13 Using Audit Analysis and Reporting

This chapter describes how to configure audit reporting and how to view audit reports. It contains these topics:

13.1 Setting up Oracle Business Intelligence Publisher for Audit Reports

When your audit data resides in a database, you can run pre-defined Oracle Business Intelligence Publisher reports and create your own reports on the data. This section contains these topics about configuring your environment for audit reports:

See Also:

Oracle Business Intelligence Publisher Enterprise documentation at:

http://www.oracle.com/technology/documentation/bi_pub.html

13.1.1 About Oracle Business Intelligence Publisher

Reports help auditors determine whether there are any violations with respect to various industry regulations such as HIPPA, SOX, and other regulatory compliance demands. Oracle Fusion Middleware Audit Framework is integrated with Oracle Business Intelligence Publisher for out-of-the box reports.

Pre-defined reports are available as part of the Oracle Fusion Middleware Audit Framework. These reports are integrated with Oracle Business Intelligence Publisher to work in conjunction with the audit data in the audit store.

Oracle Fusion Middleware Audit Framework ships with over twenty pre-built reports in 11g Release 1 (11.1.1). For convenience, the reports are grouped in Oracle Business Intelligence Publisher according to functional areas and by component.

The functional areas consists of the following:

  • Error and Exception reports like authentication and authorization failures

  • User Activities including transaction history and authorization history

  • Operational reports including created, deleted, and locked-out users

  • Audit Service Events

The component-specific reports, as the name implies, are grouped based on the components themselves, for example, Oracle HTTP Server reports and Oracle Identity Federation reports.

Other features of Oracle Business Intelligence Publisher include:

  • Flexible Report Displays

    You can view reports online, change report parameters, change output types (pdf, html, rtf, excel and others), modify the appearance of reports, export to the desired format, and send to an E-mail address, fax or other destination.

  • Report Filters

    You can filter audit records to be included in the report using a range of options including the ability to modify the SQL used to extract records from the audit repository.

  • Scheduling Reports

    You can schedule reports to be run based on a range of criteria such as filters, templates, formats, locale, viewing restrictions and so on.

    See Also:

    For more information about scheduling features, see the Oracle Business Intelligence Publisher Enterprise documentation at:

    http://www.oracle.com/technology/documentation/bi_pub.html

  • Custom Reporting

    You can design your own reports and specify the data model, layout, parameters, bursting (for example, you can enable delivery based on delivery preference).

See Also:

All the auditing reports available in Oracle Business Intelligence Publisher provide these report filtering and formatting options:

  • View - View the report using the current parameters.

  • Schedule - Set up a schedule for the report along with job parameters and data filters.

  • History

  • Edit - Modify the query and parameter display formats.

  • Configure - Set up runtime configuration controls.

  • Export

13.1.2 Install Oracle Business Intelligence Publisher

If you already have Oracle Business Intelligence Publisher 10.1.3.4 or later installed at your site, you can skip this section and go to Section 13.1.3, "Set Up Oracle Reports in Oracle Business Intelligence Publisher".

If you need to install Oracle Business Intelligence Publisher, follow the instructions provided with the Oracle Business Intelligence Publisher Companion CD.

See Also:

Oracle Business Intelligence Publisher Enterprise documentation at:

http://www.oracle.com/technology/documentation/bi_pub.html

13.1.3 Set Up Oracle Reports in Oracle Business Intelligence Publisher

In this section you configure Oracle Business Intelligence Publisher to work with the audit datasource.

Note:

11g Release 1 (11.1.1) reports can work with the 11g Release 1 (11.1.1.2.0) schema. However, 11g Release 1 (11.1.1.2.0) reports can work only with an 11g Release 1 (11.1.1.2.0) schema; they cannot work with an 11g Release 1 (11.1.1) schema.

Take these steps to set up Oracle Business Intelligence Publisher for use with audit reports:

  1. Navigate to the Reports folder in your Oracle Business Intelligence Publisher installation. By default, the Reports folder is at %BIP_HOME%\XMLP\Reports.

