Oracle Audit Vault and Database Firewall (AVDF) 20 has a revamped, modern user interface with simplified navigation for common workflows and expanded audit collection for new target types. Oracle Audit Vault and Database Firewall now expands beyond database activity monitoring to manage your Oracle Database’s security posture, enhancing its best-in-class activity monitoring capabilities with visibility into security configuration, user entitlements, and stored procedures. AVDF audits databases and monitors network-based activities to help manage the security posture of Oracle and non-Oracle databases hosted in the cloud or on-premises. Refer to the AVDF 20 Release Notes for a complete feature list.
AVDF supports native audit collection and network-based SQL traffic monitoring. Audit data and the network events from the Database Firewall are stored in the Oracle Audit Vault server. This allows you to correlate the activity data and create reports.
Oracle recommends a holistic approach and supports database auditing and network-based SQL traffic monitoring. You can start with either capability and expand your architecture to include both if needed.
AVDF 20 supports Oracle Database, Microsoft SQL Server, MySQL, IBM Db2, PostgreSQL, SAP Sybase, MongoDB, and operating system logs for Linux, Windows, Solaris, and AIX. AVDF also supports audit trails written to files in XML, CSV, and JSON format. You can use custom collectors to collect the audit logs and send them to the audit vault server for all the other targets where audit trails are written to database tables. See the Platform Support Matrix in the AVDF 20 Installation Guide for details.
AVDF can collect audit data from application tables or files (XML, JSON, CSV), map them to the standard format, and include them in a single report across all sources. For details, refer to the AVDF Developer's Guide.
Auditing typically captures detailed information after a certain event, whether directly from a SQL statement or through a stored procedure call. Monitoring SQL traffic helps you analyze and act on the SQL statement before it reaches the database, making it possible to block suspicious statements. In both cases, you can specify the conditions under which you want to collect the audit or event logs. Both give different views on the same event: one after and one before. Alerts can be raised on both of them.
Oracle recommends a holistic approach and supports database auditing and network-based SQL traffic monitoring. Customers can start with either capability and expand their architecture to include both.
AVDF provides an interface to view your Oracle audit policies and, with a single click, provision them in the target database. For Database Firewall policy, when a database firewall monitoring point is configured for the target, the default policy is automatically applied. This default policy is configured for all the targets monitored by the database firewall. It logs all logins and logouts and unique DDL and DCL statements across sessions for all the tables and views. User-defined Database Firewall policies can also be configured in the UI to allow, log, alert, substitute, or block the SQL. In addition, firewall policies can be configured for Oracle Databases to capture the returned number of rows from a SQL SELECT statement and use that data to monitor and alert you on data exfiltration attempts. For more information, refer to the Auditor's Guide.
You can configure the Database Firewall for monitoring and blocking or only for monitoring. To implement monitoring and blocking, you must configure the firewall in proxy mode, where all database traffic is routed via the Database Firewall. To implement network-based SQL traffic monitoring, you can have the span port of network switches send the traffic to the Database Firewall, or you can set up the host monitor on the database machines to forward the SQL traffic to the Database Firewall. For details, refer to the Administrator’s Guide.
Audit Vault server consolidates audit data and network SQL traffic to provide a unified view of all database activity from the audit logs or captured SQL traffic. Alerts and reports are created from the consolidated data.
Yes, AVDF provides a report that displays details of database events correlated with the original Linux OS user before the SU or SUDO transition.
AVDF 20.9 introduces a fleet-wide centralized security assessment solution for enterprises by integrating the popular Database Security Assessment Tool (DBSAT) for Oracle Databases. The full-featured assessment with compliance mappings and recommendations will help organizations clearly understand their security posture for all their Oracle Databases in one central place. Read more about it here.
Starting with AVDF 20.9, users can discover sensitive data and privileged users for Oracle Databases. AVDF 20 extends the capability of user entitlements and the DBSAT and identifies privileged users and sensitive objects for Oracle Database. This is enabled by running and scheduling the user entitlements and sensitive object discovery jobs. Once the privileged users and sensitive objects have been discovered, they can be added to the privileged user and sensitive object sets, respectively. These sets are global and can be used in multiple database firewall policies.
AVDF provides prebuilt compliance reports for GDPR, PCI, GLBA, HIPAA, IRS 1075, SOX, and UK DPA. For example, under GDPR compliance, we provide reports on who has access to your sensitive data and who is accessing your sensitive data. You can customize the reports to meet your specific objectives or industry/region-specific compliance requirements. Third-party reporting tools can also connect to the Audit Vault schema for analysis and reports.
