This chapter describes how to configure and use Oracle Privileged Account Manager's auditing and logging functionality.
This chapter includes the following sections:
Section 14.1, "Understanding Oracle Privileged Account Manager Auditing"
Section 14.2, "Understanding Oracle Privileged Account Manager Logging"
Note:
If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to "Differences in Managing Oracle Privileged Account Manager Auditing and Logging" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.
Oracle Privileged Account Manager audits all security events that occur under its purview, which gives you better visibility into how privileged accounts are used within your organization and enables you to effectively manage sensitive information.
Specifically, the Oracle Privileged Account Manager audit logger logs any events that modify entity states; such as when you add, modify, or remove new accounts, targets, or policies.
The following table describes all of the event categories and event types for which an audit can be generated:
Table 14-1 Audited Oracle Privileged Account Manager Events
Event Category | Event Types | Description |
---|---|---|
Account Management |
Events related to managing principal accounts Note: A principal can be an end-user or a pseudo-user (a service within the system). |
|
Add Account |
Adding users, groups, or any other principal accounts |
|
Change Password |
Changes to user passwords |
|
Disable Account |
Disabling users, groups, or any other principal accounts |
|
Enable Account |
Enabling users, groups, or any other principal accounts |
|
Modify Account |
Modifying account attributes |
|
Query Account |
Queries to a user's account |
|
Remove Account |
Removing users, groups, or any other principal accounts |
|
Policy Management |
Events related to managing policies |
|
Create Policy |
Creating policies |
|
Delete Policy |
Deleting policies |
|
Modify Policy |
Modifying policies |
|
Query Policy |
Querying policies |
|
Target Management |
Events related to managing targets |
|
Add Target |
Adding targets |
|
Modify Target |
Modifying targets |
|
Query Target |
Querying targets |
|
Remove Target |
Removing targets |
Logging these audit events creates a processing history that allows reporting tools to gather statistics, as described in Section 14.1.2, "Understanding Oracle Privileged Account Manager Audit Reports."
You can configure Oracle Privileged Account Manager to save audit events into a database or a file. When a database is not available, Oracle Privileged Account Manager saves its audit logs into this file,
DOMAIN_HOME/servers/<opamserver>/logs/auditlogs/OPAM
You can also configure Oracle Privileged Account Manager to deploy audit reports in BI Publisher (version 11.1.1.5.0 or higher), and use BI Publisher to view audit events in the database. Reports in BI Publisher are only possible if the audit events are being pushed into a database and not a file.
The following topics provide instructions for configuring auditing in Oracle Privileged Account Manager:
Configuring File-Based Auditing in Oracle Privileged Account Manager
Configuring Database-Based Auditing in Oracle Privileged Account Manager
Deploying Oracle Privileged Account Manager Audit Reports in BI Publisher
Note:
To configure auditing for Oracle Privileged Account Manager on an IBM WebSphere server, refer to "Configuring Auditing for Oracle Privileged Account Manager" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management before starting the procedures described in this section.
This section describes how to configure file-based auditing in Oracle Privileged Account Manager.
Before starting the following configuration steps, review these publications:
"Using WLST Online or Offline" in the Oracle Fusion Middleware Oracle WebLogic Scripting Tool
"OPSS Scripts for Auditing" in the Oracle Fusion Middleware Application Security Guide for detailed information about the getAuditPolicy
, setAuditPolicy
, getAuditRepository
, and setAuditRepository
WLST audit commands used in the configuration steps.
To configure Oracle Privileged Account Manager for file-based auditing:
Start the WebLogic Scripting Tool (WLST) and connect to the Oracle WebLogic Server:
Open a command window and navigate to the following directory, which contains the WLST:
MW_HOME/oracle_common/common/bin
Start WLST by typing one of the following commands:
On UNIX, type: sh wlst.sh
On Windows, type: wlst.cmd
You know that WLST has started when the command prompt changes to wls:>/offline
.
