Oracle has just released a new major Release of its Oracle Audit Vault and Database Firewall. The new release is immediately available on Oracle’s Software Delivery Cloud. But the OTN website have not been updated. Beside the upgrade of the OS and embedded Oracle Database to 18.104.22.168, Oracle added a bunch of Enterprise-Grade Features. Starting with this Release all new installation will have Oracle Transparent Data Encryption enabled for the audit data.
A few first impressions:
- The AVDF Documentation has been improved. Beside more detailed setup and configuration information, there is now a concepts guide. The concept guide should be read definitely when planning a new AVDF deployment.
- The Hardware requirements are slightly increased. A minimum of 220GB disk space is a bit more than for the last release. This will definitely a challenge for my VM setup on my notebook.
- There are multiple ISO files to download. eg. for the AV Server, FW Server, Utility Files and a ISO with RPM’s for upgrading existing AVDF installations. I will analyze more closely how existing deployments can be upgraded.
Oracle Audit Vault and Database Firewall 12.2 New Features
According to the Release Notes, the following features are available as of 12.2:
- A backup and restore utility for the Audit Vault Server has been integrated into the product.
- Audit trails will automatically start when the Audit Vault Agent is restarted or when Oracle AVDF is upgraded.
- The AVCLI command line utility can be used non-interactively by storing an administrator’s credentials in the AVCLI wallet.
- You can adjust the number of Audit Vault Agent processing threads on a host to optimize performance.
- You can configure Oracle Database In-Memory to speed up reports.
- New (full) installations of Oracle AVDF 12.2 will have all audit data encrypted using Oracle Database Transparent Data Encryption (TDE).
- When new audit trails collect data that is older than limits set in the retention (archiving) policy, that data will be automatically archived according to the policy.
- You can change the certificate for the Audit Vault Server and Database Firewall Web UIs.
- You can register hosts with a host name or a domain name.
- You can change the logging levels of system components from the Web UI.
- You can unlock user accounts from the Web UI.
- New reports have been added including: the Oracle Database Vault report, summary reports, IRS compliance reports, and reports that correlate database audit events with OS users that used su or sudo to execute commands.
- In the Administrator’s Web UI, the Hosts tab has new Host Monitor details, and added Audit Vault Agent details.
- The Audit Vault Server’s high availability pairing UI has been improved for usability.
- Support for IBM AIX secured targets has been added.
- The Oracle AVDF auditor can create an alert syslog template.
- The Oracle AVDF auditor can set a schedule for retrieval of audit data and entitlements from Oracle Database.
- We have added Oracle Audit Vault and Database Firewall Concepts Guide to the documentation library.
Some links related to this post.
I’ll start to do some test with the new release of AVDF after the christmas time. So stay tuned…
End of last week, Oracle has released the second Bundle Patch for Audit Vault and Database Firewall 12.1.2. I’ve missed the release due to public holiday here in Switzerland. 🙂 The patch can be downloaded as usual on Oracle Metalink as Patchset 19190265 for existing installations or on Oracle eDelivery as full installation image for new installations. The installation image is split in two parts which need to be merged before use. A short description on how to merge the image can be found on my blog post about Audit Vault and Database Firewall 12.1.2.
According the readme, the Release 12.1.2 BP2 contains the July 2014 PSU 22.214.171.124.11 for the database as well several bug fix for the base platform. These include security and stability fixes to Java and the underlying Linux operating system. This is more or less similar to thelast bundle patch. What’s new, are the bug fix for the following bugs:
||WITH EXCESSIVE VALUE FOR RMEM_MAX, TRAFFIC MONITORING IS SILENTLY DISABLED
||INTEGRATE INTERFACE MASTERS NEW DRIVERS INTO THE PRODUCT
||AVDF SERVER FAILS TO INSTALL ON HP DL380 GEN8 WITH CCISS!C0D0 ERROR
||AFTER UPGRADE, THE DBFW CAN NOT COMMUCIATE WITH THE AVDF SERVER
||ERRORS RELATING TO ILM AND DISK METRICS SEEN IN ALERT LOGS
||NFS ARCHIVE JOB FAILS
||SUPPORT FOR NVARCHAR DATA TYPE IN TABLE EZCOLLECTOR
In particular, I am interested in bug 18940816. I’ve discussed this issues in my post about AVDF installation fails on HP server with Smart Array Disk Controller. To verify if this issue is successfully fixed, I’ll have to reinstall one of the HP BL465c Blades.
Some links related to the Audit Vault and Database Firewall:
Earlier today, Oracle has released the first Bundle Patch for Audit Vault and Database Firewall 12.1.2. The patch can be downloaded on Oracle Metalink as Patchset 18728905 for existing installations or on Oracle eDelivery as full installation image for new installations. The installation image is split in two parts which need to be merged before use. A short description on how to merge the image can be found on my blog post about Audit Vault and Database Firewall 12.1.2.
According the readme, the Release 12.1.2 BP1 contains the April 2014 PSU 126.96.36.199.10 for the database as well several bug fix for the base platform. These include security and stability fixes to Java and the underlying Linux operating system.
