Category Archives: Security Audit

Audit Vault and Database Firewall 12.2

Oracle has just released a new major Release of its Oracle Audit Vault and Database Firewall. The new release is immediately available on Oracle’s Software Delivery Cloud. But the OTN website have not been updated. Beside the upgrade of the OS and embedded Oracle Database to 12.1.0.2, Oracle added a bunch of Enterprise-Grade Features. Starting with this Release all new installation will have Oracle Transparent Data Encryption enabled for the audit data.

A few first impressions:

  • The AVDF Documentation has been improved. Beside more detailed setup and configuration information, there is now a concepts guide. The concept guide should be read definitely when planning a new AVDF deployment.
  • The Hardware requirements are slightly increased. A minimum of 220GB disk space is a bit more than for the last release. This will definitely a challenge for my VM setup on my notebook.
  • There are multiple ISO files to download. eg. for the AV Server, FW Server, Utility Files and a ISO with RPM’s for upgrading existing AVDF installations. I will analyze more closely how existing deployments can be upgraded.

Oracle Audit Vault and Database Firewall 12.2 New Features

According to the Release Notes, the following features are available as of 12.2:

  • A backup and restore utility for the Audit Vault Server has been integrated into the product.
  • Audit trails will automatically start when the Audit Vault Agent is restarted or when Oracle AVDF is upgraded.
  • The AVCLI command line utility can be used non-interactively by storing an administrator’s credentials in the AVCLI wallet.
  • You can adjust the number of Audit Vault Agent processing threads on a host to optimize performance.
  • You can configure Oracle Database In-Memory to speed up reports.
  • New (full) installations of Oracle AVDF 12.2 will have all audit data encrypted using Oracle Database Transparent Data Encryption (TDE).
  • When new audit trails collect data that is older than limits set in the retention (archiving) policy, that data will be automatically archived according to the policy.
  • You can change the certificate for the Audit Vault Server and Database Firewall Web UIs.
  • You can register hosts with a host name or a domain name.
  • You can change the logging levels of system components from the Web UI.
  • You can unlock user accounts from the Web UI.
  • New reports have been added including: the Oracle Database Vault report, summary reports, IRS compliance reports, and reports that correlate database audit events with OS users that used su or sudo to execute commands.
  • In the Administrator’s Web UI, the Hosts tab has new Host Monitor details, and added Audit Vault Agent details.
  • The Audit Vault Server’s high availability pairing UI has been improved for usability.
  • Support for IBM AIX secured targets has been added.
  • The Oracle AVDF auditor can create an alert syslog template.
  • The Oracle AVDF auditor can set a schedule for retrieval of audit data and entitlements from Oracle Database.
  • We have added Oracle Audit Vault and Database Firewall Concepts Guide to the documentation library.

References

Some links related to this post.

I’ll start to do some test with the new release of AVDF after the christmas time. So stay tuned…

Release of Audit Vault and Database Firewall 12.1.2 Bundle Patch 2

End of last week, Oracle has released the second Bundle Patch for Audit Vault and Database Firewall 12.1.2. I’ve missed the release due to public holiday here in Switzerland. 🙂 The patch can be downloaded as usual on Oracle Metalink as Patchset 19190265 for existing installations or on Oracle eDelivery as full installation image for new installations. The installation image is split in two parts which need to be merged before use. A short description on how to merge the image can be found on my blog post about Audit Vault and Database Firewall 12.1.2.

According the readme, the Release 12.1.2 BP2 contains the July 2014 PSU 11.2.0.3.11 for the database as well several bug fix for the base platform. These include security and stability fixes to Java and the underlying Linux operating system. This is more or less similar to thelast bundle patch. What’s new, are the bug fix for the following bugs:

Bug Number Description
18724624 WITH EXCESSIVE VALUE FOR RMEM_MAX, TRAFFIC MONITORING IS SILENTLY DISABLED
18161187 INTEGRATE INTERFACE MASTERS NEW DRIVERS INTO THE PRODUCT
18940816 AVDF SERVER FAILS TO INSTALL ON HP DL380 GEN8 WITH CCISS!C0D0 ERROR
18823169 AFTER UPGRADE, THE DBFW CAN NOT COMMUCIATE WITH THE AVDF SERVER
18112713 ERRORS RELATING TO ILM AND DISK METRICS SEEN IN ALERT LOGS
18442791 NFS ARCHIVE JOB FAILS
18459675 SUPPORT FOR NVARCHAR DATA TYPE IN TABLE EZCOLLECTOR

In particular, I am interested in bug 18940816. I’ve discussed this issues in my post about AVDF installation fails on HP server with Smart Array Disk Controller. To verify if this issue is successfully fixed, I’ll have to reinstall one of the HP BL465c Blades.

