8.7 Setting Up Auditing for Oracle Access Management

Before you audit Oracle Access Management events, set up the audit data store and set up publishing for audit reports.

The following overview provides a list of the tasks that must be performed before auditing:

  1. Set up the audit data store.

    See Setting Up the Audit Database Store.

  2. Set up publishing for audit reports.

    See Preparing Oracle Business Intelligence Publisher EE.

  3. Edit the Audit Configuration in the Oracle Access Management Console, as described in:

See Validating Auditing and Reports for details on how to test and validate the audit configuration.

8.7.1 Setting Up the Audit Database Store

Here is an overview of the tasks required to create the audit database and extend the schema using the Repository Creation Utility (RCU).

This task is required before you can audit events for Oracle Access Management if you choose a database store for audit data.


To create an audit database store:

  1. Create an audit database, version 11.1.0.7 or later.
  2. Run the RCU against the database.

    See "Create the Audit Schema using RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

  3. Set up audit data sources for the audit loader and configure it for the OAM Server.

    See "Set Up Audit Data Sources" in the Securing Applications with Oracle Platform Security Services:

    • Use the Java EE audit loader configuration for WebLogic Server.

    • Use the JNDI name of the data source jdbc/AuditDB that points to the database that was set up in step 2 above.

  4. In the service instance specified in the domain file ($DOMAIN_HOME/config/fmwconfig/jps-config.xml), enable database auditing by changing the value of the property audit.loader.repositoryType to DB. For example:
    <serviceInstance name="audit.db" provider="audit.provider">
       <property name="audit.loader.repositoryType" value="DB"/>
       <property name="auditstore.type" value="db"/>
       <property name="audit.loader.jndi" value="jdbc/AuditDB"/>
       <property name="audit.maxDirSize" value="0"/>
       <property name="audit.filterPreset" value="None"/>
       <property name="audit.maxFileSize" value="104857600"/>
       <property name="audit.loader.interval" value="15"/>
       <propertySetRef ref="props.db.1"/>
    </serviceInstance>
    
  5. Restart the WebLogic Server.
  6. Ensure that the audit loader is configured for the OAM Server and that it points to the proper database, as described in "Configure a Database Audit Store for Java Components" in the Securing Applications with Oracle Platform Security Services.
  7. Maintain the bus-stop files, as described in "Tuning the Bus-stop Files" in the Securing Applications with Oracle Platform Security Services.
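To confirm that the edit in step 4 took effect before restarting WebLogic Server, the following added example (not Oracle's code) parses the audit serviceInstance in jps-config.xml and reports whether audit.loader.repositoryType is DB and audit.loader.jndi is the jdbc/AuditDB data source from step 3. The sample file embedded in it is constructed from the step-4 fragment; the namespace URI it carries is a placeholder, used only to show that namespaced tags are handled.

```python
# Added example, not Oracle's code: check the audit serviceInstance in
# jps-config.xml for the two settings steps 3 and 4 require
# (audit.loader.repositoryType=DB, audit.loader.jndi=jdbc/AuditDB).
import xml.etree.ElementTree as ET

# Constructed sample: the step-4 fragment wrapped in a minimal root with a
# placeholder default namespace, so the parser must strip namespaces.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="urn:example:jps-config">
  <serviceInstances>
    <serviceInstance name="audit.db" provider="audit.provider">
      <property name="audit.loader.repositoryType" value="DB"/>
      <property name="auditstore.type" value="db"/>
      <property name="audit.loader.jndi" value="jdbc/AuditDB"/>
      <property name="audit.maxDirSize" value="0"/>
      <property name="audit.filterPreset" value="None"/>
      <property name="audit.maxFileSize" value="104857600"/>
      <property name="audit.loader.interval" value="15"/>
      <propertySetRef ref="props.db.1"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>"""

EXPECTED_JNDI = "jdbc/AuditDB"  # data source JNDI name chosen in step 3


def local_name(tag):
    """Drop the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def audit_properties(xml_text, instance_name="audit.db"):
    """Return the property name -> value map of the named serviceInstance."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if local_name(elem.tag) == "serviceInstance" and elem.get("name") == instance_name:
            return {child.get("name"): child.get("value")
                    for child in elem if local_name(child.tag) == "property"}
    raise ValueError(f"serviceInstance {instance_name!r} not found")


def check_audit_config(xml_text, instance_name="audit.db"):
    """Return a list of findings; an empty list means the instance matches step 4."""
    props = audit_properties(xml_text, instance_name)
    findings = []
    repo = props.get("audit.loader.repositoryType", "")
    if repo.upper() != "DB":  # anything else and the loader does not write to the DB
        findings.append(f"audit.loader.repositoryType is {repo!r}, expected DB")
    jndi = props.get("audit.loader.jndi")
    if jndi != EXPECTED_JNDI:  # loader would point at the wrong data source
        findings.append(f"audit.loader.jndi is {jndi!r}, expected {EXPECTED_JNDI}")
    return findings


if __name__ == "__main__":
    print(check_audit_config(SAMPLE_JPS_CONFIG) or ["audit serviceInstance OK"])
```

Run it against the real file with `check_audit_config(open("$DOMAIN_HOME/config/fmwconfig/jps-config.xml").read())` after expanding the path; any finding means the loader will not push events to the audit database.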

8.7.2 Preparing Oracle Business Intelligence Publisher EE

You must prepare Oracle Business Intelligence Publisher Enterprise Edition (EE) for use with Oracle Access Management audit reports.

Here is an outline of the procedure to prepare Oracle Business Intelligence Publisher EE.

See Also:

  • Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition

  • Oracle Fusion Middleware Developer's Guide for Oracle Business Intelligence Enterprise Edition

  • Securing Applications with Oracle Platform Security Services

To prepare Oracle Business Intelligence Publisher:

  1. Install Oracle BI Publisher.

    See the Oracle Business Intelligence Enterprise Edition Installation and Upgrade Guide.

  2. Perform the following tasks:

    See "Set Up Oracle Reports in Oracle Business Intelligence Publisher" in the Securing Applications with Oracle Platform Security Services:

    • Unzip the oam_audit_reports_11_1_2_0_0.zip into your Reports folder.

      This zip file is located in the $ORACLE_HOME/oam/server/reports/ directory.

    • Unjar the AuditReportTemplates.jar into your Reports folder.

      AuditReportTemplates.jar is located in the $MW_ORA_HOME/oracle_common/modules/oracle.iau_11.1.1/reports/ directory.

    • Set up the JNDI connection for the audit data source or the JDBC connection to the audit database.

      The datasource name must be "Audit".

  3. Set up audit report templates, as described in the section "Set Up Audit Report Templates" of the Securing Applications with Oracle Platform Security Services.
  4. Set up audit report filters, as described in the section "Set Up Audit Report Filters" of the Securing Applications with Oracle Platform Security Services.
  5. View reports from the following path: Reports/Oracle_Fusion_Middleware_Audit reports.

8.7.3 Using the Oracle Access Management Console for Audit Configuration

Within Oracle Access Management, certain Audit Configuration settings are accessible as Common Settings under the System Configuration. These settings are not required when you audit to a database.

Figure 8-2 shows the Audit Configuration section of the Common Settings page.

Figure 8-2 Common Settings: Auditing Configuration


The Auditing section provides settings for the Log Directory, Filter Settings, and Audit Configuration Users.

Note:

The actual log directory cannot be configured using the Oracle Access Management Console. It is the default directory for the Common Audit Framework audit loader. Changing the directory impacts the audit loader and is not supported.

Table 8-13 describes the elements in the Audit Configuration page.

Table 8-13 Audit Configuration Elements

Elements Description

Maximum Directory Size

The maximum size, in MB, of the directory that contains audit output files. For example, if the maximum file size is 10 MB, a value of 100 for this parameter allows a maximum of 10 files in the directory. Once the maximum directory size is reached, the creation of audit logs stops.

This is configured using the max.DirSize property described in the configuration file jps-config.xml (it appears as audit.maxDirSize in the serviceInstance example in Setting Up the Audit Database Store). This property controls the maximum size of a bus-stop directory for Java components as described in the Securing Applications with Oracle Platform Security Services.

Maximum File Size

The maximum size, in MB, of an audit log file. Once a file reaches the maximum size, a new log file is created. For example, specifying 10 rotates the file when its size reaches 10 MB.

This is configured using the max.fileSize property described in the configuration file jps-config.xml (it appears as audit.maxFileSize in the serviceInstance example in Setting Up the Audit Database Store). This property controls the maximum size of a bus-stop file for Java components as described in the Securing Applications with Oracle Platform Security Services.

Filter Enabled

Check this box to enable event filtering.

Filter Preset

Defines the amount and type of information that is logged when the filter is enabled. The default value is Low.

  • All: captures and records all auditable OAM events

  • Low: captures and records a specific set of auditable OAM events

  • Medium: captures and records events covered by the Low setting plus a number of other auditable OAM events

  • None: no OAM events are captured and recorded

Events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported for Oracle Access Management. Only items that are configured for auditing at the specified filter preset can be audited.

Users

Specifies the list of users whose actions are included only when the filter is enabled. All actions of the special users are audited regardless of the filter preset. Administrators can add, remove or edit special users from this table.

8.7.4 Adding, Viewing, or Editing Audit Settings

The Administrator controls the amount and type of information that is logged by choosing a filter preset from the Audit Configuration tab on the OAM Server Common Properties page.

Note:

Auditable events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported.

The following procedure describes how to add, view, or edit OAM Server Common Audit Configuration settings. Individual audit policies cannot be configured using Fusion Middleware Control. Oracle Access Management does not use JPS infrastructure to configure the audit configuration. There are no WebLogic Scripting Tool (WLST) commands for auditing.

  1. In the Oracle Access Management Console, click Configuration at the top of the window.
  2. In the Settings section, select Common Settings from the View menu.
  3. In the Audit Configuration section, enter the appropriate details for your environment (see Table 8-13):
    • Maximum Log directory size

    • Maximum Log file size

    • Filter Enabled

    • Filter Preset (to define verbosity of audit data)

    • Users: to include specific users in the audit, click the Add (+) button above the Users table and enter a value in the field.

  4. Click Apply to submit the Audit Configuration (or close the page without applying changes).
  5. Restart AdminServer and OAM Servers after changes are applied.