Skip Headers
Oracle® Audit Vault Administrator's Guide
Release 10.3

Part Number E23571-07
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

5 Managing Oracle Audit Vault Security

This chapter contains:

5.1 About Managing Oracle Audit Vault Security

This chapter explains how to manage Oracle Audit Vault security. You should perform Oracle Audit Vault security tasks in this order of importance:

  1. Secure management communication between the Oracle Audit Vault Server and collection agent, described in Section 5.6.

  2. Manage user authentication metadata, described in Section 5.3.

Section 5.5 explains how Oracle Database Vault protects audit data and provides strong access control.

5.2 Managing Oracle Audit Vault User Accounts

During the Oracle Audit Vault installation process, you created the following two system-generated user accounts:

  • Audit Vault administrator account. This user account is responsible for the administrative tasks described in this manual, and is granted the AV_ADMIN role.

  • Audit Vault auditor account. This user account is responsible for the auditing tasks described in Oracle Audit Vault Auditor's Guide, and is granted the AV_AUDITOR role.

As a best practice, you should use these two user accounts only as back-up accounts, and grant the appropriate Audit Vault role to the users who are responsible for the day-to-day Oracle Audit Vault operations. Each user account must have its own user name and password. For example, if your site requires two Audit Vault administrators and six auditors, then grant the administrators the AV_ADMIN role and the auditors the AV_AUDITOR role. Or, for example, if all your administrators are granted SEC_ADMIN role and everyone who has the SEC_ADMIN role must also administer Oracle Audit Vault, then grant the AV_ADMIN role to the SEC_ADMIN role.

This way, if an Audit Vault administrator or auditor leaves the department or your company, then you only need to revoke the role from this user. If all the users who have been granted a particular role leave your company, then you can use the back-up Audit Vault user account that you created during installation to grant the role to new users. The danger of relying on the default user accounts that you created during installation is that if multiple users use the account, then they all can log in using the same user account and password. Shared passwords make your system less secure.

Similarly, you should grant the DV_OWNER and DV_ACCTMGR roles to individual users, and only use the DV_OWNER and DV_ACCTMGR accounts that you created during installation as back-up accounts. This is particularly important in the case where a user must have his or her password reset, because only a user who has been granted the DV_ACCTMGR role or the ALTER USER privilege can set passwords.

In addition to the AV_ADMIN and AV_AUDITOR roles, a default Oracle Audit Vault installation provides a set of administrative roles that you can use to manage Oracle Audit Vault. These roles provide separation-of-duty tasks. See Table 5-1 for more information.

To create user accounts for use with Oracle Audit Vault:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. If you must create new user accounts, then log in to SQL*Plus as a user who has been granted the CREATE USER privilege or the DV_ACCTMGR role, and create the user accounts.

    For example:

    sqlplus avadmindva
    Enter password: password
    Connected.
    
    SQL> CREATE USER tjones IDENTIFIED BY password;  -- The AV_ADMIN user
    SQL> CREATE USER psmith IDENTIFIED BY password;  -- The AV_AUDITOR user
    
  3. Connect as a user who has been granted the AV_ADMIN role and then grant the AV_ADMIN and AV_AUDITOR roles to these users.

    For example:

    SQL> CONNECT avadmin
    Enter password: password
    Connected.
    
    SQL> GRANT AV_ADMIN TO tjones;    -- The AV_ADMIN user
    SQL> GRANT AV_AUDITOR TO psmith;  -- The AV_AUDITOR user
    
  4. Repeat these steps to create individual accounts to be granted the DV_OWNER and DV_ACCTMGR roles.

    For the role grants, do the following:

    • When you are ready to grant the DV_OWNER role to the user, connect as a user who has been granted the DV_OWNER role.

    • When you are ready to grant the DV_ACCTMGR role to the user, connect as a user who has been granted the DV_ACCTMGR role.

    See Table 1-7 for more information about these roles.

  5. Optionally, audit the actions of the user who has been granted the AV_ADMIN role.

5.3 Managing Authentication Metadata Using Oracle Advanced Security

As part of the Audit Vault Server and the Oracle Audit Vault collection agent installation, two wallets are created. One wallet resides on the Audit Vault Server and this one contains the credentials of the AV_ADMIN. The Audit Vault Console uses this wallet to communicate with the Oracle Audit Vault database. The Audit Vault Console provides the management service that initiates the communication with collection agents using HTTP. Audit Vault Configuration Assistant (AVCA) modifies the Database Control console server.xml file and other related files to enable Oracle Audit Vault management through the Oracle Enterprise Manager Database Control console. The wallet is located in the $ORACLE_HOME/network/admin/avwallet directory.

