Oracle® Audit Vault Administrator's Guide 10g Release 2 (10.2.2) Part Number B25321-02
Audit Vault Oracle Database (AVORCLDB) is a command-line utility that provides the ability to configure (add, alter, and drop) Oracle audit sources and Oracle collectors, verify source compatibility with the collectors, and set up Oracle Database audit sources for audit data collection by establishing the connection to the source through the collector.
Table C-1 describes the AVORCLDB commands and where each is used, whether on the Audit Vault Server, on the Audit Vault Agent, or in both places.
Table C-1 AVORCLDB Commands
Command | Where Used? | Description |
---|---|---|
add_collector | Server | Adds a collector to Audit Vault |
add_source | Server | Registers an audit source with Audit Vault |
alter_collector | Server | Alters the attributes of a collector |
alter_source | Server | Alters the attributes of a source |
drop_collector | Server | Drops a collector from Audit Vault |
drop_source | Server | Drops a source from Audit Vault |
-help | Both | Displays Help for the AVORCLDB commands |
setup | Agent | Sets up the database link from the source database through the Audit Vault Agent to the Audit Vault database (repository) and verifies the connection using the wallet |
verify | Both | Verifies that the source is compatible with the collectors that are specified for setup |
avorcldb
The AVORCLDB command-line utility.
Syntax
```
avorcldb <command> -help
avorcldb <command> [<options>] <arguments>
```
Arguments
Argument | Description |
---|---|
<command> | One of the following commands: add_source, alter_source, drop_source, add_collector, alter_collector, drop_collector, setup, or verify |
[<options>] | The optional AVORCLDB options |
<arguments> | One or more of the AVORCLDB command arguments |
-help | Displays Help for the AVORCLDB commands |
Options
Table C-2 describes the options for the AVORCLDB commands.
Table C-2 AVORCLDB Options
Option | Description |
---|---|
-verbose | Provides more detailed output to standard output |
 | Controls the amount of information logged. The |
Usage Notes
Issuing an AVORCLDB command generates the following log file: $ORACLE_HOME/av/log/avorcldb.log.
The AVORCLDB command can be issued any number of times. The AVORCLDB command checks to see if a step has already been completed, and returns a warning in each such case, then skips that step and continues until it is completed.
Example
The following output is from the avorcldb command executed in the Audit Vault Server home shell.
```
$ avorcldb -help

Oracle DB Setup for Audit Vault
-------------------------------

Usage :
    avorcldb help
    avorcldb <command> -help
    avorcldb <command> <arguments>

Source setup commands
    verify -src <host:port:service> -srcusr <usr>/<pwd> -colltype [OSAUD,DBAUD,REDO,EVTLOG,ALL]
    add_source -src <host:port:service> -srcusr <usr>/<pwd> -avsrcusr <usr> [-srcname <srcname>] [-desc <desc>] [-agentname <agentname>]
    alter_source -srcname <srcname> [attrname=value]+
    drop_source -srcname <srcname>

Collector setup commands
    add_collector -srcname <srcname> -srcusr <usr>/<pwd> -agentname <agentname> -colltype [OSAUD|DBAUD|REDO|EVTLOG] [-collname <collname>] [-desc <desc>] [-avsrcusr <usr>/<pwd>] [-av <host:port:service>] [-instname <instname>]
    alter_collector -srcname <srcname> -collname <collname> [attrname=value]+
    drop_collector -srcname <srcname> -collname <collname>
```
The following output is from the avorcldb command executed in the Audit Vault Agent home shell.
```
$ avorcldb -help

Oracle DB Setup for Audit Vault
-------------------------------

Usage :
    avorcldb help
    avorcldb <command> -help
    avorcldb <command> <arguments>

Agent Commands
    verify -src <host:port:service> -srcusr <usr>/<pwd> -colltype [OSAUD,DBAUD,REDO,EVTLOG,ALL]
    setup -srcname <srcname> -srcusr <usr>/<pwd> -wpwd <pwd>
```
add_collector
Adds a collector for the given source to Audit Vault. The source is verified for requirements of the collector. This command is run on the Audit Vault Server.
Syntax
```
avorcldb add_collector -srcname <srcname> -srcusr <usr>/<pwd> -agentname <agentname> -colltype [OSAUD,DBAUD,REDO,EVTLOG] [-collname <collname>] [-desc <desc>] [-avsrcusr <usr>/<pwd>] [-av <host:port:service>] [-instname <instname>]
```
Arguments
Argument | Description |
---|---|
-srcname <srcname> | The source name for which the collector is to be added |
-srcusr <usr>/<pwd> | The credentials of the user on the source database to collect audit data. The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR, is set to usr/pwd. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable. |
-agentname <agentname> | The agent name where the collector is to be added |
-colltype [OSAUD,DBAUD,REDO,EVTLOG] | The collector type to be added |
[-collname <collname>] | The collector name. This argument is optional. If this argument is not specified, <colltype>_Collector will be used. |
[-desc <desc>] | A brief description of the collector. This argument is optional. |
[-avsrcusr <usr>/<pwd>] | The user on Audit Vault associated with the given source. This argument is required if the -colltype argument is REDO; otherwise, this argument is optional. The -avsrcusr argument can be omitted if the corresponding environment variable, AVORCLDB_AVSRCUSR, is set to usr/pwd. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable. |
[-av <host:port:service>] | The connection information for Audit Vault used for the database link from the source database to Audit Vault. This argument is required if the -colltype argument is REDO; otherwise, this argument is optional. |
[-instname <instname>] | The instance name of the Audit Vault Oracle RAC installation. This argument must be used to add multiple OSAUD collectors (one for each instance). |
Usage Notes
Run any collector-specific preparation scripts before you execute the AVCA add_collector command.
The user specified in the -srcusr argument must exist on the source database.
Example
The following example shows how to add an OSAUD collector to Oracle Audit Vault on Linux and UNIX platforms in an Oracle Real Application Clusters (Oracle RAC) installation using the -instname argument. In these examples, the AVORCLDB_SRCUSR environment variable is set to srcusr1/pwd and the -srcusr argument is omitted.
```
avorcldb add_collector -srcname source1db.domain.com -agentname 'Agent1' -colltype OSAUD -instname av01
source SOURCE1DB.DOMAIN.COM verified for OS File Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): OSAUD_Collector
```
The following example shows how to add an OSAUD collector to Oracle Audit Vault on Windows platforms for the event log:
```
avorcldb add_collector -srcname source1db.domain.com -agentname agent1 -colltype EVTLOG
source SOURCE1DB.DOMAIN.COM verified for Windows Event Log Audit Collector collector
Adding collector...
Collector added sucessfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): EVTLOG_Collector
```
The following example shows how to add a DBAUD collector to Audit Vault:
```
avorcldb add_collector -srcname source1db.domain.com -agentname 'Agent1' -colltype DBAUD
source SOURCE1DB.DOMAIN.COM verified for Aud$/FGA_LOG$ Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): DBAUD_Collector
```
The following example shows how to add a REDO collector to Audit Vault. In this example, the AVORCLDB_AVSRCUSR environment variable is set to avsrcuser1/pwd and the -avsrcusr argument is omitted.
```
avorcldb add_collector -srcname source1db.domain.com -agentname 'Agent1' -colltype REDO -av system1.domain.com:1521:av
source SOURCE1DB.DOMAIN.COM verified for REDO Log Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): REDO_Collector
initializing REDO Collector
setting up APPLY process on Audit Vault server
setting up CAPTURE process on source database
```
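The add_collector rules above (allowed collector types, the extra arguments REDO requires, the default collector name) can be checked before the command is run. The following POSIX shell function is an added example, not part of the Oracle guide or the utility; check_add_collector and fail are hypothetical names, and it does not call avorcldb.

```shell
#!/bin/sh
# Added example: pre-flight check of "avorcldb add_collector" arguments against
# the rules in the Arguments table. check_add_collector and fail are
# hypothetical helper names; nothing here calls avorcldb itself.

fail() { echo "add_collector: $*" >&2; exit 1; }

# The body runs in a subshell "( ... )", so the variables stay private and
# "exit" inside fail only ends the check, not the calling shell.
# Prints the collector name that would be used; exit status 1 on a violation.
check_add_collector() (
    srcname= agentname= colltype= collname= av=
    # Credentials may come from the documented environment variables.
    srcusr=${AVORCLDB_SRCUSR-} avsrcusr=${AVORCLDB_AVSRCUSR-}
    while [ $# -gt 0 ]; do
        # -verbose is the one option on this page that takes no value.
        case "$1" in -verbose) shift; continue ;; esac
        [ $# -ge 2 ] || fail "missing value for $1"
        case "$1" in
            -srcname)   srcname=$2 ;;
            -srcusr)    srcusr=$2 ;;
            -agentname) agentname=$2 ;;
            -colltype)  colltype=$2 ;;
            -collname)  collname=$2 ;;
            -avsrcusr)  avsrcusr=$2 ;;
            -av)        av=$2 ;;
            -desc|-instname) ;;
            *) fail "unknown argument: $1" ;;
        esac
        shift 2
    done
    [ -n "$srcname" ]   || fail "-srcname is required"
    [ -n "$agentname" ] || fail "-agentname is required"
    [ -n "$srcusr" ]    || fail "pass -srcusr or set AVORCLDB_SRCUSR"
    case "$colltype" in
        OSAUD|DBAUD|REDO|EVTLOG) ;;
        *) fail "-colltype must be OSAUD, DBAUD, REDO or EVTLOG" ;;
    esac
    # REDO is the one collector type that needs the Audit Vault side as well.
    if [ "$colltype" = REDO ]; then
        [ -n "$avsrcusr" ] || fail "REDO requires -avsrcusr or AVORCLDB_AVSRCUSR"
        [ -n "$av" ]       || fail "REDO requires -av <host:port:service>"
    fi
    if [ -n "$av" ]; then
        case "$av" in *:*:*) ;; *) fail "-av must be <host:port:service>" ;; esac
        host=${av%%:*}; rest=${av#*:}; port=${rest%%:*}; service=${rest#*:}
        case "$port" in ''|*[!0-9]*) fail "-av port must be numeric" ;; esac
        [ -n "$host" ] && [ -n "$service" ] || fail "-av must be <host:port:service>"
    fi
    # Documented default when -collname is omitted: <colltype>_Collector.
    printf '%s\n' "${collname:-${colltype}_Collector}"
)
```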
add_source
Registers an audit source with Audit Vault for audit data consolidation. This command is run on the Audit Vault Server.
Syntax
```
avorcldb add_source -src <host:port:service> -srcusr <usr>/<pwd> -avsrcusr <usr> [-srcname <srcname>] [-desc <desc>] [-agentname <agentname>]
```
Arguments
Argument | Description |
---|---|
-src <host:port:service> | Source database connection information: host name, port number, and service ID (SID), separated by a colon |
-srcusr <usr>/<pwd> | Credentials of the user on the source database to collect audit data. The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR, is set to usr/password. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable. |
-avsrcusr <usr> | The user on Audit Vault used to send audit data |
[-srcname <srcname>] | Optional source name. If this argument is not specified, the global database name of the source will be used. |
[-desc <desc>] | Optional description of the source |
[-agentname <agentname>] | Optional agent name to configure policy management |
Usage Notes
For the REDO collector, you should run any source-specific preparation scripts on the agent and on the Audit Vault system before you execute the AVORCLDB add_source command.
The global database name of the source database is used as the source name in Oracle Audit Vault.
The user specified in the -srcusr argument must exist on the source database.
The user specified in the -avsrcusr argument must exist on Oracle Audit Vault.
Example
The following example shows how to register a source with Oracle Audit Vault. In this example, the AVORCLDB_SRCUSR environment variable is set to srcusr1/pwd and the -srcusr argument is omitted.
```
avorcldb add_source -src lnxserver:4523:hrdb.domain.com -avsrcusr srcusr1 -desc 'HR Database'
Adding source...
Source added successfully.
source successfully added to Audit Vault
remember the following information for use in avctl
Source name (srcname): RDBMSRC1.US.ORACLE.COM
map_source_to_agent map_source_to_agent
```
alter_collector
Modifies the attributes of a collector. This command is run on the Audit Vault Server.
Syntax
```
avorcldb alter_collector -srcname <srcname> -collname <collname> [<attrname>=<attrvalue>...<attrname>=<attrvalue>]
```
Arguments
Argument | Description |
---|---|
-srcname <srcname> | Specify the source (by source name) to which this collector belongs. |
-collname <collname> | Specify the collector (by collector name) to be modified. |
[<attrname>=<attrvalue>] | Specify the pair (attribute name, new attribute value) for mutable collector attributes for this collector type. This argument is optional. Separate multiple pairs by a space on the command line. |
Usage Notes
You can modify one or more collector attributes at a time. Table C-3, Table C-4, and Table C-5 list the collector attributes (parameters) by collector type, whether the parameter is mutable, and its default value.
Table C-3 DBAUD Collector Attributes
Parameter | Mutable | Default Value |
---|---|---|
AUDAUDIT_DELAY_TIME | Yes | 20 seconds |
AUDAUDIT_SLEEP_TIME | Yes | 5000 seconds |
AUDAUDIT_ACTIVE_SLEEP_TIME | Yes | 1000 seconds |
AUDAUDIT_MAX_PROCESS_RECORDS | Yes | 1000 centiseconds |
AUDAUDIT_SORT_POLICY | Yes | NULL |
AUDAUDIT_AUDIT_VAULT_ALIAS | No | NULL |
AUDAUDIT_SOURCE_ALIAS | No | NULL |
Table C-4 OSAUD Collector Attributes
Parameter | Mutable | Default Value |
---|---|---|
OSAUDIT_DEFAULT_FILE_DEST | Yes | $ORACLE_HOME/audit |
OSAUD_FILE_DEST | Yes | $ORACLE_HOME/aidit |
OSAUDIT_NLS_LANGUAGE | Yes | AMERICAN |
OSAUDIT_NLS_TERRITORY | Yes | AMERICA |
OSAUDIT_NLS_CHARSET | Yes | WE8ISO8859P1 |
OSAUDIT_LOG_LEVEL | Yes | WARNING |
OSAUDIT_MAX_PROCESS_TIME | Yes | 600 centiseconds |
OSAUDIT_MAX_PROCESS_RECORDS | Yes | 10000 |
OSAUDIT_CHANNEL_TYPE | No | NULL |
OSAUDIT_AUDIT_VALUE_ALIAS | No | NULL |
OSAUDIT_NT_ORACLE_SID | Yes | NULL |
Table C-5 REDO Collector Attributes
Parameter | Mutable | Default Value |
---|---|---|
STRCOLL_SRCADM_NAME | No | NULL |
STRCOLL_SRCADM_ALIAS | No | NULL |
STRCOLL_HEARTBEAT_TIME | Yes | 60 seconds |
STRCOLL_DBSERVICE | No | NULL |
STRCOLL_DBPORT | Yes | NULL |
AV.DATABASE.NAME | No | NULL |
Example
The following example shows how to alter the AUDAUDIT_DELAY_TIME attribute for the DBAUD_Collector collector in Audit Vault:
```
avorcldb alter_collector -srcname lnxserver.domain.com -collname DBAUD_Collector AUDAUDIT_DELAY_TIME=60
Altering collector...
Collector altered successfully.
```
alter_source
Modifies the attributes of the source. This command is run on the Audit Vault Server.
Syntax
```
avorcldb alter_source -srcname <srcname> [<attrname>=<attrvalue>...<attrname>=<attrvalue>]
```
Arguments
Argument | Description |
---|---|
-srcname <srcname> | Specify the source (by source name) to be modified. |
[<attrname>=<attrvalue>] | Specify the pair (attribute name, new attribute value) for the mutable source attributes of this source to be modified. This argument is optional. Separate multiple pairs by a space on the command line. |
Usage Notes
You can modify one or more source attributes at a time. Table C-6 lists the source attributes (parameters), the values allowed for certain parameters, whether the parameter is mutable, and its default value.
Table C-6 Source Attributes
Parameter | Description | Mutable | Default Value |
---|---|---|---|
SOURCETYPE | A new source type name for this source | Yes | NULL |
NAME | A new name for this source | Yes | NULL |
HOST | A new source host name | Yes | NULL |
HOSTIP | A new source host IP address | Yes | NULL |
VERSION | A new source version | Yes | NULL |
TIMEZONE | A new time zone for this source | Yes | NULL |
USERNAME | A new user name used to connect to this audit data source | Yes | NULL |
PASSWORD | The password of the user used to connect to this audit data source | Yes | NULL |
AUTHETICATION | A new authentication method, either AUTH_TYPE_PWD or AUTH_TYPE_SSL | Yes | NULL |
DESCRIPTION | A new description for this source | Yes | NULL |
DB_SERVICE | A new audit data source service name | Yes | NULL |
PORT | A new port number for this system where the source audit data resides | Yes | NULL |
GLOBAL_DATABASE_NAME | The new global database name | Yes | NULL |
WALLET_LOC | The new wallet location, if used, for this audit data source | Yes | NULL |
Example
The following example shows how to alter the DESCRIPTION and SOURCE_HOST attributes for the source named lnxserver.domain.com in Oracle Audit Vault:
```
avorcldb alter_source -srcname lnxserver.domain.com DESCRIPTION='HR Database' SOURCE_HOST='lnxserver.domain.com'
Altering source...
Source altered successfully.
```
drop_collector
Drops a collector from Oracle Audit Vault. This command is run from the Audit Vault Server.
Syntax
```
avorcldb drop_collector -srcname <srcname> -collname <collname>
```
Arguments
Argument | Description |
---|---|
-srcname <srcname> | Specify the name of the source to which the collector (specified in the -collname argument) belongs. |
-collname <collname> | Specify the collector (by collector name) to be dropped from Oracle Audit Vault. |
Usage Notes
The drop_collector command will not delete the collector from Oracle Audit Vault; it actually disables the collector. The user can neither add the same collector name again nor enable the old name.
Example
The following example shows how to drop the collector named 'DBAud_Collector' from Oracle Audit Vault:
```
avorcldb drop_collector -srcname lnxserver.domain.com -collname DBAud_Collector
Dropping collector...
Collector dropped successfully.
```
drop_source
Drops a source from Oracle Audit Vault. This command is run on the Audit Vault Server.
Syntax
```
avorcldb drop_source -srcname <srcname>
```
Arguments
Argument | Description |
---|---|
-srcname <srcname> | Specify the source (by source name) to be dropped from Oracle Audit Vault. |
Usage Notes
The drop_source command does not delete the source from Oracle Audit Vault; it disables the source. The user can neither add the same source name again nor enable the old source. Audit data from this source is no longer collected once the source has been dropped, but the information of this source is maintained in Oracle Audit Vault with a status as dropped (inactive) for future reporting purposes.
A source cannot be dropped or deleted if there are any active collectors for this source. All collectors must be inactive (dropped) to successfully drop a source from Oracle Audit Vault.
Example
The following example shows how to drop the source named lnxserver.domain.com from Oracle Audit Vault:
```
avorcldb drop_source -srcname lnxserver.domain.com
Dropping source...
Source dropped successfully.
```
-help
Displays Help for the AVORCLDB commands. This command is run on both the Audit Vault Server and the Audit Vault Agent.
Syntax
```
avorcldb -help
avorcldb <command> -help
```
Arguments
Argument | Description |
---|---|
<command> | The name of an AVORCLDB command for which you want Help to appear |
Usage Notes
None
Example
The following example shows how to display general AVORCLDB utility Help in Audit Vault:
```
avorcldb -help
```
The following example shows how to display specific AVORCLDB Help for the add_source command in the Audit Vault Server home shell.
```
$ avorcldb add_source -help

avorcldb add_source command

add_source -src <host:port:service> -srcusr <usr>/<pwd> -avsrcusr <usr> [-srcname <srcname>] [-desc <desc>] [-agentname <agentname>]

Purpose: The source is added to Audit Vault.
The global DB Name of the source database is used as the Source Name in Audit Vault.
The user specified in -srcusr argument must exist on the source DB.
The user specified in -avsrcusr argument must exist on Audit Vault.

Arguments:
    -src : Source DB connection information
    -srcusr : Credentials of user on Source DB to collect audit data
    -avsrcusr : User on Audit Vault used to send audit data
    -srcname : Optional name of source, default : <global_dbname>
    -desc : Optional description of the source
    -agentname : Optional agent name to configure policy management

Examples:
    avorcldb add_source -src lnxserver:4523:hrdb.domain.com -srcusr srcusr/passwd -avsrcusr avsrcuser -desc 'HR Database'
```
setup
Sets up the database link from the source database through the Audit Vault Agent to the Audit Vault database (repository) and verifies the connection using the wallet. This command is run on the Audit Vault Agent.
Syntax
```
avorcldb setup -srcname <srcname> -srcusr <usr>/<pwd> -wpwd <pwd>
```
Arguments
Argument | Description |
---|---|
-srcname <srcname> | The name of the source database |
-srcusr <usr>/<pwd> | Credentials of the user on the source database to collect audit data. The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR, is set to usr/pwd. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable. |
-wpwd <pwd> | The wallet password (the password needed to open the wallet). This is the password of the agent user granted the AV_AGENT role. The -wpwd argument can be omitted if the corresponding environment variable, AVORCLDB_WPWD, is set to pwd. If the command-line argument -wpwd is specified, then the command-line argument overrides the environment variable. |
Options
See Table C-2 for a list of options.
Usage Notes
The source is verified for compatibility with the collectors. The source and collectors are added to Oracle Audit Vault. The source users are created as necessary (unless Oracle Database Vault is installed).
The setup operation for the REDO collector does not start the source collector and the destination collector. Use the AVCTL start_collector command to start the REDO, OSAUD, and DBAUD collectors.
Example
The following example sets up the REDO and OSAUD collectors. In this example, the AVORCLDB_SRCUSR environment variable is set to srcusr1/pwd, the AVORCLDB_WPWD environment variable is set to pwd, and the -srcusr and -wpwd arguments are omitted.
```
avorcldb setup -verbose -srcname lnxserver:hrdb.domain.com
updated tnsnames.ora with alias [SRCDB1] to source database
adding credentials for user srcdba2 for connection [SRCDB1]
Storing user credentials in wallet...
Create credential oracle.security.client.connect_string2 done.
verifying SRCDB1 connection using wallet
```
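The AVORCLDB_SRCUSR and AVORCLDB_WPWD variables described above keep the passwords out of the argument list, which on most UNIX systems any local user can read from the process table, and out of shell history. The wrapper below is an added example, not part of the Oracle guide: it prompts without echo and sets the variables for the single avorcldb process only. The names run_avorcldb, read_secret, reject_argv_secrets and AVORCLDB_BIN are hypothetical.

```shell
#!/bin/sh
# Added example: call avorcldb with credentials supplied through the documented
# AVORCLDB_SRCUSR / AVORCLDB_WPWD environment variables instead of argv.
# AVORCLDB_BIN is a hypothetical override used to locate (or stub) the utility.
AVORCLDB_BIN="${AVORCLDB_BIN:-avorcldb}"

# Read one secret line from stdin into the named variable; echo is disabled
# when stdin is a terminal so the password is not displayed.
read_secret() {
    _var=$1; _prompt=$2
    if [ -t 0 ]; then
        printf '%s' "$_prompt" >&2
        trap 'stty echo' INT TERM
        stty -echo
        IFS= read -r _val || :
        stty echo
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r _val || :
    fi
    eval "$_var=\$_val"
    unset _val
}

# Reject arguments that would place a password in the process argument list.
reject_argv_secrets() {
    _prev=
    for _a in "$@"; do
        case "$_a" in
            -srcusr|-wpwd)
                echo "error: pass $_a through the environment, not argv" >&2
                return 2 ;;
        esac
        # -avsrcusr takes <usr> for add_source but <usr>/<pwd> for add_collector.
        if [ "$_prev" = "-avsrcusr" ]; then
            case "$_a" in */*)
                echo "error: -avsrcusr value contains a password" >&2
                return 2 ;;
            esac
        fi
        _prev=$_a
    done
    return 0
}

# Usage: run_avorcldb <source-db-user> <avorcldb command and arguments...>
# Prompts for the source user's password, and for the wallet password when the
# command is "setup", then runs avorcldb with the variables set for that one
# child process only.
run_avorcldb() {
    _user=$1; shift
    reject_argv_secrets "$@" || return 2
    read_secret _pwd "Password for $_user on the source database: "
    if [ "$1" = "setup" ]; then
        read_secret _wpwd "Wallet password: "
        AVORCLDB_SRCUSR="$_user/$_pwd" AVORCLDB_WPWD="$_wpwd" "$AVORCLDB_BIN" "$@"
    else
        AVORCLDB_SRCUSR="$_user/$_pwd" "$AVORCLDB_BIN" "$@"
    fi
    _rc=$?
    unset _pwd _wpwd
    return $_rc
}
```

For example, `run_avorcldb srcusr1 setup -srcname <srcname>` prompts for both passwords and then runs the setup command from this section without -srcusr or -wpwd.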
verify
Verifies that the source is compatible for setting up the specified collectors. This command can be run on both the Audit Vault Server and the Audit Vault Agent.
Syntax
```
avorcldb verify -src <host:port:service> -srcusr <usr>/<pwd> -colltype [OSAUD,DBAUD,REDO,EVTLOG,ALL]
```
Arguments
Argument | Description |
---|---|
-src <host:port:service> | Source database connection information: host name, port number, and service ID (SID), separated by a colon |
-srcusr <usr>/<pwd> | Credentials of the user with privileges required to verify the source. The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR, is set to usr/pwd. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable. |
-colltype [OSAUD,DBAUD,REDO,EVTLOG,ALL] | List of collector types [REDO, DBAUD, OSAUD, EVTLOG] or ALL |
Options
See Table C-2 for a list of options.
Usage Notes
None
Example
The following example verifies that the source is compatible with the OSAUD, DBAUD, and REDO collectors on a Linux or UNIX-based system. For Windows systems, one additional OS File Audit Collector type is displayed for collecting audit records from the Windows event log. In this example, the AVORCLDB_SRCUSR environment variable is set to srcusr1/pwd and the -srcusr argument is omitted.
```
avorcldb verify -src lnxserver:4523:hrdb.domain.com -colltype ALL
source HRDB.DOMAIN.COM verified for OS File Audit Collector collector
source HRDB.DOMAIN.COM verified for Aud$/FGA_LOG$ Audit Collector collector
source HRDB.DOMAIN.COM verified for REDO Log Audit Collector collector
```