Audit Vault and Database Firewall 12.1.2

Oracle has just released a new version of its Oracle Audit Vault and Database Firewall. The new release is immediately available on Oracle’s Software Delivery Cloud. It looks like Oracle added a bunch of enterprise-grade features such as iSCSI SAN disk and NFS storage support as well as syslog integration. Starting with this release, the Audit Vault repository is again protected by Database Vault.

The installation / update is done in the same manner as for the other versions of AVDF: download the ISO, reboot the AVDF server and initiate an upgrade. But be careful not to initiate an installation, as this would erase your system and data.

It is a bit unusual that the ISO image is split into two parts. They have to be merged prior to use.

  1. Unzip Images avs-installer-disc-12.1.2.0.0.iso00, avs-installer-disc-12.1.2.0.0.iso01
  2. Combine the two files to create a single .iso

Combine the two files to create a single .iso on Windows:

copy /b avs-installer-disc-12.1.2.0.0.iso00+avs-installer-disc-12.1.2.0.0.iso01 avs-installer-disc-12.1.2.0.0.iso

Combine the two files to create a single .iso on Linux:

cat avs-installer-disc-12.1.2.0.0.iso00 \
avs-installer-disc-12.1.2.0.0.iso01 > avs-installer-disc-12.1.2.0.0.iso
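
An added example (not from the original post or from Oracle): a small shell helper that merges the parts in the order given, rejects a missing or empty part, checks that the merged size equals the sum of the part sizes, and prints the SHA-256 of the result for comparison with a digest from the download site. The function names merge_iso and verify_iso are hypothetical, and the availability of a published digest is an assumption.

```shell
#!/bin/sh
# Added example; merge_iso and verify_iso are hypothetical helper names.

# merge_iso OUT PART...  Concatenate PARTs in the order given into OUT,
# refuse missing/empty parts, and check the merged size against the sum
# of the part sizes. Prints the SHA-256 of OUT on success.
merge_iso() {
    out=$1; shift
    [ "$#" -ge 2 ] || { echo "need at least two parts" >&2; return 2; }
    expected=0
    for part in "$@"; do
        [ -s "$part" ] || { echo "missing or empty part: $part" >&2; return 1; }
        expected=$((expected + $(wc -c < "$part")))
    done
    # Write to a temporary name so a failed merge never leaves a usable-looking ISO.
    tmp="$out.partial"
    cat "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    actual=$(wc -c < "$tmp")
    if [ "$actual" -ne "$expected" ]; then
        echo "size mismatch: got $actual, expected $expected" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
    sha256sum "$out" | cut -d' ' -f1
}

# verify_iso FILE EXPECTED_SHA256  Succeeds only if the digest matches.
verify_iso() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Run as: sh merge_iso.sh OUT.iso PART00 PART01
if [ "$#" -ge 3 ]; then
    merge_iso "$@"
fi
```

Pass the parts explicitly in order (iso00 before iso01); a reversed order produces a file of the correct size that only the digest comparison will catch.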

Oracle Audit Vault and Database Firewall 12.1.2 New Features

According to the Release Notes, the following features are available as of 12.1.2:

  • Configure the Audit Vault Server to use an external iSCSI SAN server to store the audit event repository and system data
  • The Audit Vault Agent is updated automatically when the Audit Vault Server is upgraded or a patch is applied
  • Store archive data in a Network File Share (NFS) location
  • Entitlement reports include data specific to Oracle Database 12c
  • Database Vault is automatically enabled and configured in the Oracle Database embedded in the Audit Vault Server. This further strengthens security by restricting privileged access to the Oracle Database for all users including those with administrative access
  • Password hashing has been upgraded to a more secure standard. Change your passwords after upgrade to take advantage of the more secure hash
  • The Audit Vault Agent deployment procedure has been simplified. Registering a host in the Audit Vault Server automatically generates an Agent activation key, and therefore, the step requesting Agent activation is no longer required
  • Adding and updating a secured target location has been simplified in the Audit Vault Server administrator console UI
  • Define policy alerts to be forwarded to syslog
  • Download diagnostics log files from the Audit Vault Server UI
  • The Audit Vault Agent is supported on 32-bit Linux and Windows platforms
  • Oracle Database 9i is supported for Database Firewall
  • MySQL 5.6 is supported on the Database Firewall
  • Migration Path to Migrate Oracle Audit Vault 10.3 to AVDF 12.1.2. See MOS Note 1666742.1


As soon as the download of the images is done, I’ll start to test the new release on my test AVDF Server. So stay tuned…

24 thoughts on “Audit Vault and Database Firewall 12.1.2”

  1. Firas

    Thanks for sharing that.
    Great news. I investigated the 12.1.1 version and did not like the inflexibility of choosing where to put database files and system configuration changes.

    I also was wondering if the upcoming upgrades/patches might wipe out any O.S. system local changes done by the servers team (like adding disks/mount points, installation of SAN drivers… etc.)… especially as we are talking here about a soft appliance that gets installed as an image (ISO).

    Cheers

  2. Stefan Oehrli Post author

    Hi

    I did not configure additional disks/mount points on my test system. But I’ve made a few changes in the configuration of SSH, sudo etc. This configuration has been wiped out by the upgrade. Changes such as increasing the swap space or resizing the SGA persist. It is definitely a good idea to create a backup of all custom changes before you upgrade.

    Cheers
    Stefan

  3. Firas

    Hi Stefan,

    I am trying to install AVDF 12.1.2 on HP hardware – on a Gen5 DL380 and later on a Gen8 DL380, which use devices that start with the string “cciss” followed by controller number, disk number and partition number.

    When I start the installation, I get the following error:

    Error Parsing Kickstart Config: “Specified non-existent disk cciss!c0d0 in partition command”

    Any ideas? (Already opened an SR with Oracle and waiting…)

    The ISO file is OK, as I tried it on VirtualBox and it went OK.

    The HP server has enough RAM and storage (500 GB). The minimum as per the AVDF 12.1.2 documentation is 130 GB.

    Thanks,
    Firas

  4. Stefan Oehrli Post author

    Hi Firas

    We have received the same error when installing on an HP Blade System with 1TB internal hard drive. I also had no problems with the installation of 12.1.2 in a VM. I’ll look at this issue in detail tomorrow.

    Cheers
    Stefan

  5. Firas

    Thanks Stefan.

    I will be awaiting your feedback and also will share any news with you as soon as I get some from Oracle Support.

    Cheers,
    Firas

  6. Stefan Oehrli Post author

    Hi

    I’ve looked into this issue. It seems that this is related to the driver of the HP Smart Array. There is a MOS Note describing this issue: 1587742.1 AVDF 12.1.1 Installation Fails On HP server with Smart Array Disk Controller. Unfortunately this solution does not work on 12.1.2 since there is no Terminal 2 (Alt-F2) available. Isolinux is configured to not show any shell.

    I’ve fixed my installation by recreating the AVS ISO image with an updated version of isolinux.cfg. My boot menu allows booting from another kickstart file. I’ll provide more information in a new blog post.

    Cheers
    Stefan

  7. Firas

    Thanks Stefan.

    I am looking forward to your next post about this solution.

    Cheers,
    Feras

  8. Firas

    Here is the Oracle Linux Hardware Certification List. The one I am trying with right now is Gen5, which is not supported according to this list. However, the hardware I am going to use soon, DL380p Gen8, is there and supported.
    Not sure, Stefan, which model you are trying with?

    Cheers,
    Firas

  9. Firas

    Hi Stefan,

    Do you reckon we also need to consider performance tuning of other parameters than the memory? E.g. what about processes which will affect sessions and transaction number?

    The Audit Vault best practices I have seen so far only talk about the disk space, memory and CPU# total calculations, but I have no clue about other performance parameters such as the no. of concurrent sessions… etc.

    Any ideas?

    Cheers,
    Firas

  10. Stefan Oehrli Post author

    Hi Firas

    It depends on what will be changed. We’ve increased the SGA on our system to use more memory. Other changes make future updates impossible, e.g. changing the disk layout / volume groups etc. We did have some performance issues in the past. After doing some investigations on our own we opened an SR to get some information / feedback from Oracle. During the SR the development team was involved as well. Since AVDF is a software appliance, performance issues must be considered individually, including a corresponding SR.

    Regards
    Stefan

  11. Stefan Oehrli Post author

    Hi

    We do have the issue on a BL465 Gen8 as well as on a DL380 Gen8. The workaround mentioned in MOS Note 1587742.1 did not work. I’ll do some other tests later tomorrow.

    Cheers
    Stefan

  12. Jeff

    Stefan: have you encountered any issues with the archiving feature? We cannot get archiving to work. We are currently in test and have set the retention period to 1 month online, 1 month archived – but there are never any “datafiles to be archived” in the Settings->Archive section when logged in as AVADMIN.

  13. Stefan Oehrli Post author

    Hi Jeff

    Yes, we did encounter some issues with archiving, but in general it does work. When I used archiving the first time it took me a while to get some datafiles to be archived. You have to make sure that you define an archive policy as AVAUDITOR with the retention period and assign it to a secure target. Afterwards load audit data for this secure target. Audit Vault does create different partitions and subpartitions based on secure targets and retention policy. An ILM job then handles the archiving. Under certain conditions it can happen that old data will never be archived.
    When testing archiving under 12.1.1.2 we defined a clean use case where we did the following:

    • Define the archive policy
    • Clean out the audit data in the database XYZ which will be used
    • Install AV Agent and configure a new secure target / audit trail for the DB XYZ
    • Assign the archive policy to the new secure target / audit trail
    • Define audit for the DB XYZ
    • Start the new audit trail and collect data for the next month
    • After a month plus 1 day you should see datafiles ready to be archived

    It is very laborious that there is no way to have shorter time windows. I know for the regular database ILM it is possible to “speed up” ILM for test purposes, but it is not for AVDF. Anyway, during our test we ran into a few other archiving issues and bugs which we will test as soon as we have fixed the 12.1.2 installation and setup problems. I’ll write a blog post about my archiving experiences.

    Regards
    Stefan

  14. Firas

    Hi Stefan,

    In AVDF 12.1.2, as you know, database files are shown in the ASM disk groups rather than directly in /var/lib/oracle as before.
    However, we have many local disks (NOT SAN) that we need to add to the EVENTDATA disk group. The interface as AVADMIN does not give the ability to add disks from the local server… only from SAN if configured!

    I can see that the AV server is using oracleasm behind the scenes. Not sure if it is a good idea to add them manually to EVENTDATA through ASM directly.

    I opened an SR with Oracle and will see how it goes.

    Appreciate your feedback on this if you encounter such an issue or a requirement.

    Cheers Stefan,
    Firas

  15. Stefan Oehrli Post author

    Hi Firas

    I have not yet found time to look more into the ASM setup of our AVDF server. We still struggle with our 12.1.2 setup. We now have some issues related to HP BL 465c / AMD and high IO waits. I’ll post later about this topic. Anyway, I just realized that there is quite a difference in how ASM is used if you upgrade from 12.1.1.3 or start with a new installation. I do have a bunch of questions for Oracle related to this topic.

    Adding additional storage via the web GUI is only possible with iSCSI. There is an Oracle internal MOS note which describes how to extend an LVM volume (1571631.1). I assume Oracle does have something similar for ASM.

    According to my understanding you have to extend the EVENTDATA directly through ASM.

    Regards
    Stefan

  16. Firas

    Hi Stefan,

    I can extend the EVENTDATA directly through ASM by presenting the local disks. However, Oracle mentioned in the current SR that you need to add that only through the GUI interface, which means you need to use “ADD DISK”, which relies on SAN disks only! I am struggling with that as well, as I told Oracle you cannot just tell us before to extend LVM for /var/lib/oracle using local disks and now tell us in the very new release… NO, YOU NEED TO USE SAN only!! This is really very frustrating… Let’s see how it goes. I will update you on what happens, and kindly let me know if you find out something about how to extend the EVENTDATA ASM disk group in a supported way using local disks, not SAN.

    Cheers,
    Firas

  17. Firas

    One more thing, Stefan, to share with you. Oracle has backup/restore scripts but those are designed to restore/recover on new hardware with a new install with the same version (Oracle Support Article 1556200).
    What if we need to restore/recover on the same machine in case of failures but the hardware is fine? Have you had a play with such a thing?

    Cheers,
    Firas

  18. Stefan Oehrli Post author

    Hi

    I’ve just played around with an early and buggy version of the scripts mentioned in note 1556200.1. I’ll soon do some tests with the new scripts. Theoretically you can do some restore/recovery operations with the backup created with the AVDF backup scripts. Unfortunately the early release did not back up the archive logs. Therefore it was only possible to restore / recover the full backup. But with the new ones it should work. I’ll try a few test cases with my backup/restore tests.

    Regards
    Stefan

  19. Firas

    Thanks Stefan. Please let me know how it goes in terms of the backup scripts and the ASM disk groups. You might have also noticed that if you upgrade from 12.1.1.3 to 12.1.2, the data files still reside in the /var/lib/oracle filesystem, while if you fresh install 12.1.2, the data files reside in ASM disks instead.

    Cheers,
    Firas

  20. Firas

    Hi Stefan,

    Just to update you that Oracle Support will publish a note soon on what needs to be done to extend the ASM disk groups from the command line but in a supported way. A bit of a relief for us 🙂

    Cheers,
    Firas

  21. Bilal

    Just attempted an upgrade from 12.1.1.3 to 12.1.2 on a VM using the rpm upgrade provided by Oracle Support. The upgrade was successful but I see issues with the Audit Vault login, which is giving “Error during rendering of region “Database Firewalls” ORA-04063: package body “MANAGEMENT.FW” has errors”. I logged in to the repository and see a bunch of invalid packages.

    I have a HA setup with 2-AV Servers and a single Firewall, FW has no issues and I can login with no issues. My previous upgrade from 12.1.1.0 to 12.1.1.3 back in March went very smooth.

    Thanks,
    Bilal

  22. Stefan Oehrli Post author

    Hi

    I could successfully migrate my AVDF VM from 12.1.1.3 to 12.1.2.1. But I have not configured HA, nor have I integrated a firewall. The MANAGEMENT.FW package seems to be used for the firewall management stuff. Have you tried to recompile the invalid objects yet? In the latest patch bundle Oracle mentioned a bug related to the firewall: Bug 18823169 : AFTER UPGRADE, THE DBFW CAN NOT COMMUCIATE WITH THE AVDF SERVER. So far I did not have the chance to verify this bug.

    Regards
    Stefan

  23. Bilal

    Hi,

    Thanks for the information. I looked at the bug information and there is not much information to confirm that I am hitting that bug. The workaround/solution in the bug is not very useful at this time and has to be done before the upgrade, but it is not very clearly documented.

    I have tried to compile the packages but they are wrapped and give a compilation error, and I cannot get any information on the error.

    I am testing the upgrade on a new VM install with one AV and FW setup, and if I hit the same issue, I will open an SR with Oracle, as I am not going to upgrade DEV and PROD until there is a solid fix for this issue.

    Regards,
    Bilal
