About the Device

Oracle Database is a relational database with object and Extensible Markup Language (XML) capabilities. In a relational database, all data is stored in tables that are composed of rows and columns. Oracle Database enables you to store data, update it, and efficiently retrieve it, with a high degree of performance, reliability, and scalability.

Device Information

| Entity | Particulars |
|---|---|
| Vendor Name | Oracle |
| Product Name | Database |
| Type of Device | Hosted |

Collection Method

| Log Type | Ingestion label | Preferred Logging Protocol - Format | Log collection method |
|---|---|---|---|
| Oracle | ORACLE_DB | Syslog - KV | CyberHub |

Port Requirements

| Source | Destination | Port |
|---|---|---|
| Oracle Database | CyberHub | 6514 (TCP) |

To facilitate secure communication and align with our best practice, we strongly encourage the use of Transport Layer Security (TLS) between your security devices and our Adaptive MxDR platform for event forwarding.

While we understand that TLS support may not be available on all devices, if your devices do support TLS communication, we recommend utilizing port 6514 for seamless integration.

In some cases, the upgraded version of the device might incorporate TLS support without prior notice. If you come across such a scenario or for further assistance in configuring TLS, we kindly ask you to reach out to your dedicated Adaptive MxDR Service Delivery Lead.

Device Configuration

Prerequisites

NXLog installation on Windows and Linux.

  • A central NXLog server must be set up by the customer before following the steps below.

  • On Linux, after installation go to the NXLog install location, find the ODBC module package, and install it with rpm -ivh <NXLOG-<Version>-<ODBC>.rpm>. This step is not required on Windows, where the module is installed by default.

After installing NXLog, follow the steps below:

  1. Enable Unified_Auditing on Linux Syslog

  2. Enable Unified_Auditing on DB.

  3. Read Only User Creation.

  4. ODBC Driver Installation on Windows and Linux (Tested on Redhat 8.0 and CentOS 7.0)

  5. NXLog configuration.

    1. NXLog Enterprise Edition

    2. NXLog Community Edition

 To Enable Unified Auditing For Linux Syslog

  1. Log in to your system with root permissions.

  2. Switch to the oracle user.

    su - oracle
  3. Provide the password for the oracle user.

  4. Go to the Oracle dbs directory. For example:

    cd $ORACLE_HOME/dbs
  5. Under dbs, edit the init<SID>.ora file.

    vim initORCL.ora

  6. In the file, add the two configuration lines below.

    #UNIFIED_AUDIT_SYSTEMLOG = '<FACILITY.SEVERITY>'
    #UNIFIED_AUDIT_COMMON_SYSTEMLOG = '<FACILITY.SEVERITY>'
    Example:
    UNIFIED_AUDIT_SYSTEMLOG = 'local0.info'
    UNIFIED_AUDIT_COMMON_SYSTEMLOG = 'local0.info'
    

The facility can be any of LOCAL0 to LOCAL7; choose one according to the logs you wish to monitor. The severity can be any level from DEBUG to EMERGENCY, according to the log monitoring you need.

  7. Save the file.

  8. Now edit the spfile<SID>.ora

    unified_audit_common_systemlog='local0.info'

  9. Add the above configuration at the end. Note that you must use the same <FACILITY.SEVERITY> that you set in init<SID>.ora.

  10. Save the file.

  11. Configure rsyslog on your system.

    sudo vi /etc/rsyslog.conf
    # Unified Audit Rules
    local0.info            /var/log/oracle_common_audit_records.log
    local1.info            /var/log/oracle_audit_records.log
    

  12. Restart the rsyslog service.

    systemctl restart rsyslog

  13. Log in to Oracle.

    [oracle@ip-172-31-18-18 ~]$ sqlplus /nolog
    SQL> connect username/password@<sid> as sysdba
    SQL> SHUTDOWN IMMEDIATE
    SQL> exit

  14. Now stop the listener.

    lsnrctl stop

  15. Now go to the OMS folder.

    cd $ORACLE_HOME/middleware/oms
    export OMS_HOME=/u01/app/oracle/product/middleware/oms
    $OMS_HOME/bin/emctl stop oms

If you don’t have middleware folder, go to Step 14 directly.

  16. Relink Oracle with the uniaud_on option.

    cd $ORACLE_HOME/rdbms/lib
    make -f ins_rdbms.mk uniaud_on ioracle

  17. The above command enables Unified Auditing on the DB.

  18. Restart all the Oracle services.

    sqlplus / as sysdba
    startup mount
    exit

  19. Start the listener service.

    lsnrctl start

  20. Now log in to Oracle again.

    sqlplus / as sysdba

  21. Run the query below.

    SQL> ALTER DATABASE OPEN;

  22. Now run the query.

    SQL> select * from v$option where PARAMETER = 'Unified Auditing';
    PARAMETER                  VALUE          CON_ID
    Unified Auditing           TRUE

  23. Unified Auditing is now enabled.
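
The facility and severity set in init<SID>.ora only produce a log file if a selector in rsyslog.conf matches them. The script below is an added example, not part of the original guide: it reads the UNIFIED_AUDIT_*SYSTEMLOG settings from a pfile and lists the rsyslog destinations each one reaches. The function names, the temporary files and the `*.info;mail.none` catch-all rule are assumptions made for the demo.

```sh
# Added example: rsyslog destinations per UNIFIED_AUDIT_*SYSTEMLOG setting (constructed inputs).
# audit_targets PFILE -> "param facility severity" per active (uncommented) line
audit_targets() {
    tr 'A-Z' 'a-z' < "$1" | sed -n \
      "s/^[[:space:]]*\(unified_audit_[a-z_]*systemlog\)[[:space:]]*=[[:space:]]*'\{0,1\}\([a-z0-9]*\)\.\([a-z]*\).*/\1 \2 \3/p"
}

# routes FACILITY SEVERITY RSYSLOG_CONF -> destination of every matching rule.
# Handles "fac.sev", "*", ".none" and ";" lists; "," lists and "=" are not handled.
routes() {
    awk -v fac="$1" -v sev="$2" '
    BEGIN { n = split("emerg alert crit err warning notice info debug", s, " ")
            for (i = 1; i <= n; i++) rank[s[i]] = i - 1 }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    NF >= 2 && $1 ~ /[.]/ && (sev in rank) {
        hit = 0; m = split(tolower($1), sel, ";")
        for (i = 1; i <= m; i++) {
            split(sel[i], p, "[.]")
            if (p[1] != "*" && p[1] != fac) continue
            if (p[2] == "none") hit = 0
            else if (p[2] == "*" || ((p[2] in rank) && rank[sev] <= rank[p[2]])) hit = 1
        }
        if (hit) print $2
    }' "$3"
}

# check_audit_routing PFILE RSYSLOG_CONF -> one report line per setting;
# status 0 only if a setting exists and every setting reaches a destination.
check_audit_routing() {
    seen=0; bad=0
    while read -r param fac sev; do
        [ -n "$param" ] || continue; seen=1
        dests=$(routes "$fac" "$sev" "$2" | tr '\n' ' ')
        [ -n "$dests" ] || { dests="NOT ROUTED"; bad=1; }
        echo "$param $fac.$sev -> ${dests% }"
    done <<EOF
$(audit_targets "$1")
EOF
    [ "$seen" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Demo: the guide's example values plus an assumed stock catch-all rule.
d=$(mktemp -d)
printf '%s\n' "UNIFIED_AUDIT_SYSTEMLOG = 'local0.info'" \
    "UNIFIED_AUDIT_COMMON_SYSTEMLOG = 'local0.info'" > "$d/init.ora"
printf '%s\n' '*.info;mail.none /var/log/messages' \
    'local0.info /var/log/oracle_common_audit_records.log' \
    'local1.info /var/log/oracle_audit_records.log' > "$d/rsyslog.conf"
check_audit_routing "$d/init.ora" "$d/rsyslog.conf"; rm -rf "$d"
```

With the guide's example values both parameters use local0.info, so the demo shows them reaching the common log (and the assumed catch-all) while nothing is routed to the local1.info file.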

 To Enable Unified_Auditing on DB

  1. To enable Unified Auditing on the DB, follow Step 13 to Step 23 in the section To Enable Unified Auditing For Linux Syslog.

The steps below apply if Unified Auditing is enabled on the DB. If Unified Auditing is configured to log to Linux syslog, follow the NXLog Community Edition section.

Read Only User Creation

Oracle 21c onwards

  • To start SQL*Plus without logging in to a database, at a command prompt, type the following:

    sqlplus /nolog

  • To connect as a system database administrator, at the SQL*Plus prompt, type the following command:

    connect sys/password@SID as sysdba

  • To create a read-only user, at the SQL*Plus prompt, type the following commands:

    create user read_only_user identified by password;
    grant connect to read_only_user;

  • To grant select privileges to the database user, type the following commands:

    grant select on AUDSYS.AUD$UNIFIED to read_only_user;
    -- V$INSTANCE is a public synonym; the grant has to name the underlying view
    grant select on sys.v_$instance to read_only_user;
    grant select on sys.audit_actions to read_only_user;

  • Type the following command:

    grant create session to read_only_user;

 ODBC Driver Installation

  1. Windows:

When you extract these three packages it will extract all the content in its own folder name. Copy the content of these folders into the folder instantclient_21_3 which was created in above steps.

  • Now we need to add our Oracle Client directory to the Windows PATH environment. Right-click My Computer > Advanced System Settings > Environment Variables


  • In System Variables, click New and then enter the following details:


Replace C:\Program Files\Oracle\Product\Client\instantclient_21_3 with your actual Oracle Client folder.

  • Now open the instantclient_21_3 folder in the Oracle Client folder created in Step 1 and double-click the file odbc_install.

Open Run with Windows + R and type regedit. Go to HKEY_LOCAL_MACHINE > SOFTWARE > ODBC > ODBCINST.INI, where you will find the name Oracle in instantclient_21_3.

  • Copy this name and paste it into the connection string in nxlog.conf.

  2. Linux (Red Hat and CentOS)

  • Download the ODBC driver/Instant Client for Oracle Server from https://www.oracle.com/database/technologies/instant-client/downloads.html (select the OS and click the link).

  • The page https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html opens. Download oracle-instantclient-basic-21.6.0.0.0-1.el8.x86_64.rpm and oracle-instantclient-odbc-21.6.0.0.0-1.el8.x86_64.rpm.

  • Log in to your Linux box, go to /tmp/ and create a directory named oracle with mkdir oracle.

  • Change into this directory with cd oracle.

  • Copy the above packages to this location.

  • Run the command yum install unixODBC.

  • Run the command yum install <package name> for each package, one by one.

  • After the installation, view /etc/odbcinst.ini with cat /etc/odbcinst.ini. The content of the file should look like this:

    [Oracle 19c Driver]
    Description     = Oracle ODBC driver for Oracle 21c
    Driver          = /usr/lib/oracle/21.6/client64/lib/libsqora.so.21.1
    Setup           =
    FileUsage       =
    CPTimeout       =
    CPReuse         =
    Driver Logging  = 7
    
  • The file odbc.ini is also required. If it does not exist, create it with vi /etc/odbc.ini

  • In this file, add the content below:

    [root@ip-100-108-177-17 etc]# cat /etc/odbc.ini 
    [Oracle]
    Description = ODBC Driver for Oracle 21c
    AggregateSQLType = FLOAT
    Application Attributes = T
    Attributes = W
    BatchAutocommitMode = IfAllSuccessful
    BindAsFLOAT = F
    CacheBufferSize = 20
    CloseCursor = F
    DisableDPM = F
    DisableMTS = T
    DisableRULEHint = T
    Driver = ODBC Driver for Oracle 21c
    DSN = ORCL 
    EXECSchemaOpt =
    EXECSyntax = T
    Failover = T
    FailoverDelay = 10
    FailoverRetryCount = 10
    FetchBufferSize = 64000
    ForceWCHAR = F
    LobPrefetchSize = 8192
    Lobs = T
    Longs = T
    MaxLargeData = 0
    MaxTokenSize = 8192
    MetadataIdDefault = F
    QueryTimeout = T
    ResultSets = T
    ServerName = 
    SQLGetData extensions = F
    SQLTranslateErrors = F
    StatementCache = F
    Translation DLL =
    Translation Option = 0
    UseOCIDescribeAny = F
    UserID = 
    Password = 
    
  • Now add LD_LIBRARY_PATH for above locations as below:

    export ORACLE_HOME=/usr/lib/oracle/21.6/client64
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
  • Now copy the path /usr/lib/oracle/21.6/client64/lib/libsqora.so.21.1 and paste it into the connection string in the nxlog.conf file.
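
unixODBC resolves the Driver key of a DSN either as a library path or as the name of a section in /etc/odbcinst.ini. The script below is an added example, not part of the original guide, that performs this lookup for one DSN and also flags a password stored in odbc.ini; the function names and temporary files are assumptions.

```sh
# Added example (constructed files): resolve a DSN's Driver the way unixODBC does,
# either as a library path or as a section name in odbcinst.ini.

# ini_get FILE SECTION KEY -> value of KEY inside [SECTION] (empty if absent).
# Keys are compared whole, so "Driver Logging" is never mistaken for "Driver".
ini_get() {
    awk -v sec="$2" -v key="$3" '
    /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s); insec = (s == sec); next }
    insec && /=/ {
        k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
        if (k != key) next
        v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit
    }' "$1"
}

# check_dsn ODBC_INI ODBCINST_INI DSN -> prints "ok <library>" or the problem;
# status 0 only when the driver resolves to an existing file and no password is stored.
check_dsn() {
    drv=$(ini_get "$1" "$3" Driver)
    [ -n "$drv" ] || { echo "no Driver key in [$3]"; return 1; }
    case "$drv" in
        /*) lib=$drv ;;                          # Driver is a library path
        *)  lib=$(ini_get "$2" "$drv" Driver) ;; # Driver names an odbcinst.ini section
    esac
    [ -n "$lib" ] || { echo "driver '$drv' is not defined in $2"; return 1; }
    [ -f "$lib" ] || { echo "library $lib not found"; return 1; }
    [ -z "$(ini_get "$1" "$3" Password)" ] || { echo "password stored in $1"; return 1; }
    echo "ok $lib"
}

# Demo: section and key names as in the guide; paths are temporary stand-ins.
d=$(mktemp -d); : > "$d/libsqora.so.21.1"
printf '%s\n' '[Oracle 19c Driver]' "Driver = $d/libsqora.so.21.1" > "$d/odbcinst.ini"
printf '%s\n' '[Oracle]' 'Driver = ODBC Driver for Oracle 21c' 'Password = ' > "$d/odbc.ini"
check_dsn "$d/odbc.ini" "$d/odbcinst.ini" Oracle || true   # name does not match the section
printf '%s\n' '[Oracle]' 'Driver = Oracle 19c Driver' 'Password = ' > "$d/odbc.ini"
check_dsn "$d/odbc.ini" "$d/odbcinst.ini" Oracle           # resolves to the library
rm -rf "$d"
```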

NXLog Configuration

NXLOG Enterprise Edition

  • Download and Install the NXLOG Enterprise Edition.

  • After installation, find the attached file nxlog.conf.21c

  • Download this file.

  • Now go to your NXLog configuration directory. Windows: C:\Program Files\nxlog\conf Linux: /opt/nxlog/etc/

  • Copy the file into this directory.

  • Rename the file to nxlog.conf

  • Provide proper permission.

  • Provide CYBERHUBIP in output section.

  • Restart the nxlog service.

  • The log flow will start.

For multiple Databases add multiple inputs.

NXLog Community Edition

NXLog Community Edition reads logs from the audit file created in the section To Enable Unified Auditing For Linux Syslog. These logs have much less security value than those collected with NXLog Enterprise Edition, which reads the data directly from the DB by querying it.

  • Download and Install the NXLOG Community Edition.

  • After installation, find the attached file nxlog.conf

  • Download this file.

  • Now go to your NXLog configuration directory. Windows: C:\Program Files\nxlog\conf Linux: /opt/nxlog/etc/

  • Copy the file into this directory.

  • Rename the file to nxlog.conf

  • Provide proper permission.

  • Provide Filepath in Input Section and CYBERHUBIP in output section.

  • Restart the nxlog service.

  • The log flow will start.

Integration Parameters

Parameters required from customer for Integration.

| Property | Default Value | Description |
|---|---|---|
| IP Address | Oracle Database interface IP address | Hostname or IP address of the device which forwards logs to the CyberHub |