References

Some links related to the Audit Vault and Database Firewall:

Release of Audit Vault and Database Firewall 12.1.2 Bundle Patch 1

Earlier today, Oracle has released the first Bundle Patch for Audit Vault and Database Firewall 12.1.2. The patch can be downloaded on Oracle Metalink as Patchset 18728905 for existing installations or on Oracle eDelivery as full installation image for new installations. The installation image is split in two parts which need to be merged before use. A short description on how to merge the image can be found on my blog post about Audit Vault and Database Firewall 12.1.2.

According the readme, the Release 12.1.2 BP1 contains the April 2014 PSU 11.2.0.3.10 for the database as well several bug fix for the base platform. These include security and stability fixes to Java and the underlying Linux operating system.

Before installing the bundle patch it is absolutely recommended, that you create a backup of the AVDF Installation and ensure that there is free space in the following Audit Vault Server partitions.

  • 5 GB in /var/lib/oracle
  • 5 GB in /var/tmp
  • 4.5 GB in /root

The upgrade will fail, if the partitions does not have enough free space. The bundle patch readme describes the different upgrade scenarios. I’ll upgrade my AVDF 12.1.2 Test VM once the download of the 3GB bundle patch is finished.

References

Some links related to the Audit Vault and Database Firewall:

Audit Vault and Database Firewall 12.1.2

Oracle has just released a new Release of its Oracle Audit Vault and Database Firewall. The new release is immediately available on Oracle’s Software Delivery Cloud. It look’s like Oracle added a bunch of Enterprise-Grade Features like iSCSI SAN Disk, NFS Storage as well as SYSLOG integration. Starting with this Release, the Audit Vault Repository is again protected by Database Vault.

The installation / update is done in the same manner as the other versions AVDF. Download the ISO, reboot the AVDF server and initiate an upgrade. But be carefully to not initiate an installation. This would erase your system and data.

A bit unusual that the ISO image was split into two parts. They have to be merged prior to use.

  1. Unzip Images avs-installer-disc-12.1.2.0.0.iso00, avs-installer-disc-12.1.2.0.0.iso01
  2. Combine the two files to create a single .iso

Combine the two files to create a single .iso on Windows:

copy /b avs-installer-disc-12.1.2.0.0.iso00+avs-installer-disc-12.1.2.0.0.iso01
avs-installer-disc-12.1.2.0.0.iso

Combine the two files to create a single .iso on Linux:

cat avs-installer-disc-12.1.2.0.0.iso00 \
avs-installer-disc-12.1.2.0.0.iso01 > avs-installer-disc-12.1.2.0.0.iso

Oracle Audit Vault and Database Firewall 12.1.2 New Features

According to the Release Notes, the following features are available as of 12.1.2:

  • Configure the Audit Vault Server to use an external iSCSI SAN server to store the audit event repository and system data
  • The Audit Vault Agent is updated automatically when the Audit Vault Server is upgraded or a patch is applied
  • Store archive data in a Network File Share (NFS) location
  • Entitlement reports include data specific to Oracle Database 12c
  • Database Vault is automatically enabled and configured in the Oracle Database embedded in the Audit Vault Server. This further strengthens security by restricting privileged access to the Oracle Database for all users including those with administrative access
  • Password hashing has been upgraded to a more secure standard. Change your passwords after upgrade to take advantage of the more secure hash
  • The Audit Vault Agent deployment procedure has been simplified. Registering a host in the Audit Vault Server automatically generates an Agent activation key, and therefore, the step requesting Agent activation is no longer required
  • Adding and updating a secured target location has been simplified in the Audit Vault Server administrator console UI
  • Define policy alerts to be forwarded to syslog
  • Download diagnostics log files from the Audit Vault Server UI
  • The Audit Vault Agent is supported on 32-bit Linux and Windows platforms
  • Oracle Database 9i is supported for Database Firewall
  • MySQL 5.6 is supported on the Database Firewall
  • Migration Path to Migrate Oracle Audit Vault 10.3 to AVDF 12.1.2. See MOS Note 1666742.1

References

Some links related to this post.

As soon as the download of the images is done, I’ll start to test the new release on my test AVDF Server. So stay tuned…

Update agent.jar on audit vault server

As I wrote in my post Error installing Audit Vault Agent 12.1.1 on AIX, there is a Audit Vault Agent bug 17058352 on AIX. Unfortunately it hasn’t yet been fixed in the latest bundle patch for Oracle Audit Vault and Database Firewall. If you haven’t changed your default profile in /etc/profile on your AIX server, you will run into the same issues again when trying to update the agents according the patch readme. Rather than downloading and fixing the agent.jar on each AIX system, it is also possible to update the agent.jar on the Audit Vault server before updating and restarting the agents on the monitored servers.