Connect to the Oracle WebLogic Server by typing the following command:
connect('WLS_Admin_Name','WLS_Admin_Password','WLS_Machine_Name:Port')
For example,
connect('weblogic','Welcome1','localhost:7004')
WLST validates the administrator's username and password, the machine name, and the port that are associated with the WebLogic Admin Server. If all of these values are correct, WLST connects to the WebLogic Admin Server and the command prompt changes to
wls:>/base_domain/serverConfig
Note:
Refer to "Securing Access from WLST Online" in the Oracle Fusion Middleware Oracle WebLogic Scripting Tool for additional information.
To set the audit logging level for Oracle Privileged Account Manager:
If the filterPreset
parameter is set to NONE
, use the setAuditPolicy
command to change the value to All
, Medium
, or Low
, based on how much logging you want Oracle Privileged Account Manager to provide:
setAuditPolicy(filterPreset='All')
A confirmation message displays to indicate the audit logging level was successfully updated.
Note:
For a description of the different logging levels, refer to Table 14-2, "Audit Logging Levels".
Verify the current logging level for Oracle Privileged Account Manager, by typing getAuditPolicy( )
at the prompt, and then checking the filterPreset
parameter value.
To change the Repository Type to database (DB
):
Type the setAuditRepository
command as follows:
setAuditRepository(switchToDB='true')
A confirmation message displays to let you know that the audit repository was successfully updated.
You can use the WLST getAuditRepository
command to verify that the audit repository is set to database-based auditing:
getAuditRepository( )
The setAuditRepository
parameter value (as indicated by the Repository Type field) should be FILE
.
Restart both the Administration Server and the Oracle Privileged Account Manager Managed Server.
Note:
For detailed information about starting a Managed Server, refer to "Starting or Stopping the Oracle Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
You must restart both servers for your changes to take effect. After the server restarts, audit logs will start appearing in this location:
DOMAIN_HOME/servers/<opamserver>/logs/auditlogs/OPAM
This section describes how to configure Oracle Privileged Account Manager to save audit events into the Oracle database that is associated with Oracle Privileged Account Manager.
Before starting the following configuration steps,
Review these publications:
"Using WLST Online or Offline" in the Oracle Fusion Middleware Oracle WebLogic Scripting Tool
"WLST Commands for Auditing" in the Oracle Fusion Middleware Application Security Guide for detailed information about the getAuditPolicy
, setAuditPolicy
, getAuditRepository
, and setAuditRepository
WLST audit commands used in the configuration steps.
Install the following
A database
The Repository Creation Utility application, which is used to create a schema and load a repository into the database.
Note:
For information about installing and working with the Repository Creation Utility, refer to Oracle Fusion Middleware Repository Creation Utility User's Guide available at http://www.oracle.com/technology/documentation/index.html
To configure database-based auditing:
Start the WebLogic Scripting Tool (WLST) and connect to the Oracle WebLogic Server:
Open a command window and navigate to the following directory, which contains the WLST:
MW_HOME/oracle_common/common/bin
Start WLST by typing one of the following commands:
On UNIX, type: sh wlst.sh
On Windows, type: wlst.cmd
You know that WLST has started when the command prompt changes to wls:>/offline
.
Connect to the Oracle WebLogic Server by typing the following command:
connect('WLS_Admin_Name','WLS_Admin_Password','WLS_Machine_Name:Port')
For example,
connect('weblogic','Welcome1','localhost:7004')
WLST validates the administrator's username and password, the machine name, and the port that are associated with the WebLogic Admin Server. If all of these values are correct, WLST connects to the WebLogic Admin Server and the command prompt changes to
wls:>/base_domain/serverConfig
Note:
Refer to "Securing Access from WLST Online" in the Oracle Fusion Middleware Oracle WebLogic Scripting Tool for additional information.
To set the audit logging level for Oracle Privileged Account Manager:
If the filterPreset
parameter is set to NONE
, use the setAuditPolicy
command to change the value to All
, Medium
, or Low
, based on how much logging you want Oracle Privileged Account Manager to provide:
setAuditPolicy(filterPreset='All')
A confirmation message displays to indicate the audit logging level was successfully updated.
Note:
For a description of the different logging levels, refer to Table 14-2, "Audit Logging Levels".
Verify the current logging level for Oracle Privileged Account Manager, by typing getAuditPolicy( )
at the prompt, and then checking the filterPreset
parameter value.