The other wallet resides on the Audit Vault collection agent and contains the AV_AGENT credentials. The collection agent uses this wallet to get configuration data from Oracle Audit Vault. This wallet is located in the $ORACLE_HOME/network/admin/avwallet directory. This wallet also contains the credentials used by the collectors to communicate with the source database (Oracle Database, Microsoft SQL Server database, Sybase ASE, or IBM DB2 database). The three ORCLDB collectors, the MSSQLDB collector, the SYBDB collector, and the DB2 collector all use these credentials to connect to the source database and to:

  • Open a connection to the source database to read, extract, and send audit records to the Audit Vault repository

  • Obtain metadata and metrics for all the collectors

  • Start and stop the collectors

  • Obtain audit settings as part of Audit Settings management for ORCLDB collectors

  • Obtain user entitlement information for ORCLDB collectors

The Oracle wallet is a password-protected container that stores credentials, such as certificates, authentication credentials, and private keys, all of which are used by SSL for strong authentication. You can manage Oracle wallets by using Oracle Wallet Manager. Oracle Wallet Manager can perform tasks such as wallet creation, certificate request generation, and importing certificates into the wallet.

Oracle Audit Vault uses third-party network authentication services (PKI-based authentication) to authenticate its user clients. Authentication systems based on public key infrastructure (PKI) issue digital certificates to user clients, which use them to authenticate directly to servers in the enterprise without involving an authentication server. These user certificates, along with the private key of the user and the set of trust points of a user (trusted certificate authorities), are stored in Oracle wallets.

5.4 Changing Oracle Audit Vault User Passwords on a Regular Basis

This section contains:

5.4.1 About Oracle Audit Vault User Passwords

You should have a policy in place for changing passwords for the Oracle Audit Vault user accounts. For example, you may require that users change their passwords on a regular basis, such as every 120 days, and that they create passwords that are not easily guessed.

Table 5-1 summarizes guidelines that you must follow when you change passwords for the Oracle Audit Vault user accounts.

Table 5-1 Storage Location of Audit Vault and Source User Name Passwords

Audit Vault Role or User Is Password Stored in Wallet? How Do I Change the Password?

AV_ADMIN role

Yes

  1. If the system-generated AV_ADMIN user account password changes, then use the ALTER USER SQL statement to change the password of this user in the database. (You do not need to change the password for other users who have been granted the AV_ADMIN role.)

  2. Use the avca create_credential command to change the password in the wallet in the Audit Vault Server home.

See Section 5.4.2.

AVREPORTUSER user

Yes

  1. Use the ALTER USER SQL statement to change the password of this user in the database.

  2. Use the avca create_credential command to change the password in the wallet in the Audit Vault Server home.

See Section 5.4.3.

AV_AGENT role

Yes

  1. Use the ALTER USER SQL statement to change the password of this user in the database.

  2. Use the avca create_credential command to change the password in the wallet in the Audit Vault collection agent home.

See Section 5.4.4.

Source user on source database

Yes

  1. For Oracle Database source user accounts, use the ALTER USER SQL statement in the source database to change the password.

  2. For Oracle, SQL Server, and Sybase source database types, run the setup command of the AVORCLDB, AVMSSQLDB, or AVSYBDB utility to change the password in the wallet in both the Audit Vault Server and Audit Vault collection agent home.

  3. For IBM DB2 databases, you only need to change the password of the designated user account. (The AVDB2DB utility has no setup command.)

See Section 5.4.5.

AV_AUDITOR role

No

Use the ALTER USER SQL statement in the Audit Vault Server home to change this user's password.

See Section 5.4.6.


5.4.2 Changing the AV_ADMIN User Password

After you have updated the AV_ADMIN user account using the ALTER USER SQL statement, you must update the password credentials of this user.

To change the password of a user who has been granted the AV_ADMIN role:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the user whose password you must change, another user who has been granted the ALTER_USER privilege, or a user with the DV_ACCTMGR role, and then change the password.

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    
    SQL> ALTER USER avsmith IDENTIFIED BY password;
    
  3. Exit SQL*Plus.

    If this user was granted the AV_ADMIN role after the Oracle Audit Vault installation, then you have completed this procedure. Otherwise, if the AV_ADMIN user account had been created during the Audit Vault installation, then go to Step 4.

