Oracle® Audit Vault Administrator's Guide Release 10.2.3.2 Part Number E14459-11
This chapter describes common management activities that you need to perform after you have completed the configuration tasks in Chapter 2. You can use the Audit Vault Console or the command-line tools described in this chapter to manage Oracle Audit Vault.
The Audit Vault Console is a graphical user interface that you can use to perform commonly used Oracle Audit Vault administration tasks. If you prefer to use a command-line interface, you can use equivalent commands in the AVCA and AVCTL utilities.
To check the status of the Audit Vault Console:
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Run the following command:
avctl show_av_status
To start the Audit Vault Console:
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Ensure that the Audit Vault Console is running.
avctl show_av_status
If the avctl show_av_status command indicates that the Audit Vault Console is not running, then enter the following command:
avctl start_av
At this stage, you can log in to the Audit Vault Console.
From a Web browser, enter the following URL:
http://host:port/av
In this specification:
host: The host computer on which you installed the Audit Vault Server.
port: The port number reserved for the Audit Vault Server.
If you are unsure of the host and port number values, then enter the avctl show_av_status command, which displays this information.
In the Login page, enter the following information:
User Name: Enter the name of a user who has been granted the AV_ADMIN role.
Password: Enter the user's password.
Connect As: From the list, select AV_ADMIN.
Click Login.
To stop the Audit Vault Server console:
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Run the following command:
avctl stop_av
If you must perform maintenance tasks or other similar activities that do not require alert settings to be active, then you can globally enable or disable the alert settings that Oracle Audit Vault auditors create. Do not disable alerts unless you are directed to do so by Oracle Support Services or if you encounter a problem with the alerts table. By default, alerts are enabled.
To globally disable and enable alerts:
Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.
See Section 3.2.3 for login instructions.
Select the Configuration tab, and then select the Alert subpage.
The Alert Settings page appears.
At the Alert Processing Status label, select either Disable or Enable.
Click Apply.
Audit event category management consists of viewing the Oracle Audit Vault audit event categories, their attributes, and their audited events. An audit event category defines how various types of events are organized. For example, invalid records are placed in the Invalid Record event category. See Oracle Audit Vault Auditor's Guide for more information about audit event categories.
Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.
See Section 3.2.3 for login instructions.
Select the Configuration tab, and then select the Audit Event Category subpage.
The Audit Event Category Management page appears.
Select an audit event category, and then click View to find detailed information about that category.
The View Audit Event Category page appears.
From the Audit Source Type list, select from the available source types: ORCLDB, MSSQLDB, SYBDB, and DB2DB.
Select the Attributes or Audit Events subpages to view detailed information about these categories.
Click OK when you complete viewing the audit event information for the category you selected.
Figure 3-1 shows the Audit Event Category Management page.
Figure 3-1 Audit Event Category Management Page
On the Audit Event Category Management page, audit event categories appear in a table with the following columns:
Audit Event Category
Audit Event Category Description
Format Name
Format Module
You can use the Audit Vault Console to view operational errors that Oracle Audit Vault catches, such as broken database connections and missing files.
To view errors using Oracle Audit Vault:
Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.
See Section 3.2.3 for login instructions.
Select the Management tab, and then select the Audit Errors subpage.
The Audit Errors page appears.
After the Error Time label, specify a time range of errors to view.
Select from the Last 24 Hours, Last One Week, or Last One Month options to view errors from those times, or select The Period and then enter a start date in the From field and end date in the To field to specify a different time range.
Click Go.
Figure 3-2 shows the Audit Errors page with audit errors from the last 24 hours.
The Audit Errors page displays error information as a table with the following column headings:
Error Time: Local time when the audit error was generated
Audit Source: The audit source database on which the audit error originated
Collector: The collector on which the audit error originated
Module: The module name involved in the audit error
Message: The content of the audit error message
After you add a collector to a database source, Oracle Audit Vault creates the collector with a set of default properties that are internal to Oracle Audit Vault. They have no effect on the source database. These properties control aspects such as the frequency of audit data collection from the source database, the name of the source database, and so on.
To alter collector properties and attributes using the Audit Vault Console:
Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.
See Section 3.2.3 for login instructions.
Select the Configuration tab, and then select the Audit Source subpage.
The Source Configuration Management page appears.
Select the Collector subpage.
The Collector Configuration Management page appears, which displays the current settings for the available collectors.
Select the collector that you want to modify, and then click the Edit button.
The Edit Collector page appears.
Under Attributes, modify the attributes for the collectors by editing the values in the Value column.
For more information about these attributes, see the following sections:
Section 8.4 for the Oracle Database collector attributes
Section 9.4 for the SQL Server collector attributes
Section 10.4 for the Sybase ASE collector attributes
Section 11.4 for the IBM DB2 collector attributes
Click OK.
Restart the collector.
Return to the Collectors subpage, select the collector from the list, and click the Stop button. Then click Start to restart the collector.
To alter collector properties from a command line:
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Run the alter_collector command for each collector type, as shown in the following examples:
For Oracle Database:
avorcldb alter_collector -srcname ORCL -collname DBAUD_Collector AUDAUDIT_DELAY_TIME=60
See Section 8.4 for more information about the avorcldb alter_collector command.
For Microsoft SQL Server:
avmssqldb alter_collector -srcname mssqldb4 -collname MSSQLCollector NO_OF_RECORDS=1500 DESCRIPTION="MSSQLDB collector 45" SERVERSIDE_TRACE_FILEPATH="c:\SQLAuditFile*.trc"
See Section 9.4 for more information about the avmssqldb alter_collector command.
For Sybase ASE:
avsybdb alter_collector -srcname sybdb4 -collname SybaseCollector NO_OF_RECORDS=1500 DESCRIPTION="Sybase collector 45"
See Section 10.4 for more information about the avsybdb alter_collector command.
For IBM DB2:
avdb2db alter_collector -srcname db2db4 -collname DB2Collector NO_OF_RECORDS=1500 DESCRIPTION="IBM DB2 collector 95"
See Section 11.4 for more information about the avdb2db alter_collector command.
Restart the collector.
In the Audit Vault Server shell, run commands similar to the following:
avctl stop_collector -collname DBAUD_Collector -srcname ORCL
avctl start_collector -collname DBAUD_Collector -srcname ORCL
See Section 7.14 for more information about avctl stop_collector and Section 7.11 for information about avctl start_collector.
The collectors collect audit data from their source databases and send it to the Oracle Audit Vault repository. The repository stores the data in an internal format. This repository also contains a data warehouse, which is automatically refreshed with the latest audit records. Oracle Audit Vault provides predefined reports that display the data in the warehouse to the auditor.
You can perform the following activities with the Oracle Audit Vault data warehouse:
Set a retention period for the data that has been refreshed. The data warehouse then contains the most recent data for that length of time.
Load older data from the raw audit data store into the data warehouse tables. You can load older data into the data warehouse so that it can be available for analysis in the Oracle Audit Vault reports. However, you cannot load data from outside sources—just data that has been previously collected by the collectors but is too old to be loaded into the data warehouse as part of a normal refresh.
Purge audit data. If you load older audit data into the warehouse, you can purge it from the data warehouse. Oracle Audit Vault still maintains this data in the Audit Vault repository but does not make it available for analysis in the warehouse.
Oracle Audit Vault initially inserts audit data from the databases into a raw audit data store (that is, the internal format) as well as into the data warehouse so that it can be made available for the Oracle Audit Vault reports. As an AV_ADMIN user, you can specify how long the audit data should remain in the warehouse tables for online reporting. You can set a retention period that determines the content of an Audit Vault report.
For example, suppose on August 19, 2009, you set the warehouse retention period to 1 year. One month later, the retention period will have shifted forward: now the data warehouse contains audit data from September 19, 2008 to September 19, 2009. Using a nightly job, Oracle Audit Vault then deletes the audit data dated before September 19, 2008 from the warehouse tables used by the reports, because it is now older than the retention period. This way, you always have the most recent year of audit data, right up to the current time. The AV_AUDITOR user can specify the retention period for the raw audit data store. When audit records are deleted from the warehouse, a compressed copy of the audit data remains in the repository and can be reloaded into the warehouse for future reporting needs.
You can create a retention period from either the Audit Vault Console or at a shell or command prompt by using the AVCA utility.
See Also:
Oracle Audit Vault Auditor's Guide for more information about the raw audit data store in the Audit Vault data warehouse schema
Section 3.4.3 for information about loading audit data to the Audit Vault data warehouse
Section 3.4.4 for information about purging audit data from the Audit Vault data warehouse
To create the retention period using the Audit Vault Console:
Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.
See Section 3.2.3 for login instructions.
Select the Configuration tab, and then select the Warehouse subpage.
The Warehouse Settings page appears.
Set the retention window, that is, the period of time during which the data sent to the Oracle Audit Vault data warehouse remains in storage.
For example, suppose that you want to keep the audit data in storage for the next year and a half. To do so, you would enter 1 in the Year field and 6 in the Months field.
Click Apply.
To create a retention period from a command line:
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Run the avca set_warehouse_retention command to set the retention period.
For example, to specify a period of 1 year and 6 months, enter the following command:
avca set_warehouse_retention -intrv +01-06
See Section 6.24 for more information about the avca set_warehouse_retention command.
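The sliding retention window described above, worked through in code. This is an added illustration, not Oracle's code: it models the example (retention set to 1 year on August 19, 2009; one month later the warehouse covers September 19, 2008 to September 19, 2009) and builds the +YY-MM value for avca set_warehouse_retention -intrv. Clamping to the last day of a shorter month is an assumption of this model, not documented behaviour.

```python
"""Model of the Oracle Audit Vault warehouse retention window (added example)."""
import calendar
from datetime import date


def as_date(d) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def normalise_period(years: int, months: int) -> tuple[int, int]:
    """Fold months >= 12 into years and reject empty or negative periods."""
    if years < 0 or months < 0:
        raise ValueError("retention period cannot be negative")
    years, months = years + months // 12, months % 12
    if years == 0 and months == 0:
        raise ValueError("retention period must be at least one month")
    return years, months


def retention_interval(years: int, months: int) -> str:
    """+YY-MM string for `avca set_warehouse_retention -intrv`, e.g. 1y6m -> '+01-06'."""
    years, months = normalise_period(years, months)
    return f"+{years:02d}-{months:02d}"


def shift_months(d, months: int) -> date:
    """Move d by a number of months (negative = earlier). If the target month is
    shorter than d.day, clamp to its last day (assumption, see lead-in)."""
    d = as_date(d)
    total = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(total, 12)
    month = month0 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def warehouse_window(today, years: int, months: int) -> tuple[date, date]:
    """Oldest and newest record dates the warehouse still holds on `today`."""
    today = as_date(today)
    years, months = normalise_period(years, months)
    return shift_months(today, -(years * 12 + months)), today


def purged_before(today, years: int, months: int) -> date:
    """Cut-off used by the nightly job: warehouse records dated before this are
    deleted from the report tables. A compressed copy stays in the repository
    and can be brought back with `avctl load_warehouse`."""
    return warehouse_window(today, years, months)[0]


def report_covers(record_date, today, years: int, months: int) -> bool:
    """True if a record of that date is still visible to warehouse reports."""
    oldest, newest = warehouse_window(today, years, months)
    return oldest <= as_date(record_date) <= newest


if __name__ == "__main__":
    # The page's example: 1-year retention, checked one month after it was set.
    print("interval:", retention_interval(1, 0))
    oldest, newest = warehouse_window("2009-09-19", 1, 0)
    print("window:", oldest.isoformat(), "to", newest.isoformat())
    print("18 Sep 2008 still reportable:", report_covers("2008-09-18", "2009-09-19", 1, 0))
    print("year and a half:", retention_interval(1, 6))
```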
You can load data that is older than the retention period from the raw audit data store into the Oracle Audit Vault data warehouse tables. After you load this data, it is available to auditors to generate reports or perform analysis.
To find the current retention period setting, view the Warehouse Settings page of the Audit Vault Console (see Section 3.4.2).
To load the data warehouse data using the Audit Vault Console:
Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.
See Section 3.2.3 for login instructions.
Optionally, disable the alert settings.
See Section 3.2.5 for more information.
Select the Management tab, and then select the Warehouse subpage.
The Warehouse Activity page appears.
Select the Load Activity subpage.
The Load Activity page appears.
In the Start Date field, enter the beginning date of the data that you want to load. For example, suppose the source database contains audit data that is 10 years old, and you want to load the last 5 years worth of audit data into the Oracle Audit Vault data warehouse. Assuming that today's date is August 8, 2008, you would specify August 8, 2003 as the start date.
In the Number of Days field, enter the number of days, starting from the start date, through which you want to load data.
Click the Load Now button.
Oracle Audit Vault schedules the data load operation, which is listed on this page the next time you access it.
Reenable the alert settings if you had disabled them.
See Section 3.2.5 for more information.
To load the data warehouse data from a command line:
Optionally, disable the alert settings.
See Section 3.2.5 for more information.
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Run the avctl load_warehouse command.
For example, to load 10 days of audit data that was recorded starting on August 8, 2003, enter the following command:
avctl load_warehouse -startdate 08-AUG-03 -numofdays 10
See Section 7.2 for more information about the avctl load_warehouse command.
Reenable the alert settings if you had disabled them.
See Section 3.2.5 for more information.
When you no longer need the audit data that you have loaded into Audit Vault Server using the avctl load_warehouse command for reporting, you can remove it from the Oracle Audit Vault data warehouse. If in the future you decide that you need to run reports against this purged data, follow the instructions in Section 3.4.3 to reload the necessary data into the data warehouse.
To purge the data warehouse data using the Audit Vault Console:
Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.
See Section 3.2.3 for login instructions.
Select the Management tab, and then select the Warehouse subpage.
The Warehouse Activity page appears.
Select the Purge Activity page.
The Purge Activity subpage appears.
In the Start Date field, enter the beginning date of the data that you want to purge.
In the Number of Days field, enter the number of days, starting from the start date, through which you want to purge data.
Click the Purge Now button.
Oracle Audit Vault schedules the data purge operation, which is listed on this page the next time you access it.
To purge the data warehouse data from a command line:
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Run the avctl purge_warehouse command.
For example, to purge 10 days of audit data that was recorded starting on January 1, 2004, and to specify that the operation wait until the previous purge job completes, enter the following command:
avctl purge_warehouse -startdate 01-JAN-04 -numofdays 10 -wait
See Section 7.3 for more information about the avctl purge_warehouse command.
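The load and purge commands above both take -startdate in DD-MON-YY form and -numofdays; deriving both from one calendar range keeps a later purge aligned with the earlier load. This is an added helper, not Oracle's code, and it assumes that numofdays counts days from the start date inclusive (so a range is [start, start + N)) and that two-digit years pivot at 50 (1950..2049).

```python
"""Argument helper for avctl load_warehouse / avctl purge_warehouse (added example)."""
from datetime import date, timedelta

MONTHS = ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"]


def as_date(d) -> date:
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def avctl_date(d) -> str:
    """Format a date as DD-MON-YY, the form the avctl examples on this page use."""
    d = as_date(d)
    return f"{d.day:02d}-{MONTHS[d.month - 1]}-{d.year % 100:02d}"


def parse_avctl_date(s: str) -> date:
    """Inverse of avctl_date. The 1950..2049 pivot for YY is an assumption."""
    day, mon, yy = s.strip().upper().split("-")
    year = int(yy) + (2000 if int(yy) < 50 else 1900)
    return date(year, MONTHS.index(mon) + 1, int(day))


def day_range(start, end_exclusive) -> tuple[str, int]:
    """(startdate, numofdays) covering every day from start up to, but not
    including, end_exclusive."""
    start, end = as_date(start), as_date(end_exclusive)
    if end <= start:
        raise ValueError("end must be after start")
    return avctl_date(start), (end - start).days


def years_before(d, years: int) -> date:
    """Same calendar day `years` earlier (29 Feb falls back to 28 Feb)."""
    d = as_date(d)
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def load_cmd(start, end_exclusive) -> str:
    """Command line that loads the given range into the warehouse."""
    sd, n = day_range(start, end_exclusive)
    return f"avctl load_warehouse -startdate {sd} -numofdays {n}"


def purge_cmd(start, end_exclusive, wait: bool = False) -> str:
    """Command line that purges the same range; -wait queues behind a running purge."""
    sd, n = day_range(start, end_exclusive)
    return f"avctl purge_warehouse -startdate {sd} -numofdays {n}" + (" -wait" if wait else "")


def range_end(startdate: str, numofdays: int) -> date:
    """First day NOT covered by a previously scheduled load or purge, useful when
    checking that a purge does not reach past what was loaded."""
    return parse_avctl_date(startdate) + timedelta(days=numofdays)


if __name__ == "__main__":
    today = date(2008, 8, 8)                  # the page's example date
    print(load_cmd(years_before(today, 5), today))   # last 5 years of audit data
    print(purge_cmd("2004-01-01", "2004-01-11", wait=True))
```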
After you register a source database, Oracle Audit Vault creates a set of properties that reflect general aspects of the source database itself, such as its port number and IP address. These properties are internal to Oracle Audit Vault and have no effect on the source database.
To alter the source database attributes using the Audit Vault Console:
Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.
See Section 3.2.3 for login instructions.
Select the Configuration tab, and then select the Audit Source subpage.
The Source Configuration Management page appears.
Select the Source subpage.
The Source Configuration Management page displays the current settings for the available collectors.
Select the source database that you want to modify, and then click the Edit button.
The Edit Source page appears.
Under Properties, optionally modify the description of the source database.
Under Attributes, modify the attributes for the source database by editing the values in the Value column.
For more information about these attributes, see the following sections:
Section 8.5 for the Oracle Database source database attributes
Section 9.5 for the SQL Server source database attributes
Section 10.5 for the Sybase ASE source database attributes
Section 11.5 for the IBM DB2 source database attributes
Click OK.
To alter source database attributes from a command line:
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Run the alter_source command for each source database type, as shown in the following examples.
For Oracle Database:
avorcldb alter_source -srcname ORCL PORT=1522
See Section 8.5 for more information about the avorcldb alter_source command.
For Microsoft SQL Server:
avmssqldb alter_source -srcname mssqldb4 DESCRIPTION="HR Database"
See Section 9.5 for more information about the avmssqldb alter_source command.
For Sybase ASE:
avsybdb alter_source -srcname sybdb4 DESCRIPTION="HR Database"
See Section 10.5 for more information about the avsybdb alter_source command.
For IBM DB2:
avdb2db alter_source -srcname db2db4 DESCRIPTION="HR Database"
See Section 11.5 for more information about the avdb2db alter_source command.
You can configure Oracle Audit Vault to send users e-mail notifications when Audit Vault alerts are generated. The e-mail notifications can be sent in text format to mobile devices, or routed through an SMS gateway if you already have one.
Note the following:
You can configure one SMTP (or ESMTP) server for each Oracle Audit Vault installation.
You can configure Oracle Audit Vault to work with both unsecured SMTP servers as well as secured and authenticated SMTP servers.
After you have configured the e-mail notification service, then an Oracle Audit Vault auditor can configure the Audit Vault to generate e-mail alerts.
See Also:
Chapter 6, "Audit Vault Configuration Assistant (AVCA) Reference" for e-mail notification commands (search for smtp)
Section 7.8 (avctl show_smtp_status command)
To configure the e-mail notification service:
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Register the SMTP server details that your e-mail server uses.
For example, to register an SMTP server that requires authentication:
avca register_smtp -server 192.0.2.8:2223 -sender_id ikuksa -sender_email ima.kuksa@example.com -auth
Enter user: idaneau
Enter password: password
Re-enter password: password
In this example:
-server: Enter either the IP address or host name of the server, and its port number.
-sender_id: Enter the name of the user on whose behalf the Oracle Audit Vault e-mail alerts will be sent.
-sender_email: Enter the e-mail ID of the user on whose behalf the e-mail alerts will be sent.
-auth: Enter either -auth to indicate that the SMTP server requires authentication, or enter -noauth to indicate that the SMTP server needs no authentication.
Enter user: Enter the name of the user with which to connect to the SMTP server.
Enter password and Re-enter password: Enter the password of the user with which to connect to the SMTP server.
See Section 6.17 for detailed information about the avca register_smtp command.
If the SMTP server is a secure server, then specify the type of protocol it uses and optionally, the truststore to validate the server certificate chain.
For example, to register an SMTP server that requires transport layer security (TLS) authentication:
avca secure_smtp -protocol tls -truststore $ORACLE_HOME/wallets/smtp_keystore
In this example:
-protocol: Enter the protocol type. Acceptable values are SSL (Secure Sockets Layer) or TLS (Transport Layer Security). These values are case insensitive.
-truststore: Enter the directory path to the truststore used to validate the server certificates.
See Section 6.22 for detailed information about the avca secure_smtp command.
Optionally, test the configuration by trying to send an e-mail notification to a user in your network.
For example:
avca test_smtp -to idaneau@example.com
In this example, user Ida Neau should receive an e-mail similar to the following:
Subject header: Oracle Audit Vault: Test Message
Body text: This is a test message from Oracle Audit Vault
If the test fails, then check the configuration and status by running the avca show_smtp_config (Section 6.27) and avctl show_smtp_status (Section 7.8) commands. You can recreate the configuration by using the avca alter_smtp command (Section 6.3).
You can configure Oracle Audit Vault to connect to BMC Remedy Action Request (AR) System Server 7.x. This connection enables Oracle Audit Vault auditors to raise trouble tickets in response to Audit Vault alerts. You can configure one Remedy server for each Oracle Audit Vault installation. After you have configured this connection, an Audit Vault auditor can create templates and the necessary configuration to handle the details of the alert.
See Also:
Chapter 6, "Audit Vault Configuration Assistant (AVCA) Reference" for Remedy trouble ticket configuration commands (search for remedy)
Section 7.7 (avctl show_remedy_status command)
To configure Oracle Audit Vault to connect to the Remedy trouble ticket server:
Make a copy of the remedy.properties.tmpl descriptor properties file, which by default is located in the $ORACLE_HOME/av/conf directory of the Audit Vault Server.
Modify the remedy.properties.tmpl descriptor properties file.
Follow the instructions in the file to change the appropriate settings, and then save the file. You can store the file in any location within the Audit Vault Server.
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Run the avca register_remedy command to register the BMC Remedy Action Request System server with Oracle Audit Vault.
For example:
avca register_remedy -config $ORACLE_HOME/av/conf/remedy.properties
The change takes place right away. You do not need to restart the Audit Vault Server.
If the BMC Remedy Action Request System Server is on a secure server, then run the following command:
avca secure_remedy -truststore $ORACLE_HOME/wallets/remedy_keystore
See Section 6.21 for more information.
Optionally, test the configuration by using an existing Remedy trouble ticket number.
You can use any trouble ticket number in the Remedy system.
For example:
avca test_remedy -ticket_id INC000000000010
If the test is successful, then the avca test_remedy command displays a summary of the trouble ticket's fields. If the test fails, then check the configuration and status by running the avca show_remedy_config (Section 6.25) and avctl show_remedy_status (Section 7.7) commands. You can recreate the configuration by using the avca alter_remedy command (Section 6.2).
If you no longer need to have a source database registered with Oracle Audit Vault, you can use either the Audit Vault Console or the command-line utilities to remove the source database from Oracle Audit Vault. After you have removed the source database, its audit data still resides in the data warehouse within its retention period. To purge this audit data, see Section 3.4.4. You can check the length of the retention period in the Audit Vault Console; see Section 3.4.2.
Remember that after you have removed a source database, its identity data remains in Oracle Audit Vault so that there will be a record of source databases that have been dropped. Therefore, you cannot add a new source database with the name of a dropped source database. Remove the source database only if you no longer want to collect its data or if it has moved to a new host computer.
To remove a source database from Oracle Audit Vault using the Audit Vault Console:
Log in to the Audit Vault Console as a user who has been granted the AV_ADMIN role.
See Section 3.2.3 for login instructions.
Select the Configuration tab, and then select the Audit Source subpage.
The Source Configuration Management subpage appears.
From the list of source databases, select the database that you want to remove, and then click Delete.
You can search for a source database by entering data in the Source Type and Source fields.
Click Yes in the Confirmation window.
To remove a source database from Oracle Audit Vault from a command line:
Open a shell or command prompt for the Audit Vault Server.
UNIX: Set the environment variables, as described in Section 2.2.2.
Microsoft Windows: Go to the Audit Vault Server ORACLE_HOME\bin directory.
Run the drop_source command for the source database, as shown in the following examples:
For Oracle Database:
avorcldb drop_source -srcname ORCL
See Section 8.7 for more information about the avorcldb drop_source command.
For Microsoft SQL Server:
avmssqldb drop_source -srcname mssqldb4
See Section 9.7 for more information about the avmssqldb drop_source command.
For Sybase ASE:
avsybdb drop_source -srcname sybdb4
See Section 10.7 for more information about the avsybdb drop_source command.
For IBM DB2:
avdb2db drop_source -srcname db2db4
See Section 11.7 for more information about the avdb2db drop_source command.