Topics
When administrators log in to Oracle Audit Vault and Database Firewall, they have access only to administrative functions, whereas auditors have access only to the auditing functions.
Oracle Audit Vault and Database Firewall has three types of administrative user accounts:
Audit Vault Server Super Administrator:
Manages system-wide settings
Creates user accounts for super administrators and administrators
Has access to all secured targets and secured target groups
Grants access to secured targets or secured target groups to administrators
Audit Vault Server Administrator: Has access to specific secured targets or secured target groups granted by a super administrator. Administrators cannot manage system-wide settings.
Database Firewall Administrator: Has access to the Database Firewall administrative interface. The Database Firewall has only one administrator.
After installing Oracle Audit Vault and Database Firewall, a post-installation configuration page lets you create and specify passwords for one super administrator account and one super auditor account for the Audit Vault Server, and one administrator account for the Database Firewall.
Thereafter, the Audit Vault Server super administrator can create other administrative users, and the super auditor can create other auditor users, for the server.
This chapter describes managing user accounts and passwords for the Oracle Audit Vault and Database Firewall administrator user interfaces.
See Also:
Oracle Audit Vault and Database Firewall Installation Guide for information on post-installation configuration.
Oracle Audit Vault and Database Firewall Auditor's Guide for information on managing auditor accounts.
Oracle Audit Vault and Database Firewall follow STIG rules for user accounts.
Oracle Audit Vault and Database Firewall follows the Security Technical Implementation Guides (STIG) and implementation rules for user accounts.
The default Oracle Audit Vault and Database Firewall user accounts must have custom passwords.
The number of consecutive failed login attempts is 3.
When a user exceeds the maximum number of unsuccessful login attempts, the account is locked until a super administrator releases it.
Account lockouts will persist until a super administrator resets the user account.
See Also:
Security Technical Implementation Guides for more information about STIG compliance
You can change an administrative account type from administrator to super administrator, or vice versa.
Note that if you change a user's account type from administrator to super administrator, that user will have access to all secured targets and secured target groups.
To change a user account type in Oracle AVDF:
Log in to the Audit Vault Server as a super administrator.
Click the Settings tab.
The Manage Admins page appears by default, and displays existing users and the secured targets or groups to which they have access.
Click the name of the user account you want to change.
In the Modify Admin page, in the Type section, click Change.
In the Type drop-down list, select the new administrator type.
If you changed the type from Super Admin to Admin, grant or revoke access to any secured targets or groups as necessary for this user:
Select the secured targets or groups to which you want to grant or revoke access.
Click Grant Access or Revoke Access.
A check mark indicates access granted. An X indicates access revoked.
Repeat steps a and b if necessary.
Click Save.
The sudo command enables a trusted user to have administrative access to a system without having to log in using the root user password.
When users have been given sudo access, they can precede an administrative command with sudo, and then be prompted to enter their password. Once authenticated, and assuming that the command is permitted, the command is executed as if it had been run by the root user.
You must have root privileges to configure sudo access for a user.
Log in to the system as the root user.
Create a normal user account using the useradd command.
For example, to create a normal user account for the user psmith:
# useradd psmith
Set a password for the user using the passwd command.
For example:
# passwd psmith Changing password for user psmith. New password: new_password Retype new password: new_password passwd: all authentication tokens updated successfully
Run the visudo utility to edit the /etc/sudoers file.
# visudo
The sudoers file defines the policies that the sudo command applies.
Find the lines in the sudoers file that grant access to users in the wheel group when enabled.
## Allows people in group wheel to run all commands # %wheel ALL=(ALL) ALL
Remove the comment character (#) at the start of the second line, which begins with %wheel.
This enables the configuration option.
Save your changes and exit the editor.
Add the user account that you created earlier to the wheel group using the usermod command.
For example:
usermod -aG wheel psmith
Test that the updated configuration enables the user that you created to run commands using sudo.
Use the su command to switch to the new user account that you created.
# su psmith
Use the groups command to verify that the user is in the wheel group.
$ groups psmith wheel
Use the sudo command to run the whoami command.
Because this is the first time that you have run a command using sudo from this user account, the banner message is displayed. You will be prompted to enter the password for the user account.
$ sudo whoami
The following output should appear:
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility.
Enter the password when prompted:
[sudo] password for psmith: password
root
The last line of the output is the user name that is returned by the whoami command. If sudo access has been configured correctly, then this value is root.
Topics
Super administrators have access to all secured targets and secured target groups, and can grant access to specific targets and groups to administrators.
You can control access to secured targets or groups in two ways:
Modify a secured target or group to grant or revoke access for one or more users.
Modify a user account to grant or revoke access to one or more secured targets or groups.
Topics
You should have a policy in place for changing passwords for the Audit Vault and Database Firewall user accounts. For example, you may require that users change their passwords on a regular basis, such as every 120 days, and that they create passwords that are not easily guessed.
Requirements for Passwords Containing Unicode Characters
If your password contains unicode characters (such as non-English characters with accent marks), the password requirement is that it:
Be between 8 and 30 characters long.
Requirements for English-Only (ASCII) Passwords
If you are using English-only, ASCII printable characters, Oracle AVDF requires that passwords:
Be between 8 and 30 characters long.
Contain at least one of each of the following:
Lowercase letters: a-z.
Uppercase letters: A-Z.
Digits: 0-9.
Punctuation marks: comma (,), period (.), plus sign (+), colon(:), exclamation mark (!), and underscore (_)
Not contain double quotes ("), back space, or control characters.
In addition, Oracle recommends that passwords:
Not be the same as the user name.
Not be an Oracle reserved word.
Not be an obvious word (such as welcome, account, database, and user).
Not contain any repeating characters.
When your Oracle Audit Vault and Database Firewall user passwords expires, you will be prompted to create a new one. However, you can change your password at any time.
Changing Your Own Password
To change your Audit Vault Server user password:
Log in to the Audit Vault Server as an administrator.
Click the Settings tab, and then click Change Password.
Type your Current Password, New Password, and then re-type the new password in the appropriate fields.
Ensure that the password is a custom password.
Click Save.
Changing the Password of Another Administrator
If you are a super administrator, you can change the password of administrators.
To change the password of another administrator:
Log in to the Audit Vault Server as a super administrator.
Click the Settings tab.
In the Manage Admins page, click the name of the administrator.
In the Change Password section, fill the New Password and Re-enter New Password fields, and then click Save.
Ensure that the password is a custom password.
See Also: