
Overview of Oracle Audit Vault and Database Firewall Installation (Part 2)

2015-01-14 16:40
The Audit Vault Server provides the following services:

Audit data collection and lifecycle management

Audit Vault Agent management

Database Firewall management

Audit and firewall policy management

Alerting and notification management

User entitlement auditing

Stored procedure auditing (SPA)

Reporting

Archiving data

High availability mode

Published data warehouse schema that can be used with reporting tools such as Oracle Business Intelligence Publisher to create customized reports

User access management

Third party integrations


The Database Firewall

The Database Firewall is a dedicated server that runs the Database Firewall software. Each Database Firewall monitors SQL traffic on the network from database clients to secured target databases. The Database Firewall then sends SQL data, according to a defined firewall policy, to the Audit Vault Server to be analyzed and presented in reports.

The firewall is a dedicated server running the Database Firewall software; it monitors the SQL traffic from clients to the target database and, according to the policy configured on the firewall, sends SQL data to the Audit Vault Server.

An Oracle AVDF auditor can create firewall policies that define rules for how the Database Firewall handles SQL traffic to the database secured target. The firewall policy specifies the types of alerts to be raised in response to specific types of SQL statements, and when to log specific statements. The policy also specifies when to block potentially harmful statements, and optionally substitute harmless SQL statements for blocked statements. To do this, the Database Firewall can operate in one of two monitoring modes:

An Oracle AVDF auditor can create firewall policies, which contain the rules for how the firewall handles SQL traffic. These policies specify which statements raise alerts, log specific SQL statements, block harmful SQL statements, and so on. To do this, the Database Firewall can operate in one of two modes.

DPE Mode: Database Policy Enforcement.
When in this mode, the Database Firewall applies rules in a firewall policy to monitor SQL traffic to your secured target database and raise alerts, block traffic, and/or substitute benign SQL statements for potentially destructive ones.

In this mode the firewall monitors SQL traffic bound for the target database and can raise alerts, block SQL, and substitute policy-conforming SQL for potentially harmful SQL.

DAM Mode: Database Activity Monitoring.
When in this mode, the Database Firewall applies rules in a firewall policy to monitor and raise alerts about potentially harmful SQL traffic to your secured target database, but it does not block or substitute SQL statements.

In this mode the firewall can only monitor and raise alerts; it cannot block or substitute SQL statements.


The Audit Vault Agent

The Audit Vault Agent retrieves the audit trail data from a secured target database and sends it to the Audit Vault Server. If the Audit Vault Agent is stopped, then the secured target database will still create an audit trail (assuming auditing is enabled). The next time you restart the Audit Vault Agent, the audit data that had been accumulating since the Audit Vault Agent was stopped is retrieved.

If the Audit Vault Agent is stopped, the target database can still create audit records (assuming auditing is enabled on the target database); when the agent is started again, it picks up the audit records from the point at which the agent was stopped.

You configure one Audit Vault Agent for each host and one or more audit trails for each individual secured target database. For example, if a host contains four databases, then you would configure one Audit Vault Agent for that host and one or more audit trails for each of the four databases. The number and type of audit trails that you configure depends on the secured target database type and the audit trails that you want to collect from it. See Table B-13 for information on the types of audit trails that can be configured for each secured target type.

Only one agent can be configured per host, but multiple audit trails can be configured. The audit trails are listed below:

Oracle Database, audit trail type TABLE, releases 10.1.x, 10.2.x, 11.x, and 12.x. Collects from the following audit trails:

Oracle Database audit trail, where standard audit events are written to the SYS.AUD$ dictionary table

Oracle Database fine-grained audit trail, where audit events are written to the SYS.FGA_LOG$ dictionary table

Oracle Database Vault audit trail, where audit events are written to the DVSYS.AUDIT_TRAIL$ dictionary table

Oracle Database 12c Unified Audit trail, where audit events are written to v$unified_audit_trail


You can create the Audit Vault Agent on one computer and manage multiple audit trails from there. For example, suppose you have 25 secured target databases on 25 servers. You must configure an audit trail for each of these secured target databases, but you do not need to configure an Audit Vault Agent on each of the 25 servers. Instead, just create one Audit Vault Agent to manage the 25 audit trails. Be aware, however, that for Oracle Databases, you cannot use a remote Audit Vault Agent to collect audit data from users who have logged in with the SYSDBA or SYSOPER privilege, because that audit trail is written to the local file system, and therefore you need file system access.

You cannot collect the audit trail of users who log in to a remote database with the SYSDBA or SYSOPER privilege, because that audit trail is stored on the local file system, so you need permission to access the file system.
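As an added example (not from the page or from Oracle's documentation), the PL/SQL block below is run as a DBA on an Oracle secured target before its TABLE audit trails are configured: it reports AUDIT_TRAIL and AUDIT_SYS_OPERATIONS (the SYSDBA/SYSOPER file-based trail noted above), then counts the rows in each of the four trails listed above, treating a trail that is missing on this release or without Database Vault as a reported case rather than an error. The output labels and column widths are my own choices.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- The four TABLE audit trails the page lists for an Oracle Database secured target
  TYPE trail_list IS TABLE OF VARCHAR2(64);
  v_trails trail_list := trail_list('SYS.AUD$', 'SYS.FGA_LOG$',
                                    'DVSYS.AUDIT_TRAIL$', 'V$UNIFIED_AUDIT_TRAIL');
  v_value  VARCHAR2(512);
  v_count  NUMBER;
BEGIN
  -- SYS.AUD$ is only populated when AUDIT_TRAIL is DB or DB,EXTENDED;
  -- the OS and XML settings write to files that a TABLE trail never reads
  SELECT value INTO v_value FROM v$parameter WHERE name = 'audit_trail';
  DBMS_OUTPUT.PUT_LINE('audit_trail          = ' || v_value);

  -- SYSDBA/SYSOPER actions go to OS files on the database host, which is
  -- why a remote Audit Vault Agent cannot collect them
  SELECT value INTO v_value FROM v$parameter WHERE name = 'audit_sys_operations';
  DBMS_OUTPUT.PUT_LINE('audit_sys_operations = ' || v_value);

  -- 12c only: V$OPTION reports whether unified auditing is enabled
  BEGIN
    SELECT value INTO v_value FROM v$option WHERE parameter = 'Unified Auditing';
    DBMS_OUTPUT.PUT_LINE('unified auditing     = ' || v_value);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      DBMS_OUTPUT.PUT_LINE('unified auditing     = not available (pre-12c)');
  END;

  -- Count rows per trail; a trail absent on this release (or without Database
  -- Vault) raises ORA-00942, which is reported instead of aborting the check
  FOR i IN 1 .. v_trails.COUNT LOOP
    BEGIN
      EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || v_trails(i) INTO v_count;
      DBMS_OUTPUT.PUT_LINE(RPAD(v_trails(i), 22) || ': ' || v_count || ' rows');
    EXCEPTION
      WHEN OTHERS THEN
        DBMS_OUTPUT.PUT_LINE(RPAD(v_trails(i), 22) || ': not available (' || SQLERRM || ')');
    END;
  END LOOP;
END;
/
```

A trail that reports 0 rows while its parameter is set usually means no AUDIT statements or FGA policies have been defined yet, so the agent would have nothing to collect.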


Placing Oracle AVDF Within Your Enterprise Architecture

An Audit Vault Agent is deployed on the host computer of the secured target, which in this case, is a database that is also protected by the Database Firewall. The Database Firewall has two connections, one for management and one for monitoring database traffic. They are treated the same way in the switch.

The firewall needs two connections, one for management and one for monitoring.

The Database Firewall can connect to the database network in one of three ways:

Through a hub, tap or network switch configured with a "spanning port": A spanning port is also known as a "mirror port" on some switches. This method sends a copy of all database traffic to the Database Firewall. This configuration enables a Database Firewall to operate as an out-of-band audit and monitoring system, and produce warnings of potential attacks, but it cannot block potentially harmful traffic.

Using a mirror port: this configuration makes the firewall an out-of-band monitoring system that can only raise alerts and cannot block SQL.

Inline between the database clients and database: This method enables the Database Firewall to block potential attacks and/or operate as an audit or monitoring system.

Can both monitor and block SQL.

As a proxy: Using this method, the Database Firewall acts as a traffic proxy, and the database client applications connect to the database using the Database Firewall's proxy IP and port address.


High-Availability Modes

You can configure pairs of Database Firewalls or pairs of Audit Vault Servers, or both, to provide a high-availability system architecture. These pairs are known as resilient pairs. The resilient pair configuration works in Database Activity Monitoring (DAM) mode only. See "The Database Firewall" for information on DAM mode.

Resilient pairs can only work in DAM mode.

Administrator Roles in Oracle AVDF

There are two administrator roles in Oracle AVDF, with different levels of access to secured targets:

Super Administrator - This role can create other administrators or super administrators, has access to all secured targets, and grants access to specific secured targets and groups to an administrator.

Administrator - Administrators can only see data for secured targets to which they have been granted access by a super administrator.