Linux-UNIX: Configuring S-TAP interception using Oracle Unified Audit

Use Oracle Unified Auditing (OUA) to capture user activities in Oracle database environments based on Oracle Unified Audit policies. All captured activities are stored in specific tables. Linux S-TAP x86_64 can dynamically load and use Oracle-provided libraries to connect to the configured Oracle services. The S-TAP can then pull data from the unified auditing tables, and send data to Guardium collectors.

Before you begin

With Oracle Unified Auditing, the S-TAP does not need to be on the same server where Oracle Unified Auditing is set up. It can be installed on any Linux x86_64-based server, either the same server (if Oracle is running on a Linux x86_64 platform) or a remote server. If the S-TAP is installed on a remote server, it captures database activities remotely.

If Oracle Instant Client is not already installed and configured, the root user must take the following steps:
  1. Download Oracle Instant Client rpm from the Oracle website at https://www.oracle.com/database/technologies/instant-client/linux-x86-64-downloads.html.
  2. Install the Oracle Instant Client Basic rpm on the Linux server where you install the S-TAP. For example:
    rpm -ivh oracle-instantclient-basic-21.10.0.0.0-1.el8.x86_64.rpm
  3. The installation process installs the Oracle libraries and creates the TNS_ADMIN path for Oracle Instant Client. Under the TNS_ADMIN path, add the tnsnames.ora or ldap.ora files that define the connections to the Oracle databases that the S-TAP will monitor. The TNS_ADMIN path might be similar to the following example:
    /usr/lib/oracle/21/client64/lib/network/admin
Note: The Oracle Instant Client must be installed on the same system where you install the S-TAP.

About this task

Oracle Unified Auditing with an S-TAP has the following requirements:

  • Using Guardium® S-TAP with the Oracle Unified Auditing method requires Oracle Database 18c or higher.
  • Oracle Instant Client must be version 18 or higher.
  • Unified auditing must be enabled in any Oracle database instances that you want to monitor by this method.
  • Either create a designated user for S-TAP database access, or use an existing user with sysdba privileges.

Procedure

  1. Create a designated database user (with minimal privileges) for S-TAP as follows:
    1. Connect to Oracle by using the sysdba account. For this example, the Oracle Unified Audit user is called guardium (password = password).
      CREATE USER guardium IDENTIFIED BY password;
      GRANT CONNECT, RESOURCE TO guardium;
      GRANT SELECT ANY DICTIONARY TO guardium;
      -- Network ACL that lets the user resolve host names (required by the UTL_INADDR check below)
      exec DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(host => 'localhost', ace => xs$ace_type(privilege_list => xs$name_list('connect', 'resolve'), principal_name => 'guardium', principal_type => xs_acl.ptype_db));
      
    2. Verify the new user's privileges by connecting to the Oracle instance with that name and password and running the following statements:
      select count(*) from AUDSYS.AUD$UNIFIED;
      SELECT UTL_INADDR.get_host_address FROM DUAL;

      If no errors are returned, then the user has appropriate privileges for Oracle Unified Auditing S-TAP interception.

    Note: Instead of creating a new user, you can use an existing user that has sysdba privileges.
  2. From either the Guardium GUI or the guard_tap.ini file, set the following parameters.
    • From the Guardium GUI, browse to Manage > Activity Monitoring > S-TAP Control. In the Details section of S-TAP Control, make the following updates:
      • LD library paths - The path to the Oracle Instant Client libraries that are installed on the system. For example,
        /usr/lib/oracle/19.8/client64/lib
      • SQL configuration properties directory - The TNS_ADMIN path for Oracle Instant Client. For example,
        /usr/lib/oracle/19.8/client64/lib/network/admin
    • From guard_tap.ini, set the following parameters:
      ld_library_paths=/usr/lib/oracle/19.8/client64/lib
      sqlc_properties_dir=/usr/lib/oracle/19.8/client64/lib/network/admin
  3. Add the SQL configuration. This configuration is similar to inspection engines. Use one of the following methods:
    • From the S-TAP Control page, take the following steps:
      1. Click edit S-TAP configuration.
      2. Click Add SQL Configuration.
      3. Complete the details and then click Add.
      4. Finally, click Apply to apply your changes.
    • From the CLI, call the create_sql_configuration GuardAPI command. For more information about its parameters, see create_sql_configuration.
    • From guard_tap.ini, add one section for each database instance at the end of the file:
      [SQLC_<0,1,2...>]
      data_pull_interval=300
      data_pull_num_rows=100
      db_type=oracle
      instance=on8pgre1
      timeout=300000
      username=username
      
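The following pre-flight check ties together the Instant Client prerequisites, the two paths from step 2 and the [SQLC_n] sections from step 3. It is an added example, not Guardium code or documentation: it reads a guard_tap.ini, confirms that ld_library_paths holds an Oracle client library, that sqlc_properties_dir contains tnsnames.ora or ldap.ora, that every [SQLC_n] section carries the keys shown above with db_type=oracle and numeric intervals, and that each instance name has an alias in tnsnames.ora. It assumes that the SQLC instance value is a tnsnames.ora alias, that the client library is named libclntsh.so*, that the global keys sit in a [TAP] section, and that a password= key inside an SQLC section is a mistake (step 4 stores the credentials with store_sql_credentials instead). The Instant Client tree, tnsnames.ora and both ini files are constructed inside the script so that it runs offline.

```shell
#!/bin/sh
# Pre-flight check for an S-TAP Oracle Unified Audit configuration (added example,
# not Guardium code). Assumptions: the SQLC "instance" value is a tnsnames.ora
# alias and the Instant Client library is named libclntsh.so*.

# Print KEY's value from an ini file. SECTION="" looks outside the [SQLC_n]
# sections (for the global keys); otherwise only inside [SECTION].
ini_get() {  # ini_get FILE SECTION KEY
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {
            cur = substr($0, index($0, "[") + 1); cur = substr(cur, 1, index(cur, "]") - 1); next
        }
        {
            line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line)
            if (index(line, key "=") != 1) next
            if (sec == "" && cur ~ /^SQLC_/) next
            if (sec != "" && cur != sec) next
            print substr(line, length(key) + 2); exit
        }' "$1"
}

# List the [SQLC_n] section names in the ini file, one per line.
ini_sqlc_sections() {  # ini_sqlc_sections FILE
    sed -n 's/^[[:space:]]*\[\(SQLC_[0-9][0-9]*\)\][[:space:]]*$/\1/p' "$1"
}

is_posint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -gt 0 ]; }
fail() { echo "FAIL: $*"; rc=1; }

# Validate one guard_tap.ini: returns 0 when every check passes, 1 otherwise,
# printing one FAIL line per problem found.
check_stap_config() {  # check_stap_config INI_FILE
    ini="$1"; rc=0
    libdir=$(ini_get "$ini" "" ld_library_paths)
    tnsdir=$(ini_get "$ini" "" sqlc_properties_dir)
    [ -n "$libdir" ] || fail "ld_library_paths is not set"
    [ -z "$libdir" ] || ls "$libdir"/libclntsh.so* >/dev/null 2>&1 \
        || fail "no libclntsh.so* under ld_library_paths=$libdir"
    [ -n "$tnsdir" ] || fail "sqlc_properties_dir is not set"
    [ -z "$tnsdir" ] || [ -f "$tnsdir/tnsnames.ora" ] || [ -f "$tnsdir/ldap.ora" ] \
        || fail "no tnsnames.ora or ldap.ora under sqlc_properties_dir=$tnsdir"
    sections=$(ini_sqlc_sections "$ini")
    [ -n "$sections" ] || fail "no [SQLC_n] section found"
    for sec in $sections; do
        for key in db_type instance username data_pull_interval data_pull_num_rows timeout; do
            [ -n "$(ini_get "$ini" "$sec" "$key")" ] || fail "[$sec] is missing $key"
        done
        dbt=$(ini_get "$ini" "$sec" db_type)
        [ -z "$dbt" ] || [ "$dbt" = oracle ] || fail "[$sec] db_type=$dbt, expected oracle"
        for key in data_pull_interval data_pull_num_rows timeout; do
            v=$(ini_get "$ini" "$sec" "$key")
            [ -z "$v" ] || is_posint "$v" || fail "[$sec] $key=$v is not a positive integer"
        done
        inst=$(ini_get "$ini" "$sec" instance)
        if [ -n "$inst" ] && [ -f "$tnsdir/tnsnames.ora" ]; then
            grep -qi "^[[:space:]]*$inst[[:space:]]*=" "$tnsdir/tnsnames.ora" \
                || fail "[$sec] instance=$inst has no alias in $tnsdir/tnsnames.ora"
        fi
        # Credentials go through store_sql_credentials (step 4), never into the ini file.
        [ -z "$(ini_get "$ini" "$sec" password)" ] \
            || fail "[$sec] holds a plaintext password; use store_sql_credentials instead"
    done
    return $rc
}

# Constructed fixture: a stand-in Instant Client tree, a tnsnames.ora, a valid
# ini and one with three mistakes (no db_type, unknown alias, inline password).
demo_fixture() {  # demo_fixture DIR
    d="$1"; mkdir -p "$d/client64/lib/network/admin"
    : > "$d/client64/lib/libclntsh.so.21.1"
    cat > "$d/client64/lib/network/admin/tnsnames.ora" <<EOF
ON8PGRE1 =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = db.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = on8pgre1)))
EOF
    cat > "$d/good.ini" <<EOF
[TAP]
ld_library_paths=$d/client64/lib
sqlc_properties_dir=$d/client64/lib/network/admin
[SQLC_0]
data_pull_interval=300
data_pull_num_rows=100
db_type=oracle
instance=on8pgre1
timeout=300000
username=guardium
EOF
    { sed -e '/^db_type=/d' -e 's/^instance=.*/instance=orclpdb/' "$d/good.ini"
      echo "password=password"; } > "$d/bad.ini"
}

# Demo run on the constructed fixture; point check_stap_config at your own guard_tap.ini instead.
demo_dir=$(mktemp -d); demo_fixture "$demo_dir"
for f in good bad; do
    if check_stap_config "$demo_dir/$f.ini"; then echo "$f.ini: OK"; else echo "$f.ini: rejected"; fi
done
rm -rf "$demo_dir"
```

Run it once after editing guard_tap.ini and before restarting the S-TAP: a rejected file lists every problem at once, and the tnsnames.ora cross-check catches the common case where the SQLC section names a service that the Instant Client cannot resolve.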
  4. Store the username and password pair for the designated user that you created (or for an existing user).
    You can store the credentials from either the Guardium GuardAPI (CLI) or the S-TAP Control page in the Guardium GUI.
    • From the CLI, run the store_sql_credentials GuardAPI command. For example,
      grdapi store_sql_credentials stapHost=STAPHOST username=guardium password=password
    • From the S-TAP Control page in the Guardium GUI:
      1. Click Send command, then select Store SQL credentials from the drop-down list.
      2. Enter the username and password, and then click Apply.
        Note: You can also update the password by entering an existing username and a new password.