  4. Run the avca create_credential command to change the password credentials of the AV_ADMIN user.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias av
    
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: avadminuser
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

    In this example, the dbalias parameter specifies the Audit Vault Server SID in the Audit Vault Server home. You can find this information by running the lsnrctl status listener_AV_SID command on the computer where you installed the Audit Vault Server. For detailed information about using the avca create_credential command, see Section 7.4.

5.4.3 Changing the AVREPORTUSER Password

The AVREPORTUSER account is an internal account that is used to manage Audit Vault reports.

To update the AVREPORTUSER password:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the user whose password you must change, another user who has been granted the ALTER_USER privilege, or a user with the DV_ACCTMGR role, and then change the password.

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    
    SQL> ALTER USER avreportuser IDENTIFIED BY password;
    
  3. Run the avca create_credential command to change the password credentials of the AVREPORTUSER account.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias av_auditor_user
    
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: AVREPORTUSER
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

5.4.4 Changing the AV_AGENT Password

When you change the AV_AGENT user password, you must also update this user's credentials for each agent that connects to the Audit Vault Server as the AV_AGENT user account.

To change the password credentials for the AV_AGENT user account:

  1. Open a shell or command prompt for the Audit Vault collection agent.

    • UNIX: Set the environment variables, as described in Section 2.2.3.

    • Microsoft Windows: Go to the collection agent ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the Audit Vault AV_AGENT user, and then use the ALTER USER SQL statement to change the AV_AGENT user password.

    For example:

    sqlplus /@av
    Enter password: password
    Connected.
    
    SQL> ALTER USER avagent_usr IDENTIFIED BY password;
    

    If you do not have the AV_AGENT user password, then contact the AV_ADMIN user and ask them to recreate this password.

  3. Access the shell or command prompt used for the Audit Vault collection agent.

  4. For each agent that connects to the server as the AV_AGENT user account, run the avca create_credential command to update the locally cached credentials with the new password.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias av
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: avagentuser
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

    For detailed information about using the avca create_credential command, see Section 7.4.

5.4.5 Changing the Source User Password

After you have updated the source database stored password credential, you must update the password credentials of this account.

To change the password credentials for the source user account:

  1. In the source database, change the password for the source database user.

    For an Oracle Database source, use the ALTER USER SQL statement to change the password.

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    SQL> ALTER USER srcuser_ora IDENTIFIED BY password;
    

    For source user accounts created for Microsoft Windows, Sybase ASE, and IBM DB2, log in to the appropriate source database and then change the password there.

  2. Open a shell or command prompt for the Audit Vault collection agent.

    • UNIX: Set the environment variables, as described in Section 2.2.3.

    • Microsoft Windows: Go to the collection agent ORACLE_HOME\bin directory.

  3. For Oracle Database, SQL Server, and Sybase: Run the appropriate setup command on the collection agent to configure the source user password. (Ensure that you only run this command on the agent, not the server.)

    • Oracle Database source databases: Run the avorcldb setup command (see Section 9.9). For example:

      avorcldb setup -srcname hrdb.example.com
      Enter Source user name: srcuser_ora
      Enter Source password: password
      
    • SQL Server source databases: Run the avmssqldb setup command (Section 10.9). For example:

      avmssqldb setup -srcname mssqldb4
      Enter a username : source_user_name
      Enter a password : password
      
    • Sybase ASE source databases: Run the avsybdb setup command (Section 11.9). For example:

      avsybdb setup -srcname sybdb4 
      Enter a username : source_user_name
      Enter a password : password
      
  4. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  5. For Oracle Database, SQL Server, and Sybase: Run the appropriate setup command on the Audit Vault Server to configure the source user password. (Ensure that you only run this command on the agent, not the server.)

    • Oracle Database source databases: Run the avorcldb setup command (see Section 9.9). For example:

      avorcldb setup -srcname hrdb.example.com
      Enter Source user name: srcuser_ora
      Enter Source password: password
      
    • SQL Server source databases: Run the avmssqldb setup command (Section 10.9). For example:

      avmssqldb setup -srcname mssqldb4
      Enter a username : source_user_name
      Enter a password : password
      
    • Sybase ASE source databases: Run the avsybdb setup command (Section 11.9). For example:

      avsybdb setup -srcname sybdb4 
      Enter a username : source_user_name
      Enter a password : password
      
  6. For IBM DB2 databases: The avdb2db utility has no setup command. For IBM DB2 databases, you only need to change the password of the designated user account.