To change the Repository Type to database (DB
):
Type the setAuditRepository
command as follows:
setAuditRepository(switchToDB='true')
A confirmation message displays to let you know that the audit repository was successfully updated.
You can use the WLST getAuditRepository
command to verify that the audit repository is set to database-based auditing:
getAuditRepository( )
The setAuditRepository
parameter value (as indicated by the Repository Type field) should be DB
.
Use the Repository Creation Utility to create and load the audit schema into the database, and then use the WebLogic Server Administrative Console to create a new JDBC data source.
A data source contains credentials that BI Publisher needs to connect to the Oracle database associated with Oracle Privileged Account Manager. BI Publisher uses this connection to retrieve data from the Oracle Privileged Account Manager database. BI Publisher then uses this data to generate reports for targets, privileged accounts, grants, and policies.
Note:
Instructions for creating the audit schema and for creating a JDBC data source are provided in the "Configuring and Managing Auditing" section of the Oracle Fusion Middleware Application Security Guide.
Restart both the Administration Server and the Oracle Privileged Account Manager Managed Server.
You must restart both servers for your changes to take effect. After restarting both servers, audit logs will start appearing in the installed database.
This section describes how to deploy Oracle Privileged Account Manager audit reports in Oracle Business Intelligence Publisher (BI Publisher), a component used to manage and deliver reports.
Use the following steps:
Install and configure BI Publisher version 11.1.1.5.0 or higher if it is not already installed.
Refer to "Configuring Oracle Business Intelligence Publisher" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator for instructions.
After installing BI Publisher, locate the following directory in the WebLogic domain:
Note:
You can deploy BI Publisher on the same host or in a different domain.
BI_DOMAIN_HOME/config/bupublisher/repository/Reports
Locate the opam_product_BIP11gReports_11_1_2_1_0.zip
file in the following directory:
ORACLE_HOME/opam/reports
Unzip this file into the Reports
folder noted in step 2 and verify that the following directory was created:
ORACLE_HOME/opam/reports/Oracle Privileged Account Manager
To set up the catalog and configure data sources, open a browser window and enter the URL for BI Publisher.
The format for this URL is
http://hostname: port/xmlpserver/
For example
http:/localhost:7001/xmlpserver/
When the BI Publisher login page displays, log in as a user with WebLogic privileges and click Sign In.
Set up the catalog as follows:
Select Administration > System Maintenance > Server Configuration.
When the System Maintenance page displays, go to the Path field in the Configuration Folder section and enter the path to your Configuration folder. For example,
BI_DOMAIN_HOME/config/bupublisher/repository
The files that contain your server configuration settings (such as the JDBC data source you created in step 4 of Section 14.1.1.2) are stored in a Configuration folder. The path to this folder is stored in the xmlp-server-config.xml
configuration file. The xmlp-server-config.xml
file is located in
BI_DOMAIN_HOME/config/bupublisher/repository/Admin/Configuration
Locate the Catalog section on the System Maintenance page and specify the following information:
Parameter Name | Parameter Value |
---|---|
Catalog Type |
Select BI Publisher - File System from the menu. |
Path |
Enter the path to the BI Publisher Catalog folder. For example,
BI_DOMAIN_HOME/config/bipublisher/repository
Caution: The path to the BI Publisher Catalog includes the Do not include the |
Note:
Because the file system contains the reports repository, the platform where you are running BI Publisher determines the case-sensitivity of folder and report names. Repository object names are not case-sensitive in a Windows-based environment, but they are case-sensitive in a UNIX-based environment.
Click Apply.
A confirmation message is displayed.
Log in as an administrator.
Click Catalog to open the Shared Folder/ Oracle Privileged Account Manager
folder.
Note:
If this folder does not display, restart the application from the WebLogic console.
One JDBC (Oracle Privileged Account Manager JDBC) connection is required for Oracle Privileged Account Manager reports. Use the following steps to define an Oracle Privileged Account Manager JDBC connection and define the data sources:
Click the Administration link found on the right side of the BI Publisher page.
The BI Publisher Administration page displays. (Note the Data Sources section on this page.)
Click the JDBC Connection link found in the Data Sources section.
When the Data Sources page displays, click Add Data Source in the JDBC section to create a JDBC connection to your database.
