You are currently viewing How to Implement Oracle Audit Vault Database Firewall (AVDF) – Part 3

How to Implement Oracle Audit Vault Database Firewall (AVDF) – Part 3

Quick Recap

In the previous post on implementation, we were entering in the planning phase of implementation, the Implementation Architecture, Data Flow, Sizing and Topology, etc.,

In this post, we are getting our hands on the building the AVDF system brick by brick.

Implementation Phases

1. Build

    • Provision AVDF server, 
    • AVDF agent, 
    • GoldenGate Microservices host, 
    • Source DB prerequisites.

2. Configure

    • Create GoldenGate credential and extracts, 
    • Define XML trail directory, 
    • Configure AVDF transaction log audit trail and validate permissions.

3. Validate

    • Run EBS DML and test transactions,
    • Confirm XML generation,
    • AVDF ingestion,
    • Report visibility.

Download the AVDF Software from Oracle E-delivery

Login to https://edelivery.oracle.com with your oracle support credentials and search for “Oracle Audit Vault and Database Firewall”, in All Categories, choose Release and you’ll see the available versions to download select the required version, add to cart. Click on the cart icon and choose the required OS and download.

p3_dw_img1
p3_dw_img2

Installing Oracle Audit Vault or Database Firewall

For performing the installation, I would suggest following the Oracle documentation to perform on an on-prem environment / on an AWS / on an Oracle private cloud appliance.

https://docs.oracle.com/en/database/oracle/audit-vault-database-firewall/20/sigig/install.html#GUID-41F1370E-BAE5-4BBF-AD2E-153648D71088

If you still have any queries or doubts during the installation, feel free to reach out via Contact Page.

SSH user Creation and Configuration

Create a new user after the installation for login to Audit vault and Database firewall servers to perform action instead of root or any other seeded users.

Login in as root user and add new user to the existing support group

useradd -G support avdfusr

Set password the above created user

passwd avdfusr

Edit the sudoers file and add the below line to allow the user

visudo

%wheel ALL=(ALL) ALL

Modify the usergroup

usermod -aG wheel avdfusr

Validation

Switch user to the newly created user

su – avdfusr

Verify the user status

groups

sudo whoami

Audit Vault Server Post Installation Steps

Perform the below activities to complete the Audit Vault server post installation steps

Accessing Audit Vault (AV) console

Once the installation is completed, enter the URL https://<ip_address>/console

Login as with root password

p3_av_con

Once logged in, you’ll be prompted for setting the username and passwords for Super Administrator, Super Auditor and Audit Vault Database Encryption

p3_av_con1

Enter desired details and save to proceed with logging into the audit vault console.

p3_av_con2
p3_av_con4

Note: DNS Setup will be done in later steps

Login with the above created details

p3_av_con5

Login as AVADMIN and Create Additional Admin User

Login as AVADMIN and create additional super administrator user to avoid lockout of administrator access in AVDF
p3_av_adm_addn
p3_av_adm_addn1

Navigate to Settings -> Manage Admins -> Add

p3_av_adm_addn2
p3_av_adm_addn3
p3_av_adm_addn4

Login as AVAUDITOR and Create Additional Auditor User

Login as AVAUDITOR and create additional super auditor user to avoid lockout of auditor access in AVDF
 
Navigate to Settings -> Manage Auditors -> Add
p3_av_aud_addn
p3_av_aud_addn1
p3_av_aud_addn2

Verify/Change Time Zone

Login as AVADMIN and navigate as below.

p3_v_tz
p3_v_tz1

Verify AVDF Certificates

Login as AVADMIN, navigate to Settings -> Certificates and review the valid until for CA Certificate and Service Certificates.

p3_v_cert

Network Connectivity Validation between AV, DF servers and Target servers

Verify the network connectivity between audit vault, database firewall and target servers.

Note: If using only Audit vault server for implementation check the connectivity between AV and target servers

Login to the AV/DF/Target servers and issue the below command and verify the connectivity

ping 172.x.x.x

Database Firewall Server Post Installation Steps

Perform the below activities to complete the Database Firewall server post installation steps. This is completely optional if you’re implementing only Audit Vault.