You can enable audit policies for admin activity and name users. AVDF has predefined reports, including privileged user reports, which show all audited activity by privileged users.
AVDF users can use the all activity report to analyze which objects were accessed. AVDF can filter by user, object, dates, and more, and analyze the resulting data to see if unauthorized users have accessed the objects. Additionally, for Oracle Databases, users can use the returned rows from SQL SELECT statements to investigate data exfiltration attempts.
AVDF can be configured to check entitlements for Oracle Databases on a scheduled basis and provide differential reporting on what has changed since the last report. AVDF identifies changes to users, roles, and privileges.
Corporate security policies and regulations, such as HIPAA, require that changes made to sensitive data are audited and that the before and after values of the record are captured. AVDF captures the before/after values using the Oracle GoldenGate integrated extract process (restricted license included) and makes those available in the AVDF reports for analysis. See AVDF Administrator's Guide and Auditor's Guide for details.
AVDF is a DAM solution providing native audit data collection and network-based SQL traffic monitoring. AVDF supports alerts, reports, and audit data archival. AVDF can send events to syslog for integration with SIEM systems. AVDF repository schema is documented and can be queried by a SIEM or log aggregator, allowing for easy integration with most third-party SIEM/log analyzer products.
Oracle Database Firewall monitors the traffic to and from an Oracle Database when Oracle native network encryption or TLS network encryption is used. For non-Oracle databases that use TLS network encryption, the Database Firewall cannot interpret this SQL traffic. You can use SSL or TLS termination solutions to terminate the SQL traffic just before it reaches the Database Firewall so it can interpret the SQL traffic and enforce the policies.
AVDF encrypts collected data using transparent data encryption and encrypts the network traffic from the targets. AVDF provides a separation of duties between the administrator and the auditor and uses Database Vault to restrict access to data. See the General Security Guidelines in the AVDF Administrator's Guide for details.
AVDF 20 supports Microsoft Active Directory integration for user authentication. You can also create AVDF admins/auditors as Microsoft Active Directory users. For details, see the AVDF Administrator's Guide.
When configured per the sizing guidance, an Audit Vault server can support AVDF event data collection up to 1,000 audit trails, and each agent can support up to 20 audit trails. For sizing guidance, refer to Audit Vault and Database Firewall Best Practices and Sizing Calculator (MOS Note: 2092683.1) in the Installation Guide. You can size the CPU, memory, and disk needed for the Audit Vault server, agent, and Database Firewall based on your environment. You will need to provide the number of targets, average audit data generated per day, retention period, number of firewall targets, and other information to generate the sizing guidance.
AVDF can scale to support audit data collection from Oracle Exadata and other clustered databases. You can configure the number of agents based on the total targets and expected audit ingestion rate. In AVDF 20.5 (and later), the Audit Vault agents automatically choose the best possible configuration for improving the audit collection rate. This dynamic, multithreaded collector functionality effectively utilizes the resources of the Audit Vault server and Audit Vault agent. For details, see Registering Targets in the Administrator's Guide.
AVDF can monitor targets deployed on-premises and in Oracle Cloud, including Oracle Autonomous Database services. The Audit Vault server collects data for traditional audit trails, fine-grained audits, Database Vault audits, and unified audits from audit trails in cloud or on-premises databases. Refer to Oracle Audit Vault And Database Firewall Hybrid Cloud Deployment in the Administrator's Guide for details.
AVDF supports high availability configuration for all the AVDF components, including the Audit Vault server, Database Firewall, and Audit Vault agent. Refer to the Administrator's Guide for details.
Audit Vault server supports data retention policies on a per-target basis, making it possible to meet internal or external compliance requirements. Audit data can be automatically archived in a low-cost external repository and retrieved as per the target-specific policy. Refer to the Administrator's Guide for details.
AVDF has a powerful alert builder that configures alerts on the collected audit and firewall data based on various conditions. AVDF can display the alert on the dashboard and send it as an email or send it to syslog.
AVDF can read and display audit data from the Database Vault audit trail in the AVDF reports. Oracle Key Vault can be added as a target in AVDF. AVDF will collect audit data from Oracle Key Vault and generate all activity reports in AVDF. From AVDF Release Update 9 onwards, DBSAT is integrated with AVDF security assessment and sensitive data discovery to assess the security posture of Oracle Databases and discover sensitive data in Oracle Databases fleet-wide.