  2. Unjar the AuditReportTemplate.jar into your Reports folder. You should see a new folder called Oracle_Fusion_Middleware_Audit. You can find AuditReportTemplate.jar at $MW_ORA_HOME/modules/oracle.iau_11.1.1/reports/AuditReportTemplates.jar

  3. Set up the DataSource for audit repository as follows:

    • Navigate to the Admin tab.

    • If you deployed on Oracle WebLogic Server in Step 1, set up JNDI as follows:

      • Click JNDI Connection.

      • Click Add DataSource.

      • Specify the DataSource details:

        Name the Data Source Audit.

        Note:

        The reports refer to the audit data source, so the naming convention is important.

        JNDI Name - 'jdbc/AuditDB'

      • Test for a successful connection. If the connection is not successful, check the values you entered.

      • Press Apply to save your changes.

    • If you deployed on Oracle Containers for Java EE in Step 1, set up JNDI as follows:

      • Click JDBC Connection.

      • Click Add DataSource.

      • Specify the DataSource details:

        Name the Data Source Audit.

        Note:

        The reports refer to the audit data source, so the naming convention is important.

        Enter the details for the URL, username, and password for the audit schema. (Note: The username and password consist of the audit schema name including a prefix, for example, username: dev_iau or test_iau.)

      • Test for a successful connection. If the connection is not successful, check the values you entered.

      • Press Apply to save your changes.

13.1.4 Set Up Audit Report Templates

You can use the standard audit reports in their default formats out-of-the-box. However, if you wish to customize the appearance and other related aspects of the reports, you do so by setting up audit report templates.

From a report's Edit dialog, you can click the Layout option in the left panel to control layouts and output formats. Using this feature, you can:

  • Customize the report template and design your own layout; for example you can rearrange fields and highlight selected field labels.

  • Restrict the formats to which the report output is generated - by default, a large number of output formats are available including HTML, PDF, Excel spreadsheet, RTF, and others.

See Also:

Oracle Business Intelligence Publisher User's Guide.

13.1.5 Set Up Audit Report Filters

You can use the standard audit reports in their default formats out-of-the-box. However, if you wish to customize the scope of data and other related aspects of the reports, you do so by setting up audit report filters.

Oracle Business Intelligence Publisher provides both basic and advanced filtering options for your audit reports.

See Also:

Oracle Business Intelligence Publisher User's Guide.

Basic Filters

Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report.

In the Report Parameters area you can provide high-level filters to restrict the report:

  • Date Filters

    • show only recent audit records such as last hour or last week

    • show records generated within a specified starting and ending dates

    • limit number of records returned

  • Selected Report Fields

    For example, the Authentication Failures report can be filtered by:

    • Username

    • Component Type

    • Component Name

    • Application Name

    • Domain Name

Advanced Filters

Clicking on the report's Edit button brings up a page at which you can specify more detailed report filters and properties. This page consists of two panels. The left panel lets you select what element of the report is to be modified through these options. For each element you select, the right panel displays the corresponding information.

  • Data Model - This contains the SQL query that fetches the raw data for the report. The query can be modified according to your needs.

  • List of Values - Shows all the report columns. Selecting on a column displays the underlying SQL query that filters data for the attribute. You can modify the query as needed; for example you can specify more restrictive filter values.

  • Parameters - Shows all the report columns, and lets you select any column to modify display settings for that column. For example, you can specify a date display format for timestamp fields.

  • Layouts and output formats - This feature is described in the following section.

13.1.6 Configure Scheduler in Oracle Business Intelligence Publisher

Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report. Information you can specify on this page includes:

Note:

This feature assumes that the Oracle Business Intelligence Publisher repository is already configured.
  • Report Parameters - filters to restrict the data included in the report, for example records for the last hour only.

  • Job Properties - the job name, formatting locale and time zone, and so on.

  • Notification - one or more users to be notified by E-mail when the job completes or fails.

  • Time - report scheduling options; the report can be scheduled to run periodically or on a one-time basis.