5.4.6 Changing the AV_AUDITOR Password

To change the password of a user who has been granted the AV_AUDITOR role, you must change the passwords in both the Audit Vault Server home in the Audit Vault database by using the SQL ALTER_USER command. Log in as the user with the role of Database Vault Account Manager.

For example:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the Database Vault Account Manager (that is, a user who has been granted the DV_ACCTMGR role).

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    SQL>
    
  3. Use the ALTER USER SQL statement to change the AV_AUDITOR user account.

    For example:

    SQL> ALTER USER avauditorusr-name IDENTIFIED BY password;
    

5.4.7 Ensuring That All Changed User Name Passwords Work Correctly

To test the changed passwords for users who have been granted the AV_ADMIN and AV_AUDITOR roles, log in to the Audit Vault Console as the Audit Vault administrator and then as the Audit Vault auditor. See Section 3.2.3 for instructions on logging in to the Audit Vault Console. If the login is not successful, repeat the procedures described in this section to re-create the passwords, and then retest them.

For the AV_ADMIN role, you must also test that the credentials were stored correctly in the wallet.

Follow these steps:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. In SQL*Plus, log in to the Audit Vault Server.

    For example, assuming the SID of the Audit Vault Server is av:

    sqlplus /@av 
    

To test the AV_AGENT and source database user account passwords, stop the collection agents, and then restart the collection agent and each collector. See Chapter 8 for information about the commands you use to perform this test. If you are able to collect new audit records, then the AV_AGENT and source database user account passwords are working. If you cannot collect audit records, then check the log files (see Appendix A for more information) to determine which user name password might be the cause of the problem. If necessary, re-create the passwords and then retest them.

5.5 Using Oracle Database Vault within Oracle Audit Vault

By default, Oracle Database Vault is enabled in the Audit Vault Server. Oracle Database Vault restricts access to the data in the Audit Vault Server from any user, including users who have administrative access. For Oracle Audit Vault, Oracle Database Vault protects the Audit Vault Server by using a realm. To ensure that the data in the Audit Vault Server is protected, do not disable Oracle Database Vault.

The inclusion of Oracle Database Vault provides the DV_OWNER and DV_ACCTMGR roles. The DV_OWNER role manages the database roles and configuration, and the DV_ACCTMGR role manages user accounts. As with all Oracle Database roles, grant these roles only to those users who are responsible for the tasks associated with the role.

Be aware that Oracle Database Vault revokes some privileges from several roles supplied by the Oracle database roles, including SYS and SYSTEM. Oracle Database Vault Administrator's Guide describes roles and privileges that Oracle Database Vault affects. Remember that only the user who has been granted the DV_ACCTMGR role can create, alter, and drop users. However, the DV_ACCTMGR user cannot grant these roles to these users. Only the user who has been granted the AV_ADMIN role can grant the AV_ADMIN and AV_AUDITOR roles to another user.

Table 5-2 shows the roles and privileges an administrative user is granted when that user is granted and Oracle Audit Vault or Oracle Database Vault roles. For detailed information about the Oracle Audit Vault or Oracle Database Vault roles, see Section 1.5.

Table 5-2 Roles and Privileges Granted to Audit Vault or Database Vault Administrators

Role Granted to User Roles Granted to This Role Privileges Granted

AV_ADMIN

SELECT_CATALOG_ROLE

AQ_ADMINISTRATOR_ROLE

AV_AUDITORFoot 1 

AV_AGENT

XDBADMIN

CREATE SESSION

GRANT ANY ROLE

AV_AUDITOR

SELECT_CATALOG_ROLE

CREATE SESSION

AV_AGENT

No additional roles granted

CREATE SESSION

CREATE ANY VIEW

DV_ACCTMGR

DV_PUBLIC

CONNECT

CREATE SESSION

CREATE USER

ALTER USER

DROP USER

CREATE PROFILE

ALTER PROFILE

DROP PROFILE

DV_OWNER

DV_PUBLIC

CONNECT

DV_ADMIN

DV_SECANALYST

CREATE SESSION

GRANT ANY ROLE

ALTER ANY TRIGGER

ADMINISTER DATABASE TRIGGER


Footnote 1 The AV_ADMIN role is granted the AV_AUDITOR role only if you did not create the AV_AUDITOR user during installation.

