
Oracle Audit Vault

This note applies to 10.2.3.0 audit vault

Oracle Audit Vault Overview


Oracle Audit Vault automates the collection and consolidation of audit data into a secure repository, enabling
efficient monitoring and reporting. It provides a secure repository for audit data, built-in reporting, event
alerting, and separation of duty between the people who administer the vault and the people who read its contents.

Oracle Audit Vault collects database audit data from the following Oracle audit sources:

- audit trail tables
- database audit files on the operating system
- syslog and the Windows Event Log
- archived redo log files, to capture the before/after values of transactions

Oracle Audit Vault can also collect audit data produced by the following non-Oracle database products:

- Microsoft SQL Server
- IBM DB2 UDB
- Sybase ASE

Oracle Audit Vault Architecture


The architecture of Audit Vault consists of two major components that work together to collect, store and secure the
audit data:

Audit Vault Server: a stand-alone application that contains a data warehouse built on a customized installation of
Oracle Database. Oracle Database Vault protects the Audit Vault data warehouse, which keeps privileged database users
out of the collected audit records. The Audit Vault Server also contains the OC4J components that support the Audit
Vault Console.

Audit Vault Collection Agent: the agent manages the collectors. A collector is specific to an audit source and acts
as the middleman between the source database and the Audit Vault Server, pulling the audit trail data from the
source and sending it to the Audit Vault Server over SQL*Net. Audit records therefore cross the network as ordinary
database traffic, so the SQL*Net path between agent and server deserves the same protection as any other database
connection.

Ahmed Fathi - Senior Oracle Consultant


P ag e |1
Email: ahmedf.dba@gmail.com Blog: http://ahfathi.blogspot.com LinkedIn: http://linkedin.com/in/ahmedfathieg


Audit Vault Server Components

OC4J
  Oracle container for Web applications, consisting of:
  - Audit Vault Administrator's Console: user interface to manage Audit Vault (collection agents, collectors, and so
    forth)
  - Audit Vault Auditor's Console: user interface for the auditor (Audit Policy Manager, reports, alerts, and so forth)
  - Oracle Enterprise Manager Database Control console: user interface to manage the raw audit data store (audit
    repository database)
  - Management Framework: sends management commands to the Audit Vault Collection Agent to start or stop collection
    agents and collectors, collects metrics, and receives management commands from the AVCTL, AVCA, AVORCLDB, and
    AVMSSQLDB command-line interfaces over HTTP, or over HTTPS with mutual certificate-based authentication
  - Audit Policy System: a service to retrieve and provision audit settings on the Oracle Database source, and a
    system to create and manage the alerts raised by audit events from all sources as they are stored in the audit
    event repository

Database Client
  Infrastructure to communicate with the audit repository, consisting of:
  - Oracle Wallet: contains the credentials used to authenticate Audit Vault users
  - Configuration Files: files used by Audit Vault for networking, preferences, and so forth

Configuration and Management Tools
  Utilities used to configure and manage Oracle Audit Vault, such as the AVCA, AVCTL, AVORCLDB, and AVMSSQLDB
  command-line utilities. They let you define and configure which sources are known to Oracle Audit Vault. Oracle
  Audit Vault stores metadata about the sources of audit data and policy information (Oracle Database audit settings
  and the alerts defined for all incoming audit records).

Audit Repository
  Oracle database used to consolidate and manage audit trail records, consisting of:
  - Raw audit data store: a partitioned table into which audit records are inserted as rows
  - Warehouse schema: an open schema of normalized audit trail records; this published data warehouse can be used
    with reporting tools such as Oracle Business Intelligence Publisher to create customized reports
  - Job scheduler: database jobs used to populate and manage the warehouse
  - Alerts queue: maintains alerts
  - Apply process: used by the REDO collector to insert the before and after values of data

Audit Vault Collection Agent Components

OC4J
  Oracle container for Web applications, consisting of:
  - Audit Vault Collector Manager: receives management commands from the Audit Vault Server to start and stop
    collectors, collect and return metrics, and so forth
  - Audit Settings Manager: receives commands from Oracle Audit Vault to extract audit settings from an Oracle
    Database source

Database Client
  Infrastructure to communicate with the audit repository, consisting of:
  - Oracle Wallet: contains the credentials used to authenticate Audit Vault users
  - Configuration Files: files used by Audit Vault for networking, preferences, and so forth

Configuration and Management Tools
  Utilities used to configure and manage Audit Vault, such as the AVCA, AVCTL, AVORCLDB, and AVMSSQLDB command-line
  utilities

Collectors
  A collector is specific to an audit source and acts as the middleman between the source and the Audit Vault
  Server, pulling the audit trail data from the source and sending it to the Audit Vault Server over SQL*Net.

Collector types:

Collector Type | Audit Source         | Audit Trail
---------------|----------------------|--------------------------------------------------------------------------
OSAUD          | Oracle Database      | On Linux and UNIX platforms: the operating system audit files (.aud) and
               |                      | XML (.xml) audit files, or the operating system logs (syslog).
               |                      | On Windows platforms: the Windows event log and the XML (.xml) audit files.
DBAUD          | Oracle Database      | The standard audit trail, written to the SYS.AUD$ dictionary table;
               |                      | the fine-grained audit trail, written to SYS.FGA_LOG$;
               |                      | the Oracle Database Vault audit trail, written to DVSYS.AUDIT_TRAIL$.
REDO           | Oracle Database      | Logical change records (LCRs) from the redo logs.
MSSQLDB        | Microsoft SQL Server | C2 audit logs, server-side trace logs, and the Windows Event log.


Oracle Audit Vault Installation


Oracle Audit Vault Server Preinstallation Requirements

Create the Oracle groups and user account (as root):

# groupadd oinstall
# groupadd dba
# mkdir -p /export/home/oracle
# mkdir /u01
# useradd -d /export/home/oracle -g oinstall -G dba -s /bin/ksh oracle
# chown oracle:dba /export/home/oracle /u01
# passwd oracle

Create the filesystem directory structure for the Oracle home:

# mkdir -p /u01/app/oracle/product/10.2.3/av_1
# chown -R oracle:oinstall /u01/app/oracle

Increase the shell limits for the oracle user

Use a text editor and add the lines listed below to /etc/security/limits.conf, /etc/pam.d/login, and /etc/profile.

/etc/security/limits.conf
oracle soft nproc 2047
oracle hard nproc 16384
oracle soft nofile 1024
oracle hard nofile 65536

/etc/pam.d/login
session required /lib/security/pam_limits.so
session required pam_limits.so

/etc/profile
if [ $USER = "oracle" ]; then
    if [ $SHELL = "/bin/ksh" ]; then
        ulimit -p 16384
        ulimit -n 65536
    else
        ulimit -u 16384 -n 65536
    fi
fi

Configure the kernel parameters

Use a text editor and add the lines listed below to /etc/sysctl.conf.

fs.file-max = 65536
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
net.core.rmem_default = 1048576
net.core.rmem_max = 1048576
net.core.wmem_default = 262144
net.core.wmem_max = 262144
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_local_port_range = 1024 65000

To make the changes effective immediately, execute:

# /sbin/sysctl -p

Configure the /etc/hosts file

The /etc/hosts file must contain a fully qualified name for the server, in the form
<IP-address> <fully-qualified-machine-name> <machine-name>

[oracle@oravaultserver log]$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain       localhost
192.168.1.60    oravaultserver.oracle.com   oravaultserver
192.168.1.65    oravaultagent.oracle.com    oravaultagent

Create the oracle user environment file

/export/home/oracle/.profile
umask 022
ORACLE_BASE=/u01/app/oracle
ORACLE_HOME=/u01/app/oracle/product/10.2.3/av_1
ORACLE_SID=avtest
LD_LIBRARY_PATH=$ORACLE_HOME/lib:$LD_LIBRARY_PATH
TMP=/tmp
TEMP=/tmp
TMPDIR=/tmp
PATH=$ORACLE_HOME/bin:$PATH
export PATH ORACLE_BASE ORACLE_HOME ORACLE_SID LD_LIBRARY_PATH
export TMP TEMP TMPDIR

Install Required Linux Packages

Check the package list for your OS version at the URL below (this note uses Oracle Enterprise Linux 5):
http://docs.oracle.com/cd/E11062_01/install.1023/e11055/avinl_preinstall.htm#BABCGHAI

To check whether a package is installed, execute:

# rpm -qa | grep <package_name>

To install or upgrade a package, execute:

# rpm -Uvh package_name.rpm


Installing the Oracle Audit Vault Server

This section describes the Advanced Installation option for a single-instance installation.
Run Oracle Universal Installer (OUI) to install Oracle Audit Vault:

cd <directory containing the Oracle Audit Vault installation files>
./runInstaller

On the Select Installation Type screen, select the Advanced Installation option, then click Next.

Enter the following information on the Advanced Installation Details screen:

1. Audit Vault Name: a unique name for the Audit Vault database
2. Audit Vault Home: the path to the Audit Vault home where you want to install Oracle Audit Vault
3. Audit Vault Administrator and Audit Vault Auditor accounts: the user names and passwords for the two roles that
   the separation of duty rests on; do not hand both to the same person or give them the same password


Enter the following information on the Database Vault User Credentials screen: the Database Vault Owner and the
Database Vault Account Manager accounts (user names and passwords).

Review the installation prerequisite checks on the Prerequisite Check screen, then click Next.

On the Specify Database Storage Options screen, select one of the following storage options: File System,
Automatic Storage Management (ASM), or Raw Devices. If you select File System, specify or browse to the location for
the data files. If you select Raw Devices, specify or browse to the raw devices mapping file. If you select ASM, you
must have already installed ASM. Make a selection and click Next.

On the Specify Backup and Recovery Options screen, choose whether or not to enable automated backups.

On the Specify Database Schema Passwords screen, either enter a different password for each privileged database
account or select "Use the same passwords for all accounts". Separate passwords are the better choice for a
repository whose purpose is separation of duty.

Review the installation summary information on the Advanced Installation Summary screen, then click Install to begin
the installation. The installer copies files, links binaries, applies patches, and runs the configuration assistants:
DBCA to create and start the Audit Vault Server database, DVCA to secure it with Database Vault, and AVCA to configure
and start the Audit Vault Console.


Run scripts as the root user when prompted by Oracle Universal Installer

After the installation completes, take note of the Oracle Enterprise Manager Database Control URL and the Audit
Vault Console URL. On the Exit page, click Exit. Then, on the Confirmation message box, click Yes to exit Oracle
Universal Installer.


Audit Vault Agent Installation

Audit Vault Agent Preinstallation: you must add (register) the Oracle Audit Vault Agent on the Oracle Audit Vault
Server before installing it. The command prompts for the agent user name and password, which you will enter again in
the agent installer:

avca add_agent -agentname <avagent name> [-agentdesc <agent description>] -agenthost <name of host where agent will be installed>

Installing the Oracle Audit Vault Agent


Run Oracle Universal Installer (OUI) to install Oracle Audit Vault Agent.
cd <directory containing the Oracle Audit Vault Agent installation files>
./runInstaller

Specify the following information on the Agent Details page, then click Next:
1) Audit Vault Agent Name The name of the agent (created in preinstallation)
2) Audit Vault Agent Home Specify the path to the Audit Vault Agent home where you want to install Oracle
Audit Vault Agent
3) Agent User Name The account name of the Audit Vault Agent User (created in preinstallation)
4) Agent User Password The password for the Audit Vault Agent user
5) Audit Vault Server Connect String: hostname:port:service_name, in that order, with a colon (:) between each item

Review the installation prerequisite checks on the Prerequisite Check screen, then click Next


On the installation Summary page, review the installation summary information. After reviewing this installation
information, click Install to begin the installation procedure.


Run scripts as the root user when prompted by Oracle Universal Installer

After the installation completes, on the Exit page, click Exit. Then, on the Confirmation message box, click Yes to exit
Oracle Universal Installer.

Start the Audit Vault Agent


The agent process is started from the Audit Vault Server home shell with avctl start_agent. For this command to
succeed, OC4J must already be running in the agent Oracle home; start it first with avctl start_oc4j from the Agent
home shell.

$ avctl start_oc4j                              (run in the Agent home)
$ avctl start_agent -agentname agnt_secsvr1     (run in the Audit Vault Server home)


Registering Oracle Database Sources and Collectors with the Audit Vault Server

Create a user on the source database. The password in the example is trivial; use a strong one, because this account
can read every audit trail on the source:
SQL> create user avuser identified by oracle;

The source user avuser must be granted a set of required privileges and roles. They are listed in
$ORACLE_HOME/av/scripts/streams/source/zarsspriv.sql, which is present in both the Audit Vault Server and the Audit
Vault Collection Agent Oracle homes (not in the source database's own home, so copy it across if needed).
Run the script on the source database as SYS to grant avuser the required privileges, passing the source user name and
the mode as arguments:
SQL> @zarsspriv.sql srcusr mode

where mode is one of:
- SETUP: for the OSAUD and DBAUD collectors, and for policy management
- REDO_COLL: for the REDO log collector; includes all privileges that SETUP grants
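As an added example (not part of the original note), the following SQL*Plus session carries the source-side account setup through end to end and then lists what the account actually received, so that excess privilege is visible before the agent's wallet is loaded with the credential. It assumes zarsspriv.sql has been copied to /tmp on the source host (the script lives in the Audit Vault homes, not in the source database home), uses a placeholder password, and is run as SYS on the source database; the user name avuser and the mode names come from the note.

```sql
-- Added example; not from the original note. Run as SYS (AS SYSDBA) on the source database.
-- Assumptions: zarsspriv.sql was copied to /tmp on the source host; the password is a placeholder.

-- 1. The collector account. Use a real passphrase: this login can read every audit trail on the source.
CREATE USER avuser IDENTIFIED BY "Replace-With-A-Strong-Passphrase";

-- 2. Grant exactly what the Audit Vault script grants for the chosen mode.
--    SETUP     : OSAUD and DBAUD collectors, plus policy management
--    REDO_COLL : REDO collector (superset of SETUP); only when a REDO collector is planned
@/tmp/zarsspriv.sql avuser SETUP

-- 3. Review every grant the account now holds, as one list (system privileges, roles, object grants).
SELECT CAST('SYS PRIV' AS VARCHAR2(8)) AS kind,
       privilege                       AS grant_name
FROM   dba_sys_privs
WHERE  grantee = 'AVUSER'
UNION ALL
SELECT 'ROLE', granted_role
FROM   dba_role_privs
WHERE  grantee = 'AVUSER'
UNION ALL
SELECT 'OBJECT', owner || '.' || table_name || ' (' || privilege || ')'
FROM   dba_tab_privs
WHERE  grantee = 'AVUSER'
ORDER BY kind, grant_name;

-- 4. A non-zero count here means a blanket administrative role was granted to the collector account.
--    For mode SETUP that should not happen. REDO_COLL sets up a Streams administrator and grants far
--    more, which is the reason to avoid it unless a REDO collector is really going to be attached.
SELECT COUNT(*) AS admin_roles
FROM   dba_role_privs
WHERE  grantee = 'AVUSER'
AND    granted_role IN ('DBA', 'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE');

-- 5. Confirm the account is open and note which password profile applies; review that profile's
--    FAILED_LOGIN_ATTEMPTS and PASSWORD_LIFE_TIME so an unnoticed lockout or expiry does not stop collection.
SELECT username, account_status, profile
FROM   dba_users
WHERE  username = 'AVUSER';
```

Keep the output of step 3 with the change record for the source: when the collector credential is ever rotated or the source is decommissioned, it tells you exactly which grants to revoke.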

Add the source database to Audit Vault

From the Audit Vault Server home shell, execute avorcldb add_source to register the source database with the Audit
Vault Server.

Note: after avorcldb add_source succeeds, an entry for the source database is created in the tnsnames.ora file in
$ORACLE_HOME/network/admin of the Audit Vault Server Oracle home.

Collector Configurations

Verify that the source database is ready for the DBAUD collector (avorcldb verify); this can be run from either the
Audit Vault Server home or the Agent home. Do the same for the REDO and OSAUD collectors, since each collector type
has its own prerequisites on the source.


From the Audit Vault Server home shell, execute avorcldb add_collector to add the DBAUD collector, and again to add
the OSAUD collector.

The REDO collector is added the same way with -colltype REDO. It additionally takes the -av argument, the Audit Vault
Server connect string (host:port:service), because change records from the redo logs are streamed into the Audit
Vault repository rather than pulled by the agent:
$ avorcldb add_collector -srcname ORCLDB -agentname avagent1 -colltype REDO -av oravaultagent:1521:ORCL

Enable the Audit Vault agent to run the Oracle Database collectors

Use the avorcldb setup command from the Agent home to update the agent's tnsnames.ora file, store the source
credentials in the agent's Oracle wallet, and verify the connection using the wallet. From this point the wallet
holds a credential for the source database, so the file permissions on the agent home matter as much as the password
itself.

Starting Collectors

Use the avctl start_collector command (with -collname and -srcname) to start each collector:
- DBAUD collector
- OSAUD collector


Registering Microsoft SQL Server Database Sources and Collector with the Audit Vault Server

Download the Microsoft SQL Server JDBC Driver

Oracle Audit Vault requires a JDBC connection to the SQL Server database and supports Microsoft SQL Server JDBC
Driver version 1.2. Download the driver (sqljdbc.jar) from the URL below and place it in the $ORACLE_HOME/jlib
directory of both the Audit Vault Server home and the Audit Vault collection agent home:
http://msdn.microsoft.com/en-us/data/aa937724.aspx

Create a User Account on the Microsoft SQL Server Database Instance

The collector uses this account to read audit data from the Microsoft SQL Server source instance. After creating the
account, the privileges you assign depend on whether the source instance is Microsoft SQL Server 2000, 2005, or 2008.

Create the user account:
1. Log in to the Microsoft SQL Server source database instance.
2. Create a login; for example, to create one named srcuser_mss:
   EXEC sp_addlogin srcuser_mss, password

For a Microsoft SQL Server 2005 or 2008 database, grant this login the ALTER TRACE permission:
1. Log in as a member of the sysadmin role.
2. Run the following command:
   GRANT ALTER TRACE TO srcuser_mss

For a Microsoft SQL Server 2000 instance, ALTER TRACE does not exist, so the login must be placed in the sysadmin fixed
server role. Note that this makes the collector account a full server administrator; on 2005 or 2008 stay with ALTER
TRACE.
1. Click Security.
2. Click Logins.
3. Right-click the login you created (srcuser_mss).
4. Click Properties.
5. In the left pane, click Server Roles.
6. Select the sysadmin option, and then click OK.
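As an added example (not from the original note), the following T-SQL does the SQL Server 2005/2008 variant with CREATE LOGIN instead of sp_addlogin, which lets the server's password policy apply to the collector login, and then verifies that the login holds ALTER TRACE and nothing more. The login name srcuser_mss is the one used in the note; the password is a placeholder.

```sql
-- Added example; not from the original note. SQL Server 2005/2008, run as a sysadmin in master.
-- The password below is a placeholder.
USE master;
GO

-- 1. Create the collector login with the server's password policy enforced.
--    Expiration is left off on purpose: a silently expired service password stops
--    collection; rotate it deliberately and re-run avmssqldb setup afterwards.
CREATE LOGIN srcuser_mss
    WITH PASSWORD = 'Replace-With-A-Strong-Passphrase',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = OFF,
         DEFAULT_DATABASE = master;
GO

-- 2. ALTER TRACE is the single server-level permission the MSSQLDB collector needs
--    in order to read the server-side trace output. Nothing else is granted.
GRANT ALTER TRACE TO srcuser_mss;
GO

-- 3. Verify the server-level permissions of the login. CONNECT SQL is implicit on
--    every login; ALTER TRACE is what was just granted. Any other row is excess.
SELECT pr.name, pe.class_desc, pe.permission_name, pe.state_desc
FROM   sys.server_principals  AS pr
JOIN   sys.server_permissions AS pe
       ON pe.grantee_principal_id = pr.principal_id
WHERE  pr.name = N'srcuser_mss'
ORDER BY pe.permission_name;

-- 4. Verify the login is not a member of any fixed server role. Any row returned here
--    is a role the collector login should not hold (the SQL Server 2000 sysadmin
--    workaround would show up as exactly such a row).
SELECT r.name AS server_role
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  m.name = N'srcuser_mss';
GO
```

Run steps 3 and 4 again after every change to the source instance's security configuration; the collector login is a standing credential held outside the database, in the agent's wallet, so its privilege should stay at the minimum the collector needs.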
Register the SQL Server Source Database Instance with Audit Vault

To register the SQL Server source database instance with Oracle Audit Vault, run the avmssqldb add_source command:
avmssqldb add_source -src 'hrdb.example.com\hr_db' -srcname mssqldb1 -desc 'HR Database'
Enter a username: srcuser_mss
Enter a password: password

Add the MSSQLDB Collector to Oracle Audit Vault

To add the MSSQLDB collector to Oracle Audit Vault, run the avmssqldb add_collector command:
avmssqldb add_collector -srcname mssqldb1 -agentname agent1
Enter a username: srcuser_mss
Enter a password: password

Enable the Audit Vault Agent to Run the MSSQLDB Collector

To enable the Oracle Audit Vault agent to run the MSSQLDB collector, run the avmssqldb setup command; it stores the
source credentials in the agent's wallet:
avmssqldb setup -srcname mssqldb1
Enter a username: srcuser_mss
Enter a password: password

Audit Vault Log Files

Audit Vault Server Log Files

Much like the Oracle Database, the Oracle Audit Vault Server generates log files that provide current status and
diagnostic information. The log files should be monitored and periodically removed to control the amount of disk
space they use. They are found in <Audit_Vault_Server_Home>/av/log.

avorcldb.log
  Description: tracks the commands issued by the avorcldb utility, which is used during the initial configuration of
  audited sources and of Audit Vault agents and collectors.
  Maintenance: safe to delete at any time.

avca.log
  Description: tracks the creation of collectors and the starting and stopping of Audit Vault agents and collectors.
  Maintenance: may only be deleted after the Audit Vault Server is shut down.

av_client-%g.log.n
  Description: collection metrics received from the Audit Vault Collection Agent. %g is a generation number that
  starts at 0 and increases once the file reaches the 10 MB limit.
  Maintenance: the files with a .log.n extension (for example av_client-0.log.1) may be deleted at any time.

Enterprise Manager stores its logs in <AuditVault_Server_Home>/<Host_Name>_<SID>/sysman/log. The file emdb.nohup in
that directory logs the activity of the Audit Vault web application, including GUI conversations, requests from the
avctl utility, and communication with the Audit Vault collection agents; use it to debug communication issues between
the server and the agents.

Audit Vault Collection Agent Log Files

The Audit Vault Collection Agent also creates several log files, which must likewise be maintained to control the
amount of disk space they use. They are found in <Audit_Vault_Collection_Agent_Home>/av/log. A collector that has
stopped shows up in these files long before it shows up as a gap in the reports, so monitoring them is part of keeping
the audit trail complete.

agent.err
  Description: all errors encountered during agent initialization and operation.
  Maintenance: safe to delete at any time.

agent.out
  Description: all primary agent-related operations and activity.
  Maintenance: may only be deleted after the Audit Vault Collection Agent is shut down.

avca.log
  Description: all AVCA commands that have been run and the result of each.
  Maintenance: safe to delete at any time.

avorcldb.log
  Description: all AVORCLDB commands that have been run and the result of each.
  Maintenance: safe to delete at any time.

<CName><SName><SId>.log
  Description: collection operations for the DBAUD and OSAUD collectors; the placeholders stand for the collector
  name, source name and source SID.
  Maintenance: may only be deleted after the Audit Vault Collection Agent is shut down.

av_client-%g.log.n
  Description: agent operations and any errors returned from those operations. %g is a generation number that starts
  at 0 and increases once the file reaches the 10 MB limit; a concurrently existing copy is indicated by a .n suffix
  appended to the file type name, where n is an integer issued in sequence, for example av_client-0.log.1.
  Maintenance: the files with a .log.n extension may be deleted at any time.

sqlnet.log
  Description: SQL*Net information.

The directory <Audit_Vault_Collection_Agent_Home>/oc4j/j2ee/home/log contains the logs generated by the Collection
Agent OC4J. In this directory, the file AVAgent-access.log records the requests the agent receives from the Audit
Vault Server; use it to debug communication issues between the server and the agent.
