Oracle Access Management uses the Oracle Fusion Middleware Common Audit Framework to support auditing for a large number of user authentication and authorization run-time events, and administrative events.
The following topics describe how to audit Access Manager events:
Administrative events are those generated when the Oracle Access Management Console is used.
The Access Manager-specific administrative events that can be audited and the details captured for them are listed in Table 8-2. These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services.
Note:
The amount and type of information that is logged is controlled by choosing a filter preset from the Audit Configuration section. Auditable events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported.
Table 8-3 lists the details that have been captured.
Table 8-2 Access Manager Administrative Audit Events

| Administrative Event | Event Data Include |
|---|---|
| Oracle Access Management Console Login success/failure | |
| Authentication Policy Creation | |
| Authentication Policy Modification | |
| Authentication Policy Removal | |
| Resource Creation | |
| Resource Modification | |
| Resource Removal | |
| Authentication Scheme Creation | |
| Authentication Scheme Modification | |
| Authentication Scheme Removal (Delete) | |
| Response Creation | |
| Response Modification | |
| Response Removal (Delete) | |
| Partner Addition | |
| Partner Modification | |
| Partner Removal | |
| Conditions Creation | |
| Conditions Modification | |
| Conditions Removal | |
| Server Domain Creation | |
| Server Domain Modification | |
| Server Domain Removal | |
| Server Configuration Change | |
Run-time events are those generated by some of the events the Access Manager component engines issue when interacting with one another. The run-time events that can be audited, and when they are issued, are listed in Table 8-3. These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services.
Note:
The amount and type of information that is logged is controlled by choosing a filter preset in the Audit Configuration. Auditable events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported.
Table 8-3 Access Manager Run-time Audit Events

| Run-time Event | Issued When | Event Details Include |
|---|---|---|
| Authentication Attempt | A user attempts to access a protected resource and the request arrives at the SSO server; this event might be followed by the events Credential Submit and Authentication Success or Authentication Failure. | |
| Authentication Success | A client submits credentials and credential validation is successful. | |
| Authentication Failure | A client submits credentials and credential validation fails. | |
| Session Creation | Authentication succeeds. | |
| Session Destroy | Authentication succeeds. | |
| Login Success | A client finishes the login procedure and is forwarded to the agent. | |
| Login Failure | A client fails to log in; this event is issued only when all the retry authentication attempts allowed have failed or when the account is locked. | |
| Logout Success | A client finishes the logout procedure and is forwarded to the agent. | |
| Logout Failure | A client fails to log out. | |
| Credential Collection | A client is redirected to the credential collection page. | |
| Credential Submit | A client submits credentials. | |
| Authorization Success | A client has been authorized to access a resource. | |
| Authorization Failure | A client has not been authorized to access a resource. | |
| Server Start Up | The server starts up. | |
| Server Shut Down | The server shuts down. | |
Auditing events during authentication can help Administrators scrutinize security weaknesses in their systems.
The events that an Administrator can configure for auditing during authentication are:
- Authentication success
- Authentication failure
- Create, modify, delete, or view Authentication Policy data
Information related to the user being authenticated may include the following:
- IP address
- Browser type
- User Login ID
- Time of Access
Note:
Oracle recommends that you avoid auditing, logging, or tracing sensitive user attributes, such as user passwords.
Information about users requesting authentication, or about brute-force attacks, can be stored in the file system or in a back-end database.
Policy object and system configuration operations performed by delegated administrators are captured under the GenericAdminOperation audit event. The audit data captured in the audit log is listed below:
- Granted Role Name
- Revoked Role Name
- Granted to Identity Name
- Revoked from Identity Name
- Application Domain Name
- Date and time
- IP
- User Name
- Application Name
- Server Name
The following examples illustrate audit log entries for delegated admin events:
Example 8-1 Audit log for privileged user granting a role to an identity
Audit log snippet:
2016-04-11 08:02:43.189 "weblogic" "GenericAdminOperation" true "Role:'Application Administrator' Granted to:'admin1'" "weblogic"- "Application Administrator"---...
Example 8-2 Audit log for privileged user revoking a role from an identity
Audit log snippet:
2016-04-11 08:03:27.040 "weblogic" "GenericAdminOperation" true "Role:'Application Administrator' Revoked From:'admin1'" "weblogic"- "Application Administrator"---...
Example 8-3 Audit log for privileged user granting a role to an identity within an Application Domain
Audit log snippet:
2016-04-11 08:08:32.487 "weblogic" "GenericAdminOperation" true "Role:'Application Domain Administrator' Granted to:'admin1' AppDomain:'appdomain'" "weblogic"-...
Example 8-4 Audit log for privileged user revoking a role from an identity within an Application Domain
Audit log snippet:
2016-04-11 08:09:03.099 "weblogic" "GenericAdminOperation" true "Role:'Application Domain Administrator' Revoked From:'admin1' AppDomain:'appdomain'" "weblogic" - "Application Domain Administrator"-- "appdomain" "oam_admin(11.1.2.3)"...