The Enterprise Manager AVDF plug-in provides an interface within Oracle Enterprise Manager Cloud Control for administrators to manage and monitor AVDF components. Refer to System Monitoring Plug-in User's Guide for Audit Vault and Database Firewall for complete information. Refer to Compatibility with Oracle Enterprise Manager to check the supported versions of Oracle Enterprise Manager with AVDF 20.
Any Intel x86 64-bit hardware platform supported by Oracle Linux Release 8 can be used to deploy the AVDF components. Please refer to the Hardware Certification List for a complete list of certified hardware. Each Audit Vault server and Database Firewall must be installed on its dedicated x86 64-bit server. Please refer to the 2.2.1 Product Compatibility Matrix in the Installation Guide.
AVDF is also deployable in Oracle Cloud Infrastructure (OCI) from the Oracle Cloud Marketplace. With the marketplace image, it’s possible to deploy a fully functioning AVDF system within a few minutes. Oracle Cloud offers the flexibility to scale compute resources to meet growing requirements. The ease of scaling up gives the option to start with a small VM shape and scale up as the workload increases.
For sizing guidance, refer to Audit Vault and Database Firewall Best Practices and Sizing Calculator (MOS Note: 2092683.1) in the Installation Guide. You can size the CPU, memory, and disk needed for the Audit Vault server, agent, and Database Firewall based on your environment. You will need to provide the number of targets, average audit data generated per day, retention period, number of firewall targets, and other information to generate the sizing guidance.
Although AVDF can be run on virtualized environments, such as Oracle VM Server or VMware, we recommend installing it on physical hardware.
A typical proof of concept can range anywhere from two days to two weeks, depending on the number of targets and policies. There are three key steps to deployment:
1. Installation of the Audit Vault server and, optionally, Database Firewall on server machines of their choice: The whole process using the ISO image is quite simple and can be accomplished quickly in a few hours. If you deploy AVDF from Oracle Cloud Marketplace in an OCI tenancy, the system can be provisioned in just a few minutes.
2. Enabling or creating the appropriate audit or monitoring policies on the target or the Database Firewall: AVDF can help customers create default policies very quickly with a few clicks. However, depending on the use case, this can take more time.
3. Analyzing the reports and alerts: AVDF provides several dozen reports out of the box, and you can customize them further to address your compliance or security requirements.
Once the proof of concept is done, you typically spend more time setting up the backup, archival, high availability, etc., using the AVDF console. You can also add collectors for your applications using the custom collector framework.
Many of our customers have implemented AVDF without using consulting services.
Before installation, refer to the installation checklist in the Installation Guide and use the sizing spreadsheet (MOS Note: 2092683.1) to determine the appropriate hardware configuration.
AVDF is a full-stack software appliance that includes the Oracle Linux operating system, Oracle Database, and AVDF software, making it easy to deploy and upgrade all components at once. When the Audit Vault server is patched or upgraded, the agents are automatically downloaded and updated, thus minimizing deployment and upgrade time.
You can also use the backup and restore functionality to update Oracle Audit Vault and Database Firewall to a new release that provides minimal downtime for monitoring and collecting data. You can use this process to update from Oracle AVDF 20.3 and later to Release 20.9 and later. Read more here.
Oracle Audit Vault and Database Firewall (AVDF) is shipped as an appliance, and no third-party software should be installed on the Audit Vault server. See the AVDF Concepts Guide for more details.
You should consider upgrading to AVDF 20 for the following reasons. First, AVDF 12.2 ended Premier Support in March 2021. That means Oracle no longer produces periodic security patches for the product. But more importantly, the latest release of AVDF offers the following new features and capabilities:
You can upgrade from AVDF 188.8.131.52.0 and above to AVDF 20. If you are on a version lower than 12.2 Bundle Patch 9, you should upgrade it first. See the AVDF Installation Guide for details.
After the upgrade, your currently registered targets, customized reports, and archive data will be automatically migrated to AVDF 20.
Visit the Oracle Technology Network website to learn more about the product and access technical briefs, datasheets, and other materials, or contact an Oracle representative near you.
AVDF is available for download from the Oracle Software Delivery Cloud. Search for the Oracle Audit Vault and Database Firewall product pack. AVDF is also deployable on Oracle Cloud. Go to Oracle Cloud Marketplace and search for Oracle Audit Vault and Database Firewall.
Product documentation is available here.
Yes, Oracle Audit Vault and Database Firewall forum provide a platform where you can get answers to your product questions from Oracle community experts.