Oracle® Audit Vault Administrator's Guide
10g Release 2 (10.2.2)

Part Number B25321-02

3 Getting Started with Audit Vault

This chapter describes how to begin configuring Audit Vault components. Adding sources to Audit Vault and deploying collectors involves the following tasks:

  1. For Linux and UNIX platforms, check and set environment variables in the shells in which you will be interacting with the Audit Vault Server and the Audit Vault Agent (see Section 3.1).

  2. Add a source and collectors using the AVORCLDB command-line utility (see Section 3.2).

  3. Start up agents and collectors using the AVCTL command-line utility (see Section 3.3).

3.1 Checking and Setting Environment Variables (Linux and UNIX Platforms)

As the last configuration step in an Audit Vault Server and each Audit Vault Agent installation, the root.sh configuration script is run as the root (super) user. On the Audit Vault Server, this script places three scripts in the /usr/local/bin directory. Two of these scripts, coraenv and oraenv, can be called by users to set environment variables on the Audit Vault Server. However, because these two scripts are not installed as part of the Audit Vault Agent installation, you must set the environment variables in the agent shell using the appropriate operating system shell commands. The tasks to perform in the respective shells for interacting with the Audit Vault Server and the Audit Vault Agent are as follows:

Audit Vault Server Shell

At the command line, run the coraenv or oraenv script located in the /usr/local/bin directory. It sets the following environment variables in the shell in which you will be interacting with the Audit Vault Server: ORACLE_HOME, ORACLE_SID, PATH, and the shared library path variable for your platform, which is LD_LIBRARY_PATH (for Linux x86, Linux x86_64, and Solaris SPARC_64), SHLIB_PATH (for HP-UX), or LIBPATH (for AIX).

ORACLE_HOME is set to the Audit Vault Server home directory. By default, this is the directory path down to and including av_1. ORACLE_SID is set to av, the unique service name (SID) for the Audit Vault database; if your SID is set otherwise, use that SID. The script appends $ORACLE_HOME/bin to your existing PATH environment variable.

Audit Vault Agent Shell

  1. Check and manually set the ORACLE_HOME environment variable to the Audit Vault Agent home directory. By default, this is the directory path down to and including av_agent_1.

  2. Check and set the LD_LIBRARY_PATH environment variable to include $ORACLE_HOME/lib.

  3. Check and set the PATH environment variable to include $ORACLE_HOME/bin. Be sure that you append this information to the existing PATH information.

  4. Ensure that the following environment variables are unset: ORACLE_SID, TNS_ADMIN, and TWO_TASK.
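
As an added example (not part of this guide), the following POSIX shell functions perform the four agent-shell steps above and report any deviation from them. The agent home passed as an argument, the default path, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: set and verify the Audit Vault
# Agent shell environment described in Section 3.1. The agent home is passed
# as the first argument (assumed); $HOME/av_agent_1 is only a placeholder for
# "the directory path down to and including av_agent_1".

# Print LIST with DIR appended unless DIR is already one of its entries, so
# that sourcing this file repeatedly does not grow PATH or LD_LIBRARY_PATH.
list_append() {                        # list_append "$LIST" DIR
    case ":$1:" in
        *":$2:"*) printf '%s' "$1" ;;            # already present, unchanged
        *)        printf '%s' "${1:+$1:}$2" ;;   # appended, never prepended
    esac
}

# Steps 1 to 4 of the agent shell setup.
av_agent_env_set() {                   # av_agent_env_set [AGENT_HOME]
    ORACLE_HOME="${1:-$HOME/av_agent_1}"
    LD_LIBRARY_PATH=$(list_append "${LD_LIBRARY_PATH:-}" "$ORACLE_HOME/lib")
    PATH=$(list_append "$PATH" "$ORACLE_HOME/bin")
    export ORACLE_HOME LD_LIBRARY_PATH PATH
    # Step 4: a stray SID, TNS_ADMIN or TWO_TASK inherited from a database
    # profile would point AVORCLDB and AVCTL at the wrong instance.
    unset ORACLE_SID TNS_ADMIN TWO_TASK
}

# Report every deviation from the Section 3.1 agent-shell requirements.
# Returns 0 when the shell is correctly set up, 1 otherwise.
av_agent_env_check() {
    rc=0
    if [ -z "${ORACLE_HOME:-}" ]; then
        echo "ORACLE_HOME is not set"; rc=1
    fi
    case ":${LD_LIBRARY_PATH:-}:" in
        *":${ORACLE_HOME:-/nonexistent}/lib:"*) ;;
        *) echo "LD_LIBRARY_PATH does not include \$ORACLE_HOME/lib"; rc=1 ;;
    esac
    case ":$PATH:" in
        *":${ORACLE_HOME:-/nonexistent}/bin:"*) ;;
        *) echo "PATH does not include \$ORACLE_HOME/bin"; rc=1 ;;
    esac
    for v in ORACLE_SID TNS_ADMIN TWO_TASK; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            echo "$v must be unset in the agent shell (currently '$val')"; rc=1
        fi
    done
    return $rc
}
```

Source the file in the agent shell, call av_agent_env_set with the agent home, and run av_agent_env_check before starting AVORCLDB or AVCTL.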

3.2 Adding a Source and Collectors

Perform the following steps to add a source and collectors:

  1. Ensure that the source database has a password file set up. AVORCLDB connects to the source database with sysdba privileges. A connection to the source can succeed only if the password file is set up. See Oracle Database Administrator's Guide for information about the orapwd command used to create the password file.

  2. Create users, one on the Oracle source database and one on the Audit Vault Server.

    1. On the Oracle source database

      Create a user, referred to as srcusr, on the source database for use by the collectors.

      SQL> create user <srcusr name> identified by <srcusr password>;
      
      

      The srcusr must have a set of required privileges granted to it. The required privileges are listed in $ORACLE_HOME/av/scripts/streams/source/zarsspriv.sql. This script is located in both the Audit Vault Server and the Audit Vault Agent Oracle homes after an installation.

      Run this script on the source database as SYS user to grant this srcusr the required privileges using the following syntax:

      zarsspriv.sql <srcusr> <mode>
      
      

      The argument srcusr is the user to be granted the privileges, and the argument mode is one of two keywords:

      • SETUP – For policy management for the OSAUD and DBAUD collectors

      • REDO_COLL – For the REDO log collector

      Example 3-1 shows how the srcusr named srcuser1 is granted the required privileges for policy management for the OSAUD and DBAUD collectors.

      Example 3-2 shows how the srcusr named srcuser1 is granted the required privileges for the REDO collector.

      Example 3-1 Grant the Source User the Required Privileges for Policy Management

      sqlplus / as sysdba
      .
      .
      .
      SQL> @zarsspriv.sql srcuser1 SETUP 
      
      PL/SQL procedure successfully completed.
      
      

      Example 3-2 Grant the Source User the Required Privileges for the REDO Collector

      sqlplus / as sysdba
      .
      .
      .
      SQL> @zarsspriv.sql srcuser1 REDO_COLL 
      
      PL/SQL procedure successfully completed.
      
      
    2. On the Audit Vault Server

      Create or use an existing user on Audit Vault Server to be used to insert audit data for this source. This user will be referred to as avsrcusr. For example, to create this user in the Audit Vault database, follow these steps:

      • Log in to SQL*Plus as the Database Vault Account Manager.

        For the Basic installation, log in as follows:

        sqlplus /nolog
        SQL> connect <avadmin>dva
        Enter password: <avadmin user password>
        Connected.
        SQL>
        
        

        For the Advanced installation, log in as follows:

        sqlplus /nolog
        SQL> connect <dv_acctmgr user name>
        Enter password: <dv_acctmgr user password>
        Connected.
        SQL>
        
        
      • Create the Audit Vault source user.

        SQL> create user <avsrcusr name> identified by <avsrcusr password>;
        SQL> exit
        
        

      Grant proxy connect privilege to avsrcusr through the user used in the installation of the Audit Vault Agent, referred to here as agentusr, as shown in Example 3-3. You must connect using the Database Vault account manager as shown in Step 2b to run this command.

      Example 3-3 Granting Proxy Connect Privilege to <avsrcusr>

      SQL> alter user <avsrcusr> grant connect through <agentusr>; 
      SQL> exit
      
      
  3. From either the Audit Vault Server home or the Audit Vault Agent home shell, verify that the source is compatible for the collector type in the agent home. The AVORCLDB verify command checks the source database to see if the configuration on it would allow an Audit Vault collector to run against it.

    To verify that the source is compatible with each of the collectors, use the AVORCLDB verify command in the agent home shell, as shown in Example 3-4. However, before you run this command, create an environment variable named AVORCLDB_SRCUSR set to testdba/password. Then run the command.

    Note:

    The -srcusr argument can be omitted if the corresponding environment variable AVORCLDB_SRCUSR is set to testdba/password. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable.

    Example 3-4 Partly Successful Verify Operation of Source Compatibility with the Collectors

    avorcldb verify -src SRC1.US.ORACLE.COM:1521:orcl
                    -colltype ALL
    Verified source SRC1.US.ORACLE.COM for OS File Audit Collector
    Verified source SRC1.US.ORACLE.COM for Aud$/FGA_LOG$ Audit Collector
    Source database must be in ARCHIVELOG mode to use REDO Log collector
    Incorrect database compatibility 9.2.0; recommended value is 10.2.0.0.0
    Parameter _SPIN_COUNT not set; recommended value is 5000
    Parameter _JOB_QUEUE_INTERVAL not set; recommended value range [4 - ANY_VALUE]
    Parameter JOB_QUEUE_PROCESSES = 0 not in recommended value range [4 - ANY_VALUE]
    Parameter SGA_MAX_SIZE = 155189248 not in recommended value range [209715200 - ANY_VALUE]
    Parameter SGA_TARGET = 0 not in recommended value range [209715200 - ANY_VALUE]
    Parameter UNDO_RETENTION = 900 not in recommended value range [3600 - ANY_VALUE]
    Parameter GLOBAL_NAMES = false not set to recommended value true
    Please set the above init.ora parameters to recommended values
    
    

    If the AVORCLDB verify command returns an error message for a specific collector or some other message indicating a problem, examine the content of the error message, then try to fix the problem.

    In Example 3-4, a number of initialization parameters on the source database must be set or modified to use the REDO collector. For a complete list of parameters used by the REDO collector, see Appendix D.

    Retry the verify command, specifying the collector type in which there was a problem, as shown in Example 3-5. You can run this command as many times as needed until all problems are solved and this command returns a verified source message indicating success.

    Example 3-5 Successful Verify Operation of Source Compatibility with the REDO Collector

    avorcldb verify -src SRC1.US.ORACLE.COM:1521:orcl
                    -colltype REDO
    source SRC1.US.ORACLE.COM verified for REDO Log Audit Collector collector
    
    
  4. From the Audit Vault Server home shell, add the source to Audit Vault using the AVORCLDB add_source command. Pass the source user srcusr created in Step 2a (srcuser1 in this example) and the Audit Vault source user avsrcusr created in Step 2b (avsrcuser1 in this example) as arguments.

    Before you run this command, create two environment variables, one named AVORCLDB_SRCUSR set to srcusr/password and the other AVORCLDB_AVSRCUSR set to avsrcusr1. Then run the command. Example 3-6 shows how to add a source to Audit Vault.

    Note:

    The -srcusr argument can be omitted if the corresponding environment variable AVORCLDB_SRCUSR is set to srcusr/password. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable.

    Example 3-6 Adding a Source to Audit Vault Database

    avorcldb add_source -src lnxserver:4523:source1db.domain.com
                        -avsrcusr avsrcuser1 -desc 'HR Database'
                        -agentname agent1
    Adding source...
    Source added successfully.
    source successfully added to Audit Vault
    
    remember the following information for use in avctl
    Source name (srcname): RODSRC1.US.ORACLE.COM
    map_source_to_agent
    map_source_to_agent
    
    
  5. From the Audit Vault Server home shell, add the collector to Audit Vault using the AVORCLDB add_collector command. Pass the source user srcusr created in Step 2a (srcuser1 in this example) and the Audit Vault source user avsrcusr created in Step 2b (avsrcuser1 in this example) as arguments.

    Before you run this command, create an environment variable named AVORCLDB_SRCUSR set to srcuser1/password. Then run the command. Example 3-7 shows how to add the OSAUD collector to Audit Vault for UNIX platforms.

    Note:

    The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR is set to srcuser1/password. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable.

    Example 3-7 Adding the OSAUD Collector to Audit Vault for UNIX Platforms

    avorcldb add_collector -srcname source1db.domain.com 
                           -agentname agent1 
                           -colltype OSAUD
    source SOURCE1DB.DOMAIN.COM verified for OS File Audit Collector collector
    Adding collector...
    Collector added successfully.
    collector successfully added to Audit Vault
    
    remember the following information for use in avctl
    Collector name (collname): OSAUD_Collector
    
    

    Example 3-8 shows how to add the OSAUD collector to Audit Vault on Windows for the event log.

    Example 3-8 Adding the OSAUD Collector to Audit Vault on Windows for the Event Log

    avorcldb add_collector -srcname source1db.domain.com 
                           -agentname agent1 
                           -colltype EVTLOG 
    source SOURCE1DB.DOMAIN.COM verified for Windows Event Log Audit Collector collector 
    Adding collector... 
    Collector added sucessfully. 
    collector successfully added to Audit Vault 
    
    remember the following information for use in avctl
    Collector name (collname): EVTLOG_Collector
    
    

    Example 3-9 shows how to add the DBAUD collector to Audit Vault.

    Example 3-9 Adding the DBAUD Collector to Audit Vault

    avorcldb add_collector -srcname source1db.domain.com 
                           -agentname agent1 -colltype DBAUD
    source SOURCE1DB.DOMAIN.COM verified for Aud$/FGA_LOG$ Audit Collector collector
    Adding collector...
    Collector added successfully.
    collector successfully added to Audit Vault
    
    remember the following information for use in avctl
    Collector name (collname): DBAUD_Collector
    
    

    Example 3-10 shows how to add the REDO collector to Audit Vault and shows that values for both the -avsrcusr and -av arguments must be supplied for this collector type.

    Note:

    The -avsrcusr argument can be omitted if the corresponding environment variable, AVORCLDB_AVSRCUSR, is set to avsrcuser1/password. If the command-line argument -avsrcusr is specified, then the command-line argument overrides the environment variable.

    Example 3-10 Adding the REDO Collector to Audit Vault

    avorcldb add_collector -srcname source1db.domain.com 
                           -agentname agent1 
                           -colltype REDO
                           -av lnxserver:4523:hrdb.domain.com
    source SOURCE1DB.DOMAIN.COM verified for REDO Log Audit Collector collector
    Adding collector...
    Collector added successfully.
    collector successfully added to Audit Vault
    
    remember the following information for use in avctl
    Collector name (collname): REDO_Collector
    initializing REDO Collector
    setting up APPLY process on Audit Vault server
    setting up CAPTURE process on source database
    
    
  6. In the Audit Vault Agent shell, set up the source using the AVORCLDB setup command (as shown in Example 3-11). Use the source user srcusr created in Step 2a (srcuser1 in this example), the source name -srcname <srcname> previously used in Step 5, and the wallet password, which is the <agentusr> password. Before you run this command, create an environment variable named AVORCLDB_WPWD set to password, the wallet password. Then run the command.

    Note:

    The -wpwd argument can be omitted if the corresponding environment variable, AVORCLDB_WPWD is set to password. If the command-line argument -wpwd is specified, then the command-line argument overrides the environment variable.

    Example 3-11 Setting Up the Source at the Agent

    avorcldb setup -verbose -srcname source1db.domain.com
    updated tnsnames.ora with alias [SRCDB1] to source database
    adding credentials for user srcdba2 for connection [SRCDB1]
    Storing user credentials in wallet...
    Create credential oracle.security.client.connect_string2
    done.
    verifying SRCDB1 connection using wallet
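
As an added example (not part of this guide), the following POSIX shell functions turn the output of the AVORCLDB verify command from Step 3 (Example 3-4) into a pass/fail gate for a scripted deployment, so that add_source and add_collector are only attempted once the source is clean. The sample output is constructed from Example 3-4, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: gate scripted collector deployment
# on the findings printed by "avorcldb verify" (Step 3). SAMPLE_VERIFY is
# constructed from Example 3-4; function names are assumptions. Against a real
# source, with the credentials taken from AVORCLDB_SRCUSR as the Note
# describes (so they stay off the command line), run:
#   avorcldb verify -src host:1521:sid -colltype ALL | verify_problems

# Print every finding, dropping the success lines and the closing advice
# line. Exit status 1 when any finding remains, 0 when the source is clean.
verify_problems() {
    awk '
        /^Verified source / || / verified for / { next }   # success lines
        /^Please set the above init\.ora/       { next }   # trailer, no finding
        /^[ \t]*$/                              { next }
        { print; found = 1 }
        END { if (found) exit 1 }
    '
}

# List the init.ora parameter names the tool wants changed, one per line,
# so a DBA can review them before anything is altered on the source.
verify_parameters() {
    awk '/^Parameter / { print $2 }'
}

# Constructed sample (from Example 3-4): two collectors verified, the REDO
# collector blocked by ARCHIVELOG mode, compatibility and three parameters.
SAMPLE_VERIFY='Verified source SRC1.US.ORACLE.COM for OS File Audit Collector
Verified source SRC1.US.ORACLE.COM for Aud$/FGA_LOG$ Audit Collector
Source database must be in ARCHIVELOG mode to use REDO Log collector
Incorrect database compatibility 9.2.0; recommended value is 10.2.0.0.0
Parameter _SPIN_COUNT not set; recommended value is 5000
Parameter JOB_QUEUE_PROCESSES = 0 not in recommended value range [4 - ANY_VALUE]
Parameter GLOBAL_NAMES = false not set to recommended value true
Please set the above init.ora parameters to recommended values'

# Number of findings in the sample (5).
sample_problem_count() {
    printf '%s\n' "$SAMPLE_VERIFY" | verify_problems | wc -l | tr -d ' '
}

# 0 if the sample would let deployment proceed, 1 otherwise (here 1).
sample_is_clean() {
    printf '%s\n' "$SAMPLE_VERIFY" | verify_problems >/dev/null
}
```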
    
    

3.3 Starting Up Agents and Collectors

Steps to start up an agent and its collectors are described as follows:

  1. Ensure that the agent is started.

    To check the status of the agent to see if it is started, on the Audit Vault Server shell, use the AVCTL show_agent_status command, as shown in Example 3-12. In this case the agent is not started.

    Example 3-12 Checking the Status of the Agent

    avctl show_agent_status -agentname agent1
    AVCTL started
    Getting agent metrics...
    --------------------------------
    Agent is not running
    --------------------------------
    Metrics retrieved successfully
    --------------------------------
    
    

    If the agent is not started as indicated in Example 3-12, use the AVCTL start_agent command to start the agent, as shown in Example 3-13.

    Example 3-13 Starting the Agent

    avctl start_agent -agentname agent1
    AVCTL started
    Executing task start_agent
    Starting Agent...
    Agent started successfully.
    
    
  2. In the Audit Vault Server shell, start the OSAUD, DBAUD, and REDO collectors.

    To start the OSAUD, DBAUD, and REDO collectors, use the AVCTL start_collector command for each collector, as shown in Example 3-14. If successful, each collector is moved to a RUNNING state.

    Example 3-14 Starting the OSAUD, DBAUD, and REDO Collectors

    avctl start_collector -collname OSAUD_Collector 
                            -srcname DBS1.REGRESS.RDBMS.DEV.US.ORACLE.COM
    AVCTL started
    Executing task start_collector
    Starting Collector...
    Collector started successfully.
    
    avctl start_collector -collname DBAUD_Collector 
                            -srcname DBS1.REGRESS.RDBMS.DEV.US.ORACLE.COM
    AVCTL started
    Executing task start_collector
    Starting Collector...
    Collector started successfully.
    
    avctl start_collector -collname REDO_Collector 
                            -srcname DBS1.REGRESS.RDBMS.DEV.US.ORACLE.COM
    AVCTL started
    Executing task start_collector
    Starting Collector...
    Collector started successfully.
    
    

    To use the Audit Vault Console to start collectors, log in to the Audit Vault Console as the user with AV_ADMIN role granted. Click the Management tab, then the Collectors subtab to display the Collectors page (see Figure 4-9). On the Collectors page you can view the collectors and collector information and start and stop collectors. Locate the OSAUD_Collector, the DBAUD_Collector, and REDO_Collector collectors that you added. Note the status of each collector. A red down arrow should appear, indicating that the collector is not running. Select each collector and click Start. A green up arrow appears when the collector is successfully started and is in the RUNNING state.

    Another way to check the collector status is to check for the process names. In the agent home shell, issue a ps command. If the DBAUD and OSAUD collectors are running, you will see that the avaudcoll and avoscoll processes are present. To see if audit records are being collected, inspect the contents of the log files in the Audit Vault Agent home $ORACLE_HOME/av/log directory. The log file has the format <collector_name>_<source-name_prefix><source_id>.log. For the DBAUD_Collector collector, the log file name is DBAUD_Collector_<source-name_prefix><source-id>.log. For the OSAUD_Collector collector, the log file name is OSAUD_Collector_<source-name_prefix>_<source-id>.log. Each log file keeps a running record of its audit record collection operations and will indicate when collection has occurred, or if a problem was encountered in the collection operation. See Chapter 6 for more information about troubleshooting collector setup and start collector operations.

  3. Check the collector status from the Audit Vault Server shell using the AVCTL command-line utility.

    To check the status of the collectors, use the AVCTL show_collector_status command shown in Example 3-15.

    Example 3-15 Checking the Status of the OSAUD, DBAUD, and REDO Collectors

    avctl show_collector_status -collname OSAUD_Collector 
                                -srcname DBS1.REGRES.RDBMS.DEV.US.ORACLE.COM 
    AVCTL started
    Getting collector metrics...
    --------------------------------
    Collector is running
    --------------------------------
    
    avctl show_collector_status -collname DBAUD_Collector 
                                -srcname DBS1.REGRES.RDBMS.DEV.US.ORACLE.COM 
    AVCTL started
    Getting collector metrics...
    --------------------------------
    Collector is running
    --------------------------------
    
    avctl show_collector_status -collname REDO_Collector 
                                -srcname DBS1.REGRES.RDBMS.DEV.US.ORACLE.COM 
    AVCTL started
    Getting collector metrics...
    --------------------------------
    Collector is running
    --------------------------------
    
    

    The status return message will indicate whether the collector is running or not; otherwise, it might display an error message indicating that there is a problem.
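
As an added example (not part of this guide), the following POSIX shell function performs Steps 1 to 3 for a list of collectors: it parses the AVCTL show_collector_status output and runs start_collector only for collectors that are not already running, reporting any that fail to start. The AVCTL_CMD variable and the function names are assumptions, introduced so the logic can be exercised against recorded output.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: start every collector of a source
# that AVCTL reports as not running, using the commands of Examples 3-14 and
# 3-15. AVCTL_CMD (assumed name) defaults to the avctl on PATH; point it at a
# stub to exercise the logic without an Audit Vault Server.
AVCTL_CMD="${AVCTL_CMD:-avctl}"

# Read "avctl show_collector_status" output on stdin: 0 if the collector is
# running, 1 otherwise (error text counts as not running).
collector_is_running() {
    grep -q '^Collector is running'
}

# Read "avctl start_collector" output on stdin: 0 only on the documented
# success line.
collector_start_ok() {
    grep -q '^Collector started successfully'
}

# ensure_collectors_running SRCNAME COLLNAME...
# Prints one line per collector and returns the number that could not be
# started, so a deployment script can stop when the result is non-zero.
ensure_collectors_running() {
    src="$1"; shift
    failed=0
    for coll in "$@"; do
        if "$AVCTL_CMD" show_collector_status -collname "$coll" -srcname "$src" \
                | collector_is_running; then
            echo "$coll: running"
            continue
        fi
        if "$AVCTL_CMD" start_collector -collname "$coll" -srcname "$src" \
                | collector_start_ok; then
            echo "$coll: started"
        else
            echo "$coll: FAILED to start, check \$ORACLE_HOME/av/log on the agent"
            failed=$((failed + 1))
        fi
    done
    return $failed
}
```

For example, ensure_collectors_running DBS1.REGRESS.RDBMS.DEV.US.ORACLE.COM OSAUD_Collector DBAUD_Collector REDO_Collector reproduces the sequence of Example 3-14 for the collectors that are not yet in the RUNNING state.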

See Chapter 4 for additional configuration and management tasks that you may need to perform on your running Audit Vault system.