Database Firewall Registration

This step is required only if database firewall is also implemented, for only audit vault implementations skip this step.

Register Database Firewall with Audit Vault Server

Login to the Audit Vault server console as AVADMIN

Click the Settings tab –> click the Security tab, click the Certificate tab –> then Server Certificate –> in the server certificate –> Copy Certificate

p3_df_regn

Login as root user in Database Firewall server using SSH

  • Create a file(/tmp/ca.cert)
  • Execute the config-avs script providing the IP Address of the Audit Vault server and the location of the certificate file.

cd /opt/avdf/config-utils/bin
./config-avs show
./config-avs set avs=primary address=<IP address of Audit Vault Server> certificate=/tmp/ca.cert
./config-avs show

p3_df_reg1n
p3_df_reg2
p3_df_reg3n
p3_df_reg4

In the AVDF console as AVADMIN, Click on the Database Firewall tab

Click on Register option to register the Database Firewall. Enter the details and click Register

Name: Database Firewall

IP: 172.x.x.2x

p3_df_reg5
p3_df_reg6

Validate Database Firewall Setup

Validate the database firewall setup performed in the previous steps.
Login as AVADMIN, navigate to Database Firewalls -> Database Firewalls you’ll see the above registered firewall details, and status shows green (meaning active).
p3_df_reg7

Update Audit Vault and Database Firewall Servers Host Name

Changing the hostnames of the audit vault and database firewall servers is required as the hostnames after installation will have avs/dfw followed by random generated characters.

Changing Audit Vault Server Host Name

Login AV Console as AVADMIN -> Settings -> System -> Network Settings -> Enter Hostname of AV Server -> <host>.<domain>.com

p3_chg_av_host
p3_chg_av_host1

Note: Changing the hostname and saving will stop the services and reboot the server during this time AVDF console will not be accessible

p3_chg_av_host2
p3_chg_av_host3
p3_chg_av_host4
p3_chg_av_host5

After some time, the AVDF console will be available for access.

Verification of hostname change in Server level through SSH

Before:

p3_chg_av_host_bfr

After:

p3_chg_av_host_afrn

Validate the Services after Reboot

It is essential to verify the services after reboot of server, use below commands to validate the services through SSH.

systemctl status
systemctl status dbfwdb
systemctl status dbfwlistener
systemctl status monitor
systemctl status asmdb
systemctl status controller
systemctl status ords
systemctl status javafwk
systemctl status rsyslog

Changing Database Firewall Server Host Name

Login AV Console as AVADMIN -> Click Database Firewalls -> Click Database Firewall -> <host>.<domain>.com -> Save

p3_chg_df_host
p3_chg_df_host1

Change the desired hostname in the Host Name section and Save

p3_chg_df_host2
p3_chg_df_host3
p3_chg_df_host4

Note: Unlike AV server, DF server hostname change will not stop the access to AVDF console but the DF server will restart.

Verification of hostname change in Server level through SSH

Before:

p3_chg_df_host_bfr

After:

p3_chg_df_host_aftrn

Validate the Services after Reboot

It is essential to verify the services after reboot of server, use below commands to validate the services through SSH.

systemctl status

Audit Vault Server DNS Server Configuration

Gather the DNS information from the network team and follow the below steps to update in the Audit Vault server.
 
The Audit Vault Server DNS servers are used to resolve any host names that Audit Vault Server might use.
 
Note: Set the Audit Vault Server DNS server values only if the network has DNS servers, otherwise system performance will be impaired.
 

Enter the IP addresses of up to three DNS servers on the network in the Server 1Server 2, and Server 3 fields.

Leave the fields blank if there are no DNS servers and click Save.

To Be Continued . . . 

In next post, we’ll be diving into the hands-on Target Parameter Changes, Deploying Audit Vault Agent, GoldenGate MAA Installation and Configurations, etc.,