A AVCLI Commands Reference

A.1 About the AVCLI Commands

You can use the AVCLI commands to configure host connections from the command line. You must be granted the AV_ADMIN role before you can run these commands. This appendix does not list all of the AVCLI commands, however. It only covers the commands that an Audit Vault and Database Firewall administrator needs to configure secured target connections.

All AVCLI commands must end in a semicolon (;).

See Also:

Using the Audit Vault Command-Line Interface for general usage information about using the AVCLI command line interface.

Setting the JAVA_HOME Environment Variable

In the Audit Vault Server, you must set the JAVA_HOME environment variable to point to the JDK installation directory.

A.2 Agent Host AVCLI Commands

The AVCLI host commands enable you to configure the host computer on which the Audit Vault Agent will reside.

Table A-1 lists the AVCLI agent host commands.

Table A-1 AVCLI Agent Host Commands

Command Description

REGISTER HOST

Adds the host to Audit Vault Server and identifies it as a host on which an agent can be deployed

ALTER HOST

Alters a host registered with the Audit Vault Server

LIST HOST

Lists the names of the currently registered agent host computers

DROP HOST

Drops the specified agent host from Audit Vault Server

ACTIVATE HOST

Activates the host on Audit Vault Server

DEACTIVATE HOST

Deactivates the specified host

A.2.1 REGISTER HOST

Learn about the REGISTER HOST AVCLI command.

The REGISTER HOST command adds the host to Audit Vault Server and identifies it as a host on which an agent can be deployed.

Syntax

REGISTER HOST host_name [WITH IP ip_address]

Arguments

Argument Description

host_name

The name of the host computer that you want to register.

ip_address

Optional. The IP address associated with the host.

Usage Notes

To change the IP address associated with a host, use the ALTER HOST command.

Examples

avcli> REGISTER HOST sample_host.example.com;

Registers the host, sample_host.example.com, to run the agent process with the Audit Vault Server.

avcli> REGISTER HOST sample_host.example.net with ip 192.0.2.1;

Registers the host, sample_host.example.net, and associates it with the IP address 192.0.2.1.

A.2.2 ALTER HOST

The ALTER HOST command alters a host registered with the Audit Vault Server.

Syntax

ALTER HOST hostname SET {key=value [,key=value...]}

ALTER HOST hostname SET {key=value [,LOGLEVEL=component_name:loglevel_value...]}

ALTER HOST hostname DROP ATTRIBUTE {attribute name}

Arguments

Argument Description

hostname

The name of the host.

key

The attribute being changed. See Table A-2 for supported key values.

Usage Notes

This command alters the attributes associated with the named host using key/value pairs. To modify multiple attributes in a single command invocation, specify comma-separated key/value pairs.

The following host name attributes are supported:

Table A-2 Host Attributes (key values)

Parameter Description

NAME

The new host name that replaces the existing one.

IP

The new IP address that replaces the existing IP address.

LOGLEVEL

The log level of various code components running on this host. This option can dynamically change the log levels of various Audit Vault Server code components.

The LOGLEVEL attribute takes a two part value, separated by a colon, as follows:

component_name:loglevel_value

where component_name can be av.agent, av.common, or av.server.

See Table A-3 for descriptions of LOGLEVEL component names, and Table A-4 for LOGLEVEL values.

Log levels for multiple components can be changed by delimiting them with the | symbol.

The following are valid values for the LOGLEVEL attribute:

Table A-3 LOGLEVEL Component Names

Parameter Description

av.agent

agent component_name of LOGLEVEL value

av.server

Audit Vault Server component_name of LOGLEVEL value

av.common

shared Server and Agent component_name of LOGLEVEL value

Table A-4 LOGLEVEL Values

Loglevel Value Description

INFO

INFO level, loglevel_value of LOGLEVEL value

WARNING

WARNING level, loglevel_value of LOGLEVEL value

ERROR

ERROR level, loglevel_value of LOGLEVEL value

DEBUG

DEBUG level, loglevel_value of LOGLEVEL value

Examples

avcli> ALTER HOST sample_host.example.com SET ip=192.0.2.1;

Alters the host, sample_host.example.com, and changes the associated IP address to 192.0.2.1.

avcli> ALTER HOST sample_host.example.com SET name=new_sample_host.example.com;

Alters the host, sample_host.example.com, to new_sample_host.example.com. Additionally, it updates the IP address by doing a lookup against new_sample_host.example.com.

avcli> ALTER HOST sample_host.example.com SET loglevel=av.agent:info|av.common:debug;

Alters the log levels of the av.agent and av.common code components embedded in the agent process running on the host, sample_host.example.com.

A.2.3 LIST HOST

The LIST HOST command lists the names of the currently registered agent host computers.

Syntax

LIST HOST

Example

avcli> LIST HOST;

The various active hosts registered with the Audit Vault Server are listed.

A.2.4 DROP HOST

Use the DROP HOST command to drop hosts that are specified by the value of the host_name parameter.

The DROP HOST command drops the host specified by the host_name from the Audit Vault Server and removes any associated metadata.

After dropping a host, if you want to register it again to collect audit data, you must reinstall the Audit Vault Agent on this host.

Syntax

DROP HOST hostname

Arguments

Argument Description

hostname

The name of the host computer being dropped.

Usage Notes

Ensure that the agent process on this host is in the stopped state before dropping the host. The DROP HOST command will fail otherwise.

Example

avcli> DROP HOST sample_host;

The host, sample_host, and any associated metadata are dropped.

A.2.5 ACTIVATE HOST

The ACTIVATE HOST command activates the host specified by hostname.

Syntax

ACTIVATE HOST hostname

Arguments

Argument Description

hostname

The host name.

Usage Notes

Once a host is activated, an activation key appears, which must be entered when an agent process is started to complete the activation process.

Example

avcli> ACTIVATE HOST sample_host.example.com;

Activates the host, sample_host.example.com, and displays the activation key for this host.

A.2.6 DEACTIVATE HOST

The DEACTIVATE HOST command deactivates the host specified by hostname.

Syntax:

DEACTIVATE HOST hostname

Arguments

Argument Description

hostname

The host name.

Usage Notes

Once a host is deactivated, it may not be able to connect to the Audit Vault Server.

Example

avcli> DEACTIVATE HOST sample_host.example.com;

Deactivates the host, sample_host.example.com. The agent process on this host may not be able to connect to the Audit Vault Server.

A.3 Database Firewall AVCLI Commands

The AVCLI Database Firewall commands enable you to configure the Database Firewall.

Table A-5 lists the AVCLI Database Firewall commands.

Table A-5 Database Firewall Commands

Command Description

REGISTER FIREWALL

Registers the Database Firewall that has the specified IP address with the Audit Vault Server

DROP FIREWALL

Drops an already registered Database Firewall from the Audit Vault Server.

LIST FIREWALL

Lists all the Database Firewalls registered with the Audit Vault Server

REBOOT FIREWALL

Reboots a named Database Firewall that is already registered with the Audit Vault Server

POWEROFF FIREWALL

Powers off a named Database Firewall that is already registered with the Audit Vault Server

CREATE RESILIENT PAIR

Creates a resilient pair with two Database Firewalls for high availability

SWAP RESILIENT PAIR

Swaps Database Firewalls in a resilient pair that includes the named Database Firewall

DROP RESILIENT PAIR

Drops the resilient pair that contains the specified Database Firewall

ALTER FIREWALL

Alters the Database Firewall attributes

SHOW STATUS FOR FIREWALL

Displays the status for a particular Database Firewall

A.3.1 REGISTER FIREWALL

The REGISTER FIREWALL command registers the Database Firewall that has the specified IP address with the Audit Vault Server.

Syntax

REGISTER FIREWALL firewall_name WITH IP ip_address

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

ip_address

The IP address of the Database Firewall.

Usage Notes

The Database Firewall must be installed at the given IP address location.

To specify a firewall name with a space, enclose the entire string in quotes.

Example

avcli> REGISTER FIREWALL sample_fw WITH IP 192.0.2.14;

Database Firewall sample_fw is installed at IP address 192.0.2.14.

A.3.2 DROP FIREWALL

The DROP FIREWALL command drops an already registered Database Firewall from the Audit Vault Server.

Syntax

DROP FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> DROP FIREWALL sample_fw;

The Database Firewall sample_fw is dropped.

A.3.3 LIST FIREWALL

The LIST FIREWALL command lists all the Database Firewalls registered with the Audit Vault Server.

Syntax

LIST FIREWALL

Example

avcli> LIST FIREWALL;

A list of the Database Firewalls registered with Audit Vault Server appears.

A.3.4 REBOOT FIREWALL

The REBOOT FIREWALL command reboots a named Database Firewall that is already registered with the Audit Vault Server.

Syntax

REBOOT FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> REBOOT FIREWALL sample_fw;

The Database Firewall sample_fw reboots.

A.3.5 POWEROFF FIREWALL

The POWEROFF FIREWALL command powers off a named Database Firewall that is already registered with the Audit Vault Server.

Syntax

POWEROFF FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> POWEROFF FIREWALL sample_fw;

The Database Firewall sample_fw switches off.

A.3.6 CREATE RESILIENT PAIR

The CREATE RESILIENT PAIR command creates a resilient pair with two Database Firewalls for high availability.

Syntax

CREATE RESILIENT PAIR FOR FIREWALL PRIMARY primary_firewall
  SECONDARY secondary_firewall

Arguments

Argument Descriptions

primary_firewall

The name of the primary Database Firewall. Only this Firewall can generate syslog alerts

secondary_firewall

The name of the secondary Database Firewall.

Example

avcli> CREATE RESILIENT PAIR FOR FIREWALL PRIMARY sample_fw1 SECONDARY sample_fw2;

A resilient pair is created with primary Database Firewall sample_fw1 and secondary Database Firewall sample_fw2.

A.3.7 SWAP RESILIENT PAIR

The SWAP RESILIENT PAIR command swaps Database Firewalls in a resilient pair that includes the named Database Firewall.

Syntax

SWAP RESILIENT PAIR HAVING FIREWALL firewall_name
 

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> SWAP RESILIENT PAIR HAVING FIREWALL sample_fw1;

In the existing resilient pair that includes Database Firewall sample_fw1, the primary firewall is swapped with the secondary firewall, or the reverse.

A.3.8 DROP RESILIENT PAIR

The DROP RESILIENT PAIR command drops the resilient pair that contains the specified Database Firewall.

Syntax

DROP RESILIENT PAIR HAVING FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> DROP RESILIENT PAIR HAVING FIREWALL sample_fw1;

The existing resilient pair that includes Database Firewall sample_fw1 is broken.

A.3.9 ALTER FIREWALL

The ALTER FIREWALL command alters the Database Firewall attributes.

Syntax

ALTER FIREWALL firewall_name SET attribute=value [, attribute=value]

Arguments

Argument Description

firewall_name

The name of the Database Firewall.

attribute

The pair (attribute and new value) for the Database Firewall. Separate multiple pairs by a space on the command line. See Table A-6 for a list of attributes.

Usage Notes

Table A-6 lists Database Firewall attributes that you can specify for the attribute=value argument.

Table A-6 Oracle Database Firewall Attributes

Parameter Description

NAME

The new name of the Database Firewall.

IP

The IP address of the Database Firewall.

Example

avcli> ALTER FIREWALL sample_fw1 SET NAME=sample_newfw1;

Database Firewall name changes from sample_fw1 to sample_newfw1.

avcli> ALTER FIREWALL sample_fw1 SET IP=192.0.2.169;

Database Firewall IP address is set to 192.0.2.169.

A.3.10 SHOW STATUS FOR FIREWALL

The SHOW STATUS command displays the status for a particular Database Firewall.

Syntax

SHOW STATUS FOR FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> SHOW STATUS FOR FIREWALL sample_fw1;

The running information for Database Firewall sample_fw1 appears.

A.4 Enforcement Point AVCLI Commands

The AVCLI Enforcement Point commands enable you to configure the Database Firewall.

Table A-7 lists the AVCLI Enforcement Point commands.

Table A-7 Enforcement Point Commands

Command Description

CREATE ENFORCEMENT POINT

Creates an enforcement point with the specified name and protects the Database Firewall using either mode DAM or DPE

DROP ENFORCEMENT POINT

Drops the enforcement point

LIST ENFORCEMENT POINT

Lists all the enforcement points associated with the Database Firewall or secured target

START ENFORCEMENT POINT

Starts an enforcement point that was previously suspended

STOP ENFORCEMENT POINT

Stops the enforcement point monitoring the secured target

ALTER ENFORCEMENT POINT

Alters the enforcement point and attributes

A.4.1 CREATE ENFORCEMENT POINT

The CREATE ENFORCEMENT POINT command creates an enforcement point with the specified name and protects the Database Firewall using either mode DAM or DPE.

Syntax

CREATE ENFORCEMENT POINT enforcement_point_name 
  FOR SECURED TARGET secured_target_name 
  USING FIREWALL firewall_name 
  TRAFFIC SOURCE traffic_source_name
  WITH MODE DPE|DAM

Arguments

Argument Descriptions

enforcement_point_name

The name of the enforcement point.

secured_target_name

The name of the secured target.

firewall_name

The name of the Database Firewall.

traffic_source_name

The name of the traffic source

Example

avcli> CREATE ENFORCEMENT POINT sample_ep FOR SECURED TARGET sample_source USING 
  FIREWALL sample_fw TRAFFIC SOURCE sample_trafficsource WITH MODE DPE;

An enforcement point named sample_ep is created on Database Firewall sample_fw, using DPE mode to protect the secured target sample_source, and using the traffic source sample_trafficsource.

A.4.2 DROP ENFORCEMENT POINT

The DROP ENFORCEMENT POINT command drops the enforcement point.

Syntax

DROP ENFORCEMENT POINT enforcement_point_name

Arguments

Argument Descriptions

enforcement_point_name

The name of the enforcement point.

Example

avcli> DROP ENFORCEMENT POINT sample_ep;

The enforcement point named sample_ep is dropped from the Database Firewall.

A.4.3 LIST ENFORCEMENT POINT

The LIST ENFORCEMENT POINT command lists all the enforcement points associated with either the Database Firewall or the secured target.

Syntax

LIST ENFORCEMENT POINT FOR FIREWALL firewall_name

LIST ENFORCEMENT POINT FOR SECURED TARGET secured_target_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

secured_target_name

The name of the secured target.

Example

avcli> LIST ENFORCEMENT POINT FOR FIREWALL sample_fw;

A list of all the enforcement points associated with Database Firewall sample_fw appears.

avcli> LIST ENFORCEMENT POINT FOR SECURED TARGET sample_source;

A list of all the enforcement points associated with secured target sample_source appears.

A.4.4 START ENFORCEMENT POINT

The START ENFORCEMENT POINT command starts an enforcement point that was previously suspended.

Syntax

START ENFORCEMENT POINT enforcement_point_name
 

Arguments

Argument Descriptions

enforcement_point_name

The name of the enforcement point.

Example

avcli> START ENFORCEMENT POINT sample_ep;

The enforcement point named sample_ep starts.

A.4.5 STOP ENFORCEMENT POINT

The STOP ENFORCEMENT POINT command stops the enforcement point monitoring the secured target.

Syntax

STOP ENFORCEMENT POINT enforcement_point_name

Arguments

Argument Descriptions

enforcement_point_name

The name of the enforcement point.

Example

avcli> STOP ENFORCEMENT POINT sample_ep;

The enforcement point named sample_ep stops.

A.4.6 ALTER ENFORCEMENT POINT

The ALTER ENFORCEMENT POINT command alters the enforcement point and attributes.

Syntax

ALTER ENFORCEMENT POINT enforcement_point_name SET attribute=value 
   [, attribute=value] 

Arguments

Argument Description

enforcement_point_name

The name of the enforcement point.

attribute

The pair (attribute and new value) for the enforcement point being altered. Separate multiple pairs by a space on the command line. See Table A-8 for enforcement point attributes.

Usage Notes

Attributes are specified by a comma-separated list of key=value pairs. The following key values are supported:

Table A-8 Enforcement Point Attributes

Parameter Description

TARGET

The new secured target name, which should be registered already in the Audit Vault Server, including the address.

MODE

The mode which monitors the enforcement point. Valid modes are: DAM or DPE.

PRESERVE_CONNECTION

True or False where True indicates that when the database firewall starts operating in DPE mode (either because it had been changed from DAM, or because it has restarted), any existing connections passing through the firewall are allowed to continue. This favors availability over security, because the firewall cannot enforce policy on these connections.

False indicates that any preexisting connections are broken. The database firewall can then enforce the policy when clients reconnect. This is the default behavior.

TRAFFIC_SOURCE

New valid traffic sources for enforcement point.

DATABASE_RESPONSE

True or False indicates whether or not to activate database response monitoring function for enforcement point.

FULL_ERROR_MESSAGE

True or False enables this option. This starts logging the error message associated with the error code.

DATABASE_INTERROGATION

True or False enables this option. This starts the database interrogation feature for enforcement point.

HOST_MONITOR

True or False enables this option. This specifies whether or not the remote agent needs to be enabled.

HOST_MONITOR_ADDRESS

The new IP Address for Remote agent.

Examples

avcli> ALTER ENFORCEMENT POINT ep1 SET TARGET=newsource;

The enforcement point is altered to monitor the new secured target.

avcli> ALTER ENFORCEMENT POINT ep1 SET MODE=dam;

The enforcement point monitoring is altered to DAM mode.

avcli> ALTER ENFORCEMENT POINT ep1 SET database_response=true,
  Full_error_message=true;

The enforcement point is altered to activate database response and log error messages associated with error codes.

avcli> ALTER ENFORCEMENT POINT ep1 SET database_interrogation=true;

The enforcement point is altered to activate direct database interrogation.

A.5 Secured Target AVCLI Commands

The AVCLI secured target commands enable you to configure both database and nondatabase secured targets for Audit Vault Server.

Table A-9 lists the AVCLI secured target commands.

Table A-9 AVCLI Secured Target Commands

Command Description

REGISTER SECURED TARGET

Registers a secured target to be monitored by Audit Vault Server

ALTER SECURED TARGET

Modifies the attributes of a secured target

LIST ADDRESS FOR SECURED TARGET

Lists all the addresses registered with the secured target

LIST SECURED TARGET

Lists the various active secured targets registered with the Audit Vault Server

LIST SECURED TARGET TYPE

Lists the secured target types currently registered with Audit Vault Server

LIST ATTRIBUTE FOR SECURED TARGET

Lists the attributes of a given secured target

LIST METRICS

Lists the metrics of a given secured target, such as the various trails

DROP SECURED TARGET

Removes the registration of the specified secured target from Audit Vault Server

A.5.1 REGISTER SECURED TARGET

The REGISTER SECURED TARGET command registers a secured target to be monitored by Audit Vault Server.

Syntax

REGISTER SECURED TARGET secured_target_name OF SECURED TARGET TYPE 
   "secured_target_type" [AT location] [AUTHENTICATED BY username/password] 

Arguments

Argument Description

secured_target_name

Name of secured target. Must be unique.

secured_target_type

A valid secured target type, for example "Oracle".

See Also:

LIST SECURED TARGET TYPE to find a list of supported secured target types.

location

The secured target database connection information.

This is optional. It can be added later.

The location is an opaque string that specifies how to connect to the secured target, typically a JDBC connect string. The syntax that you use depends on the secured target type. See the database-specific Usage Notes below.

If location is not provided, certain features such as entitlement retrieval, audit settings management, SPA retrieval, and audit trail collection are disabled if applicable to this secured target type.

user_name/password

Optional. Credentials to connect to the secured target.

After you enter this argument and run the REGISTER SECURED TARGET command, Audit Vault Server prompts you for the user name and password of the secured target user account. For secured target databases, this account must exist on the secured target database.

See the database-specific Usage Notes in the following sections.

Note:

The syntax of this command will be changed in Oracle Audit Vault and Database Firewall release 20.1.0.0.0.

General Examples

avcli> HELP REGISTER SECURED TARGET;

Displays detailed help for the REGISTER SECURED TARGET command.

Oracle Database Usage Notes and Examples

  • For the location argument, enter the host name, port number, and service ID (SID), separated by a colon. Use the following syntax:

    AT host:port:service
    

    For example:

    Oracle Database: jdbc:oracle:thin:@//host:port/service
    

    If you are unsure of this connection information, then run the lsnrctl status listener_name command on the computer where you installed the secured target database.

  • The AUTHENTICATED BY command prompts for the secured target user name and password. This user account must exist in the secured target database.

    To find this user, query the SESSION_PRIVS and SESSION_ROLES data dictionary views.

Oracle Database Examples:

avcli> REGISTER SECURED TARGET sample_source OF SECURED TARGET TYPE "Oracle Database" 
   AT jdbc:oracle:thin:@//anymachinename:1521/example.com  
   AUTHENTICATED BY system/welcome_1; 

Registers an Oracle secured target, sample_source, of secured target type Oracle Database, reachable using connect string jdbc:oracle:thin:@//anymachinename:1521/example.com using credentials system/welcome_1.

SQL Server Example With DB

avcli> REGISTER SECURED TARGET sample_mssqldb OF SECURED TARGET TYPE "Microsoft SQL Server" AT jdbc:av:sqlserver://hostname:port authenticated by <user>/<password>;

SQL Server Example with Windows Authentication

avcli> REGISTER SECURED TARGET sample_mssqldb OF SECURED TARGET TYPE "Microsoft SQL Server" AT "jdbc:av:sqlserver://<Host Name>:<Port>;authenticationMethod=ntlmjava;domain=<domain name>" authenticated by <windows user>/<windows user password>;

IBM DB2 Example

avcli> REGISTER SECURED TARGET sample_db2db OF SECURED TARGET TYPE "IBM DB2 LUW" AT jdbc:av:db2://host:port;

Registers a DB2 secured target, sample_db2db, of secured target type "IBM DB2 LUW", reachable using connect string jdbc:av:db2://host:port using credentials sa/welcome_1.

A.5.2 ALTER SECURED TARGET

The ALTER SECURED TARGET command modifies the attributes of a secured target.

Syntax

ALTER SECURED TARGET secured_target_name  
   SET attribute=value [, attribute=value]

ALTER SECURED TARGET secured_target_name ADD ADDRESS ip:port:[service]

ALTER SECURED TARGET secured_target_name DROP ADDRESS ip:port:[service]

Arguments

Argument Description

secured_target_name

The name of the secured target database to be modified. The name is case-sensitive.

See Also:

LIST SECURED TARGET to find a list of existing secured targets.

attribute=value

The key/value pair for the secured target attributes of the secured target to be modified. You can modify one or more secured target attributes at a time using a space on the command line.

ip

The IP address

port

The port number

service

REQUIRED FOR ORACLE DATABASE ONLY: The service name or SID

Note:

The syntax of this command will be changed in Oracle Audit Vault and Database Firewall release 20.1.0.0.0.

Table A-10 lists secured target attributes that you can specify.

Table A-10 Secured Target Attributes

Attribute Description

NAME

The name for this secured target database instance. This must not be defined already in the Audit Vault Server for another secured target.

LOCATION

The location of the secured target

CREDENTIALS

The new set of username and password pair used to connect to the secured target. This is a two part value separated by a slash (/).

DESCRIPTION

The description for this secured target database instance

MAXIMUM_ENFORCEMENT_POINT_THREADS

The maximum number of enforcement point threads for the secured target. The valid range is between 1 and 16 (inclusive). The default value is 1.

General Usage Examples:

avcli> ALTER SECURED TARGET sample_source SET name=sample_source2;

The secured target name of sample_source changed to sample_source2.

avcli> ALTER SECURED TARGET sample_source SET credentials=scott/leopard;

The credentials used to connect to the secured target, sample_source, are changed.

avcli> ALTER SECURED TARGET sample_source SET description='This is a new description';

The description for the secured target, sample_source, is changed.

avcli> ALTER SECURED TARGET sample_source SET maximum_enforcement_point_threads=14;

Number of enforcement point threads is set for secured target, sample_source.

avcli> ALTER SECURED TARGET sample_source ADD address 192.0.2.2:1234:srcdb;

New secured target address is registered with secured target sample_source.

avcli> ALTER SECURED TARGET sample_source DROP address 192.0.2.2:1234:srcdb;

Secured target address registered before with secured target, sample_source, is dropped.

avcli> ALTER SECURED TARGET sample_source set maximum_enforcement_point_threads = 10;

Sets the maximum number of enforcement point threads for secured target sample_source to 10.

Oracle Example:

avcli> ALTER SECURED TARGET sample_source set
 location=jdbc:oracle:thin:@//new_sample_host:1521:sample_db;

The location of the secured target, sample_source, changes.
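The constraints stated in this reference (terminating semicolon, LOGLEVEL components and values from Tables A-3 and A-4, MODE of DAM or DPE, 1 to 16 enforcement point threads, the PRESERVE_CONNECTION trade-off) can be checked before an AVCLI script is run. The following Python linter is an added example, not Oracle code; the function names, the constructed sample script and the clear-text-credentials rule are assumptions of this example.

```python
import re

# Constraints stated in this reference.
LOGLEVEL_COMPONENTS = {"av.agent", "av.server", "av.common"}  # Table A-3
LOGLEVEL_VALUES = {"INFO", "WARNING", "ERROR", "DEBUG"}       # Table A-4
EP_MODES = {"DAM", "DPE"}                                     # Table A-8, MODE
MAX_THREADS = range(1, 17)                                    # Table A-10: 1 to 16 inclusive
CLEAR_TEXT = "clear-text credentials in script (review policy added by this example)"
PROMPT = re.compile(r"^avcli\s*>\s*", re.IGNORECASE)


def split_unquoted(text, sep):
    """Split text on sep, ignoring separators inside '...' or "..." quotes.
    The SQL Server example on this page has ';' inside a quoted JDBC string."""
    parts, buf, quote = [], [], None
    for ch in text:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts


def check_pair(key, value):
    """Yield findings for one key=value pair of a SET clause."""
    if key == "LOGLEVEL":
        for item in value.split("|"):
            comp, _, level = item.partition(":")
            if (comp.strip().lower() not in LOGLEVEL_COMPONENTS
                    or level.strip().upper() not in LOGLEVEL_VALUES):
                yield f"invalid LOGLEVEL entry {item.strip()!r}"
    elif key == "MODE" and value.upper() not in EP_MODES:
        yield f"MODE must be DAM or DPE, got {value!r}"
    elif key == "PRESERVE_CONNECTION" and value.lower() == "true":
        yield "PRESERVE_CONNECTION=true: existing connections are not policy-enforced in DPE mode"
    elif key == "MAXIMUM_ENFORCEMENT_POINT_THREADS":
        if not value.isdigit() or int(value) not in MAX_THREADS:
            yield f"MAXIMUM_ENFORCEMENT_POINT_THREADS must be 1 to 16, got {value!r}"
    elif key == "CREDENTIALS":
        yield CLEAR_TEXT


def lint(script):
    """Return (command_number, finding) tuples for the text of an AVCLI script."""
    findings = []
    chunks = split_unquoted(script, ";")
    tail = chunks.pop()                      # whatever follows the last ';'
    unterminated = 0
    if tail.strip():
        chunks.append(tail)
        unterminated = len(chunks)
    for n, raw in enumerate(chunks, 1):
        cmd = PROMPT.sub("", " ".join(raw.split()))
        if not cmd:
            continue
        if n == unterminated:
            findings.append((n, "missing terminating semicolon"))
        if re.search(r"\bAUTHENTICATED BY\s+\S+/\S+", cmd, re.IGNORECASE):
            findings.append((n, CLEAR_TEXT))
        mode = re.search(r"\bWITH MODE\s+(\S+)", cmd, re.IGNORECASE)
        if mode and mode.group(1).upper() not in EP_MODES:
            findings.append((n, f"MODE must be DAM or DPE, got {mode.group(1)!r}"))
        clause = re.search(r"\bSET\s+(.*)$", cmd, re.IGNORECASE)
        if clause:
            for pair in split_unquoted(clause.group(1), ","):
                key, _, value = pair.partition("=")
                findings.extend((n, f) for f in check_pair(key.strip().upper(), value.strip()))
    return findings


# Constructed sample script (not from a real deployment).
SAMPLE = """
ALTER HOST sample_host.example.com SET loglevel=av.agent:info|av.common:debug;
ALTER HOST sample_host.example.com SET loglevel=av.agent:trace;
ALTER ENFORCEMENT POINT ep1 SET MODE=dpe, preserve_connection=true;
ALTER SECURED TARGET sample_source SET maximum_enforcement_point_threads=32;
REGISTER SECURED TARGET sample_mssqldb OF SECURED TARGET TYPE "Microsoft SQL Server"
  AT "jdbc:av:sqlserver://host:1433;authenticationMethod=ntlmjava;domain=example";
ALTER SECURED TARGET sample_source SET description='old; kept, for now'
"""

if __name__ == "__main__":
    for number, finding in lint(SAMPLE):
        print(f"command {number}: {finding}")
```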

A.5.3 UPLOAD OR DELETE WALLET FILE

This command is used to upload and delete a secured target wallet file.

Syntax

ALTER SECURED TARGET <Secured target name> SET WALLET_FILE=<Path of the wallet file>

ALTER SECURED TARGET <Secured target name> DROP ATTRIBUTE WALLET_FILE

Arguments

Argument Description

<Secured target name>

Name of the secured target.

WALLET_FILE

Name of wallet attribute (Key).

<Path of the wallet file>

Path to wallet file (Value).

A.5.4 LIST ADDRESS FOR SECURED TARGET

The LIST ADDRESS FOR SECURED TARGET command lists all the addresses registered with the secured target.

Syntax

LIST ADDRESS FOR SECURED TARGET secured_target_name

Arguments

Argument Descriptions

secured_target_name

The name of the secured target.

Example

avcli> LIST ADDRESS FOR SECURED TARGET sample_source;

All the addresses for secured target, sample_source, appear.

A.5.5 LIST SECURED TARGET

The LIST SECURED TARGET command lists the active secured targets registered with the Audit Vault Server.

Syntax

LIST SECURED TARGET;

Lists the active secured targets registered with the Audit Vault Server.

A.5.6 LIST SECURED TARGET TYPE

The LIST SECURED TARGET TYPE command lists the secured target types currently supported in the Audit Vault Server.

Syntax

LIST SECURED TARGET TYPE

Examples

avcli> LIST SECURED TARGET TYPE;

Lists the secured target types currently supported in the Audit Vault Server.

A.5.7 LIST ATTRIBUTE FOR SECURED TARGET

The LIST ATTRIBUTE FOR SECURED TARGET command lists the attributes of a given secured target.

Syntax

LIST ATTRIBUTE FOR SECURED TARGET secured target name;

Arguments

Argument Description

secured target name

The name of the secured target. To find all registered secured targets, see "LIST SECURED TARGET".

A.5.8 LIST METRICS

The LIST METRICS command lists the metrics of a given secured target, such as various trails.

Syntax

LIST METRICS FOR SECURED TARGET secured_target_name

Arguments

Argument Description

secured_target_name

The name of the secured target

To find all registered secured targets, see "LIST SECURED TARGET".

Usage Notes

The LIST METRICS command has the same usage for all secured target types.

Examples

avcli> LIST METRICS FOR SECURED TARGET sample_source;

Metrics available for the secured target, sample_source, are listed.

A.5.9 DROP SECURED TARGET

The DROP SECURED TARGET command removes the registration of the specified secured target from Audit Vault Server.

Syntax

DROP SECURED TARGET secured_target_name

Arguments

Argument Description

secured_target_name

The name of the secured target. To find all registered secured targets, see "LIST SECURED TARGET".

Usage Notes

Ensure that all trails associated with this secured target are in stopped state before dropping the secured target. Otherwise, the DROP SECURED TARGET command fails. See HELP STOP COLLECTION for an explanation of how to stop active trails.

Dropping a secured target stops the Audit Vault Server from monitoring it. Any audit data collected earlier continues to be available in the Audit Vault Server repository.

Examples

avcli> DROP SECURED TARGET sample_source;

Drops the sample_source secured target.

A.6 Target Group AVCLI Commands

The AVCLI target group commands enable you to alter a target group.

Table A-11 lists the AVCLI target group commands.

Table A-11 AVCLI Target Group Commands

Command Description

ADD TARGET

Adds a specific target to a target group.

DELETE TARGET

Deletes a specific target from a target group.

A.6.1 ADD TARGET

Use this command to add a specific target to a target group.

Syntax

ALTER TARGETGROUP <target group name> ADD TARGET <target name>

HELP ALTER TARGETGROUP

Arguments

Argument Description

help

To seek help on available options.

target name

The name of the specific target that needs to be added.

target group name

The name of the specific target group.

Example

avcli> alter targetgroup tg1 add target t1;

A.6.2 DELETE TARGET

Use this command to delete a specific target from a target group.

Syntax

ALTER TARGETGROUP <target group name> DELETE TARGET <target name>

HELP ALTER TARGETGROUP

Arguments

Argument Description

help

To seek help on available options.

target name

The name of the specific target that needs to be deleted.

target group name

The name of the specific target group.

Example

avcli> alter targetgroup tg1 delete target t1;

A.7 Audit Trail Collection AVCLI Commands

The AVCLI secured target audit trail collection commands enable you to manage the audit trail collections for the secured targets.

Table A-12 lists the AVCLI secured target connection commands.

Table A-12 AVCLI Secured Target Connection Commands

Command Description

START COLLECTION FOR SECURED TARGET

Starts the collection of specified audit trail data from a given secured target

STOP COLLECTION FOR SECURED TARGET

Stops the audit trail collection

LIST TRAIL FOR SECURED TARGET

Lists the available audit trails that have been started with the START COLLECTION command or stopped with the STOP COLLECTION command

DROP TRAIL FOR SECURED TARGET

Drops an audit trail

A.7.1 START COLLECTION FOR SECURED TARGET

The START COLLECTION FOR SECURED TARGET command starts the collection of specified audit trail data from a given secured target, optionally using the specified collection plug-in.

Syntax

START COLLECTION FOR SECURED TARGET secured_target_name USING HOST host FROM location
   [USING PLUGIN plugin id]

Arguments

Argument Description

secured_target_name

The name of the secured target whose audit trail collection you want to begin.

host

The name of the host where the secured target agent resides.

location

The location is one of the following:

  • DIRECTORY directory name / mask

  • TABLE tablename

  • SYSLOG DEFAULT | filename / file mask

  • NETWORK

  • EVENT LOG eventlog_name

  • TRANSACTION LOG

  • CUSTOM name

plugin id

The collection plug-in id being used. Required if there is more than one possible plug-in. Optional if there is only one plug-in.

General Usage Notes

To start the trail, the agent process that manages the trail must also be in a running state. If the collection process connects to the secured target, the secured target must be up and running. When multiple plug-ins can process audit data from a secured target, use the optional USING PLUGIN directive to disambiguate the collection process.

A trail starts in the START_REQUESTED state and transitions to a starting state, followed by a running state. If there is no outstanding audit data to process from the given trail, the collection process switches to an idle state. The current state can be viewed using the LIST TRAIL command.

If a trail must be authenticated, the Audit Vault Server uses the credentials provided in the AUTHENTICATED BY argument of the REGISTER SECURED TARGET command.

After you run the START COLLECTION command, the Audit Vault Server begins to collect audit data from the configured secured targets. If you want to stop the collection, then run the STOP COLLECTION command.

Windows Systems Usage Notes

On Windows systems, enter directory and file name locations in either double-quoted strings or as a nonquoted string using forward slashes. For example:

... FROM DIRECTORY "c:\app\oracle\product\11.1\av";

... FROM DIRECTORY c:/app/oracle/product/11.1/av;

General Examples

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM
   directory /opt/audit_trail;

Audit data collection from trail /opt/audit_trail for secured target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM TABLE sys.aud$;

Audit data collection from table trail sys.aud$ for secured target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM syslog
   /usr/syslog/syslog*;

Collecting syslog trail /usr/syslog/syslog* for secured target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM event
  log application;

Collecting application event log trail for secured target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo 
  FROM transaction log;

Collecting transaction log trails for secured target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo
  FROM TABLE sys.aud$ USING PLUGIN com.sample_plugin;

Audit data collection from table trail sys.aud$ for the secured target sample_source, using the com.sample_plugin plug-in, starts.

Oracle Database Secured Target Usage Notes

Audit Trail Settings

For the operating system type of audit trail, use the following settings:

Type of Audit Trail | trail_type Setting | audit_trail Setting
Operating system directory | DIRECTORY | directory_location
Syslog file | SYSLOG | file_name
Windows event log | EVENTLOG | N/A

SQL Server Secured Target Usage Notes

Audit Trail Settings

You can write the SQL Server audit trail to the Windows event log, C2 trace files, or server side trace files. The FROM trail_type audit_trail arguments are as follows:

Type of Audit Trail | trail_type Setting | audit_trail Setting
Windows event log | EVENTLOG | N/A
C2 trace file | DIRECTORY | file_wildcard
Server-side trace files | DIRECTORY | file_wildcard
SQLAUDIT files | DIRECTORY | file_wildcard

Best Practice:

The user must have admin privileges to access the security event log collector system. The user has an option to choose the following properties as the maximum event log size.

Event Log Properties To Accomplish

Overwrite event as needed

To delete the oldest event first. It automatically clears events.

Do not overwrite events

To avoid overwriting of existing events. In this case the user has to manually clear the event log.

Sybase ASE Secured Target Usage Notes and Examples

For the Sybase ASE audit trail, set the trail_type audit_trail setting to TABLE SYSAUDITS.

Sybase ASE Example

avcli> START COLLECTION FOR SECURED TARGET hr_syb_db USING HOST sybserver 
FROM TABLE SYSAUDITS;

MySQL Usage Notes

The trail location is the path to the directory where converted XML files are created by running the MySQL XML transformation utility.

IBM DB2 Usage Notes and Examples

For the IBM DB2 audit trail, set the trail_type audit_trail setting to DIRECTORY directory_location.

IBM DB2 Example

avcli> START COLLECTION FOR SECURED TARGET hr_db2_db USING HOST db2server
FROM DIRECTORY "d:\temp\trace";

Oracle Solaris Secured Target Usage Notes

For an Oracle Solaris secured target, the trail location used in this command must be in the format:

hostname:path_to_trail

where hostname matches the hostname in the audit log names, which look like this:

timestamp1.timestamp2.hostname

Windows Secured Target Usage Notes

For a Windows secured target, the event log audit trail type collects data from the Windows Security Event Log. The trail location used in this command must be security.

Best Practice:

The user must have admin privileges to access the security event log collector system. The user has an option to choose the following properties as the maximum event log size.

Event Log Properties To Accomplish

Overwrite event as needed

To delete the oldest event first. It automatically clears events.

Do not overwrite events

To avoid overwriting of existing events. In this case the user has to manually clear the event log.

Active Directory Secured Target Usage Notes

For Active Directory secured target, the event log audit trail type collects data from the security and directory service. The trail location used in this command must be security or directory service.

Best Practice:

It is recommended to select Overwrite event as needed (Oldest event first) or Do not overwrite events.

Event Log Properties When Maximum Event Log Size Is Reached To Accomplish

Overwrite event as needed

To delete the oldest event first. It automatically clears events.

Do not overwrite events

To avoid overwriting of existing events. In this case the user has to manually clear the event log.
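The per-target location rules in the usage notes above can be checked before a START COLLECTION command is submitted. The following Python check is an added example, not Oracle code; the function names and the target-type labels (sybase, db2, windows, active_directory, solaris) are assumptions made for illustration.

```python
import re

# Location keywords from the START COLLECTION syntax above. The tables on this
# page spell the event log type EVENTLOG, so both spellings are accepted.
_LOCATION = re.compile(
    r"^(DIRECTORY|TABLE|SYSLOG|NETWORK|EVENT\s*LOG|TRANSACTION\s+LOG|CUSTOM)\b\s*(.*)$",
    re.IGNORECASE,
)

# Per-target rules taken from the usage notes. The dictionary keys are
# hypothetical labels chosen for this example, not AVCLI identifiers.
_REQUIRED = {
    "sybase": ("TABLE", {"sysaudits"}),
    "windows": ("EVENTLOG", {"security"}),
    "active_directory": ("EVENTLOG", {"security", "directory service"}),
    "db2": ("DIRECTORY", None),  # any directory_location is accepted
}


def parse_location(location):
    """Split the text after FROM into (normalized keyword, value)."""
    m = _LOCATION.match(" ".join(location.split()))
    if not m:
        raise ValueError("unknown trail location type: %r" % location)
    keyword = re.sub(r"\s+", "", m.group(1)).upper()  # EVENT LOG -> EVENTLOG
    return keyword, m.group(2).strip()


def check_location(target_type, location, audit_log_names=()):
    """Return a list of problems; an empty list means the location is
    consistent with the usage notes for that target type."""
    keyword, value = parse_location(location)
    problems = []

    # Windows rule: a double-quoted string, or nonquoted with forward slashes.
    quoted = len(value) >= 2 and value[0] == '"' and value[-1] == '"'
    if "\\" in value and not quoted:
        problems.append("backslash path must be double-quoted or use forward slashes")
    bare = value[1:-1] if quoted else value

    rule = _REQUIRED.get(target_type)
    if rule:
        want_keyword, allowed = rule
        if keyword != want_keyword:
            problems.append("%s trail type must be %s, got %s"
                            % (target_type, want_keyword, keyword))
        elif allowed is not None and bare.lower() not in allowed:
            problems.append("%s trail location must be one of %s"
                            % (target_type, sorted(allowed)))

    if target_type == "solaris":
        # Required form is hostname:path_to_trail, where hostname is the suffix
        # of the audit log names (timestamp1.timestamp2.hostname).
        host, sep, path = bare.partition(":")
        if not sep or not host or not path:
            problems.append("solaris location must be hostname:path_to_trail")
        else:
            suffixes = {n.split(".", 2)[2] for n in audit_log_names
                        if n.count(".") >= 2}
            if suffixes and host not in suffixes:
                problems.append("hostname %r not found in audit log names" % host)
    return problems
```

Pass the text that follows FROM, without the trailing semicolon, and for Solaris also pass the audit log file names found on the host.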

A.7.2 STOP COLLECTION FOR SECURED TARGET

The STOP COLLECTION FOR SECURED TARGET command stops the audit trail collection.

Syntax

STOP COLLECTION FOR SECURED TARGET secured_target_name USING HOST hostname FROM location
 [USING PLUGIN plugin_id]

Arguments

Argument Description

secured_target_name

The name of the secured target for the trail collection you want to stop.

hostname

The name of the host where the secured target agent resides.

location

The location is one of the following:

  • DIRECTORY directory name / mask

  • TABLE tablename

  • SYSLOG DEFAULT | filename / file mask

  • NETWORK

  • EVENT LOG eventlog name

  • TRANSACTION LOG

  • CUSTOM name

plugin_id

The collection plug-in id being used. Required if there is more than one possible plug-in. Optional if there is only one plug-in.

General Usage Notes

Since the command is sent to the trail directly, the agent process does not need to be in running state. When multiple plug-ins process audit data from a secured target, use the optional USING PLUGIN directive to disambiguate the process.

A trail will be in a STOP_REQUESTED state when stopped and transitions to a stopping state, followed by a stopped state.

Windows Systems Usage Notes

On Windows systems, enter directory and file name locations in either double-quoted strings or as a nonquoted string using forward slashes. For example:

... FROM DIRECTORY "c:\app\oracle\product\11.1\av";

... FROM DIRECTORY c:/app/oracle/product/11.1/av;

General Examples

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM directory /opt/audit_trail;

Audit data collection from trail /opt/audit_trail for secured target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM TABLE sys.aud$;

Audit data collection from table trail sys.aud$ for secured target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM syslog
  /usr/syslog/syslog*;

Collecting syslog trail /usr/syslog/syslog* for secured target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM event log application;

Collecting application event log trail for secured target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM transaction log;

Collecting transaction log trail for secured target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM TABLE sys.aud$ USING PLUGIN com.sample_plugin;

Audit data collection from table sys.aud$ for the secured target sample_source, using the com.sample_plugin plug-in, stops.

Oracle Database Usage Notes and Examples

Audit Trail Settings

For the operating system type of audit trail, use the following settings:

Oracle Database Examples

Operating system directory example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM DIRECTORY $ORACLE_HOME/logs;

Operating system syslog file example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM SYSLOG /etc/syslog.conf;

Operating system Windows event log example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM EVENTLOG;

Database audit trail example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM TABLE sys.aud$;

REDO log example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM TRANSACTION LOG;

SQL Server Usage Notes and Example

The SQL Server audit trail can be in the Windows event log, C2 trace files, or server side trace files. The FROM trail_type audit_trail arguments are as follows:

Type of Audit Trail | trail_type Setting | audit_trail Setting
Windows event log | EVENTLOG | n/a
C2 trace file | C2TRACE | file_wildcard
Server-side trace files | SERVERSIDETRACE | file_wildcard

SQL Server Examples

Windows event log example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST mssqlserver 
FROM EVENTLOG;

C2 trace example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST mssqlserver 
FROM DIRECTORY "c:\SQLAuditFile*.trc";

Server-side trace example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST mssqlserver 
FROM DIRECTORY "c:\SQLAuditFile*.trc";

Sybase ASE Usage Notes and Example

For the Sybase ASE audit trail, set the trail_type audit_trail setting to TABLE SYSAUDITS.

Sybase ASE Example

avcli> STOP COLLECTION FOR SECURED TARGET hr_syb_db USING HOST sybserver 
FROM TABLE SYSAUDITS;

MySQL Usage Notes

The trail location is the path to the directory where converted XML files are created by running the MySQL XML transformation utility.

IBM DB2 Usage Notes and Example

For the IBM DB2 audit trail, set the trail_type audit_trail setting to DIRECTORY directory_location.

IBM DB2 Example

avcli> STOP COLLECTION FOR SECURED TARGET hr_db2_db USING HOST db2server
FROM DIRECTORY "d:\temp\trace";

Oracle Solaris Usage Notes

For Oracle Solaris, the trail location must be in the format:

hostname:path_to_trail

where hostname matches the hostname in the audit log names, which look like this:

timestamp1.timestamp2.hostname

Windows Secured Target Usage Notes

For a Windows secured target, the event log audit trail type collects data from the Windows Security Event Log. The trail location used in this command must be security.

A.7.3 LIST TRAIL FOR SECURED TARGET

The LIST TRAIL FOR SECURED TARGET command lists the available audit trails that have been started with the START COLLECTION command or stopped with the STOP COLLECTION command.

Syntax

LIST TRAIL FOR SECURED TARGET secured_target_name

Arguments

Argument Description

secured_target_name

The name of the secured target.

To find a list of existing secured targets, see "LIST SECURED TARGET".

Usage Notes

LIST TRAIL FOR SECURED TARGET does not list audit trails that have been created but not yet started or stopped.

Examples

avcli> LIST TRAIL FOR SECURED TARGET sample_source;

The trails available for the secured target sample_source are listed.

A.7.4 DROP TRAIL FOR SECURED TARGET

The DROP TRAIL FOR SECURED TARGET command drops a trail that no longer needs to be monitored.

Note:

An audit trail must be in a STOPPED state in order for it to be dropped. A trail that has previously collected audit data associated with it cannot be dropped.

Syntax

DROP TRAIL FOR SECURED TARGET secured_target_name USING HOST hostname FROM location

Arguments

Argument Description

secured_target_name

The name of the secured target whose audit trail you want to drop.

hostname

The name of the host where the secured target agent resides.

location

The location is one of the following:

  • DIRECTORY directory name / mask

  • TABLE tablename

  • SYSLOG DEFAULT | filename / file mask

  • NETWORK

  • EVENT LOG eventlog name

  • TRANSACTION LOG

  • CUSTOM name

Examples

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo FROM
   DIRECTORY /opt/audit_trail;

The audit trail from the directory /opt/audit_trail for secured target sample_source is dropped.

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo FROM TABLE sys.aud$;

The audit trail from table trail sys.aud$ for secured target sample_source is dropped.

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo FROM SYSLOG DEFAULT
   /usr/syslog/syslog*;

Syslog trail /usr/syslog/syslog* for secured target sample_source is dropped.

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo 
   FROM TRANSACTION LOG;

The transaction log trail for secured target sample_source is dropped.

A.8 SMTP Connection AVCLI Commands

The AVCLI SMTP commands enable you to manage SMTP email notifications for Audit Vault Server reports and alerts.

Table A-13 lists the SMTP-specific AVCLI commands.

Table A-13 AVCLI SMTP Commands

Command Description

REGISTER SMTP SERVER

Registers the SMTP server configuration with the Audit Vault Server

ALTER SMTP SERVER

Modifies the SMTP server configuration and state

ALTER SMTP SERVER ENABLE

Enables SMTP server configurations for servers registered with the REGISTER SMTP SERVER command or modified with the ALTER SMTP SERVER command

ALTER SMTP SERVER DISABLE

Disables the SMTP server configuration

ALTER SMTP SERVER SECURE MODE ON

Enables the SMTP server configuration and specifies the secure protocol mode used

ALTER SMTP SERVER SECURE MODE OFF

Disables secure mode in an existing secure SMTP server

TEST SMTP SERVER

Tests SMTP integration with the Audit Vault Server by sending a test email

LIST ATTRIBUTE OF SMTP SERVER

Displays the current SMTP configuration details used by Audit Vault Server

DROP SMTP SERVER

Unregisters the SMTP Server registered with the Audit Vault Server and removes any associated configuration metadata

A.8.1 REGISTER SMTP SERVER

The REGISTER SMTP SERVER command registers the SMTP server configuration with the Audit Vault Server.

Syntax

REGISTER SMTP SERVER AT host:[port] SENDER ID sender_id SENDER EMAIL sender_email 
[AUTHENTICATED BY username/password]

Arguments

Argument Description

host:[port]

The name, and optionally, the outgoing port number of the SMTP server. The port defaults to 25, if unspecified.

sender_id

The user ID of the person responsible for sending the email (that is, the email address that appears after From).

sender_email

The email address of the person whose ID you entered for the SENDER ID, in Request For Comments (RFC) 822 format.

username/password

Optional. The authentication credentials for the recipient user.

If the SMTP server runs in authenticated mode and needs a valid username/password to connect to send emails, use the AUTHENTICATED BY clause to specify those credentials.

Note:

The syntax of this command will be changed in Oracle Audit Vault and Database Firewall release 20.1.0.0.0.

Usage Notes

  • Right after you create the SMTP server configuration, it is enabled and ready to use.

  • If the SMTP server is a secure server, then run the ALTER SMTP SERVER SECURE MODE ON command after you run REGISTER SMTP SERVER.

  • To test the configuration, run the TEST SMTP SERVER command.

  • This command associates the sender id and sender email with this configuration data so that all generated emails are sent with this sender id and sender email.

Examples

avcli> REGISTER SMTP SERVER AT sample_mail.example.com SENDER ID "do-not-reply" SENDER EMAIL donotreply@example.com;

For an SMTP server running in non-authentication mode at sample_mail.example.com, all email is generated and sent from the address: do-not-reply<donotreply@example.com>.

avcli> REGISTER SMTP SERVER AT sample_mail.example.com:455 SENDER ID av-alerts  SENDER
  EMAIL avalerts@example.com AUTHENTICATED BY smtpuser/smtppass;

For an SMTP server running in authentication mode at sample_mail.example.com, port 455; all email is generated and sent from the address: av-alerts<avalerts@example.com>. The credentials smtpuser/smtppass connect to this server to send emails.

A.8.2 ALTER SMTP SERVER

The ALTER SMTP SERVER command modifies the SMTP server configuration and state.

Syntax

ALTER SMTP SERVER AT host:[port] [SENDER ID sender_id] |
  [SENDER EMAIL sender_email] | [AUTHENTICATED BY username/password]

Arguments

Argument Description

host:[port]

The name, and optionally, the outgoing port number of the SMTP server. The port defaults to 25.

sender_id

The user ID of the person responsible for sending the email (that is, the email address that appears after From).

sender_email

The email address of the person whose ID you entered for the SENDER ID, in Request For Comments (RFC) 822 format.

username/password

Optional. The authentication credentials for the recipient user.

If the SMTP server runs in authenticated mode and needs a valid username/password to connect to send emails, use the AUTHENTICATED BY clause to specify those credentials.

Note:

The syntax of this command will be changed in Oracle Audit Vault and Database Firewall release 20.1.0.0.0.

Usage Notes

  • After you complete the SMTP server configuration, it is enabled and ready to use.

  • If the SMTP server is a secure server, then run the ALTER SMTP SERVER SECURE MODE ON command after you run REGISTER SMTP SERVER.

  • To test the configuration, run the TEST SMTP SERVER command.

  • If you omit an argument, then Audit Vault Server uses the previously configured setting.

Example

avcli> ALTER SMTP SERVER AT new_sample_host:465;

The host and port configuration information of the SMTP server is changed.

avcli> ALTER SMTP SERVER SENDER ID new-do-not-reply;

The sender ID configuration information of the SMTP server is changed.

avcli> ALTER SMTP SERVER AT new_sample_host:465 sender id new-do-not-reply;

The host and port as well as the sender ID of the SMTP server are changed.

A.8.3 ALTER SMTP SERVER ENABLE

The ALTER SMTP SERVER ENABLE command enables SMTP server configurations for servers registered with the REGISTER SMTP SERVER command or modified with the ALTER SMTP SERVER command.

Syntax

ALTER SMTP SERVER ENABLE

Usage Notes

  • When you enable the configuration, Audit Vault Server uses the configuration that was in place when you last disabled the SMTP configuration.

  • To find details about the most recent service configuration, see "LIST ATTRIBUTE OF SMTP SERVER".

Example

avcli> ALTER SMTP SERVER ENABLE;

SMTP integration is enabled.

Enables the integration between the Audit Vault and SMTP server.

A.8.4 ALTER SMTP SERVER DISABLE

The ALTER SMTP SERVER DISABLE command disables the SMTP server configuration.

Syntax

ALTER SMTP SERVER DISABLE

Usage Notes

  • After you disable the configuration, Audit Vault Server preserves the most recent configuration. So, when you re-enable the configuration, this configuration is made active again.

  • To find details about the most recent service configuration, see "LIST ATTRIBUTE OF SMTP SERVER".

  • This command may be useful when the SMTP Server is down for system maintenance.

Example

avcli> ALTER SMTP SERVER DISABLE;

SMTP integration is disabled.

Disables the integration between the Audit Vault and SMTP server.

A.8.5 ALTER SMTP SERVER SECURE MODE ON

The ALTER SMTP SERVER SECURE MODE ON command enables the SMTP server configuration and specifies the secure protocol mode used.

Syntax

ALTER SMTP SERVER SECURE MODE ON PROTOCOL [SSL | TLS ] [TRUSTSTORE location]

Arguments

Argument Description

PROTOCOL

Optional: One of the following types of protocol:

  • SSL: Secure Sockets Layer (default)

  • TLS: Transport Layer Security

location

The path to the truststore file used to validate the server certificates. Optional.

Usage Notes

Run this command after you run either the REGISTER SMTP SERVER or ALTER SMTP SERVER command.

Only run this command if the SMTP server that you are configuring is a secure server.

Examples

avcli> ALTER SMTP SERVER SECURE MODE ON PROTOCOL ssl TRUSTSTORE /sample_tstore;

This command acknowledges that the SMTP Server registered with Oracle Audit Vault Server is in secure mode, that is, supports SSL or TLS, and uses the file /sample_tstore to validate the certificate obtained from the SMTP Server during connects.

avcli> ALTER SMTP SERVER SECURE MODE ON PROTOCOL tls TRUSTSTORE /sample_tstore;

This example sets TLS protocol instead of SSL.

A.8.6 ALTER SMTP SERVER SECURE MODE OFF

The ALTER SMTP SERVER SECURE MODE OFF command disables secure mode in an existing secure SMTP server.

Syntax

ALTER SMTP SERVER SECURE MODE OFF

Usage Notes

Run this command after you run either the REGISTER SMTP SERVER or ALTER SMTP SERVER command.

Example

avcli> ALTER SMTP SERVER SECURE MODE OFF;

Updated SMTP server configuration to not use secure protocol.

Sets the SMTP Server registered with Oracle Audit Vault Server to non-secure mode.

A.8.7 TEST SMTP SERVER

The TEST SMTP SERVER command tests SMTP integration with the Audit Vault Server by sending a test email.

Syntax

TEST SMTP SERVER SEND EMAIL TO email_address 

Arguments

Argument Description

email_address

Recipient of the test email notification

Usage Notes

  • If the test fails, then check the configuration by running the LIST ATTRIBUTE OF SMTP SERVER command.

  • You can recreate the configuration by running the ALTER SMTP SERVER command.

  • If there are no errors, a test email appears in the mail box of the user specified by the e-mail address argument.

  • You can provide a list of comma-separated email addresses to this command.

  • An SMTP server must first be registered with the Audit Vault Server before this command can be used.

Example

avcli> TEST SMTP SERVER SEND EMAIL TO me@example.com;

To test the SMTP integration, a test email is sent to the email address, me@example.com.

avcli> TEST SMTP SERVER SEND EMAIL TO abc@example1.com,xyz@example2.com;

To test the SMTP integration, a test email is sent to the email address list, abc@example1.com,xyz@example2.com.

A.8.8 LIST ATTRIBUTE OF SMTP SERVER

The LIST ATTRIBUTE OF SMTP SERVER command displays the current SMTP configuration details used by Audit Vault Server.

Syntax

LIST ATTRIBUTE OF SMTP SERVER

Usage Notes

To reconfigure the SMTP service connection, run the ALTER SMTP SERVER command.

Example

avcli> LIST ATTRIBUTE OF SMTP SERVER;

The configuration data/attributes for the SMTP server appear.

A.8.9 DROP SMTP SERVER

The DROP SMTP SERVER command unregisters the SMTP Server registered with the Audit Vault Server and removes any associated configuration metadata.

Syntax

DROP SMTP SERVER

Example

avcli> DROP SMTP SERVER;

SMTP server unregistered successfully.

The SMTP Server is unregistered and any associated configuration metadata is removed.

A.9 Security Management AVCLI Commands

The AVCLI security management commands enable you to manage various administrator and super administrator privileges.

Table A-14 AVCLI Security Management Commands

Command Description

ALTER DATA ENCRYPTION

Changes Transparent Data Encryption (TDE) configuration to rekey or to reset the repository encryption password

SHOW DATA ENCRYPTION STATUS

Shows whether data encryption is enabled or disabled for the Audit Vault Server repository

GRANT SUPERADMIN

Grants super administrator privileges to the user specified by username

REVOKE SUPERADMIN

Revokes super administrator privileges from users specified by username

GRANT ACCESS

Grants access to secured target name or secured target group name to specified user

REVOKE ACCESS

Revokes access to secured target or secured target group name from specified user

GRANT ADMIN

Grants administrator privileges to specified user

REVOKE ADMIN

Revokes administrator privileges from specified user

ALTER USER

Unlocks a user account

A.9.1 ALTER DATA ENCRYPTION

The ALTER DATA ENCRYPTION command lets a super administrator change the Transparent Data Encryption (TDE) configuration in the Audit Vault Server repository. A super administrator can use this command to rekey the master encryption key, or to reset the repository encryption (wallet) password.

Syntax

ALTER DATA ENCRYPTION REKEY

ALTER DATA ENCRYPTION CHANGE WALLET PASSWORD

Examples

avcli> ALTER DATA ENCRYPTION REKEY;

This command rekeys the master encryption key for the Audit Vault Server repository.

avcli> ALTER DATA ENCRYPTION CHANGE WALLET PASSWORD;

This command prompts you to change the repository encryption (wallet) password.

A.9.2 SHOW DATA ENCRYPTION STATUS

The SHOW DATA ENCRYPTION STATUS command shows whether encryption is enabled or disabled. Encryption is automatically enabled on new installations.

Syntax

SHOW DATA ENCRYPTION STATUS

Example

avcli> SHOW DATA ENCRYPTION STATUS;

This command shows the encryption status (enabled or disabled).

A.9.3 GRANT SUPERADMIN

The GRANT SUPERADMIN command grants super administrator privileges to the user specified by username.

Syntax

GRANT SUPERADMIN TO username

Arguments

Argument Description

username

The specified user.

Usage Notes

This user automatically receives regular administrator rights as well.

Example

avcli> GRANT SUPERADMIN TO scott;

Super administrator (and administrator) privileges granted to user scott.

A.9.4 REVOKE SUPERADMIN

The REVOKE SUPERADMIN command revokes super administrator privileges from users specified by username.

Syntax:

REVOKE SUPERADMIN FROM username

Arguments

Argument Description

username

The specified user.

Usage Notes

The user continues to retain regular administrator rights.

Example:

avcli> REVOKE SUPERADMIN FROM scott;

Super administrator privileges are revoked from user scott.

A.9.5 GRANT ACCESS

The GRANT ACCESS command grants access to a secured target name or secured target group name to a specified user.

Syntax

GRANT ACCESS ON SECURED TARGET secured_target_name TO username

GRANT ACCESS ON SECURED TARGET GROUP secured_target_group_name TO username

Arguments

Argument Description

username

The specified user.

secured_target_name

The name of the secured target.

secured_target_group_name

The name of the secured target group.

Example

avcli> GRANT ACCESS ON SECURED TARGET sample_source TO scott;

User scott granted access to secured target sample_source.

avcli> GRANT ACCESS ON SECURED TARGET GROUP hr_db_group TO hr;

User hr granted access to group of secured targets specified by the group hr_db_group.

A.9.6 REVOKE ACCESS

The REVOKE ACCESS command revokes access to a secured target or secured target group name from a specified user.

Syntax

REVOKE ACCESS ON SECURED TARGET secured_target_name FROM username

REVOKE ACCESS ON SECURED TARGET GROUP secured_target_group_name FROM username

Arguments

Argument Description

username

The specified user.

secured_target_name

The name of the secured target.

secured_target_group_name

The name of the secured target group.

Example

avcli> REVOKE ACCESS ON SECURED TARGET sample_source FROM scott;

Access to secured target sample_source revoked from user scott.

avcli> REVOKE ACCESS ON SECURED TARGET GROUP hr_db_group FROM hr;

Access to a group of secured targets specified by the group hr_db_group revoked from user hr.

A.9.7 GRANT ADMIN

The GRANT ADMIN command grants administrator privileges to a specified user.

Syntax

GRANT ADMIN TO username

Arguments

Argument Description

username

The specified user.

Example

avcli> GRANT ADMIN TO scott;

Administrator privileges granted to user scott.

A.9.8 REVOKE ADMIN

The REVOKE ADMIN command revokes administrator privileges from a specified user.

Syntax:

REVOKE ADMIN FROM username

Arguments

Argument Description

username

The specified user.

Example:

avcli> REVOKE ADMIN FROM scott;

Administrator privileges revoked from user scott.

A.9.9 ALTER USER

The ALTER USER command unlocks a user account. Only super administrators can run this command.

Syntax:

ALTER USER username ACCOUNT UNLOCK

Example:

avcli> ALTER USER scott ACCOUNT UNLOCK;

The account for user scott is unlocked.
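Commands from sections A.8 and A.9 change notification transport, credentials, and privileges, so a saved list of AVCLI commands is worth reviewing before it is run. The following Python check is an added example, not Oracle code; the rule names and the practice of keeping the commands in a text file are assumptions.

```python
import re

# Constructed sample: commands copied from the examples in this reference, as
# they might be saved in a command file (the file itself is an assumption).
SAMPLE = r'''REGISTER SMTP SERVER AT sample_mail.example.com:455 SENDER ID av-alerts SENDER
  EMAIL avalerts@example.com AUTHENTICATED BY smtpuser/smtppass;
ALTER SMTP SERVER SECURE MODE ON PROTOCOL tls TRUSTSTORE /sample_tstore;
ALTER SMTP SERVER SECURE MODE OFF;
START COLLECTION FOR SECURED TARGET hr_db2_db USING HOST db2server
FROM DIRECTORY "d:\temp\trace";
GRANT SUPERADMIN TO scott;
ALTER USER scott ACCOUNT UNLOCK;
LIST TRAIL FOR SECURED TARGET sample_source
'''

# Review rules (names are hypothetical). Each pattern matches command syntax
# that appears in this reference.
RULES = [
    ("inline-credentials",
     re.compile(r"\bAUTHENTICATED\s+BY\s+\S+/\S+", re.I),
     "password is written in clear text in the command file"),
    ("smtp-secure-mode-off",
     re.compile(r"^ALTER\s+SMTP\s+SERVER\s+SECURE\s+MODE\s+OFF\b", re.I),
     "disables secure mode for the registered SMTP server"),
    ("privilege-grant",
     re.compile(r"^GRANT\s+(SUPERADMIN|ADMIN|ACCESS)\b", re.I),
     "grants privileges or access; confirm the change is approved"),
    ("account-unlock",
     re.compile(r"^ALTER\s+USER\s+\S+\s+ACCOUNT\s+UNLOCK\b", re.I),
     "unlocks a user account; confirm why it was locked"),
]


def split_statements(text):
    """Yield (statement, terminated) pairs. A ';' inside double quotes does not
    end a statement, so quoted paths and sender IDs stay intact."""
    buf, in_quote = [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            stmt = " ".join("".join(buf).split())
            if stmt:
                yield stmt, True
            buf = []
        else:
            buf.append(ch)
    tail = " ".join("".join(buf).split())
    if tail:
        yield tail, False


def redact(stmt):
    """Mask the password half of AUTHENTICATED BY username/password."""
    return re.sub(r"(\bAUTHENTICATED\s+BY\s+[^/\s]+/)\S+", r"\1<redacted>",
                  stmt, flags=re.I)


def lint(text):
    """Return (statement number, rule id, reason, redacted statement) tuples."""
    findings = []
    for number, (stmt, terminated) in enumerate(split_statements(text), start=1):
        for rule_id, pattern, why in RULES:
            if pattern.search(stmt):
                findings.append((number, rule_id, why, redact(stmt)))
        if not terminated:
            findings.append((number, "missing-semicolon",
                             "all AVCLI commands must end in a semi-colon",
                             redact(stmt)))
    return findings


if __name__ == "__main__":
    for number, rule_id, why, stmt in lint(SAMPLE):
        print("statement %d: %s: %s\n    %s" % (number, rule_id, why, stmt))
```

Findings carry the redacted statement, so the review output can be shared without repeating the password.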

A.10 SAN Storage AVCLI Commands

Table A-15 lists SAN storage AVCLI commands.

Table A-15 AVCLI SAN Storage Commands

Command Description

REGISTER SAN SERVER

Registers a SAN server of a specified storage type with the Audit Vault Server

ALTER SAN SERVER

Alters a SAN server registered with the Audit Vault Server by logging into or logging out of a target available on the SAN server

LIST TARGET FOR SAN SERVER

Displays the details of targets available on a specified SAN server

DROP SAN SERVER

Drops a SAN server registered with Audit Vault Server

LIST DISK

Displays details of disks available on the system

ALTER DISKGROUP

Alters a diskgroup by adding or dropping disks

LIST DISKGROUP

Displays details of all diskgroups in the system

LIST SAN SERVER

Displays details of SAN servers registered with the Audit Vault Server

SHOW iSCSI INITIATOR DETAILS FOR SERVER

Displays iSCSI initiator details for the Audit Vault Server

A.10.1 REGISTER SAN SERVER

The REGISTER SAN SERVER command registers a SAN server with the Audit Vault Server.

Syntax:

REGISTER SAN SERVER SAN_server_name OF TYPE storage_type ADDRESS address [PORT port] [METHOD discovery_method] [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to secondary Audit Vault Server.

Arguments

Argument Description

SAN_server_name

Name of the SAN server. Must be unique.

storage_type

Storage type. Currently, only iSCSI is supported (case-insensitive).

address

IP address of the SAN server

port

Optional. Port number. Default is 3260.

discovery_method

Optional. Method used to discover targets. Possible values are:

SENDTARGETS [AUTHENTICATED BY username/password]
ISNS

Default is SENDTARGETS.

Note:

The syntax of this command will be changed in Oracle Audit Vault and Database Firewall release 20.1.0.0.0.

Examples:

avcli> REGISTER SAN SERVER testServer1 OF TYPE iSCSI ADDRESS 192.0.2.1;

Registers a SAN server testServer1 of storage type iSCSI at address 192.0.2.1. The default port number 3260 and the default discovery method sendtargets will be used.

avcli> REGISTER SAN SERVER testServer2 Of Type iSCSI ADDRESS 192.0.2.1 METHOD sendtargets AUTHENTICATED BY username2/password2;

Registers a SAN server testServer2 of storage type iSCSI at address 192.0.2.1 using the discovery method sendtargets with credentials username2 and password2.

A.10.2 ALTER SAN SERVER

Use the ALTER SAN SERVER command to alter SAN servers that are registered with Oracle Audit Vault Server by logging into or logging out of a target that is available on the SAN server.

The ALTER SAN SERVER command alters a SAN server registered with the Audit Vault Server by logging in or logging out of a target available on the SAN server.

Syntax:

ALTER SAN SERVER server_name LOGIN target_name ADDRESS address [PORT port] [AUTHENTICATED BY username/password] [ON SECONDARY]

ALTER SAN SERVER server_name LOGOUT target_name ADDRESS address [PORT port] [AUTHENTICATED BY username/password] [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Arguments

Argument Description

server_name

Name of the SAN server registered with the Audit Vault Server.

target_name

Name of the target on the SAN server. To get a list of targets, use the command "LIST TARGET FOR SAN SERVER".

address

IP address or hostname of the target on the SAN server

port

Optional. Default is 3260.

username/password

If needed, credential used to log in to the target.

Note:

The syntax of this command will be changed in Oracle Audit Vault and Database Firewall release 20.1.0.0.0.

Example:

avcli> ALTER SAN SERVER testServer1 LOGIN target1 ADDRESS sample_target.example.com AUTHENTICATED BY username1/password1;

Alters the SAN server testServer1 by logging into target1 at address sample_target.example.com using credentials username1 and password1. The default port number 3260 will be used.

avcli> ALTER SAN SERVER testServer2 LOGOUT target2 ADDRESS sample_target.example.com;

Alters the SAN server testServer2 by logging out of target2 at address sample_target.example.com.

A.10.3 LIST TARGET FOR SAN SERVER

The LIST TARGET FOR SAN SERVER command displays details of the targets available on a specified SAN server.

Syntax:

LIST TARGET FOR SAN SERVER server_name [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Arguments

Argument Description

server_name

Name of the SAN server registered with the Audit Vault Server.

Example:

avcli> LIST TARGET FOR SAN SERVER testServer1;

Displays the details of targets available on SAN server testServer1.

A.10.4 DROP SAN SERVER

The DROP SAN SERVER command removes a SAN server registered with the Audit Vault Server.

Syntax:

DROP SAN SERVER server_name [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Arguments

Argument Description

server_name

Name of the SAN server registered with the Audit Vault Server.

Example:

avcli> DROP SAN SERVER testServer1;

Removes SAN server testServer1 from the Audit Vault Server.

A.10.5 LIST DISK

The LIST DISK command displays details of all disks available in the system, or disks in a specific disk group.

Syntax:

LIST DISK [FOR DISKGROUP SYSTEMDATA|EVENTDATA|RECOVERY] [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Examples:

avcli> LIST DISK;

Displays the details of all disks in the system.

avcli> LIST DISK FOR DISKGROUP SYSTEMDATA;

Displays the details of the SYSTEMDATA disk group.

A.10.6 ALTER DISKGROUP

The ALTER DISKGROUP command alters a disk group by adding or dropping disks from the group.

Syntax:

ALTER DISKGROUP SYSTEMDATA|EVENTDATA|RECOVERY ADD DISK disk_name 
   [ON SECONDARY]

ALTER DISKGROUP SYSTEMDATA|EVENTDATA|RECOVERY DROP DISK disk_name 
   [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Arguments

Argument Description

disk_name

Name of the disk to add or drop. When adding a disk, the disk must be available in the system, and not previously added to a disk group. To display all disks available in the system, use the command "LIST DISK".

Examples:

avcli> ALTER DISKGROUP SYSTEMDATA ADD DISK disk1;

Adds disk1 to the SYSTEMDATA disk group.

avcli> ALTER DISKGROUP RECOVERY DROP DISK disk2;

Drops disk2 from the RECOVERY disk group.

A.10.7 LIST DISKGROUP

The LIST DISKGROUP command displays details of all disk groups in the Audit Vault Server.

Syntax:

LIST DISKGROUP [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Example:

avcli> LIST DISKGROUP;

Displays details for all disk groups in the system, for example, name, total space, and free space. To see details of the disks in a specific disk group, use the command "LIST DISK".

A.10.8 LIST SAN SERVER

The LIST SAN SERVER command displays details of SAN servers registered with the Audit Vault Server.

Syntax:

LIST SAN SERVER [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Example:

avcli> LIST SAN SERVER;

Displays details of SAN servers registered in the system, for example, storage name, storage type, etc.

A.10.9 SHOW iSCSI INITIATOR DETAILS FOR SERVER

The SHOW ISCSI INITIATOR DETAILS FOR SERVER command displays iSCSI initiator details for the Audit Vault Server. These initiator details are used in the SAN server configuration to allow it to connect to the Audit Vault Server.

Syntax:

SHOW ISCSI INITIATOR DETAILS FOR SERVER [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Example:

avcli> SHOW ISCSI INITIATOR DETAILS FOR SERVER;

Displays the iSCSI initiator details for the Audit Vault Server.

A.11 Remote File System AVCLI Commands

Table A-16 lists the remote filesystem AVCLI commands. Currently these commands support registering and managing connections to NFS filesystems that are used as archive locations.

Table A-16 AVCLI Remote Filesystem Commands

Command Description

REGISTER REMOTE FILESYSTEM

Registers a remote filesystem with the Audit Vault Server

ALTER REMOTE FILESYSTEM

Alters a remote filesystem registered with the Audit Vault Server

DROP REMOTE FILESYSTEM

Drops a remote filesystem registered with the Audit Vault Server

LIST EXPORT

Displays the list of exports available on an NFS server

LIST REMOTE FILESYSTEM

Lists all remote filesystems registered with the Audit Vault Server

SHOW STATUS OF REMOTE FILESYSTEM

Shows the status of a remote filesystem registered with the Audit Vault Server

A.11.1 REGISTER REMOTE FILESYSTEM

Use the REGISTER REMOTE FILESYSTEM command to register remote file systems with Oracle Audit Vault Server.

The REGISTER REMOTE FILESYSTEM command registers a remote filesystem with the Audit Vault Server. This command currently supports registering an NFS filesystem. After registering a remote filesystem, an administrator can select it when specifying an archive location.

Syntax:

REGISTER REMOTE FILESYSTEM filesystem_name OF TYPE NFS ON HOST NFS_server_address USING EXPORT export [MOUNT]

Arguments

Argument Description

filesystem_name

A unique name for the remote filesystem

NFS_server_address

Hostname or IP address of the NFS server

export

Name of the export directory on the NFS server. This directory must be created in the /etc/exports file of the NFS server.

Note:

  1. Log in as Oracle user 503 to register the remote filesystem. Use the same user name on the NFS Server and the Audit Vault Server.

  2. If the user ID is different, then edit the /etc/passwd file on the NFS server and change the user ID of the Oracle user to 503.

Examples:

avcli> REGISTER REMOTE FILESYSTEM sample_Filesystem OF TYPE NFS ON HOST example_host.example.com USING EXPORT /export/home1;

Registers a remote NFS filesystem named sample_Filesystem on the host example_host.example.com using the export directory /export/home1. This will mount the registered remote filesystem.

avcli> REGISTER REMOTE FILESYSTEM sample_Filesystem OF TYPE NFS ON HOST example_host.example.com USING EXPORT /export/home1 MOUNT;

Registers a remote NFS filesystem named sample_Filesystem on the host example_host.example.com using the export directory /export/home1. This will also mount the registered remote filesystem.

A.11.2 ALTER REMOTE FILESYSTEM

The ALTER REMOTE FILESYSTEM command alters a remote filesystem registered with the Audit Vault Server.

Syntax:

ALTER REMOTE FILESYSTEM filesystem_name SET {key=value [,key=value...]}

ALTER REMOTE FILESYSTEM filesystem_name MOUNT

ALTER REMOTE FILESYSTEM filesystem_name UNMOUNT [FORCE]

Arguments

Argument Description

filesystem_name

Name of the remote filesystem

key

For an NFS remote filesystem, the key NAME is supported.

Examples:

avcli> ALTER REMOTE FILESYSTEM sample_filesystem SET NAME=newfilesystem;

Changes the name of the remote filesystem sample_filesystem to newfilesystem.

avcli> ALTER REMOTE FILESYSTEM sample_filesystem MOUNT;

Mounts the remote filesystem sample_filesystem.

avcli> ALTER REMOTE FILESYSTEM sample_filesystem UNMOUNT;

Unmounts remote filesystem sample_filesystem.

avcli> ALTER REMOTE FILESYSTEM sample_filesystem UNMOUNT FORCE;

Unmounts remote filesystem sample_filesystem and forces this operation.

A.11.3 DROP REMOTE FILESYSTEM

The DROP REMOTE FILESYSTEM command drops a remote filesystem registered with the Audit Vault Server.

Syntax:

DROP REMOTE FILESYSTEM filesystem_name

Arguments

Argument Description

filesystem_name

Name of the remote filesystem.

Examples:

avcli> DROP REMOTE FILESYSTEM filesystem1;

Drops the remote filesystem filesystem1.

A.11.4 LIST EXPORT

The LIST EXPORT command displays the list of exports available on an NFS server.

Syntax:

LIST EXPORT OF TYPE NFS ON HOST address

Arguments

Argument Description

address

Hostname or IP address of the NFS server.

Example:

avcli> LIST EXPORT OF TYPE NFS ON HOST example_server.example.com;

Lists the exports available on the NFS server example_server.example.com.

A.11.5 LIST REMOTE FILESYSTEM

The LIST REMOTE FILESYSTEM command lists all remote filesystems registered with the Audit Vault Server.

Syntax:

LIST REMOTE FILESYSTEM

Example:

avcli> LIST REMOTE FILESYSTEM;

Lists all remote filesystems registered with the Audit Vault Server.

A.11.6 SHOW STATUS OF REMOTE FILESYSTEM

The SHOW STATUS OF REMOTE FILESYSTEM command shows the status of a specified remote filesystem.

Syntax:

SHOW STATUS OF REMOTE FILESYSTEM filesystem_name

Arguments

Argument Description

filesystem_name

Name of the remote filesystem

Examples:

avcli> SHOW STATUS OF REMOTE FILESYSTEM filesystem1;

Shows the status of remote filesystem filesystem1.

A.12 Server Management AVCLI Commands

Table A-17 AVCLI Server Management Commands

Command Description

ALTER SYSTEM SET

Modifies system configuration data

SHOW CERTIFICATE

Displays the certificate for the Audit Vault Server

DOWNLOAD LOG FILE

Downloads the Audit Vault Server log file for diagnostics

A.12.1 ALTER SYSTEM SET

Use the ALTER SYSTEM SET command to modify system configuration data.

The ALTER SYSTEM SET command modifies system configuration data.

Syntax:

ALTER SYSTEM SET {attribute=value [,attribute=value...]}

Arguments

Argument Description

attribute

System attributes as key/value pairs. See Table A-18.

Usage Notes

Typically, system configuration data affects all components system-wide.

Multiple component log levels can be changed by delimiting them using the | symbol.

To modify system configuration data, set the attributes associated with the data as key=value pairs. To set multiple attributes, separate the pairs with commas.

Log files are in the $ORACLE_HOME/av/log directory in the Audit Vault Server.

The following attributes are supported:

Table A-18 System Attributes

Parameter Description

LOGLEVEL

The log level of components running on this host.

The LOGLEVEL attribute takes a two part value, separated by a colon, as follows:

component_name:loglevel_value

See Table A-19 for component names and log level values.

Multiple components' log levels can be changed by delimiting them using the | symbol.

SYS.HEARTBEAT_INTERVAL

Sets the system heartbeat interval to a numerical value in seconds.

SYS.AUTOSTART_INTERVAL

The interval in seconds before the system will try to restart failed audit trails. Default: 1800

SYS.AUTOSTART_RETRY_COUNT

The number of times the system will retry starting failed audit trails. Default: 5

Table A-19 shows valid values for component_name and loglevel_value for the LOGLEVEL attribute:

Table A-19 Logging component names and values

Logging component name Values

AlertLog

Alert

AgentLog

Agent

ARLog

Archive and Retrieve

DWLog

Data Warehouse

FWLog

Database Firewall

GUIlog

Web Console UI

JfwkLog

Java Server Process

NotifyLog

Notification

PfwkLog

Plug-in Management

PolicyLog

Policy Management

ReportLog

Report Generation

SanLog

SAN Storage

TransLog

Transaction Log Trail

All

All components. Valid only with ERROR and WARNING log level values.

Table A-20 Logging level and values

Parameter Description

ERROR

The ERROR log level

WARNING

The WARNING log level (not supported for GUIlog)

INFO

The INFO log level

DEBUG

The DEBUG log level

Be aware that DEBUG generates many files and that this can affect the performance of your system. Only use it when you are trying to diagnose problems.

Examples

avcli> ALTER SYSTEM SET SYS.HEARTBEAT_INTERVAL=10;

The SYS.HEARTBEAT_INTERVAL system configuration setting changes to 10 seconds.

avcli> ALTER SYSTEM SET LOGLEVEL=JfwkLog:DEBUG|PfwkLog:INFO;

The log levels of the JfwkLog and PfwkLog components running on the system change.

avcli> ALTER SYSTEM SET SYS.AUTOSTART_INTERVAL=900;

The system will restart failed audit trails after 900 seconds.

See Also:

Downloading Detailed Diagnostics Reports for the Audit Vault Server for information about generating a diagnostics report that captures Audit Vault Server appliance information.
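The LOGLEVEL value format and the restrictions in Table A-19 and Table A-20 can be checked before a command is run or placed in an .av script. The following Python code is an added example, not part of AVCLI or Oracle's documentation; the function names are hypothetical, and exact-case matching of component and level names is an assumption.

```python
# Added example: validate a LOGLEVEL value against Tables A-19 and A-20
# before building the ALTER SYSTEM SET command. Not Oracle code.

COMPONENTS = (
    "AlertLog", "AgentLog", "ARLog", "DWLog", "FWLog", "GUIlog", "JfwkLog",
    "NotifyLog", "PfwkLog", "PolicyLog", "ReportLog", "SanLog", "TransLog",
    "All",
)
LEVELS = ("ERROR", "WARNING", "INFO", "DEBUG")


def check_pair(component, level):
    """Return the problems found in one component:level pair (empty if valid)."""
    problems = []
    if component not in COMPONENTS:  # assumption: names match exactly as tabled
        problems.append(f"unknown component {component!r}")
    if level not in LEVELS:
        problems.append(f"unknown log level {level!r}")
    if component == "All" and level in ("INFO", "DEBUG"):
        problems.append("All is valid only with ERROR and WARNING")
    if component == "GUIlog" and level == "WARNING":
        problems.append("WARNING is not supported for GUIlog")
    return problems


def parse_loglevel(value):
    """Split 'Comp:LEVEL|Comp:LEVEL' into pairs; raise ValueError if invalid."""
    pairs, problems = [], []
    for item in value.split("|"):
        component, sep, level = item.partition(":")
        if not sep or not component or not level or ":" in level:
            problems.append(f"malformed entry {item!r}")
            continue
        problems += [f"{item}: {p}" for p in check_pair(component, level)]
        pairs.append((component, level))
    if problems:
        raise ValueError("; ".join(problems))
    return pairs


def build_command(pairs):
    """Return the ALTER SYSTEM SET statement for validated (component, level) pairs."""
    value = "|".join(f"{component}:{level}" for component, level in pairs)
    parse_loglevel(value)  # re-validate so a bad pair never reaches AVCLI
    return f"ALTER SYSTEM SET LOGLEVEL={value};"


def debug_components(pairs):
    """List components set to DEBUG, which generates many files."""
    return [component for component, level in pairs if level == "DEBUG"]


if __name__ == "__main__":
    sample = "JfwkLog:DEBUG|PfwkLog:INFO"  # value from the example above
    parsed = parse_loglevel(sample)
    print(build_command(parsed))
    print("DEBUG enabled for:", debug_components(parsed))
```
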

A.12.2 SHOW CERTIFICATE

The SHOW CERTIFICATE command displays the certificate for the Audit Vault Server.

Syntax

SHOW CERTIFICATE FOR SERVER

Example

avcli> SHOW CERTIFICATE FOR SERVER;

The Audit Vault Server certificate appears.

A.12.3 DOWNLOAD LOG FILE

The DOWNLOAD LOG FILE command downloads the diagnostics log file (as a .zip file) from the Audit Vault Server and saves it in the following directory:

AVCLI_installation_path/av/log

Syntax

DOWNLOAD LOG FILE FROM SERVER

Example

avcli> DOWNLOAD LOG FILE FROM SERVER;

The Audit Vault Server log file is downloaded.

A.13 Collection Plug-In AVCLI Commands

The AVCLI collection plug-in commands enable you to manage the deployment of collection plug-ins.

Table A-21 lists the collection plug-in AVCLI commands.

Table A-21 AVCLI Collection Plug-In Commands

Command Description

DEPLOY PLUGIN

Deploys a plug-in into Audit Vault Server home from a given archive file

LIST PLUGIN FOR SECURED TARGET TYPE

Lists all the plug-ins in an Audit Vault Server installation

UNDEPLOY PLUGIN

Undeploys a plug-in from an Audit Vault Server home

A.13.1 DEPLOY PLUGIN

The DEPLOY PLUGIN command deploys a plug-in into the Audit Vault Server home from a given archive file.

Syntax

DEPLOY PLUGIN plugin archive

Arguments

Argument Description

plugin archive

The plug-in archive.

Archive files have a .zip extension, specifying custom plug-ins that third-party vendors or partners develop to add functionality to Audit Vault Server.

Usage Notes

No action is required after this command.

The DEPLOY PLUGIN command updates the agent archive with the contents of this plug-in for future Agent deployments.

When a newer version of the plug-in is available, use the DEPLOY PLUGIN command to update the plug-in artifacts. Multiple plug-ins can support a single secured target type.

Example

avcli> DEPLOY PLUGIN /opt/avplugins/sample_plugin.zip;

Deploys the plug-in at /opt/avplugins/sample_plugin.zip into the Audit Vault Server and updates the agent archive by adding the plug-in to its contents.

A.13.2 LIST PLUGIN FOR SECURED TARGET TYPE

The LIST PLUGIN FOR SECURED TARGET TYPE command lists all the plug-ins that support a particular secured target type.

Syntax

LIST PLUGIN FOR SECURED TARGET TYPE secured target type name

Arguments

Argument Description

secured target type name

The name of the secured target type

Usage Notes

To find a list of available secured target types, see "LIST SECURED TARGET TYPE".

Examples

avcli> LIST PLUGIN FOR SECURED TARGET TYPE "Oracle Database";

The plug-ins that support the secured target type "Oracle Database" are listed.

A.13.3 UNDEPLOY PLUGIN

The UNDEPLOY PLUGIN command deletes a plug-in from an Audit Vault Server home.

Syntax

UNDEPLOY PLUGIN plugin_id

Arguments

Argument Description

plugin_id

The ID of the plug-in that you want to undeploy.

Usage Notes

UNDEPLOY PLUGIN attempts to identify dependent plug-ins or packages prior to deleting the plug-in.

This command undeploys a plug-in specified by the plug-in ID from the Audit Vault Server. It also updates the agent archive removing this plug-in, so that it is not deployed in future agent deployments.

Examples

avcli> UNDEPLOY PLUGIN com.abc.sample_plugin;

The plug-in, com.abc.sample_plugin, is undeployed from Oracle Audit Vault Server and the agent archive is updated by removing the plug-in.

A.14 General Usage AVCLI Commands

Table A-22 lists the general usage AVCLI commands.

Table A-22 AVCLI HELP and EXIT Commands

Command Description

CONNECT

Connects the current user in AVCLI as a different user

STORE CREDENTIALS

Stores administrator credentials in the AVCLI wallet, or overwrites previously stored credentials.

SHOW USER

Displays the currently logged in AVCLI user

CLEAR LOG

Clears the system's diagnostic logs

HELP

Lists all AVCLI commands with their categories

-HELP

Displays help information for all of the commands in the AVCLI utility

-VERSION

Displays the version number for AVCLI

QUIT

Exits AVCLI

A.14.1 CONNECT

The CONNECT command enables you to connect as a different user in AVCLI.

Syntax

CONNECT [username]

Usage Notes

  • If you have logged in to AVCLI without specifying a username and password, then you must use the CONNECT command to connect as a valid user.

  • For additional ways to connect to AVCLI, see "Using the Audit Vault Command-Line Interface".

Example 1

avcli> CONNECT psmith;
Enter password: password

Connected.

Example 2

avcli> CONNECT;
Enter user name: username
Enter password: password

Connected.

A.14.2 STORE CREDENTIALS

Use the STORE CREDENTIALS command to store administrator credentials in the AVCLI wallet, or to overwrite previously stored credentials.

The STORE CREDENTIALS command lets you store credentials for one Oracle Audit Vault and Database Firewall administrator in the Oracle AVCLI wallet, or update existing credentials in the wallet.

Syntax

STORE CREDENTIALS [FOR USER username]

Example 1

avcli> STORE CREDENTIALS FOR USER admin1;
Enter password: password
Re-enter password: password

Example 2

avcli> STORE CREDENTIALS;
Enter user name: admin1
Enter password: password
Re-enter password: password

A.14.3 SHOW USER

The SHOW USER command displays the currently logged in AVCLI user.

Syntax

SHOW USER

Example

avcli> SHOW USER;

A.14.4 CLEAR LOG

The CLEAR LOG command deletes all log files in the directory $ORACLE_HOME/av/log on the Audit Vault Server.

Syntax

CLEAR LOG

Example

avcli> CLEAR LOG;

A.14.5 HELP

The HELP command lists all available AVCLI commands and their categories.

Syntax

HELP

Example

avcli> HELP;

A.14.6 -HELP

The -HELP command displays version number and help information about the AVCLI commands. Run the -HELP command from outside of AVCLI.

Syntax

avcli -h
avcli -H
avcli -help
avcli -HELP

Example

avcli -help:
 
[oracle@slc02vjp ~]$ avcli -help
 
 
AVCLI : Release 12.2.0.0.0 - Production on Thu Nov 8 00:53:54 UTC 2012
 
 
Copyright (c) 1996, 2015 Oracle.  All Rights Reserved.
 
 
Usage 1: avcli -{h|H} | -{v|V}
 
    -{h|H}             Displays the AVCLI version and the usage help
 
    -{v|V}             Displays the AVCLI version.
 
Usage 2: avcli [ [<option>] [<logon>] [<start>] ]
 
   <option> is: [-{l|L} <log level>]
 
    -{l|L} <log level>   Sets the log level to the level specified.
                         Supported log levels: INFO, WARNING, ERROR, DEBUG
 
   <logon> is: -{u|U} <username>
     Specifies the database account username for the database
     connection
 
   <start> is: -{f|F} <filename>.<ext>
     Runs the specified AVCLI script from the local file system
     (filename.ext). Valid AVCLI script files should have
     their file extension as '.av' (e.g. sample_script.av)
 

A.14.7 -VERSION

The -VERSION command displays the version number for AVCLI. Run the -VERSION command from outside of AVCLI.

Syntax

avcli -v
avcli -V
avcli -version
avcli -VERSION

Example

avcli -v;

AVCLI : Release 12.2.0.0.0 - Production on Tue Apr 26 14:25:31 PDT 2011
 
Copyright (c) 2014, Oracle.  All Rights Reserved.

A.14.8 QUIT

The QUIT command exits AVCLI.

Syntax

QUIT

Example

avcli> QUIT;

A.15 AVCLI User Commands

You can use the AVCLI user commands to create users, assign the necessary roles, reset passwords, and delete users.

Table A-23 AVCLI User Commands

Command Description

CREATE AUDITOR

To create a user with auditor role. Only a superauditor can create a user with auditor role.

ALTER AUDITOR

To reset the password for existing auditor or superauditor user. Only a superauditor can reset password for auditor or superauditor user.

DROP AUDITOR

To drop or delete an existing auditor or superauditor user. Only a superauditor can drop an auditor or superauditor user.

CREATE ADMIN

To create a user with admin role. Only a superadmin can create a user with admin role.

ALTER ADMIN

To reset the password for existing admin or superadmin user. Only a superadmin can reset password for admin or superadmin user.

DROP ADMIN

To drop or delete an existing admin or superadmin user. Only a superadmin can drop an admin or superadmin user.

A.15.1 CREATE AUDITOR

Use the CREATE AUDITOR command to create users with the auditor role. Only superauditors can create users with the auditor role.

The CREATE AUDITOR command creates a user with the auditor role. A superauditor can create a user with auditor role.

Syntax

CREATE AUDITOR user name

Arguments

Argument Description

user name

The name of the user being created with auditor role. The user name cannot be null, start with any reserved user name, or be the same as any existing user role. It must be alphanumeric only and can contain underscore (_), dollar sign ($), and pound sign (#).

password

The command prompts for a password before creating a user with auditor role. The password must have at least one uppercase letter, one lowercase letter, one digit (0-9), and one special character (.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

Example

avcli> create auditor myauditor;

This command creates a user myauditor with auditor role. The user password is taken from the prompt.

A.15.2 ALTER AUDITOR

Use the ALTER AUDITOR command to reset the password for existing auditors or superauditor users. Only a superauditor can reset the password for auditors or superauditor users.

The ALTER AUDITOR command resets the password of the user with auditor role. A superauditor can modify the password of the user with auditor role.

Syntax

ALTER AUDITOR <user name>

Arguments

Argument Description

user name

The existing user with auditor role who requires a password reset.

password

The command prompts for a new password for the user with auditor role. The password must have at least one uppercase letter, one lowercase letter, one digit (0-9), and one special character (.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

Example

avcli> alter auditor myauditor;

This command resets the password of the existing user myauditor. The password for myauditor is taken from the prompt.

A.15.3 DROP AUDITOR

Use the DROP AUDITOR command to drop or delete auditors or superauditor users. Only superauditors can drop an auditor or superauditor user.

The DROP AUDITOR command drops or deletes a user with auditor role. A superauditor can drop a user with auditor role.

Syntax

DROP AUDITOR user name

Arguments

Argument Description

user name

The existing user with auditor role who needs to be dropped or deleted.

Example

avcli> drop auditor myauditor;

This command drops the existing user myauditor. The command performs a cleanup, expires the password, locks the account, kills any existing sessions for the user, and drops the user completely from the database.

A.15.4 CREATE ADMIN

Use the CREATE ADMIN command to create users with the admin role. Only a superadmin can create a user with admin role.

The CREATE ADMIN command creates a user with admin role. A superadmin can create a user with admin role.

Syntax

CREATE ADMIN user name

Arguments

Argument Description

user name

The name of the user being created with admin role. The user name cannot be null, start with any reserved user name, or be the same as any existing user role. It must be alphanumeric only and can contain underscore (_), dollar sign ($), and pound sign (#).

password

The command prompts for a password before creating a user with admin role. The password must have at least one uppercase letter, one lowercase letter, one digit (0-9), and one special character (.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

Example

avcli> create admin myadmin;

This command creates a user myadmin with admin role. The user password is taken from the prompt.

A.15.5 ALTER ADMIN

Use the ALTER ADMIN command to reset the password for an admin or superadmin user. Only a superadmin can reset the password for an admin or superadmin user.

The ALTER ADMIN command resets the password of the user with admin role. A superadmin can modify the password of the user with admin role.

Syntax

ALTER ADMIN <user name>

Arguments

Argument Description

user name

The existing user with admin role who requires a password reset.

password

The command prompts for a new password for the user with admin role. The password must have at least one uppercase letter, one lowercase letter, one digit (0-9), and one special character (.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

Example

avcli> alter admin myadmin;

This command resets the password of the existing user myadmin. The password for myadmin is taken from the prompt.
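The user name rules given for CREATE AUDITOR and CREATE ADMIN, and the password rules given for the CREATE and ALTER commands in this section, can be checked in a provisioning workflow before a value is entered at the AVCLI prompt. The following Python code is an added example, not part of AVCLI or Oracle's documentation. It assumes ASCII alphanumerics for user names, UTF-8 for the 30-byte limit, and case-insensitive name comparison; the reserved user names and existing roles are not listed on this page, so the caller supplies them.

```python
# Added example: pre-check a proposed user name and password against the rules
# stated for CREATE/ALTER AUDITOR and CREATE/ALTER ADMIN. Not Oracle code.
import re

SPECIAL_CHARS = ".,+:_!"                   # special characters named in the rule
NAME_RE = re.compile(r"[A-Za-z0-9_$#]+")   # assumption: "alphanumeric" means ASCII
MIN_CHARS, MAX_BYTES = 8, 30


def check_username(name, reserved_prefixes=(), existing_roles=()):
    """Return the rule violations for a proposed user name (empty list if none).

    reserved_prefixes and existing_roles come from the caller; this page does
    not enumerate them. Comparison is case-insensitive (an assumption).
    """
    if not name:
        return ["user name is null or empty"]
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("only letters, digits, _, $ and # are allowed")
    upper = name.upper()
    if any(p and upper.startswith(p.upper()) for p in reserved_prefixes):
        problems.append("starts with a reserved user name")
    if upper in {role.upper() for role in existing_roles}:
        problems.append("same as an existing user role")
    return problems


def check_password(password, encoding="utf-8"):
    """Return the rule violations for a proposed password (empty list if none).

    The minimum is counted in characters and the maximum in bytes, as the rule
    states, so multi-byte characters reach the upper limit sooner.
    """
    problems = []
    if len(password) < MIN_CHARS:
        problems.append("shorter than 8 characters")
    if len(password.encode(encoding)) > MAX_BYTES:
        problems.append("longer than 30 bytes")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c in "0123456789" for c in password):
        problems.append("no digit (0-9)")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character from .,+:_!")
    return problems


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    print(check_username("myadmin"))
    print(check_password("auditor1!"))
```

Because AVCLI takes the password from a prompt, a check like this belongs in the step that generates or accepts the password, not in an .av script.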

A.15.6 DROP ADMIN

Use the DROP ADMIN command to drop or delete admin or superadmin users. Only a superadmin can drop an admin or superadmin user.

The DROP ADMIN command drops or deletes a user with admin role. A superadmin can drop a user with admin role.

Syntax

DROP ADMIN user name

Arguments

Argument Description

user name

The existing user with admin role who needs to be dropped or deleted.

Example

avcli> drop admin myadmin;

This command drops the existing user myadmin. The command performs a cleanup, expires the password, locks the account, kills any existing sessions for the user, and drops the user completely from the database.