5 Managing Oracle Audit Vault Security


5.1 About Managing Oracle Audit Vault Security

This chapter explains how to manage Oracle Audit Vault security. You should perform Oracle Audit Vault security tasks in this order of importance:

  1. Secure management communication between the Oracle Audit Vault Server and collection agent, described in Section 5.6.

  2. Manage user authentication metadata, described in Section 5.3.

Section 5.5 explains how Oracle Database Vault protects audit data and provides strong access control.

5.2 Managing Oracle Audit Vault User Accounts

During the Oracle Audit Vault installation process, you created the following two system-generated user accounts:

  • Audit Vault administrator account. This user account is responsible for the administrative tasks described in this manual, and is granted the AV_ADMIN role.

  • Audit Vault auditor account. This user account is responsible for the auditing tasks described in Oracle Audit Vault Auditor's Guide, and is granted the AV_AUDITOR role.

As a best practice, you should use these two user accounts only as back-up accounts, and grant the appropriate Audit Vault role to the users who are responsible for the day-to-day Oracle Audit Vault operations. Each user account must have its own user name and password. For example, if your site requires two Audit Vault administrators and six auditors, then grant the administrators the AV_ADMIN role and the auditors the AV_AUDITOR role. Or, for example, if all your administrators are granted the SEC_ADMIN role and everyone who has the SEC_ADMIN role must also administer Oracle Audit Vault, then grant the AV_ADMIN role to the SEC_ADMIN role.

This way, if an Audit Vault administrator or auditor leaves the department or your company, then you only need to revoke the role from this user. If all the users who have been granted a particular role leave your company, then you can use the back-up Audit Vault user account that you created during installation to grant the role to new users. The danger of relying on the default user accounts that you created during installation is that if multiple users use the account, then they all can log in using the same user account and password. Shared passwords make your system less secure.

Similarly, you should grant the DV_OWNER and DV_ACCTMGR roles to individual users, and only use the DV_OWNER and DV_ACCTMGR accounts that you created during installation as back-up accounts. This is particularly important in the case where a user must have his or her password reset, because only a user who has been granted the DV_ACCTMGR role or the ALTER USER privilege can set passwords.

In addition to the AV_ADMIN and AV_AUDITOR roles, a default Oracle Audit Vault installation provides a set of administrative roles that you can use to manage Oracle Audit Vault. These roles support separation of duty. See Table 5-1 for more information.

To create user accounts for use with Oracle Audit Vault:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. If you must create new user accounts, then log in to SQL*Plus as a user who has been granted the CREATE USER privilege or the DV_ACCTMGR role, and create the user accounts.

    For example:

    sqlplus avadmindva
    Enter password: password
    Connected.
    
    SQL> CREATE USER tjones IDENTIFIED BY password;  -- The AV_ADMIN user
    SQL> CREATE USER psmith IDENTIFIED BY password;  -- The AV_AUDITOR user
    
  3. Connect as a user who has been granted the AV_ADMIN role and then grant the AV_ADMIN and AV_AUDITOR roles to these users.

    For example:

    SQL> CONNECT avadmin
    Enter password: password
    Connected.
    
    SQL> GRANT AV_ADMIN TO tjones;    -- The AV_ADMIN user
    SQL> GRANT AV_AUDITOR TO psmith;  -- The AV_AUDITOR user
    
  4. Repeat these steps to create individual accounts to be granted the DV_OWNER and DV_ACCTMGR roles.

    For the role grants, do the following:

    • When you are ready to grant the DV_OWNER role to the user, connect as a user who has been granted the DV_OWNER role.

    • When you are ready to grant the DV_ACCTMGR role to the user, connect as a user who has been granted the DV_ACCTMGR role.

    See Table 1-7 for more information about these roles.

  5. Optionally, audit the actions of the user who has been granted the AV_ADMIN role.
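The procedure above as one SQL*Plus script, added here as an example; it is not taken from the Oracle manual. The user names tjones, psmith, avadmindva and avadmin are the manual's example names, the passwords are placeholders, and the PASSWORD EXPIRE clause and the two AUDIT statements are additions that force a first-login password change and implement the optional Step 5. The CREATE USER statements run as the DV_ACCTMGR user and the GRANT statements as the AV_ADMIN user, as the steps describe.

```sql
-- Added example (not from the Oracle Audit Vault manual).
-- Run in SQL*Plus on the Audit Vault Server. tjones and psmith are the
-- manual's example names; the passwords are placeholders to be replaced.

-- Step 2: connect as a user with CREATE USER or the DV_ACCTMGR role
-- (avadmindva in the manual's example). PASSWORD EXPIRE makes each person
-- choose a new password at first login, so the provisioning password is
-- never a long-term shared secret.
CONNECT avadmindva
CREATE USER tjones IDENTIFIED BY "Placeh0lder-Admin" PASSWORD EXPIRE;  -- the AV_ADMIN user
CREATE USER psmith IDENTIFIED BY "Placeh0lder-Audit" PASSWORD EXPIRE;  -- the AV_AUDITOR user

-- Step 3: only a holder of AV_ADMIN can grant the Audit Vault roles.
CONNECT avadmin
GRANT AV_ADMIN   TO tjones;
GRANT AV_AUDITOR TO psmith;

-- Step 5 (optional): record every statement and every privilege use by the
-- new administrator, one audit record per action (traditional auditing).
-- These statements need the AUDIT SYSTEM privilege, which the roles in
-- Table 5-2 do not carry, so run them as a user who has it.
AUDIT ALL BY tjones BY ACCESS;
AUDIT ALL PRIVILEGES BY tjones BY ACCESS;

-- Check: who holds the Audit Vault and Database Vault roles. Expect only
-- named individuals plus the installation-time back-up accounts.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('AV_ADMIN', 'AV_AUDITOR', 'DV_OWNER', 'DV_ACCTMGR')
 ORDER BY granted_role, grantee;

-- When an administrator or auditor leaves, revoking the role is all that is
-- needed; the back-up account can grant it to a successor later.
-- REVOKE AV_AUDITOR FROM psmith;
```

The final query is the check to repeat periodically: any grantee in its result that is neither a named person nor one of the installation accounts means a role has been handed to a shared or forgotten account.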

5.3 Managing Authentication Metadata Using Oracle Advanced Security

As part of the Audit Vault Server and the Oracle Audit Vault collection agent installation, two wallets are created. One wallet resides on the Audit Vault Server and contains the credentials of the AV_ADMIN user. The Audit Vault Console uses this wallet to communicate with the Oracle Audit Vault database. The Audit Vault Console provides the management service that initiates the communication with collection agents using HTTP. Audit Vault Configuration Assistant (AVCA) modifies the Database Control console server.xml file and other related files to enable Oracle Audit Vault management through the Oracle Enterprise Manager Database Control console. The wallet is located in the $ORACLE_HOME/network/admin/avwallet directory.

The other wallet resides on the Audit Vault collection agent and contains the AV_AGENT credentials. The collection agent uses this wallet to get configuration data from Oracle Audit Vault. This wallet is located in the $ORACLE_HOME/network/admin/avwallet directory. This wallet also contains the credentials used by the collectors to communicate with the source database (Oracle Database, Microsoft SQL Server database, Sybase ASE, or IBM DB2 database). The three ORCLDB collectors, the MSSQLDB collector, the SYBDB collector, and the DB2 collector all use these credentials to connect to the source database and to:

  • Open a connection to the source database to read, extract, and send audit records to the Audit Vault repository

  • Obtain metadata and metrics for all the collectors

  • Start and stop the collectors

  • Obtain audit settings as part of Audit Settings management for ORCLDB collectors

  • Obtain user entitlement information for ORCLDB collectors

The Oracle wallet is a password-protected container that stores credentials, such as certificates, authentication credentials, and private keys, all of which are used by SSL for strong authentication. You can manage Oracle wallets by using Oracle Wallet Manager. Oracle Wallet Manager can perform tasks such as wallet creation, certificate request generation, and importing certificates into the wallet.

Oracle Audit Vault uses third-party network authentication services (PKI-based authentication) to authenticate its user clients. Authentication systems based on public key infrastructure (PKI) issue digital certificates to user clients, which use them to authenticate directly to servers in the enterprise without involving an authentication server. These user certificates, along with the private key of the user and the set of trust points of a user (trusted certificate authorities), are stored in Oracle wallets.

5.4 Changing Oracle Audit Vault User Passwords on a Regular Basis


5.4.1 About Oracle Audit Vault User Passwords

You should have a policy in place for changing passwords for the Oracle Audit Vault user accounts. For example, you may require that users change their passwords on a regular basis, such as every 120 days, and that they create passwords that are not easily guessed.
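One way to enforce the rotation policy described above inside the database rather than by convention, added here as an example and not taken from the Oracle manual. The profile name AV_USERS and the limits are assumptions for a 120-day policy; VERIFY_FUNCTION is the password complexity function that the Oracle-supplied script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql creates when run as SYS. The statements run as a user who has the DV_ACCTMGR role, which Table 5-2 shows carries CREATE PROFILE, ALTER PROFILE and ALTER USER.

```sql
-- Added example (not from the Oracle Audit Vault manual).
-- Run in SQL*Plus on the Audit Vault Server as a DV_ACCTMGR user.
-- Profile name and limits are assumptions for a 120-day rotation policy.
CREATE PROFILE av_users LIMIT
  PASSWORD_LIFE_TIME        120          -- force a change every 120 days
  PASSWORD_GRACE_TIME       7            -- warn for a week before the account locks
  PASSWORD_REUSE_TIME       365          -- no reuse of a password within a year
  PASSWORD_REUSE_MAX        10           -- and not within the last 10 passwords
  FAILED_LOGIN_ATTEMPTS     5            -- lock after 5 consecutive failures
  PASSWORD_LOCK_TIME        1/24         -- for one hour
  PASSWORD_VERIFY_FUNCTION  verify_function;  -- complexity check from utlpwdmg.sql

-- Assign the profile to the individual administrator and auditor accounts
-- (tjones and psmith are the manual's example names from Section 5.2).
ALTER USER tjones PROFILE av_users;
ALTER USER psmith PROFILE av_users;

-- Caution: do not put an expiring profile on the AV_AGENT or AVREPORTUSER
-- accounts unless the wallet update in Table 5-1 is scheduled alongside it;
-- the collectors authenticate with the wallet copy of that password, and an
-- expired password stops audit collection rather than prompting anyone.

-- Review: expiry status of every account that holds an Audit Vault role or
-- uses the profile, overdue and already-expired accounts first.
SELECT u.username, u.account_status, u.expiry_date, u.profile
  FROM dba_users u
 WHERE u.profile = 'AV_USERS'
    OR u.username IN (SELECT grantee
                        FROM dba_role_privs
                       WHERE granted_role IN ('AV_ADMIN', 'AV_AUDITOR'))
 ORDER BY u.expiry_date NULLS FIRST;
```

The review query is what turns the written policy into something you can check: an AV_ADMIN or AV_AUDITOR holder that still has the DEFAULT profile, or an EXPIRED(GRACE) status, shows up immediately.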

Table 5-1 summarizes guidelines that you must follow when you change passwords for the Oracle Audit Vault user accounts.

Table 5-1 Storage Location of Audit Vault and Source User Name Passwords

Audit Vault Role or User | Is Password Stored in Wallet? | How Do I Change the Password?

AV_ADMIN role
  Stored in wallet: Yes
  How to change the password:
    1. If the system-generated AV_ADMIN user account password changes, then use the ALTER USER SQL statement to change the password of this user in the database. (You do not need to change the password for other users who have been granted the AV_ADMIN role.)
    2. Use the avca create_credential command to change the password in the wallet in the Audit Vault Server home.
  See Section 5.4.2.

AVREPORTUSER user
  Stored in wallet: Yes
  How to change the password:
    1. Use the ALTER USER SQL statement to change the password of this user in the database.
    2. Use the avca create_credential command to change the password in the wallet in the Audit Vault Server home.
  See Section 5.4.3.

AV_AGENT role
  Stored in wallet: Yes
  How to change the password:
    1. Use the ALTER USER SQL statement to change the password of this user in the database.
    2. Use the avca create_credential command to change the password in the wallet in the Audit Vault collection agent home.
  See Section 5.4.4.

Source user on source database
  Stored in wallet: Yes
  How to change the password:
    1. For Oracle Database source user accounts, use the ALTER USER SQL statement in the source database to change the password.
    2. For Oracle, SQL Server, and Sybase source database types, run the setup command of the AVORCLDB, AVMSSQLDB, or AVSYBDB utility to change the password in the wallet in both the Audit Vault Server and Audit Vault collection agent home.
    3. For IBM DB2 databases, you only need to change the password of the designated user account. (The AVDB2DB utility has no setup command.)
  See Section 5.4.5.

AV_AUDITOR role
  Stored in wallet: No
  How to change the password: Use the ALTER USER SQL statement in the Audit Vault Server home to change this user's password.
  See Section 5.4.6.


5.4.2 Changing the AV_ADMIN User Password

After you have updated the AV_ADMIN user account using the ALTER USER SQL statement, you must update the password credentials of this user.

To change the password of a user who has been granted the AV_ADMIN role:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the user whose password you must change, another user who has been granted the ALTER USER privilege, or a user with the DV_ACCTMGR role, and then change the password.

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    
    SQL> ALTER USER avsmith IDENTIFIED BY password;
    
  3. Exit SQL*Plus.

    If this user was granted the AV_ADMIN role after the Oracle Audit Vault installation, then you have completed this procedure. Otherwise, if the AV_ADMIN user account had been created during the Audit Vault installation, then go to Step 4.

  4. Run the avca create_credential command to change the password credentials of the AV_ADMIN user.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias av
    
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: avadminuser
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

    In this example, the dbalias parameter specifies the Audit Vault Server SID in the Audit Vault Server home. You can find this information by running the lsnrctl status listener_AV_SID command on the computer where you installed the Audit Vault Server. For detailed information about using the avca create_credential command, see Section 7.4.

5.4.3 Changing the AVREPORTUSER Password

The AVREPORTUSER account is an internal account that is used to manage Audit Vault reports.

To update the AVREPORTUSER password:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the user whose password you must change, another user who has been granted the ALTER USER privilege, or a user with the DV_ACCTMGR role, and then change the password.

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    
    SQL> ALTER USER avreportuser IDENTIFIED BY password;
    
  3. Run the avca create_credential command using av_auditor_user for the dbalias parameter.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias av_auditor_user
    
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: AVREPORTUSER
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

5.4.4 Changing the AV_AGENT Password

When you change the AV_AGENT user password, you must also update this user's credentials for each agent that connects to the Audit Vault Server as the AV_AGENT user account.

To change the password credentials for the AV_AGENT user account:

  1. Open a shell or command prompt for the Audit Vault collection agent.

    • UNIX: Set the environment variables, as described in Section 2.2.3.

    • Microsoft Windows: Go to the collection agent ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the Audit Vault AV_AGENT user, and then use the ALTER USER SQL statement to change the AV_AGENT user password.

    For example:

    sqlplus /@av
    Enter password: password
    Connected.
    
    SQL> ALTER USER avagent_usr IDENTIFIED BY password;
    

    If you do not have the AV_AGENT user password, then contact the AV_ADMIN user and ask them to recreate this password.

  3. Access the shell or command prompt used for the Audit Vault collection agent.

  4. For each agent that connects to the server as the AV_AGENT user account, run the avca create_credential command to update the locally cached credentials with the new password.

    For example:

    avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias av
    AVCA started
    Storing user credentials in wallet... 
    Enter source user username: avagentuser
    Enter source user password: password
    Re-enter source user password: password
    Create credential Modify credential
    Modify 2
    done.
    

    For detailed information about using the avca create_credential command, see Section 7.4.

5.4.5 Changing the Source User Password

After you have changed the password of the source database user account in the source database, you must update the credentials stored for this account in the Audit Vault Server and collection agent wallets.

To change the password credentials for the source user account:

  1. In the source database, change the password for the source database user.

    For an Oracle Database source, use the ALTER USER SQL statement to change the password.

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    SQL> ALTER USER srcuser_ora IDENTIFIED BY password;
    

    For source user accounts created for Microsoft SQL Server, Sybase ASE, and IBM DB2, log in to the appropriate source database and then change the password there.

  2. Open a shell or command prompt for the Audit Vault collection agent.

    • UNIX: Set the environment variables, as described in Section 2.2.3.

    • Microsoft Windows: Go to the collection agent ORACLE_HOME\bin directory.

  3. For Oracle Database, SQL Server, and Sybase: Run the appropriate setup command on the collection agent to configure the source user password. (Ensure that you only run this command on the agent, not the server.)

    • Oracle Database source databases: Run the avorcldb setup command (see Section 9.9). For example:

      avorcldb setup -srcname hrdb.example.com
      Enter Source user name: srcuser_ora
      Enter Source password: password
      
    • SQL Server source databases: Run the avmssqldb setup command (Section 10.9). For example:

      avmssqldb setup -srcname mssqldb4
      Enter a username : source_user_name
      Enter a password : password
      
    • Sybase ASE source databases: Run the avsybdb setup command (Section 11.9). For example:

      avsybdb setup -srcname sybdb4 
      Enter a username : source_user_name
      Enter a password : password
      
  4. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  5. For Oracle Database, SQL Server, and Sybase: Run the appropriate setup command on the Audit Vault Server to configure the source user password. (This time, ensure that you run this command on the server, not the agent; the wallet in each home must be updated.)

    • Oracle Database source databases: Run the avorcldb setup command (see Section 9.9). For example:

      avorcldb setup -srcname hrdb.example.com
      Enter Source user name: srcuser_ora
      Enter Source password: password
      
    • SQL Server source databases: Run the avmssqldb setup command (Section 10.9). For example:

      avmssqldb setup -srcname mssqldb4
      Enter a username : source_user_name
      Enter a password : password
      
    • Sybase ASE source databases: Run the avsybdb setup command (Section 11.9). For example:

      avsybdb setup -srcname sybdb4 
      Enter a username : source_user_name
      Enter a password : password
      
  6. For IBM DB2 databases: The avdb2db utility has no setup command. For IBM DB2 databases, you only need to change the password of the designated user account.

5.4.6 Changing the AV_AUDITOR Password

To change the password of a user who has been granted the AV_AUDITOR role, change the password in the Audit Vault database (in the Audit Vault Server home) by using the ALTER USER SQL statement. Because this password is not stored in a wallet (see Table 5-1), no avca create_credential step is needed. Log in as the Database Vault Account Manager, that is, a user who has been granted the DV_ACCTMGR role.

For example:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Log in to SQL*Plus as the Database Vault Account Manager (that is, a user who has been granted the DV_ACCTMGR role).

    For example:

    sqlplus dvsmith
    Enter password: password
    Connected.
    SQL>
    
  3. Use the ALTER USER SQL statement to change the AV_AUDITOR user account.

    For example:

    SQL> ALTER USER avauditorusr IDENTIFIED BY password;
    

5.4.7 Ensuring That All Changed User Name Passwords Work Correctly

To test the changed passwords for users who have been granted the AV_ADMIN and AV_AUDITOR roles, log in to the Audit Vault Console as the Audit Vault administrator and then as the Audit Vault auditor. See Section 3.2.3 for instructions on logging in to the Audit Vault Console. If the login is not successful, repeat the procedures described in this section to re-create the passwords, and then retest them.

For the AV_ADMIN role, you must also test that the credentials were stored correctly in the wallet.

Follow these steps:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. In SQL*Plus, log in to the Audit Vault Server using the credentials in the wallet, that is, without giving a user name or password on the command line.

    For example, assuming the SID of the Audit Vault Server is av:

    sqlplus /@av
    

    If the connection succeeds without prompting for a password, then the AV_ADMIN credentials stored in the wallet are correct. If it fails, repeat the procedure in Section 5.4.2 and retest.

To test the AV_AGENT and source database user account passwords, stop the collection agents, and then restart the collection agent and each collector. See Chapter 8 for information about the commands you use to perform this test. If you are able to collect new audit records, then the AV_AGENT and source database user account passwords are working. If you cannot collect audit records, then check the log files (see Appendix A for more information) to determine which user name password might be the cause of the problem. If necessary, re-create the passwords and then retest them.

5.5 Using Oracle Database Vault within Oracle Audit Vault

By default, Oracle Database Vault is enabled in the Audit Vault Server. Oracle Database Vault restricts access to the data in the Audit Vault Server from any user, including users who have administrative access. For Oracle Audit Vault, Oracle Database Vault protects the Audit Vault Server by using a realm. To ensure that the data in the Audit Vault Server is protected, do not disable Oracle Database Vault.

The inclusion of Oracle Database Vault provides the DV_OWNER and DV_ACCTMGR roles. The DV_OWNER role manages the database roles and configuration, and the DV_ACCTMGR role manages user accounts. As with all Oracle Database roles, grant these roles only to those users who are responsible for the tasks associated with the role.

Be aware that Oracle Database Vault revokes some privileges from several Oracle Database-supplied roles and accounts, including SYS and SYSTEM. Oracle Database Vault Administrator's Guide describes the roles and privileges that Oracle Database Vault affects. Remember that only a user who has been granted the DV_ACCTMGR role can create, alter, and drop users. However, the DV_ACCTMGR user cannot grant the Oracle Audit Vault roles to those users: only a user who has been granted the AV_ADMIN role can grant the AV_ADMIN and AV_AUDITOR roles to another user.

Table 5-2 shows the roles and privileges an administrative user receives when that user is granted an Oracle Audit Vault or Oracle Database Vault role. For detailed information about the Oracle Audit Vault or Oracle Database Vault roles, see Section 1.5.

Table 5-2 Roles and Privileges Granted to Audit Vault or Database Vault Administrators

Role Granted to User | Roles Granted to This Role | Privileges Granted

AV_ADMIN
  Roles granted to this role: SELECT_CATALOG_ROLE, AQ_ADMINISTRATOR_ROLE, AV_AUDITOR (see Footnote 1), AV_AGENT, XDBADMIN
  Privileges granted: CREATE SESSION, GRANT ANY ROLE

AV_AUDITOR
  Roles granted to this role: SELECT_CATALOG_ROLE
  Privileges granted: CREATE SESSION

AV_AGENT
  Roles granted to this role: No additional roles granted
  Privileges granted: CREATE SESSION, CREATE ANY VIEW

DV_ACCTMGR
  Roles granted to this role: DV_PUBLIC, CONNECT
  Privileges granted: CREATE SESSION, CREATE USER, ALTER USER, DROP USER, CREATE PROFILE, ALTER PROFILE, DROP PROFILE

DV_OWNER
  Roles granted to this role: DV_PUBLIC, CONNECT, DV_ADMIN, DV_SECANALYST
  Privileges granted: CREATE SESSION, GRANT ANY ROLE, ALTER ANY TRIGGER, ADMINISTER DATABASE TRIGGER


Footnote 1 The AV_ADMIN role is granted the AV_AUDITOR role only if you did not create the AV_AUDITOR user during installation.
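A query that compares the live grants with Table 5-2 so that drift, such as an extra system privilege granted to AV_AGENT, is caught. It is added here as an example and is not part of the Oracle manual. The expected list is transcribed from the privileges column of Table 5-2; run it as the AV_ADMIN user, whose SELECT_CATALOG_ROLE (see Table 5-2) allows reading the DBA_* views.

```sql
-- Added example (not from the Oracle Audit Vault manual).
-- Expected privileges are those listed in Table 5-2; the live state comes
-- from DBA_SYS_PRIVS. Only differences are reported, so an empty result is
-- the healthy outcome.
WITH expected AS (
  SELECT 'AV_ADMIN'   AS role_name, 'CREATE SESSION'              AS privilege FROM dual UNION ALL
  SELECT 'AV_ADMIN',               'GRANT ANY ROLE'                           FROM dual UNION ALL
  SELECT 'AV_AUDITOR',             'CREATE SESSION'                           FROM dual UNION ALL
  SELECT 'AV_AGENT',               'CREATE SESSION'                           FROM dual UNION ALL
  SELECT 'AV_AGENT',               'CREATE ANY VIEW'                          FROM dual UNION ALL
  SELECT 'DV_ACCTMGR',             'CREATE SESSION'                           FROM dual UNION ALL
  SELECT 'DV_ACCTMGR',             'CREATE USER'                              FROM dual UNION ALL
  SELECT 'DV_ACCTMGR',             'ALTER USER'                               FROM dual UNION ALL
  SELECT 'DV_ACCTMGR',             'DROP USER'                                FROM dual UNION ALL
  SELECT 'DV_ACCTMGR',             'CREATE PROFILE'                           FROM dual UNION ALL
  SELECT 'DV_ACCTMGR',             'ALTER PROFILE'                            FROM dual UNION ALL
  SELECT 'DV_ACCTMGR',             'DROP PROFILE'                             FROM dual UNION ALL
  SELECT 'DV_OWNER',               'CREATE SESSION'                           FROM dual UNION ALL
  SELECT 'DV_OWNER',               'GRANT ANY ROLE'                           FROM dual UNION ALL
  SELECT 'DV_OWNER',               'ALTER ANY TRIGGER'                        FROM dual UNION ALL
  SELECT 'DV_OWNER',               'ADMINISTER DATABASE TRIGGER'              FROM dual
),
actual AS (
  SELECT grantee AS role_name, privilege
    FROM dba_sys_privs
   WHERE grantee IN ('AV_ADMIN', 'AV_AUDITOR', 'AV_AGENT', 'DV_ACCTMGR', 'DV_OWNER')
)
SELECT COALESCE(a.role_name, e.role_name) AS role_name,
       COALESCE(a.privilege, e.privilege) AS privilege,
       CASE
         WHEN e.role_name IS NULL THEN 'UNEXPECTED: not in Table 5-2, investigate who granted it'
         WHEN a.role_name IS NULL THEN 'MISSING: role no longer matches the documented definition'
       END AS finding
  FROM actual a
  FULL OUTER JOIN expected e
    ON e.role_name = a.role_name
   AND e.privilege = a.privilege
 WHERE a.role_name IS NULL
    OR e.role_name IS NULL
 ORDER BY 1, 2;

-- The middle column of Table 5-2 (roles nested inside each role) has no
-- single expected list because AV_AUDITOR is nested in AV_ADMIN only in
-- some installations (see Footnote 1), so list it for review instead.
SELECT grantee AS role_name, granted_role
  FROM dba_role_privs
 WHERE grantee IN ('AV_ADMIN', 'AV_AUDITOR', 'AV_AGENT', 'DV_ACCTMGR', 'DV_OWNER')
 ORDER BY 1, 2;
```

Because roles can be nested, a privilege missing from this direct comparison may still be reachable through a granted role; the second query shows that nesting so you can follow it.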

Table 5-3 shows the other core database accounts that are created in a default Oracle Audit Vault installation. Oracle Audit Vault permits operating system authentication to the database. Remote authentication with the SYSDBA privilege is disabled by default; if you need it, enable it by creating a password file. See the sections that discuss postinstallation tasks in Oracle Audit Vault Installation Guide for more information about unlocking and resetting user passwords and enabling or disabling connections with the SYSDBA privilege.

Table 5-3 Database Core Accounts Created and Privileges Use

Account | Privileges | Privilege In Use | Password to Use

SYS, SYSTEM, SYSMAN, DBSNMP
  Privileges: Many (see Footnote 1)
  Privilege in use: Yes
  Password to use: Use the same password as the user granted the AV_ADMIN role for a basic installation; the password may be set separately in an advanced installation.

SYS AS SYSDBA or / AS SYSDBA
  Privileges: SYSDBA
  Privilege in use: Yes, allowed
  Password to use: Operating system authentication to the database is enabled by default.

SYS AS SYSDBA
  Privileges: SYSDBA
  Privilege in use: No, not allowed for remote connection
  Password to use: To use for remote connection, the user must create a password file to enable its use. The password is set when the password file is created.

SYS AS SYSOPER
  Privileges: SYSOPER
  Privilege in use: Yes, allowed
  Password to use: Use the same password as the user granted the AV_ADMIN role.

Footnote 1 To find the privileges associated with the user account, log in to SQL*Plus as the user and then run the following query: SELECT * FROM SESSION_ROLES;

5.6 Managing Certificates for Oracle Audit Vault HTTPS/SSL Protocols


5.6.1 About Configuring Self-Signed Certificates

Oracle Audit Vault is configured to use the HTTPS/SSL protocol out-of-the-box with self-signed certificates. This includes the Oracle Enterprise Manager Web URL and Audit Vault Console URL. This section explains how you can replace the Oracle Enterprise Manager and Oracle Audit Vault Web administration self-signed certificates if you need to.

See Also:

Oracle Database Security Guide for more information about PKI-based authentication, digital certificates, secure external password stores, and Oracle wallets.

5.6.2 Replacing Oracle Enterprise Manager Self-Signed Certificates

You can replace Oracle Enterprise Manager self-signed certificates with third-party certificates. For more information, see "Configuring Third Party Certificates" in the following version of Oracle Enterprise Manager Advanced Configuration:

http://docs.oracle.com/cd/B16240_01/doc/em.102/e10954/security2.htm#sthref474

5.6.3 Replacing the Audit Vault Console's Self-Signed Certificates

You can replace the Audit Vault Console's self-signed certificates with third-party certificates. Before you can replace the self-signed certificate with a third-party certificate, you must remove the existing self-signed certificate.

To replace the Audit Vault Console self-signed certificates:

  1. Open a shell or command prompt for the Audit Vault Server.

    • UNIX: Set the environment variables, as described in Section 2.2.2.

    • Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.

  2. Run the avca remove_cert command to remove the existing self-signed certificate.

    For example:

    avca remove_cert -certdn cn=myserver
    

    Ensure that the value you provide for -certdn matches that of the self-signed certificate. You can find this value by logging in to the Audit Vault Console as a user who has been granted the AV_AUDITOR role and then looking for the phrase Subject Name in the certificate that is displayed in the browser.

    See Section 7.18 for more information about avca remove_cert.

  3. Run the avca generate_csr command to generate a certificate request that matches your needs.

    For example:

    avca generate_csr -certdn CN=myserver.mydomain -keysize 2048 -out /tmp/cert_req.out
    

    Provide a value for the -certdn argument here that suits your organizational needs. Oracle recommends a key size of 2048. The generated certificate request is stored in the full path that you provide for the -out argument.

    See Section 7.12 for more information about avca generate_csr.

  4. Ask your third-party certificate authority (CA) or organizational certificate authority to sign the certificate request.

    Consult your IT department on how to get this certificate request signed by the appropriate certification authority. At the end of this process, you should have the following:

    • Organizational certificate authority's certificate (or certificate chain)

    • End-entity certificate (based on the request generated from Step 3)

  5. Run the avca import_cert command to import the organizational or third-party CA certificate.

    For example:

    avca import_cert -cert /home/rahanum/openssl/ca_cert.cer -trusted
    

    Because this is a trusted certificate, ensure that you specify the -trusted flag.

    See Section 7.14 for more information about avca import_cert.

  6. Run the avca import_cert command to import the end-entity certificate.

    Because this certificate is an end-entity certificate, do not specify the -trusted flag.

    For example:

    avca import_cert -cert /home/rahanum/openssl/ee_cert.cer
    
  7. Run the following commands in the order shown to restart the Audit Vault Server.

    From the command line:

    avctl stop_av
    lsnrctl stop listener_AV_SID
    

    Log into SQL*Plus for the Audit Vault Server and run the following command:

    shutdown
    

    From the command line:

    lsnrctl start listener_AV_SID
    

    Log into SQL*Plus for the Audit Vault Server and run the following command:

    startup
    

    From the command line:

    avctl start_av