Oracle® Audit Vault Administrator's Guide 10g Release 2 (10.2.2) Part Number B25321-02
This chapter describes important administrative tasks to perform on the Audit Vault system. These tasks are especially important if your audit data collectors are collecting high volumes of audit records and rapidly filling default tablespace and disk space settings.
The Audit Vault administrator should perform the administrative tasks described in this chapter on a running Audit Vault system.
Following an Audit Vault Server installation and the creation of the Audit Vault database, the SYSAUX tablespace is created by default with one datafile. The SYSAUX tablespace is a locally managed tablespace with automatic segment space management. The Audit Vault administrator should monitor the space usage of the SYSAUX tablespace and add datafiles as needed, because once the tablespace is full, inserts into it fail. See Oracle Database Administrator's Guide for more information about the SQL ALTER TABLESPACE command.
During an Audit Vault Server installation, ARCHIVELOG mode is turned on by default, so every filled online redo log is copied to the archive destination. The Audit Vault administrator must monitor the disk space used by these archived redo log files to prevent a small disk from quickly filling to capacity: when the archive destination is full, the archiver can no longer write, the database stops accepting new transactions until space is freed, and audit collection into the Audit Vault database stops with it. See Oracle Database Administrator's Guide for more information about changing the LOG_ARCHIVE_DEST_n location to relocate these archived redo log files to larger disks. For information about backing up the archive logs, see Oracle Database Backup and Recovery Advanced User's Guide.
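The following SQL is an added example and not part of the Oracle guide. It shows the space checks described above run from SQL*Plus against the Audit Vault database: SYSAUX usage and its datafiles, adding a second datafile, and the archive destination together with the volume archived in the last day. It assumes a login with SELECT access to the DBA_* and V$ views and the ALTER TABLESPACE and ALTER SYSTEM privileges; the file system paths /u02/oradata/av and /u03/arch/av are placeholders.

```sql
-- Added example, not from the Oracle guide. Space checks for the Audit Vault
-- database, run in SQL*Plus by the Audit Vault administrator. Paths are
-- placeholders; adjust them to the local file system layout.

-- 1. SYSAUX: allocated, free and percent used, across all of its datafiles.
SELECT df.tablespace_name,
       ROUND(SUM(df.bytes) / 1048576)                           AS alloc_mb,
       ROUND(NVL(fs.free_bytes, 0) / 1048576)                   AS free_mb,
       ROUND(100 * (SUM(df.bytes) - NVL(fs.free_bytes, 0))
                 / SUM(df.bytes), 1)                            AS pct_used
  FROM dba_data_files df
  LEFT JOIN (SELECT tablespace_name, SUM(bytes) AS free_bytes
               FROM dba_free_space
              GROUP BY tablespace_name) fs
    ON fs.tablespace_name = df.tablespace_name
 WHERE df.tablespace_name = 'SYSAUX'
 GROUP BY df.tablespace_name, fs.free_bytes;

-- 2. The datafiles behind it and how far each can still autoextend
--    (a single file is the installation default, which is why it is watched).
SELECT file_name,
       ROUND(bytes / 1048576)    AS size_mb,
       autoextensible,
       ROUND(maxbytes / 1048576) AS max_mb
  FROM dba_data_files
 WHERE tablespace_name = 'SYSAUX';

-- 3. Add a second datafile when usage is high. SYSAUX is locally managed,
--    so no storage clause is needed; MAXSIZE keeps growth bounded.
ALTER TABLESPACE sysaux
  ADD DATAFILE '/u02/oradata/av/sysaux02.dbf' SIZE 512M
  AUTOEXTEND ON NEXT 128M MAXSIZE 4G;

-- 4. Archived redo: where the logs go, how much was archived in the last
--    24 hours, and (when the flash recovery area is the destination) how
--    much of its quota is already used.
SELECT dest_name, destination, status
  FROM v$archive_dest
 WHERE status <> 'INACTIVE';

SELECT ROUND(SUM(blocks * block_size) / 1048576) AS archived_mb_last_24h
  FROM v$archived_log
 WHERE completion_time > SYSDATE - 1;

SELECT name,
       ROUND(space_limit / 1048576) AS limit_mb,
       ROUND(space_used / 1048576)  AS used_mb
  FROM v$recovery_file_dest;

-- 5. Relocate the archive destination to a larger disk. The directory must
--    exist and be writable by the Oracle software owner before this runs.
ALTER SYSTEM SET log_archive_dest_1 = 'LOCATION=/u03/arch/av' SCOPE=BOTH;
```

Step 1 and step 4 are the ones to schedule; steps 3 and 5 are the corrective actions the guide refers to the Oracle Database Administrator's Guide for.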
In an Oracle Real Application Clusters (Oracle RAC) environment, after the Audit Vault Agent is set up, the node on which the agent was installed has its listener configured to listen only on that node, so only that node can be specified as the node to connect to. The administrator can, however, configure the listener to listen on the other nodes as well.
For the OSAUD and DBAUD collectors, the administrator must update the tnsnames.ora file during installation of the Audit Vault Agents. After the agent is set up, the tnsnames.ora file located in $ORACLE_HOME/network/admin of the Audit Vault Agent home might have the following alias:
    AV =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = node01)(PORT = 1521))
        (CONNECT_DATA =
          (SERVICE_NAME = av.us.oracle.com)))
For high availability, the administrator might need to edit the tnsnames.ora file in the Audit Vault Agent home after the agent is set up and add the host and port of the other listeners. For example:
    AV =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(HOST = node01)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = node02)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = node03)(PORT = 1521))
        (ADDRESS = (PROTOCOL = TCP)(HOST = node04)(PORT = 1521))
        (LOAD_BALANCE = yes)
        (CONNECT_DATA =
          (SERVER = DEDICATED)
          (SERVICE_NAME = av.us.oracle.com)))
For the REDO collector, the administrator must log in as srcusr at the source database and re-create the database link for av.us.oracle.com. The new database link can either carry the list of hosts and port numbers directly in its connect descriptor or point to a tnsnames.ora entry that contains the list.
When a source is added to Oracle Audit Vault, the Audit Vault administrator must provide the host:port:service information for the source being added. The agent uses this information for the following tasks:
REDO collector: starting and stopping the capture process on the source
DBAUD collector: retrieving rows from aud$ and fga_log$ tables
Policy management: retrieving source dictionary information
Typically, when the Oracle Database instance on the host goes down, or the host machine itself goes down, connectivity from the Audit Vault Agent to the source is broken and any attempt to perform these tasks fails because the connection is not available.
The Audit Vault administrator can do any or all of the following operations to make the connection between the source and the Audit Vault Agent more highly available:
Update the tnsnames.ora file in the Audit Vault Agent home ($ORACLE_HOME/network/admin on Linux and UNIX systems, %ORACLE_HOME%\network\admin on Windows systems) to add the host and port of each additional listener for the service. You can also add load balancing and failover options (LOAD_BALANCE, FAILOVER) to the connect descriptor. For additional information, see Oracle Database Net Services Administrator's Guide, specifically Chapter 13 "Enabling Advanced Features of Oracle Net Services".
Configure the listeners on the Oracle RAC nodes to accept connections for remote nodes, and configure the Oracle Database instances to register with those remote listeners (the REMOTE_LISTENER initialization parameter). Then, when an Oracle Database instance goes down, the listener on that host can still direct connections to an instance on a different Oracle RAC node. For additional information, see Oracle Database Net Services Administrator's Guide, specifically Chapter 10 "Configuring and Administering the Listener".
Provide the host information using the virtual IP address (VIP) of the node instead of its physical IP address. When the host machine goes down, the VIP moves to a surviving node, so traffic addressed to it is redirected there instead of waiting for a TCP timeout on the dead host.
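The following SQL is an added example, not part of the Oracle guide. It re-creates the REDO collector's database link described above with a connect descriptor that lists every node by VIP host name and enables load balancing and failover, which covers all three operations in one connect string. It assumes the link is named after the Audit Vault service (av.us.oracle.com, as in the guide), that srcusr holds the CREATE DATABASE LINK privilege, that the link connects as avsrcusr (that account name is an assumption), and that the VIP host names node01-vip through node04-vip exist; the password is a placeholder.

```sql
-- Added example, not from the Oracle guide. Run as srcusr in the source
-- database after the Audit Vault Agent is set up. The link name equals the
-- Audit Vault service name (as in the guide); avsrcusr as the link's connect
-- user, the node01-vip..node04-vip host names and the password are assumptions.

-- The link created at agent setup points at a single node; drop it first.
DROP DATABASE LINK av.us.oracle.com;

-- Option 1: the full connect descriptor inside the link, so the link does not
-- depend on the source database's tnsnames.ora.
--   VIP host names : a node failure moves the address to a surviving node
--   LOAD_BALANCE   : new connections are spread over the listed addresses
--   FAILOVER       : if a connect attempt fails, the next address is tried
CREATE DATABASE LINK av.us.oracle.com
  CONNECT TO avsrcusr IDENTIFIED BY "<avsrcusr password>"
  USING '(DESCRIPTION =
            (ADDRESS_LIST =
              (LOAD_BALANCE = yes)
              (FAILOVER = on)
              (ADDRESS = (PROTOCOL = TCP)(HOST = node01-vip)(PORT = 1521))
              (ADDRESS = (PROTOCOL = TCP)(HOST = node02-vip)(PORT = 1521))
              (ADDRESS = (PROTOCOL = TCP)(HOST = node03-vip)(PORT = 1521))
              (ADDRESS = (PROTOCOL = TCP)(HOST = node04-vip)(PORT = 1521)))
            (CONNECT_DATA =
              (SERVER = DEDICATED)
              (SERVICE_NAME = av.us.oracle.com)))';

-- Option 2: point the link at a tnsnames.ora alias (AV, as in the guide) that
-- carries the same address list in the source database's
-- $ORACLE_HOME/network/admin/tnsnames.ora. Use one option, not both.
-- CREATE DATABASE LINK av.us.oracle.com
--   CONNECT TO avsrcusr IDENTIFIED BY "<avsrcusr password>"
--   USING 'AV';

-- Verify: a round trip over the link proves that the descriptor resolves and
-- that the credentials are accepted. Repeating the query from new sessions
-- shows LOAD_BALANCE spreading them over instances (needs SELECT on
-- V_$INSTANCE at the Audit Vault database; otherwise query dual@av.us.oracle.com).
SELECT instance_name, host_name FROM v$instance@av.us.oracle.com;
```

Option 1 is preferable when the source database's tnsnames.ora is not under the Audit Vault administrator's control, since the link then carries everything it needs; option 2 keeps a single copy of the address list that the DBAUD and OSAUD collectors can share.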
Most businesses and groups adhere to an internal policy for changing user name passwords. This is usually part of a password management policy, which often requires users to change their passwords on a regular basis, such as every 120 days. Changing Audit Vault user name passwords should be considered part of the same password management policy. This section describes the Audit Vault user names and source user names and how and where their password changes are implemented.
Table 5-1 shows where the passwords for the Audit Vault user names and source user names are stored and where password changes must be made. A password kept in a wallet is a copy of the account password, so the two must be changed together: if the password of a source user name is updated in the source database, the copy stored in the wallet in the Audit Vault Agent home must also be updated, or the collectors will fail to connect.
Table 5-1 Where Passwords for the Audit Vault User Names and Source User Names Are Stored
Audit Vault Role | Audit Vault User Name | Is Password Stored in Wallet? | How Is Password Change Made?
---|---|---|---
Audit Vault administrator | avadminusr | Yes (wallet in the Audit Vault Server home) | Use the mkstore utility in the Audit Vault Server home
Audit Vault agent user | avagentusr | Yes (wallet in the Audit Vault Agent home) | Use the mkstore utility in the Audit Vault Agent home
Source user on source database | srcusr | Yes (wallet in the Audit Vault Agent home) | Use the SQL ALTER USER command in the source database, then update the wallet with the mkstore utility in the Audit Vault Agent home
Audit Vault auditor | avauditorusr | No | Use the SQL ALTER USER command in the Audit Vault database
Audit Vault source user | avsrcusr | No | Use the SQL ALTER USER command in the Audit Vault database
Change the Passwords of the avauditorusr and avsrcusr User Names in the Audit Vault Server Home
To change the passwords of the avauditorusr and avsrcusr user names, make the change in the Audit Vault database from the Audit Vault Server home using the SQL ALTER USER command. Log in as the user that holds the Database Vault Account Manager role.
For example, to change the passwords of the avauditorusr and avsrcusr user names, perform the following steps:
Log in to SQL*Plus as the Database Vault Account Manager.
For the Basic installation, log in as follows:
    sqlplus /nolog
    SQL> connect <avadmin>dva
    Enter password: <avadmin user password>
    Connected.
    SQL>
For the Advanced installation, log in as follows:
    sqlplus /nolog
    SQL> connect <dv_acctmgr user name>
    Enter password: <dv_acctmgr user password>
    Connected.
    SQL>
To change the avauditorusr password, use the SQL ALTER USER command:
    SQL> alter user <avauditorusr name> identified by <avauditorusr password>;
To change the avsrcusr password, use the SQL ALTER USER command:
    SQL> alter user <avsrcusr name> identified by <avsrcusr password>;
    SQL> exit
Change the Password of the avadminusr User Name in the Audit Vault Server Home
To change the password of the avadminusr user name stored in the wallet, use the mkstore command-line utility found in the $ORACLE_HOME/bin directory on Linux and UNIX systems, or in the %ORACLE_HOME%\bin directory on Windows systems, of the Audit Vault Server home.
For example, to change the password of the avadminusr user name, perform the following steps in the Audit Vault Server home:
To list all entries in the wallet (each database service name, or alias, and the corresponding user name for that database), use the following mkstore command. mkstore prompts for the wallet password; the password to enter is the current avadminusr user name password. For example:
    mkstore -wrl $ORACLE_HOME/network/admin/avwallet -listCredential
    Enter password: <current avadminusr password>
    List credential (index: connect_string username)
    1: av avadminusr
To update the password for the credential, use the following mkstore command, giving the new avadminusr user name password as the last argument. At the Enter password: prompt, enter the new password for the avadminusr user name. The user name given to -modifyCredential replaces the one stored for the alias, so it must be the same user name that -listCredential displayed (avadminusr). Because the new password is passed as a command-line argument, it is briefly visible in the process list and is recorded in the shell history; clear the history entry afterwards. For example:
    mkstore -wrl $ORACLE_HOME/network/admin/avwallet -modifyCredential av avadminusr <new avadminusr password>
    Enter password: <new avadminusr password>
Change the Passwords of the avagentusr and srcusr User Names in the Audit Vault Agent Home
To change the passwords of the avagentusr and srcusr user names stored in the wallet, use the mkstore command-line utility found in the $ORACLE_HOME/bin directory on Linux and UNIX systems, or in the %ORACLE_HOME%\bin directory on Windows systems, of the Audit Vault Agent home.
For example, to change the passwords of the avagentusr and srcusr user names, perform the following steps in the Audit Vault Agent home:
To list all entries in the wallet (each database service name, or alias, and the corresponding user name for that database), use the following mkstore command. mkstore prompts for the wallet password; the password to enter is the current avagentusr user name password. For example:
    mkstore -wrl $ORACLE_HOME/network/admin/avwallet -listCredential
    Enter password: <current avagentusr password>
    List credential (index: connect_string username)
    1: AV avagentusr
    2: SRCDB1 srcusr
To update the passwords, use the following mkstore command once for each credential, giving the new avagentusr or srcusr user name password as the last argument. At the Enter password: prompt, enter the new password for that user name. The user name given to -modifyCredential replaces the one stored for the alias, so use the same user name that -listCredential displayed. For the SRCDB1 entry, the new srcusr password must be the one already set with ALTER USER in the source database; otherwise the collectors will fail to connect at the next start. Because the new password is passed as a command-line argument, it is briefly visible in the process list and is recorded in the shell history; clear the history entries afterwards. For example:
    mkstore -wrl $ORACLE_HOME/network/admin/avwallet -modifyCredential AV avagentusr <new avagentusr password>
    Enter password: <new avagentusr password>
    mkstore -wrl $ORACLE_HOME/network/admin/avwallet -modifyCredential SRCDB1 srcusr <new srcusr password>
    Enter password: <new srcusr password>
Check To Ensure All Changed User Name Passwords Work Correctly
Always check that all changed passwords for Audit Vault user names and source user names are working correctly. To check the passwords of the avadminusr and avauditorusr user names, open a Web browser and log in to the Audit Vault Console as the Audit Vault administrator. Then log out and log in to the Audit Vault Console as the Audit Vault auditor. A successful login indicates that the new avadminusr and avauditorusr user name passwords are working. If your login is not successful after several attempts, repeat the steps previously described in this section to change the password again for that particular Audit Vault user name and retry the login. Keep in mind that repeated failed logins can lock the account once the FAILED_LOGIN_ATTEMPTS limit of its profile is reached, after which the correct password is also rejected until the account is unlocked.
Next, stop the agent and collectors, and then start the agent and each collector. If the agent and the collectors each start up and the collectors are collecting audit records again, the new avagentusr, avsrcusr, and srcusr user name passwords are all working.
If you experience problems, check the log files (see Chapter 6 for more information) to determine which user name password might be the source of the problem. Then, if needed, repeat the steps previously described to change the password for that user name and try to start the agent and the collectors again.
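The following SQL is an added example, not part of the Oracle guide. Run as the Database Vault Account Manager in the Audit Vault database after the password changes, it confirms that each Audit Vault account is open and not expired, shows the profile limits that cause an account to lock or expire, unlocks an account that repeated failed logins have locked, and applies the 120-day rotation from the policy described earlier in this section. The account names follow this chapter and are assumed to have been created unquoted (so they are stored in upper case); the profile name DEFAULT in the last statement is an assumption to be checked against the PROFILE column returned by the first query.

```sql
-- Added example, not from the Oracle guide. Run as the Database Vault Account
-- Manager in the Audit Vault database after the passwords have been changed.
-- Account names follow this chapter and are assumed to be stored upper case.

-- 1. State of each Audit Vault account. OPEN is what you want.
--    LOCKED(TIMED): FAILED_LOGIN_ATTEMPTS was exceeded (a wrong console
--    password retried, or an agent still presenting a stale wallet entry).
--    EXPIRED: PASSWORD_LIFE_TIME elapsed and the next login must set a new
--    password, which an unattended agent cannot do.
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE username IN ('AVADMINUSR', 'AVAUDITORUSR', 'AVSRCUSR', 'AVAGENTUSR')
 ORDER BY username;

-- 2. The password limits of the profiles those accounts actually use.
SELECT p.profile, p.resource_name, p.limit
  FROM dba_profiles p
 WHERE p.resource_type = 'PASSWORD'
   AND p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LOCK_TIME',
                           'PASSWORD_LIFE_TIME',    'PASSWORD_GRACE_TIME')
   AND p.profile IN (SELECT u.profile
                       FROM dba_users u
                      WHERE u.username IN ('AVADMINUSR', 'AVAUDITORUSR',
                                           'AVSRCUSR', 'AVAGENTUSR'))
 ORDER BY p.profile, p.resource_name;

-- 3. Clear a timed lock without another password change. If the lock came
--    from a stale wallet entry, fix the wallet with mkstore first, or the
--    account locks again at the next agent start.
ALTER USER avauditorusr ACCOUNT UNLOCK;

-- 4. Change the password and unlock in one statement when the stored
--    password was wrong anyway.
ALTER USER avagentusr IDENTIFIED BY "<new avagentusr password>" ACCOUNT UNLOCK;

-- 5. Enforce the 120-day rotation on the profile the accounts use (DEFAULT
--    is an assumption: take the real name from step 1). An expired avagentusr
--    or avsrcusr stops collection until the password is reset and the wallet
--    updated, so schedule the rotation before the expiry date.
ALTER PROFILE default LIMIT PASSWORD_LIFE_TIME 120 PASSWORD_GRACE_TIME 7;
```

Run step 1 again after the agent and collectors have been restarted: an account that flips back to LOCKED(TIMED) at that point identifies the wallet entry that still holds the old password.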
Oracle Audit Vault patches cannot be rolled back. Therefore, before any Oracle Audit Vault patch is applied, back up the database, the Audit Vault Server home, and the Audit Vault Collection Agent home, and keep those backups until you have tested the applied patchset.
Back Up the Database
Out of the box, Audit Vault does not enable the SYSDBA privilege. Therefore, if you will be using RMAN to back up the database, you first need to follow the directions in Section 3.7.2 "Enabling or Disabling Connections with the SYSDBA Privilege" in the Audit Vault Server installation guide for your platform. After cleanly shutting down the instance, perform a full backup of the database. Because RMAN can back up only a mounted or open database, start the instance in MOUNT state (STARTUP MOUNT) before taking the backup. Complete the following steps:
Sign on to RMAN:
    rman "target / nocatalog"
Issue the following RMAN commands:
    RUN {
      ALLOCATE CHANNEL chan_name TYPE DISK;
      BACKUP DATABASE FORMAT 'some_backup_directory/%U' TAG before_upgrade;
      BACKUP CURRENT CONTROLFILE TO 'save_controlfile_location';
    }
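The following SQL is an added example, not part of the Oracle guide. Run in SQL*Plus as SYSDBA in the Audit Vault Server home, it verifies the state the RMAN commands above require (a mounted database in ARCHIVELOG mode) and, once the backup has run, confirms that the backup set tagged BEFORE_UPGRADE exists and covers every datafile before the patch is applied. The tag follows the guide; the V$ views used are standard.

```sql
-- Added example, not from the Oracle guide. Run in SQL*Plus as SYSDBA in the
-- Audit Vault Server home (SYSDBA connections must have been enabled first,
-- as described above). The tag BEFORE_UPGRADE follows the guide.

-- Before the backup: RMAN backs up only a mounted or open database. After
-- the clean shutdown, bring the instance to MOUNT state and confirm it;
-- LOG_MODE should read ARCHIVELOG (the Audit Vault default).
--   SQL> STARTUP MOUNT;
SELECT name, open_mode, log_mode FROM v$database;

-- After the backup: the pieces written under the tag, with their status
-- ('A' = available) and on-disk handles. No rows means the BACKUP DATABASE
-- command did not complete; do not apply the patch.
SELECT bp.tag, bs.completion_time, bp.handle, bp.status
  FROM v$backup_set   bs
  JOIN v$backup_piece bp
    ON bp.set_stamp = bs.set_stamp
   AND bp.set_count = bs.set_count
 WHERE bp.tag = 'BEFORE_UPGRADE'
 ORDER BY bs.completion_time;

-- Every datafile must be covered by the tagged backup: any datafile listed
-- here was not backed up, and the RESTORE DATABASE FROM TAG step in the
-- abandon-upgrade procedure would leave it behind. An empty result is the
-- expected outcome.
SELECT df.file#, df.name
  FROM v$datafile df
 WHERE df.file# NOT IN (SELECT bd.file#
                          FROM v$backup_datafile bd
                          JOIN v$backup_piece    bp
                            ON bp.set_stamp = bd.set_stamp
                           AND bp.set_count = bd.set_count
                         WHERE bp.tag = 'BEFORE_UPGRADE')
 ORDER BY df.file#;

-- The control file written by BACKUP CURRENT CONTROLFILE TO '...' is a plain
-- file, not a backup piece: check that it exists at save_controlfile_location
-- on disk, because the abandon-upgrade steps start from it.
```

Keep the output of the second query with the backup: the handles are the files that must still exist if the upgrade has to be abandoned.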
Caution:
If you encounter problems with the upgrade and wish to abandon the upgrade completely, then you will need to restore the database from this backup. Therefore, make sure you back up your database now as a precaution.
See Also:
Oracle Database Backup and Recovery Basics for more information about backing up a database.
Back Up Audit Vault Server Home
Because the patchset will update files in the Audit Vault Server Home, these files should all be backed up or copied to another directory until the patchset has been tested.
Back Up Audit Vault Collection Agent Home
Because the patchset will update files in the Audit Vault Collection Agent Home, these files should be backed up or copied to another directory until the patchset has been tested.
Abandon the Upgrade
If the patchset apply is not successful, to abandon the upgrade, perform the following steps:
Copy (Restore) the Audit Vault Server Home files back.
Copy (Restore) the Audit Vault Agent Home files back.
If you completed the steps in Back Up the Database to back up your database, then restore that backup. Complete the following steps:
Log in to the system as the owner of the Oracle home directory of the previous release.
Sign on to RMAN:
    rman "target / nocatalog"
Issue the following RMAN commands:
    STARTUP NOMOUNT
    RUN {
      REPLICATE CONTROLFILE FROM 'save_controlfile_location';
      ALTER DATABASE MOUNT;
      RESTORE DATABASE FROM TAG before_upgrade;
      ALTER DATABASE OPEN RESETLOGS;
    }