Installing and Configuring Guardium, ODF, and OAV

In this appendix, we will cover the following topics:

- IBM InfoSphere Guardium Database Security
- Oracle Database Firewall
- Oracle Audit Vault

IBM InfoSphere Guardium Database Security

A Database Activity Monitor (DAM) is a non-intrusive system that implements real-time monitoring and alerting for various databases.

Non-intrusive monitoring systems are implemented by the vendor at the network communication and database shared memory level, and therefore a direct connection to the database to query or look for audit information is not required.

Generally these systems also have protection and prevention capabilities, such as blocking unauthorized access to data or blocking access that violates a defined access policy (for example, do not run the same query more than three times in a minute).

Guardium security life cycle

The Guardium life cycle can be summarized as follows:

- Discover and classify: Discover all databases, applications, and clients. Discover and classify sensitive data.

- Assess and harden: Vulnerability assessment, configuration assessment, behavioral assessment, baseline creation, configuration lock-down, and change tracking.
- Monitor and enforce: Non-intrusive monitoring, policy-based actions, anomaly detection, real-time prevention, and granular access controls.
- Audit and report: Centralized governance, compliance reporting, sign-off management, automated escalations, secure audit warehouse, data mining for forensics, and long-term retention.

Installation and configuration

Guardium is generally recommended to be installed on a dedicated system and is usually delivered as an appliance. The installation kit consists of a customized Linux distribution and the application package. Make sure the installation drive has sufficient free space (about 180 GB, or the installation will fail). Note that the installer wipes the installation drive and uses all of its available space.

1. Insert the CD, or mount the installation kit if you are installing Guardium on a virtual machine. The installation starts by creating the storage layout, followed by the installation of the Linux and Guardium packages, as shown in the following screenshot:

2. When the installation of the packages is complete, you will be asked for temporary passwords for the CLI, GUI admin, and access manager users. These passwords must be changed at the first login. If you do not set a password for the cli user during installation, the default temporary password guardium is used.
3. Enter a temporary password for the GUI ADMIN user.
4. Enter a temporary password for the ACCESS MANAGER user.

5. For a standalone installation, choose the default option, Collector; if you want to run Guardium as an aggregator, choose No.
6. At this point the installation of Guardium is finished and the system reboots automatically. Next, we proceed to the network configuration phase. Connect as the cli user with the password guardium; at this step, changing the password is mandatory.

7. Configure the IP address and network mask from the CLI (replace the placeholders with your own values):

    store network interface ip <ip address>
    store network interface mask <network mask>

8. To make these values active and persistent, reboot the system. At the CLI prompt, execute the following command:

    restart system

Deployment and configuration of S-TAP agents

Database and system monitoring is performed by deploying agents on each database server host. These agents have the generic name S-TAP. Installation and configuration of these agents can be done using an interactive installer. After the agents are deployed and communicating with the Guardium server, they can be configured remotely from the administration console. The local S-TAP installation proceeds as follows:

- As the user root, start the S-TAP installer:
- Next, the installer installs all the required libraries. The last step is the configuration of the S-TAP init file. The S-TAP configuration is contained in a file named s-tap.init; the installer opens this file for editing with vi, and you must set all the mandatory parameters (the address of the Guardium server the agent reports to among them).
- To verify that the agents are running and communicating with the Guardium server, log in to the Guardium console and check the status of the agents. Their status should be green in the console.

Performing a vulnerability assessment

Performing a vulnerability assessment is usually one of the first steps in securing and defending a database. Vulnerabilities come in many types, caused either by software bugs or by incorrect configuration.

1. To perform a vulnerability assessment, connect to the administration console, navigate to Tools, and in the Config & Control panel click on the Security Assessment Builder link, as shown in the following screenshot:

2. We must first define the data source on which the security assessment will run. The configuration of a data source is straightforward; in our case we used the following configuration. In this panel we can also test whether the connection works. We used the system user here; for a production assessment, prefer a dedicated account holding only the privileges the assessment tests need, rather than a DBA-level account. Once the connection details are in place, click on the Apply button, as shown in the following screenshot:

3. Our configured data source now appears as the target of the security assessment. Click on the Apply button, as shown in the following screenshot:

4. Next, choose the vulnerabilities to be checked. In the Tests available for addition option, check All. Then click on the ORACLE tab, select all the vulnerabilities from the list box found on this panel, and click on the Add Selections button. Click on the Select All button and then on Save. This is shown in the following screenshot:

5. A page appears with our security assessment defined. Click on the Run Once Now button to perform the security assessment.

The result of the security assessment, with details and scores, is generated as follows:

Perform the corrections the security assessment report advises and repeat the assessment until you reach a 100 percent score.

Oracle Database Firewall

Oracle Database Firewall monitors traffic at the network level using SQL grammar-based technology. In practice, it dissects the network packets and checks the SQL statements issued by the clients. It is a heterogeneous technology, with support for monitoring DB2, MS SQL, MySQL, and Sybase databases in addition to Oracle. Based on the traffic recorded over a period of time, policies can be defined using a tool called Oracle Firewall Analyzer. The definition of policies is largely based on baselines. We may have white lists, black lists, and exceptions. White-listed statements are the category of statements that may pass from clients to servers without any restriction. Black-listed statements are the category of statements that may not pass and are blocked by Oracle Database Firewall. Exceptions are the category of statements (or sessions) that are exempted from a policy.

Policies can also be associated with additional inspection criteria, such as the time of day, IP address, and username, in order to build more complex policies when needed.

Traffic can be monitored by interposing an Oracle Database Firewall between a client and a server (in-line monitoring) using bridged or proxy traffic sources, or by using network taps (out-of-band monitoring). Monitoring can run in passive mode, called Database Activity Monitoring (DAM), where statements are only logged and alerted on, or in reactive mode, called Database Policy Enforcement (DPE), where statements can also be blocked or substituted. Blocking statements requires the firewall to sit in the traffic path, as in the bridged configuration used here; a firewall fed from a tap can observe traffic but not stop it. There is also support for remote monitoring using monitoring agents, and for statements issued locally using local agents.

Along with its monitoring capabilities, Oracle Database Firewall provides real-time alerting and reporting, and ships with built-in report modules to verify compliance with regulatory requirements such as the Sarbanes-Oxley (SOX) Act, the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA).

Installation and configuration

Oracle Database Firewall consists of a custom installation of Oracle Enterprise Linux, the ODF packages, a customized WebLogic application server, and a database used as a repository for items such as policies, rules, and exceptions. For a more complex deployment with more than one Database Firewall, it is recommended to also install the Oracle Database Firewall Management Server for centralized management. Depending on the current network configuration in your organization, you can decide which type of monitoring configuration to use. We used a configuration with three network cards: one dedicated to ODF management and two for the bridged network configuration. In a bridged network configuration, all traffic from clients passes through the network devices configured on the ODF machine. We used something similar to the setup described at this link.

The installation kit for version 5.1, used in our description, consists of the following:

- Oracle Linux Release 5 Update 5 for x86 (32 Bit) - DVD
- Oracle Database Firewall Management Server 5.1 (ISO)
- Oracle Database Firewall 5.1 - Disc 1 (ISO)
- Oracle Database Firewall 5.1 - Disc 2 (ISO)
- Oracle Database Firewall 5.1 - Disc 3 (ISO)
- Oracle Database Firewall Utilities 5.1 (ISO)

The installation and configuration steps are as follows:

1. On the dedicated server for ODF, insert Disc 1 and boot from it. If you want to install the Oracle Database Firewall Management Server instead, boot from its disc.
2. After the system boots, it asks for the Oracle Enterprise Linux (OEL) disc. It then creates the disk layout and installs the core Linux system.
3. Next, Disc 2 and Disc 3 are requested and the installation continues.
4. Finally, Disc 1 is requested again and the installation finishes with the configuration steps.
5. Next, we have to configure the IP address for Oracle Database Firewall and, if needed, the gateway:

Adding and configuring protection for databases

From the client host, open a browser, enter the ODF management host and port number (the default is 80), and log in as the admin user with the temporary admin password. At this step a password change is required.

Traffic source configuration

Navigate to the System tab. In the left-hand panel, click on the Networks link, add the available network cards to Network 0, and check the Bridge Enabled option, as follows:

Adding a protected database

Navigate to the Monitoring tab. In the left-hand panel, select Protected Databases and click on Create. Enter HACKDB_ORCL as the Name, set the Database Type to Oracle, add the Address and Port Number, and click on the Save button, as shown in the following screenshot:

Creating an enforcement point

An enforcement point ties a protected database to a traffic source, a monitoring mode, and the policy to apply.

1. Navigate to the Monitoring tab. In the Enforcement Points panel, click on the Create link. Name the enforcement point HACKDB_ORCL_ENF, as shown in the following screenshot, and click on Next:
2. Choose the protected database defined before, HACKDB_ORCL, and click on Next:

3. Choose the monitoring mode, Database Policy Enforcement (DPE), select unique-nomask.dna from the available policies, and click on Next, as shown in the following screenshot:
4. A summary is now displayed; as we have not defined another traffic source, Network 0 is used by default. Finally, click on Finish. From this moment our database is being monitored.

Now verify that Oracle Database Firewall monitors the traffic from the client host to the HACKDB database server. To check that our connection is monitored, navigate to the System tab and, in the Network Traffic panel, click on the Network traffic: link. From the Level of details panel select Packet content, and from Network select Network 0. Issue a statement against the server and click on the Show Traffic button. We should see the packet's content, as shown in the following screenshot:

Using Oracle Firewall Analyzer

Oracle Firewall Analyzer is a standalone tool designed to create and modify custom policies. The following steps show how to install and use it.

1. On the Windows client, install Oracle Firewall Analyzer and launch it. From the New menu, click on New Model, select Train on Log Data, and click on the Change... button, as shown in the following screenshot:

2. Add the Traffic Log Server, which is the same IP address used during the installation of Oracle Database Firewall. Next, log in with the Oracle Database Firewall credentials as follows and click on OK, as shown in the following screenshot:

3. After the connection is established, click on the Train button. We should then see the captured statements issued in the logging interval, as shown in the following screenshot:
4. Navigate to the Baseline tab and click on the select last_name, first_name from employees statement. Set Action to Block, Logging Level to Always, and Threat Severity to Major, change Substitute Statement to select 1 from dual, and then click on OK, as shown in the following screenshot:

5. Next, go back to the main menu and click on Assign Threat Severities. At this point we are able to save the model and the policy.
6. From the New menu, save the model as test policy and export the policy as testpolicy.dna.

7. Next, we upload the new policy to Oracle Database Firewall. Navigate to the Monitoring tab and, in the Policies panel, click on the Upload link. Select testpolicy.dna and click on Save.
8. Navigate to Enforcement Points and click on the List link. HACKDB_ORCL_ENF is listed; click on its Settings button. Next, from the Policies panel, select testpolicy.dna and click on Save to enforce the policy defined with Oracle Firewall Analyzer. Make sure that in Appliance Mode, Database Policy Enforcement (DPE) is checked (in DAM mode only monitoring is performed; no reactive measures, such as statement blocking, are applied). This is shown in the following screenshot:
9. The enforcement point is now reconfigured and the currently monitored connections are dropped.

10. Reconnect to the HACKDB database and reissue select last_name, first_name from employees to verify that the current policy blocks the statement, as shown in the following screenshot. Because the policy substitutes select 1 from dual, the client receives the result of that statement rather than an error, so the blocking is silent from the client's point of view:
11. Navigate to the Oracle Database Firewall console's main page. The following screenshot shows the blocked statement listed:
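The following Python models the policy logic exercised in steps 3 to 11 above: training on logged statements produces a baseline white list, the analyst flags one statement as blocked with a substitute, and the enforcement point applies the result differently in DAM and DPE mode. It is an added example, not part of the original appendix and not Oracle's implementation; the statement normalisation, the rule fields, the exemption criteria and the sample statements are assumptions made for the example.

```python
"""Illustrative model of baseline-driven SQL policy enforcement.

Added example, not Oracle Database Firewall code. A statement is reduced
to its grammar signature (literals masked), looked up in the baseline built
from the training log, and the matching rule decides pass / block / substitute.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

_STRING = re.compile(r"'(?:[^']|'')*'")      # SQL string literal
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")    # numeric literal
_SPACES = re.compile(r"\s+")
_PUNCT = re.compile(r"\s*([=<>,()])\s*")


def normalize(sql: str) -> str:
    """Grammar signature: literals masked, case and spacing canonicalised."""
    s = sql.strip().rstrip(";").lower()
    s = _STRING.sub("?", s)
    s = _NUMBER.sub("?", s)
    s = _SPACES.sub(" ", s)
    return _PUNCT.sub(r"\1", s)


@dataclass
class Rule:
    action: str = "pass"              # "pass" (white list) or "block" (black list)
    log: str = "unique"               # "always", "unique" or "never" (assumed levels)
    severity: str = "minimal"
    substitute: Optional[str] = None  # sent to the database instead when blocked


@dataclass
class Exemption:
    """Exception: sessions matching all set fields are never blocked (None = any)."""
    user: Optional[str] = None
    client_ip: Optional[str] = None
    hours: Optional[tuple] = None     # (start, end) hour window, end exclusive

    def matches(self, user: str, client_ip: str, hour: int) -> bool:
        return ((self.user is None or self.user == user)
                and (self.client_ip is None or self.client_ip == client_ip)
                and (self.hours is None or self.hours[0] <= hour < self.hours[1]))


@dataclass
class Policy:
    baseline: Dict[str, Rule]
    novel_rule: Rule                  # applied to statements never seen in training
    exceptions: List[Exemption] = field(default_factory=list)
    seen: Set[str] = field(default_factory=set)


@dataclass
class Decision:
    signature: str
    action: str                       # "pass", "block" or "log-only"
    forwarded: Optional[str]          # what reaches the database (None = dropped)
    severity: str
    logged: bool


def train(log_statements: List[str], novel_rule: Rule) -> Policy:
    """Train on log data: every observed signature becomes a white-listed rule."""
    return Policy(baseline={normalize(s): Rule() for s in log_statements},
                  novel_rule=novel_rule)


def evaluate(policy: Policy, sql: str, user: str, client_ip: str,
             hour: int, mode: str = "DPE") -> Decision:
    """Apply the policy; mode is "DAM" (monitor only) or "DPE" (enforce)."""
    sig = normalize(sql)
    rule = policy.baseline.get(sig, policy.novel_rule)
    logged = rule.log == "always" or (rule.log == "unique" and sig not in policy.seen)
    policy.seen.add(sig)
    exempt = any(e.matches(user, client_ip, hour) for e in policy.exceptions)
    if rule.action == "pass" or exempt:
        return Decision(sig, "pass", sql, rule.severity, logged)
    if mode == "DAM":                 # passive: record the violation, let it through
        return Decision(sig, "log-only", sql, rule.severity, True)
    return Decision(sig, "block", rule.substitute, rule.severity, True)


if __name__ == "__main__":
    # Constructed training log standing in for the captured traffic.
    policy = train(["select last_name, first_name from employees",
                    "select * from departments where department_id = 10"],
                   novel_rule=Rule("block", "always", "major"))
    # The analyst's decision from the Baseline tab: block and substitute.
    policy.baseline[normalize("select last_name, first_name from employees")] = Rule(
        "block", "always", "major", substitute="select 1 from dual")
    print(evaluate(policy, "SELECT last_name, first_name FROM employees", "hr", "10.0.0.5", 11))
```

Two points worth noticing: masking literals is what makes a "unique" baseline useful (the same query with different bind values is one signature), and a novel statement under a blocking novel_rule is dropped rather than substituted unless the analyst supplies a substitute.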

Oracle Audit Vault

Oracle Audit Vault addresses the centralization, separation, and protection of audit trails, and provides real-time alerting and reporting capabilities. As we mentioned in Chapter 8, Tracking and Analysis – Database Auditing, it is imperative to collect audit information in a location where it cannot be tampered with.

Audit Vault has heterogeneous database support. In addition to Oracle, Audit Vault can collect audit data from DB2, MS SQL, and Sybase. It is good to know that Oracle Audit Vault does not implement or alter the audit settings on the source database: it consumes what the standard auditing and fine-grained auditing already configured on the database produce (it can generate provisioning scripts for new settings, but those must be run on the source).

The Audit Vault database is architecturally designed as a warehouse. In a large organization that needs to audit many databases, the volume of audit data generated can be significant, and the Audit Vault database must be able to handle it. It is therefore important to install Oracle Audit Vault on a dedicated, powerful server. AV also offers a variety of reporting methods. Since the audit information must be protected, the Audit Vault database is configured with the Oracle Database Vault product, which keeps privileged database users, including DBAs, out of the collected trails.

The Audit Vault environment consists of an audit server, audit agents, and collectors.

Installation and configuration

The following steps present how to install and perform the initial configuration of AV:

1. Launch the installer, select the Create and configure Audit Vault option, and click on Next, as shown in the following screenshot:

2. In Audit Vault Details, configure the user names and credentials of the Audit Vault administrator, the Audit Vault auditor, the Database Vault owner, and the account manager.

3. At Management Options, depending on your local configuration, you can select either Use an existing Oracle Enterprise Manager Grid Control for database management or Use Oracle Enterprise Manager Database Control for database management.

4. Navigate through the remaining steps and finalize the installation:

Deploying and configuring agents and collectors

In order to send audit data to the Audit Vault repository, an agent, together with a set of collectors, must be deployed on each source database host.

1. Copy the agent installation kit to each source database host. Launch the installer and configure the password, the port, and the connection string for the connection to the central repository.
2. Complete the installation and proceed to the configuration.
3. On the Audit Vault server host, define the agent for audit collection as follows:

    [oracle@oraaudva Disk1]$ avca add_agent -agentname avagnt -agenthost nodeorcl1
    Enter agent user name: avagnt
    Enter agent user password:
    Re-enter agent user password:
    Agent added successfully.

4. On the source database, create a user av_collector for audit trail collection and grant it the collector privileges with the zarsspriv.sql script shipped with Audit Vault, as follows (the directory part of the script path is elided in the original):

    SQL> create user av_collector identified by "gY5 TY?z2 5";
    User created.
    SQL> @.../streams/source/zarsspriv.sql av_collector SETUP
    Granting privileges to AV_COLLECTOR ... Done.

5. On the Audit Vault host, verify whether the source database is ready for audit trail collection:

    [oracle@oraaudva Disk1]$ avorcldb verify -src nodeorcl1:1521:HACKDB -colltype ALL
    Enter Source user name: av_collector
    Enter Source password:
    source HACKDB verified for OS File Audit Collector collector
    source HACKDB verified for Aud$/FGA_LOG$ Audit Collector collector
    parameter JOB_QUEUE_INTERVAL is not set; recommended value is 1
    parameter UNDO_RETENTION 900 is not in recommended value range [3600 - ANY VALUE]
    parameter GLOBAL_NAMES false is not set to recommended value true
    source HACKDB verified for REDO Log Audit Collector collector

6. Apply the corrections on the source database as instructed by the verification output:

    SQL> alter system set global_names=true scope=both;
    System altered.
    SQL> alter system set undo_retention=3600 scope=both;
    System altered.
    SQL> alter system set job_queue_interval=1 scope=spfile;
    System altered.

7. Run the verification again, as follows:

    [oracle@oraaudva Disk1]$ avorcldb verify -src nodeorcl1:1521:HACKDB -colltype ALL
    Enter Source user name: av_collector
    Enter Source password:
    source HACKDB verified for OS File Audit Collector collector
    source HACKDB verified for Aud$/FGA_LOG$ Audit Collector collector
    source HACKDB verified for REDO Log Audit Collector collector
    [oracle@oraaudva Disk1]$

8. With this, the source database is enabled for collection. Add the source database and map it to the collection agent:

    [oracle@oraaudva ~]$ avorcldb add_source -src 10.241.132.80:1521:HACKDB -desc HACKDB -srcname HACKDB_SCHM -agentname avagnt
    Enter Source user name: av_collector
    Enter Source password:
    Adding source...
    Source added successfully.
    remember the following information for use in avctl
    Source name (srcname): HACKDB_SCHM
    Credential stored successfully.
    Mapping Source to Agent...

9. If we plan to use OS audit trails, add a collector of type OSAUD as follows:

    [oracle@oraaudva ~]$ avorcldb add_collector -srcname HACKDB_SCHM -agentname avagnt -colltype OSAUD -orclhome /u01/app/oracle/product/11.2.0/dbhome_1
    source HACKDB_SCHM verified for OS File Audit Collector collector
    Adding collector...
    Collector added successfully.
    remember the following information for use in avctl
    Collector name (collname): OSAUD_Collector
    [oracle@oraaudva ~]$

10. Add a collector of type DBAUD (database audit trail) as follows:

    [oracle@oraaudva ~]$ avorcldb add_collector -srcname HACKDB_SCHM -agentname avagnt -colltype DBAUD
    source HACKDB_SCHM verified for Aud$/FGA_LOG$ Audit Collector collector
    Adding collector...
    Collector added successfully.
    remember the following information for use in avctl
    Collector name (collname): DBAUD_Collector
    [oracle@oraaudva ~]$

11. For the redo collector, set up the agent-side connection to the source on the source host: this stores the collector credentials in the agent wallet and adds the TNS alias it will use, as follows:

    [oracle@nodeorcl1 av]$ avorcldb setup -srcname HACKDB_SCHM
    Enter Source user name: av_collector
    Enter Source password:
    adding credentials for user av_collector for connection [SRCDB21]
    Credential stored successfully.
    updated tnsnames.ora with alias [SRCDB21] to source database
    verifying SRCDB21 connection using wallet

12. Start the agent on the source database host, as follows:

    [oracle@nodeorcl1 av]$ /u01/app/oracle/product/11.2.0/avagent/bin/avctl start_agent -agentname avagnt
    Starting agent...
    Agent started successfully.
    [oracle@nodeorcl1 av]$

13. Start the collectors as follows:

    [oracle@oraaudva ~]$ avctl start_collector -collname OSAUD_Collector -srcname HACKDB_SCHM
    Starting collector...
    Collector started successfully.

    [oracle@oraaudva ~]$ avctl start_collector -collname DBAUD_Collector -srcname HACKDB_SCHM
    Starting collector...
    Collector started successfully.
    [oracle@oraaudva ~]$

Audit Vault administration

In the following section we summarize the main administrative tasks used with Audit Vault.

Open the Audit Vault administration console and log in as the AV administrator (type the password set during installation):
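The verify, fix, verify loop of steps 5 to 7 is worth scripting when many source databases have to be on-boarded. The following Python is an added example, not part of the original appendix and not an Oracle tool: it parses the output of avorcldb verify in the format printed in the transcript above and generates the ALTER SYSTEM statements that step 6 applied by hand. The regular expressions, the treatment of JOB_QUEUE_INTERVAL as a parameter that must go to the spfile (as step 6 did), and the constructed sample outputs are assumptions.

```python
"""Turn `avorcldb verify -colltype ALL` output into the required corrections.

Added example; the line formats are taken from the transcript in this
appendix, everything else is an assumption for illustration.
"""
import re
from typing import Dict, List

# Parameters that cannot be changed in the running instance and therefore
# need scope=spfile and a restart (assumed; mirrors step 6 above).
STATIC_PARAMETERS = {"JOB_QUEUE_INTERVAL"}

# The three collector types a source is verified for with -colltype ALL.
ALL_COLLECTORS = ("OS File Audit Collector",
                  "Aud$/FGA_LOG$ Audit Collector",
                  "REDO Log Audit Collector")

_VERIFIED = re.compile(r"^source (\S+) verified for (.+) collector$")
_NOT_SET = re.compile(r"^parameter (\S+) is not set; recommended value is (\S+)$")
_RANGE = re.compile(r"^parameter (\S+) (\S+) is not in recommended value range \[(\S+) - (.+)\]$")
_WRONG = re.compile(r"^parameter (\S+) (\S+) is not set to recommended value (\S+)$")


def parse_verify(output: str) -> Dict[str, object]:
    """Return the verified collector types and the parameter changes still needed."""
    verified: List[str] = []
    fixes: Dict[str, str] = {}        # parameter name -> recommended value
    for raw in output.splitlines():
        line = raw.strip()
        m = _VERIFIED.match(line)
        if m:
            verified.append(m.group(2))
            continue
        m = _NOT_SET.match(line)
        if m:
            fixes[m.group(1)] = m.group(2)
            continue
        m = _RANGE.match(line)
        if m:
            fixes[m.group(1)] = m.group(3)   # lower bound of the recommended range
            continue
        m = _WRONG.match(line)
        if m:
            fixes[m.group(1)] = m.group(3)
        # prompts and other lines are ignored
    return {"verified": verified, "fixes": fixes}


def alter_statements(fixes: Dict[str, str]) -> List[str]:
    """ALTER SYSTEM statements for the DBA; static parameters get scope=spfile."""
    stmts = []
    for name, value in sorted(fixes.items()):
        scope = "spfile" if name.upper() in STATIC_PARAMETERS else "both"
        stmts.append(f"alter system set {name.lower()}={value} scope={scope};")
    return stmts


def ready_for_collection(output: str) -> bool:
    """True only when nothing is left to fix and every collector type verified."""
    result = parse_verify(output)
    return not result["fixes"] and all(c in result["verified"] for c in ALL_COLLECTORS)


# Constructed sample: the step 5 output before corrections.
SAMPLE_VERIFY = """\
Enter Source user name: av_collector
Enter Source password:
source HACKDB verified for OS File Audit Collector collector
source HACKDB verified for Aud$/FGA_LOG$ Audit Collector collector
parameter JOB_QUEUE_INTERVAL is not set; recommended value is 1
parameter UNDO_RETENTION 900 is not in recommended value range [3600 - ANY VALUE]
parameter GLOBAL_NAMES false is not set to recommended value true
source HACKDB verified for REDO Log Audit Collector collector
"""

# Constructed sample: the step 7 output after corrections.
SAMPLE_VERIFY_CLEAN = """\
source HACKDB verified for OS File Audit Collector collector
source HACKDB verified for Aud$/FGA_LOG$ Audit Collector collector
source HACKDB verified for REDO Log Audit Collector collector
"""

if __name__ == "__main__":
    for stmt in alter_statements(parse_verify(SAMPLE_VERIFY)["fixes"]):
        print(stmt)
    print("ready:", ready_for_collection(SAMPLE_VERIFY_CLEAN))
```

Note that a source is only "ready" when every collector type verified and no parameter complaint remains; a run that prints the three verified lines but still lists a parameter must be treated as failed, which is easy to miss when reading the output by eye.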

Instead of using the command-line prompt, you can manage the collectors from the Management tab, under Collectors, as shown in the following screenshot:

Creating additional audit policies

Audit Vault can generate scripts for the various audit settings, which can then be applied on the source database:

1. Log in as the audit owner, avaudit, as shown in the following screenshot:

2. Navigate to the Audit Policy tab. The overview page shows what types of auditing are in place and how many objects or statements are audited:
3. Next, navigate to Statements and click on the Create button. The Create Object Audit page opens; check SELECT in the statement box, set Object Type to TABLE, Object to HR.DEPARTMENTS, Statement Execution Condition to Both, and DML Audit Granularity to SESSION, as shown in the following screenshot:

4. Next, we create a capture rule, which tells the redo collector which table changes to capture. Navigate to Capture Rule, set Capture Rule to Table, Table to HR.HR_EMP_DETAIL_AUD, and Capture to Both, and then click on OK, as shown in the following screenshot:
5. To generate the provisioning script, navigate to the Overview tab and click on the Save All Audit Settings button, as shown in the following screenshot:

6. A script is generated; select the last two statements and run them on the source database:

Using Audit Vault reports

Audit Vault gives us the possibility of creating different types of built-in or customized reports, as we will see in the following section.

1. Navigate to the Audit Reports tab, as shown in the following screenshot:

2. To see a summary of the collected audit data, go to Activity Overview. This is an unsorted list of the audit events captured, as illustrated in the following screenshot:

You also have the ability to perform compliance reporting. Audit Vault ships with built-in Credit Card, Financial, and Health compliance reports.

Defining an alert rule

To create an alerting condition, navigate to the Audit Policy tab and click on Create Alert Rule. In this example we create an alert rule named delete table. Set the severity level to Warning, Audit Source Type to HACKDB_SCH, Audit Event Category to DATA ACCESS, User to HR, Table to HR.HR_EMP_DETAILS_AUD, and Audit Event to DELETE.
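To make the rule's semantics concrete, the following Python is an added example (not part of the original appendix and not Audit Vault code) that applies the delete table rule, plus a second rule with the user left unspecified, to a few constructed DBAUD-style audit events. The event record layout, the action-to-category mapping and the sample events are assumptions made for the example.

```python
"""Alert rules over collected audit events, in the style of the rule above.

Added example, not Oracle Audit Vault code. A rule field left as None
matches any value, which is how "any user" rules are expressed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Simplified mapping from audited action to event category (assumed).
CATEGORY_OF = {
    "SELECT": "DATA ACCESS", "INSERT": "DATA ACCESS",
    "UPDATE": "DATA ACCESS", "DELETE": "DATA ACCESS",
    "CREATE TABLE": "OBJECT MANAGEMENT", "ALTER TABLE": "OBJECT MANAGEMENT",
    "DROP TABLE": "OBJECT MANAGEMENT",
    "GRANT": "ROLE AND PRIVILEGE MANAGEMENT", "REVOKE": "ROLE AND PRIVILEGE MANAGEMENT",
    "LOGON": "USER SESSION", "LOGOFF": "USER SESSION",
}


@dataclass(frozen=True)
class AlertRule:
    name: str
    severity: str                   # "Warning" or "Critical"
    source: Optional[str] = None    # None matches any value
    category: Optional[str] = None
    user: Optional[str] = None
    table: Optional[str] = None
    event: Optional[str] = None

    def matches(self, ev: Dict[str, str]) -> bool:
        category = CATEGORY_OF.get(ev["event"].upper(), "OTHER")
        checks = (
            (self.source, ev["source"]),
            (self.category, category),
            (self.user, ev["user"]),
            (self.table, ev.get("object", "")),
            (self.event, ev["event"]),
        )
        return all(want is None or want.upper() == have.upper() for want, have in checks)


def raise_alerts(rules: List[AlertRule], events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert per (matching rule, event), in event order."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                alerts.append({"rule": rule.name, "severity": rule.severity,
                               "user": ev["user"], "event": ev["event"],
                               "object": ev.get("object", ""), "time": ev["time"]})
    return alerts


# The rule from the text, plus a stricter one: nobody should delete from an
# audit table, whoever they are (user left as None = any user).
RULES = [
    AlertRule("delete table", "Warning", source="HACKDB_SCH", category="DATA ACCESS",
              user="HR", table="HR.HR_EMP_DETAILS_AUD", event="DELETE"),
    AlertRule("audit table tamper", "Critical", source="HACKDB_SCH",
              table="HR.HR_EMP_DETAILS_AUD", event="DELETE"),
]

# Constructed audit events standing in for collected DBAUD records.
SAMPLE_EVENTS = [
    {"time": "2012-05-01 09:12:03", "source": "HACKDB_SCH", "user": "HR",
     "event": "SELECT", "object": "HR.HR_EMP_DETAILS_AUD"},
    {"time": "2012-05-01 09:15:41", "source": "HACKDB_SCH", "user": "HR",
     "event": "DELETE", "object": "HR.HR_EMP_DETAILS_AUD"},
    {"time": "2012-05-01 09:20:09", "source": "HACKDB_SCH", "user": "SYSTEM",
     "event": "DELETE", "object": "HR.HR_EMP_DETAILS_AUD"},
    {"time": "2012-05-01 09:22:30", "source": "HACKDB_SCH", "user": "HR",
     "event": "DELETE", "object": "HR.EMPLOYEES"},
]

if __name__ == "__main__":
    for alert in raise_alerts(RULES, SAMPLE_EVENTS):
        print(alert)
```

The rule as defined in the text only fires for the HR user; the SYSTEM delete in the sample is caught only by the second, user-agnostic rule, which is the one you usually want on a table that exists to hold audit records.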
