Table of Contents
ToggleQuick Recap
In the previous post on AVDF implementation, we have initiated the building planning phase of AVDF implementation. Downloading AVDF software, Installing the Audit Vault and Database Firewall, SSH user creation, Post Installation steps for Audit Vault and Database Firewall and Updating the Host Names, etc.,
In this post, we are moving towards building the AVDF system to the next milestone.
Target Database Parameter Changes
Target system is the source system from where the information is required to be collected for Auditing or to be stored in AVDF system.
Identifying the Target System is a key action for the AVDF implementation, there are certain changes to be performed at the database level to retrieve the information required.
For this process, some parameters are required for Oracle GoldenGate to fetch the details from the source system.
Considering the widely used 19c DB as the Target DB for this scenario.
Review details in Target Database
show parameter compatible
show parameter audit_trail
show parameter enable_goldengate_replication
show parameter streams_pool_size
archive log list;
show parameter log_archive_dest_1
col name for a10 col force_logging for a13 select name, log_mode, open_mode, force_logging, supplemental_log_data_min from v$database;
col name for a30
col value for a15
select name,VALUE,ISSYS_MODIFIABLE from v$PARAMETER where name in ('enable_goldengate_replication','streams_pool_size','audit_trail');
Perform the changes
As required update the required parameters.
To enable archivelog mode in the database
Check current archive status
Deploying Audit Vault Agent
Create directories for AVDF in GoldenGate Server
In this scenario, using the golden gate server for AVDF agent deployment and GoldenGate XML caputre.
Follow the previous posts, to create the OS user in GoldenGate server, once done follow the below steps.
su – oragg
id
ls -ltr
df -h
mkdir -p AVDFAGENT/avdf_home
mkdir -p AVDFAGENT/scripts/logs
ls -ltr
cd AVDFAGENT/
ls -ltr
cd scripts/
ls -ltr
pwd
Download Java and Export Java Path
Download the supported java for the OS and move to a location in the server.
pwd
ls -ltr
mkdir java_home
cd java_home
tar -zxvf jre-8u471-linux-x64.tar.gz &
ls -ltr
cd jre1.8.0_471
mv * ../
ls -ltr
cd ..
ls -ltr
Verify the Java details
echo $PATH
export PATH=/home/oragg/java_home/bin:$PATH
echo $PATH
which java
java -version
Copy agent.jar to Target location
cd /home/oragg/AVDFAGENT/avdf_home
ls -ltr
Deploy Audit Vault Agent
java -jar agent.jar -d /home/oragg/AVDFAGENT/avdf_home
ls -ltr
ps -ef |grep agent
cd bin
ls -ltr
Register Audit Vault Agent in AV Console
Navigate: Login AV admin -> Agents -> Register -> Enter Name & IP Address -> Save
Activate Audit Vault Agent in Target
pwd
ls -ltr
hostname
./agentctl start -k
Verify Audit Vault Agent Status
./agentctl status
pwd
ps -ef |grep agent
Implement Agent Start and Stop Scripts
Instead of manually navigating and performing start and stop activities of the agent, below script is created and used for these actions.
cd /home/oragg/AVDFAGENT/scripts
ls -ltr
Stop script
vi stopAgent.sh
export PATH=/home/oragg/java_home/bin:$PATH export AGENT_BASE=/home/oragg/AVDFAGENT export AGENT_HOME=$AGENT_BASE/avdf_home export LOG_FILE=$AGENT_BASE/scripts/logs/agent_status.log cd $AGENT_HOME/bin date >> $LOG_FILE ./agentctl stop >> $LOG_FILE sleep 15 ./agentctl status >> $LOG_FILE date >> $LOG_FILE
cat stopAgent.sh
ps -ef |grep agent
sh stopAgent.sh
ps -ef |grep agent
cd logs
ls -ltr
cat agent_status.log
Start script
cd /home/oragg/AVDFAGENT/scripts
vi startAgent.sh
export PATH=/home/oragg/java_home/bin:$PATH export PATH=/home/oragg/java_home/bin:$PATH export AGENT_BASE=/home/oragg/AVDFAGENT export AGENT_HOME=$AGENT_BASE/avdf_home export LOG_FILE=$AGENT_BASE/scripts/logs/agent_status.log cd $AGENT_HOME/bin date >> $LOG_FILE ./agentctl status >> $LOG_FILE ./agentctl start >> $LOG_FILE ./agentctl status >> $LOG_FILE date >> $LOG_FILE
ls -ltr
cat startAgent.sh
ps -ef |grep agent
sh startAgent.sh
ps -ef |grep agent
cd logs
ls -ltr
cat agent_status.log
Deploying Host Monitor Agent in Target
The Host Monitor Agent captures SQL traffic from the network interface card of the host machine that is running the target database and securely forwards it the Database Firewall.
