Oracle® Audit Vault Administrator's Guide Release 10.2.3 Part Number E11059-03
Audit Vault Configuration Assistant (AVCA) is a command-line utility that provides the Audit Vault administrator with the ability to manage various Audit Vault components.
The user running the AVCA commands must be granted the AV_ADMIN role.
Table A-1 describes the Audit Vault Configuration Assistant commands and where each is used, whether on the Audit Vault Server, on the Audit Vault Collection Agent, or in both places.
Table A-1 Audit Vault Configuration Assistant Commands
Command | Used Where? | Description |
---|---|---|
add_agent | Server | Adds a collection agent to Oracle Audit Vault |
create_credential | Both | Creates or updates a credential to be stored in the wallet |
create_wallet | Agent | Creates a wallet to hold credentials |
deploy_av | Server | Deploys the av.ear file to another node in an Oracle RAC environment |
drop_agent | Server | Drops a collection agent from Oracle Audit Vault |
generate_csr | Server | Generates a certificate request |
-help | Both | Displays Help for the AVCA commands |
import_cert | Server | Imports the specified certificate into the wallet |
redeploy | Both | Redeploys the av.ear file on the Audit Vault Server system or the AVAgent.ear file on the Audit Vault Collection Agent system |
remove_cert | Server | Removes the specified certificate from the wallet |
secure_agent | Collection Agent | Secures the Audit Vault Collection Agent by enabling mutual authentication with Audit Vault |
secure_av | Server | Secures Audit Vault Server by enabling mutual authentication with the Audit Vault Collection Agent |
set_warehouse_retention | Server | Controls the amount of data kept online in the data warehouse fact table |
set_warehouse_schedule | Server | Sets the schedule for refreshing data from the raw audit data store to the star schema |
Note:
In an Oracle RAC environment, AVCA commands must be issued from the node on which Oracle Enterprise Manager resides. This is the same node on which the av.ear file is deployed.
If the node on which the av.ear file is deployed is down, deploy the av.ear file to another node using the AVCA deploy_av command.
Adds or registers a collection agent to Audit Vault. This command is run on the Audit Vault Server.
avca add_agent -agentname <agent name> [-agentdesc <desc>] -agenthost <host>
Argument | Description |
---|---|
-agentname <agent name> | Specify the collection agent (by collection agent name) to be added. |
[-agentdesc <desc>] | Optionally, specify a description of the collection agent. |
-agenthost <host> | Specify an agent host name where this collection agent is to be installed. |
You will be prompted for the agent user name and the agent user password. See the example.
For information on how to install an Audit Vault Collection Agent, see Oracle Audit Vault Collection Agent Installation Guide.
The following example shows how to add a collection agent to Audit Vault:
avca add_agent -agentname TTAgent2 -agenthost stapj40
AVCA started
Adding agent...
Enter agent user name: <agentusername>
Enter agent user password: <agent user pwd>
Re-enter agent user password: <agent user pwd>
Agent added successfully.
Creates or updates a credential to be stored in the wallet. This command is run on both the Audit Vault Server and Audit Vault Collection Agent as a script during collector development.
avca create_credential -wrl <wallet location> -dbalias <db alias>
Argument | Description |
---|---|
-wrl <wallet location> | The location of the Audit Vault wallet; it is always $ORACLE_HOME/network/admin/avwallet on Linux and UNIX-based systems and ORACLE_HOME\network\ADMIN\avwallet on Windows systems. |
-dbalias <db alias> | The database alias. In the Audit Vault Server home, the database alias is the SID or Oracle instance identifier. In the Audit Vault Collection Agent home, the database alias is always av. |
Use this command to create a new certificate if someone changes the source user password on the source, thus eventually breaking the connection between the collector and the source.
The following example shows how to create a credential for the source user named srcuser1 in the Collection Agent home.
avca create_credential -wrl $ORACLE_HOME/network/admin/avwallet -dbalias av
AVCA started
Storing user credentials in wallet...
Enter source user username: srcuser1
Enter source user password: password
Re-enter source user password: password
Create credential oracle.security.client.connect_string4
done.
Creates a wallet to hold credentials. This command is run on the Audit Vault Collection Agent.
avca create_wallet -wrl <wallet_location>
Argument | Description |
---|---|
-wrl | The wallet location |
After you execute this command, .sso and .p12 files are generated in the wallet location.
The following example shows how to create a wallet in the location specified as $T_WORK/tt_1:
$ avca create_wallet -wrl $T_WORK/tt_1
Enter wallet password: password
Deploys the av.ear file to another node in an Oracle Real Application Clusters (Oracle RAC) environment. This command is run on the Audit Vault Server.
deploy_av -sid <sid> -dbalias <db_alias> -avconsoleport <av_console_port>
Argument | Description |
---|---|
-sid <sid> | The Oracle system identifier (SID) for the instance |
-dbalias <db_alias> | The database alias |
-avconsoleport <av_console_port> | The port number for the Audit Vault Console |
None
In an Oracle RAC environment, AVCA commands must be issued from the node on which Oracle Enterprise Manager resides. This is the same node on which the av.ear file is deployed.
If the node on which the av.ear file is deployed is down, deploy the av.ear file to another node using the AVCA deploy_av command.
Note that when the AVCA deploy_av command is issued, a wallet containing the default avadmin entries is also created on the other node. However, other entries, such as the source user credentials must be added to the wallet using the AVCA create_credential command) being used that matches the collectors that are in use.
To use the AV Console from this other node, enter its host name or IP address (<host>) and port number (<port>) as you did previously in the Address field of the browser window (http://<host>:<port>/av), but replace the original host name or IP address with that for the other node.
The following example shows how to deploy the av.ear file to another node in an Oracle RAC environment. In this example, the AVCA_AVADM environment variable is set to usr/pwd and the -avadm argument is omitted.
avca deploy_av -sid av -dbalias av -avconsoleport 5700
Drops a collection agent from Audit Vault. This command is run on the Audit Vault Server.
avca drop_agent -agentname <agent name>
Argument | Description |
---|---|
-agentname <agent name> | Specify the collection agent (by collection agent name) to be dropped from Audit Vault. |
The drop_agent command does not delete the collection agent from Audit Vault; it disables the collection agent. The user can neither add the same collection agent name again nor enable the dropped collection agent.
An error will be raised if active collectors are still running in the collection agent.
The following example shows how to drop a collection agent named 'OC4JAgent1' from Audit Vault:
avca drop_agent -agentname OC4JAgent1
AVCA started
Dropping agent...
Agent dropped successfully.
Generates certificate requests. This command is run on the Audit Vault Server.
generate_csr -certdn <Audit Vault Server host DN> [-keysize 512|1024|2048] -out <certificate request output file>
Argument | Description |
---|---|
-certdn <Audit Vault Server host DN> | Distinguished name (DN) of the Audit Vault Server host |
[-keysize 512\|1024\|2048] | The key size (in bits). The default key size is 1024 bits. |
-out <certificate request output file> | The path and name of the certificate request output file |
None
This command must be used to generate certificate requests. After generating the certificate request, send it to your CA and get it signed and then returned as a signed certificate.
The DN of the Audit Vault Server is provided by the Audit Vault Administrator and is typically of the form:
CN=<hostname fully-qualified>,OU=<Org Unit>,O=<Organization>,ST=<State>,C=<Country>
The following example shows how to generate a certificate request.
avca generate_csr -certdn CN=<valid-AV-hostname>,OU=DBSEC,O=Oracle,ST=CA,C=US -out cert_request.txt
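An added check, not part of the Oracle guide: since the default key size is 1024 bits, this script reads the key size and CN back out of a certificate request before it is sent to the CA. It assumes the output file is a PEM-encoded PKCS#10 request that openssl can read; the host name av.example.com, the 2048-bit minimum and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect a certificate request before it goes to the CA.
# Assumption: the request is PEM-encoded PKCS#10 and openssl is installed.

# Print the public key size of request $1 in bits, for example 1024.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print the CN of the subject DN of request $1.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Return 0 only if request $1 has a key of at least $2 bits and CN equal to $3.
csr_acceptable() {
    bits=$(csr_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "$1: not a readable certificate request" >&2
        return 2
    fi
    if [ "$bits" -lt "$2" ]; then
        echo "$1: $bits-bit key is below the required $2 bits" >&2
        return 1
    fi
    cn=$(csr_cn "$1")
    if [ "$cn" != "$3" ]; then
        echo "$1: CN '$cn' does not match host '$3'" >&2
        return 1
    fi
    return 0
}

# Constructed sample request standing in for cert_request.txt.
# $1 = RSA key size in bits, $2 = output file (the key goes to $2.key).
make_sample_csr() {
    openssl req -new -newkey "rsa:$1" -nodes -keyout "$2.key" \
        -subj "/C=US/ST=CA/O=Oracle/OU=DBSEC/CN=av.example.com" \
        -out "$2" 2>/dev/null
}

# Demo: a request made with a 1024-bit key, checked against a 2048-bit minimum.
demo_dir=$(mktemp -d)
make_sample_csr 1024 "$demo_dir/cert_request.txt"
if csr_acceptable "$demo_dir/cert_request.txt" 2048 av.example.com; then
    echo "request is acceptable"
else
    echo "request rejected; regenerate it with -keysize 2048"
fi
rm -rf "$demo_dir"
```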
Displays Help for the AVCA commands. This command is run on both the Audit Vault Server and Audit Vault Collection Agent.
avca -help
avca <command> -help
Argument | Description |
---|---|
<command> | The name of an AVCA command for which you want Help to appear |
None
None
The following example shows how to display general AVCA utility Help in the Audit Vault Server home.
avca -help
--------------------------------------------
AVCA Usage
--------------------------------------------
Oracle Audit Vault Server Installation commands
  avca deploy_av -sid <sid> -dbalias <db alias> -avconsoleport <av console port>
  avca generate_csr -certdn <Audit Vault Server host DN> [-keysize 512|1024|2048] -out <certificate request output file>
  avca import_cert -cert <User/Trusted certificate> [-trusted]
  avca remove_cert -certdn <Audit Vault Server host DN>
  avca secure_av -avkeystore <keystore location> -avtruststore <truststore location>
  avca secure_av -remove
Oracle Audit Vault Configuration commands - Agent:
  avca add_agent -agentname <agent name> [-agentdesc <desc>] -agenthost <host>
  avca drop_agent -agentname <agent name>
Oracle Audit Vault Configuration commands - Warehouse:
  avca set_warehouse_schedule -schedulename <schedule name>
  avca set_warehouse_schedule -startdate <start date> -rptintrv <repeat interval> [-dateformat <date format>]
  avca set_warehouse_retention -intrv <year-month interval>
Oracle Audit Vault Agent Installation commands
  avca secure_agent -agentkeystore <keystore location> -avdn <DN of Audit Vault> -agentdn <DN of agent>
  avca secure_agent -remove
Oracle Audit Vault Configuration commands - Authentication:
  avca create_wallet -wrl <wallet_location>
  avca create_credential -wrl <wallet_location> -wpwd <wallet_pwd> -dbalias <db alias> -usr <usr>/<pwd>
avca -help
The following example shows how to display specific AVCA Help for the add_agent command in Audit Vault.
avca add_agent -help
avca add_agent -agentname <agent name> [-agentdesc <desc>] -agenthost <host>
------------------------------------------------
-agentname <agent name>
[-agentdesc <agent description>]
-agenthost <agent host>
------------------------------------------------
The following example shows how to display general AVCA utility Help in the Audit Vault Collection Agent home.
avca -help
--------------------------------------------
AVCA Usage
--------------------------------------------
Oracle Audit Vault Agent Installation commands
  avca secure_agent -agentkeystore <keystore location> -avdn <DN of Audit Vault> -agentdn <DN of agent>
  avca secure_agent -remove
Oracle Audit Vault Configuration commands - Authentication:
  avca create_wallet -wrl <wallet_location>
  avca create_credential -wrl <wallet_location> -wpwd <wallet_pwd> -dbalias <db alias> -usr <usr>/<pwd>
avca -help
Imports the specified User or Trusted certificate into the wallet. This command is run on the Audit Vault Server.
import_cert -cert <User/Trusted certificate> [-trusted]
Argument | Description |
---|---|
-cert <User/Trusted certificate> | The path and file name of the certificate to be imported into the wallet |
[-trusted] | Optional. A keyword to indicate whether the certificate is a Trusted or CA certificate |
None
This certificate must match a pending certificate request in the wallet. The Trusted or CA certificate for this certificate must be imported first.
The following example shows how to import a user certificate into the wallet.
avca import_cert -cert user_certificate.cer
The following example shows how to import a trusted certificate into the wallet.
avca import_cert -cert ca_certificate.cer -trusted
Redeploys the av.ear file on the Audit Vault Server system or the AVAgent.ear file on the Audit Vault Collection Agent system.
avca redeploy
None
None
None
The following example shows how to redeploy either the av.ear file on the Audit Vault Server system or the AVAgent.ear file on the Audit Vault Collection Agent system.
avca redeploy
Removes the specified certificate from the wallet. This command is run on the Audit Vault Server.
remove_cert -certdn <Audit Vault Server host DN>
Argument | Description |
---|---|
-certdn <Audit Vault Server host DN> | Distinguished name (DN) of the Audit Vault Server host |
None
The Certificate or Key pair for the DN matching the given DN will be removed from the wallet.
You can use this command, for example, to remove a certificate that expires or is revoked by the CA, and replace it with a renewed certificate.
The DN of the Audit Vault Server is provided by the Audit Vault Administrator and is typically of the form:
CN=<hostname fully-qualified>,OU=<Org Unit>,O=<Organization>,ST=<State>,C=<Country>
The following example shows how to remove a certificate from the wallet.
avca remove_cert -certdn CN=<valid-AV-hostname>,OU=DBSEC,O=Oracle,ST=CA,C=US
Secures the Audit Vault Collection Agent by enabling mutual authentication with the Audit Vault Server. This command is run on the Audit Vault Collection Agent. This command also removes mutual authentication with Audit Vault Server.
avca secure_agent -agentkeystore <keystore location> -avdn <DN of Audit Vault Server> -agentdn <DN of agent> [-agentkeystorepwd <keystore pwd>]
avca secure_agent -remove
Argument | Description |
---|---|
-agentkeystore <keystore location> | Specify the key store location for this collection agent. |
[-agentkeystorepwd <keystore pwd>] | Specify the key store password for Audit Vault Server. The -agentkeystorepwd argument can be omitted if the corresponding environment variable, AVCA_AGENTKEYSTOREPWD, is set to the key store password. If the command-line argument -agentkeystorepwd is specified, then the command-line argument overrides the environment variable. This argument is provided for backward compatibility. For password handling security, do not specify this argument on the command line or use the environment variable. Instead, let the command prompt you for the key store password. See the example. |
-avdn <DN of Audit Vault Server> | Distinguished name (DN) of the Audit Vault Server |
-agentdn <DN of agent> | DN of this Audit Vault collection agent |
-remove | Keyword to indicate removing mutual authentication with Audit Vault Server |
The key store and certificate must be in place at the collection agent side before you execute this command.
Use the following command to generate a key store:
$ORACLE_HOME/jdk/bin/keytool
When you issue the secure_agent command for the specified collection agent with both the collection agent and its collectors in a running state, the collection agent and all its collectors will shut down when the collection agent OC4J shuts down and starts up again. The specified collection agent and its collectors must all be manually started again.
The following example shows how to secure the Audit Vault Collection Agent by enabling mutual authentication with the Audit Vault Server.
avca secure_agent -agentkeystore /tmp/agentkeystore -agentdn "CN=agent1, OU=development, O=oracle, L=redwoodshores, ST=ca, C=us" -avdn "CN=av1, OU=development, O=oracle, L=redwoodshores, ST=ca, C=us"
Enter keystore password: *******
The following example shows how to unsecure the Audit Vault Collection Agent by disabling mutual authentication with the Audit Vault Server.
avca secure_agent -remove
AVCA started
Restarting agent OC4J...
OC4J restarted successfully.
Secures Audit Vault Server by enabling mutual authentication with the Audit Vault Collection Agent. This command is run on the Audit Vault Server. This command also removes mutual authentication with Audit Vault Collection Agent.
avca secure_av -avkeystore <keystore location> -avtruststore <truststore location> [-avkeystorepwd <keystore pwd>]
avca secure_av -remove
Argument | Description |
---|---|
-avkeystore <keystore location> | Specify the key store location for Audit Vault Server. |
[-avkeystorepwd <keystore pwd>] | Specify the key store password for Audit Vault Server. The -avkeystorepwd argument can be omitted if the corresponding environment variable, AVCA_AVKEYSTOREPWD, is set to the key store password. If the command-line argument -avkeystorepwd is specified, then the command-line argument overrides the environment variable. This argument is provided for backward compatibility. For password handling security, do not specify this argument on the command line or use the environment variable. Instead, let the command prompt you for the key store password. See the example. |
-avtruststore <truststore location> | Specify the trust store location for Audit Vault Server. |
-remove | Keyword to indicate removing mutual authentication with the Audit Vault Collection Agent. |
The key store and certificate must be in place at Audit Vault Server before you execute this command.
Use the following command to generate a key store:
$ORACLE_HOME/jdk/bin/keytool
When you issue the secure_av command, the Audit Vault Console OC4J will shut down and start up again, requiring you to log in to Audit Vault Console again.
The following example shows how to secure Audit Vault Server by enabling mutual authentication with the Audit Vault Collection Agent.
avca secure_av -avkeystore /tmp/avkeystore -avtruststore /tmp/avkeystore
Enter keystore password: *******
The following example shows how to unsecure Audit Vault Server by disabling mutual authentication with the Audit Vault Collection Agent.
avca secure_av -remove
AVCA started
Stopping OC4J...
OC4J stopped successfully.
Starting OC4J...
OC4J started successfully.
Oracle Audit Vault 10g Database Control Release 10.2.3.0.0 Copyright (c) 1996,2008 Oracle Corporation. All rights reserved.
http://stacd05.us.oracle.com:5700/av
Oracle Audit Vault 10g is running.
------------------------------------
Logs are generated in directory /scratch/10.2.2/av_1/av/log
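The password-handling advice in the secure_agent and secure_av argument tables can be checked mechanically. The following added example, which is not part of the Oracle guide, scans a script for key store passwords supplied through -agentkeystorepwd, -avkeystorepwd, AVCA_AGENTKEYSTOREPWD or AVCA_AVKEYSTOREPWD; the sample script, its password value and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): flag key store passwords that are
# passed to avca on the command line or through its environment variables.

# Constructed sample: a deployment script as it might look before review.
sample_script() {
cat <<'EOF'
#!/bin/sh
# enable mutual authentication
export AVCA_AGENTKEYSTOREPWD=changeit
avca secure_agent -agentkeystore /tmp/agentkeystore -agentdn "CN=agent1" -avdn "CN=av1"
avca secure_av -avkeystore /tmp/avkeystore -avtruststore /tmp/avkeystore -avkeystorepwd changeit
# avca secure_av -avkeystore /tmp/avkeystore -avkeystorepwd old
avca secure_av -avkeystore /tmp/avkeystore -avtruststore /tmp/avkeystore
EOF
}

# Print "<line>: <reason>" for every finding in file $1, in line order.
# Comment lines are ignored.
avca_pwd_findings() {
    {
        # Variable assignments that avca would read the password from
        grep -nE -e '(^|[[:space:];])AVCA_(AGENT|AV)KEYSTOREPWD=' "$1" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            sed 's/^\([0-9][0-9]*\):.*/\1: key store password in environment variable/'
        # Password given as an argument, visible in ps output and shell history
        grep -nE -e 'avca[[:space:]].*[[:space:]]-(agent|av)keystorepwd([[:space:]]|$)' "$1" |
            grep -vE '^[0-9]+:[[:space:]]*#' |
            sed 's/^\([0-9][0-9]*\):.*/\1: key store password on the command line/'
    } | sort -n
}

# Print the number of findings in file $1 (0 means avca will prompt each time).
avca_pwd_count() {
    avca_pwd_findings "$1" | grep -c . || true
}

# Demo on the constructed sample
demo_file=$(mktemp)
sample_script > "$demo_file"
avca_pwd_findings "$demo_file"
echo "findings: $(avca_pwd_count "$demo_file")"
rm -f "$demo_file"
```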
Controls the amount of data kept online in the data warehouse fact table. This command is run on the Audit Vault Server.
avca set_warehouse_retention -intrv <year-month interval>
Argument | Description |
---|---|
-intrv <year-month interval> | Specify the year-month interval in the form [+]YY-MM. |
The interval must be positive.
The data loaded using the AVCTL refresh_warehouse command is removed automatically based on the warehouse retention specified using the AVCA set_warehouse_retention command.
The following example shows how to control the amount of data kept online in the data warehouse table. In this case, a time interval of one year is specified.
avca set_warehouse_retention -intrv +01-00
AVCA started
Setting warehouse retention period...
done.
Sets the schedule for refreshing data from the raw audit data store to the star schema. This command is run on the Audit Vault Server.
avca set_warehouse_schedule -schedulename <schedule name>
avca set_warehouse_schedule -startdate <start date> -rptintrv <repeat interval> [-dateformat <date format>]
Argument | Description |
---|---|
-schedulename <schedule name> | Specify the schedule name created using the DBMS_SCHEDULER.create_schedule procedure. |
-startdate <start date> | Specify the start date for a warehouse refresh job using the default format DD-MON-YY. To use a different format, specify the -dateformat argument. |
-rptintrv <repeat interval> | Specify the repeat interval for the schedule using the syntax used in the DBMS_SCHEDULER.create_schedule procedure. |
[-dateformat <date format>] | Optionally, specify the date format for the -startdate argument. |
The schedule can be set using a named schedule created using the DBMS_SCHEDULER.create_schedule procedure, or the schedule can be set by providing the start date and repeat interval.
The following are error conditions:
The schedule name argument must be a valid schedule created using the DBMS_SCHEDULER.create_schedule procedure.
The repeat interval argument must be a valid interval specification consistent with the DBMS_SCHEDULER package.
The following examples show how to set the schedule for refreshing data from the raw audit data store to the star schema by schedule name and by start date using the AVCA set_warehouse_schedule command.
The following example uses a schedule name argument based on a valid schedule created using the DBMS_SCHEDULER.create_schedule procedure.
avca set_warehouse_schedule -schedulename daily_refresh
AVCA started
Set warehouse schedule...
done.
The following example uses a start date and repeat interval argument.
avca set_warehouse_schedule -startdate 01-JUL-06 -rptintrv 'FREQ=DAILY;BYHOUR=0'
AVCA started
Set warehouse schedule...
done.
The following example uses a start date with a specified date format and a repeat interval argument.
avca set_warehouse_schedule -startdate 01-07-2006 -dateformat 'DD-MM-YYYY' -rptintrv 'FREQ=DAILY;BYHOUR=0'
AVCA started
Set warehouse schedule...
done.