  • Delivery - deliver the report to one or more users

13.2 Organization of Audit Reports

Oracle Fusion Middleware Audit Framework ships with a set of pre-defined reports that are designed to work, out-of-the-box, with Oracle Fusion Middleware components. These reports are organized into two main categories:

  • Common Reports

    These reports capture common events such as authentication success and failures, account-related status (lockout, disabled, and so on). Many components have implemented audit capability for these common events. The common reports are located under the Common Reports subfolder of the Audit Reports, and all audit-enabled events from across the components are captured in these reports.

    For example, "Authentication History" displays authentication history across all the components where authentication events are being captured.

    You can use these reports to examine audit records for a specific area across components or to examine the audit records of a single user across multiple components for that specific area.

  • Component-specific

    These reports are component-specific. They are needed because not all audit events may be relevant to each component. The Component Specific folder serves two purposes. First, it identifies the valid reports among the Common Reports that are relevant to the component and show only the audit records for that component. Secondly, for some components, component-specific reports have been defined to suit the specific needs of that component. While audit records themselves are generic for all the components, the representation of an audit record may have component-specific requirements. For example, an access policy may need to be shown in a format to be useful.

    For example, you can locate the Authentication History report in the Common folder, where it displays authentication events for all components. You can also find the same report under a component-specific folder, where it displays authentication events for that component only.

  • There is also a generic report at the top level called "All Events", which shows all the events across all audit-enabled components. The "All Events" report is also available in each component-specific folder, to show all the events for individual components.

    This report can be used to query audit data.

13.3 View Audit Reports

This section explains how to view audit reports using Oracle Business Intelligence Publisher.

Take these steps to view an audit report:

  1. Log in to Oracle Business Intelligence Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  2. On the main page, click Oracle Fusion Middleware Audit under Shared Folders.

  3. The audit reports are organized into:

    • reports that are common to multiple components; these are further organized by report types

    • reports that are specific to a component; these are further organized by component

    See Also:

    Table 13-1 for a description of the standard reports.
  4. Navigate to the report of interest; for example, you can click on the Common Reports folder, then Errors and Exceptions, then click on All Errors and Exceptions.

    The report is displayed.

  5. The report display page contains these major areas:

    • Filters at the top of the page enable you to determine the type, scope, and number of records to include in the report. These filters include:

      • User

      • Start and End Dates

      • Last n time period

      • Component type and name

      • Application Name

      • Domain Name

      Use relevant filters to limit the report to the desired records.

      Note:

      Initially, the report is displayed with default filter values that you can modify.
    • Format control buttons enable you to determine:

      • the template type, which can be:

           HTML - This is the default display format.

           PDF - Displays a printable PDF view.

           Data - Displays an unformatted XML data set.

        To change the template type while viewing a report, select the type from the drop-down list and click View.

      • output format

      • delivery options

    • The report record display area. The appearance and number of columns depend on previously selected options and filters.

      Each column header also acts as a sort option.

  6. View, save or export the report as desired.

13.4 Example of Oracle Business Intelligence Publisher Reports

This section uses a common scenario to demonstrate how Oracle Business Intelligence Publisher reports are used to view audit data generated by Oracle Platform Security Services events.

In this example, some activity is generated on the credential store for an Oracle WebLogic Server domain. We then use Oracle Business Intelligence Publisher to take a look at the relevant report to see the audit records. Subsequently, a few other reports are examined.

  1. As the system administrator, locate the domain whose credentials are to be managed.

  2. Use the relevant commands to generate some credential management records; for example, create and delete some user credentials.

    See Also:

    Section 9.5, "Managing the Domain Credential Store" for details about credential management.
  3. Log in to Oracle XML Publisher using a URL of the form:

    http://host.domain.com:port/xmlpserver/

  4. Under the Reports tab, click on Shared Folders, and select Fusion Middleware Audit.

  5. On the main page, click Fusion Middleware Audit under Shared Folders.

  6. The audit report menu appears. Audit reports are organized in various folders by type.

  7. To view audit records for Oracle Platform Security Services, for example, navigate to the Component Specific folder, then Oracle Platform Security Services.