Before installing the bundle patch it is absolutely recommended, that you create a backup of the AVDF Installation and ensure that there is free space in the following Audit Vault Server partitions.
- 5 GB in /var/lib/oracle
- 5 GB in /var/tmp
- 4.5 GB in /root
The upgrade will fail, if the partitions does not have enough free space. The bundle patch readme describes the different upgrade scenarios. I’ll upgrade my AVDF 12.1.2 Test VM once the download of the 3GB bundle patch is finished.
Some links related to the Audit Vault and Database Firewall:
Oracle has just released a new Release of its Oracle Audit Vault and Database Firewall. The new release is immediately available on Oracle’s Software Delivery Cloud. It look’s like Oracle added a bunch of Enterprise-Grade Features like iSCSI SAN Disk, NFS Storage as well as SYSLOG integration. Starting with this Release, the Audit Vault Repository is again protected by Database Vault.
The installation / update is done in the same manner as the other versions AVDF. Download the ISO, reboot the AVDF server and initiate an upgrade. But be carefully to not initiate an installation. This would erase your system and data.
A bit unusual that the ISO image was split into two parts. They have to be merged prior to use.
- Unzip Images
- Combine the two files to create a single .iso
Combine the two files to create a single .iso on Windows:
copy /b avs-installer-disc-188.8.131.52.0.iso00+avs-installer-disc-184.108.40.206.0.iso01
Combine the two files to create a single .iso on Linux:
cat avs-installer-disc-220.127.116.11.0.iso00 \
avs-installer-disc-18.104.22.168.0.iso01 > avs-installer-disc-22.214.171.124.0.iso
Oracle Audit Vault and Database Firewall 12.1.2 New Features
According to the Release Notes, the following features are available as of 12.1.2:
- Configure the Audit Vault Server to use an external iSCSI SAN server to store the audit event repository and system data
- The Audit Vault Agent is updated automatically when the Audit Vault Server is upgraded or a patch is applied
- Store archive data in a Network File Share (NFS) location
- Entitlement reports include data specific to Oracle Database 12c
- Database Vault is automatically enabled and configured in the Oracle Database embedded in the Audit Vault Server. This further strengthens security by restricting privileged access to the Oracle Database for all users including those with administrative access
- Password hashing has been upgraded to a more secure standard. Change your passwords after upgrade to take advantage of the more secure hash
- The Audit Vault Agent deployment procedure has been simplified. Registering a host in the Audit Vault Server automatically generates an Agent activation key, and therefore, the step requesting Agent activation is no longer required
- Adding and updating a secured target location has been simplified in the Audit Vault Server administrator console UI
- Define policy alerts to be forwarded to syslog
- Download diagnostics log files from the Audit Vault Server UI
- The Audit Vault Agent is supported on 32-bit Linux and Windows platforms
- Oracle Database 9i is supported for Database Firewall
- MySQL 5.6 is supported on the Database Firewall
- Migration Path to Migrate Oracle Audit Vault 10.3 to AVDF 12.1.2. See MOS Note 1666742.1
Some links related to this post.
As soon as the download of the images is done, I’ll start to test the new release on my test AVDF Server. So stay tuned…
As I wrote in my post Error installing Audit Vault Agent 12.1.1 on AIX, there is a Audit Vault Agent bug 17058352 on AIX. Unfortunately it hasn’t yet been fixed in the latest bundle patch for Oracle Audit Vault and Database Firewall. If you haven’t changed your default profile in /etc/profile on your AIX server, you will run into the same issues again when trying to update the agents according the patch readme. Rather than downloading and fixing the agent.jar on each AIX system, it is also possible to update the agent.jar on the Audit Vault server before updating and restarting the agents on the monitored servers.
For this just login to the Oracle Audit Vault and Database Firewall server as support and become oracle.
su - root
su - oracle
Locate your agent.jar, backup it and unpack the agentctl
cp agent.jar agent.jar_backup_bugfix_17058352
jar -xf agent.jar bin/agentctl
Update the agentctl and add LOGNAME the the list of pass through variable on line 46.
# Passthrough env vars
# Note: we passthru any vars with "-" invalid character
Put the updated agentctl script back to the agent.jar and run a regular installation.
jar -uf agent.jar bin/agentctl
You now just can proceed with updating the agent on the AIX servers.
Just a couple of hours ago I’ve lecture a presentation about the latest Generation of Database Technology at the DOAG SIG Security in München. It is a sneak preview on a few upcoming security improvements. Unfortunately I do not yet have the permission to provide the presentation for download. But I will make the download link available once the dust settles on the latest Generation of Database Technology…
so stay tuned.
In the hustle and bustle of the Christmas season, it went under that Oracle had released a new version of Oracle Audit Vault respectively Oracle Audit Vault and Database Firewall. This weekend I found some time to take a first look into the new release.