Table 5-3 shows other database core accounts that are created in the default Oracle Audit Vault installation. Oracle Audit Vault permits operating system authentication to the database. It disables remote authentication to the database if you try to use the SYSDBA privilege, but if it is needed, you can enable it by using a password file. See the sections that discuss postinstallation tasks in the Oracle Audit Vault Installation Guide for more information about unlocking and resetting user passwords and enabling or disabling connections with the SYSDBA privilege.

Table 5-3 Database Core Accounts Created and Privileges Use

Account Privileges Privilege In Use Password to Use

SYS

SYSTEM

SYSMAN

DBSNMP

ManyFoot 1 

Yes

Use same password as user granted AV_ADMIN role for basic installation or password may be set separately in advanced installation

SYS AS or

/ AS

SYSDBA

Yes, allowed

Operating system authentication to the database is enabled by default.

SYS AS

SYSDBA

No, not allowed for remote connection

To use for remote connection, user must create a password file to enable its use. Password is set when password file is created.

SYS AS

SYSOPER

Yes, allowed

Use same password as user granted AV_ADMIN role


Footnote 1 To find the privileges associated with the user account, log in to SQL*Plus as the user and then run the following query: SELECT * FROM SESSION_ROLES;

5.6 Managing Certificates for Oracle Audit Vault HTTPS/SSL Protocols

This section contains:

5.6.1 About Configuring Self-Signed Certificates

Oracle Audit Vault is configured to use the HTTPS/SSL protocol out-of-the-box with self-signed certificates. This includes the Oracle Enterprise Manager Web URL and Audit Vault Console URL. This section explains how you can replace the Oracle Enterprise Manager and Oracle Audit Vault Web administration self-signed certificates if you need to.

See Also:

Oracle Database Security Guide for more information about PKI-based authentication, digital certificates, secure external password stores, and Oracle wallets.

5.6.2 Replacing Oracle Enterprise Manager Self-Signed Certificates

You can replace Oracle Enterprise self-signed certificates with third-party certificates. For more information, see "Configuring Third Party Certificates" in the following version of Oracle Enterprise Manager Advanced Configuration:

http://docs.oracle.com/cd/B16240_01/doc/em.102/e10954/security2.htm#sthref474

5.6.3 Replacing the Audit Vault Console's Self-Signed Certificates

You can replace the Audit Vault Console's self-signed certificates with third-party certificates. Before you can replace the self-signed certificate with a third-party certificate, you must remove the existing self-signed certificate.

To replace the Audit Vault Console self-signed certificates:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Run the avca remove_cert command to remove the existing self-signed certificate.

    For example:

    avca remove_cert -certdn cn=myserver
    

    Ensure that the value you provide for the -certdn matches that of the self-signed certificate. You can find this value by logging into the Audit Vault Console as a user who has been granted the AV_AUDITOR role and then looking for the phrase Subject Name in the certificate that is displayed in the browser.

    See Section 7.18 for more information about avca remove_cert.

  3. Run the avca generate_csr command to generate a certificate request that matches your needs.

    For example:

    avca generate_csr -certdn CN=myserver.mydomain -keysize 2048 -out /tmp/cert_req.out
    

    Provide a value for the -certn argument here that suits your organizational needs. Oracle recommends a key size of 2048. The generated certificate request is stored in the full path that you provide for the -out argument.

    See Section 7.12 for more information about avca generate_csr.

  4. Ask your third-party certificate authority (CA) or organizational certificate authority to sign the certificate request.

    Consult your IT department on how to get this certificate request signed by your appropriate certification authority. At the end of this process, you should be having the following:

    • Organizational certificate authority's certificate (or certificate chain)

    • End-entity certificate (based on the request generated from Step 3)

  5. Run the avca import_cert command to import the organizational or third-party CA certificate.

    For example:

    avca import_cert -cert /home/rahanum/openssl/ca_cert.cer -trusted
    

    Because this is a trusted certificate, ensure that you specify the -trusted flag.

    See Section 7.14 for more information about avca import_cert.

  6. Run the avca import_cert command to import the end-entity certificate.

    Because this certificate is an end-entity certificate, do not specify the -trusted flag.

    For example:

    avca import_cert -cert /home/rahanum/openssl/ee_cert.cer
    
  7. Run the following commands in the order shown to restart the Audit Vault Server.

    From the command line:

    avctl stop_av
    lsnrctl stop listener_AV_SID
    

    Log into SQL*Plus for the Audit Vault Server and run the following command:

    shutdown
    

    From the command line:

    lsnrctl start listener_AV_SID
    

    Log into SQL*Plus for the Audit Vault Server and run the following command:

    startup
    

    From the command line:

    avctl start_av