  8. The Oracle Platform Security Services folder contains several reports. Click All Events.

    The report shows activity in a default time range. Modify the time range to show only the day's events.

    The activity performed on that day appears on the page.

    Surrounding text describes audjpsrpt1.gif.

    Observe the different regions of the report and their functions: report filters, format control, scheduling, and the data display itself.

  9. In each report, the last data column is a Detail column. Click on a detail to view all the attributes of the specific audit record.

    Surrounding text describes audjpsrpt2.gif.
  10. Return to the main folder to view some other reports of interest. For example, in the Common Reports folder, navigate to the Account Management folder, and click Account Profile History.

    The Account Profile History report appears.

    Surrounding text describes audjpsrpt3.gif.
  11. Click on the Event Details for an event of interest:

    Surrounding text describes audjpsrpt4.gif.
  12. Finally, return to the Common Reports folder and select Errors and Exceptions. Select the All Errors and Exceptions report.

  13. A number of records are displayed. To narrow the report to records of interest, use the Event drop-down to select checkPermission events.

    One row is returned showing an authorization check failure:

    Surrounding text describes audcmnrpt1.gif.
  14. Click Details to obtain more information:

    Surrounding text describes audcmnrpt2.gif.

13.5 Audit Report Details

This section provides detailed reference information about the standard (pre-built) audit report.

The standard audit reports are grouped as follows:

  1. The All Events report

    This report contains all audit records generated in a pre-defined interval.

  2. Common Reports

    These are reports that contain audit records across multiple components.

  3. Component-Specific Reports

    Each report is dedicated to a specific component.

Common Reports

Common reports are organized as follows:

  • Account Management

    • Account Profile History

    • Accounts Deleted

    • Accounts Enabled

    • Accounts Disabled

    • Accounts Created

    • Accounts Locked Out

    • Password Changes

    • dashboard

  • User Activities

    • Authentication History

    • Multiple Logins from Same IP

    • Authorization History

    • Event Details

    • Related Audit Events

    • Dashboard

  • Errors and Exceptions

    • All Errors and Exceptions

    • Authorization Failures

    • Authentication Failures

    • Dashboard

Component-Specific Reports

For a list of reports, see Section C.2.2, "Component-Specific Audit Reports".

13.5.1 List of Audit Reports in Oracle Business Intelligence Publisher

Table 13-1 provides a brief description of each audit report in Oracle Business Intelligence Publisher.

Note:

The folder path shown in the column titled "Located in Folder" is relative to the Oracle Fusion Middleware Audit folder. To get to this folder, log in to Oracle Business Intelligence Publisher, and navigate to Shared Folders, then Oracle Fusion Middleware Audit.

Table 13-1 List of Audit Reports

Report Description Located in Folder

Accounts Created

shows accounts created in various components

Common Reports, then Account Management. Also in Component Specific folders.

Accounts Deleted

shows accounts deleted in various components

Common Reports, then Account Management. Also in Component Specific folders.

Accounts Disabled

shows accounts disabled in various components

Common Reports, then Account Management. Also in Component Specific folders.

Accounts Enabled

shows accounts enabled in various components

Common Reports, then Account Management. Also in Component Specific folders.

Accounts Locked Out

shows accounts locked out due to excessive authentication failures

Common Reports, then Account Management. Also in Component Specific folders.

Account Profile History

shows profile changes in accounts, such as change in address and password changes

Common Reports, then Account Management. Also in Component Specific folders.

All Errors and Exceptions

captures all errors and exceptions across components

Common Reports, then Errors and Exceptions. Also in Component Specific folders.

All Events

displays all audit events

Oracle Fusion Middleware Audit. Also in Component Specific folders.

Application Policy Management

displays application level policy management

Component Specific, then Oracle Platform Security Services.

Application Role Management

shows application role to enterprise role mappings

Component Specific, then Oracle Platform Security Services.

