The Audit Vault Server provides the following services:
- Audit data collection and lifecycle management
- Audit Vault Agent management
- Database Firewall management
- Audit and firewall policy management
- Alerting and notification management
- User entitlement auditing
- Stored procedure auditing (SPA)
- Reporting
- Archiving data
- High availability mode
- Published data warehouse schema that can be used with reporting tools such as Oracle Business Intelligence Publisher to create customized reports
- User access management
- Third party integrations
The Database Firewall
The Database Firewall is a dedicated server that runs the Database Firewall software. Each Database Firewall monitors SQL traffic on the network from database clients to secured target databases. The Database Firewall then sends SQL data, according to a defined firewall policy, to the Audit Vault Server to be analyzed and presented in reports.
The firewall is a dedicated server running the Database Firewall software; it monitors the SQL traffic from clients to the target databases and, according to the policy configured on the firewall, sends SQL data to the Audit Vault Server.
An Oracle AVDF auditor can create firewall policies that define rules for how the Database Firewall handles SQL traffic to the database secured target. The firewall policy specifies the types of alerts to be raised in response to specific types of SQL statements, and when to log specific statements. The policy also specifies when to block potentially harmful statements, and optionally substitute harmless SQL statements for blocked statements. To do this, the Database Firewall can operate in one of two monitoring modes:
An Oracle AVDF auditor can create firewall policies that contain the rules for how the firewall handles SQL traffic: which statements raise alerts, which specific statements are logged, which harmful statements are blocked, and so on. To do this, the Database Firewall can work in one of two modes.
- DPE Mode: Database Policy Enforcement. When in this mode, the Database Firewall applies rules in a firewall policy to monitor SQL traffic to your secured target database and raise alerts, block traffic, and/or substitute benign SQL statements for potentially destructive ones.
- DAM Mode: Database Activity Monitoring. When in this mode, the Database Firewall applies rules in a firewall policy to monitor and raise alerts about potentially harmful SQL traffic to your secured target database, but it does not block or substitute SQL statements.
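The difference between the two modes is easiest to see by running the same statements through one policy under each. The following Python model is an added illustration and not Oracle AVDF code: the rule format (a pattern, an action, an optional alert level and an optional substitute statement), the regex-based matching, the first-match-wins ordering and the sample SQL are all assumptions made for this example; the real firewall parses SQL rather than pattern-matching it.

```python
"""Toy model of how a Database Firewall policy is applied in DPE vs DAM mode.

Added illustration, not Oracle AVDF code.  The rule format, the regex-based
statement matching and the sample SQL are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    DPE = "Database Policy Enforcement"   # may block or substitute statements
    DAM = "Database Activity Monitoring"  # observe and alert only


class Action(Enum):
    LOG = "log"      # forward and record the statement
    ALERT = "alert"  # forward, record it and raise an alert
    BLOCK = "block"  # in DPE: do not forward (optionally send a substitute)


@dataclass(frozen=True)
class Rule:
    pattern: str                      # regex applied to the normalised statement
    action: Action
    alert_level: Optional[str] = None
    substitute: Optional[str] = None  # benign SQL sent instead of a blocked one


@dataclass
class Decision:
    reaches_database: Optional[str]  # text the database receives, None if dropped
    logged: bool
    alert: Optional[str]
    blocked: bool


def normalise(sql: str) -> str:
    """Collapse whitespace and case so a rule matches regardless of formatting."""
    return re.sub(r"\s+", " ", sql.strip()).upper()


# Constructed sample policy (assumption).  Rules are checked in order; first match wins.
POLICY: List[Rule] = [
    Rule(r"^DROP TABLE ", Action.BLOCK, "critical", substitute="SELECT 1 FROM DUAL"),
    # DELETE with no WHERE clause wipes the whole table
    Rule(r"^DELETE FROM \w+ ?;?$", Action.BLOCK, "critical", substitute="SELECT 1 FROM DUAL"),
    Rule(r"^GRANT .+ TO ", Action.ALERT, "warning"),
    Rule(r"^(INSERT|UPDATE|DELETE) ", Action.LOG),
]


def evaluate(sql: str, mode: Mode, policy: List[Rule] = POLICY) -> Decision:
    """Apply the policy to one statement under the given monitoring mode."""
    norm = normalise(sql)
    rule = next((r for r in policy if re.search(r.pattern, norm)), None)
    if rule is None:                       # no rule matched: pass through silently
        return Decision(sql, False, None, False)
    if rule.action is Action.LOG:
        return Decision(sql, True, None, False)
    if rule.action is Action.ALERT:
        return Decision(sql, True, rule.alert_level, False)
    # Action.BLOCK: both modes log and alert; only DPE stops the statement.
    if mode is Mode.DAM:
        return Decision(sql, True, rule.alert_level, False)
    return Decision(rule.substitute, True, rule.alert_level, True)


def run(statements: List[str], mode: Mode) -> List[Decision]:
    """Evaluate a whole session's worth of statements under one mode."""
    return [evaluate(s, mode) for s in statements]


if __name__ == "__main__":
    # Constructed sample traffic from an application session (assumption).
    traffic = [
        "SELECT * FROM employees WHERE id = 7",
        "DELETE FROM employees WHERE id = 7",
        "DELETE FROM employees",
        "drop table employees",
        "GRANT DBA TO appuser",
    ]
    for mode in (Mode.DPE, Mode.DAM):
        print(f"--- {mode.value} ---")
        for sql, d in zip(traffic, run(traffic, mode)):
            status = "BLOCKED" if d.blocked else "forwarded"
            tail = f" -> {d.reaches_database!r}" if d.blocked else ""
            print(f"{status:9} alert={d.alert or '-':8} logged={d.logged!s:5} {sql!r}{tail}")
```

Running the block shows the same DROP TABLE and unqualified DELETE being alerted in both modes but reaching the database only in DAM mode; in DPE mode the benign substitute is what the database receives.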
The Audit Vault Agent
The Audit Vault Agent retrieves the audit trail data from a secured target database and sends it to the Audit Vault Server. If the Audit Vault Agent is stopped, then the secured target database will still create an audit trail (assuming auditing is enabled). The next time you restart the Audit Vault Agent, the audit data that had been accumulating since the Audit Vault Agent was stopped is retrieved.
If the Audit Vault Agent is stopped, the target database still creates audit records (assuming auditing is enabled on the target); when the Agent is started again, it picks up the audit records from the point at which it was stopped.
You configure one Audit Vault Agent for each host and one or more audit trails for each individual secured target database. For example, if a host contains four databases, then you would configure one Audit Vault Agent for that host and one or more audit trails for each of the four databases. The number and type of audit trails that you configure depends on the secured target database type and the audit trails that you want to collect from it. See Table B-13 for information on the types of audit trails that can be configured for each secured target type.
Only one Agent is configured per host, but several audit trails can be; the audit trail types available for each target type are the ones listed in Table B-13.
You can create the Audit Vault Agent on one computer and manage multiple audit trails from there. For example, suppose you have 25 secured target databases on 25 servers. You must configure an audit trail for each of these secured target databases, but you do not need to configure an Audit Vault Agent on each of the 25 servers. Instead, just create one Audit Vault Agent to manage the 25 audit trails. Be aware, however, that for Oracle Databases you cannot use a remote Audit Vault Agent to collect audit data from users who have logged in with the SYSDBA or SYSOPER privilege, because that audit trail is written to the local file system of the database host and the Agent therefore needs file system access to it.
Placing Oracle AVDF Within Your Enterprise Architecture
The Database Firewall can connect to the database network in one of three ways:
- Through a hub, tap or network switch configured with a "spanning port": A spanning port is also known as a "mirror port" on some switches. This method sends a copy of all database traffic to the Database Firewall. This configuration enables a Database Firewall to operate as an out-of-band audit and monitoring system and produce warnings of potential attacks, but it cannot block potentially harmful traffic.
- Inline between the database clients and database: This method enables the Database Firewall to block potential attacks and/or operate as an audit or monitoring system. (It can both monitor and block SQL.)
- As a proxy: Using this method, the Database Firewall acts as a traffic proxy, and the database client applications connect to the database using the Database Firewall's proxy IP address and port.
High-Availability Modes
You can configure pairs of Database Firewalls or pairs of Audit Vault Servers, or both, to provide a high-availability system architecture. These pairs are known as resilient pairs. The resilient pair configuration works in Database Activity Monitoring (DAM) mode only. See "The Database Firewall" for information on DAM mode.
Resilient pairs work only in DAM mode.
Administrator Roles in Oracle AVDF
There are two administrator roles in Oracle AVDF, with different levels of access to secured targets:
- Super Administrator - This role can create other administrators or super administrators, has access to all secured targets, and grants access to specific secured targets and groups to an administrator.
- Administrator - Administrators can only see data for secured targets to which they have been granted access by a super administrator.