Discussion:
Opinions on Oracle Audit Vault and Firewall
Chris Stephens
2017-09-26 13:14:32 UTC
Is anyone on this list willing to share their experience and general
opinion of Audit Vault and Oracle Database Firewall?

I'm looking for comments related to stability, ease of use, general value.

We have security folks recommending that we license the products but I'm
not sure anyone really knows what advantages they offer. I'm also worried
that the promotional material doesn't exactly reflect real-world usage. I
personally haven't really heard of anyone using either product.

Thanks for any input.

Chris
Leroy Kemnitz
2017-09-26 14:05:43 UTC
I just started to use the AVDF 12.2 appliance about 3 months ago. I installed it on a Linux VM. I am only using the AV portion - not the Firewall.


The security implementation on the appliance has been a challenge to get used to - but it is secure! The appliance has been stable and relatively easy to install. You will then need to deploy AVDF agents to each of your servers that you want to monitor.


I am being challenged on how to administer the ASM disks that are set up in the appliance. This is my first exposure to ASM as a DBA. Once I am up-to-speed with that part, I will need to investigate the built-in reports and what it can do for me. The default division of the disk isn't big enough to handle the event data that is being collected.


Overall, I like it but as a lone DBA in my shop - it is one more piece of Oracle technology to manage.

Jeff Chirco
2017-09-29 14:50:54 UTC
We had a security review with Oracle and they also recommended Audit Vault
and Firewall. I did a demo and it seemed interesting but as a smaller shop
here I was worried about the amount of overhead management for it and if it
would prove worthwhile. I also haven't heard of many people using it. I
asked the same question on here a few months ago and only got a few hits.
If you do go with it or do a full demo I would love to hear your recap.

Jeff
Seth Miller
2017-09-29 16:08:12 UTC
Chris,

Although they work closely together, Audit Vault and Firewall are two
completely different products. I work with AV on a regular basis and it is
very easy to set up and use, especially if you can get other folks to
manage the reporting and analytics half of the administration. As Leroy
mentioned, you need to deploy an agent on every server that will be
monitored but after that, most of the management is actually tuning the
auditing in the database.

Firewall is a whole different story. It requires much more extensive
physical setup and heavy involvement from networking and data center folks.
In the one place where I implemented it, the data center people literally
laughed at us when we told them we needed to tap into the switch spanning
ports, so we ended up investing in an infrastructure that allowed us to
have multiple physical paths to the spanning ports of our switching
infrastructure. It was a pain, a long process, and ended up being much more
expensive than we had anticipated.

My suggestion would be to start with AV. It's easy to install and easy to
manage. When you are ready, move into Firewall slowly and with lots of
planning. It wouldn't hurt to hire some folks that have done it before so
you don't have to go through some of the pains I did.


Seth
GG
2017-09-30 12:19:54 UTC
Hi,
I wonder if there is an instrumentation I can set in order to trace
ORA-00932 occurrences database-wide.
Like alter system set event 932, all in 11.2 EE, and it would be great
if it turned off after a few hits.

Regards.
GG

--
http://www.freelists.org/webpage/oracle-l
Stefan Koehler
2017-09-30 12:35:15 UTC
Hello GG,
yes, you can control this with the lifetime and/or occurrences option.

Tanel has written about this a long time ago in his blog: http://blog.tanelpoder.com/2009/03/03/the-full-power-of-oracles-diagnostic-events-part-1-syntax-for-ksd-debug-event-handling/

Best Regards
Stefan Koehler

Independent Oracle performance consultant and researcher
Website: http://www.soocs.de
GG
2017-09-30 15:27:07 UTC
Post by Stefan Koehler
Hello GG,
yes, you can control this with the lifetime and/or occurrences option.
Tanel has written about this a long time ago in his blog: http://blog.tanelpoder.com/2009/03/03/the-full-power-of-oracles-diagnostic-events-part-1-syntax-for-ksd-debug-event-handling/
Thanks Stefan,

indeed I was able to get what I want via:

ALTER system SET events '932 trace name errorstack level 3, lifetime 1';
ALTER system SET events '932 trace name context off';

One little oddity I noticed was that lifetime 1 is related to the session, so only one
trace per session, not per system.
I was expecting the trace to stop after getting one occurrence at all.
That's my impression at least.
Regards.
G

Tanel Poder
2017-10-04 04:27:43 UTC
Yep with ALTER SYSTEM you're really setting this event for every session,
so it's enabled in all sessions and every session will have its own
independent lifetime counter.

This may also be interesting/relevant when setting events with ALTER SYSTEM
(10g & 11g behave differently):

http://blog.tanelpoder.com/2013/10/07/why-doesnt-alter-system-set-events-set-the-events-or-tracing-immediately/


Tanel.
GG
2017-10-04 15:45:23 UTC
Thanks guys.
Regards.
G