5 Testing Audit Collection Plug-ins

This chapter provides a general description of the kind of testing that you might want to do for your collection plug-ins. Be sure to analyze your database and audit trails for other issues that require testing.

This chapter contains:

5.1 Requirements for Testing Audit Collection Plug-ins

You should prepare for testing by performing the following:

  • Deploy the Audit Vault Server and an Audit Vault Agent, as described in "Before You Set Up the Development Environment".

  • Have an available source system, a system that generates the audit events.

  • Ensure that the agent is deployed on the same computer where the audit trail resides if the audit trail must be collected locally (for example, if it is written to operating system files).

5.2 Typical Audit Collection Plug-in Testing Processes

The typical testing process as follows:

  1. Perform functional testing:

    1. Deploy the collection plug-in in the generated .zip archive that you created in Chapter 4, "Packaging Audit Collection Plug-ins," in your test Oracle Audit Vault Server environment.

    2. Redeploy the agent (containing the updated plug-in artifacts) into your test Oracle Audit Vault agent environment, as described in "Redeploying the Oracle Audit Vault Agent".

    3. Register the source using the AVCLI utility. See Oracle Audit Vault and Database Firewall Administrator's Guide.

    4. Issue an AVCLI START COLLECTION command to start gathering records from the audit trail supported by this collection plug-in. See Oracle Audit Vault and Database Firewall Administrator's Guide.

    5. Validate the process, by looking at the data reports through the AVDF Console, to ensure that:

      - Records in the source are now in the Oracle Audit Vault Server.

      - The data makes sense.

      - Fields are correctly mapped.

      - Values are valid.

    6. Issue an AVCLI STOP COLLECTION command. See Oracle Audit Vault and Database Firewall Administrator's Guide.

    7. Undeploy the collection plug-in. See Oracle Audit Vault and Database Firewall Administrator's Guide.

    8. Redeploy the agent as described in Step 1b.

  2. Perform failure testing to see what happens when various things go wrong.

    Some examples of failure are network failure, a source shutting down in the middle of collection, a power outage, and malformed input data. In all cases, the collection plug-in should not crash, and should be able to recover gracefully, continuing collection from where it left off. The guarantee you need to provide is that each audit record is sent to the Audit Vault Server once, and exactly once, regardless of failure.

  3. Analyze performance by checking how many of these components the collection plug-in uses:

    - The CPU

    - The memory

    - The disk I/O

    - The network I/O

  4. Check the performance under stress.

    Some examples of stress are thirty days of continuous use, heavy event volume, or collection of trails for multiple sources at the same time, both on the same host, and on multiple hosts.

  5. Perform security testing (for example, see if you can inject HTML or SQL).

  6. Perform internationalization testing. Test the ability to handle data in multiple input languages.

  7. If bugs are found, fix them and then repeat these steps.

5.3 Deploying an Oracle Audit Vault Agent

This agent can be on the same computer as the Audit Vault Server or a different one.

To deploy the agent, follow these steps:

  1. Register the agent host using the AVCLI command REGISTER HOST. See Oracle Audit Vault and Database Firewall Administrator's Guide.

  2. Create a directory ($AGENT_HOME) on the agent host.

  3. Copy the agent.jar from the Audit Vault Server $ORACLE_HOME/av/jlib/agent.jar to the $AGENT_HOME.

  4. Install the agent using following command:

    $ java -jar agent.jar -d $AGENT_HOME
  5. Send the activation request to the Audit Vault Server Administrator using the following command:

    $ $AGENT_HOME/bin/agentctl activate

    The Audit Vault Server Administrator must approve the activation request using either the following command or the Administrator Console.

    avcli> activate host '<agent host>';

    The activation key generated during the activation approval process must be sent to agent administrator.

  6. Start the agent using the activation key provided by the Audit Vault Administrator:

    $ $AGENT_HOME/bin/agentctl start -key <activation key>

    Subsequently, starting the agent does not require the user to provide the activation key. The agent can be started using the following command:

    $ $AGENT_HOME/bin/agentctl start
  7. The agent can be stopped anytime using the following command:

    $ $AGENT_HOME/bin/agentctl stop

    It may take several seconds before the agent comes to a complete stop and the agent process is shutdown.

    Activation is a one-time activity. You will not have to do it again.

5.4 Redeploying the Oracle Audit Vault Agent

You may need to redeploy the agent for various reasons while testing the collection plug-in. It is assumed that an agent is already set up and a directory created.

To redeploy the agent, follow these steps:

  1. Copy the agent.jar from the Audit Vault Server to a local directory.

  2. Update the agent by using the following command:

    $ java -jar agent.jar -d $AGENT_HOME
  3. Start the agent by invoking the $AGENT_HOME/bin/agentctl start command.


The agent automatically determines if it is an upgrade or a new install depending on the destination directory provided to the java -jar agent.jar command.