14 Managing Oracle Privileged Account Manager Auditing and Logging

This chapter describes how to configure and use Oracle Privileged Account Manager's auditing and logging functionality.

This chapter includes the following sections:

Note:

If you are using Oracle Privileged Account Manager on IBM WebSphere, refer to "Differences in Managing Oracle Privileged Account Manager Auditing and Logging" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management for information about this topic.

14.1 Understanding Oracle Privileged Account Manager Auditing

Oracle Privileged Account Manager audits all security events that occur under its purview, which gives you better visibility into how privileged accounts are used within your organization and enables you to effectively manage sensitive information.

Specifically, the Oracle Privileged Account Manager audit logger logs any events that modify entity states, such as when you add, modify, or remove accounts, targets, or policies.

The following table describes all of the event categories and event types for which an audit can be generated:

Table 14-1 Audited Oracle Privileged Account Manager Events

Event Category: Account Management

Events related to managing principal accounts.

Note: A principal can be an end-user or a pseudo-user (a service within the system).

  • Add Account: Adding users, groups, or any other principal accounts

  • Change Password: Changes to user passwords

  • Disable Account: Disabling users, groups, or any other principal accounts

  • Enable Account: Enabling users, groups, or any other principal accounts

  • Modify Account: Modifying account attributes

  • Query Account: Queries to a user's account

  • Remove Account: Removing users, groups, or any other principal accounts

Event Category: Policy Management

Events related to managing policies.

  • Create Policy: Creating policies

  • Delete Policy: Deleting policies

  • Modify Policy: Modifying policies

  • Query Policy: Querying policies

Event Category: Target Management

Events related to managing targets.

  • Add Target: Adding targets

  • Modify Target: Modifying targets

  • Query Target: Querying targets

  • Remove Target: Removing targets


Logging these audit events creates a processing history that allows reporting tools to gather statistics, as described in Section 14.1.2, "Understanding Oracle Privileged Account Manager Audit Reports."

14.1.1 Configuring Auditing in Oracle Privileged Account Manager

You can configure Oracle Privileged Account Manager to save audit events into a database or a file. When a database is not available, Oracle Privileged Account Manager saves its audit logs into this location:

DOMAIN_HOME/servers/<opamserver>/logs/auditlogs/OPAM

You can also configure Oracle Privileged Account Manager to deploy audit reports in BI Publisher (version 11.1.1.5.0 or higher), and use BI Publisher to view audit events in the database. Reports in BI Publisher are only possible if the audit events are being pushed into a database and not a file.

The following topics provide instructions for configuring auditing in Oracle Privileged Account Manager:

Note:

To configure auditing for Oracle Privileged Account Manager on an IBM WebSphere server, refer to "Configuring Auditing for Oracle Privileged Account Manager" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management before starting the procedures described in this section.

14.1.1.1 Configuring File-Based Auditing in Oracle Privileged Account Manager

This section describes how to configure file-based auditing in Oracle Privileged Account Manager.

Before You Begin

Before starting the following configuration steps, review these publications:

To configure Oracle Privileged Account Manager for file-based auditing:

  1. Start the WebLogic Scripting Tool (WLST) and connect to the Oracle WebLogic Server:

    1. Open a command window and navigate to the following directory, which contains the WLST:

      MW_HOME/oracle_common/common/bin
      
    2. Start WLST by typing one of the following commands:

      On UNIX, type: sh wlst.sh

      On Windows, type: wlst.cmd

      You know that WLST has started when the command prompt changes to wls:>/offline.

    3. Connect to the Oracle WebLogic Server by typing the following command:

      connect('WLS_Admin_Name','WLS_Admin_Password','WLS_Machine_Name:Port')
      

      For example,

      connect('weblogic','Welcome1','localhost:7004')
      

      WLST validates the administrator's username and password, the machine name, and the port that are associated with the WebLogic Admin Server. If all of these values are correct, WLST connects to the WebLogic Admin Server and the command prompt changes to

      wls:>/base_domain/serverConfig
      
  2. To set the audit logging level for Oracle Privileged Account Manager:

    1. If the filterPreset parameter is set to NONE, use the setAuditPolicy command to change the value to All, Medium, or Low, based on how much logging you want Oracle Privileged Account Manager to provide:

      setAuditPolicy(filterPreset='All')
      

      A confirmation message displays to indicate the audit logging level was successfully updated.

      Note:

      For a description of the different logging levels, refer to the table in Section 14.1.1.4, "Setting the Audit Logging Levels."

    2. Verify the current logging level for Oracle Privileged Account Manager, by typing getAuditPolicy( ) at the prompt, and then checking the filterPreset parameter value.

  3. To change the Repository Type to file (FILE):

    1. Type the setAuditRepository command as follows:

      setAuditRepository(switchToDB='false')
      

      A confirmation message displays to let you know that the audit repository was successfully updated.

    2. You can use the WLST getAuditRepository command to verify that the audit repository is set to file-based auditing:

      getAuditRepository()
      

      The Repository Type field in the output should be FILE.

  4. Restart both the Administration Server and the Oracle Privileged Account Manager Managed Server.

    Note:

    For detailed information about starting a Managed Server, refer to "Starting or Stopping the Oracle Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

    You must restart both servers for your changes to take effect. After the server restarts, audit logs will start appearing in this location:

    DOMAIN_HOME/servers/<opamserver>/logs/auditlogs/OPAM
    

14.1.1.2 Configuring Database-Based Auditing in Oracle Privileged Account Manager

This section describes how to configure Oracle Privileged Account Manager to save audit events into the Oracle database that is associated with Oracle Privileged Account Manager.

Prerequisites

Before starting the following configuration steps,

To configure database-based auditing:

  1. Start the WebLogic Scripting Tool (WLST) and connect to the Oracle WebLogic Server:

    1. Open a command window and navigate to the following directory, which contains the WLST:

      MW_HOME/oracle_common/common/bin
      
    2. Start WLST by typing one of the following commands:

      On UNIX, type: sh wlst.sh

      On Windows, type: wlst.cmd

      You know that WLST has started when the command prompt changes to wls:>/offline.

    3. Connect to the Oracle WebLogic Server by typing the following command:

      connect('WLS_Admin_Name','WLS_Admin_Password','WLS_Machine_Name:Port')
      

      For example,

      connect('weblogic','Welcome1','localhost:7004')
      

      WLST validates the administrator's username and password, the machine name, and the port that are associated with the WebLogic Admin Server. If all of these values are correct, WLST connects to the WebLogic Admin Server and the command prompt changes to

      wls:>/base_domain/serverConfig
      
  2. To set the audit logging level for Oracle Privileged Account Manager:

    1. If the filterPreset parameter is set to NONE, use the setAuditPolicy command to change the value to All, Medium, or Low, based on how much logging you want Oracle Privileged Account Manager to provide:

      setAuditPolicy(filterPreset='All')
      

      A confirmation message displays to indicate the audit logging level was successfully updated.

      Note:

      For a description of the different logging levels, refer to the table in Section 14.1.1.4, "Setting the Audit Logging Levels."

    2. Verify the current logging level for Oracle Privileged Account Manager, by typing getAuditPolicy( ) at the prompt, and then checking the filterPreset parameter value.

  3. To change the Repository Type to database (DB):

    1. Type the setAuditRepository command as follows:

      setAuditRepository(switchToDB='true')
      

      A confirmation message displays to let you know that the audit repository was successfully updated.

    2. You can use the WLST getAuditRepository command to verify that the audit repository is set to database-based auditing:

      getAuditRepository( )
      

      The setAuditRepository parameter value (as indicated by the Repository Type field) should be DB.

  4. Use the Repository Creation Utility to create and load the audit schema into the database, and then use the WebLogic Server Administrative Console to create a new JDBC data source.

    A data source contains credentials that BI Publisher needs to connect to the Oracle database associated with Oracle Privileged Account Manager. BI Publisher uses this connection to retrieve data from the Oracle Privileged Account Manager database. BI Publisher then uses this data to generate reports for targets, privileged accounts, grants, and policies.

    Note:

    Instructions for creating the audit schema and for creating a JDBC data source are provided in the "Configuring and Managing Auditing" section of the Oracle Fusion Middleware Application Security Guide.

  5. Restart both the Administration Server and the Oracle Privileged Account Manager Managed Server.

    You must restart both servers for your changes to take effect. After restarting both servers, audit logs will start appearing in the installed database.
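As an added example (not a script from the Oracle documentation), the following WLST script applies the audit settings from Section 14.1.1.1 (file-based) and Section 14.1.1.2 (database-based) in one run, using the same setAuditPolicy, setAuditRepository and verification commands as the procedures above. It assumes the Admin Server URL, the script file name, and a WLST user-configuration/key file pair created beforehand with storeUserConfig(), so that the administrator password is not typed on the command line or embedded in the script.

```jython
# Run with:  sh wlst.sh configure_opam_audit.py file|db
# (configure_opam_audit.py is an assumed script name)
import sys

ADMIN_URL   = 't3://localhost:7004'                 # assumed Admin Server URL
CONFIG_FILE = '/home/oracle/.wlst/opam-admin.conf'  # assumed; written by storeUserConfig()
KEY_FILE    = '/home/oracle/.wlst/opam-admin.key'   # assumed; written by storeUserConfig()

if len(sys.argv) != 2 or sys.argv[1] not in ('file', 'db'):
    print 'usage: wlst.sh configure_opam_audit.py file|db'
    sys.exit(1)
use_db = (sys.argv[1] == 'db')

# Connect with the stored, encrypted credentials instead of a clear-text password.
connect(userConfigFile=CONFIG_FILE, userKeyFile=KEY_FILE, url=ADMIN_URL)

# Step 2 of the procedures: make sure auditing is on. 'All' captures every event
# category in Table 14-1; use 'Medium' or 'Low' per the table in Section 14.1.1.4.
setAuditPolicy(filterPreset='All')
getAuditPolicy()          # prints the policy; confirm FilterPreset is no longer NONE

# Step 3: send audit events to the database (DB) or to the files under
# DOMAIN_HOME/servers/<opamserver>/logs/auditlogs/OPAM (FILE).
if use_db:
    setAuditRepository(switchToDB='true')
else:
    setAuditRepository(switchToDB='false')
getAuditRepository()      # prints the repository; confirm Repository Type is DB or FILE

disconnect()
# The change takes effect only after the Administration Server and the
# Oracle Privileged Account Manager Managed Server are restarted.
```

For the database case, the audit schema and the JDBC data source from step 4 of Section 14.1.1.2 still have to exist before the restart.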

14.1.1.3 Deploying Oracle Privileged Account Manager Audit Reports in BI Publisher

This section describes how to deploy Oracle Privileged Account Manager audit reports in Oracle Business Intelligence Publisher (BI Publisher), a component used to manage and deliver reports.

Use the following steps:

  1. Install and configure BI Publisher version 11.1.1.5.0 or higher if it is not already installed.

    Refer to "Configuring Oracle Business Intelligence Publisher" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator for instructions.

  2. After installing BI Publisher, locate the following directory in the WebLogic domain:

    BI_DOMAIN_HOME/config/bipublisher/repository/Reports
    

    Note:

    You can deploy BI Publisher on the same host or in a different domain.
    
  3. Locate the opam_product_BIP11gReports_11_1_2_1_0.zip file in the following directory:

    ORACLE_HOME/opam/reports
    

    Unzip this file into the Reports folder noted in step 2 and verify that the following directory was created:

    ORACLE_HOME/opam/reports/Oracle Privileged Account Manager
    
  4. To set up the catalog and configure data sources, open a browser window and enter the URL for BI Publisher.

    The format for this URL is

    http://hostname:port/xmlpserver/

    For example

    http://localhost:7001/xmlpserver/

  5. When the BI Publisher login page displays, log in as a user with WebLogic privileges and click Sign In.

  6. Set up the catalog as follows:

    1. Select Administration > System Maintenance > Server Configuration.

    2. When the System Maintenance page displays, go to the Path field in the Configuration Folder section and enter the path to your Configuration folder. For example,

      BI_DOMAIN_HOME/config/bipublisher/repository
      

      The files that contain your server configuration settings (such as the JDBC data source you created in step 4 of Section 14.1.1.2) are stored in a Configuration folder. The path to this folder is stored in the xmlp-server-config.xml configuration file. The xmlp-server-config.xml file is located in

      BI_DOMAIN_HOME/config/bipublisher/repository/Admin/Configuration
      
    3. Locate the Catalog section on the System Maintenance page and specify the following information:

      Catalog Type: Select BI Publisher - File System from the menu.

      Path: Enter the path to the BI Publisher Catalog folder. For example,

      BI_DOMAIN_HOME/config/bipublisher/repository
      

      Caution: The path to the BI Publisher Catalog includes the reports subdirectory where you unpacked the Oracle Privileged Account Manager reports.

      Do not include the reports subdirectory in the Path field or you will corrupt BI Publisher.


      Note:

      Because the file system contains the reports repository, the platform where you are running BI Publisher determines the case-sensitivity of folder and report names. Repository object names are not case-sensitive in a Windows-based environment, but they are case-sensitive in a UNIX-based environment.

    4. Click Apply.

      A confirmation message is displayed.

    5. Log in as an administrator.

    6. Click Catalog to open the Shared Folders/Oracle Privileged Account Manager folder.

      Note:

      If this folder does not display, restart the application from the WebLogic console.

  7. One JDBC (Oracle Privileged Account Manager JDBC) connection is required for Oracle Privileged Account Manager reports. Use the following steps to define an Oracle Privileged Account Manager JDBC connection and define the data sources:

    1. Click the Administration link found on the right side of the BI Publisher page.

      The BI Publisher Administration page displays. (Note the Data Sources section on this page.)

    2. Click the JDBC Connection link found in the Data Sources section.

    3. When the Data Sources page displays, click Add Data Source in the JDBC section to create a JDBC connection to your database.

    4. On the Add Data Source page, enter the following information:

      Data Source Name: OPAM JDBC

      Driver Type: Select a driver type to suit your database (for example, Oracle 10g or Oracle 11g).

      Database Driver Class: oracle.jdbc.driver.OracleDriver (Define a driver class to suit your database.)

      Connection String: Provide the database connection details. For example, hostname:port:sid.

      User name: Provide the Oracle Privileged Account Manager Audit DB user name.

      Password: Provide the Oracle Privileged Account Manager Audit DB user password.


      If the connection to the database is established, a confirmation message is displayed indicating the success.

    5. Click Apply.

      You should see this newly defined connection (Oracle Privileged Account Manager JDBC) in the list of JDBC Data Sources.

    6. Navigate to Oracle Privileged Account Manager Audit Reports.

      The Catalog page is displayed as a tree structure on the left side of the page with details on the right.

    7. Expand Shared Folders and select the Oracle Privileged Account Manager folder to view all of the objects in that folder.

  8. Use Oracle Identity Navigator to configure a connection to the BI Publisher server.

    Refer to "Creating a Connection to BI Publisher" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator for the necessary instructions.

When you configure the connection successfully, the My Reports section of the Oracle Identity Navigator Dashboard page will contain the link, Click here to create reports. In addition, users with the Security Auditor role can now perform the following tasks:

  • View Oracle Identity Management BI Publisher reports and audit reports

    Note:

    Oracle Privileged Account Manager provides a set of out-of-the box audit reports that are integrated with BI Publisher 11g and the Oracle Fusion Middleware Audit Framework. Oracle Privileged Account Manager generates these reports based on audit events logged in the audit store. Refer to Section 14.1.2, "Understanding Oracle Privileged Account Manager Audit Reports" for more information.

  • Select and add reports to the My Reports list

  • View and run any reports for which you have access privileges

You can now navigate in BI Publisher and use the Oracle Privileged Account Manager 11g BI reports.

14.1.1.4 Setting the Audit Logging Levels

To change the amount of audit logging provided by Oracle Privileged Account Manager, use the following steps:

  1. Launch an application server shell (WLST) and establish a connection to the Oracle WebLogic Server as described in step 1 of Section 14.1.1.2, "Configuring Database-Based Auditing in Oracle Privileged Account Manager."

  2. Use the getAuditPolicy command to get the current audit policy.

    If the FilterPreset field is set to NONE, use the setAuditPolicy command to change the value. Choose one of the options noted in the following table, depending on the type of events to be audited:

    Note:

    Refer to "getAuditPolicy" and "setAuditPolicy" in the Oracle Fusion Middleware Application Security Guide for detailed information about these WLST audit commands.

    Option: All

    Logs all event types.

    Option: Medium

    Logs the following event types:

    • In the AccountManagement category: ChangePassword, CheckinAccount, CreateAccount, DeleteAccount, DisableAccount, EnableAccount, ModifyAccount, and QueryAccount

    • In the PolicyManagement category: All

    • In the TargetManagement category: All

    Option: Low

    Logs the following event types:

    • In the AccountManagement category: ChangePassword, CheckinAccount, CreateAccount, DeleteAccount, DisableAccount, EnableAccount, and ModifyAccount

    • In the PolicyManagement category: CreatePolicy, DeletePolicy, and ModifyPolicy

    • In the TargetManagement category: CreateTarget, DeleteTarget, and ModifyTarget

    Option: None

    No logging is performed.


  3. Restart the Oracle Privileged Account Manager server.

    Note:

    For detailed information about starting a Managed Server, refer to "Starting or Stopping the Oracle Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

    After the server restarts, audit logs will start appearing in this location:

    DOMAIN_HOME/servers/<opamserver>/logs/auditlogs/OPAM
    

14.1.2 Understanding Oracle Privileged Account Manager Audit Reports

Oracle Privileged Account Manager supplies a set of default audit reports that are integrated with BI Publisher 11g and the Oracle Fusion Middleware Audit Framework. Oracle Privileged Account Manager generates these reports based on the audit events logged in the audit store.

The default audit report types include:

  • Accounts Checkin Checkout Report: Provides account checkout and check-in history.

  • All Events Report: Includes all audit events that are logged in the audit store.

  • Error Events Report: Provides information about any errors that occur in Oracle Privileged Account Manager, such as authentication and authorization failures.

  • General Report: Provides information about events related to checking in, checking out, or modifying privileged accounts and events related to queries about privileged accounts and targets.

  • Target Management Report: Provides information about events related to adding, modifying, querying, or removing targets.

Oracle Privileged Account Manager audit reports can show who checked out an account and on which system it was checked out, justifications, requests for a system that is already checked out, and requests for a system to which a user does not have privileges.

For example, the following figure shows a typical Oracle Privileged Account Manager audit report as viewed in BI Publisher.

Note:

You can view Oracle Privileged Account Manager audit reports in BI Publisher.

Figure 14-1 Example Oracle Privileged Account Manager Audit Report

Figure showing example audit report

Notice that this report provides the following information:

  • Event: Type of event that occurred

  • Status: Event results, where 1 is success and 0 is a failure

  • User ID: User that initiated the event

  • Target: Target on which the event occurred

  • Resource ID: Resource identifier

  • Message: Message returned from server

  • Time: Date and time the event occurred
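As an added example (not part of the Oracle documentation), the following Python script reads report rows carrying the columns listed above and runs two checks a Security Auditor would want over them: failed events per user, and users with several failed requests inside a short window (either a broken automation or someone trying accounts they are not entitled to). The rows, user IDs, targets and messages are constructed sample data, not real Oracle Privileged Account Manager output, and the CSV layout is an assumption.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real OPAM output) using the report columns:
# Event, Status (1 = success, 0 = failure), User ID, Target, Resource ID,
# Message, Time.
SAMPLE_REPORT = """\
Event,Status,User ID,Target,Resource ID,Message,Time
CheckoutAccount,1,alice,db-prod-01,oracle/sys,Checked out,2013-05-01 09:00:12
CheckoutAccount,0,bob,db-prod-01,oracle/sys,Account already checked out,2013-05-01 09:01:05
CheckoutAccount,0,bob,db-prod-01,oracle/sys,Account already checked out,2013-05-01 09:02:40
CheckoutAccount,0,bob,unix-hr-02,root,User not authorized for this account,2013-05-01 09:03:15
CheckinAccount,1,alice,db-prod-01,oracle/sys,Checked in,2013-05-01 09:45:00
CheckoutAccount,0,carol,unix-hr-02,root,User not authorized for this account,2013-05-01 14:10:00
"""

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout of the Time column


def parse_report(text):
    """Parse report rows into dicts; Status becomes an int, Time a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Status"] = int(row["Status"])
        row["Time"] = datetime.strptime(row["Time"], TIME_FORMAT)
        rows.append(row)
    return rows


def failures_by_user(events):
    """Count failed (Status == 0) events per User ID."""
    counts = defaultdict(int)
    for e in events:
        if e["Status"] == 0:
            counts[e["User ID"]] += 1
    return dict(counts)


def repeated_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Return User IDs with at least `threshold` failed events inside any
    sliding window of length `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["Status"] == 0:
            per_user[e["User ID"]].append(e["Time"])
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)


def unauthorized_requests(events):
    """(User ID, Target) pairs for failed requests whose Message says the user
    is not authorized, i.e. requests for a system the user has no privileges on."""
    return sorted({(e["User ID"], e["Target"]) for e in events
                   if e["Status"] == 0 and "not authorized" in e["Message"].lower()})
```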

14.1.3 Auditing Application Consumption of Credentials from CSF

Oracle Privileged Account Manager can synchronize passwords to CSF, as described in Section 17.3, "Integrating with the Credential Store Framework." However, Oracle Privileged Account Manager cannot audit any CSF content because Oracle Privileged Account Manager and CSF are two separate entities in the WebLogic domain. If you want to audit CSF access, then you must enable auditing in CSF itself.

Note:

For information about enabling auditing in CSF, refer to the following sections in the Oracle Fusion Middleware Application Security Guide:

For information about using WSAdmin commands to enable auditing in CSF, refer to "Executing Common Audit Framework wsadmin Commands" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.

14.2 Understanding Oracle Privileged Account Manager Logging

Oracle Privileged Account Manager is fully integrated with Oracle Fusion Middleware Logging and the Oracle Diagnostic Logging (ODL) framework.

The Oracle Privileged Account Manager generic logger (oracle.idm.opam) takes care of all logs not recorded by the audit logger, which includes debugging statements and exception messages. Processing tools can use these logs to diagnose problems that occur within the Oracle Privileged Account Manager server.

Table 14-2 describes the different Oracle Privileged Account Manager-related log files:

Table 14-2 Oracle Privileged Account Manager-Related Log Files

  • AdminServer.log: Generic log file where the WebLogic Admin Server writes messages from its subsystems and applications.

  • AdminServer-diagnostic.log: Diagnostic log file used to store messages generated by the WebLogic Admin Server.

  • base_domain.log: Generic log file where the WebLogic Admin Server writes messages about the overall status of the domain.

  • access.log: Generic log file used to store information about requests to access privileged accounts and targets.

  • opam_server1.log: Generic log file where the Oracle Privileged Account Manager Server writes messages from its subsystems and applications.

  • opam_server1-diagnostic.log: Diagnostic log file used to store messages generated by the Oracle Privileged Account Manager Server.


Oracle Privileged Account Manager log files are stored in the following locations:

  • Server log files are stored in

    DOMAIN_HOME/servers/OPAM managed server/logs

    Server application logging is spooled to

    OPAM managed server-diagnostic.log

  • Console log files are stored in

    DOMAIN_HOME/servers/AdminServer/logs
    

Note:

For more information about Oracle Fusion Middleware Logging and the Oracle Diagnostic Logging (ODL) framework, refer to "Managing Log Files and Diagnostic Data" in the Oracle Fusion Middleware Administrator's Guide.

14.2.1 Configuring Basic Logging

You can configure Oracle Privileged Account Manager logging by using the standard WLST commands as described in "Logging Custom WLST Commands" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

Following are some task-based invocations based on the preceding reference:

Note:

The same commands apply if you are configuring logging on an IBM WebSphere server; however, there are some differences to consider.

Before using these commands, refer to "Configuring Basic Logging for Oracle Privileged Account Manager" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.

  • To list all of the available Oracle Privileged Account Manager loggers and their current configured levels, run the listLoggers command:

    listLoggers(target="<opamserver>",pattern="oracle.idm.opam.*")
    

    For example,

    listLoggers(target="opam_server1",pattern="oracle.idm.opam.*")
    
  • To check Oracle Privileged Account Manager's current log level, run the getLogLevel command:

    getLogLevel(logger="oracle.idm.opam",target="<opamserver>")
    

    For example,

    getLogLevel(logger="oracle.idm.opam",target="opam_server1")
    
  • To set the log level for a particular logger, run the setLogLevel command:

    setLogLevel(target="<opamserver>",logger="oracle.idm.opam",level="TRACE:32",persist=1)
    

    For example,

    setLogLevel(target="opam_server1",logger="oracle.idm.opam",level="TRACE:32",persist=1)
    

14.2.2 Example Logging Data

This figure shows some example logging data as viewed from the WebLogic console.

Figure 14-2 Example Logging Report

Figure showing example logging report

Notice that this report provides the following information:

  • Date and timestamp when the event occurred

  • Subsystem on which the event occurred

  • Message severity

  • Message ID

  • Message describing the operation that was performed