Assertion Activity

Assertion Activity in Oracle Identity Federation

Component Specific, then Oracle Identity Federation.

Assertion Template Management

lists assertion Template management operations in Oracle Web Services Manager

Component Specific, then Oracle Web Services Manager, then Policy Management

Authentication Failures

authentication errors and exceptions; can be cross-component or specific to a component.

Common Reports, then Errors and Exceptions. Also in Component Specific folders.

Authentication History

Authentications across all components

Common Reports, then User Activities. Also in Component Specific folders.

Authorization Failures

captures authorization failures

Common Reports, then Errors and Exceptions. Also in Component Specific folders.

Authorization History

Authorizations across all components

Common Reports, then User Activities. Also in Component Specific folders.

Confidentiality Enforcements

lists enforcements related to confidentiality in Oracle Web Services Manager

Component Specific, then Oracle Web Services Manager, then Policy Enforcements

Configuration Changes

configuration changes made in Fusion Middleware Audit Framework.

Component Specific, then Oracle Fusion Middleware Audit Framework

Credential Access

displays credential accesses by users and applications in Oracle Platform Security Services

Component Specific, then Oracle Platform Security Services.

Credential Management

displays credential management operations performed in Oracle Platform Security Services.

Component Specific, then Oracle Platform Security Services.

Federation User Activity

lists federation user activities in Oracle Identity Federation

Component Specific, then Oracle Identity Federation.

Message Integrity Enforcements

shows enforcements related to message integrity in Oracle Web Services Manager

Component Specific, then Oracle Web Services Manager, then Policy Enforcements

Multiple Logins from Same IP

lists machines from where successful logins are made into different user accounts.

Common Reports, then User Activities.

Password Changes

shows password changes done in various accounts.

Common Reports, then Account Management. Also in Component Specific folders.

Policy Attachments

shows Policy to web service endpoint attachments

Component Specific, then Oracle Web Services Manager

Policy Enforcements

general policy enforcements for Oracle Web Services Manager

Component Specific, then Oracle Web Services Manager, then Policy Enforcements

Profile Management Events

shows changes to Directory Integration Platform's profiles.

Component Specific, then Directory Integration Platform.

Request Response

shows requests sent and responses received from web services

Component Specific, then Oracle Web Services Manager

System Policy Management

displays system level policy management operations

Component Specific, then Oracle Platform Security Services.

Violations

Enforcement violations.

Component Specific, then Oracle Web Services Manager, then Policy Enforcements

Web Services Policy Management

shows policy management operations.

Component Specific, then Oracle Web Services Manager, then Policy Management


13.5.2 Attributes of Audit Reports in Oracle Business Intelligence Publisher

Table 13-2 lists the attributes that appear in the various audit reports. When viewing a report, you can use this table to learn more about the attributes that appear in the report.

Note the following:

  • Not all attributes appear in each report.

  • The user or users attribute, which appears in each report, can mean different things in different reports; see Table 13-1 for an explanation of this attribute.

  • Not all the attributes are displayed in Oracle Business Intelligence Publisher audit reports. If you wish to include some additional attributes in your custom reports, see Appendix C, "Oracle Fusion Middleware Audit Framework Reference".

Table 13-2 Attributes of Audit Reports

Attribute Description

Activity

The type of action, either user- or system-initiated.

Application Name

The complete application path and name.

Application Server Instance

The instance of the application server in use.

Attempted

The action that was attempted, for example, a single sign-on attempted by the user.

Component Name

The name of the component instance.

Component Type

The type of component, for example Oracle Identity Federation.

Domain Name

Oracle WebLogic Server domain name.

ECID

The execution context ID.

Event Type

The type of event that occurred, for example, account creation.

Initiator

The user who initiated the event.

Internet Protocol Address, IP Address

The IP address of the user's machine from which the action was initiated.

Message Text

The text of the message; a description of the event.

Policy Name

The name of the policy involved in the action.

Time Range

The time range which allows you to limit your data set to a specific time interval, for example, the last 24 hours.