On the Add Data Source page, enter the following information:
Data Source Name |
|
---|---|
Driver Type |
Select a driver type to suit your database (for example, Oracle 10g or Oracle 11g). |
Database Driver Class |
|
Connection String |
Provide the database connection details. |
User name |
Provide the Oracle Privileged Account Manager Audit DB user name. |
Password |
Provide the Oracle Privileged Account Manager Audit DB user password. |
If the connection to the database is established, a confirmation message is displayed indicating the success.
Click Apply.
You should see this newly defined connection (Oracle Privileged Account Manager JDBC) in the list of JDBC Data Sources.
Navigate to Oracle Privileged Account Manager Audit Reports.
The Catalog page is displayed as a tree structure on the left side of the page with details on the right.
Expand Shared Folders
and select the Oracle Privileged Account Manager
folder to view all of the objects in that folder.
Use Oracle Identity Navigator to configure a connection to the BI Publisher server.
Refer to "Creating a Connection to BI Publisher" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator for the necessary instructions.
When you configure the connection successfully, the My Reports section of the Oracle Identity Navigator Dashboard page will contain the link, Click here to create reports. In addition, users with the Security Auditor role can now perform the following tasks:
View Oracle Identity Management BI Publisher reports and audit reports
Note:
Oracle Privileged Account Manager provides a set of out-of-the box audit reports that are integrated with BI Publisher 11g and the Oracle Fusion Middleware Audit Framework. Oracle Privileged Account Manager generates these reports based on audit events logged in the audit store. Refer to Section 14.2, "Understanding Oracle Privileged Account Manager Logging" for more information.
Select and add reports to the My Reports list
View and run any reports for which you have access privileges
You can now navigate in BI Publisher and use the Oracle Privileged Account Manager 11g BI reports.
To change the amount of audit logging provided by Oracle Privileged Account Manager, use the following steps:
Launch an application server shell (WLST) and establish a connection to the Oracle WebLogic Server as described in step 4 of Section 14.1.1.2, "Configuring Database-Based Auditing in Oracle Privileged Account Manager."
Note:
Refer to "Securing Access from WLST Online" in the Oracle Fusion Middleware Oracle WebLogic Scripting Tool for more information.
Use the getAuditPolicy
command to get the current audit policy.
If the FilterPreset field is set to NONE
, use the setAuditPolicy
command to change the value. Choose one of the options noted in Table 14-2, depending on the type of events to be audited:
Note:
Refer to "getAuditPolicy" and "setAuditPolicy" in the Oracle Fusion Middleware Application Security Guide for detailed information about these WLST audit commands.
Table 14-2 Audit Logging Levels
Option | Logged Events |
---|---|
All |
Logs all event types. |
Medium |
Logs the following event types:
|
Low |
Logs the following event types:
|
None |
No logging is performed. |
Restart the Oracle Privileged Account Manager server.
Note:
For detailed information about starting a Managed Server, refer to "Starting or Stopping the Oracle Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
After the server restarts, audit logs will start appearing in this location:
DOMAIN_HOME/servers/<opamserver>/logs/auditlogs/OPAM
Oracle Privileged Account Manager supplies a set of default audit reports that are integrated with BI Publisher 11g and the Oracle Fusion Middleware Audit Framework. Oracle Privileged Account Manager generates these reports based on the audit events logged in the audit store.
The default audit report types include:
Accounts Checkin Checkout Report: Provides account checkout and check-in history.
All Events Report: Includes all audit events that have been logged in the audit store.
Error Events Report: Provides information about any errors that occur in Oracle Privileged Account Manager, such as authentication and authorization failures.
General Report: Provides information about events related to checking in, checking out, or modifying privileged accounts and events related to queries about privileged accounts and targets.
Target Management Report: Provides information about events related to adding, modifying, querying, or removing targets.
Oracle Privileged Account Manager audit reports can show who checked out an account and on which system it was checked out, justifications, requests for a system that is already checked out, and requests for a system to which a user does not have privileges.
For example, the following figure shows a typical Oracle Privileged Account Manager audit report as viewed in BI Publisher.
Note:
You can view Oracle Privileged Account Manager audit reports in BI Publisher.
