
Oracle AVDF 20.4 and OCI Autonomous Database Auditing

This note describes the process used to configure and deploy Oracle Audit Vault and Database Firewall (AVDF) 20.4 in Oracle Cloud Infrastructure (OCI) via Cloud Marketplace.

The note also covers installing the AVDF Agent on an OCI compute node, enabling auditing of an Autonomous Transaction Processing (ATP) 19c database, and viewing reports of the ATP database auditing via the AVDF console.

Install Oracle Audit Vault 20.4 from OCI Marketplace.

Note – the key needs to be of type ED25519.

Connect via PuTTY to the public IP address as user “opc” and execute the script generate_post_install_passphrase.

Audit Vault Server 20.4.0.0.0

DO NOT CHANGE ANY CONFIGURATIONS IN Audit Vault Server APPLIANCE WITHOUT GUIDANCE FROM

ORACLE SUPPORT. ANY CHANGES SHOULD BE TRACEABLE TO APPROPRIATE SR REFERENCE.

Authenticating with public key “ed25519-key-20210705”

[opc@avdf-oci ~]$ sudo passwd root

Changing password for user root.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

[opc@avdf-oci ~]$

[opc@avdf-oci ~]$ sudo -u oracle /usr/local/dbfw/bin/generate_post_install_passphrase

y3r8bCGqy4rgAs035dysctboujiZq12#

Connect via browser to the public IP address and enter the generated passphrase.

Create the AVF_ADM and AVF_AUD users and set passwords.

Click on Save.

Download and install the AVDF agent on an OCI compute node.


[root@db21c ~]# cd /home/opc

[root@db21c oracle]# chown oracle:oinstall agent.jar

[root@db21c opc]# cp agent.jar /home/oracle

[root@db21c opc]# su - oracle

[oracle@db21c ~]$ export JAVA_HOME=$ORACLE_HOME/jdk

[oracle@db21c ~]$ export PATH=$JAVA_HOME/bin:$PATH

[oracle@db21c ~]$ java -jar agent.jar -d /u01/app/oracle/avdf_agent

Agent installed successfully.

If deploying hostmonitor please refer to product documentation for additional installation steps.

Start the AVDF Agent on the OCI compute node.

[oracle@db21c ~]$ cd /u01/app/oracle/avdf_agent/bin

[oracle@db21c bin]$ ./agentctl start -k

Enter Activation Key:

Checking for updates…

Agent is updating. This operation may take a few minutes. Please wait…

Agent updated successfully.

Agent started successfully.

Create the AVDFUSER in the Autonomous Transaction Processing database.

[oracle@db21c adw]$ sqlplus admin/DreamLiner787##@atpgs_high

SQL*Plus: Release 21.0.0.0.0 – Production on Tue Jul 13 04:07:51 2021

Version 21.1.0.0.0

Copyright (c) 1982, 2020, Oracle. All rights reserved.

Last Successful login time: Fri Jul 09 2021 03:43:20 +00:00

Connected to:

Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 – Production

Version 19.5.0.0.0

SQL> create user avdfuser identified by Oracle_4U;

User created.

Execute the script oracle_AVDF_E1_user_setup.sql from the AVDF agent home.

[oracle@db21c avdf_agent]$ cd /u01/app/oracle/avdf_agent/av/plugins/com.oracle.av.plugin.oracle/config

[oracle@db21c config]$ sqlplus admin/DreamLiner787##@atpgs_high

SQL*Plus: Release 21.0.0.0.0 – Production on Fri Jul 9 00:28:02 2021

Version 21.1.0.0.0

Copyright (c) 1982, 2020, Oracle. All rights reserved.

Last Successful login time: Thu Jul 08 2021 10:34:33 +00:00

Connected to:

Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 – Production

Version 19.5.0.0.0

SQL> @oracle_AVDF_E1_user_setup.sql AVDFUSER ALL

Session altered.

Granting privileges to “AVDFUSER” … Done.

To revoke oracle AVDF user privileges, run oracle_AVDF_E1_drop_db_permissions.sql script ..

Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 – Production

Version 19.5.0.0.0

Add the ATP database as an AVDF target database.

[oracle@db21c ~]$ tnsping atpgs_high

TNS Ping Utility for Linux: Version 21.0.0.0.0 – Production on 14-JUL-2021 07:01:05

Copyright (c) 1997, 2020, Oracle. All rights reserved.

Used parameter files:

/u01/app/oracle/product/21.0.0.0/dbhome_1/network/admin/sqlnet.ora

Used TNSNAMES adapter to resolve the alias

Attempting to contact (description= (retry_count=20)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.ap-sydney-1.oraclecloud.com))(connect_data=(service_name=zg8choouoo1h8og_atpgs_high.adb.oraclecloud.com))(security=(ssl_server_cert_dn=CN=adb.ap-sydney-1.oraclecloud.com, OU=Oracle ADB SYDNEY, O=Oracle Corporation, L=Redwood City, ST=California, C=US)))

OK (80 msec)

Add the AVDF audit trail for the ATP target database.

Create a Custom Unified Audit policy in the ATP database and test.

SQL> CREATE AUDIT POLICY test_audit_policy
  PRIVILEGES CREATE TABLE, CREATE SEQUENCE
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''DEMO'''
  EVALUATE PER SESSION
  CONTAINER = CURRENT;

Audit policy created.

SQL> audit policy test_audit_policy;

Audit succeeded.

SQL> conn demo/DreamLiner787##@atpgs_high

Connected.

SQL> create table mytest (col_a date);

Table created.

SQL> create sequence mytest_seq start with 1;

create sequence mytest_seq start with 1

*

ERROR at line 1:

ORA-01031: insufficient privileges

Test the Oracle-supplied Unified Auditing policy.

SQL> select distinct POLICY_NAME from audit_unified_enabled_policies;

POLICY_NAME

--------------------------------------------------------------------------------

ADB_ADMIN_AUDIT

SYS_USER_ACTIONS

COMMON_USER_LOGONS

ADB_MANDATORY_AUDIT

TEST_AUDIT_POLICY

ORA_LOGON_FAILURES

COMMON_USER

[oracle@db21c log]$ sqlplus admin/DreamLi787##@adwgs_high

SQL*Plus: Release 21.0.0.0.0 – Production on Wed Jul 14 07:34:53 2021

Version 21.1.0.0.0

Copyright (c) 1982, 2020, Oracle. All rights reserved.

ERROR:

ORA-01017: invalid username/password; logon denied
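The two tests above can be confirmed in the database's own unified audit trail before looking for them in the AVDF console reports. The queries below are an added example, not part of the original note; they assume a session as ADMIN (or a user with the AUDIT_VIEWER role), run in the database that received the test activity, and the one-day time window is an arbitrary choice.

```sql
-- Added example: confirm the audit records exist in the database
-- before expecting them in the AVDF reports.

-- 1. Events captured by the custom policy for the DEMO session.
--    RETURN_CODE 0 means success; a non-zero value is the ORA- error number.
SELECT event_timestamp,
       dbusername,
       action_name,
       system_privilege_used,
       return_code,
       sql_text
FROM   unified_audit_trail
WHERE  dbusername = 'DEMO'
AND    unified_audit_policies LIKE '%TEST_AUDIT_POLICY%'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp;

-- 2. Failed logons (such as the ORA-01017 attempt above, RETURN_CODE 1017),
--    grouped per account and client host so repeated failures stand out.
SELECT dbusername,
       userhost,
       return_code,
       COUNT(*)             AS attempts,
       MAX(event_timestamp) AS last_attempt
FROM   unified_audit_trail
WHERE  action_name = 'LOGON'
AND    return_code <> 0
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
GROUP  BY dbusername, userhost, return_code
ORDER  BY last_attempt DESC;
```

If the first query returns rows but the AVDF report stays empty, the gap is in the agent or audit trail collection rather than in the audit policy.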

Updated on July 15, 2021