Timestamp

The date and time of the event.

Transaction ID

The transaction identifier.


13.6 Customizing Audit Reports

This section discusses advanced report generation and creation options:

13.6.1 Using Advanced Filters on Pre-built Reports

Clicking on the report's Edit button brings up a page at which you can specify more detailed report filters and properties. This page consists of two panels. The left panel lets you select what element of the report is to be modified through these options. For each element you select, the right panel displays the corresponding information.

  • Data Model - This contains the SQL query that fetches the raw data for the report. The query can be modified according to your needs.

  • List of Values - Shows all the report columns. Selecting on a column displays the underlying SQL query that filters data for the attribute. You can modify the query as needed; for example you can specify more restrictive filter values.

  • Parameters - Shows all the report columns, and lets you select any column to modify display settings for that column. For example, you can specify a date display format for timestamp fields.

  • Layouts and output formats - This feature is described in the following section.

13.6.2 Creating Custom Reports

Oracle Business Intelligence Publisher provides a complete set of capabilities for designing and creating custom reports.

See Also:

Here is a simple example illustrating the basic steps to customize an existing audit report with Oracle Business Intelligence Publisher.

  1. Log in to Oracle Business Intelligence Publisher as administrator.

    Surrounding text describes biplogin.gif.
  2. Navigate to the Oracle Fusion Middleware Audit folder.

    Surrounding text describes bipnav.gif.
  3. Create a folder to maintain your custom reports. Under Folder and Event Tasks, click New Folder.

    Enter a folder name.

    Surrounding text describes bipnewfolder.gif.
  4. The new folder, Custom BI Reports, appears on the main audit reports folder.

    Surrounding text describes bipnewmenu.gif.
  5. Select an existing report that will be a starting point to create a custom report, by clicking the icon to the left of the report. In this example the All Events report is selected:

    Surrounding text describes bipcopyreq.gif.

    Click Copy this report.

  6. This action copies the report to the clipboard. To send it to the new folder:

    • Select the Custom BI Reports folder.

    • Under Folder and Report Tasks, click Paste from clipboard.

    • A dialog box appears requesting confirmation. Click Yes.

      Surrounding text describes bipconfcopy.gif.

      The report is now moved from the clipboard to the custom folder:

      Surrounding text describes biprptpasted.gif.
    • Provide a descriptive name for the new report by selecting the icon to the left of the report, and clicking Rename this report.

      Surrounding text describes biprename.gif.
  7. Now you are ready to customize the report. Click Edit from the menu choices under the report title.

  8. The Edit page appears.

    Surrounding text describes bipeditpage.gif.

    Two panels are displayed; on the main panel titled General Settings, you can control basic features like the report title and runtime controls. To the left of the main panel, a second panel displays two sets of information that you can use to create relevant content for your report:

    • List of Values shows the fields that are being used currently in the report. When you click on a field, the main panel automatically displays the name and the SQL query used to select the values to include for that field.

    • Parameters shows the available parameters from which you can choose the ones to include in the report. Notice that a subset of the parameters is already in the report; for example, userid (which is the initiator of the audit event) provides the Users data, while timeRange provides the Time Range data.

    The palette of choices on the left panel is context-sensitive and provides information to help you build the report.

  9. You can use the Query Builder to customize the data to include in your report. For example, to include only login events for a component, you can:

    • Select ComponentName from the list of values and click Query Builder.

      Surrounding text describes bipcname.gif.
    • A table appears listing the available components. Select the component, say JPS. A second table appears showing the component event fields:

      Surrounding text describes bipqb1.gif.
    • In the JPS table select IAU_EVENTTYPE.

      Surrounding text describes bipqb2.gif.
    • Click Conditions, enter the condition login and click Save.

      Surrounding text describes bipqb3.gif.
  10. The condition is now included in the report. Be sure to click Save again on the upper left corner to commit your changes to the report definition.

    Surrounding text describes bipqb4.gif.
  11. You can now return to the report in the Custom BI Reports folder and view the data.