av_agent_12c]$ bin/agentctl start
Agent started successfully.
[oracle@db12c av_agent_12c]$


If you need to troubleshoot the Agent (database connection, etc.), the Agent log is located in $AGENT_HOME/av/log. In my case, it is "/u01/app/av_agent_12c/av/log/".



Registering an Oracle Database in Oracle Audit Vault Server to Collect Audit Data

Creating the Secured Target

In the Audit Vault Server web console:
Click "Secured Targets".
Click "Targets".
Click "Register".



Fill in the basic information of the Secured Target.
Fill in the section “Secured Target Location (For auditing)”.

Click the “Save” button.




Verify that the Secured Target was created successfully:



In the Audit Vault Server web console:
Click “Secured Targets”.
Click “Audit Trails” under the “Monitoring” section.

Click the “Add” button.


Enter the “Audit Trail Type”, “Collection Host”, “Secured Target” and “Trail Location” to collect audit data from the Secured Target.

Click the “Save” button.



Verify that the information for collecting audit data is correct. You will see that the Status is "Stopped"; that is normal, because the next step is to actually start it.


Select the Audit Trail and then click the "Start" button. Then click the "OK" button to confirm.


The Audit Trail Status will change to "Starting".
NOTE: The status doesn't refresh automatically; you will have to refresh it manually (F5, or click the "Audit Trails" menu).



After a few seconds the Status will be "Idle", which means it is waiting for the Database to generate more audit data to be collected.




Tuesday, May 28, 2019

How to register an Oracle Database Firewall in Oracle Database Audit Vault

Version of Oracle Database Firewall: 12.2.0.10.0
Version of Oracle Audit Vault: 12.2.0.10.0


Registering the Oracle Audit Vault Server in the new Oracle Database Firewall

Log in to Oracle Database Vault.
Click the “Settings” menu.
Click “Server Certificate”.
Copy the certificate.



Log in to Oracle Database Firewall.
Click “System”.
Click “Audit Vault Server”.
Enter the IP address of the Audit Vault Server.
Enter the certificate that was copied from the Audit Vault Server.

Click the “Apply” button.







Registering the new Oracle Database Firewall into the Oracle Audit Server


Log in to Oracle Audit Server.



Click the “Database Firewalls” menu, then “Database Firewalls”, and click the “Register” button.



Enter the name of the new Oracle Database Firewall and its IP address. Click the “Save” button.



Verify that the Secondary Oracle Database Firewall was added successfully



How to configure Oracle Database Firewall as Proxy in DPE mode

The version of Oracle Database Firewall for this article is: 12.2.0.10.0

IP of Oracle Database Firewall: 192.168.56.11
Port of Oracle Database Firewall: 5557

IP of the Database Server: 192.168.56.30
Port of the Database: 1521 (Default)


Registering Oracle Audit Vault Server in Oracle Database Firewall:

The first step is to configure Oracle Audit Vault Server to work with Oracle Database Firewall. To do so, we have to register the Oracle Audit Vault Server's certificate in Oracle Database Firewall.

Log in to the Oracle Audit Vault Server web console:



Click "Settings" -> "Security" menu -> "Server Certificate":

Copy the server's certificate:



Log in to the Oracle Database Firewall console.
Click the "System" menu -> "Audit Vault Server".
In the "Audit Vault Server 1 IP Address" field, enter the IP address of the Audit Vault Server.
Paste the Audit Vault Server's certificate in the "Audit Vault Server 1 Certificate" field.




Registering Oracle Database Firewall in Oracle Audit Server

Log in to the Oracle Audit Vault Server web console.
Click "Database Firewalls" -> "Settings".


Verify the Database Firewall was registered successfully:



Configuring Network Interfaces for Proxy in Oracle Database Firewall

Log in to the Oracle Database Firewall web console.
Click "System" -> "Network Configuration".
Click the "Change" button.


In this Oracle Database Firewall there are 3 network interfaces connected. The first one is used for "Management"; the other two are not used, which is why we see two unallocated network interfaces.

Under "Unallocated Network Interfaces", click "Device".
For the first interface, select "Traffic Proxy" and click the "Add" button.


Configuring the Proxy network interface:

Enter a correct IP address (a default is generated randomly).
Check "Enabled" under "Proxy 0".
Specify a port for the new Proxy and check "Enabled".
Click the "Add" button under "Traffic Proxies" -> "Proxy 0" -> "Proxy Ports".
Click the "Save" button.



Creating a Secured Target in Oracle Audit Vault Server

Log in to the Oracle Audit Vault Server.
Click "Secured Targets" -> "Targets" -> "Register" button.
Enter the basic information for the Secured Target.



Fill in only the section "Add Secured Target Addresses (For Firewall)" and leave the other sections empty ("Secured Target Location (For Auditing)" and "Collection Attributes").


Click the "Add" button under the "Add Secured Target Address (For Firewall)" section.



Confirm the Secured Target was created:




Configuring Enforcement Point in Oracle Audit Vault Server

Log in to the Oracle Audit Vault Server.
Click "Secured Targets" -> "Enforcement Points" and then click the "Create" button.
Fill in all the information required.

  • Specify a name for the Enforcement Point.
  • Select "Database Policy Enforcement (DPE)".
  • Select the Secured Target that was created before, in this case "db12".
  • Select the Firewall that was created before, in this case "dbfirewall".
  • Select the Proxy Interface that was created before, in this case "Proxy 0:5557".
Click the "Save" button.


Confirm the Enforcement Point was created successfully:




The Enforcement Point seems to be "Up", but for some reason the connections were failing using the IP and port of Oracle Database Firewall, as you can see below:

[oracle@db12c ~]$ sqlplus dgomez/dgomez@192.168.56.11:5557/orcl

SQL*Plus: Release 12.1.0.2.0 Production on Fri Jun 7 09:50:39 2019

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

ERROR:

ORA-12543: TNS:destination host unreachable

To fix it, I had to "start" the Enforcement Point manually, even if the state is "Up". After manually starting up the Enforcement Point, I was able to create sessions through the Oracle Database Firewall that was configured as Proxy:


[oracle@db12c ~]$ sqlplus dgomez/dgomez@192.168.56.11:5557/orcl

SQL*Plus: Release 12.1.0.2.0 Production on Fri Jun 7 09:55:10 2019

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Last Successful login time: Fri Jun 07 2019 09:54:59 -06:00

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics, Real Application Testing
and Unified Auditing options

SQL> show user
USER is "DGOMEZ"

SQL>
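The Enforcement Point above reported "Up" while the proxy port was not accepting sessions, and the earlier ping checks only prove ICMP reachability. The following probe is an added example, not part of the original article: it tests whether a TCP handshake actually completes on the proxy and database ports used in this article. The function names, the `probe` argument and the `PROBE_TIMEOUT` variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: TCP-level probe of the Database Firewall proxy path.

# Succeeds only if a TCP handshake with HOST:PORT completes within SECS.
tcp_open() {
    local host=$1 port=$2 secs=${3:-3}
    timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" \
        </dev/null >/dev/null 2>&1
}

# Reads "label host port" lines on stdin, prints one result per endpoint and
# returns the number of endpoints that did not accept a connection.
check_endpoints() {
    local label host port failed=0
    while read -r label host port; do
        [ -n "$port" ] || continue          # skip blank or incomplete lines
        if tcp_open "$host" "$port" "${PROBE_TIMEOUT:-3}"; then
            echo "OPEN    $label ($host:$port)"
        else
            echo "CLOSED  $label ($host:$port)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Run as: bash probe.sh probe   (addresses and ports are the ones in this article)
if [ "${1:-}" = "probe" ]; then
    check_endpoints <<'EOF'
dbfw-proxy  192.168.56.11 5557
database    192.168.56.30 1521
EOF
fi
```

Run it from a client host: the proxy port should be OPEN once the Enforcement Point is really started. Sessions that reach the database's own listener directly do not pass through the proxy, so an OPEN result for that endpoint from a client network is worth reviewing.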

Oracle ACE Director Award - Deiby Gómez

Thanks #OracleACE Program for this awesome certificate recognizing the work I have done in the community for the last year. Looking forwa...