Oracle Audit Vault and Database Firewall FAQ

General questions

Which is the latest release of Audit Vault and Database Firewall?

The latest release of Oracle Audit Vault and Database Firewall (AVDF) is Release Update 12 (AVDF 20.12). Please read the announcement blog and release note for more details.

What’s new in Oracle Audit Vault and Database Firewall?

Oracle Audit Vault and Database Firewall now expands beyond database activity monitoring to manage your Oracle Database’s security posture, enhancing its best-in-class activity monitoring capabilities with visibility into security configuration, user entitlements, and stored procedures. It provides a modern user interface with simplified navigation for common workflows and expanded audit collection for many popular target types. AVDF audits databases and monitors network-based SQL activities to help manage the security posture of Oracle and non-Oracle databases hosted in the cloud or on-premises. Refer to the AVDF Release Notes for a complete feature list.

How are Audit Vault and Database Firewall related? Do I need both of them?

AVDF combines two capabilities: the Audit Vault Server and its agents collect native audit data from the targets, and the Database Firewall monitors network-based SQL traffic. All audit events and captured SQL traffic are stored in the Audit Vault Server, so you can correlate the activity data and create reports across both sources. You do not need both to start. Oracle recommends a holistic approach that uses database auditing together with network-based SQL traffic monitoring, but you can begin with either capability and expand your architecture to include the other when needed.

Which target types and versions are supported by AVDF?

AVDF supports Oracle Database, Microsoft SQL Server, MySQL, IBM Db2, PostgreSQL, SAP Sybase, MongoDB, and operating system logs for Linux, Windows, Solaris, and AIX. AVDF also supports audit trails written to files in XML, CSV, and JSON format. You can use custom collectors to collect the audit logs and send them to the audit vault server for all the other targets where audit trails are written to database tables. See the Platform Support Matrix in the AVDF Installation Guide for details.

How does AVDF consolidate audit data from other sources, such as applications?

AVDF can collect audit data from application tables or files (XML, JSON, CSV). AVDF maps the data into a standardized format and stores it in the AVDF repository. The collected data is available for reporting, alert generation, and analysis. Because the format is standardized across all sources, it’s possible to consolidate information from all types of sources in a single report. For details, refer to the AVDF Developer's Guide.

What is the difference between auditing and network monitoring? Do I need both?

Auditing captures detailed information after an event has executed in the database, whether it originated as a direct SQL statement or as a stored procedure call. Monitoring SQL traffic lets you analyze and act on a statement before it reaches the database, which makes it possible to block suspicious statements (blocking requires the Database Firewall to be deployed in proxy mode; out-of-band monitoring can only log and alert). In both cases, you specify the conditions under which audit records or events are collected. The two give different views of the same event, one after and one before, and alerts can be raised on either. Oracle recommends a holistic approach that uses database auditing together with network-based SQL traffic monitoring. You can start with either capability and expand your architecture to include both.

How do I provision auditing and Database Firewall policies?

AVDF provides an interface to view your Oracle audit policies and, with a single click, provision them in the target database. For Database Firewall policy, when a database firewall monitoring point is configured for the target, the default policy is automatically applied. This default policy is configured for all the targets monitored by the database firewall. It captures all logins and logouts and unique DDL and DCL statements across sessions for all the tables and views. User-defined Database Firewall policies can also be configured to allow, log, alert, substitute, or block the SQL. In addition, firewall policies can be configured for Oracle Databases to capture the returned number of rows from a SQL SELECT statement and use that data to monitor and alert you on data exfiltration attempts. For more information, refer to the Auditor's Guide.

What are the different ways to monitor database traffic?

You can configure the Database Firewall for monitoring and blocking, or for monitoring only. To implement monitoring and blocking, you must configure the firewall in proxy mode, where client database traffic is routed through the Database Firewall on its way to the database. For monitoring only, you can have a SPAN (port-mirroring) port on your network switch send a copy of the traffic to the Database Firewall, or you can set up the host monitor on the database machines to forward the SQL traffic to the Database Firewall. Neither out-of-band option can block statements, because the firewall only sees a copy of the traffic. For details, refer to the Administrator's Guide.

Can I get a unified report with both audit data and network logs?

Yes. The Audit Vault server consolidates audit data and network SQL traffic to provide a unified view of all database activity from the audit logs or captured SQL traffic. Alerts and reports are created from the consolidated data.

Can I correlate OS activity with the database activities to get the full picture?

Yes. AVDF provides a report that displays details of database events correlated with the original Linux OS user before the su or sudo transition, so that activity performed under a shared account (such as oracle or root) can be traced back to the individual who switched into it.

Key use cases

Can AVDF assess the security posture of databases?

AVDF 20.9 introduces a fleet-wide, centralized security assessment solution for enterprises by integrating the popular Database Security Assessment Tool (DBSAT) for Oracle Databases. The full-featured assessment with compliance mappings and recommendations helps organizations clearly understand the security posture of all their Oracle Databases in one central place. You can also define an assessment baseline and determine deviation from that baseline by viewing security assessment drift reports. Read more about it here.

Can AVDF discover sensitive data and privileged users?

Starting with AVDF 20.9, you can now discover sensitive data and privileged users for Oracle Databases. AVDF extends the capability of user entitlements and the DBSAT and identifies privileged users and sensitive objects for Oracle Database. This is enabled by running and scheduling the user entitlements and sensitive object discovery jobs. Once the privileged users and sensitive objects have been discovered, they can be added to the privileged user and sensitive object sets, respectively. These sets are global and can be used in multiple database firewall policies. Global sets can also include session context information, such as IP Address, OS User, Client Program, and Database User, simplifying Database Firewall policy management even further.

How does AVDF help meet compliance reporting requirements?

AVDF provides prebuilt compliance reports for GDPR, PCI, GLBA, HIPAA, IRS 1075, SOX, and UK DPA. For example, under GDPR compliance, we provide reports on who has access to your sensitive data and who is accessing your sensitive data. You can customize the reports to meet your specific objectives or industry/region-specific compliance requirements. Third-party reporting tools can also connect to the Audit Vault schema for analysis and reports.

Can AVDF audit and track privileged users’ activities?

Yes. You can enable audit policies for administrative activity in general and for named privileged users specifically. AVDF has predefined reports, including privileged user reports, which show all audited activity by privileged users.
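As an added worked example, not code from the page or from the AVDF product, the following Oracle SQL shows what the one-click provisioning described under "How do I provision auditing and Database Firewall policies?" and the privileged-user auditing described here come down to in Oracle unified auditing: create a policy, enable it (for named users or for everyone), verify what is in force, and read back the records the Audit Vault agent collects. The schema HR with table EMPLOYEES and the accounts APP_DBA, OPS_DBA and HR_APP are assumed names; the session needs the AUDIT_ADMIN role (or the AUDIT SYSTEM privilege). Column names in step 4 are those of Oracle Database 19c and later.

```sql
-- Added example (not from the page or the AVDF product). Assumed names:
-- schema HR with table EMPLOYEES; accounts APP_DBA, OPS_DBA (privileged) and
-- HR_APP (the application). Requires the AUDIT_ADMIN role.

-- 0. Confirm unified auditing is active. In mixed mode these policies still
--    work, but legacy AUDIT settings also continue to apply.
SELECT value AS unified_auditing
  FROM v$option
 WHERE parameter = 'Unified Auditing';

-- 1. Privileged-user policy: use of system privileges that change security
--    state, plus account and role management statements, including privileges
--    exercised through the DBA role.
CREATE AUDIT POLICY dba_activity_pol
  PRIVILEGES CREATE ANY TABLE, DROP ANY TABLE, ALTER ANY TABLE,
             GRANT ANY PRIVILEGE, GRANT ANY ROLE, GRANT ANY OBJECT PRIVILEGE,
             ALTER SYSTEM, AUDIT SYSTEM, EXEMPT ACCESS POLICY
  ACTIONS    CREATE USER, ALTER USER, DROP USER, CREATE ROLE, DROP ROLE
  ROLES      DBA;

-- 2. Sensitive-object policy: reads and writes of HR.EMPLOYEES by any session
--    that is not the application account (condition evaluated once per session).
CREATE AUDIT POLICY hr_sensitive_pol
  ACTIONS SELECT ON hr.employees, UPDATE ON hr.employees, DELETE ON hr.employees
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') <> ''HR_APP'''
  EVALUATE PER SESSION;

-- 3. A created policy records nothing until it is enabled. Enable the DBA
--    policy only for the named privileged accounts, and the sensitive-object
--    policy for all users. (BY and EXCEPT cannot be combined in one statement.)
AUDIT POLICY dba_activity_pol BY app_dba, ops_dba;
AUDIT POLICY hr_sensitive_pol;

-- 4. Verify what is actually in force; this is the check to run after
--    provisioning from the AVDF console as well.
SELECT policy_name, enabled_option, entity_name, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name IN ('DBA_ACTIVITY_POL', 'HR_SENSITIVE_POL');

-- 5. Read back the records the Audit Vault agent collects from this trail:
--    who, from where and which program, which privilege or object, and
--    whether the statement succeeded (RETURN_CODE = 0) or failed.
SELECT event_timestamp, dbusername, os_username, userhost, client_program_name,
       action_name, system_privilege_used, object_schema, object_name,
       return_code, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%DBA_ACTIVITY_POL%'
    OR unified_audit_policies LIKE '%HR_SENSITIVE_POL%'
 ORDER BY event_timestamp DESC;
```

Two points worth checking in practice: a policy that appears in AUDIT_UNIFIED_POLICIES but not in AUDIT_UNIFIED_ENABLED_POLICIES has been created but never enabled and produces no records, and records with a non-zero RETURN_CODE are the failed attempts, which are usually the first thing to alert on for a privileged-user report.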

How does AVDF help in investigating misuse or unauthorized access?

Use the All Activity report to analyze which objects were accessed. AVDF can filter by user, object, dates, and more and analyze the resulting data to see if unauthorized users have accessed the objects. Additionally, for Oracle Databases, you can use the count of returned rows from SQL SELECT statements to identify potential data exfiltration attempts.

Can AVDF help in tracking changes to users, roles, privileges, and entitlements?

Yes. AVDF can be configured to check entitlements for Oracle Databases on a scheduled basis and provide differential reporting on what has changed since the last report. AVDF identifies changes to users, roles, and privileges.

How does reporting before/after values help security and compliance?

Corporate security policies and regulations, such as HIPAA, require that changes made to sensitive data are audited and that the before and after values of the record are captured. AVDF captures the before/after values using the Oracle GoldenGate integrated extract process (restricted license included) and makes those available in AVDF reports. This capability is available for Oracle and MS SQL Server databases. See the AVDF Administrator's Guide and Auditor's Guide for details.

How does AVDF help with database activity monitoring (DAM) and SIM/SIEM initiatives in my organization?

AVDF is a DAM solution providing native audit data collection and network-based SQL traffic monitoring. AVDF supports alerts, reports, and audit data archival. AVDF can send events to syslog for integration with SIEM systems. The AVDF repository schema is documented and can be queried by a SIEM or log aggregator, allowing for easy integration with most third-party SIEM and log analyzer products.

Security

Does Oracle Database Firewall monitor encrypted traffic to the targets?

Oracle Database Firewall monitors the traffic to and from an Oracle Database when Oracle native network encryption or TLS network encryption is used. For non-Oracle databases that use TLS network encryption, the Database Firewall cannot interpret the encrypted SQL traffic. In that case, you can place an SSL/TLS termination solution in front of the Database Firewall so that the traffic is decrypted just before it reaches the firewall, which can then interpret the SQL and enforce its policies.

How is the data stored in AVDF secured?

AVDF encrypts collected data using transparent data encryption and encrypts the network traffic from the targets. AVDF provides a separation of duties between the administrator and the auditor and uses Database Vault to restrict access to data. See the General Security Guidelines in the AVDF Administrator's Guide for details.

Can AVDF work with Microsoft Active Directory for authentication?

Yes. AVDF supports Microsoft Active Directory integration for user authentication. You can also create AVDF administrators/auditors as Microsoft Active Directory users. For details, see the AVDF Administrator's Guide.

Enterprise capabilities

How does AVDF scale with lots of targets or a high volume of audit/log data?

When configured per the sizing guidance, an Audit Vault server can support AVDF event data collection up to 1,000 audit trails, and each agent can support up to 20 audit trails. For sizing guidance, refer to Audit Vault and Database Firewall Best Practices and Sizing Calculator (MOS Note: 2092683.1) in the Installation Guide. You can size the CPU, memory, and disk needed for the Audit Vault server, agent, and Database Firewall based on your environment. You will need to provide the number of targets, average audit data generated per day, retention period, number of firewall targets, and other information to generate the sizing guidance.

Can AVDF handle the high load from Oracle Exadata and other clustered databases?

Yes. AVDF can scale to support audit data collection from Oracle Exadata and other clustered databases. You can configure the number of agents based on the total targets and expected audit ingestion rate. In AVDF 20.5 (and later), the Audit Vault agents automatically choose the best possible configuration for improving the audit collection rate. This dynamic, multithreaded collector functionality effectively utilizes the resources of the Audit Vault server and Audit Vault agent. For details, see Registering Targets in the Administrator's Guide.

Does AVDF support cloud targets in addition to on-premises targets?

Yes. AVDF can monitor targets deployed on-premises and in cloud, including Oracle Autonomous Database services. The Audit Vault server collects data for traditional audit trails, fine-grained audits, Database Vault audits, and unified audits from audit trails in the cloud or on-premises databases. Refer to Oracle Audit Vault and Database Firewall Hybrid Cloud Deployment in the Administrator's Guide for details.

Does AVDF support high availability for fault tolerance?

AVDF supports high availability configuration for all the AVDF components, including the Audit Vault server, Database Firewall, and Audit Vault agent. Refer to the Administrator's Guide for details.

Can AVDF archive audit/log data to meet regulatory retention requirements?

The Audit Vault server supports data retention policies on a per-target basis, making it possible to meet internal or external compliance requirements. Audit data can be automatically archived in a low-cost external repository and retrieved as per the target-specific policy. Refer to the Administrator's Guide for details.

Can AVDF raise alerts on anomalous activity to minimize analysis time?

AVDF has a powerful alert builder that configures alerts on the collected audit and firewall data based on various conditions. AVDF can display the alert on the dashboard and send it as an email or send it to syslog.

How is AVDF integrated with Oracle security products, such as Oracle Key Vault, Oracle Database Vault, and Oracle Database Security Assessment Tool (DBSAT)?

AVDF can read and display audit data from the Database Vault audit trail in the AVDF reports. Oracle Key Vault can be added as a target in AVDF. AVDF will collect audit data from Oracle Key Vault and generate all activity reports in AVDF. From AVDF Release Update 9 onwards, DBSAT is integrated with AVDF security assessment and sensitive data discovery to assess the security posture of Oracle Databases and discover sensitive data in Oracle Databases.

Can an Oracle Enterprise Manager manage AVDF?

The Enterprise Manager AVDF plug-in provides an interface within Oracle Enterprise Manager Cloud Control for administrators to manage and monitor AVDF components. Refer to the System Monitoring Plug-in User's Guide for Audit Vault and Database Firewall for complete information. Refer to Compatibility with Oracle Enterprise Manager to check the supported versions of Oracle Enterprise Manager with AVDF.

Deployment

What type of hardware or VMs can I run AVDF on? How do I size them?

Any Intel x86 64-bit hardware platform supported by Oracle Linux Release 8 can be used to deploy the AVDF components. Please refer to the Hardware Certification List for a complete list of certified hardware. Each Audit Vault server and Database Firewall must be installed on its own dedicated x86 64-bit server. Please refer to the Product Compatibility Matrix in the Installation Guide.

AVDF is also deployable in Oracle Cloud Infrastructure (OCI) from the Oracle Cloud Marketplace. With the marketplace image, it’s possible to deploy a fully functioning AVDF system within a few minutes. Oracle Cloud offers the flexibility to scale compute resources to meet growing requirements. The ease of scaling up gives the option to start with a small VM shape and scale up as the workload increases.

For sizing guidance, refer to Audit Vault and Database Firewall Best Practices and Sizing Calculator (MOS Note: 2092683.1) in the Installation Guide. You can size the CPU, memory, and disk needed for the Audit Vault server, agent, and Database Firewall based on your environment. You will need to provide the number of targets, average audit data generated per day, retention period, number of firewall targets, and other information to generate the sizing guidance.

Although AVDF can be run on virtualized environments, such as Oracle VM Server or VMware, we recommend installing it on physical hardware.

How long does it take to install/deploy AVDF? Is consulting help needed?

A typical proof of concept can range anywhere from two days to two weeks, depending on the number of targets and policies. There are three key steps to deployment.

1. Installation of the Audit Vault server and, optionally, Database Firewall on server machines of your choice: The whole process using the ISO image is quite simple and can be accomplished quickly in a few hours. If you deploy AVDF from Oracle Cloud Marketplace in an OCI tenancy, the system can be provisioned in just a few minutes.

2. Enabling or creating the appropriate audit or monitoring policies on the target or the Database Firewall. AVDF can help you create default policies very quickly, with just a few clicks. However, depending on the use case, this can take more time.

3. Analyzing the reports and alerts. AVDF provides several dozen reports out of the box, and you can customize them further to address your compliance or security requirements.

Once the proof of concept is done, setting up the backup, archival, high availability, and other configuration options in the AVDF console typically takes more time. You can also add collectors for your applications using the custom collector framework.

Many of our customers have implemented AVDF without using consulting services. Before installation, refer to the installation checklist in the Installation Guide and use the sizing spreadsheet (MOS Note: 2092683.1) to determine the appropriate hardware configuration.

How does AVDF minimize deployment and upgrade time?

AVDF is a full-stack software appliance that includes the Oracle Linux operating system, Oracle Database, and AVDF software, making it easy to deploy and upgrade all components at once. When the Audit Vault server is patched or upgraded, the agents are automatically downloaded and updated, thus minimizing deployment and upgrade time.

You can also use the backup and restore functionality to update Oracle Audit Vault and Database Firewall to a new release that provides minimal downtime for monitoring and collecting data. You can use this process to update from Oracle AVDF 20.3 and later to Release 20.9 and later. Read more here.

What is Oracle’s support policy when additional or third-party software is installed on AVDF?

Oracle Audit Vault and Database Firewall is shipped as an appliance; no third-party software should be installed on the Audit Vault server. See the AVDF Concepts Guide for more details.

Upgrade

I currently have AVDF 12.2. Why should I upgrade to AVDF 20?

You should consider upgrading to AVDF 20 for the following reasons. First, AVDF 12.2 ended Premier Support in March 2021. That means Oracle no longer produces periodic security patches for the product. But more importantly, the latest release of AVDF offers the following new features and capabilities:

  • Increased administrator/auditor productivity from a brand-new, modernized UI that’s optimized for different workflows.
  • Support for unified audit, which is important to customers looking to move from traditional auditing to unified auditing.
  • Simplified configuration of the Database Firewall settings compared to earlier releases.
  • New targets, such as PostgreSQL, MongoDB (using a simple attribute mapping table), and Oracle Cloud Autonomous Databases.
  • Extended custom collector support to include JSON, REST, and CSV.
  • Collection of before/after values of modified records using Oracle GoldenGate integrated extract process (restricted license included) that supports Oracle and Microsoft SQL Server Databases.
  • Integration with Microsoft Active Directory makes it easier to centrally manage AVDF users.
  • Automated archival of audit/network event data from the Audit Vault server.
  • FIPS 140-2 compatibility for embedded databases and operating systems.
  • Ability to deploy AVDF on-premises or in Oracle Cloud.
  • Provisioning of the Security Technical Implementation Guide (STIG) unified audit policy on Oracle Database targets.
  • Fleet-wide simplified and centralized view of security configuration assessments for all Oracle Databases with database security posture management.

A list of the significant new features and enhancements introduced in AVDF 20 and later release updates can be found here. If you want to see these features in action, register for a LiveLabs guided workshop here.

What AVDF versions can I upgrade from?

You can upgrade from AVDF 12.2.0.9.0 and above to AVDF 20. If you are on a version lower than 12.2 Bundle Patch 9, you should first upgrade to that bundle patch or later and then upgrade to AVDF 20. See the AVDF Installation Guide for details.

Would my currently registered targets, customized reports, and archived data migrate if I upgraded?

Yes. After the upgrade, your currently registered targets, customized reports, and archive data will be automatically migrated to AVDF 20.

More information

How do I start using AVDF? What resources are available to help me?

Visit the Oracle website to learn more about the product and access technical briefs, datasheets, and other materials, or contact an Oracle representative near you.

Where can I download the AVDF software and the product documentation?

AVDF is available for download from the Oracle Software Delivery Cloud. Search for the Oracle Audit Vault and Database Firewall product pack. AVDF is also deployable on Oracle Cloud. Go to Oracle Cloud Marketplace and search for Oracle Audit Vault and Database Firewall.

Is there an external discussion forum?

Yes. The Oracle Audit Vault and Database Firewall forum provides a platform where you can get answers to your product questions from Oracle community experts.