For this just login to the Oracle Audit Vault and Database Firewall server as support and become oracle.

ssh support@melete2

su - root
su - oracle

Locate your agent.jar, backup it and unpack the agentctl

cd /var/lib/oracle/dbfw/av/jlib/
cp agent.jar agent.jar_backup_bugfix_17058352
jar -xf agent.jar bin/agentctl

Update the agentctl and add LOGNAME the the list of pass through variable on line 46.

43
44
45
46
# Passthrough env vars
# Note: we passthru any vars with "-" invalid character
#
passthru='^TZ$|^LANG$|^LC_|^JAVA_HOME$|^PATH$|^PS1$|^LOGNAME$|-'

Put the updated agentctl script back to the agent.jar and run a regular installation.

jar -uf agent.jar bin/agentctl

You now just can proceed with updating the agent on the AIX servers.

DOAG SIG Security

Just a couple of hours ago I’ve lecture a presentation about the latest Generation of Database Technology at the DOAG SIG Security in München. It is a sneak preview on a few upcoming security improvements. Unfortunately I do not yet have the permission to provide the presentation for download. But I will make the download link available once the dust settles on the latest Generation of Database Technology

so stay tuned.

New Oracle Audit Vault and Database Firewall

In the hustle and bustle of the Christmas season, it went under that Oracle had released a new version of Oracle Audit Vault respectively Oracle Audit Vault and Database Firewall. This weekend I found some time to take a first look into the new release.

What’s New

About a year ago Oracle released the Audit Vault Server 10.3. (see New release of Oracle Audit Vault). During this update Oracle mainly moved internally to a 11.2.0.3 database. The architecture has remained more or less the same. But this has changed now. Oracle is trying to complete its security portfolio. Therefore Oracle has merged the two Oracle Audit Vault and Oracle Database Firewall into the new Oracle Audit Vault and Database Firewall. From the security officer point of view it is definitely more interesting to only have one platform. On the other hand a software appliance is one of the favorites of the DBA and Unix admins. What about, updates, HA, backup & recovery etc? I’ll try to consider these thoughts in a later post on installing and configuring the new Oracle Audit Vault and Database Firewall.

Some short notes on the new features:

  • Oracle Audit Vault and Database Firewall is released as a software appliance-based platform
  • Internally Oracle does use Oracle 11.2.0.3 including Advance Security and Database Vault to enforce Database security and segregation of duties
  • One simple setup does install and configure the operating system, software, database, web frontend etc
  • Audit Vault Agents for:
  • Oracle Database 10g
  • Oracle Database 11g
  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2005
  • Microsoft SQL Server 2008
  • Sybase Adaptive Server Enterprise (ASE) versions 12.5.4 to 15.0.x
  • IBM DB2 version 9.x (Linux, UNIX, Microsoft Windows)
  • Solaris operating system
  • Oracle ACFS
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Active Directory 2008
  • Microsoft Active Directory 2008 R2 on 64 bit

New Architecture

As initially mentioned Audit Vault and Database Firewall are moving closer. Oracle Audit Vault is now also the data storage and analysis platform for the Oracle Database Firewall. Former Database Firewall Management Server is eliminated and thus is replaced with Oracle Audit Vault.

OverviewAVDF

An important note here is that Oracle Audit Vault can not be installed on different platforms as before. It is rather a software appliance like the Oracle Database Firewall. The license for each Oracle Audit Vault and Oracle Database Firewall includes always a license for Oracle Enterprise Linux as well. To install only the appropriate hardware is required. This can be a virtual or a physical host. To setup my test environment, I’ve use as usual virtual servers.

Oracle AVDF Requirements

To install Oracle AVDF the following minimal Hardware Requirements must be met. See as the online installation guide for more details on the installation requirements in particular for the supported secured target products (agents).

  • x86 64-bit Server
  • 2 GB Ram
  • single hard drive 125 GB
  • 1 NIC for Audit Vault Server
  • 1 NIC for Database Firewall Proxy Mode
  • 2 NICs for Database Firewall DAM Mode (monitoring)
  • 3 NICs for Database Firewall DPE Mode (blocking)

In addition to the hardware the following software is required to begin the installation:

  • Oracle Linux Release 5 Update 8 for x86_64 (64 Bit) V31120-01 (3.7GB)
  • Oracle Audit Vault and Database Firewall (12.1.0.0.0) – Server V35715-01 (3.4GB)
  • Oracle Audit Vault and Database Firewall (12.1.0.0.0) – Database Firewall V35716-01 (3.1GB)

The server can not be used for other activities, setup of either Oracle Audit Vault or Oracle Database Firewall will completely reimage the server. But I’ll post more details on the installation later this month.

Resources

Links all around the new Oracle Audit Vault and Database Firewall…