Oracle AVDF Unified Audit

Oracle AVDF _ Vanderson

Uploaded by Fat Soldiers

Oracle AVDF post-installation configuration

I. Registering Hosts in the Audit Vault Server


1. Log in to the Audit Vault Server console as an administrator.

Users: SUPADMIN / SUPAUDITOR

Console URL:

https://lsvprdaudit01.om.unitel.co.ao/console/f?p=7700:LOGIN::::::

2. Click the Agents tab. A list of the registered hosts, if present, appears on the Agents page.
3. Click Register. Enter the Host Name and Host IP address.
4. Click Save.

II. Deploying and Activating the Audit Vault Agent on Secured Target Hosts
1. Click the Agents tab.
2. Click Downloads Page.
3. Download Audit Vault Agent.
4. Using an OS user account, copy the agent.jar file to the secured target's host computer.
5. On the host machine, source the database environment.
6. Validate the installed Java version. Recommended version: 1.8.0.

[oracle@lsvdevcrmdb01 ~]$ qasmm2crm19c_env
[oracle@lsvdevcrmdb01 ~]$ java -version
openjdk version "1.8.0_262"
OpenJDK Runtime Environment (build 1.8.0_262-b10)
OpenJDK 64-Bit Server VM (build 25.262-b10, mixed mode)

7. Create the Agent Home directory and extract the .jar file into it.

[oracle@lsvdevcrmdb01 ~]$ chown oracle:oinstall agent.jar
[oracle@lsvdevcrmdb01 ~]$ java -jar agent.jar -d $agent_home

III. Request Agent Activation

To request activation of the Audit Vault Agent:

1. On the Agents tab, activate the host.
2. Copy the generated activation key.
3. Start the audit agent, providing the host activation key.

[oracle@lsvdevcrmdb01 ~]$ cd $agent_home/bin
[oracle@lsvdevcrmdb01 bin]$ ./agentctl start -k
Enter Activation Key:
Agent started successfully.

IV. Stopping, Starting and Checking the Status of the Audit Vault Agent

To stop, start or check the Audit Vault Agent after the initial activation and start, run one of the following
commands from the Agent_Home/bin directory on the secured target host machine:

./agentctl stop
./agentctl start
./agentctl status

[oracle@lsvdevcrmdb01 bin]$ ./agentctl start
Agent started successfully.

[oracle@lsvdevcrmdb01 bin]$ ./agentctl status
Agent is running.

[oracle@lsvdevcrmdb01 bin]$ ./agentctl stop
Stopping Agent...

V. Verify the Agent Registration

Log in to the Audit Vault web console and navigate to the Agents tab, which shows the agent status.

It should be displayed in green and show the status "running".

VI. Register Target Database

Before registering the target, perform the following tasks.

1. Create the user

create user avdfuser identified by *********;

2. Grant the required privileges

[oracle@lsvdevcrmdb01]$ cd /u03/app/avagent/av/plugins/com.oracle.av.plugin.oracle/config/
[oracle@lsvdevcrmdb01 config]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Mon Sep 27 14:35:31 2021


Version 19.3.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0
SQL> @/u02/app/avagent/av/plugins/com.oracle.av.plugin.oracle/config/oracle_user_setup.sql AVDFUSER SETUP

Session altered.

Granting privileges to "AVDFUSER" ... Done.

Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> @/u02/app/avagent/av/plugins/com.oracle.av.plugin.oracle/config/oracle_user_setup.sql avdfuser SPA

Session altered.

Granting privileges to "AVDFUSER" ... Done.

Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.3.0.0.0

SQL> @/u02/app/avagent/av/plugins/com.oracle.av.plugin.oracle/config/oracle_user_setup.sql avdfuser ENTITLEMENT

Session altered.

Granting privileges to "AVDFUSER" ... Done.

3. Verify the grants

SQL> select granted_role from dba_role_privs where grantee='AVDFUSER';

GRANTED_ROLE
--------------------------------------------------------------------------------
AUDIT_ADMIN
AUDIT_VIEWER
RESOURCE

SQL> select privilege from dba_sys_privs where grantee='AVDFUSER';

PRIVILEGE
----------------------------------------
AUDIT ANY
AUDIT SYSTEM
CREATE SESSION

VII. Configure Unified Audit Trail Storage and Retention

Configuring auditing in the database involves two steps:

- Create a new auditing tablespace;
- Execute the procedures that set the appropriate parameters.

Before making any changes, verify the current audit settings with the following SQL query.

Current settings:

set lines 600
col OWNER for a10
col TABLE_NAME for a30
col INTERVAL for a20
select owner, table_name, interval, partitioning_type, partition_count, def_tablespace_name
  from dba_part_tables where owner = 'AUDSYS';

OWNER      TABLE_NAME           INTERVAL             PARTITIONING_TYPE PARTITION_COUNT DEF_TABLESPACE_NAME
---------- -------------------- -------------------- ----------------- --------------- -------------------
AUDSYS     AUD$UNIFIED          INTERVAL '1' MONTH   RANGE                     1048575 SYSAUX

1. Create a tablespace to record this auditing data.

SQL> CREATE TABLESPACE TBS_AUD
DATAFILE
'+DG_EIM_DATA' SIZE 10G AUTOEXTEND ON NEXT 100M MAXSIZE UNLIMITED
LOGGING
DEFAULT
NO INMEMORY
EXTENT MANAGEMENT LOCAL AUTOALLOCATE
BLOCKSIZE 8K
SEGMENT SPACE MANAGEMENT AUTO
FLASHBACK ON;

Tablespace created.

2. Set the audit trail location to the new tablespace.

SQL> BEGIN
DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_LOCATION(
audit_trail_type => dbms_audit_mgmt.audit_trail_unified,
audit_trail_location_value => 'TBS_AUD');
END;
/

PL/SQL procedure successfully completed.

SQL> BEGIN
DBMS_AUDIT_MGMT.INIT_CLEANUP(
AUDIT_TRAIL_TYPE => DBMS_AUDIT_MGMT.AUDIT_TRAIL_ALL,
DEFAULT_CLEANUP_INTERVAL => 24);
END;
/

PL/SQL procedure successfully completed.

3. Verification

set lines 600
col owner for a10
col table_name for a30
col interval for a30
select owner, table_name, interval, partitioning_type, partition_count, def_tablespace_name
  from dba_part_tables where owner = 'AUDSYS';

OWNER      TABLE_NAME           INTERVAL             PARTITIONING_TYPE PARTITION_COUNT DEF_TABLESPACE_NAME
---------- -------------------- -------------------- ----------------- --------------- -------------------
AUDSYS     AUD$UNIFIED          INTERVAL '1' MONTH   RANGE                     1048575 'TBS_AUD'

4. Alter the partition interval to daily

BEGIN
  DBMS_AUDIT_MGMT.ALTER_PARTITION_INTERVAL(
    interval_number    => 1,
    interval_frequency => 'DAY');
END;
/

5. Create the purge retention job

BEGIN
  DBMS_SCHEDULER.create_job (
    job_name        => 'PURGE_UNIFIED_AUDIT_JOB',
    job_type        => 'PLSQL_BLOCK',
    job_action      => 'BEGIN
      DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED, SYSTIMESTAMP-15);
      DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
        audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
        use_last_arch_timestamp => TRUE);
    END;',
    start_date      => '',
    repeat_interval => 'freq=daily; byhour=3; byminute=10; bysecond=0;',
    end_date        => NULL,
    enabled         => TRUE,
    comments        => 'Purge unified audit trail older than 15 days.');
END;
/
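After the purge job is in place, the following queries check that the trail really landed on TBS_AUD, that daily partitions are being created, and that the job runs and enforces the 15-day retention. They are an added example, not part of the original document; they use only the names set above (TBS_AUD, PURGE_UNIFIED_AUDIT_JOB) and assume a SYSDBA or AUDIT_ADMIN session on the target database.

```sql
-- Added verification queries (not from the original document).
-- Assumes: SYSDBA or AUDIT_ADMIN session; names TBS_AUD and
-- PURGE_UNIFIED_AUDIT_JOB as configured in the steps above.

-- 1. Trail location and cleanup interval as the database currently sees them.
SELECT audit_trail, parameter_name, parameter_value
  FROM dba_audit_mgmt_config_params
 WHERE audit_trail = 'UNIFIED AUDIT TRAIL'
 ORDER BY parameter_name;

-- 2. Partition layout: after ALTER_PARTITION_INTERVAL new partitions are daily,
--    so a 15-day retention should settle at roughly 15 partitions plus the first one.
SELECT partition_position, partition_name, tablespace_name, high_value
  FROM dba_tab_partitions
 WHERE table_owner = 'AUDSYS' AND table_name = 'AUD$UNIFIED'
 ORDER BY partition_position;

-- 3. Purge boundary written by the job (SET_LAST_ARCHIVE_TIMESTAMP).
SELECT audit_trail, rac_instance, last_archive_ts
  FROM dba_audit_mgmt_last_arch_ts;

-- 4. Is the job enabled, and when does it run next?
SELECT job_name, enabled, state, next_run_date, repeat_interval
  FROM dba_scheduler_jobs
 WHERE job_name = 'PURGE_UNIFIED_AUDIT_JOB';

-- 5. Outcome of the most recent runs; a FAILED status carries the error text.
SELECT log_date, status, run_duration, errors
  FROM dba_scheduler_job_run_details
 WHERE job_name = 'PURGE_UNIFIED_AUDIT_JOB'
 ORDER BY log_date DESC
 FETCH FIRST 5 ROWS ONLY;

-- 6. Retention check: once the job has run, the oldest surviving event should
--    not be much older than 15 days.
SELECT MIN(event_timestamp) AS oldest_event,
       MAX(event_timestamp) AS newest_event,
       COUNT(*)             AS rows_retained,
       EXTRACT(DAY FROM (SYSTIMESTAMP - MIN(event_timestamp))) AS days_retained
  FROM unified_audit_trail;
```

If query 6 keeps reporting far more than 15 days after the job has run, compare the LAST_ARCHIVE_TS from query 3 with the run details in query 5 before adjusting the retention.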

Once the database-side configuration is complete, configure the audit trail in the web console.

1. Register the database on the Targets page.

Connection string (mode): jdbc:oracle:thin:@//flbprdrac01-scan.services.unitel.co.ao:1521/PRDCAD

2. Navigate to the added target, select Audit Data Collection and add the database settings, such as trail type, agent host, etc.
3. After completing the adding step, verify using the Targets tab -> Audit Trails page. The status should be green.

VIII. Configure Unified Audit Trail Policies

Unified Auditing is more powerful and (usually) less impacting than the old auditing. Since Oracle 12.2.0.1 it also has a working relational structure that allows you to query the data.

Unified Auditing is partially enabled in mixed mode. To unleash it completely, you need to link it into your kernel; it is not linked in by default.

1. Check whether Unified Auditing is enabled on the target database (it is disabled by default):

SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER='Unified Auditing';

VALUE
----------------------------------------------------------------
FALSE
SQL>

2. To enable Unified Auditing, stop the database and relink the ORACLE_HOME binary:

[oracle@lsvdevcrmdb01 lib]$ qasmm2crm19c_env
[oracle@lsvdevcrmdb01 lib]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Jul 12 14:56:55 2022


Version 19.14.0.0.0

Copyright (c) 1982, 2021, Oracle. All rights reserved.

Connected to:
Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
Version 19.14.0.0.0

SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> exit
Disconnected from Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production
[oracle@lsvdevcrmdb01 lib]$ cd $ORACLE_HOME/rdbms/lib
[oracle@lsvdevcrmdb01 lib]$ make -f ins_rdbms.mk uniaud_on ioracle
[oracle@lsvdevcrmdb01 lib]$ sqlplus / as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Jul 12 15:00:25 2022


Version 19.14.0.0.0

Copyright (c) 1982, 2021, Oracle. All rights reserved.

Connected to an idle instance.


SQL> startup
ORACLE instance started.

Total System Global Area 6257899064 bytes


Fixed Size 8910392 bytes
Variable Size 1677721600 bytes
Database Buffers 4563402752 bytes
Redo Buffers 7864320 bytes
Database mounted.
Database opened.
SQL> SELECT VALUE FROM V$OPTION WHERE PARAMETER='Unified Auditing';

VALUE
----------------------------------------------------------------
TRUE

SQL>

3. Verify the enabled default audit policies

SQL> set lines 200
SQL> SELECT policy_name, enabled_option, entity_name
  FROM audit_unified_enabled_policies;

POLICY_NAME                    ENABLED_OPTION  ENTITY_NAME
------------------------------ --------------- ----------------
ORA_SECURECONFIG               BY USER         ALL USERS
ORA_LOGON_FAILURES             BY USER         ALL USERS

SQL>

4. Verify the audit options of the enabled policies

SQL> SET LINESIZE 200
SET PAGESIZE 300
COLUMN audit_option FORMAT A40
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50
COLUMN policy_name FORMAT A50
SELECT policy_name,
       audit_option,
       condition_eval_opt,
       audit_condition
  FROM audit_unified_policies
 ORDER BY 1,2;

5. Create a Unified Audit DDL policy

SQL> CREATE AUDIT POLICY DDL_ACTIONS_POL ACTIONS
CREATE TABLE,DROP TABLE,ALTER TABLE,GRANT,REVOKE,
CREATE VIEW,DROP VIEW,CREATE PROCEDURE,
ALTER PROCEDURE,RENAME,AUDIT,NOAUDIT,
ALTER DATABASE,ALTER USER,ALTER SYSTEM,
CREATE USER,CREATE ROLE,SET ROLE,DROP USER,
DROP ROLE,CREATE TRIGGER,ALTER TRIGGER,
DROP TRIGGER,CREATE PROFILE,DROP PROFILE,
ALTER PROFILE,DROP PROCEDURE,
CREATE MATERIALIZED VIEW,DROP MATERIALIZED VIEW,
ALTER ROLE,TRUNCATE TABLE,CREATE FUNCTION,
ALTER FUNCTION,DROP FUNCTION,CREATE PACKAGE,
ALTER PACKAGE,DROP PACKAGE,CREATE PACKAGE BODY,
ALTER PACKAGE BODY,DROP PACKAGE BODY,LOGON,LOGOFF,
CREATE DIRECTORY,DROP DIRECTORY,CREATE JAVA,
ALTER JAVA,DROP JAVA,PURGE TABLE,
CREATE PLUGGABLE DATABASE,ALTER PLUGGABLE DATABASE,
DROP PLUGGABLE DATABASE,CREATE AUDIT POLICY,
ALTER AUDIT POLICY,DROP AUDIT POLICY,
CREATE FLASHBACK ARCHIVE,ALTER FLASHBACK ARCHIVE,
DROP FLASHBACK ARCHIVE,CREATE TABLESPACE,DROP TABLESPACE;

6. Audit all Users

SQL> AUDIT POLICY DDL_ACTIONS_POL;

7. Audit Selected Users

SQL> AUDIT POLICY DDL_ACTIONS_POL BY USER1, USER2;

8. Audit all except selected Users

SQL> AUDIT POLICY DDL_ACTIONS_POL EXCEPT SYS, SYSTEM;


9. Disable Audit for all users

SQL> NOAUDIT POLICY DDL_ACTIONS_POL;

10. Disable Audit for Selected users

SQL> NOAUDIT POLICY DDL_ACTIONS_POL BY USER1, USER2;

11. Audit DML actions on all schema tables (for selected session users)

SQL> CREATE AUDIT POLICY DML_ACTIONS_POLICY
  ACTIONS DELETE, INSERT, UPDATE
  WHEN 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') in
       (''RBAGBCKADM'',''RBAGBCKAPP'',''RBAGCOREADM'',''RBAGCOREAPP'',''RDR'')'
  EVALUATE PER STATEMENT;

SQL> AUDIT POLICY DML_ACTIONS_POLICY;

12. Create an audit DML policy at schema object level

SQL> CREATE AUDIT POLICY DML_RB_F_INCOMING_UDR_N_POL
  ACTIONS DELETE on RBAGCOREADM.RB_F_INCOMING_UDR_N,
          INSERT on RBAGCOREADM.RB_F_INCOMING_UDR_N,
          UPDATE on RBAGCOREADM.RB_F_INCOMING_UDR_N;

SQL> AUDIT POLICY DML_RB_F_INCOMING_UDR_N_POL;

13. Supporting SQL queries

SQL> SELECT policy_name, enabled_option, entity_name
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'DML_ACTIONS_POLICY';

SQL> SELECT *
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'DML_ACTIONS_POLICY';

SQL> SELECT policy_name, enabled_option, entity_name
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'DDL_ACTIONS_POL';

SQL> SET LINESIZE 200
SET PAGESIZE 300
COLUMN audit_option FORMAT A40
COLUMN condition_eval_opt FORMAT A10
COLUMN audit_condition FORMAT A50
COLUMN policy_name FORMAT A20
SELECT policy_name,
       audit_option,
       condition_eval_opt,
       audit_condition
  FROM audit_unified_policies
 WHERE policy_name in ('DML_RB_F_INCOMING_UDR_N_POL')
 ORDER BY 1,2;
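Once the policies are enabled, the captured events can be checked directly in UNIFIED_AUDIT_TRAIL before relying on the Audit Vault reports. The queries below are an added example, not part of the original document; they use the policy and object names defined in steps 5 to 12 and assume a session with the AUDIT_VIEWER role. The failure threshold of 5 in the logon query is an arbitrary starting point.

```sql
-- Added detection/verification queries (not from the original document).
-- Assumes: AUDIT_VIEWER role; policies DDL_ACTIONS_POL, DML_ACTIONS_POLICY
-- and DML_RB_F_INCOMING_UDR_N_POL exist and are enabled as shown above.

-- 1. What each policy captured in the last 24 hours, by action. An empty
--    result for a policy you expect to fire means it is not enabled for
--    the users or objects you think it is.
SELECT unified_audit_policies, action_name, COUNT(*) AS events
  FROM unified_audit_trail
 WHERE event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
   AND unified_audit_policies IS NOT NULL
 GROUP BY unified_audit_policies, action_name
 ORDER BY 1, 3 DESC;

-- 2. High-impact DDL captured by DDL_ACTIONS_POL over the last week, with the
--    statement text and the caller's OS identity for change-window review.
SELECT event_timestamp, dbusername, os_username, userhost, client_program_name,
       action_name, object_schema || '.' || object_name AS object_name,
       return_code, SUBSTR(sql_text, 1, 120) AS sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%DDL_ACTIONS_POL%'
   AND action_name IN ('DROP TABLE', 'TRUNCATE TABLE', 'GRANT', 'REVOKE',
                       'CREATE USER', 'ALTER USER', 'NOAUDIT')
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '7' DAY
 ORDER BY event_timestamp DESC;

-- 3. Failed logons (ORA_LOGON_FAILURES is enabled by default), grouped by
--    source. A burst from one host/user is the usual password-guessing signal.
--    The threshold of 5 is a constructed starting value; tune it per system.
SELECT dbusername, userhost, COUNT(*) AS failures,
       MIN(event_timestamp) AS first_seen, MAX(event_timestamp) AS last_seen
  FROM unified_audit_trail
 WHERE action_name = 'LOGON' AND return_code <> 0
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 GROUP BY dbusername, userhost
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;

-- 4. DML on the protected table split by outcome: a non-zero return_code is a
--    statement that failed but was still recorded, which is itself worth review.
SELECT dbusername, action_name,
       SUM(CASE WHEN return_code = 0 THEN 1 ELSE 0 END) AS succeeded,
       SUM(CASE WHEN return_code <> 0 THEN 1 ELSE 0 END) AS failed
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%DML_RB_F_INCOMING_UDR_N_POL%'
   AND object_schema = 'RBAGCOREADM' AND object_name = 'RB_F_INCOMING_UDR_N'
 GROUP BY dbusername, action_name
 ORDER BY 1, 2;
```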

IX. Accessing Audit Data

1. Log in to the Audit Vault web console as the SUPAUDITOR user.
2. Click the Reports tab -> Activity Reports page.
3. In the Summary section, click All Activity.
4. Filter the desired data.