Validate Symlinks and Create if not exists
Use the below commands to validate the symlinks and create if not available in target server
ls -lrt /lib64/libcap* ls -lrt /lib64/libaio* ls -lrt /lib64/libnsl* ls -lrt /lib64/libpcap* ls -lrt /lib64/libssl* ls -lrt /lib64/libcrypto* ls -lrt /usr/lib/libcap* ls -lrt /usr/lib/libaio* ls -lrt /usr/lib/libnsl* ls -lrt /usr/lib/libpcap* ls -lrt /usr/lib/libssl* ls -lrt /usr/lib/libcrypto*
As root user:
ln -s /lib64/libpcap.so.1.5.3 /usr/lib/libpcap.so.1
ln -s /usr/lib/libpcap.so.1 /usr/lib/libpcap.so
Validate Package and Install if not exists
rpm -qa|grep cap rpm -qa|grep openssl rpm -qa|grep make rpm -q libcap rpm -q libcap-devel rpm -q libpcap rpm -q libpcap-devel rpm -q openssl rpm -q openssl-devel rpm -q make
Connect as root:
yum install libpcap-devel
yum install libcap-devel
yum install openssl-devel
Download Host Monitor Agent from AVDF Console
Navigate: Login AV Console as AVADMIN -> Downloads -> Name: Host Monitor (Platform required) -> Download
Copy and Extract Host Monitor Agent zip file to target server as root user
cd /usr/local
id
pwd
ls -lrt
du -sh agent-linux-x86-64-hmon-one.zip
unzip agent-linux-x86-64-hmon-one.zip
ls -lrt
Install Host Monitor Agent in Target server as root user
cd /usr/local/hm
pwd
./hostmonsetup install agentuser=avsagentdev agentgroup=dba
cd /oradb/TEST/avdf_base/avdf_agent
pwd
ls -lrt
ps -ef | grep avsagen
Post Install Activities
To get a Signed Certificate from the Audit Vault Server
- Transfer hmcsr.csr file to AVS Server as root User
- In target Oracle DB Server
ls -lrt /usr/local/hm/hmcsr.csr
scp -r /usr/local/hm/hmcsr.csr username@<AV_server_IP>:/home/avdev - In AVS Server
ls -lrt /home/avdev/hmcsr.csr
sudo su –
cp /home/avdev/hmcsr.csr /usr/local/dbfw/etc
cd /usr/local/dbfw/etc
ls -lrt /usr/local/dbfw/etc/hmcsr.csr
- In target Oracle DB Server
Generate a signed cert file in AVS Server as root user
cd /usr/local/dbfw/etc
ls -lrt hmcsr.csr
/usr/local/dbfw/bin/generate_casigned_hmcert.sh
ls -lrt /usr/local/dbfw/etc/hmcert.crt
ls -lrt /usr/local/dbfw/etc/hmprivkey.perm
Transfer Generated hmcert.crt file to Target DB Server as root user
- In AVS server
ls -lrt /usr/local/dbfw/etc/hmcert.crt
scp -r /usr/local/dbfw/etc/hmcert.crt root@<target_db_server_IP>:/usr/local/hm - In target Oracle DB Server
cd /usr/local/hm
ls -lrt hmcert.crt
To require a Signed Certificate for Host Monitor Connections to the Database Firewall Server as root user
cp /usr/local/dbfw/etc/controller.crt /usr/local/dbfw/etc/fw_ca.crt
chown arbiter:arbiter /usr/local/dbfw/etc/fw_ca.crt
chmod 400 /usr/local/dbfw/etc/fw_ca.crt
systemctl status monitor
systemctl restart monitor
systemctl status monitor
Verify Host Monitor Agent Status
Navigate: Login AV admin -> Agents -> Host Monitor Agent Status ‘Installed’
To Be Continued . . .
In next post, we’ll be diving into the hands-on AV Target Configuration, Verification and Validation of Transaction Log Audit Trails retrieval, DF Target Configuration and User-defined Database Firewall Policies, etc.,