About a year ago Oracle released the Audit Vault Server 10.3. (see New release of Oracle Audit Vault). During this update Oracle mainly moved internally to a 126.96.36.199 database. The architecture has remained more or less the same. But this has changed now. Oracle is trying to complete its security portfolio. Therefore Oracle has merged the two Oracle Audit Vault and Oracle Database Firewall into the new Oracle Audit Vault and Database Firewall. From the security officer point of view it is definitely more interesting to only have one platform. On the other hand a software appliance is one of the favorites of the DBA and Unix admins. What about, updates, HA, backup & recovery etc? I’ll try to consider these thoughts in a later post on installing and configuring the new Oracle Audit Vault and Database Firewall.
Some short notes on the new features:
- Oracle Audit Vault and Database Firewall is released as a software appliance-based platform
- Internally Oracle does use Oracle 188.8.131.52 including Advance Security and Database Vault to enforce Database security and segregation of duties
- One simple setup does install and configure the operating system, software, database, web frontend etc
- Audit Vault Agents for:
- Oracle Database 10g
- Oracle Database 11g
- Microsoft SQL Server 2000
- Microsoft SQL Server 2005
- Microsoft SQL Server 2008
- Sybase Adaptive Server Enterprise (ASE) versions 12.5.4 to 15.0.x
- IBM DB2 version 9.x (Linux, UNIX, Microsoft Windows)
- Solaris operating system
- Oracle ACFS
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Microsoft Active Directory 2008
- Microsoft Active Directory 2008 R2 on 64 bit
As initially mentioned Audit Vault and Database Firewall are moving closer. Oracle Audit Vault is now also the data storage and analysis platform for the Oracle Database Firewall. Former Database Firewall Management Server is eliminated and thus is replaced with Oracle Audit Vault.
An important note here is that Oracle Audit Vault can not be installed on different platforms as before. It is rather a software appliance like the Oracle Database Firewall. The license for each Oracle Audit Vault and Oracle Database Firewall includes always a license for Oracle Enterprise Linux as well. To install only the appropriate hardware is required. This can be a virtual or a physical host. To setup my test environment, I’ve use as usual virtual servers.
Oracle AVDF Requirements
To install Oracle AVDF the following minimal Hardware Requirements must be met. See as the online installation guide for more details on the installation requirements in particular for the supported secured target products (agents).
- x86 64-bit Server
- 2 GB Ram
- single hard drive 125 GB
- 1 NIC for Audit Vault Server
- 1 NIC for Database Firewall Proxy Mode
- 2 NICs for Database Firewall DAM Mode (monitoring)
- 3 NICs for Database Firewall DPE Mode (blocking)
In addition to the hardware the following software is required to begin the installation:
- Oracle Linux Release 5 Update 8 for x86_64 (64 Bit) V31120-01 (3.7GB)
- Oracle Audit Vault and Database Firewall (184.108.40.206.0) – Server V35715-01 (3.4GB)
- Oracle Audit Vault and Database Firewall (220.127.116.11.0) – Database Firewall V35716-01 (3.1GB)
The server can not be used for other activities, setup of either Oracle Audit Vault or Oracle Database Firewall will completely reimage the server. But I’ll post more details on the installation later this month.
Links all around the new Oracle Audit Vault and Database Firewall…
As I announced in my last post DOAG / SOUG Security-Lounge at Basel I’ve been at the Security-Lounge at Basel. The slides can know be downloaded below or from the download section on this website.
I’m happy for any comment on the presentation or the slides. Feel free to add a comment or drop me a line by mail.
I haven’t found time to provide any blog post in the past weeks. Never the less I would like to inform about the upcoming security lounge in Basel at which I’ll give two lectures about Oracle Security. It’s a small even with just one speaker 😉 Ok it was planned to have a second one but it did not work. The event is organized by the DOAG regional group Freiburg and SOUG. It will start at 17:30 on the 24th of April.
Have a look at the DOAG Webpage for a detailed Agenda of the Event and the location. Looking forward to see you there.
I’ll post the slides for both presentations shortly after the event on this page.
Somewhen beginning of 2012 Oracle has secretly released an update of Oracle Audit Vault. So far just for Linux x86-64bit but I guess other OS will follow. The new release is available trough OTN or Oracle eDelivery. You’ll have to download around 2.3GB for the Audit Vault Server and an other 620MB for the Audit Vault Collection Agent. According the Oracle Audit Vault documentation this release has the following new features.
- Starting with this release Oracle use a 18.104.22.168 Database as Audit Vault repository
- change of console URL respectively port from old http://host:5700/av to new https://host:1158/av
- Updated MS SQL Server JDBC Driver. MS SQL Server JDBC Driver version 3.0 has to be used to configure Microsoft SQL Server source databases
- Support for Sybase Adaptive Server Enterprise 15.5 and IBM DB2 9.7 for Linux, UNIX and MS Windows
- SSL and HTTPS is automatically configured. Due to this a two avca command have been removed (secure_agent,secure_av)
OK the update to 11gR2 was somehow foreseeable. I wonder more why it took that long. Any way, I’ll setup a VM to do a short test installation and check how to new Audit Vault does look like. I’ll post my experience on the installation a bit later.
More details on these new features as well on all changes for 10.2.3.2 and 10.2.3.1 can be found in Oracle® Audit Vault Administrator’s Guide and Oracle Audit Vault Auditor’s Guide on OTN.