This chapter covers only Oracle Internet Directory-specific information. See Oracle Fusion Middleware Application Security Guide for complete coverage of Audit Administration Tasks.
This chapter contains the following topics:
This introduction contains the following topics:
Section 23.1.2, "Oracle Internet Directory Audit Configuration"
Section 23.1.3, "Replication and Oracle Directory Integration Platform Audit Configuration"
Auditing is the process that collects and stores information about security requests and the outcome of those requests, thus providing an electronic trail of selected system activity for non-repudiation purposes. Auditing can be configured to track particular security events and management operations based on specific audit criteria. Audit records are kept in a centralized repository (LDAP, database, or file) that allows the creation, viewing, and storage of audit reports.
As of release 11g Release 1 (11.1.1), Oracle Internet Directory uses an audit framework that is integrated with Oracle Fusion Middleware. Oracle Internet Directory uses this framework to audit its critical security-related operations.
The features of the framework are:
APIs for collecting audit information from AS components
Common audit record format to be used by all AS components
Audit repository database that collects audit records produced by components in the enterprise. (The customer also has the option to use Audit Vault as the repository.)
Administrative interface for controlling the type of information captured by the audit facility.
Before reading this chapter, please read the auditing chapters in the Oracle Fusion Middleware Application Security Guide.
The new Oracle Internet Directory audit framework has the following advantages:
It uses the same record format as other Oracle Application Server components.
Records are stored in Oracle Database tables for better performance and security.
Records can be stored in Audit Vault for increased security.
As administrator, you can configure the type of information captured in the audit records by using Enterprise Manager.
Configuration changes are effective immediately.
An administrator can view audit records:
In Enterprise Manager
In summary reports based on XML Publisher
All audit configuration performed by the instance administrator is audited. This cannot be disabled.
See Also:
Oracle Fusion Middleware Application Security Guide for information about configuring the audit repository and audit filters.
You must configure an audit store to ensure that audit records are saved in a database. See the "Configuring and Managing Auditing" chapter in Oracle Fusion Middleware Application Security Guide for complete coverage of Audit Administration Tasks, including:
Managing the Audit Store
Advanced Management of Database Store
Audit configuration for Oracle Internet Directory consists of three attributes of the instance-specific entry:
cn=componentname,cn=osdldapd,cn=subconfigsubentry
Table 23-1 describes these attributes.
Table 23-1 Oracle Internet Directory Audit Configuration Attributes
For more information, see the Oracle Fusion Middleware Application Security Guide.
Replication and Oracle Directory Integration Platform auditing can be enabled by changing the value of the attribute orclextconfflag in the instance-specific configuration entry. The default value is 3, which disables both replication and Oracle Directory Integration Platform auditing. To enable both, change it to 7. This is the only change you can make to orclextconfflag, which is otherwise an internal attribute.
See Section 23.4.3, "Enabling Replication and Oracle Directory Integration Platform Auditing."
Audit records contain the following fields:
Event category–the class of event, such as authentication or authorization.
Event name
Initiator–the user who initiates the operation
Status–success or failure
Authentication method
Session ID–Connection ID
Target–the user on whom the operation is performed
Event date and time
Remote IP–source IP address of client
Component type–OID
ECID
Resource–entry or attribute on which operation is performed.
Audit information is held temporarily in a location called a busstop before it is written to its final location.
The file is in the directory ORACLE_INSTANCE/auditlogs/componentType/componentName.
Audit files are permanently stored in either XML files or a database. XML files are the default storage mechanism for audit records. There is one XML repository for each Oracle instance. Audit records generated for all components running in a given Oracle instance are stored in the same repository. If using a database repository, audit records generated by all components in all Oracle instances in the domain are stored in the same repository.
See the Oracle Fusion Middleware Application Security Guide chapter on audit analysis and reporting for information about generating audit reports. There are Oracle Internet Directory examples in the "Configuring and Managing Auditing" chapter of Oracle Fusion Middleware Application Security Guide.
You can use Oracle Enterprise Manager Fusion Middleware Control to manage auditing. The interface is basically the same for all Oracle Fusion Middleware components, as documented in the Oracle Fusion Middleware Application Security Guide.
From the Oracle Internet Directory menu, select Security, then Audit Policy Settings.
From the Audit Policy list, select Custom to configure your own filters, or one of the filter presets, None, Low, or Medium. (You cannot set All from Fusion Middleware Control.)
If you want to audit only failures, click Select Failures Only. (You can only do this if you selected Custom in the previous step.)
To configure a filter, click the Edit icon next to its name. The Edit Filter dialog for the filter appears.
Specify the filter condition using the buttons, selections from the menus, and strings that you enter. Condition subjects include HostID, HostNwaddr, InitiatorDN, TargetDN, Initiator, Remote IP, and Roles. Condition tests include -contains, -contains_case, endswith, endswith_case, -eq, -ne, -startswith, and -startswith-case. Enter values for the tests as strings. Parentheses are used for grouping and AND and OR for combining.
To add a condition, click the Add icon.
When you have completed the filter, click Apply to save the changes or Revert to discard the changes.
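To make the filter semantics concrete, here is an added example (not Oracle's code) that evaluates conditions of the kind described above against audit records carrying the fields listed earlier in this chapter. It models the condition language as subject, test, quoted string value, combined with AND and OR and grouped with parentheses, using the subjects and tests the chapter names. Its assumptions: tests are written with a leading dash and an underscore for the case variants (-endswith, -startswith_case), the _case variants compare case-sensitively and the plain ones case-insensitively, and AND binds more tightly than OR. The sample records are constructed.

```python
"""Evaluator for audit filter conditions (added example, not Oracle's code).

Assumed syntax:  <subject> <test> "<value>"  [AND|OR ...], with parentheses.
Assumed semantics: plain tests compare case-insensitively, "_case" tests
case-sensitively; AND binds tighter than OR.
"""
import re

# Subjects named in the chapter; longest first so "InitiatorDN" wins over "Initiator".
SUBJECTS = ("HostID", "HostNwaddr", "InitiatorDN", "TargetDN",
            "Initiator", "Remote IP", "Roles")

_TOKEN = re.compile(
    r'\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<and>AND\b)|(?P<or>OR\b)'
    r'|(?P<str>"(?:[^"\\]|\\.)*")|(?P<test>-[A-Za-z_]+)'
    r'|(?P<subj>' + "|".join(re.escape(s) for s in
                             sorted(SUBJECTS, key=len, reverse=True)) + r"))")


def tokenize(text):
    """Split a filter string into (kind, value) tokens; rejects unknown input."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError("unrecognised input at: %r" % text[pos:pos + 20])
        kind, value = m.lastgroup, m.group(m.lastgroup)
        if kind == "str":                       # strip quotes, unescape \"
            value = value[1:-1].replace('\\"', '"')
        tokens.append((kind, value))
        pos = m.end()
    return tokens


def _test_fn(name):
    """Map a test token such as -contains_case to a comparison function."""
    case_sensitive = name.endswith("_case")
    base = (name[:-len("_case")] if case_sensitive else name).lstrip("-")
    norm = (lambda s: s) if case_sensitive else (lambda s: s.lower())
    ops = {
        "contains":   lambda a, v: norm(v) in norm(a),
        "endswith":   lambda a, v: norm(a).endswith(norm(v)),
        "startswith": lambda a, v: norm(a).startswith(norm(v)),
        "eq":         lambda a, v: norm(a) == norm(v),
        "ne":         lambda a, v: norm(a) != norm(v),
    }
    if base not in ops:
        raise ValueError("unknown test " + name)
    return ops[base]


class _Parser:
    """Recursive descent: expr := term (OR term)*, term := atom (AND atom)*."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind):
        k, v = self.peek()
        if k != kind:
            raise ValueError("expected %s, got %s" % (kind, k))
        self.i += 1
        return v

    def expr(self):
        node = self.term()
        while self.peek()[0] == "or":
            self.i += 1
            node = ("or", node, self.term())
        return node

    def term(self):
        node = self.atom()
        while self.peek()[0] == "and":
            self.i += 1
            node = ("and", node, self.atom())
        return node

    def atom(self):
        if self.peek()[0] == "lp":
            self.i += 1
            node = self.expr()
            self.take("rp")
            return node
        return ("cond", self.take("subj"), self.take("test"), self.take("str"))


def compile_filter(text):
    """Parse a filter string into a tuple tree; raises ValueError on bad input."""
    p = _Parser(tokenize(text))
    node = p.expr()
    if p.peek()[0] is not None:
        raise ValueError("trailing tokens in filter")
    return node


def is_valid_filter(text):
    try:
        compile_filter(text)
        return True
    except ValueError:
        return False


def evaluate(node, record):
    """Evaluate a compiled filter against one record (dict of subject -> value)."""
    if node[0] == "cond":
        _, subj, test, value = node
        return _test_fn(test)(str(record.get(subj, "")), value)
    left, right = evaluate(node[1], record), evaluate(node[2], record)
    return (left and right) if node[0] == "and" else (left or right)


def matches(filter_text, record):
    return evaluate(compile_filter(filter_text), record)


def select_records(filter_text, records):
    """Indices of the records a filter would select for auditing."""
    tree = compile_filter(filter_text)
    return [i for i, r in enumerate(records) if evaluate(tree, r)]


# Constructed sample records using the audit record fields from this chapter.
SAMPLE_RECORDS = [
    {"Initiator": "cn=orcladmin", "InitiatorDN": "cn=orcladmin",
     "Remote IP": "10.0.0.5", "Roles": "admin"},
    {"Initiator": "jsmith", "InitiatorDN": "cn=jsmith,cn=users,dc=example,dc=com",
     "Remote IP": "192.0.2.44", "Roles": "user"},
]

if __name__ == "__main__":
    f = '(Remote IP -startswith "10.") OR (Roles -eq "user")'
    print(f, "->", select_records(f, SAMPLE_RECORDS))
```

The difference between -contains and -contains_case is the one most worth checking before relying on a filter: a DN filter written in a different case than the directory stores it silently matches nothing under the case-sensitive variant.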
Oracle Internet Directory stores its audit configuration in the three instance-specific configuration entry attributes described in Table 23-1, "Oracle Internet Directory Audit Configuration Attributes". The correspondence between the fields on the Audit Policy Page and the attributes is shown in Table 23-2.
You can use wlst to manage auditing, as described in "Manage Audit Policies with WLST" in the Oracle Fusion Middleware Application Security Guide. You use the commands getAuditPolicy(), setAuditPolicy(), or listAuditEvents().
For components that manage their audit policy locally, such as Oracle Internet Directory, you must include an MBean name as an argument to the command. The name for an Audit MBean is of the form:
oracle.as.management.mbeans.register:type=component.auditconfig,name=auditconfig1,instance=INSTANCE,component=COMPONENT_NAME
For example:
oracle.as.management.mbeans.register:type=component.auditconfig,name=auditconfig1,instance=instance1,component=oid1
Another wlst command you must use is invoke(). As described in Section 9.3, "Managing System Configuration Attributes by Using WLST," before you make any changes to attributes, you must ensure that the MBean has the current server configuration. To do that, you must use the invoke() command to load the configuration from the Oracle Internet Directory server to the MBean. After making changes, you must use the invoke() command to save the MBean configuration to the Oracle Internet Directory server. In order to use invoke() in this way, you must navigate to the Root Proxy MBean in the tree. The name for a Root Proxy MBean is of the form:
oracle.as.management.mbeans.register:type=component,name=COMPONENT_NAME,instance=INSTANCE
For example:
oracle.as.management.mbeans.register:type=component,name=oid1,instance=instance1
Here is an example of a wlst session using setAuditPolicy() and invoke():
ORACLE_COMMON_HOME/common/bin/wlst.sh
connect('username', 'password', 'protocol://localhost:7001', 'localhost:7001')
custom()
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=oid1,instance=instance1')
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
setAuditPolicy(filterPreset='None', on='oracle.as.management.mbeans.register:type=component.auditconfig,name=auditconfig1,instance=instance1,component=oid1')
invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
You can manage auditing by using LDAP tools.
You can use ldapsearch to view the audit configuration. For example:
ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \
  -b "cn=oid1,cn=osdldapd,cn=subconfigsubentry" \
  -s base "objectclass=*" > /tmp/oid1-config.txt
grep orclaud /tmp/oid1-config.txt
orclaudsplusers=cn=orcladmin
orclaudcustevents=UserLogin.FAILURESONLY, UserLogout, CheckAuthorization, ModifyDataItemAttributes, CompareDataItemAttributes, ChangePassword.FAILURESONLY
orclaudfilterpreset=custom
You can use ldapmodify commands to manage auditing. You must create an LDIF file to make the required changes to the attributes orclAudFilterPreset, orclAudCustEvents, and orclAudSplUsers.
The command is:
ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile
For example, to enable auditing for user login events only, use this LDIF file with the preceding ldapmodify command:
dn: cn=componentname,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclaudFilterPreset
orclaudFilterPreset: Custom
-
replace: orclaudcustevents
orclaudcustevents: UserLogin
For more information, see the Oracle Fusion Middleware Application Security Guide.
The following LDIF file enables both replication and Oracle Directory Integration Platform auditing.
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclextconfflag
orclextconfflag: 7
The following LDIF file disables both:
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclextconfflag
orclextconfflag: 3
Use a command line similar to this:
ldapmodify -h host -p port -D "cn=orcladmin" -q -f ldiffile
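The LDIF fragments above are short, but they are easy to get subtly wrong by hand (a missing "-" separator, a custom event list without the Custom preset, an orclextconfflag value other than 3 or 7). The following added example, which is not Oracle's code, generates both kinds of LDIF shown in this chapter (the audit policy attributes and the orclextconfflag toggle) and reads the orclaud* attributes back from ldapsearch output of the kind shown earlier, so the applied configuration can be compared with the intended one. The component name "oid1" and the SAMPLE_LDAPSEARCH text are constructed; ldapmodify and ldapsearch themselves are not invoked here.

```python
"""Generate OID audit LDIF and check ldapsearch output (added example, not Oracle's code).

Assumes the attribute names, DN layout and value formats shown in this
chapter; "oid1" and SAMPLE_LDAPSEARCH are constructed for the demo.
"""

AUDIT_ATTRS = ("orclaudfilterpreset", "orclaudcustevents", "orclaudsplusers")
EXTCONF_ENABLED, EXTCONF_DISABLED = 7, 3   # the only values the chapter permits


def config_dn(component):
    """Instance-specific configuration entry for an OID component."""
    return "cn=%s,cn=osdldapd,cn=subconfigsubentry" % component


def audit_policy_ldif(component, preset, events=(), failures_only=()):
    """LDIF replacing orclaudFilterPreset and, for Custom, orclaudcustevents.

    events: custom event names; failures_only: the subset to audit on failure
    only, written with the .FAILURESONLY suffix seen in the ldapsearch output.
    """
    lines = ["dn: " + config_dn(component), "changetype: modify",
             "replace: orclaudFilterPreset", "orclaudFilterPreset: " + preset]
    if preset.lower() == "custom":
        if not events:
            raise ValueError("the Custom preset needs at least one event")
        names = [e + ".FAILURESONLY" if e in failures_only else e for e in events]
        lines += ["-", "replace: orclaudcustevents",
                  "orclaudcustevents: " + ", ".join(names)]
    elif events:
        raise ValueError("custom events only apply with the Custom preset")
    return "\n".join(lines) + "\n"


def ext_conf_flag_ldif(component, enable):
    """Toggle replication and DIP auditing: 7 enables both, 3 disables both."""
    flag = EXTCONF_ENABLED if enable else EXTCONF_DISABLED
    return "\n".join(["dn: " + config_dn(component), "changetype: modify",
                      "replace: orclextconfflag",
                      "orclextconfflag: %d" % flag]) + "\n"


def parse_audit_config(ldapsearch_output):
    """Extract the orclaud* attributes from ldapsearch's attr=value output
    (the 'grep orclaud' step of the chapter, done in code)."""
    cfg = {"orclaudsplusers": [], "orclaudcustevents": []}
    for line in ldapsearch_output.splitlines():
        name, sep, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or name not in AUDIT_ATTRS:
            continue
        if name == "orclaudfilterpreset":
            cfg[name] = value
        elif name == "orclaudcustevents":
            cfg[name].extend(v.strip() for v in value.split(",") if v.strip())
        else:                                  # orclaudsplusers may be multi-valued
            cfg[name].append(value)
    return cfg


def failures_only_events(cfg):
    """Events audited on failure only (carry the .FAILURESONLY suffix)."""
    suffix = ".FAILURESONLY"
    return sorted(e[:-len(suffix)] for e in cfg["orclaudcustevents"]
                  if e.endswith(suffix))


def check_expected(cfg, preset, events):
    """Compare a parsed configuration with the intended policy.
    Returns a list of discrepancies; empty means the directory matches."""
    problems = []
    if cfg.get("orclaudfilterpreset", "").lower() != preset.lower():
        problems.append("preset is %r, expected %r"
                        % (cfg.get("orclaudfilterpreset"), preset))
    have = {e.split(".")[0] for e in cfg["orclaudcustevents"]}
    for missing in sorted(set(events) - have):
        problems.append("event %s not audited" % missing)
    return problems


# Constructed ldapsearch output in the attr=value form shown in this chapter.
SAMPLE_LDAPSEARCH = """\
cn=oid1,cn=osdldapd,cn=subconfigsubentry
orclaudsplusers=cn=orcladmin
orclaudcustevents=UserLogin.FAILURESONLY, UserLogout, CheckAuthorization, \
ModifyDataItemAttributes, CompareDataItemAttributes, ChangePassword.FAILURESONLY
orclaudfilterpreset=custom
"""

if __name__ == "__main__":
    # Write the LDIF, then apply it with:
    #   ldapmodify -h host -p port -D "cn=orcladmin" -q -f audit.ldif
    print(audit_policy_ldif("oid1", "Custom", ["UserLogin"]))
    print(ext_conf_flag_ldif("oid1", enable=True))
    print(check_expected(parse_audit_config(SAMPLE_LDAPSEARCH), "Custom", ["UserLogin"]))
```

Because all audit configuration changes are themselves audited, a check like check_expected is also a useful post-change control: run it after every ldapmodify so that a policy drifting back to None or losing an event is noticed rather than discovered during an investigation.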