Notice that this report provides the following information:
Event: Type of event that occurred
Status: Event results, where 1 is success and 0 is a failure
User ID: User that initiated the event
Target: Target on which the event occurred
Resource ID: Resource identifier
Message: Message returned from server
Time: Date and time the event occurred
Oracle Privileged Account Manager can synchronize passwords to CSF, as described in Section 17.3, "Integrating with the Credential Store Framework." However, Oracle Privileged Account Manager cannot audit any CSF content because Oracle Privileged Account Manager and CSF are two separate entities in the WebLogic domain. If you want to audit CSF access, then you must enable auditing in CSF itself.
Note:
For information about enabling auditing in CSF, refer to the following sections in the Oracle Fusion Middleware Application Security Guide:
For a list of the audit events that are supported by CSF, refer to "Oracle Platform Security Services Events and their Attributes."
For information about the WLST commands used to enable auditing in CSF, refer to "WLST Commands for Auditing" or enter the following command from the command line:
help('<Audit WLST command>')
For information about using Enterprise Manager to manage this type of auditing, refer to "Managing Audit Policies."
For information about using WSAdmin commands to enable auditing in CSF, refer to "Executing Common Audit Framework wsadmin Commands" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.
Oracle Privileged Account Manager is fully integrated with Oracle Fusion Middleware Logging and the Oracle Diagnostic Logging (ODL) framework.
The Oracle Privileged Account Manager generic logger (oracle.idm.opam) takes care of all logs not recorded by the audit logger, which includes debugging statements and exception messages. Processing tools can use these logs to diagnose problems that occur within the Oracle Privileged Account Manager server.
Table 14-3 describes the different Oracle Privileged Account Manager-related log files:
Table 14-3 Oracle Privileged Account Manager-Related Log Files
File Name | Description |
---|---|
|
Generic log file where the WebLogic Admin Server writes messages from its subsystems and applications. |
|
Diagnostic log file used to store messages generated by the WebLogic Admin Server. |
|
Generic log file where the WebLogic Admin Server writes messages about the overall status of the domain. |
|
Generic log file used to store information about requests to access privileged accounts and targets. |
|
Generic log file where the Oracle Privileged Account Manager Server writes messages from its subsystems and applications. |
|
Diagnostic log file used to store messages generated by the Oracle Privileged Account Manager Server. |
Oracle Privileged Account Manager log files are stored in the following locations:
Server log files are stored in
DOMAIN_HOME/servers/OPAM managed server/logs
Server application logging is spooled to
OPAM managed server-diagnostic.log
Console log files are stored in
DOMAIN_HOME/servers/AdminServer/logs
Note:
For more information about Oracle Fusion Middleware Logging and the Oracle Diagnostic Logging (ODL) framework, refer to "Managing Log Files and Diagnostic Data" in the Oracle Fusion Middleware Administrator's Guide.
You can configure Oracle Privileged Account Manager logging by using the standard WLST commands as described in "Logging Custom WLST Commands" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
Following are some task-based invocations based on the preceding reference:
Note:
The same commands apply if you are configuring logging on an IBM WebSphere server, however there are some differences to consider.
Before using these commands, refer to "Configuring Basic Logging for Oracle Privileged Account Manager" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.
To list all of the available Oracle Privileged Account Manager loggers and their current configured levels, run the listLoggers
command:
listLoggers(target="<opamserver>",pattern="oracle.idm.opam.*")
For example,
listLoggers(target="opam_server1",pattern="oracle.idm.opam.*")
To check Oracle Privileged Account Manager's current log level, run the getLogLevel
command:
getLogLevel(logger="oracle.idm.opam",target="<opamserver>")
For example,
getLogLevel(logger="oracle.idm.opam",target="opam_server1")
To set the log level for a particular logger, run the setLogLevel
command:
setLogLevel(target="<opamserver>",logger="oracle.idm.opam",level="TRACE:32",
persist=1)
For example,
setLogLevel(target="opam_server1",logger="oracle.idm.opam",level="TRACE:32", persist=1)
This figure shows some example logging data as viewed from the WebLogic console.
Notice that this report provides the following information:
Date and timestamp when the event occurred
Subsystem on which the event occurred
Message severity
Message ID
Message describing the operation that was performed