8.3 Access Manager Events You Can Audit

Oracle Access Management uses the Oracle Fusion Middleware Common Audit Framework to support auditing for a large number of user authentication and authorization run-time events, and administrative events.

The following topics describe how to audit Access Manager events:

8.3.1 Access Manager Administrative Events You Can Audit

Administrative events are those generated when the Oracle Access Management Console is used.

The Access Manager-specific administrative events that can be audited and the details captured for them are listed in Table 8-2. These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services.

Note:

The amount and type of information that is logged is controlled by choosing a filter preset from the Audit Configuration section. Auditable events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported.

Table 8-3 lists the details that have been captured.

Table 8-2 Access Manager Administrative Audit Events

Administrative Event / Event Data Include

Oracle Access Management Console Login success/failure

  • User name

  • Remote IP

  • Roles

Authentication Policy Creation

  • Policy name

  • Authentication scheme details

  • Resource details

  • Policy type (authentication or authorization)

Authentication Policy Modification

  • Policy name

  • Authentication scheme details

  • Resource details

  • Policy type (authentication or authorization)

  • Old Policy name

  • Old Authentication scheme details

  • Old Resource details

Authentication Policy Removal

  • Policy name

  • Authentication scheme details

  • Resource details

  • Policy type (authentication or authorization)

Resource Creation

  • Resource name

  • URI

  • Operation

  • Resource type

Resource Modification

  • Resource name

  • URI

  • Operation

  • Resource type

  • Old Resource name

  • Old URI

  • Old Operation

Resource Removal

  • Resource name

  • URI

  • Operation

  • Resource type

Authentication Scheme Creation

  • Scheme name

  • Authentication modules

  • Level

Authentication Scheme Modification

  • Scheme name

  • Authentication modules

  • Level

  • Old Scheme name

  • Old Authentication modules

  • Old Level

Authentication Scheme Removal (Delete)

  • Scheme name

  • Authentication modules

  • Level

Response Creation

  • Response name

  • Response key

  • Data source

  • Response Type

Response Modification

  • Response name

  • Response key

  • Data source

  • Response Type

  • Old Response name

  • Old Response key

  • Old Data source

Response Removal (Delete)

  • Response name

  • Response key

  • Data source

  • Response Type

Partner Addition

  • Partner name

  • Partner ID

  • Partner URL

  • Logout URL

Partner Modification

  • Partner name

  • Partner ID

  • Partner URL

  • Logout URL

  • Old Partner name

  • Old Partner URL

  • Old Logout URL

Partner Removal

  • Partner name

  • Partner ID

  • Partner URL

  • Logout URL

Conditions creation

  • Condition Name

  • Condition type

  • Condition data

Conditions Modification

  • Condition Name

  • Condition type

  • Condition data

  • Old Condition name

  • Old Condition type

  • Old Condition data

Conditions Removal

  • Condition Name

  • Condition type

  • Condition data

Server Domain creation

  • Domain Name

Server Domain Modification

  • Domain Name

  • Old Domain Name

Server Domain Removal

  • Domain Name

Server configuration change

  • New details

  • Old details

  • Instance Name

  • Application Name

  • User Name

  • Remote ID

  • Roles

  • Date and time

8.3.2 Access Manager Run-time Events You Can Audit

Run-time events are those generated by some of the events the Access Manager component engines issue when interacting with one another. Table 8-3 lists the run-time events that can be audited, when they are issued, and the details captured for them. These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services.

Note:

The amount and type of information that is logged is controlled by choosing a filter preset in the Audit Configuration. Auditable events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported.

Table 8-3 Access Manager Run-time Audit Events

Run-time Event / Issued When / Event Details Include

Authentication Attempt

A user attempts to access a protected resource and the request arrives at the SSO server; this event might be followed by the events credential submit and authentication success or failure.

  • Remote IP

  • Resource ID

  • Partner ID

  • Resource ID

  • Authentication scheme ID

  • Authentication Policy ID

Authentication Success

A client submits credentials and credential validation is successful.

  • Remote IP

  • User Name

  • User DN

  • Resource ID

  • Authentication scheme ID

  • Authentication Policy ID

  • Partner ID

Authentication Failure

A client submits credentials and credential validation fails.

  • Remote IP

  • User Name

  • User DN

  • Resource ID

  • Authentication Scheme ID

  • Failure Error Code

  • Retry count

  • Authentication Policy ID

  • Partner ID

Session Creation

Authentication succeeds.

  • SSO Session ID

  • User Name

  • User DN

  • Remote IP

  • Resource ID

  • Authentication scheme ID

  • Authentication Policy ID

Session Destroy

Authentication succeeds.

  • SSO Session ID

  • User Name

  • User DN

  • Partner ID

Login success

A client finishes the login procedure and is forwarded to the agent.

  • Remote IP

  • User Name

  • User DN

  • Authentication level

  • Resource ID

  • Authentication scheme ID

  • Authentication Policy ID

  • Partner ID

Login failure

A client fails to log in; this event is issued only when all the retry authentication attempts allowed have failed or when the account is locked.

  • Remote IP

  • User Name

  • Authentication level

  • Resource ID

  • Authentication scheme ID

  • Authentication Policy ID

  • Partner ID

Logout success

A client finishes the logout procedure and is forwarded to the agent.

  • Remote IP

  • User DN

  • Authentication level

  • SSO Session ID

  • Partner ID

Logout failure

A client fails to log out.

  • Remote IP

  • User DN

  • SSO Session ID

  • Failure details

  • Partner ID

Credential Collection

A client is redirected to the credential collection page.

  • Remote IP

  • Resource Name

  • Resource ID

  • Authentication scheme ID

  • Authentication Policy ID

Credential Submit

A client submits credentials.

  • Remote IP

  • User Name

  • Resource ID

  • Authentication scheme ID

  • Authentication Policy ID

Authorization Success

A client has been authorized to access a resource.

  • Remote IP

  • User DN

  • Resource ID

  • Authorization Policy ID

Authorization Failure

A client has not been authorized to access a resource.

  • Remote IP

  • User DN

  • Resource ID

  • Authorization Policy ID

Server Start Up

The server starts up.

  • Date and time

  • Instance Name

  • Application Name

Server Shut Down

The server shuts down.

  • Date and time

  • Instance Name

  • Application Name

8.3.3 Auditing Authentication Events

Auditing events during authentication can help Administrators scrutinize security weaknesses in their systems.

The events that an Administrator can configure for auditing during authentication are:

  • Authentication success

  • Authentication failure

  • Create, modify, delete, or view Authentication Policy data

Information related to the user being authenticated may include the following:

  • IP address

  • Browser type

  • User Login ID

  • Time of Access

Note:

Oracle recommends that you avoid auditing, logging, or tracing sensitive user attributes, such as user passwords.

Information about users requesting authentication or brute force attacks can be stored in the file system or in a back-end database.
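As an added example (not from the Oracle documentation), the following Python reviews run-time events from Table 8-3 for the brute-force pattern mentioned above. The records are constructed dicts keyed by the table's field names, because this page does not show the stored layout of these events; the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed run-time audit records keyed by the Table 8-3 field names. The page
# does not show the stored layout of these events, so each record is a dict.
EVENTS = [
    {"event": "Authentication Failure", "time": "2016-04-11T08:00:01",
     "Remote IP": "203.0.113.5", "User Name": "alice", "Retry count": 1},
    {"event": "Authentication Failure", "time": "2016-04-11T08:00:09",
     "Remote IP": "203.0.113.5", "User Name": "bob", "Retry count": 1},
    {"event": "Authentication Failure", "time": "2016-04-11T08:00:15",
     "Remote IP": "203.0.113.5", "User Name": "carol", "Retry count": 1},
    {"event": "Login failure", "time": "2016-04-11T08:00:16",
     "Remote IP": "203.0.113.5", "User Name": "carol"},
    {"event": "Authentication Failure", "time": "2016-04-11T09:30:00",
     "Remote IP": "198.51.100.9", "User Name": "dave", "Retry count": 1},
    {"event": "Authentication Success", "time": "2016-04-11T09:30:20",
     "Remote IP": "198.51.100.9", "User Name": "dave"},
]

def failure_bursts(events, window_s=300, threshold=3):
    """Return {Remote IP: sorted user names} for every IP that produced at least
    `threshold` Authentication Failure events within any `window_s`-second span.
    One repeated name is classic brute force; many names from one IP is guessing
    spread across accounts, which per-account retry limits do not catch."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event"] == "Authentication Failure":
            by_ip[ev["Remote IP"]].append((datetime.fromisoformat(ev["time"]), ev["User Name"]))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        lo = 0
        for hi in range(len(attempts)):  # sliding window over time-ordered attempts
            while attempts[hi][0] - attempts[lo][0] > timedelta(seconds=window_s):
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[ip] = sorted({name for _, name in attempts[lo:hi + 1]})
                break
    return flagged

def exhausted_logins(events):
    """User names with a Login failure event, which Access Manager issues only
    after all allowed retries have failed or the account is locked."""
    return sorted({ev["User Name"] for ev in events if ev["event"] == "Login failure"})
```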

8.3.4 Auditing Events for Delegated Administrators

Policy object and system configuration operations performed by delegated administrators are captured under the GenericAdminOperation audit event. The audit data captured in the audit log is listed below:

  • Granted Role Name

  • Revoked Role Name

  • Granted to Identity Name

  • Revoked from Identity Name

  • Application Domain Name

  • Date and time

  • IP

  • User Name

  • Application Name

  • Server Name

The following examples illustrate the audit log for delegated administration events:

Example 8-1 Audit log for privileged user granting a role to an identity

Audit log snippet- 2016-04-11 08:02:43.189 "weblogic" "GenericAdminOperation" true 
"Role:'Application Administrator' Granted to:'admin1'" "weblogic"-
"Application Administrator"---...

Example 8-2 Audit log for privileged user revoking a role from an identity

Audit log snippet- 2016-04-11 08:03:27.040 "weblogic" "GenericAdminOperation" true 
"Role:'Application Administrator' Revoked From:'admin1'" "weblogic"-
"Application Administrator"---...

Example 8-3 Audit log for privileged user granting a role to an identity within an Application Domain

Audit log snippet- 2016-04-11 08:08:32.487 "weblogic" "GenericAdminOperation" true 
"Role:'Application Domain Administrator' Granted to:'admin1' 
AppDomain:'appdomain'" "weblogic"-...

Example 8-4 Audit log for privileged user revoking a role from an identity within an Application Domain

Audit log snippet- 2016-04-11 08:09:03.099 "weblogic" "GenericAdminOperation" true 
"Role:'Application Domain Administrator' Revoked From:'admin1' 
AppDomain:'appdomain'" "weblogic" - "Application Domain Administrator"--
"appdomain" "oam_admin(11.1.2.3)"...
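As an added example (not part of the Oracle documentation), the following Python parses GenericAdminOperation lines in the shape of Examples 8-1 to 8-4 and replays grants and revokes to list the delegated roles still held. The sample lines are constructed to match those examples, and the regular expressions are an assumption about the field order shown there; the trailing '-'-separated columns are ignored.

```python
import re

# One GenericAdminOperation line in the shape of Examples 8-1 to 8-4: timestamp, the
# privileged user, event type, success flag, then the quoted message (assumed order).
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+'
    r'"(?P<initiator>[^"]*)"\s+"(?P<event>[^"]*)"\s+(?P<ok>true|false)\s+"(?P<msg>[^"]*)"'
)
# The message carries the role, the action and the target identity, plus an
# AppDomain only when the role is scoped to an Application Domain.
MSG_RE = re.compile(
    r"Role:'(?P<role>[^']*)'\s+(?P<action>Granted to|Revoked From):'(?P<identity>[^']*)'"
    r"(?:\s+AppDomain:'(?P<domain>[^']*)')?"
)

def parse_delegation_event(line: str) -> "dict | None":
    """Role grant/revoke in one successful GenericAdminOperation line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["event"] != "GenericAdminOperation" or m["ok"] != "true":
        return None
    msg = MSG_RE.search(m["msg"])
    if not msg:
        return None
    return {"time": m["ts"], "by": m["initiator"],
            "action": "grant" if msg["action"] == "Granted to" else "revoke",
            "role": msg["role"], "identity": msg["identity"], "domain": msg["domain"]}

def outstanding_grants(lines) -> set:
    """Replay grants/revokes in log order; return (identity, role, domain) still held."""
    held = set()
    for ev in filter(None, map(parse_delegation_event, lines)):
        key = (ev["identity"], ev["role"], ev["domain"])
        if ev["action"] == "grant":
            held.add(key)
        else:
            held.discard(key)
    return held

def sample(ts, ok, msg):  # builds a constructed line in the Example 8-1 to 8-4 shape
    return f'{ts} "weblogic" "GenericAdminOperation" {ok} "{msg}" "weblogic"-'

# Constructed sample log (not real audit output): grant, revoke, a domain-scoped
# grant, and a failed operation that must not count as a grant.
SAMPLE_LOG = [
    sample("2016-04-11 08:02:43.189", "true", "Role:'Application Administrator' Granted to:'admin1'"),
    sample("2016-04-11 08:03:27.040", "true", "Role:'Application Administrator' Revoked From:'admin1'"),
    sample("2016-04-11 08:08:32.487", "true",
           "Role:'Application Domain Administrator' Granted to:'admin1' AppDomain:'appdomain'"),
    sample("2016-04-11 08:10:00.000", "false", "Role:'Application Administrator' Granted to:'admin2'"),
]
```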