Oracle® Audit Vault Administrator's Guide Release 10.2.3 Part Number E11059-03
Audit Vault Oracle Database (AVORCLDB) is a command-line utility that provides the ability to configure (add, alter, and drop) Oracle audit sources and Oracle collectors, verify source compatibility with the collectors, and set up Oracle Database audit sources for audit data collection by establishing the connection to the source through the collector.
Table C-1 describes the AVORCLDB commands and where each is used, whether on the Audit Vault Server, on the Audit Vault Collection Agent, or in both places.

Command | Where Used? | Description
---|---|---
add_collector | Server | Adds a collector to Audit Vault
add_source | Server | Registers an audit source with Audit Vault
alter_collector | Server | Alters the attributes of a collector
alter_source | Server | Alters the attributes of a source
drop_collector | Server | Drops a collector from Audit Vault
drop_source | Server | Drops a source from Audit Vault
help | Both | Displays Help for the AVORCLDB commands
setup | Collection Agent | Adds the source user credentials to the wallet, creates a database alias in the wallet for the source user, and verifies the connection to the source using the wallet
verify | Both | Verifies that the source is compatible with the collectors that are specified for setup
The syntax of the AVORCLDB command-line utility is:

```
avorcldb <command> -help
avorcldb <command> [<options>] <arguments>
```

Argument | Description
---|---
<command> | One of the following commands: add_source, alter_source, drop_source, add_collector, alter_collector, drop_collector, setup, or verify
[<options>] | The optional AVORCLDB options
<arguments> | One or more of the AVORCLDB command arguments
-help | Displays Help for the AVORCLDB commands
Issuing an AVORCLDB command generates the following log file: $ORACLE_HOME/av/log/avorcldb.log.
The AVORCLDB command can be issued any number of times. The AVORCLDB command checks to see if a step has already been completed, and returns a warning in each such case, then skips that step and continues until it is completed.
The following output is from the avorcldb command executed in the Audit Vault Server home shell.

```
$ avorcldb -help
Oracle DB Setup for Audit Vault
-------------------------------
Usage :
   avorcldb help
   avorcldb <command> -help
   avorcldb <command> <arguments>

Source setup commands
   verify -src <host:port:service> -colltype [OSAUD,DBAUD,REDO,ALL]
   add_source -src <host:port:service> [-srcname <srcname>] [-desc <desc>] [-agentname <agentname>]
   alter_source -srcname <srcname> [attrname=value]+
   drop_source -srcname <srcname>

Collector setup commands
   add_collector -srcname <srcname> -agentname <agentname> -colltype [OSAUD|DBAUD|REDO] [-collname <collname>] [-desc <desc>] [-av <host:port:service>] [-instname <instname>] [-orclhome <orclhome>]
   alter_collector -srcname <srcname> -collname <collname> [attrname=value]+
   drop_collector -srcname <srcname> -collname <collname>
```
The following output is from the avorcldb command executed in the Audit Vault Collection Agent home shell.

```
$ avorcldb -help
Oracle DB Setup for Audit Vault
-------------------------------
Usage :
   avorcldb help
   avorcldb <command> -help
   avorcldb <command> <arguments>

Agent Commands
   verify -src <host:port:service> -colltype [OSAUD,DBAUD,REDO,ALL]
   setup -srcname <srcname>
```
Adds a collector for the given source to Audit Vault. The source is verified for requirements of the collector. This command is run on the Audit Vault Server.
```
avorcldb add_collector -srcname <srcname> -agentname <agentname> -colltype [OSAUD,DBAUD,REDO] [-collname <collname>] [-desc <desc>] [-av <host:port:service>] [-instname <instname>] [-orclhome <orclhome>]
```

Argument | Description
---|---
-srcname <srcname> | The source name for which the collector is to be added
-agentname <agentname> | The collection agent name where the collector is to be added
-colltype [OSAUD,DBAUD,REDO] | The collector type to be added
[-collname <collname>] | The collector name. This argument is optional. If this argument is not specified, <colltype>_Collector will be used.
[-desc <desc>] | A brief description of the collector. This argument is optional.
[-av <host:port:service>] | The connection information for Audit Vault used for the database link from the source database to Audit Vault. This argument is required if the -colltype argument is REDO; otherwise, this argument is optional.
[-instname <instname>] | The instance name of the Audit Vault Oracle RAC installation. This argument must be used to add multiple OSAUD collectors (one for each instance).
[-orclhome <orclhome>] | The Oracle home of the source database. This argument is required if the -colltype argument is OSAUD; otherwise, this argument is optional. See the usage notes.
Run any collector-specific preparation scripts before you execute the AVCA add_collector command.
On Windows systems, specifying the OSAUD collector type automatically includes the Event Log and XML audit trails.
When adding an OSAUD collector on Windows, specify the value for the -orclhome argument either as a quoted string using backslashes (for example, -orclhome "c:\app\oracle\product\10.2.3\av_1") or as an unquoted string using slashes (for example, -orclhome c:/app/oracle/product/10.2.3/av_1).
There is a 2 GB audit file size limit for the OSAUD collector to be able to collect audit records from audit trails stored in files, which includes the SYSLOG, .AUD, and .XML files. If a file size greater than 2 GB is encountered, the OSAUD collector will ignore all audit records beyond 2 GB. To control the size of the operating system audit trail and select the audit trail type to set, set the DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE property and the DBMS_AUDIT_MGMT.AUDIT_TRAIL_TYPE type by using the DBMS_AUDIT_MGMT.SET_AUDIT_TRAIL_PROPERTY PL/SQL procedure. See Section 4.4 for tutorial information and Appendix G for reference information.
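As an added example (not part of Oracle's documentation or tooling), the following POSIX shell script checks an operating system audit trail directory for .aud and .xml files that have grown past the OSAUD collector's 2 GB limit, because every record past that point is silently not collected and the gap only shows up as missing evidence later. The directory path, the function names and the demonstration files are assumptions constructed for this example; the 2 GB figure is the one stated in the usage notes above.

```shell
#!/bin/sh
# Added example, not Oracle's code: find operating system audit trail files
# that exceed the OSAUD collector's per-file limit. Records beyond 2 GB in a
# .aud, .xml or syslog file are ignored by the collector, so an oversized
# file means audit evidence that never reaches Audit Vault.

OSAUD_FILE_LIMIT=2147483648   # 2 GB, the limit stated in the usage notes

# file_size_bytes FILE -> prints the size in bytes (wc -c is portable)
file_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# check_audit_file_sizes DIR [LIMIT]
# Prints one line per .aud/.xml file in DIR larger than LIMIT bytes
# (default: the 2 GB collector limit); the exit status is non-zero when any
# oversized file was found, so the function can drive a scheduled alert.
check_audit_file_sizes() {
    dir=$1
    limit=${2:-$OSAUD_FILE_LIMIT}
    count=0
    for f in "$dir"/*.aud "$dir"/*.xml; do
        [ -f "$f" ] || continue          # pattern matched nothing
        size=$(file_size_bytes "$f")
        if [ "$size" -gt "$limit" ]; then
            echo "$f: $size bytes exceeds the $limit byte limit; records past the limit are not collected"
            count=$((count + 1))
        fi
    done
    [ "$count" -eq 0 ]
}

# make_demo_audit_dir -> prints the path of a constructed directory holding
# three small files, one of which is larger than a 1024 byte demonstration
# limit (a real 2 GB file is not needed to exercise the check).
make_demo_audit_dir() {
    d=$(mktemp -d)
    printf 'small audit record\n' > "$d/ora_1.aud"
    dd if=/dev/zero of="$d/ora_2.aud" bs=1024 count=4 2>/dev/null
    printf '<AuditRecord/>\n' > "$d/ora_3.xml"
    echo "$d"
}

# Usage: check a real audit file destination (path is hypothetical) ...
#   check_audit_file_sizes /u01/app/oracle/admin/orcl/adump
# ... or exercise the check on the constructed directory with a 1 KB limit:
#   check_audit_file_sizes "$(make_demo_audit_dir)" 1024
```

Run against the real audit file destination with no second argument, the check uses the 2 GB limit; pointing it at the directory named by OSAUDIT_FILE_DEST and OSAUDIT_DEFAULT_FILE_DEST from a scheduled job gives early warning before DBMS_AUDIT_MGMT.OS_FILE_MAX_SIZE has to be relied on after the fact.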
The following example shows how to add an OSAUD collector to Oracle Audit Vault on Linux and UNIX platforms in an Oracle Real Application Clusters (Oracle RAC) installation using the -instname argument.

```
avorcldb add_collector -srcname source1db.domain.com -agentname Agent1 -colltype OSAUD -instname av01 -orclhome /u01/app/oracle/product/10.2.0/db_1
source SOURCE1DB.DOMAIN.COM verified for OS File Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): OSAUD_Collector
```
The following example shows how to add a DBAUD collector to Audit Vault:

```
avorcldb add_collector -srcname source1db.domain.com -agentname Agent1 -colltype DBAUD
source SOURCE1DB.DOMAIN.COM verified for Aud$/FGA_LOG$ Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): DBAUD_Collector
```
The following example shows how to add a REDO collector to Audit Vault.

```
avorcldb add_collector -srcname source1db.domain.com -agentname Agent1 -colltype REDO -av system1.domain.com:1521:av
source SOURCE1DB.DOMAIN.COM verified for REDO Log Audit Collector collector
Adding collector...
Collector added successfully.
collector successfully added to Audit Vault
remember the following information for use in avctl
Collector name (collname): REDO_Collector
initializing REDO Collector
setting up APPLY process on Audit Vault server
setting up CAPTURE process on source database
```
Registers an audit source with Audit Vault for audit data consolidation. This command is run on the Audit Vault Server.
```
avorcldb add_source -src <host:port:service> [-srcusr <usr>/<pwd>] [-srcname <srcname>] [-desc <desc>] [-agentname <agentname>]
```

Argument | Description
---|---
-src <host:port:service> | Source database connection information: host name, port number, and service ID (SID), separated by a colon
[-srcusr <usr>/<pwd>] | Credentials of the user on the source database to collect audit data. The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR, is set to usr/password. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable. For password handling security, do not specify this argument on the command line and do not use the environment variable. Instead, let the command prompt you for the source user name and password. See the example.
[-srcname <srcname>] | Optional source name. If this argument is not specified, the global database name of the source will be used.
[-desc <desc>] | Optional description of the source
[-agentname <agentname>] | Optional collection agent name; however, this parameter must be specified in order to configure policy management using the Audit Vault Auditor's Console.
The global database name of the source database is used as the source name in Oracle Audit Vault.

The user name specified for the source user must exist on the source database. When prompted, enter the credentials for the source user name and password.

The -agentname <agentname> parameter must be specified in order to configure policy management using the Audit Vault Auditor's Console.

The following example shows how to register a source with Oracle Audit Vault. In this example, the AVORCLDB_SRCUSR environment variable is set to srcusr1/pwd and the -srcusr argument is omitted.

```
avorcldb add_source -src lnxserver:4523:hrdb.domain.com -agentname agent1
Enter Source user name: <username>
Enter Source password: *******
Adding source...
Source added successfully.
source successfully added to Audit Vault
remember the following information for use in avctl
Source name (srcname): RDBMSRC1.US.ORACLE.COM
Storing user credentials in wallet...
Create credential oracle.security.client.connect_string3
done.
Mapping Source to Agent...
```
Modifies the attributes of a collector. This command is run on the Audit Vault Server.
```
avorcldb alter_collector -srcname <srcname> -collname <collname> [<attrname>=<attrvalue>...<attrname>=<attrvalue>]
```

Argument | Description
---|---
-srcname <srcname> | Specify the source (by source name) to which this collector belongs.
-collname <collname> | Specify the collector (by collector name) to be modified.
[<attrname>=<attrvalue>] | Specify the pair (attribute name, new attribute value) for mutable collector attributes for this collector type. This argument is optional. Separate multiple pairs by a space on the command line.
You can modify one or more collector attributes at a time. Table C-2, Table C-3, and Table C-4 list the collector attributes (parameters) by collector type, whether the parameter is mutable, and its default value. See Section 3.1.3.2 for a description of these attributes.
Table C-2 DBAUD Collector Attributes

Parameter | Description | Mutable | Default Value
---|---|---|---
AUDAUDIT_ACTIVE_SLEEP_TIME | The amount of active sleep time (in milliseconds) for the DBAUD process when the last retrieval actually did retrieve records. | Yes | 1000 milliseconds
AUDAUDIT_AUDIT_VAULT_ALIAS | The alias name for the Audit Vault Server. | No | NULL
AUDAUDIT_DELAY_TIME | The amount of delay time (in seconds) for the DBAUD process. | Yes | 20 seconds
AUDAUDIT_MAX_PROCESS_RECORDS | The maximum number of records after which the collector commits records to the raw audit data store and generates minor recovery context. In the case of fine-grained auditing (FGA_LOG$) and 9.X sources, the collector might need to delay this until the record with the higher timestamp is retrieved. A valid value is an integer value from 10 to 10000. | Yes | 1000 records
AUDAUDIT_SLEEP_TIME | The amount of sleep time (in milliseconds) for the DBAUD process. For example, if it is now 10:00:00 AM, the collector will retrieve the records with the timestamps that are less than 9:59:40. However, the next time the collector will only retrieve records with the timestamps of 9:59:40 or higher. The assumption is that within 20 seconds after the timestamp is assigned to the record, the record would be visible (retrievable). This attribute is used only for time-based retrieval, which is currently used for fine-grained auditing (FGA_LOG$) on 9.X sources. In Audit Vault release 10.2.3, time-based retrieval is used for all retrievals. | Yes | 5000 milliseconds
AUDAUDIT_SORT_POLICY | The audit data sort policy. This attribute is not implemented. It is deprecated for release 10.2.3. | Yes | NULL
AUDAUDIT_SOURCE_ALIAS | The alias name for the audit data source. | No | NULL
Table C-3 OSAUD Collector Attributes

Parameter | Description | Mutable | Default Value
---|---|---|---
OSAUDIT_AUDIT_VALUE_ALIAS | The alias name for the Audit Vault Server. | No | NULL
OSAUDIT_CHANNEL_TYPE | The channel type being used by the collector. This attribute is not implemented. It is deprecated for release 10.2.3. | No | NULL
OSAUDIT_DEFAULT_FILE_DEST (see Footnote 1) | The default directory for Oracle operating system audit files containing mandatory audit records. | Yes |
OSAUDIT_FILE_DEST | The directory where Oracle operating system audit files containing SYS and normal audit records can be found. | Yes |
OSAUDIT_LOG_LEVEL | The log level: FATAL, ERROR, WARNING, INFO, and DEBUG. This attribute is not implemented. It is deprecated for release 10.2.3. | Yes | WARNING
OSAUDIT_MAX_PROCESS_RECORDS | The maximum number of records to be processed during each call to process the collector. A valid value is an integer value from 10 to 10000. | Yes | 10000
OSAUDIT_MAX_PROCESS_TIME | The maximum processing time for each call to process the collector (in centiseconds). A valid value is an integer value from 10 to 10000. | Yes | 600 centiseconds
OSAUDIT_NLS_CHARSET | The NLS character set of the data source. | Yes | WE8ISO8859P1
OSAUDIT_NLS_LANGUAGE | The NLS language of the data source. | Yes | AMERICAN
OSAUDIT_NLS_TERRITORY | The NLS territory of the data source. | Yes | AMERICA
OSAUDIT_RAC_INSTANCE_ID | The instance ID in the Oracle RAC environment. | Yes | 1.0
OSAUDIT_SOURCE_ALIAS | The alias (connection string) to the source database. | Yes | NULL
OSAUDIT_SYSLOG_FILE | The Syslog file name and location, if other than the default as indicated in the | Yes | NULL
OSAUDIT_NT_ORACLE_SID | The Oracle SID name on Windows systems. | Yes | NULL
Footnote 1: To avoid collecting duplicate operating system audit trail records, do not set the OSAUDIT_DEFAULT_FILE_DEST attribute and the OSAUDIT_FILE_DEST attribute to values that, although different, resolve to the same directory.
Table C-4 REDO Collector Attributes

Parameter | Description | Mutable | Default Value
---|---|---|---
AV.DATABASE.NAME | The Audit Vault database name. | No | NULL
STRCOLL_DBPORT | The port number of the audit data source Oracle database. | Yes | NULL
STRCOLL_DBSERVICE | The service name of the audit data source Oracle database. | No | NULL
STRCOLL_HEARTBEAT_TIME | The time, in seconds, between events for monitoring the status of the Audit Vault REDO collection system. | Yes | 60 seconds
STRCOLL_SRCADM_ALIAS | The alias name for the audit data source. | No | NULL
STRCOLL_SRCADM_NAME | The name of the audit data source. | No | NULL
On Windows systems, if the path value for the OSAUDIT_DEFAULT_FILE_DEST attribute is set incorrectly using backslashes, use the Audit Vault Console: log in as the Audit Vault Administrator and connect as AV_ADMIN, click Configuration, click Collector, select the OSAUD_Collector name, then click Edit and edit the value for this attribute using slashes instead of backslashes. When finished, click OK to save your changes.

The following example shows how to alter the AUDAUDIT_DELAY_TIME attribute for the DBAUD_Collector collector in Audit Vault:

```
avorcldb alter_collector -srcname lnxserver.domain.com -collname DBAUD_Collector AUDAUDIT_DELAY_TIME=60
Altering collector...
Collector altered successfully.
```
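As an added example (not Oracle's code), the following POSIX shell functions pre-check the attrname=value pairs before they are handed to avorcldb alter_collector: they reject attributes that Tables C-2 through C-4 mark as not mutable, integer values outside the documented 10 to 10000 range, and Windows directory values written with backslashes, and they test whether two directory attributes resolve to the same physical directory, which is the duplicate-record condition described in Footnote 1. The attribute lists are transcribed from the tables above; the function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle's code: validate alter_collector attribute pairs
# against the mutability and ranges documented in Tables C-2, C-3 and C-4.

# is_int_in_range VALUE MIN MAX -> 0 if VALUE is an integer within [MIN, MAX]
is_int_in_range() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# validate_collector_attr NAME=VALUE
# Prints "OK: ..." and returns 0, or prints "REJECT: ..." and returns 1.
validate_collector_attr() {
    case $1 in
        *=*) ;;
        *) echo "REJECT: '$1' is not of the form attrname=value"; return 1 ;;
    esac
    name=${1%%=*}
    value=${1#*=}
    case $name in
        # Attributes the tables list as Mutable = No
        AUDAUDIT_AUDIT_VAULT_ALIAS|AUDAUDIT_SOURCE_ALIAS|OSAUDIT_AUDIT_VALUE_ALIAS|OSAUDIT_CHANNEL_TYPE|AV.DATABASE.NAME|STRCOLL_DBSERVICE|STRCOLL_SRCADM_ALIAS|STRCOLL_SRCADM_NAME)
            echo "REJECT: $name is not mutable"; return 1 ;;
        # Integer attributes with a documented range of 10 to 10000
        AUDAUDIT_MAX_PROCESS_RECORDS|OSAUDIT_MAX_PROCESS_RECORDS|OSAUDIT_MAX_PROCESS_TIME)
            is_int_in_range "$value" 10 10000 || { echo "REJECT: $name must be an integer from 10 to 10000"; return 1; } ;;
        # Timing attributes (milliseconds or seconds): any non-negative integer
        AUDAUDIT_ACTIVE_SLEEP_TIME|AUDAUDIT_DELAY_TIME|AUDAUDIT_SLEEP_TIME|STRCOLL_HEARTBEAT_TIME)
            is_int_in_range "$value" 0 2147483647 || { echo "REJECT: $name must be a non-negative integer"; return 1; } ;;
        # The REDO source port must be a TCP port number
        STRCOLL_DBPORT)
            is_int_in_range "$value" 1 65535 || { echo "REJECT: $name must be a port number from 1 to 65535"; return 1; } ;;
        # Directory attributes: backslashes are the misconfiguration the
        # Windows usage note describes, so reject them up front
        OSAUDIT_DEFAULT_FILE_DEST|OSAUDIT_FILE_DEST)
            case $value in
                *\\*) echo "REJECT: $name must be written with slashes, not backslashes"; return 1 ;;
            esac ;;
        # Remaining mutable attributes take free-form string values
        AUDAUDIT_SORT_POLICY|OSAUDIT_LOG_LEVEL|OSAUDIT_NLS_CHARSET|OSAUDIT_NLS_LANGUAGE|OSAUDIT_NLS_TERRITORY|OSAUDIT_RAC_INSTANCE_ID|OSAUDIT_SOURCE_ALIAS|OSAUDIT_SYSLOG_FILE|OSAUDIT_NT_ORACLE_SID)
            ;;
        *) echo "REJECT: unknown collector attribute $name"; return 1 ;;
    esac
    echo "OK: $name=$value"
}

# dirs_resolve_same DIR_A DIR_B -> 0 when both paths resolve (through
# symlinks and relative components) to the same physical directory, the
# condition Footnote 1 warns will make the OSAUD collector collect duplicates.
dirs_resolve_same() {
    a=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    b=$(cd "$2" 2>/dev/null && pwd -P) || return 1
    [ "$a" = "$b" ]
}

# Usage (sample values are constructed):
#   validate_collector_attr AUDAUDIT_DELAY_TIME=60
#   validate_collector_attr OSAUDIT_DEFAULT_FILE_DEST='c:\app\oracle\adump'
#   dirs_resolve_same /u01/app/oracle/admin/orcl/adump /u01/app/oracle/admin/orcl/adump/../adump
```

Running every pair through validate_collector_attr before the real alter_collector call turns a failed or silently ineffective alteration into an explicit rejection, and dirs_resolve_same is the check to run whenever both OSAUDIT_DEFAULT_FILE_DEST and OSAUDIT_FILE_DEST are set.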
Modifies the attributes of the source. This command is run on the Audit Vault Server.
```
avorcldb alter_source -srcname <srcname> [<attrname>=<attrvalue>...<attrname>=<attrvalue>]
```

Argument | Description
---|---
-srcname <srcname> | Specify the source (by source name) to be modified.
[<attrname>=<attrvalue>] | Specify the pair (attribute name, new attribute value) for the mutable source attributes of this source to be modified. This argument is optional. Separate multiple pairs by a space on the command line.
Table C-5 lists the source attributes (parameters) that can be changed (mutable), a brief description, and its default value. You can modify one or more source attributes at a time.
Parameter | Description | Mutable | Default Value
---|---|---|---
HOSTIP | The Internet protocol address of the host system on which the source resides | Yes | NULL
VERSION | The source version | Yes | NULL
DESCRIPTION | The description for this source | Yes | NULL
DB_SERVICE | A new audit data source service name | Yes | NULL
PORT | A new port number for this system where the source audit data resides | Yes | NULL
GLOBAL_DATABASE_NAME | The new global database name | Yes | NULL

The following example shows how to alter the PORT attribute for the source named lnxserver.domain.com in Oracle Audit Vault:

```
avorcldb alter_source -srcname lnxserver.domain.com PORT=1522
Altering source...
Source altered successfully.
```
Drops a collector from Oracle Audit Vault. This command is run from the Audit Vault Server.
```
avorcldb drop_collector -srcname <srcname> -collname <collname>
```

Argument | Description
---|---
-srcname <srcname> | Specify the name of the source to which the collector (specified in the -collname argument) belongs.
-collname <collname> | Specify the collector (by collector name) to be dropped from Oracle Audit Vault.
The drop_collector command does not delete the collector from Oracle Audit Vault; it disables the collector. The user can neither add the same collector name again nor enable the old name.

The following example shows how to drop the collector named 'DBAud_Collector' from Oracle Audit Vault:

```
avorcldb drop_collector -srcname lnxserver.domain.com -collname DBAud_Collector
Dropping collector...
Collector dropped successfully.
```
Drops a source from Oracle Audit Vault. This command is run on the Audit Vault Server.
```
avorcldb drop_source -srcname <srcname>
```

Argument | Description
---|---
-srcname <srcname> | Specify the source (by source name) to be dropped from Oracle Audit Vault.
The drop_source command does not delete the source from Oracle Audit Vault; it disables the source. The user can neither add the same source name again nor enable the old source. Audit data from this source is no longer collected once the source has been dropped, but the information about this source is maintained in Oracle Audit Vault with a status of dropped (inactive) for future reporting purposes.
A source cannot be dropped or deleted if there are any active collectors for this source. All collectors must be inactive (dropped) to successfully drop a source from Oracle Audit Vault.
The following example shows how to drop the source named lnxserver.domain.com from Oracle Audit Vault:

```
avorcldb drop_source -srcname lnxserver.domain.com
Dropping source...
Source dropped successfully.
```
Displays Help for the AVORCLDB commands. This command is run on both the Audit Vault Server and the Audit Vault Collection Agent.
```
avorcldb -help
avorcldb <command> -help
```

Argument | Description
---|---
<command> | The name of an AVORCLDB command for which you want Help to appear

There are no usage notes for this command.

The following example shows how to display general AVORCLDB utility Help in Audit Vault:

```
avorcldb -help
```

The following example shows how to display specific AVORCLDB Help for the add_source command in the Audit Vault Server home shell.

```
$ avorcldb add_source -help
avorcldb add_source command
add_source -src <host:port:service> [-srcusr <usr>/<pwd>] [-srcname <srcname>] [-desc <desc>] [-agentname <agentname>]
Purpose: The source is added to Audit Vault. The global DB Name of the source database is used as the Source Name in Audit Vault.
Arguments:
   -src       : Source DB connection information
   -srcusr    : Optional source user name and password. Will be prompted.
   -srcname   : Optional name of source, default : <global_dbname>
   -desc      : Optional description of the source
   -agentname : Optional agent name to configure policy management
Examples:
   avorcldb add_source -src lnxserver:4523:hrdb.domain.com -desc 'HR Database'
```
Adds the source user credentials to the wallet, creates a database alias in the wallet for the source user, and verifies the connection to the source using the wallet. This command is run on the Audit Vault Collection Agent. This command can also be used to change the source user credentials in the wallet when the credentials are changed on the source.
```
avorcldb setup -srcname <srcname> [-srcusr <usr>/<pwd>]
```

Argument | Description
---|---
-srcname <srcname> | The name of the source database
[-srcusr <usr>/<pwd>] | Credentials of the user on the source database to collect audit data. The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR, is set to usr/password. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable. This argument is provided for backward compatibility. For password handling security, do not specify this argument on the command line and do not use the environment variable. Instead, let the command prompt you for the source user name and password. See the example.
If you enter an incorrect user name or password (or both) when issuing the setup command and receive an error message that the credentials could not be verified by connecting to the source database through the wallet, reissue the setup command with the correct credentials.

The following example sets up the REDO and OSAUD collectors.

```
avorcldb setup -srcname lnxserver:hrdb.domain.com
Enter Source user name: <username>
Enter Source password: *******
adding credentials for user srcuser1 for connection [SRCDB1]
Storing user credentials in wallet...
Create credential oracle.security.client.connect_string3
done.
updated tnsnames.ora with alias [SRCDB1] to source database
verifying SRCDB1 connection using wallet
```
To change the srcusr user name password in the wallet in the Audit Vault Collection Agent home, use the following setup command, where the source name is orcl1 and the source user name is srcuser1.

```
avorcldb setup -srcname orcl1
Enter Source user name: srcuser1
Enter Source password: *******
adding credentials for user srcuser1 for connection [SRCDB1]
Storing user credentials in wallet...
Create credential oracle.security.client.connect_string3
done.
updated tnsnames.ora with alias [SRCDB1] to source database
verifying SRCDB1 connection using wallet
```
Verifies that the source is compatible for setting up the specified collectors. This command can be run on both the Audit Vault Server and the Audit Vault Collection Agent.
```
avorcldb verify -src <host:port:service> [-srcusr <usr>/<pwd>] -colltype [OSAUD,DBAUD,REDO,ALL]
```

Argument | Description
---|---
-src <host:port:service> | Source database connection information: host name, port number, and service name, separated by a colon
[-srcusr <usr>/<pwd>] | Credentials of the user on the source database to collect audit data. The -srcusr argument can be omitted if the corresponding environment variable, AVORCLDB_SRCUSR, is set to usr/password. If the command-line argument -srcusr is specified, then the command-line argument overrides the environment variable. This argument is provided for backward compatibility. For password handling security, do not specify this argument on the command line and do not use the environment variable. Instead, let the command prompt you for the source user name and password. See the example.
-colltype [OSAUD,DBAUD,REDO,ALL] | List of collector types [REDO, DBAUD, OSAUD] or ALL

There are no usage notes for this command.

The following example verifies that the source is compatible with the OSAUD, DBAUD, and REDO collectors on a Linux or UNIX-based system.

```
avorcldb verify -src lnxserver:4523:hrdb.domain.com -colltype ALL
Enter Source user name: <username>
Enter Source password: *******
source HRDB.DOMAIN.COM verified for OS File Audit Collector collector
source HRDB.DOMAIN.COM verified for Aud$/FGA_LOG$ Audit Collector collector
source HRDB.DOMAIN.COM verified for REDO Log Audit Collector collector
```
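As an added example (not Oracle's code), the following POSIX shell wrapper enforces the password-handling advice given above for add_source, setup, and verify: it refuses to run when -srcusr appears on the command line or when AVORCLDB_SRCUSR is exported, so the utility prompts for the password instead of receiving it through the argument list (visible to other users in process listings and in shell history) or the environment (inherited by every child process). It also checks that each -src value has the host:port:service shape before anything is sent to the database. The wrapper assumes the avorcldb executable is reachable through the hypothetical AVORCLDB variable; the function names and sample arguments are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle's code: run AVORCLDB credential-taking commands
# only when the password will be supplied at the interactive prompt.

AVORCLDB=${AVORCLDB:-avorcldb}   # hypothetical: path to the real utility

# check_src_arg host:port:service -> 0 when all three parts are present and
# the middle one is a TCP port number
check_src_arg() {
    case $1 in
        *:*:*) ;;
        *) return 1 ;;
    esac
    host=${1%%:*}
    rest=${1#*:}
    port=${rest%%:*}
    service=${rest#*:}
    [ -n "$host" ] && [ -n "$service" ] || return 1
    case $service in *:*) return 1 ;; esac      # more than two colons
    case $port in ''|*[!0-9]*) return 1 ;; esac # port must be numeric
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# preflight_args ARG... -> 0 when no argument or environment variable
# carries the source credentials
preflight_args() {
    for arg in "$@"; do
        case $arg in
            -srcusr|-srcusr=*)
                echo "refusing: -srcusr places the password on the command line" >&2
                return 1 ;;
        esac
    done
    if [ -n "${AVORCLDB_SRCUSR+set}" ]; then
        echo "refusing: AVORCLDB_SRCUSR is set; unset it and let avorcldb prompt" >&2
        return 1
    fi
    return 0
}

# avorcldb_safe COMMAND ARG... : invoke the real utility only after the
# credential and -src checks pass
avorcldb_safe() {
    preflight_args "$@" || return 1
    prev=""
    for arg in "$@"; do
        if [ "$prev" = "-src" ]; then
            check_src_arg "$arg" || {
                echo "refusing: -src '$arg' is not host:port:service" >&2
                return 1
            }
        fi
        prev=$arg
    done
    "$AVORCLDB" "$@"
}

# Usage (arguments are constructed samples):
#   avorcldb_safe verify -src lnxserver:4523:hrdb.domain.com -colltype ALL
#   avorcldb_safe add_source -src lnxserver:4523:hrdb.domain.com -agentname agent1
#   avorcldb_safe setup -srcname orcl1
```

Because the wrapper exits before the utility starts, a rejected invocation never reaches the source database and never writes the password into avorcldb.log or the process table; the operator simply re-runs the command and types the password at the prompt.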