A AVCLI Commands Reference

The AVCLI commands enable you to perform tasks such as creating Database Firewall monitoring points and managing audit trails.

A.1 About AVCLI Commands

Learn about AVCLI commands and their uses.

Use the AVCLI commands to configure host connections from the command line. You must be granted the AV_ADMIN role before you can run these commands. This appendix does not list all of the AVCLI commands, however. It only covers the commands that Oracle Audit Vault and Database Firewall administrators need to configure target connections.

All AVCLI commands must end in a semi-colon (;).

See Also:

Using the Audit Vault Command Line Interface for general usage information about using the AVCLI command line interface.

Setting the JAVA_HOME Environment Variable

In Oracle Audit Vault Server, you must set the JAVA_HOME environment variable to point to the JDK installation directory.

A.2 Agent Host AVCLI Commands

The agent host AVCLI commands enable you to perform agent host-related tasks such as registering hosts.

A.2.1 About the Agent Host AVCLI Commands

The AVCLI host commands enable you to configure the host computer on which the Audit Vault Agent will reside.

A.2.2 ACTIVATE HOST

Learn how to use the ACTIVATE HOST AVCLI command.

The ACTIVATE HOST command activates the host specified by hostname.

Syntax

ACTIVATE HOST hostname

Arguments

Argument Description

hostname

The host name.

Usage Notes

Once a host is activated, an activation key appears. This key must be entered when the Agent process is started in order to complete the activation process.

Example

avcli> ACTIVATE HOST sample_host.example.com;

Activates the host, sample_host.example.com, and displays the activation key for this host.

A.2.3 ALTER HOST

Learn how to use the ALTER HOST AVCLI command.

The ALTER HOST command alters a host registered with the Audit Vault Server.

Syntax

ALTER HOST hostname SET {key=value [,key=value...]}

ALTER HOST hostname SET {key=value [,LOGLEVEL=component_name:loglevel_value...]}

ALTER HOST hostname DROP ATTRIBUTE {attribute name}

Arguments

Argument Description

hostname

The name of the host.

key

The attribute being changed. See Table A-1 for supported key values.

Usage Notes

This command alters the attributes associated with the named host using key/value pairs. To modify multiple attributes in a single command invocation, specify comma-separated key/value pairs.

The following host name attributes are supported:

Table A-1 Host Attributes (key values)

Parameter Description

NAME

The new host name that replaces the existing one.

IP

The new IP address that replaces the existing IP address.

LOGLEVEL

The log level of various code components running on this host. This option can dynamically change the log levels of various Audit Vault Server code components.

The LOGLEVEL attribute takes a two part value, separated by a colon, as follows:

component_name:loglevel_value

where component_name is one of av.agent, av.common, or av.server.

See Table A-2 for descriptions of LOGLEVEL component names, and Table A-3 for LOGLEVEL values.

The log levels of multiple components can be changed in one command by delimiting the component_name:loglevel_value pairs with the | symbol.

AGENT_PHYSICAL_ADDRESS_XX

XX can be any value between 01 and 99. The attribute value must be a valid IP address of a node in the cluster environment.

Note:

Make sure that you fully understand the Agent's functionality before modifying the values listed above. They are set to optimal values by default, and an incorrect value can degrade performance.

The following are valid values for the LOGLEVEL attribute:

Table A-2 LOGLEVEL Component Names

Parameter Description

av.agent

The Agent component (component_name part of the LOGLEVEL value).

av.server

The Audit Vault Server component (component_name part of the LOGLEVEL value).

av.common

The component shared by the Audit Vault Server and the Agent (component_name part of the LOGLEVEL value).

Table A-3 LOGLEVEL Values

Loglevel Value Description

INFO

INFO level (loglevel_value part of the LOGLEVEL value).

WARNING

WARNING level (loglevel_value part of the LOGLEVEL value).

ERROR

ERROR level (loglevel_value part of the LOGLEVEL value).

DEBUG

DEBUG level (loglevel_value part of the LOGLEVEL value).

Examples

avcli> ALTER HOST sample_host.example.com SET ip=192.0.2.1;

Alters the host, sample_host.example.com, and changes the associated IP address to 192.0.2.1.

avcli> ALTER HOST sample_host.example.com SET name=new_sample_host.example.com;

Alters the host, sample_host.example.com, to new_sample_host.example.com. Additionally, it updates the IP address by doing a lookup against new_sample_host.example.com.

avcli> ALTER HOST sample_host.example.com SET loglevel=av.agent:info|av.common:debug;

Alters the log levels of the av.agent and av.common code components embedded in the Agent process running on the host, sample_host.example.com.
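
The following Python helper is an added example, not part of the Oracle documentation: it parses and validates a LOGLEVEL value (component_name:loglevel_value pairs delimited by |) against the component names in Table A-2 and the levels in Table A-3, then renders the resulting ALTER HOST statement, so a wrapper script can reject a mistyped component or level before it reaches avcli. The host name and sample value are constructed.

```python
"""Validate the value of ALTER HOST ... SET LOGLEVEL=... (added example, not
Oracle's code). Component names come from Table A-2, levels from Table A-3."""
from typing import Dict

COMPONENTS = {"av.agent", "av.server", "av.common"}   # Table A-2
LEVELS = {"INFO", "WARNING", "ERROR", "DEBUG"}         # Table A-3


def parse_loglevel(value: str) -> Dict[str, str]:
    """Parse 'component_name:loglevel_value|...' into {component: LEVEL}.

    Names are matched case-insensitively: components are returned in lower
    case and levels in upper case (the documented examples use lower case,
    e.g. av.agent:info). Each component may appear only once. Raises
    ValueError naming the offending part so a wrapper can report it.
    """
    if not value.strip():
        raise ValueError("LOGLEVEL value is empty")
    result: Dict[str, str] = {}
    for part in value.split("|"):
        part = part.strip()
        if part.count(":") != 1:
            raise ValueError(f"expected component_name:loglevel_value, got {part!r}")
        component, level = (p.strip().lower() for p in part.split(":"))
        if component not in COMPONENTS:
            raise ValueError(f"unknown component {component!r}; expected one of {sorted(COMPONENTS)}")
        if level.upper() not in LEVELS:
            raise ValueError(f"unknown log level {level!r}; expected one of {sorted(LEVELS)}")
        if component in result:
            raise ValueError(f"component {component!r} specified more than once")
        result[component] = level.upper()
    return result


def build_alter_host_loglevel(hostname: str, value: str) -> str:
    """Render the ALTER HOST statement for a validated LOGLEVEL value, with
    the terminating semicolon that every AVCLI command requires."""
    pairs = "|".join(f"{c}:{l.lower()}" for c, l in parse_loglevel(value).items())
    return f"ALTER HOST {hostname} SET LOGLEVEL={pairs};"


if __name__ == "__main__":
    # Constructed sample mirroring the documented example.
    sample = "av.agent:info|av.common:debug"
    print(parse_loglevel(sample))
    print(build_alter_host_loglevel("sample_host.example.com", sample))
```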

A.2.4 DEACTIVATE HOST

Use the DEACTIVATE HOST command to deactivate hosts that are specified by the hostname parameter.

The DEACTIVATE HOST command deactivates the host specified by hostname.

Syntax

DEACTIVATE HOST hostname

Arguments

Argument Description

hostname

The host name.

Usage Notes

Once a host is deactivated, it may not be able to connect to the Audit Vault Server.

Example

avcli> DEACTIVATE HOST sample_host.example.com;

Deactivates the host, sample_host.example.com. The agent process on this host may not be able to connect to the Audit Vault Server.

A.2.5 DROP HOST

Use the DROP HOST command to drop the host that is specified by the hostname parameter.

The DROP HOST command drops the host specified by hostname from the Audit Vault Server and removes any associated metadata.

After dropping a host, if you want to register it again to collect audit data, you must reinstall the Audit Vault Agent on this host.

Syntax

DROP HOST hostname

Arguments

Argument Description

hostname

The name of the host computer being dropped.

Usage Notes

Ensure that the agent process on this host is in the stopped state before dropping the host. The DROP HOST command will fail otherwise.

Example

avcli> DROP HOST sample_host;

The host, sample_host, and any associated metadata are dropped.

Oracle AVDF 20.5 and Later

Syntax

DROP HOST hostname [FORCE]

Arguments

Argument Description

hostname

The name of the host computer being dropped.

FORCE

Optional. Use this argument to forcibly drop the host and all associated trails when the host or its trails have been in the stopped state, or unreachable, for more than two hours.

A.2.6 LIST HOST

Use the LIST HOST command to see the names of registered Agent host computers.

The LIST HOST command lists the names of the currently registered agent host computers.

Syntax

LIST HOST

Example

avcli> LIST HOST;

The various active hosts registered with the Audit Vault Server are listed.

Oracle AVDF 20.3 and Later

This command lists the various active hosts registered with the Audit Vault Server.

Syntax

LIST HOST [hostname]

Arguments

Argument Description

hostname

Optional. Specify a host name to list only that active host.

Example

avcli> list host testhost1;

Lists the details of testhost1 registered with the Audit Vault Server.

A.2.7 REGISTER HOST

Learn about the REGISTER HOST AVCLI command.

The REGISTER HOST command adds the host to Audit Vault Server and identifies it as a host machine on which an Agent can be deployed.

Syntax

REGISTER HOST <host_name> WITH IP <ip_address>

Arguments

Argument Description

host_name

The name of the host computer that you want to register.

ip_address

The IP address associated with the host.

Usage Notes

To change the IP address associated with a host, use the ALTER HOST command.

Example

avcli> REGISTER HOST sample_host.example.net with ip 192.0.2.1;

Registers the host machine, sample_host.example.net, and associates it with the IP address 192.0.2.1.

A.3 Database Firewall AVCLI Commands

The AVCLI Database Firewall commands enable you to configure the Database Firewall.

A.3.1 About the Database Firewall AVCLI Commands

The AVCLI database firewall commands enable you to perform tasks such as registering or altering a database firewall.

A.3.2 ALTER FIREWALL

Use the ALTER FIREWALL command to alter Oracle Database Firewall attributes.

The ALTER FIREWALL command alters the Database Firewall attributes.

Syntax

ALTER FIREWALL firewall_name SET attribute=value [, attribute=value]

Arguments

Argument Description

firewall_name

The name of the Database Firewall.

attribute

The attribute=value pair (attribute and its new value) for the Database Firewall. Separate multiple pairs by a space on the command line. See Table A-4 for the list of attributes.

Usage Notes

Table A-4 lists Database Firewall attributes that you can specify for the attribute=value argument.

Table A-4 Oracle Database Firewall Attributes

Parameter Description

NAME

The new name of the Database Firewall.

IP

The IP address of the Database Firewall.

Example

avcli> ALTER FIREWALL sample_fw1 SET NAME=sample_newfw1;

Database Firewall name changes from sample_fw1 to sample_newfw1.

avcli> ALTER FIREWALL sample_fw1 SET IP=192.0.2.169;

Database Firewall IP address is set to 192.0.2.169.

A.3.3 CREATE RESILIENT PAIR

Use the CREATE RESILIENT PAIR command to create a resilient pair with two Oracle Database Firewall installations for high availability.

The CREATE RESILIENT PAIR command creates a resilient pair with two Database Firewalls for high availability.

Syntax

CREATE RESILIENT PAIR FOR FIREWALL PRIMARY primary_firewall
  STANDBY standby_firewall

Arguments

Argument Descriptions

primary_firewall

The name of the primary Database Firewall. Only this firewall can generate syslog alerts.

standby_firewall

The name of the standby Database Firewall.

This argument is available starting with Oracle AVDF release 20.6.

Starting with Oracle AVDF 20.6, pairing the Database Firewall instances runs as a background job. Check the status of high availability pairing in the Jobs dialog in the Audit Vault Server console, under the job entry Create DBFW resilient pair. After the pairing completes, navigate to the Database Firewalls tab and then to the High Availability tab in the left navigation menu to verify the resilient pair.

Example

avcli> CREATE RESILIENT PAIR FOR FIREWALL PRIMARY sample_fw1 SECONDARY sample_fw2;

A resilient pair is created with primary Database Firewall sample_fw1 and standby Database Firewall sample_fw2.

A.3.4 DROP FIREWALL

Use the DROP FIREWALL command to drop a registered Oracle Database Firewall from Oracle Audit Vault Server.

The DROP FIREWALL command drops an already registered Database Firewall from the Audit Vault Server.

Syntax

DROP FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> DROP FIREWALL sample_fw;

The Database Firewall sample_fw is dropped.

A.3.5 DROP RESILIENT PAIR

Learn to use the DROP RESILIENT PAIR command to drop a resilient pair that contains the specified Oracle Database Firewall.

The DROP RESILIENT PAIR command drops the resilient pair that contains the specified Database Firewall.

Syntax

DROP RESILIENT PAIR HAVING FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> DROP RESILIENT PAIR HAVING FIREWALL sample_fw1;

The existing resilient pair that includes Database Firewall sample_fw1 is broken.

A.3.6 LIST FIREWALL

Use the LIST FIREWALL command to list all of the Oracle Database Firewall installations that are registered with an Oracle Audit Vault Server.

The LIST FIREWALL command lists all the Database Firewalls registered with the Audit Vault Server.

Syntax

LIST FIREWALL

Example

avcli> LIST FIREWALL;

A list of Oracle Database Firewalls that are registered with Oracle Audit Vault Server appears.

A.3.7 POWEROFF FIREWALL

You can use the POWEROFF FIREWALL command to turn off the power for a named Oracle Database Firewall that is registered with Oracle Audit Vault Server.

The POWEROFF FIREWALL command powers off a named Database Firewall that is already registered with the Audit Vault Server.

Syntax

POWEROFF FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> POWEROFF FIREWALL sample_fw;

The Database Firewall sample_fw switches off.

A.3.8 REBOOT FIREWALL

Use the REBOOT FIREWALL command to reboot a named Oracle Database Firewall that is registered with Oracle Audit Vault Server.

The REBOOT FIREWALL command reboots a named Database Firewall that is already registered with the Audit Vault Server.

Syntax

REBOOT FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> REBOOT FIREWALL sample_fw;

The Database Firewall sample_fw reboots.

A.3.9 REGISTER FIREWALL

Use the REGISTER FIREWALL command to register an Oracle Database Firewall that has a specific IP address with Oracle Audit Vault Server.

The REGISTER FIREWALL command registers the Database Firewall that has the specified IP address with the Audit Vault Server.

Syntax

REGISTER FIREWALL firewall_name WITH IP ip_address

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

ip_address

The IP address of the Database Firewall.

Usage Notes

The Database Firewall must be installed at the given IP address location.

To specify a firewall name with a space, enclose the entire string in quotes.

Example

avcli> REGISTER FIREWALL sample_fw WITH IP 192.0.2.14;

Registers the Database Firewall sample_fw, which is installed at IP address 192.0.2.14.

A.3.10 SWAP RESILIENT PAIR

Learn how to use the SWAP RESILIENT PAIR command to swap Oracle Database Firewall installations that are part of a resilient pair that includes a named Oracle Database Firewall.

The SWAP RESILIENT PAIR command swaps Database Firewalls in a resilient pair that includes the named Database Firewall.

Syntax

SWAP RESILIENT PAIR HAVING FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> SWAP RESILIENT PAIR HAVING FIREWALL sample_fw1;

In the existing resilient pair that includes Database Firewall sample_fw1, the roles are swapped: the primary firewall becomes the secondary and the secondary becomes the primary.

A.3.11 SHOW STATUS FOR FIREWALL

Learn how to use the SHOW STATUS FOR FIREWALL command to show the status for an Oracle Database Firewall installation.

The SHOW STATUS command displays the status for a particular Database Firewall.

Syntax

SHOW STATUS FOR FIREWALL firewall_name

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

Example

avcli> SHOW STATUS FOR FIREWALL sample_fw1;

The running information for Oracle Database Firewall sample_fw1 appears.

A.4 Database Firewall Monitors AVCLI Commands

The AVCLI commands for Database Firewall monitoring points enable you to configure the Database Firewall.

A.4.1 About Database Firewall Monitors AVCLI Commands

The AVCLI commands for Database Firewall monitoring points enable you to configure the host computer on which the Audit Vault Agent resides.

A.4.2 ALTER DATABASE FIREWALL MONITOR

Use the ALTER DATABASE FIREWALL MONITOR command to alter monitoring points and their attributes.

The ALTER DATABASE FIREWALL MONITOR command alters the monitoring point and the related attributes.

Syntax

ALTER DATABASE FIREWALL MONITOR FOR TARGET <target name> USING FIREWALL <firewall name> SET <options>

Arguments

Argument Description

firewall name

The name of the Database Firewall which is associated with the monitoring point.

target name

The name of the target which is associated with the Database Firewall monitoring point.

options

Every option must be in <attribute=value> format.

The following attributes can be included in options:

MODE=Monitoring_Blocking_Proxy / Monitoring_Out_Of_Band / Monitoring_Host_Monitor

PRESERVE_CONNECTION=TRUE/FALSE

NETWORK_INTERFACE_CARD=new_network_interface_card

DATABASE_RESPONSE=TRUE/FALSE

FULL_ERROR_MESSAGE=TRUE/FALSE

DATABASE_INTERROGATION=TRUE/FALSE

DDI_DB_ADDRESS = <database_address>

DDI_DB_PORT = <port>

DDI_DB_NAME = <database_name>

DDI_DB_CREDENTIAL = <credential>

ADD_ADDRESS=<ip:port[:service name | SID]>

REMOVE_ADDRESS=<ip:port[:service name | SID]>

ADD_ADDRESS

The address of the target which needs to be monitored by the Database Firewall.

The address must be in the following format: ip:port[:service name | SID]

REMOVE_ADDRESS

The address of the target which needs to be removed from being monitored by the Database Firewall.

NETWORK_INTERFACE_CARD

The new network interface card (or traffic source) for the Database Firewall monitoring point.

For Monitoring_Host_Monitor (Oracle AVDF release 20.3 and later) deployment mode, provide the name of the network interface card which has an IP address configured.

MODE

The Database Firewall deployment mode. Valid modes are:

  • Monitoring (Out-of-Band)
  • Monitoring (Host Monitor)
  • Monitoring / Blocking (Proxy)

PRESERVE_CONNECTION

True or False where True indicates that when the Database Firewall starts operating in monitoring and blocking mode (either because it had been changed from monitoring only mode, or because it has restarted), any existing connections passing through the firewall are allowed to continue. This favors availability over security, because the firewall cannot enforce policy on these connections.

False indicates that any pre-existing connections are broken. The Database Firewall can then enforce the policy when clients reconnect. This is the default behavior.

DATABASE_RESPONSE

True or False. True activates the database response monitoring function for the monitoring point.

FULL_ERROR_MESSAGE

True or False. True enables this option, which logs the error message associated with the error code.

Arguments in Release Oracle AVDF 20.5 and Earlier

Argument Description

DDI_DB_ADDRESS

The address of the database for which the native network encrypted traffic monitoring needs to be enabled.

DDI_DB_PORT

The port number of the database for which the native network encrypted traffic monitoring needs to be enabled.

DDI_DB_NAME

The name of the database for which the native network encrypted traffic monitoring needs to be enabled.

DDI_DB_CREDENTIAL

The credentials used to connect to the database for which the native network encrypted traffic monitoring option needs to be enabled. The credentials must be specified in the format <user name>/<password>.

DATABASE_INTERROGATION

True or False. True enables this option, which starts the native network encrypted traffic monitoring feature.

Arguments in Release Oracle AVDF 20.6 and Later

Argument Description

DB_ADDRESS_FOR_DECRYPTION

The address of the database for which the native network encrypted traffic monitoring needs to be enabled.

DB_PORT_FOR_DECRYPTION

The port number of the database for which the native network encrypted traffic monitoring needs to be enabled.

DB_NAME_FOR_DECRYPTION

The name of the database for which the native network encrypted traffic monitoring needs to be enabled.

DB_CREDENTIAL_FOR_DECRYPTION

The credentials used to connect to the database for which the native network encrypted traffic monitoring option needs to be enabled. The credentials must be specified in the format <user name>/<password>.

DECRYPT_WITH_NNE_KEY

True or False. True enables this option, which starts the native network encrypted traffic monitoring feature.

Usage Notes

Attributes are specified as a comma-separated list of key=value pairs. The supported keys are the attributes listed under the options argument above.

Note:

  • The ADD_ADDRESS and REMOVE_ADDRESS attributes apply to a single target only. They are not applicable to a RAC monitoring point.
  • Only one network interface card or traffic source can be used.

Examples

avcli> ALTER DATABASE FIREWALL MONITOR FOR TARGET target1 USING FIREWALL fw1 SET MODE=monitoring_out_of_band;
avcli> ALTER DATABASE FIREWALL MONITOR FOR TARGET target1 USING FIREWALL fw1 SET database_response=true, full_error_message=true;
avcli> ALTER DATABASE FIREWALL MONITOR FOR TARGET target1 USING FIREWALL fw1 SET add_address=1.2.3.4:1234:dbfwfb;

A.4.3 CREATE DATABASE FIREWALL MONITOR

The CREATE DATABASE FIREWALL MONITOR command creates Database Firewall monitoring points to protect the targets.

The CREATE DATABASE FIREWALL MONITOR command creates a Database Firewall monitoring point with the specified name and protects the target with monitoring only, or monitoring and blocking mode.

Syntax

CREATE DATABASE FIREWALL MONITOR FOR TARGET <target name> USING FIREWALL <firewall name> WITH MODE <mode name> NETWORK INTERFACE CARD <network interface card name> [PROXY PORT <proxy port number>] [ADD ADDRESS <ip:port[:service name | SID]>] [FOR TARGET MODE RAC]

Arguments

Argument Descriptions

target name

The name of the target.

firewall name

The name of the Database Firewall.

network interface card name

The name of the network interface card (NIC). Only one NIC is allowed.

For Monitoring_Host_Monitor (Oracle AVDF release 20.3 and later) deployment mode, provide the name of the network interface card which has an IP address configured.

proxy port number

The proxy port number. Required only for the Monitoring_Blocking_Proxy deployment mode.

mode name

The available deployment modes are:

  • Monitoring_Blocking_Proxy
  • Monitoring_Out_Of_Band
  • Monitoring_Host_Monitor

For Monitoring_Blocking_Proxy mode, both the network interface card and the proxy port must be specified and only one address can be added.

For the Monitoring_Out_Of_Band and Monitoring_Host_Monitor modes, the network interface card must be set and the proxy port does not apply. One or more addresses can be added.

address

The IP address for the first Database Firewall monitoring point. It is mandatory for the first Database Firewall monitoring point for the specific target and Database Firewall, and it is not allowed for subsequent monitoring points.

Format: <ip:port[:service name | SID]>

ip

The IP address.

port

The port number.

service name

The service name or SID of the Oracle Database.

FOR TARGET MODE RAC

Can be set only for Oracle Database targets, and only if the proxy port is set.

Example

avcli> create database firewall monitor for target target1 using firewall fw1 mode Monitoring_Blocking_Proxy network interface card nic1 proxy port 1234 add address 192.0.2.1:1234:srcdb for target mode rac;

Creates a Database Firewall monitoring point on firewall fw1 using network interface card nic1 with proxy port 1234, protects target target1 in Monitoring_Blocking_Proxy mode, and adds the address (host 192.0.2.1, port 1234, service srcdb) as a RAC instance.
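
The following Python checker is an added example, not part of the Oracle documentation: it validates a planned monitoring point against the rules stated for this command and for the ADD_ADDRESS attribute of ALTER DATABASE FIREWALL MONITOR (the ip:port[:service name | SID] address format, which modes take a proxy port, how many addresses each mode accepts, and the RAC restriction) and renders the AVCLI statements. The IPv4-only reading of the address format, the target type default, and all target, firewall and NIC names are assumptions.

```python
"""Pre-flight validation for CREATE DATABASE FIREWALL MONITOR (added example, not
Oracle's code). Encodes the rules stated in the reference: the address format
ip:port[:service name | SID] (shared with ALTER ... SET ADD_ADDRESS), which modes
take a proxy port, how many addresses each mode accepts, and when RAC is allowed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MODES = ("Monitoring_Blocking_Proxy", "Monitoring_Out_Of_Band", "Monitoring_Host_Monitor")
PROXY_MODE = "Monitoring_Blocking_Proxy"


def parse_address(text: str) -> Tuple[str, int, Optional[str]]:
    """Parse 'ip:port[:service name | SID]' into (ip, port, service_or_None).
    Assumption: the colon-delimited form only fits IPv4 literals; port is 1-65535."""
    parts = text.strip().split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"address {text!r} must be ip:port or ip:port:service")
    try:
        ip = str(ipaddress.IPv4Address(parts[0]))
    except ipaddress.AddressValueError:
        raise ValueError(f"{parts[0]!r} is not a valid IPv4 address") from None
    if not parts[1].isdigit() or not 1 <= int(parts[1]) <= 65535:
        raise ValueError(f"{parts[1]!r} is not a valid port")
    service = parts[2] if len(parts) == 3 else None
    if service == "":
        raise ValueError(f"address {text!r} has an empty service name")
    return ip, int(parts[1]), service


@dataclass
class MonitorSpec:
    target: str
    firewall: str
    mode: str
    nic: str                                    # exactly one NIC / traffic source
    proxy_port: Optional[int] = None
    addresses: List[str] = field(default_factory=list)
    rac: bool = False                           # FOR TARGET MODE RAC
    target_type: str = "Oracle"                 # constructed default
    first_for_target_and_firewall: bool = True  # first monitoring point for this pair?


def validate(spec: MonitorSpec) -> List[str]:
    """Return every rule violation found; an empty list means the spec is acceptable."""
    problems: List[str] = []
    if spec.mode not in MODES:
        problems.append(f"unknown mode {spec.mode!r}; valid modes: {', '.join(MODES)}")
    if not spec.nic:
        problems.append("a network interface card is required in every mode")
    if spec.mode == PROXY_MODE and spec.proxy_port is None:
        problems.append("Monitoring_Blocking_Proxy requires a proxy port")
    if spec.mode in MODES and spec.mode != PROXY_MODE and spec.proxy_port is not None:
        problems.append(f"{spec.mode} does not accept a proxy port")
    # Address: mandatory on the first monitoring point for a target/firewall pair, not allowed later.
    if spec.first_for_target_and_firewall:
        if not spec.addresses:
            problems.append("an address is mandatory for the first monitoring point")
        elif spec.mode == PROXY_MODE and len(spec.addresses) > 1:
            problems.append("Monitoring_Blocking_Proxy allows only one address")
    elif spec.addresses:
        problems.append("addresses are not allowed on subsequent monitoring points")
    for addr in spec.addresses:
        try:
            parse_address(addr)
        except ValueError as exc:
            problems.append(str(exc))
    if spec.rac and spec.target_type.lower() != "oracle":
        problems.append("FOR TARGET MODE RAC can be set only for Oracle Database targets")
    if spec.rac and spec.proxy_port is None:
        problems.append("FOR TARGET MODE RAC requires a proxy port")
    return problems


def build_statements(spec: MonitorSpec) -> List[str]:
    """Render a valid spec as AVCLI statements, each ending in the required semicolon.
    The documented CREATE syntax shows one ADD ADDRESS clause, so the first address
    goes there and any further addresses use the documented ALTER ... ADD_ADDRESS."""
    problems = validate(spec)
    if problems:
        raise ValueError("; ".join(problems))
    create = (f"CREATE DATABASE FIREWALL MONITOR FOR TARGET {spec.target} "
              f"USING FIREWALL {spec.firewall} WITH MODE {spec.mode} "
              f"NETWORK INTERFACE CARD {spec.nic}")
    if spec.proxy_port is not None:
        create += f" PROXY PORT {spec.proxy_port}"
    if spec.addresses:
        create += f" ADD ADDRESS {spec.addresses[0]}"
    if spec.rac:
        create += " FOR TARGET MODE RAC"
    statements = [create + ";"]
    for addr in spec.addresses[1:]:
        statements.append(f"ALTER DATABASE FIREWALL MONITOR FOR TARGET {spec.target} "
                          f"USING FIREWALL {spec.firewall} SET ADD_ADDRESS={addr};")
    return statements


if __name__ == "__main__":
    print("\n".join(build_statements(MonitorSpec("target1", "fw1", PROXY_MODE, "nic1", 1234, ["192.0.2.1:1234:srcdb"], rac=True))))
```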

A.4.4 DROP DATABASE FIREWALL MONITOR

Use the DROP DATABASE FIREWALL MONITOR command to drop monitoring points.

The DROP DATABASE FIREWALL MONITOR command drops the monitoring point.

Syntax

DROP DATABASE FIREWALL MONITOR FOR TARGET <target name> USING FIREWALL <firewall name>

Arguments

Argument Descriptions

firewall name

The name of the Database Firewall.

target name

The name of the target.

Examples

avcli> DROP DATABASE FIREWALL MONITOR FOR TARGET sample_source USING FIREWALL sample_fw;
avcli> DROP DATABASE FIREWALL MONITOR FOR TARGET target1 USING FIREWALL fw1;

The monitoring point is dropped.

A.4.5 LIST DATABASE FIREWALL MONITOR

Use the LIST DATABASE FIREWALL MONITOR command to list all of the monitoring points associated with either the Database Firewall or the target.

The LIST DATABASE FIREWALL MONITOR command lists the monitoring points associated with either the Database Firewall or the target.

Syntax

LIST DATABASE FIREWALL MONITOR FOR FIREWALL <firewall_name>
LIST DATABASE FIREWALL MONITOR FOR TARGET <target_name>

Arguments

Argument Descriptions

firewall_name

The name of the Database Firewall.

target_name

The name of the target.

Example

avcli> LIST DATABASE FIREWALL MONITOR FOR FIREWALL sample_fw;

A list of all the monitoring points associated with the Database Firewall sample_fw appears.

avcli> LIST DATABASE FIREWALL MONITOR FOR TARGET sample_source;

A list of all the monitoring points associated with the target sample_source appears.

A.4.6 START DATABASE FIREWALL MONITOR

Learn how to use the START DATABASE FIREWALL MONITOR command to start a monitoring point that was previously suspended.

The START DATABASE FIREWALL MONITOR command starts a monitoring point that was previously suspended.

Syntax

START DATABASE FIREWALL MONITOR FOR TARGET <target name> USING FIREWALL <firewall name>

Arguments

Argument Descriptions

firewall name

The name of the Database Firewall.

target name

The name of the target.

Examples

avcli> START DATABASE FIREWALL MONITOR FOR TARGET sample_source USING FIREWALL sample_fw;
avcli> START DATABASE FIREWALL MONITOR FOR TARGET target1 USING FIREWALL fw1;

The monitoring point is started.

A.4.7 STOP DATABASE FIREWALL MONITOR

Use the STOP DATABASE FIREWALL MONITOR command to stop a monitoring point.

The STOP DATABASE FIREWALL MONITOR command stops the monitoring point of the target.

Syntax

STOP DATABASE FIREWALL MONITOR FOR TARGET <target name> USING FIREWALL <firewall name>

Arguments

Argument Descriptions

firewall name

The name of the Database Firewall.

target name

The name of the target.

Examples

avcli> STOP DATABASE FIREWALL MONITOR FOR TARGET sample_source USING FIREWALL sample_fw;
avcli> STOP DATABASE FIREWALL MONITOR FOR TARGET target1 USING FIREWALL fw1;

The monitoring point is stopped.

A.5 Target AVCLI Commands

The AVCLI target commands enable you to configure both database and nondatabase targets for Audit Vault Server.

The terms TARGET and SECURED TARGET are generally synonymous in this release of Oracle Audit Vault and Database Firewall.

A.5.1 About the Target AVCLI Commands

The target AVCLI commands enable you to perform tasks such as registering or altering a target.

A.5.2 ALTER SECURED TARGET

Use the ALTER SECURED TARGET command to modify the attributes of targets.

The ALTER SECURED TARGET command modifies the attributes of a target.

Syntax

ALTER SECURED TARGET secured_target_name  
   SET attribute=value [, attribute=value]

Arguments

Argument Description

attribute=value

The key/value pair for the target attributes of the target to be modified. You can modify one or more target attributes at a time using a space on the command line.

service

REQUIRED FOR ORACLE DATABASE ONLY: The service name or SID

Table A-5 lists the target attributes that you can specify.

Table A-5 Target Attributes

Attribute Description

NAME

The name of the target database to be modified. The name is case-sensitive and must not already be in use by another target in the Audit Vault Server.

Special characters (&<>"/;,*|=% --) cannot be used for target names.

See Also:

LIST SECURED TARGET to find a list of existing targets.

LOCATION

The location of the target.

Note: If the target location was not specified during registration and credentials are required to connect to the target, then specify the credentials along with the target location.

CREDENTIALS

The new username used to connect to the target. Audit Vault Server prompts for the new password.

Credentials in <new username>/<new password> format are accepted through a .av file.

DESCRIPTION

The description for this target database instance.

MAXIMUM_ENFORCEMENT_POINT_THREADS

The maximum number of monitoring point threads for the target. The valid range is between 1 and 16 (inclusive). The default value is 1.

General Usage Examples

avcli> ALTER SECURED TARGET sample_source SET name=sample_source2;

The target name sample_source is changed to sample_source2.

avcli> ALTER SECURED TARGET sample_source SET credentials=scott;

The credentials used to connect to the target, sample_source, are changed.

avcli> ALTER SECURED TARGET sample_source SET description='This is a new description';

The description for the target, sample_source, is changed.

avcli> ALTER SECURED TARGET sample_source SET maximum_enforcement_point_threads=14;

The maximum number of monitoring point threads for the target, sample_source, is set to 14.

avcli> ALTER SECURED TARGET sample_source set maximum_enforcement_point_threads = 10;

Sets the maximum number of monitoring point threads for target sample_source to 10.

Oracle Example:

avcli> ALTER SECURED TARGET sample_source SET location=jdbc:oracle:thin:@//new_sample_host:1521/sample_db;

The location of the target, sample_source, changes.

A.5.3 DROP SECURED TARGET

Learn how to use the DROP SECURED TARGET command to remove the registration of a specified target from Oracle Audit Vault Server.

The DROP SECURED TARGET command removes the registration of the specified target from Audit Vault Server.

Syntax

DROP SECURED TARGET secured_target_name

Arguments

Argument Description

secured_target_name

The name of the target. To find all registered targets, see "LIST SECURED TARGET".

Usage Notes

Ensure that all trails associated with this target are in stopped state before dropping the target. Otherwise, the DROP SECURED TARGET command fails. See HELP STOP COLLECTION for an explanation of how to stop active trails.

Dropping a target stops the Audit Vault Server from monitoring it. Any audit data collected earlier continues to be available in the Audit Vault Server repository.

Examples

avcli> DROP SECURED TARGET sample_source;

Drops the sample_source target.

A.5.4 LIST ATTRIBUTE FOR SECURED TARGET

Use the LIST ATTRIBUTE FOR SECURED TARGET command to list the attributes of targets.

The LIST ATTRIBUTE FOR SECURED TARGET command lists the attributes of a given target.

Syntax

LIST ATTRIBUTE FOR SECURED TARGET secured_target_name

Arguments

Argument Description

secured_target_name

The name of the target. To find all registered targets, see "LIST SECURED TARGET".

A.5.5 LIST METRICS

Use the LIST METRICS command to list the metrics of a given target, such as various trails.

The LIST METRICS command lists the metrics of a given target, such as various trails.

Syntax

LIST METRICS FOR SECURED TARGET secured_target_name

Arguments

Argument Description

secured_target_name

The name of the target. To find all registered targets, see "LIST SECURED TARGET".

Usage Notes

The LIST METRICS command has the same usage for all target types.

Examples

avcli> LIST METRICS FOR SECURED TARGET sample_source;

Metrics available for the target, sample_source, are listed.

A.5.6 LIST SECURED TARGET

Use the LIST SECURED TARGET command to list various active targets that are registered with Audit Vault Server.

The LIST SECURED TARGET command lists the active targets registered with the Audit Vault Server.

Syntax

LIST SECURED TARGET;

Lists the active target names registered with Audit Vault Server.

A.5.7 LIST SECURED TARGET TYPE

Use the LIST SECURED TARGET TYPE command to list various target types that are registered with Audit Vault Server.

The LIST SECURED TARGET TYPE command lists various target types currently registered in the Audit Vault Server.

Syntax

LIST SECURED TARGET TYPE

Example

avcli> list secured target type;

Lists various target type names currently registered with the Audit Vault Server.

A.5.8 REGISTER SECURED TARGET

Use the REGISTER SECURED TARGET command to register targets to be monitored by Audit Vault Server.

The REGISTER SECURED TARGET command registers a target to be monitored by Audit Vault Server.

Syntax

REGISTER SECURED TARGET secured_target_name OF SECURED TARGET TYPE 
   "secured_target_type" [AT location] [AUTHENTICATED BY username] [DEPLOYMENT MODE deployment mode]

Arguments

Argument Description

secured_target_name

Name of target. Must be unique.

Special characters (&<>"/;,*|=% --) cannot be used for target names.

secured_target_type

A valid target type, for example "Oracle".

See Also:

LIST SECURED TARGET TYPE to find a list of supported target types.

location

The target database connection information.

See Also:

ALTER SECURED TARGET

This is optional. It can be added later.

The location is an opaque string that specifies how to connect to the target, typically a JDBC connect string. The syntax that you use depends on the target type. See the database-specific Usage Notes below.

If location is not provided, certain features such as entitlement retrieval, audit settings management, SPA retrieval, and audit trail collection are disabled if applicable to this target type.

username

Optional. The user name used to connect to the target.

After you enter the username argument, Audit Vault Server prompts you for the password of the target user account. For target databases, this account must exist on the target database.

See the database specific usage notes in the following sections.

DEPLOYMENT MODE

Optional. The deployment mode of the target. This argument is available starting with Oracle AVDF release 20.7.

For Oracle Database having Active Data Guard with Unified Auditing, specify the DEPLOYMENT MODE as ADG. For additional information, refer to Additional Information for Audit Collection from Oracle Active Data Guard.

General Examples

avcli> HELP REGISTER SECURED TARGET;

Displays detailed help for the REGISTER SECURED TARGET command.

Oracle Database Usage Notes and Examples

  • Authentication credentials must be specified along with the target location if credentials are required to connect to the target.

  • For the location argument, enter the host name, port number, and service ID (SID), separated by a colon. Use the following syntax:

    AT host:port:service
    
  • The JDBC connect string formats for the different target types are as follows:

    Oracle Database: jdbc:oracle:thin:@//<host>:<port>/<service name | SID>

    Sybase ASE and Sybase SQL Anywhere: jdbc:av:sybase://<host>:<port>

    Microsoft SQL Server: jdbc:av:sqlserver://<host>:<port>

    IBM DB2 DBARS and IBM DB2 LUW: jdbc:av:db2://<host>:<port>/<database name>

    MySQL: jdbc:av:mysql://<host>:<port>/mysql

  • If you are unsure of this connection information, then run the lsnrctl status listener_name command on the computer where you installed the target database.

  • For the AUTHENTICATED BY command, enter the user name, and Audit Vault Server prompts you for the password. AUTHENTICATED BY <username>/<password> is accepted from file input through .av file. This user account must exist in the target database.

    To find this user, query the SESSION_PRIVS and SESSION_ROLES data dictionary views.

  • For Oracle Database having Active Data Guard with Unified Auditing, specify the DEPLOYMENT MODE as ADG.

Oracle Database Examples

avcli> REGISTER SECURED TARGET sample_source OF SECURED TARGET TYPE "Oracle Database" 
   AT jdbc:oracle:thin:@//anymachinename:1521/example.com  
   AUTHENTICATED BY system DEPLOYMENT MODE ADG;

Registers an Oracle target, sample_source, of target type Oracle Database, reachable using the connect string jdbc:oracle:thin:@//anymachinename:1521/example.com, authenticated as system, with deployment mode ADG.

SQL Server Example With DB

avcli> REGISTER SECURED TARGET sample_mssqldb OF SECURED TARGET TYPE "Microsoft SQL Server" AT jdbc:av:sqlserver://hostname:port authenticated by <user>;

SQL Server Example with Windows Authentication

avcli> REGISTER SECURED TARGET sample_mssqldb OF SECURED TARGET TYPE "Microsoft SQL Server" AT "jdbc:av:sqlserver://<Host Name>:<Port>;authenticationMethod=ntlmjava;domain=<domain name>" authenticated by <windows user>;

IBM DB2 Example

avcli> REGISTER SECURED TARGET sample_db2db OF SECURED TARGET TYPE "IBM DB2 LUW" AT jdbc:av:db2://host:port authenticated by sa;

Registers a DB2 target, sample_db2db, of target type "IBM DB2 LUW", reachable using the connect string jdbc:av:db2://host:port and authenticated as sa.
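The following added example (not part of the Oracle reference) builds a REGISTER SECURED TARGET statement from its parts and enforces the rules stated above before anything reaches AVCLI: the forbidden characters in target names, the documented JDBC connect-string shape for each target type, the double-quoting a connect string needs when it carries ";"-separated driver properties, and the rule that only a bare user name is passed so that AVCLI prompts for the password. The regular expressions and the target-type strings used as dictionary keys are assumptions based on the formats and examples on this page.

```python
import re

# Characters and sequences that AVCLI rejects in target names (from the
# REGISTER SECURED TARGET argument description).
FORBIDDEN_NAME_CHARS = set('&<>"/;,*|=%')
FORBIDDEN_NAME_SEQUENCES = ("--",)

# Documented JDBC connect-string shape per target type. The type strings and the
# regular expressions are assumptions that encode only the prefixes shown on the
# page; the database part is optional where the page's own examples omit it.
_HOSTPORT = r"[^:/\s;]+:\d{1,5}"
JDBC_FORMATS = {
    "Oracle Database": re.compile(r"^jdbc:oracle:thin:@//" + _HOSTPORT + r"/\S+$"),
    "Sybase ASE": re.compile(r"^jdbc:av:sybase://" + _HOSTPORT + r"$"),
    "Sybase SQL Anywhere": re.compile(r"^jdbc:av:sybase://" + _HOSTPORT + r"$"),
    "Microsoft SQL Server": re.compile(r"^jdbc:av:sqlserver://" + _HOSTPORT + r"(;\S*)?$"),
    "IBM DB2 LUW": re.compile(r"^jdbc:av:db2://" + _HOSTPORT + r"(/\S+)?$"),
    "IBM DB2 DBARS": re.compile(r"^jdbc:av:db2://" + _HOSTPORT + r"(/\S+)?$"),
    "MySQL": re.compile(r"^jdbc:av:mysql://" + _HOSTPORT + r"/mysql$"),
}


def validate_target_name(name):
    """Reject names AVCLI would refuse (special characters, '--', empty)."""
    if not name or name != name.strip():
        raise ValueError("target name must be non-empty and have no surrounding whitespace")
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        raise ValueError(f"target name {name!r} contains forbidden characters {bad}")
    for seq in FORBIDDEN_NAME_SEQUENCES:
        if seq in name:
            raise ValueError(f"target name {name!r} contains forbidden sequence {seq!r}")
    return name


def validate_location(target_type, location):
    """Check the location against the documented connect-string shape for the type."""
    pattern = JDBC_FORMATS.get(target_type)
    if pattern is None:
        raise ValueError(f"no documented connect-string format for target type {target_type!r}")
    if not pattern.match(location):
        raise ValueError(f"location {location!r} does not match the documented format for {target_type}")
    return location


def quote_location(location):
    """Double-quote a connect string that AVCLI would otherwise cut at ';' or whitespace.

    The SQL Server Windows-authentication form carries ';'-separated driver
    properties and is shown quoted on the page for exactly this reason.
    """
    if ";" in location or any(ch.isspace() for ch in location):
        return '"' + location + '"'
    return location


def build_register_command(name, target_type, location=None, username=None, deployment_mode=None):
    """Return a complete REGISTER SECURED TARGET statement, terminated with ';'."""
    validate_target_name(name)
    parts = [f'REGISTER SECURED TARGET {name} OF SECURED TARGET TYPE "{target_type}"']
    if location is not None:
        validate_location(target_type, location)
        parts.append(f"AT {quote_location(location)}")
    if username is not None:
        # Only the user name goes on the command line: AVCLI prompts for the password,
        # so it never lands in shell history. The username/password form is accepted
        # only from a .av script file, which this builder deliberately does not emit.
        if "/" in username:
            raise ValueError("pass the user name only; AVCLI prompts for the password")
        parts.append(f"AUTHENTICATED BY {username}")
    if deployment_mode is not None:
        # ADG is the only deployment mode documented on the page (Oracle AVDF 20.7+).
        if deployment_mode != "ADG":
            raise ValueError(f"undocumented deployment mode {deployment_mode!r}")
        parts.append(f"DEPLOYMENT MODE {deployment_mode}")
    return " ".join(parts) + ";"


if __name__ == "__main__":
    # Constructed sample inputs mirroring the page's Oracle and SQL Server examples.
    print(build_register_command("sample_source", "Oracle Database",
                                 "jdbc:oracle:thin:@//anymachinename:1521/example.com",
                                 "system", "ADG"))
    print(build_register_command("sample_mssqldb", "Microsoft SQL Server",
                                 "jdbc:av:sqlserver://dbhost:1433;authenticationMethod=ntlmjava;domain=EXAMPLE",
                                 "svc_audit"))
```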

A.5.9 UPLOAD OR DELETE WALLET FILE

Use the UPLOAD OR DELETE WALLET FILE command to upload or delete target wallet files.

This command is used to upload and delete a target wallet file.

Syntax

ALTER SECURED TARGET <Secured target name> SET WALLET_FILE=<Path of the wallet file>

ALTER SECURED TARGET <Secured target name> DROP ATTRIBUTE WALLET_FILE

Arguments

Argument Description

<Secured target name>

Name of the target.

WALLET_FILE

Name of wallet attribute (Key).

<Path of the wallet file>

Path to wallet file (Value).

Examples

alter secured target mysource set wallet_file=/dir1/dir2/wallet.sso;

Uploads the target wallet file to the specified location of the Audit Vault Server using a TCPS connection.

alter secured target mysource drop attribute wallet_file;

Deletes the target wallet from the location using a TCPS connection.

A.6 Target Group AVCLI Commands

The AVCLI target group commands enable you to alter a target group.

Table A-6 AVCLI Target Group Commands

Command          Description
ADD TARGET       Adds a specific target to a target group.
DELETE TARGET    Deletes a specific target from a target group.

A.6.1 ADD TARGET

Use this command to add a specific target to a target group.

Syntax

ALTER TARGETGROUP <target group name> ADD TARGET <target name>

HELP ALTER TARGETGROUP

Arguments

Argument Description

help

To seek help on available options.

target name

The name of the specific target that needs to be added.

target group name

The name of the specific target group.

Example

alter targetgroup tg1 add target t1;

A.6.2 ALTER TARGET GROUP

Use the ALTER TARGET GROUP command to modify the specified target group.

Use it to add targets to or delete targets from the specified target group, or to modify the description of the target group.

Note:

This command is available starting with Oracle AVDF release 20.3.

Syntax

ALTER TARGET GROUP <target group name> ADD TARGET <target name>

To add a target to an existing target group.

ALTER TARGET GROUP <target group name> DELETE TARGET <target name>

To remove the target from an existing target group.

ALTER TARGET GROUP <target group name> MODIFY DESCRIPTION <description>

To modify the description of an existing target group.

HELP ALTER TARGET GROUP

To seek help on available options.

Arguments

Argument Description

target group name

The name of the specified target group that needs to be modified.

target name

The name of the specified target that needs to be added or deleted from the target group.

description

The new description of the specified target group.

Examples

alter target group tg1 add target t1;

This command adds target t1 to the target group tg1.

alter target group tg1 delete target t1;

This command deletes target t1 from the target group tg1.

alter target group tg1 modify description 'new description';

The description of the specified target group is modified to the specified one.

A.6.3 CREATE TARGET GROUP

Use the CREATE TARGET GROUP command to create a target group with the specified name.

Creates a target group with the given name. Only a super administrator or super auditor can create a target group.

Note:

This command is available starting with Oracle AVDF release 20.3.

Syntax

CREATE TARGET GROUP <target group name>

Creates a target group with the specified name.

CREATE TARGET GROUP <target group name> DESCRIPTION <description>

Optionally add a description while creating the new target group.

Arguments

Argument Description

target group name

The name of the target group being created.

Special characters (&<>"/;,*|=% --) cannot be used in target group names.

Examples

CREATE TARGET GROUP test22;

A new target group with the name test22 is created.

create target group my_group2 description 'new group for new reports';

Creates a target group my_group2 with the description 'new group for new reports'.

A.6.4 DELETE TARGET

Use this command to delete a specific target from a target group.

Syntax

ALTER TARGETGROUP <target group name> DELETE TARGET <target name>

HELP ALTER TARGETGROUP

Arguments

Argument Description

help

To seek help on available options.

target name

The name of the specific target that needs to be deleted.

target group name

The name of the specific target group.

Example

alter targetgroup tg1 delete target t1;

A.6.5 DROP TARGET GROUP

Use the DROP TARGET GROUP command to remove the registration of the specified target group from Audit Vault Server.

Drops the specified target group from Audit Vault Server.

Note:

This command is available starting with Oracle AVDF release 20.3.

Syntax

DROP TARGET GROUP <target group name>

Arguments

Argument Description

target group name

The name of the specified target group being dropped.

Example

DROP TARGET GROUP test22;

The target group with the name test22 is dropped.

A.6.6 LIST TARGET GROUPS

Use the LIST TARGET GROUPS command to view a list of all target groups for a user.

Lists all target groups for the current user.

Note:

This command is available starting with Oracle AVDF release 20.3.

Syntax

LIST TARGET GROUPS

This command lists all the target groups for the current user.

Example

list target groups;

Lists all the target groups.

A.6.7 LIST TARGETS OF TARGET GROUP

Use the LIST TARGETS OF TARGET GROUP command to view a list of active targets in a specific target group.

Lists the active targets in a specific target group.

Note:

This command is available starting with Oracle AVDF release 20.3.

Syntax

LIST TARGETS OF TARGET GROUP <target group name>

This command lists various active targets in a specific target group. The output contains the name, location, and description for each target.

Arguments

Argument Description

target group name

The name of the target group for which the active targets are being listed.

Example

list targets of target group tg1;

Lists various active targets of the target group tg1.

A.7 Audit Trail Collection AVCLI Commands

The audit trail collection AVCLI commands enable you to perform tasks such as starting and stopping audit trail collections.

A.7.1 About Oracle Audit Trail AVCLI Commands

The AVCLI target audit trail collection commands enable you to manage the audit trail collections for the targets.

A.7.2 DROP TRAIL FOR SECURED TARGET

Use the DROP TRAIL FOR SECURED TARGET command to drop audit trails.

The DROP TRAIL FOR SECURED TARGET command drops a trail that no longer needs to be monitored.

Note:

An audit trail must be in a STOPPED state in order for it to be dropped. A trail that has previously collected audit data associated with it cannot be dropped.

Syntax

DROP TRAIL FOR SECURED TARGET secured_target_name USING HOST hostname FROM location [WITH CONNECTION <connection_name>]

Arguments

Argument Description

secured_target_name

The name of the target whose audit trail you want to drop.

hostname

The name of the host where the target agent resides.

location

The location is one of the following:

  • DIRECTORY directory name / mask

  • TABLE tablename

  • SYSLOG DEFAULT | filename / file mask

  • NETWORK

  • EVENT LOG eventlog name

  • TRANSACTION LOG directory name / mask

  • CUSTOM name

connection_name

Optional. The connection name. Applicable for Oracle AVDF release 20.7 and later.

For Oracle Database with Active Data Guard and Unified Auditing, a trail can connect to the current primary database through the failover connection string, or to an individual database in the Active Data Guard configuration through the connection name given in the WITH CONNECTION directive. Use the WITH CONNECTION directive only for Oracle Database with Active Data Guard and Unified Auditing.

Do not use the WITH CONNECTION directive for non-Active Data Guard databases.

Do not use the WITH CONNECTION directive for Active Data Guard databases with Traditional Auditing.

The connection name is either failover_connection or the audit collection attribute name, in the format av.target.connection.<name>, specified during target creation. For additional information, refer to Additional Information for Audit Collection from Oracle Active Data Guard.

Examples

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo FROM
   DIRECTORY /opt/audit_trail;

The audit trail from the directory /opt/audit_trail for target sample_source is dropped.

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo FROM TABLE sys.aud$;

The audit trail from table trail sys.aud$ for target sample_source is dropped.

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo FROM SYSLOG DEFAULT
   /usr/syslog/syslog*;

Syslog trail /usr/syslog/syslog* for target sample_source is dropped.

avcli> DROP TRAIL FOR SECURED TARGET sample_source USING HOST foo FROM TRANSACTION LOG /extract;

The transaction log trail from the directory /extract for target sample_source is dropped.

avcli> DROP TRAIL FOR SECURED TARGET mysource USING HOST foo FROM TABLE unified_audit_trail WITH CONNECTION failover_connection;

Deletes table trail unified_audit_trail for target mysource using failover connection specified during target registration. This is applicable only for Oracle Database having Active Data Guard with Unified Auditing starting with Oracle AVDF release 20.7.

avcli> DROP TRAIL FOR SECURED TARGET mysource USING HOST foo FROM TABLE unified_audit_trail WITH CONNECTION av.target.connection.<name>;

Deletes table trail unified_audit_trail for target mysource using connection name in the format av.target.connection.<name> specified during target registration. This is applicable only for Oracle Database having Active Data Guard with Unified Auditing starting with Oracle AVDF release 20.7.

A.7.3 LIST TRAIL FOR SECURED TARGET

Use the LIST TRAIL FOR SECURED TARGET command to list audit trails that have been started with the START COLLECTION command or stopped with the STOP COLLECTION command.

The LIST TRAIL FOR SECURED TARGET command lists the available audit trails that have been started with the START COLLECTION command or stopped with the STOP COLLECTION command.

Syntax

LIST TRAIL FOR SECURED TARGET secured_target_name

Arguments

Argument Description

secured_target_name

The name of the target.

To find a list of existing targets, see "LIST SECURED TARGET".

Usage Notes

LIST TRAIL FOR SECURED TARGET does not list audit trails that have been created but not yet started or stopped.

Examples

avcli> LIST TRAIL FOR SECURED TARGET sample_source;

The trails available for the target sample_source are listed.

A.7.4 START COLLECTION FOR SECURED TARGET

Learn how to use the START COLLECTION FOR SECURED TARGET command to begin the collection of specified audit trail data from targets.

The START COLLECTION FOR SECURED TARGET command starts the collection of specified audit trail data from a given target, optionally using the specified collection plug-in.

Note:

In case the audit trail does not already exist, then it is created and started.

Syntax

START COLLECTION FOR SECURED TARGET secured_target_name USING HOST host FROM location
   [USING PLUGIN plugin_id] [WITH CONNECTION <connection_name>]

Arguments

Argument Description

secured_target_name

The name of the target whose audit trail collection you want to begin.

host

The name of the host where the target agent resides.

location

The location is one of the following:

  • DIRECTORY directory name / mask

  • TABLE tablename

  • SYSLOG DEFAULT | filename / file mask

  • NETWORK

  • EVENT LOG eventlog_name

  • TRANSACTION LOG directory name / mask

  • CUSTOM name

plugin_id

The collection plug-in id being used. Required if there is more than one possible plug-in. Optional if there is only one plug-in.

connection_name

Optional. The connection name.

For Oracle Database with Active Data Guard and Unified Auditing, a trail can connect to the current primary database through the failover connection string, or to an individual database in the Active Data Guard configuration through the connection name given in the WITH CONNECTION directive.

Use the WITH CONNECTION directive only for Oracle Database with Active Data Guard and Unified Auditing, starting with Oracle AVDF release 20.7.

Do not use the WITH CONNECTION directive for non-Active Data Guard databases.

Do not use the WITH CONNECTION directive for Active Data Guard databases with Traditional Auditing.

The connection name is either failover_connection or the audit collection attribute name, in the format av.target.connection.<name>, specified during target creation. For additional information, refer to Additional Information for Audit Collection from Oracle Active Data Guard.

General Usage Notes

To start the trail, the agent process that manages the trail must also be running. If the collection process connects to the target, the target must be up and running. When multiple plug-ins can process audit data from a target, use the optional USING PLUGIN directive to disambiguate the collection process.

A trail starts in the START_REQUESTED state and transitions to a starting state, followed by a running state. If there is no outstanding audit data to process from the given trail, the collection process switches to an idle state. The current state can be viewed using the LIST TRAIL command.

If a trail must be authenticated, the Audit Vault Server uses the credentials provided in the AUTHENTICATED BY argument of the REGISTER SECURED TARGET command.

After you run the START COLLECTION command, the Audit Vault Server begins to collect audit data from the configured targets. If you want to stop the collection, then run the STOP COLLECTION command.

Windows Systems Usage Notes

On Windows systems, enter directory and file name locations in either double-quoted strings or as a nonquoted string using forward slashes. For example:

... FROM DIRECTORY "c:\app\oracle\product\11.1\av";

... FROM DIRECTORY c:/app/oracle/product/11.1/av;

General Examples

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM
   directory /opt/audit_trail;

Audit data collection from trail /opt/audit_trail for target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM TABLE sys.aud$;

Audit data collection from table trail sys.aud$ for target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM syslog
   /usr/syslog/syslog*;

Collecting syslog trail /usr/syslog/syslog* for target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM event
  log application;

Collecting application event log trail for target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo FROM transaction log /extract;

Collecting transaction log data from trail location /extract for target sample_source starts.

avcli> START COLLECTION FOR SECURED TARGET sample_source USING HOST foo
  FROM TABLE sys.aud$ USING PLUGIN com.sample_plugin;

Audit data collection from table trail sys.aud$ for the target sample_source, using the com.sample_plugin plug-in, starts.

avcli> START COLLECTION FOR SECURED TARGET mysource USING HOST foo FROM TABLE unified_audit_trail WITH CONNECTION failover_connection;

Starts collecting audit data from table trail unified_audit_trail for target mysource using failover connection specified during target registration. This is applicable only for Oracle Database having Active Data Guard with Unified Auditing starting with Oracle AVDF release 20.7.

avcli> START COLLECTION FOR SECURED TARGET mysource USING HOST foo FROM TABLE unified_audit_trail WITH CONNECTION av.target.connection.<name>;

Starts collecting audit data from table trail unified_audit_trail for target mysource using the connection name in the format av.target.connection.<name> specified during target registration. This is applicable only for Oracle Database having Active Data Guard with Unified Auditing starting with Oracle AVDF release 20.7.
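The following added example (not part of the Oracle reference) assembles START COLLECTION, STOP COLLECTION and DROP TRAIL statements and checks the constraints this section and the DROP TRAIL section state: the seven location forms, the Windows rule that backslash paths must be double-quoted (or written with forward slashes), the absence of USING PLUGIN on DROP TRAIL, and that WITH CONNECTION is used only for Oracle Active Data Guard with Unified Auditing and names either failover_connection or av.target.connection.<name>. The character class allowed in <name> and the adg_unified_auditing flag are assumptions introduced here.

```python
import re

# Location keywords from the "location" argument list, mapped to whether a value follows.
LOCATION_KINDS = {
    "DIRECTORY": True,
    "TABLE": True,
    "SYSLOG": True,          # "SYSLOG DEFAULT" or "SYSLOG <filename / file mask>"
    "NETWORK": False,
    "EVENT LOG": True,
    "TRANSACTION LOG": True,
    "CUSTOM": True,
}

# Accepted WITH CONNECTION names. The character class for <name> is an assumption.
CONNECTION_NAME_RE = re.compile(r"^(failover_connection|av\.target\.connection\.[A-Za-z0-9_]+)$")

VERBS = {
    "start": "START COLLECTION FOR SECURED TARGET",
    "stop": "STOP COLLECTION FOR SECURED TARGET",
    "drop": "DROP TRAIL FOR SECURED TARGET",
}


def quote_path(value):
    """Apply the Windows rule: a backslash path (or one with spaces) is double-quoted;
    forward-slash and POSIX paths are passed through unquoted."""
    if "\\" in value or " " in value:
        return '"' + value + '"'
    return value


def format_location(kind, value=None):
    """Render the FROM clause body for one of the documented location kinds."""
    kind = kind.upper()
    if kind not in LOCATION_KINDS:
        raise ValueError(f"unknown location kind {kind!r}")
    if not LOCATION_KINDS[kind]:
        if value is not None:
            raise ValueError(f"{kind} takes no value")
        return kind
    if value is None:
        raise ValueError(f"{kind} requires a value")
    if kind == "SYSLOG" and value.upper() == "DEFAULT":
        return "SYSLOG DEFAULT"
    return f"{kind} {quote_path(value)}"


def build_trail_command(action, target, host, kind, value=None, plugin_id=None,
                        connection_name=None, adg_unified_auditing=False):
    """Build a START/STOP COLLECTION or DROP TRAIL statement, terminated with ';'.

    adg_unified_auditing is a caller-supplied flag (an assumption of this example)
    recording that the target is Oracle Database with Active Data Guard and
    Unified Auditing, the only case in which WITH CONNECTION is documented.
    """
    if action not in VERBS:
        raise ValueError(f"action must be one of {sorted(VERBS)}")
    parts = [VERBS[action], target, "USING HOST", host, "FROM", format_location(kind, value)]
    if plugin_id is not None:
        # Only START and STOP COLLECTION document a USING PLUGIN clause.
        if action == "drop":
            raise ValueError("DROP TRAIL FOR SECURED TARGET has no USING PLUGIN clause")
        parts += ["USING PLUGIN", plugin_id]
    if connection_name is not None:
        if not adg_unified_auditing:
            raise ValueError("WITH CONNECTION is only for Oracle Active Data Guard "
                             "with Unified Auditing (Oracle AVDF 20.7 and later)")
        if not CONNECTION_NAME_RE.match(connection_name):
            raise ValueError(f"connection name {connection_name!r} is neither "
                             "failover_connection nor av.target.connection.<name>")
        parts += ["WITH CONNECTION", connection_name]
    return " ".join(parts) + ";"


if __name__ == "__main__":
    # Constructed inputs mirroring the page's examples.
    print(build_trail_command("start", "sample_source", "foo", "DIRECTORY", "/opt/audit_trail"))
    print(build_trail_command("stop", "hr_db2_db", "db2server", "DIRECTORY", r"d:\temp\trace"))
    print(build_trail_command("drop", "mysource", "foo", "TABLE", "unified_audit_trail",
                              connection_name="failover_connection", adg_unified_auditing=True))
```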

Oracle Database Target Usage Notes

Audit Trail Settings

For the operating system type of audit trail, use the following settings:

Type of Audit Trail          trail_type Setting   audit_trail Setting
Operating system directory   DIRECTORY            directory_location
Syslog file                  SYSLOG               file_name
Windows event log            EVENTLOG             N/A

SQL Server Target Usage Notes

Audit Trail Settings

You can write the SQL Server audit trail to the Windows event log, C2 trace files, or server-side trace files. The FROM trail_type audit_trail arguments are as follows:

Type of Audit Trail        trail_type Setting   audit_trail Setting
Windows event log          EVENTLOG             N/A
C2 trace file              DIRECTORY            file_wildcard
Server-side trace files    DIRECTORY            file_wildcard
SQLAUDIT files             DIRECTORY            file_wildcard

Best Practice:

The user must have admin privileges to access the security event log collector system. The user can choose one of the following properties for the maximum event log size.

Event Log Property          To Accomplish
Overwrite event as needed   Deletes the oldest event first. Events are cleared automatically.
Do not overwrite events     Avoids overwriting existing events. In this case the user must clear the event log manually.

Sybase ASE Target Usage Notes and Examples

For the Sybase ASE audit trail, set the trail_type audit_trail setting to TABLE SYSAUDITS.

Sybase ASE Example

avcli> START COLLECTION FOR SECURED TARGET hr_syb_db USING HOST sybserver 
FROM TABLE SYSAUDITS;

MySQL Usage Notes

The trail location is the path to the directory where converted XML files are created by running the MySQL XML transformation utility.

IBM DB2 Usage Notes and Examples

For the IBM DB2 audit trail, set the trail_type audit_trail setting to DIRECTORY directory_location.

IBM DB2 Example

avcli> START COLLECTION FOR SECURED TARGET hr_db2_db USING HOST db2server
FROM DIRECTORY "d:\temp\trace";

Oracle Solaris Target Usage Notes

For an Oracle Solaris target, the trail location used in this command must be in the format:

hostname:path_to_trail

where hostname matches the hostname in the audit log names, which look like this:

timestamp1.timestamp2.hostname

Windows Target Usage Notes

For a Windows target, the event log audit trail type collects data from the Windows Security Event Log. The trail location used in this command must be security.

Best Practice:

The user must have admin privileges to access the security event log collector system. The user can choose one of the following properties for the maximum event log size.

Event Log Property          To Accomplish
Overwrite event as needed   Deletes the oldest event first. Events are cleared automatically.
Do not overwrite events     Avoids overwriting existing events. In this case the user must clear the event log manually.

Active Directory Target Usage Notes

For Active Directory target, the event log audit trail type collects data from the security and directory service. The trail location used in this command must be security or directory service.

Best Practice:

It is recommended to select Overwrite event as needed (Oldest event first) or Do not overwrite events.

Event Log Property (when the maximum event log size is reached)   To Accomplish
Overwrite event as needed                                        Deletes the oldest event first. Events are cleared automatically.
Do not overwrite events                                          Avoids overwriting existing events. In this case the user must clear the event log manually.

A.7.5 Create Audit Trail for a Secured Target

Learn how to create and start an audit trail.

To create a new audit trail, use the command syntax mentioned in START COLLECTION FOR SECURED TARGET. In case the audit trail does not already exist, then it is created and started.

A.7.6 STOP COLLECTION FOR SECURED TARGET

Use the STOP COLLECTION FOR SECURED TARGET command to stop audit trail collections.

The STOP COLLECTION FOR SECURED TARGET command stops the audit trail collection.

Syntax

STOP COLLECTION FOR SECURED TARGET secured_target_name USING HOST hostname FROM location
   [USING PLUGIN plugin_id] [WITH CONNECTION <connection_name>]

Arguments

Argument Description

secured_target_name

The name of the target for the trail collection you want to stop.

hostname

The name of the host where the target agent resides.

location

The location is one of the following:

  • DIRECTORY directory name / mask

  • TABLE tablename

  • SYSLOG DEFAULT | filename / file mask

  • NETWORK

  • EVENT LOG eventlog name

  • TRANSACTION LOG directory name / mask

  • CUSTOM name

plugin_id

The collection plug-in id being used. Required if there is more than one possible plug-in. Optional if there is only one plug-in.

connection_name

Optional. The connection name.

For Oracle Database with Active Data Guard and Unified Auditing, a trail can connect to the current primary database through the failover connection string, or to an individual database in the Active Data Guard configuration through the connection name given in the WITH CONNECTION directive.

Use the WITH CONNECTION directive only for Oracle Database with Active Data Guard and Unified Auditing, starting with Oracle AVDF release 20.7.

Do not use the WITH CONNECTION directive for non-Active Data Guard databases.

Do not use the WITH CONNECTION directive for Active Data Guard databases with Traditional Auditing.

The connection name is either failover_connection or the audit collection attribute name, in the format av.target.connection.<name>, specified during target creation. For additional information, refer to Additional Information for Audit Collection from Oracle Active Data Guard.

General Usage Notes

Because the command is sent to the trail directly, the agent process does not need to be running. When multiple plug-ins process audit data from a target, use the optional USING PLUGIN directive to disambiguate the process.

A trail will be in a STOP_REQUESTED state when stopped and transitions to a stopping state, followed by a stopped state.

Windows Systems Usage Notes

On Windows systems, enter directory and file name locations in either double-quoted strings or as a nonquoted string using forward slashes. For example:

... FROM DIRECTORY "c:\app\oracle\product\11.1\av";

... FROM DIRECTORY c:/app/oracle/product/11.1/av;

General Examples

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM directory /opt/audit_trail;

Audit data collection from trail /opt/audit_trail for target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM TABLE sys.aud$;

Audit data collection from table trail sys.aud$ for target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM syslog
  /usr/syslog/syslog*;

Collecting syslog trail /usr/syslog/syslog* for target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM event log application;

Collecting application event log trail for target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM transaction log /extract;

Collecting transaction log data from trail location /extract for target sample_source stops.

avcli> STOP COLLECTION FOR SECURED TARGET sample_source USING HOST sample_host FROM TABLE sys.aud$ USING PLUGIN com.sample_plugin;

Audit data collection from table sys.aud$ for the target sample_source, using the com.sample_plugin plug-in, stops.

avcli> STOP COLLECTION FOR SECURED TARGET mysource USING HOST foo FROM TABLE unified_audit_trail WITH CONNECTION failover_connection;

Stops collecting audit data from table trail unified_audit_trail for target mysource using failover connection specified during target registration. This is applicable only for Oracle Database having Active Data Guard with Unified Auditing starting with Oracle AVDF release 20.7.

avcli> STOP COLLECTION FOR SECURED TARGET mysource USING HOST foo FROM TABLE unified_audit_trail WITH CONNECTION av.target.connection.<name>;

Stops collecting audit data from table trail unified_audit_trail for target mysource using the connection name in the format av.target.connection.<name> specified during target registration. This is applicable only for Oracle Database having Active Data Guard with Unified Auditing starting with Oracle AVDF release 20.7.

Oracle Database Usage Notes and Examples

Audit Trail Settings

For the operating system type of audit trail, use the following settings:

Oracle Database Examples

Operating system directory example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM DIRECTORY $ORACLE_HOME/logs;

Operating system syslog file example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM SYSLOG /etc/syslog.conf;

Operating system Windows event log example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com 
FROM EVENTLOG;

Database audit trail example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com
FROM TABLE sys.aud$;

TRANSACTION LOG example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST hrdb.example.com FROM TRANSACTION LOG /extract;

SQL Server Usage Notes and Example

The SQL Server audit trail can be in the Windows event log, C2 trace files, or server-side trace files. The FROM trail_type audit_trail arguments are as follows:

Type of Audit Trail        trail_type Setting   audit_trail Setting
Windows event log          EVENTLOG             n/a
C2 trace file              C2TRACE              file_wildcard
Server-side trace files    SERVERSIDETRACE      file_wildcard

SQL Server Examples

Windows event log example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST mssqlserver 
FROM EVENTLOG;

C2 trace example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST mssqlserver 
FROM DIRECTORY "c:\SQLAuditFile*.trc";

Server-side trace example:

avcli> STOP COLLECTION FOR SECURED TARGET hr_sql_db USING HOST mssqlserver 
FROM DIRECTORY "c:\SQLAuditFile*.trc";

Sybase ASE Usage Notes and Example

For the Sybase ASE audit trail, set the trail_type audit_trail setting to TABLE SYSAUDITS.

Sybase ASE Example

avcli> STOP COLLECTION FOR SECURED TARGET hr_syb_db USING HOST sybserver 
FROM TABLE SYSAUDITS;

MySQL Usage Notes

The trail location is the path to the directory where converted XML files are created by running the MySQL XML transformation utility.

IBM DB2 Usage Notes and Example

For the IBM DB2 audit trail, set the trail_type audit_trail setting to DIRECTORY directory_location.

IBM DB2 Example

avcli> STOP COLLECTION FOR SECURED TARGET hr_db2_db USING HOST db2server
FROM DIRECTORY "d:\temp\trace";

Oracle Solaris Usage Notes

For Oracle Solaris, the trail location must be in the format:

hostname:path_to_trail

where hostname matches the hostname in the audit log names, which look like this:

timestamp1.timestamp2.hostname

Windows Target Usage Notes

For a Windows target, the event log audit trail type collects data from the Windows Security Event Log. The trail location used in this command must be security.

A.8 SMTP Connection AVCLI Commands

The AVCLI SMTP commands enable you to manage SMTP email notifications for Audit Vault Server reports and alerts.

A.8.1 About the SMTP Connection AVCLI Commands

The AVCLI SMTP connection commands enable you to perform tasks such as registering and modifying SMTP connections.

A.8.2 ALTER SMTP SERVER

Use the ALTER SMTP SERVER command to modify SMTP server configurations and states.

The ALTER SMTP SERVER command modifies the SMTP server configuration and state.

Syntax

ALTER SMTP SERVER [AT host:[port]] [SENDER ID sender_id]
  [SENDER EMAIL sender_email] [AUTHENTICATED BY username]

Arguments

Argument Description

host:[port]

The name, and optionally, the outgoing port number of the SMTP server. The port defaults to 25.

sender_id

The sender ID, which appears as the display name in the From header of the email that Audit Vault Server generates (for example, do-not-reply).

sender_email

The sender's email address, in Request For Comments (RFC) 822 format. Generated email is sent from sender_id <sender_email>.

username

Optional. The user name that Audit Vault Server uses to authenticate to the SMTP server.

If the SMTP server runs in authenticated mode and requires a valid user name and password before it accepts mail, use the AUTHENTICATED BY clause to supply them. Audit Vault Server prompts for the password. The combined form AUTHENTICATED BY username/password is accepted from file input through an .av file; because such a file holds the password in clear text, restrict its permissions and remove it after use.

Usage Notes

  • After you complete the SMTP server configuration, it is enabled and ready to use.

  • If the SMTP server is a secure server, then run the ALTER SMTP SERVER SECURE MODE ON command after you run REGISTER SMTP SERVER.

  • To test the configuration, run the TEST SMTP SERVER command.

  • If you omit an argument, then Audit Vault Server uses the previously configured setting.

Example

avcli> ALTER SMTP SERVER AT new_sample_host:465;

The host and port configuration information of the SMTP server is changed.

avcli> ALTER SMTP SERVER SENDER ID new-do-not-reply;

The sender ID configuration information of the SMTP server is changed.

avcli> ALTER SMTP SERVER AT new_sample_host:465 sender id new-do-not-reply;

The host and port as well as the sender ID of the SMTP server are changed.

A.8.3 ALTER SMTP SERVER DISABLE

Use the ALTER SMTP SERVER DISABLE command to disable SMTP server configurations.

The ALTER SMTP SERVER DISABLE command disables the SMTP server configuration.

Syntax

ALTER SMTP SERVER DISABLE

Usage Notes

  • After you disable the configuration, Audit Vault Server preserves the most recent configuration. So, when you re-enable the configuration, this configuration is made active again.

  • To find details about the most recent service configuration, see "LIST ATTRIBUTE OF SMTP SERVER".

  • This command may be useful when the SMTP Server is down for system maintenance.

Example

avcli> ALTER SMTP SERVER DISABLE;

SMTP integration is disabled.

Disables the integration between the Audit Vault Server and the SMTP server.

A.8.4 ALTER SMTP SERVER ENABLE

Use the ALTER SMTP SERVER ENABLE command to enable SMTP server configurations for servers that you have registered with the REGISTER SMTP SERVER command or that you modified with the ALTER SMTP SERVER command.

The ALTER SMTP SERVER ENABLE command enables SMTP server configurations for servers registered with the REGISTER SMTP SERVER command or modified with the ALTER SMTP SERVER command.

Syntax

ALTER SMTP SERVER ENABLE

Usage Notes

  • When you enable the configuration, Audit Vault Server uses the configuration that was in place when you last disabled the SMTP configuration.

  • To find details about the most recent service configuration, see "LIST ATTRIBUTE OF SMTP SERVER".

Example

avcli> ALTER SMTP SERVER ENABLE;

SMTP integration is enabled.

Enables the integration between the Audit Vault and SMTP server.

A.8.5 ALTER SMTP SERVER SECURE MODE OFF

Use the ALTER SMTP SERVER SECURE MODE OFF command to disable the secure mode in secure SMTP servers.

The ALTER SMTP SERVER SECURE MODE OFF command disables secure mode in an existing secure SMTP server.

Syntax

ALTER SMTP SERVER SECURE MODE OFF

Usage Notes

Run this command after you run either the REGISTER SMTP SERVER or ALTER SMTP SERVER command.

Example

avcli> ALTER SMTP SERVER SECURE MODE OFF;

Updated SMTP server configuration to not use secure protocol.

Sets the SMTP server registered with Oracle Audit Vault Server to non-secure mode.

A.8.6 ALTER SMTP SERVER SECURE MODE ON

Use the ALTER SMTP SERVER SECURE MODE ON command to enable SMTP server configurations and specify the secure protocol mode that is in use.

The ALTER SMTP SERVER SECURE MODE ON command enables the SMTP server configuration and specifies the secure protocol mode used.

Syntax

ALTER SMTP SERVER SECURE MODE ON PROTOCOL [SSL | TLS ] [TRUSTSTORE location]

Arguments

Argument Description

PROTOCOL

Optional: One of the following types of protocol:

  • SSL: Secure Sockets Layer (default)

  • TLS: Transport Layer Security

location

The path to the truststore file used to validate the server certificates. Optional.

Usage Notes

Run this command after you run either the REGISTER SMTP SERVER or ALTER SMTP SERVER command.

Only run this command if the SMTP server that you are configuring is a secure server.

Supply a TRUSTSTORE that contains the CA certificate for the SMTP server, so that the certificate the server presents is validated against a CA you trust each time Audit Vault Server connects.

Examples

avcli> ALTER SMTP SERVER SECURE MODE ON PROTOCOL ssl TRUSTSTORE /sample_tstore;

This command acknowledges that the SMTP server registered with Oracle Audit Vault Server is in secure mode, that is, supports SSL or TLS, and uses the file /sample_tstore to validate the certificate obtained from the SMTP server during each connection.

avcli> ALTER SMTP SERVER SECURE MODE ON PROTOCOL tls TRUSTSTORE /sample_tstore;

This example sets TLS protocol instead of SSL.

A.8.7 DROP SMTP SERVER

Use the DROP SMTP SERVER command to unregister the SMTP server that is registered with Oracle Audit Vault Server and remove associated configuration metadata.

The DROP SMTP SERVER command unregisters the SMTP Server registered with the Audit Vault Server and removes any associated configuration metadata.

Syntax

DROP SMTP SERVER

Example

avcli> DROP SMTP SERVER;

SMTP server unregistered successfully.

The SMTP Server is unregistered and any associated configuration metadata is removed.

A.8.8 LIST ATTRIBUTE OF SMTP SERVER

Use the LIST ATTRIBUTE OF SMTP SERVER command to display the current SMTP configuration details that Oracle Audit Vault Server uses.

The LIST ATTRIBUTE OF SMTP SERVER command displays the current SMTP configuration details used by Audit Vault Server.

Syntax

LIST ATTRIBUTE OF SMTP SERVER

Usage Notes

To reconfigure the SMTP service connection, run the ALTER SMTP SERVER command.

Example

avcli> LIST ATTRIBUTE OF SMTP SERVER;

The configuration data/attributes for the SMTP server appear.

A.8.9 REGISTER SMTP SERVER

Use the REGISTER SMTP SERVER command to register SMTP server configurations with Audit Vault Server.

The REGISTER SMTP SERVER command registers the SMTP server configuration with the Audit Vault Server.

Syntax

REGISTER SMTP SERVER AT host:[port] SENDER ID sender_id SENDER EMAIL sender_email 
[AUTHENTICATED BY username]

Arguments

Argument Description

host:[port]

The name, and optionally, the outgoing port number of the SMTP server. The port defaults to 25, if unspecified.

sender_id

The sender ID, which appears as the display name in the From header of the email that Audit Vault Server generates (for example, do-not-reply).

sender_email

The sender's email address, in Request For Comments (RFC) 822 format. Generated email is sent from sender_id <sender_email>.

username

Optional. The user name that Audit Vault Server uses to authenticate to the SMTP server.

If the SMTP server runs in authenticated mode and requires a valid user name and password before it accepts mail, use the AUTHENTICATED BY clause to supply them.

Audit Vault Server prompts for the password. The combined form AUTHENTICATED BY username/password is accepted from file input through an .av file; because such a file holds the password in clear text, restrict its permissions and remove it after use.

Usage Notes

  • Right after you create the SMTP server configuration, it is enabled and ready to use.

  • If the SMTP server is a secure server, then run the ALTER SMTP SERVER SECURE MODE ON command after you run REGISTER SMTP SERVER.

  • To test the configuration, run the TEST SMTP SERVER command.

  • This command associates the sender id and sender email with this configuration data so that all generated emails are sent with this sender id and sender email.

Examples

avcli> REGISTER SMTP SERVER AT sample_mail.example.com sender id "do-not-reply";

For an SMTP server running in non-authentication mode at sample_mail.example.com, all email is generated and sent from the address: do-not-reply<donotreply@example.com>.

avcli> REGISTER SMTP SERVER AT sample_mail.example.com:455 SENDER ID av-alerts SENDER
  EMAIL avalerts@example.com AUTHENTICATED BY smtpuser;

For an SMTP server running in authentication mode at sample_mail.example.com, port 455, all email is generated and sent from the address av-alerts<avalerts@example.com>. The user name smtpuser is used to connect to this server to send email; AVCLI prompts for the password at the next step.

A.8.10 TEST SMTP SERVER

Use the TEST SMTP SERVER command to test the SMTP integration with Oracle Audit Vault Server by sending a test email.

The TEST SMTP SERVER command tests SMTP integration with the Audit Vault Server by sending a test email.

Syntax

TEST SMTP SERVER SEND EMAIL TO email_address 

Arguments

Argument Description

email_address

Recipient of the test email notification

Usage Notes

  • If the test fails, then check the configuration by running the LIST ATTRIBUTE OF SMTP SERVER command.

  • You can recreate the configuration by running the ALTER SMTP SERVER command.

  • If there are no errors, a test email appears in the mail box of the user specified by the e-mail address argument.

  • You can provide a list of comma-separated email addresses to this command.

  • An SMTP server must first be registered with the Audit Vault Server before this command can be used.

Example

avcli> TEST SMTP SERVER SEND EMAIL TO me@example.com;

To test the SMTP integration, a test email is sent to the email address, me@example.com.

avcli> TEST SMTP SERVER SEND EMAIL TO abc@example1.com,xyz@example2.com;

To test the SMTP integration, a test email is sent to the email address list, abc@example1.com,xyz@example2.com.
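The usage notes for REGISTER SMTP SERVER, ALTER SMTP SERVER SECURE MODE ON and TEST SMTP SERVER describe one procedure: register, switch on secure mode, then send a test message. The following Python script is an added example, not code from Oracle AVDF or from this reference; it writes those three statements to an .av script file, which is the only input form that accepts AUTHENTICATED BY username/password, and creates the file with owner-only permissions because the password sits in it in clear text. The host names, the truststore path and the assumption that the file is run with AVCLI's script-file option (avcli -f, described in the AVCLI usage chapter) are the example's own.

```python
"""Generate an AVCLI script that registers, secures and tests an SMTP server.

Added example; not code from Oracle AVDF or this reference. It writes the
three statements the usage notes above prescribe (REGISTER SMTP SERVER, then
ALTER SMTP SERVER SECURE MODE ON, then TEST SMTP SERVER) to an .av file that
only its owner can read, because the AUTHENTICATED BY username/password form,
which is only accepted from file input, puts the SMTP password in the file.
Assumed: the file is fed to AVCLI with its script-file option (avcli -f).
"""
import os
import re
import stat

# Loose RFC 822 addr-spec check: local@domain with no spaces or angle brackets.
_ADDR_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")


def smtp_setup_statements(host, port, sender_id, sender_email,
                          username=None, password=None,
                          protocol="TLS", truststore=None,
                          test_recipients=()):
    """Return the AVCLI statements for the SMTP procedure, in the order the
    usage notes require. Each statement ends with ';' as AVCLI demands."""
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not _ADDR_RE.match(sender_email):
        raise ValueError(f"sender_email is not an RFC 822 address: {sender_email}")
    if protocol.upper() not in ("SSL", "TLS"):
        raise ValueError("protocol must be SSL or TLS")
    if (username is None) != (password is None):
        raise ValueError("username and password must be supplied together")
    bad = [r for r in test_recipients if not _ADDR_RE.match(r)]
    if bad:
        raise ValueError(f"invalid test recipient(s): {bad}")

    statements = []
    register = (f"REGISTER SMTP SERVER AT {host}:{port} "
                f"SENDER ID {sender_id} SENDER EMAIL {sender_email}")
    if username is not None:
        # username/password on one line is accepted only from an .av file;
        # interactively AVCLI would prompt for the password instead.
        register += f" AUTHENTICATED BY {username}/{password}"
    statements.append(register + ";")

    # SECURE MODE ON runs after REGISTER, and only for a secure SMTP server.
    secure = f"ALTER SMTP SERVER SECURE MODE ON PROTOCOL {protocol.upper()}"
    if truststore:
        secure += f" TRUSTSTORE {truststore}"
    statements.append(secure + ";")

    if test_recipients:
        statements.append("TEST SMTP SERVER SEND EMAIL TO "
                          + ",".join(test_recipients) + ";")
    return statements


def write_av_script(path, statements):
    """Write the statements to `path` with mode 0600 (owner read/write only)
    and return the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("\n".join(statements) + "\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # defeat a permissive umask
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # The password comes from the environment rather than the command line, so
    # it does not appear in shell history or process listings. Names assumed.
    stmts = smtp_setup_statements(
        "mail.example.com", 587, "av-alerts", "avalerts@example.com",
        username="smtpuser", password=os.environ.get("SMTP_PASSWORD") or None,
        protocol="TLS", truststore="/sample_tstore",
        test_recipients=["me@example.com"])
    print("wrote smtp_setup.av with mode %o" % write_av_script("smtp_setup.av", stmts))
```

Run the generated file once, then delete it; the registration itself persists in Audit Vault Server, and LIST ATTRIBUTE OF SMTP SERVER shows the result without exposing the password.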

A.9 Security Management AVCLI Commands

The AVCLI security management commands enable you to manage various administrator and super administrator privileges.

A.9.1 About the Security Management AVCLI Commands

The security management AVCLI commands enable you to perform tasks such as granting and revoking administrator, auditor and target access privileges, and managing repository encryption.

A.9.2 ALTER DATA ENCRYPTION

Use the ALTER DATA ENCRYPTION command to change Transparent Data Encryption (TDE) configuration to rekey or to reset the repository encryption password.

The ALTER DATA ENCRYPTION command enables super administrators to change the Transparent Data Encryption (TDE) configuration in an Oracle Audit Vault Server repository. A super administrator can use this command to rekey the master encryption key, or to reset the repository encryption (wallet) password.

Syntax

ALTER DATA ENCRYPTION REKEY

ALTER DATA ENCRYPTION CHANGE WALLET PASSWORD

Examples

avcli> ALTER DATA ENCRYPTION REKEY;

This command rekeys the master encryption key for the Audit Vault Server repository.

avcli> ALTER DATA ENCRYPTION CHANGE WALLET PASSWORD;

This command prompts you to change the repository encryption (wallet) password.

A.9.3 ALTER USER

Use the ALTER USER command to unlock user accounts.

The ALTER USER command unlocks a user account. Only super administrators can run this command.

Syntax:

ALTER USER username ACCOUNT UNLOCK

Example:

avcli> ALTER USER scott ACCOUNT UNLOCK;

The account for user scott is unlocked.

Note:

To unlock super administrator or super auditor, follow these steps:

  1. Connect to the Audit Vault Server as root user.
  2. Switch user to dvaccountmgr: su dvaccountmgr
  3. Run sqlplus /.
  4. Run the command: ALTER USER <super administrator/auditor username> ACCOUNT UNLOCK;

A.9.4 GRANT ACCESS

Use the GRANT ACCESS command to grant access to target names or target group names for specified users.

The GRANT ACCESS command grants access to a target name or target group name to a specified user.

Syntax

GRANT ACCESS ON SECURED TARGET secured_target_name TO username

GRANT ACCESS ON SECURED TARGET GROUP secured_target_group_name TO username

Arguments

Argument Description

username

The specified user.

secured_target_name

The name of the target.

secured_target_group_name

The name of the target group.

Example

avcli> GRANT ACCESS ON SECURED TARGET sample_source TO scott;

User scott granted access to target sample_source.

avcli> GRANT ACCESS ON SECURED TARGET GROUP hr_db_group TO hr;

User hr granted access to group of targets specified by the group hr_db_group.

A.9.5 GRANT ADMIN

Use the GRANT ADMIN command to grant administrator privileges to specified users.

The GRANT ADMIN command grants administrator privileges to the specified user.

Syntax

GRANT ADMIN TO username

Arguments

Argument Description

username

The specified user.

Example

avcli> GRANT ADMIN TO scott;

Administrator privileges granted to user scott.

A.9.6 GRANT AUDITOR

Use the GRANT AUDITOR command to grant auditor privileges to the specified user.

The GRANT AUDITOR command grants auditor privileges to the specified user.

Note:

This command is available starting Oracle AVDF release 20.4.

Syntax

GRANT AUDITOR TO <username>

Arguments

Argument Description

username

The specified user.

Example

avcli> GRANT AUDITOR TO scott;

Auditor privileges granted to user scott.

A.9.7 GRANT SUPERADMIN

Use the GRANT SUPERADMIN command to grant super administrator privileges to users who are specified by username.

The GRANT SUPERADMIN command grants super administrator privileges to the user specified by username.

Syntax

GRANT SUPERADMIN TO username

Arguments

Argument Description

username

The specified user.

Usage Notes

This user automatically receives regular administrator rights as well.

Example

avcli> GRANT SUPERADMIN TO scott;

Super administrator (and administrator) privileges granted to user scott.

A.9.8 GRANT SUPERAUDITOR

Use the GRANT SUPERAUDITOR command to grant super auditor privileges to a specific user.

The GRANT SUPERAUDITOR command grants super auditor privileges to the specified user.

Note:

This command is available starting Oracle AVDF release 20.4.

Syntax

GRANT SUPERAUDITOR TO <username>

Arguments

Argument Description

username

The specified user.

Usage Notes

This user automatically receives regular auditor rights as well.

Example

avcli> GRANT SUPERAUDITOR TO scott;

Super auditor (and auditor) privileges granted to user scott.

A.9.9 REVOKE ACCESS

Use the REVOKE ACCESS command to revoke access to targets or target group names for specified users.

The REVOKE ACCESS command revokes access to a target or target group name from a specified user.

Syntax

REVOKE ACCESS ON SECURED TARGET secured_target_name FROM username

REVOKE ACCESS ON SECURED TARGET GROUP secured_target_group_name FROM username

Arguments

Argument Description

username

The specified user.

secured_target_name

The name of the target.

secured_target_group_name

The name of the target group.

Example

avcli> REVOKE ACCESS ON SECURED TARGET sample_source FROM scott;

Access to target sample_source revoked from user scott.

avcli> REVOKE ACCESS ON SECURED TARGET GROUP hr_db_group FROM hr;

Access to a group of targets specified by the group hr_db_group revoked from user hr.

A.9.10 REVOKE ADMIN

Use the REVOKE ADMIN command to revoke administrator privileges from specified users.

The REVOKE ADMIN command revokes administrator privileges from the specified user.

Syntax:

REVOKE ADMIN FROM username

Arguments

Argument Description

username

The specified user.

Example:

avcli> REVOKE ADMIN FROM scott;

Administrator privileges revoked from user scott.

A.9.11 REVOKE AUDITOR

Use the REVOKE AUDITOR command to revoke auditor privileges from specified users.

The REVOKE AUDITOR command revokes auditor privileges from the specified user.

Note:

This command is available starting Oracle AVDF release 20.4.

Syntax:

REVOKE AUDITOR FROM <username>

Arguments

Argument Description

username

The specified user.

Example

avcli> REVOKE AUDITOR FROM scott;

Auditor privileges revoked from user scott.

A.9.12 REVOKE SUPERADMIN

Use the REVOKE SUPERADMIN command to revoke super administrator privileges from users who are specified by username.

The REVOKE SUPERADMIN command revokes super administrator privileges from users specified by username.

Syntax:

REVOKE SUPERADMIN FROM username

Arguments

Argument Description

username

The specified user.

Usage Notes

The user continues to retain regular administrator rights.

Example:

avcli> REVOKE SUPERADMIN FROM scott;

Super administrator privileges are revoked from user scott.

A.9.13 REVOKE SUPERAUDITOR

Use the REVOKE SUPERAUDITOR command to revoke super auditor privileges from a specific user.

The REVOKE SUPERAUDITOR command revokes super auditor privileges from a specific user.

Note:

This command is available starting Oracle AVDF release 20.4.

Syntax

REVOKE SUPERAUDITOR FROM <username>

Arguments

Argument Description

username

The specified user.

Usage Notes

The user continues to retain regular auditor rights.

Example

avcli> REVOKE SUPERAUDITOR FROM scott;

Super auditor privileges are revoked from user scott. User scott continues to be a normal auditor.
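The GRANT and REVOKE commands in this section interact: GRANT SUPERADMIN also confers ADMIN, GRANT SUPERAUDITOR also confers AUDITOR, and REVOKE SUPERADMIN or REVOKE SUPERAUDITOR leaves the regular role in place, so taking every privilege away from a super user takes two statements. The following Python script is an added example, not code from Oracle AVDF or this reference: it compares a current-state table of users with a desired-state table and emits the exact GRANT and REVOKE statements that close the gap, revoking before granting. The two tables are constructed inputs; how they are obtained from the server is outside the example, and the AUDITOR and SUPERAUDITOR commands it emits exist from release 20.4.

```python
"""Reconcile AVDF user privileges against a desired-state table and emit the
GRANT/REVOKE statements that close the gap.

Added example; not code from Oracle AVDF or this reference. It encodes the
rules stated in this section: GRANT SUPERADMIN also confers ADMIN and
GRANT SUPERAUDITOR also confers AUDITOR; REVOKE SUPERADMIN leaves ADMIN in
place and REVOKE SUPERAUDITOR leaves AUDITOR in place, so removing a super
user completely needs two REVOKE statements. The current-state and
desired-state tables are constructed inputs.
"""

# Super roles and the regular role each one implies.
IMPLIES = {"SUPERADMIN": "ADMIN", "SUPERAUDITOR": "AUDITOR"}
# Revoke super roles first so the retained base role can then be revoked too;
# grant super roles first so the implied base role is not granted twice.
ROLE_ORDER = ("SUPERADMIN", "SUPERAUDITOR", "ADMIN", "AUDITOR")


def expand(roles):
    """Normalise names and add the regular role implied by each super role."""
    out = {r.upper() for r in roles}
    for sup, base in IMPLIES.items():
        if sup in out:
            out.add(base)
    unknown = out - set(ROLE_ORDER)
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    return out


def reconcile_user(user, current, desired):
    """Return the AVCLI statements that move `user` from `current` to `desired`.
    Each state is a dict with the optional keys roles, targets and groups."""
    have_roles = expand(current.get("roles", ()))
    want_roles = expand(desired.get("roles", ()))
    have_t, want_t = set(current.get("targets", ())), set(desired.get("targets", ()))
    have_g, want_g = set(current.get("groups", ())), set(desired.get("groups", ()))
    stmts = []

    # Revocations first: least privilege is restored before anything is added.
    for role in ROLE_ORDER:
        if role in have_roles and role not in want_roles:
            stmts.append(f"REVOKE {role} FROM {user};")
    for t in sorted(have_t - want_t):
        stmts.append(f"REVOKE ACCESS ON SECURED TARGET {t} FROM {user};")
    for g in sorted(have_g - want_g):
        stmts.append(f"REVOKE ACCESS ON SECURED TARGET GROUP {g} FROM {user};")

    for role in ROLE_ORDER:
        if role in want_roles and role not in have_roles:
            stmts.append(f"GRANT {role} TO {user};")
            have_roles.add(role)
            if role in IMPLIES:          # the super grant also confers the base role
                have_roles.add(IMPLIES[role])
    for t in sorted(want_t - have_t):
        stmts.append(f"GRANT ACCESS ON SECURED TARGET {t} TO {user};")
    for g in sorted(want_g - have_g):
        stmts.append(f"GRANT ACCESS ON SECURED TARGET GROUP {g} TO {user};")
    return stmts


def reconcile(current, desired):
    """Reconcile every user named in either table; a user absent from
    `desired` loses all privileges."""
    stmts = []
    for user in sorted(set(current) | set(desired)):
        stmts += reconcile_user(user, current.get(user, {}), desired.get(user, {}))
    return stmts


if __name__ == "__main__":
    # Constructed sample state; the user names are the ones used in this section.
    current = {"scott": {"roles": ["SUPERADMIN"], "targets": ["sample_source"]},
               "hr": {"roles": ["AUDITOR"], "groups": ["hr_db_group"]}}
    desired = {"hr": {"roles": ["SUPERAUDITOR"], "groups": ["hr_db_group"]},
               "alice": {"roles": ["ADMIN"], "targets": ["sample_source"]}}
    print("\n".join(reconcile(current, desired)))
```

Because each statement ends with a semicolon, the output can be saved as an .av script and reviewed before it is run; keeping the desired-state table under version control gives a reviewable record of who holds ADMIN, SUPERADMIN and target access.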

A.9.14 SHOW DATA ENCRYPTION STATUS

Use the SHOW DATA ENCRYPTION STATUS command to show whether data encryption is enabled for Oracle Audit Vault Server repositories.

The SHOW DATA ENCRYPTION STATUS command shows whether encryption is enabled or disabled. Encryption is automatically enabled on new installations.

Syntax

SHOW DATA ENCRYPTION STATUS

Example

avcli> SHOW DATA ENCRYPTION STATUS;

This command shows the encryption status (enabled or disabled).

A.10 SAN Storage AVCLI Commands

You can manage SAN servers with SAN storage AVCLI commands.

A.10.1 About the SAN Storage AVCLI Commands

The AVCLI SAN storage commands enable you to perform tasks such as registering and altering SAN servers.

A.10.2 ALTER DISKGROUP

Use the ALTER DISKGROUP command to alter a disk group by adding or dropping disks.

The ALTER DISKGROUP command alters a disk group by adding or dropping disks from the group.

Syntax:

ALTER DISKGROUP SYSTEMDATA|EVENTDATA|RECOVERY ADD DISK disk_name 
   [ON SECONDARY]

ALTER DISKGROUP SYSTEMDATA|EVENTDATA|RECOVERY DROP DISK disk_name 
   [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Arguments

Argument Description

disk_name

Name of the disk to add or drop. When adding a disk, the disk must be available in the system, and not previously added to a disk group. To display all disks available in the system, use the command "LIST DISK".

Examples:

avcli> ALTER DISKGROUP SYSTEMDATA ADD DISK disk1;

Adds disk1 to the SYSTEMDATA disk group.

avcli> ALTER DISKGROUP RECOVERY DROP DISK disk2;

Drops disk2 from the RECOVERY disk group.

A.10.3 ALTER SAN SERVER

Use the ALTER SAN SERVER command to alter SAN servers that are registered with Audit Vault Server by logging into or logging out of a target that is available on the SAN server.

The ALTER SAN SERVER command alters a SAN server registered with the Audit Vault Server by logging in or logging out of a target available on the SAN server.

Syntax

ALTER SAN SERVER server_name LOGIN target_name ADDRESS address  [PORT port][AUTHENTICATED BY username] [ON SECONDARY]
ALTER SAN SERVER server_name LOGOUT target_name ADDRESS address  [PORT port][AUTHENTICATED BY username] [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Arguments

Argument Description

server_name

Name of the SAN server registered with the Audit Vault Server.

target_name

Name of the target on the SAN server. To get a list of targets, use the command "LIST TARGET FOR SAN SERVER".

address

IP address or hostname of the target on the SAN server

port

Optional. Default is 3260.

username

If needed, credential used to log in to the target.

The user name and password are accepted from file input through an .av file.

Example

avcli> ALTER SAN SERVER testServer1 LOGIN target1 ADDRESS sample_target.example.com   AUTHENTICATED BY username1;

Alter the SAN server testServer1 by logging into target1 at address sample_target.example.com using credentials username1. The default port number 3260 will be used.

avcli> ALTER SAN SERVER testServer2 LOGOUT target2 ADDRESS sample_target.example.com;

Alter the SAN server testServer2 by logging out of target2 at address sample_target.example.com.

A.10.4 DROP SAN SERVER

Use the DROP SAN SERVER command to drop SAN servers that are registered with Oracle Audit Vault Server.

The DROP SAN SERVER command removes a SAN server registered with the Audit Vault Server.

Syntax:

DROP SAN SERVER server_name [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Arguments

Argument Description

server_name

Name of the SAN server registered with the Audit Vault Server.

Example:

avcli> DROP SAN SERVER testServer1;

Removes SAN server testServer1 from the Audit Vault Server.

A.10.5 LIST DISK

Use the LIST DISK command to see details of disks that are available on your system.

The LIST DISK command displays details of all disks available in the system, or disks in a specific disk group.

Syntax:

LIST DISK [FOR DISKGROUP SYSTEMDATA|EVENTDATA|RECOVERY] [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Examples:

avcli> LIST DISK;

Displays the details of all disks in the system.

avcli> LIST DISK FOR DISKGROUP SYSTEMDATA;

Displays the details of the disks in the SYSTEMDATA disk group.

A.10.6 LIST DISKGROUP

Use the LIST DISKGROUP command to see the details of all disk groups in your system.

The LIST DISKGROUP command displays details of all disk groups in the Audit Vault Server.

Syntax:

LIST DISKGROUP [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Example:

avcli> LIST DISKGROUP;

Displays details for all disk groups in the system, for example, name, total space, and free space. To see details of disk in a specific disk group, use the command "LIST DISK".

A.10.7 LIST SAN SERVER

Use the LIST SAN SERVER command to display the details of SAN servers that are registered with Oracle Audit Vault Server.

The LIST SAN SERVER command displays details of SAN servers registered with Oracle Audit Vault Server.

Syntax:

LIST SAN SERVER [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Example:

avcli> LIST SAN SERVER;

Displays details of SAN servers registered in the system, for example, storage name, storage type, etc.

A.10.8 LIST TARGET FOR SAN SERVER

Use the LIST TARGET FOR SAN SERVER command to display the targets that are available on a SAN server registered with Oracle Audit Vault Server.

The LIST TARGET FOR SAN SERVER command displays details of the targets available on a specified SAN server.

Syntax:

LIST TARGET FOR SAN SERVER server_name [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Arguments

Argument Description

server_name

Name of the SAN server registered with the Audit Vault Server.

Example:

avcli> LIST TARGET FOR SAN SERVER testServer1;

Displays the details of targets available on SAN server testServer1.

A.10.9 REGISTER SAN SERVER

Use the REGISTER SAN SERVER to register SAN servers of a specified storage type with Audit Vault Server.

The REGISTER SAN SERVER command registers a SAN server with the Audit Vault Server.

Syntax

REGISTER SAN SERVER SAN_server_name OF TYPE storage_type ADDRESS address [PORT port] [METHOD discovery_method] [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Arguments

Argument Description

SAN_server_name

Name of the SAN server. Must be unique.

storage_type

Storage type. Currently, only iSCSI is supported (case-insensitive).

address

IP address of the SAN server.

port

Optional. Port number. Default is 3260.

discovery_method

Optional. Method used to discover targets. Possible values are:

SENDTARGETS [AUTHENTICATED BY <username>]
ISNS

AUTHENTICATED BY <username>/<password> is accepted from file input through .av file.

Default is SENDTARGETS.

Examples

avcli> REGISTER SAN SERVER testServer1 OF TYPE iSCSI ADDRESS 192.0.2.1;

Registers a SAN server testServer1 of storage type iSCSI at address 192.0.2.1. The default port number 3260 and the default discovery method sendtargets will be used.

avcli> REGISTER SAN SERVER testServer2 OF TYPE iSCSI ADDRESS 192.0.2.1 METHOD sendtargets AUTHENTICATED BY username2;

Registers a SAN server testServer2 of storage type iSCSI at address 192.0.2.1 using the discovery method sendtargets with the credentials of username2. AVCLI prompts for the password unless the username/password form is supplied from an .av file.

A.10.10 SHOW iSCSI INITIATOR DETAILS FOR SERVER

Use the SHOW iSCSI INITIATOR DETAILS FOR SERVER command to see the iSCSI initiator details for Oracle Audit Vault Server.

The SHOW ISCSI INITIATOR DETAILS FOR SERVER command displays iSCSI initiator details for Oracle Audit Vault Server. These initiator details are used in the SAN server configuration to allow it to connect to the Audit Vault Server.

Syntax:

SHOW ISCSI INITIATOR DETAILS FOR SERVER [ON SECONDARY]

Use the [ON SECONDARY] option in a high availability configuration to apply this command to the secondary Audit Vault Server.

Example:

avcli> SHOW ISCSI INITIATOR DETAILS FOR SERVER;

Displays the iSCSI initiator details for the Audit Vault Server.

A.11 Remote File System AVCLI Commands

Use the remote file system AVCLI commands to manage remote file systems. These commands support registering and managing connections to NFS file systems that are used as archive locations.

A.11.1 About the Remote File System AVCLI Commands

Use the remote file system AVCLI commands to configure remote file systems to work with Oracle Audit Vault and Database Firewall.

A.11.2 ALTER REMOTE FILESYSTEM

Use the ALTER REMOTE FILESYSTEM command to alter remote file systems that are registered with Oracle Audit Vault Server.

The ALTER REMOTE FILESYSTEM command alters a remote filesystem registered with Oracle Audit Vault Server.

Syntax:

ALTER REMOTE FILESYSTEM filesystem_name SET {key=value [,key=value...]}

ALTER REMOTE FILESYSTEM filesystem_name MOUNT

ALTER REMOTE FILESYSTEM filesystem_name UNMOUNT [FORCE]

Arguments

Argument Description

filesystem_name

Name of the remote filesystem

key

For an NFS remote filesystem, the key NAME is supported.

Examples:

avcli> ALTER REMOTE FILESYSTEM sample_filesystem SET NAME=newfilesystem;

Changes the name of the remote filesystem sample_filesystem to newfilesystem.

avcli> ALTER REMOTE FILESYSTEM sample_filesystem MOUNT;

Mounts the remote filesystem sample_filesystem.

avcli> ALTER REMOTE FILESYSTEM sample_filesystem UNMOUNT;

Unmounts remote filesystem sample_filesystem.

avcli> ALTER REMOTE FILESYSTEM sample_filesystem UNMOUNT FORCE;

Unmounts remote filesystem sample_filesystem and forces this operation.

A.11.3 DROP REMOTE FILESYSTEM

Use the DROP REMOTE FILESYSTEM command to drop remote file systems that are registered with Oracle Audit Vault Server.

The DROP REMOTE FILESYSTEM command drops a remote filesystem registered with the Audit Vault Server.

Syntax:

DROP REMOTE FILESYSTEM filesystem_name

Arguments

Argument Description

filesystem_name

Name of the remote filesystem.

Examples:

avcli> DROP REMOTE FILESYSTEM filesystem1;

Drops the remote filesystem filesystem1.

A.11.4 LIST EXPORT

Use the LIST EXPORT command to display the list of exports that are available on an NFS server.

The LIST EXPORT command displays the list of exports available on an NFS server.

Syntax:

LIST EXPORT OF TYPE NFS ON HOST address

Arguments

Argument Description

address

Hostname or IP address of the NFS server.

Example:

avcli> LIST EXPORT OF TYPE NFS ON HOST example_server.example.com;

Lists the exports available on the NFS server example_server.example.com.

A.11.5 LIST REMOTE FILESYSTEM

Use the LIST REMOTE FILESYSTEM command to list all of the remote file systems that are registered with Oracle Audit Vault Server.

The LIST REMOTE FILESYSTEM command lists all of the remote file systems that are registered with Oracle Audit Vault Server.

Syntax:

LIST REMOTE FILESYSTEM

Example:

avcli> LIST REMOTE FILESYSTEM;

Lists all remote filesystems registered with Oracle Audit Vault Server.

A.11.6 REGISTER REMOTE FILESYSTEM

Use the REGISTER REMOTE FILESYSTEM command to register remote file systems with Oracle Audit Vault Server.

The REGISTER REMOTE FILESYSTEM command registers a remote filesystem with the Audit Vault Server. This command currently supports registering an NFS filesystem. After registering a remote filesystem, an administrator can select it when specifying an archive location.

Syntax:

REGISTER REMOTE FILESYSTEM filesystem_name OF TYPE NFS ON HOST NFS_server_address USING EXPORT export [MOUNT]

Arguments

Argument Description

filesystem_name

A unique name for the remote filesystem

NFS_server_address

Hostname or IP address of the NFS server

export

Name of the export directory on the NFS server. This directory must be listed in the /etc/exports file of the NFS server.

Note:

  1. Log in as the Oracle user with user ID 503 to register the remote filesystem. Use the same user name on the NFS server and on the Audit Vault Server; NFS maps file ownership by numeric user ID, so the IDs must match as well.

  2. If the user ID differs on the NFS server, edit the /etc/passwd file on the NFS server and change the user ID of the Oracle user to 503.
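The two prerequisites above, an export for the directory in /etc/exports on the NFS server and a matching UID 503 for the Oracle user on both hosts, are easy to check before running REGISTER REMOTE FILESYSTEM. The following Python script is an added example, not code from Oracle AVDF or this reference. It parses /etc/exports and /etc/passwd content, confirms the export admits the Audit Vault Server and is writable (an archive location is written to), checks the UID on both sides, and flags two general NFS hygiene points that this reference does not itself state: an export open to every client ('*') and the no_root_squash option. The exports and passwd contents, host names and addresses are constructed samples.

```python
"""Pre-flight checks for an NFS export before REGISTER REMOTE FILESYSTEM.

Added example; not code from Oracle AVDF or this reference. It checks the two
prerequisites this section states, that the export directory is present in
/etc/exports on the NFS server and that the oracle user has UID 503 on both
hosts, plus two general NFS hygiene points: the export should be limited to
the Audit Vault Server rather than '*', and should not use no_root_squash.
Both input files are constructed samples, not captures from a real host.
"""
import fnmatch
import ipaddress
import re

SAMPLE_EXPORTS = """\
# /etc/exports on the NFS server (constructed sample)
/export/home1    av.example.com(rw,sync,no_subtree_check)
/export/archive  *(rw,no_root_squash)
/export/scratch  192.0.2.0/24(ro,sync)
"""
SAMPLE_PASSWD_NFS = "root:x:0:0:root:/root:/bin/bash\noracle:x:503:503::/home/oracle:/bin/bash\n"
SAMPLE_PASSWD_AVS = "root:x:0:0:root:/root:/bin/bash\noracle:x:503:503::/u01/app/oracle:/bin/bash\n"

_CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Map each exported path to a list of (client_spec, option_set)."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for spec in clients:
            m = _CLIENT_RE.match(spec)
            client = m.group(1) or "*"          # "(ro)" with no client means everyone
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((client, opts))
        exports[path] = entries
    return exports


def client_matches(client, host, ip):
    """Does an exports client spec admit the Audit Vault Server?"""
    if client == "*":
        return True
    if "/" in client:                            # CIDR network
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(client, strict=False)
        except ValueError:
            return False
    if "*" in client or "?" in client:           # hostname wildcard
        return fnmatch.fnmatch(host, client)
    return client in (host, ip)


def check_export(exports, path, av_host, av_ip):
    """Return a list of problems for the export the archive location will use."""
    problems = []
    entries = exports.get(path)
    if entries is None:
        return [f"{path} is not listed in /etc/exports"]
    admitted = [(c, o) for c, o in entries if client_matches(c, av_host, av_ip)]
    if not admitted:
        return [f"{path} is not exported to {av_host} ({av_ip})"]
    for client, opts in admitted:
        if client == "*":
            problems.append(f"{path} is exported to every client; restrict it to {av_host}")
        if "rw" not in opts:
            problems.append(f"{path} is read-only for {client}; archiving needs rw")
        if "no_root_squash" in opts:
            problems.append(f"{path} uses no_root_squash for {client}; drop it")
    return problems


def uid_of(passwd_text, user):
    """UID of `user` in /etc/passwd content, or None if absent."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] == user:
            return int(fields[2])
    return None


def check_oracle_uid(nfs_passwd, avs_passwd, user="oracle", expected=503):
    """The oracle user must exist on both hosts with the same UID (503)."""
    problems = []
    nfs_uid, avs_uid = uid_of(nfs_passwd, user), uid_of(avs_passwd, user)
    if avs_uid != expected:
        problems.append(f"{user} has UID {avs_uid} on the Audit Vault Server, expected {expected}")
    if nfs_uid is None:
        problems.append(f"{user} does not exist on the NFS server")
    elif nfs_uid != expected:
        problems.append(f"{user} has UID {nfs_uid} on the NFS server, expected {expected}; fix /etc/passwd there")
    return problems


if __name__ == "__main__":
    exports = parse_exports(SAMPLE_EXPORTS)
    for path in ("/export/home1", "/export/archive", "/export/scratch"):
        print(path, check_export(exports, path, "av.example.com", "192.0.2.10") or "ok")
    print("uid", check_oracle_uid(SAMPLE_PASSWD_NFS, SAMPLE_PASSWD_AVS) or "ok")
```

In the sample, only /export/home1 passes: /export/archive is open to every client with no_root_squash, and /export/scratch is read-only. Fix the export on the NFS server and re-run the check before registering the filesystem; LIST EXPORT OF TYPE NFS ON HOST shows what the NFS server actually advertises to the Audit Vault Server.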

Examples:

avcli> REGISTER REMOTE FILESYSTEM sample_Filesystem OF TYPE NFS ON HOST example_host.example.com USING EXPORT /export/home1;

Registers a remote NFS filesystem named sample_Filesystem on the host example_host.example.com using the export directory /export/home1. Because MOUNT is omitted, the filesystem is registered but not mounted; mount it later with ALTER REMOTE FILESYSTEM sample_Filesystem MOUNT.

avcli> REGISTER REMOTE FILESYSTEM sample_Filesystem OF TYPE NFS ON HOST example_host.example.com USING EXPORT /export/home1 MOUNT;

Registers a remote NFS filesystem named sample_Filesystem on the host example_host.example.com using the export directory /export/home1. This will also mount the registered remote filesystem.

A.11.7 SHOW STATUS OF REMOTE FILESYSTEM

Use the SHOW STATUS OF REMOTE FILESYSTEM command to show the status of remote file systems that are registered with Oracle Audit Vault Server.

The SHOW STATUS OF REMOTE FILESYSTEM command shows the status of a specified remote file system.

Syntax:

SHOW STATUS OF REMOTE FILESYSTEM filesystem_name

Arguments

Argument Description

filesystem_name

Name of the remote filesystem

Examples:

avcli> SHOW STATUS OF REMOTE FILESYSTEM filesystem1;

Shows the status of remote filesystem filesystem1.

A.12 Server Management AVCLI Commands

The server management AVCLI commands enable you to manage the server, such as checking certificates and downloading log files.

A.12.1 About the Server Management AVCLI Commands

The AVCLI server management commands manage aspects of Oracle Audit Vault and Database Firewall such as altering system settings.

A.12.2 ALTER SYSTEM SET

Use the ALTER SYSTEM SET command to modify system configuration data.

The ALTER SYSTEM SET command modifies system configuration data.

Syntax:

ALTER SYSTEM SET {attribute=value [,attribute=value...]}

Arguments

Argument Description

attribute

System attributes as key/value pairs. See Table A-7.

Usage Notes

Typically, system configuration data affects all components system-wide.

Multiple component log levels can be changed by delimiting them using the | symbol.

Modify system configuration data by altering the attributes associated with the data using key=value pairs and multiple attributes by specifying comma-separated pairs.

Log files are in the $ORACLE_HOME/av/log directory in the Audit Vault Server.

The following attributes are supported:

Table A-7 System Attributes

Parameter Description

LOGLEVEL

The log level of components running on this host.

The LOGLEVEL attribute takes a two part value, separated by a colon, as follows:

component_name:loglevel_value

See Table A-8 for component names and log level values.

Multiple components' log levels can be changed by delimiting them using the | symbol.

SYS.HEARTBEAT_INTERVAL

Sets the system heartbeat interval to a numerical value in seconds.

SYS.AUTOSTART_INTERVAL

The interval in seconds before the system will try to restart failed audit trails. Default: 1800

SYS.AUTOSTART_RETRY_COUNT

The number of times the system attempts to start failed audit trails.

Oracle AVDF release 20.1 to 20.6: 5 times (default)

Oracle AVDF release 20.7 and onwards: 20 times (default)

Table A-8 shows valid values for component_name and loglevel_value for the LOGLEVEL attribute:

Table A-8 Logging component names and values

Logging component name Values

AlertLog

Alert

AgentLog

Agent

ARLog

Archive and Retrieve

DWLog

Data Warehouse

FWLog

Database Firewall

GUIlog

Web Console UI

JfwkLog

Java Server Process

NotifyLog

Notification

PfwkLog

Plug-in Management

PolicyLog

Policy Management

ReportLog

Report Generation

SanLog

SAN Storage

TransLog

Transaction Log Trail

All

All components. Valid only with ERROR and WARNING log level values.

Table A-9 Logging level and values

Parameter Description

ERROR

The ERROR log level

WARNING

The WARNING log level (not supported for GUIlog)

INFO

The INFO log level

DEBUG

The DEBUG log level

Be aware that DEBUG generates many files and that this can affect the performance of your system. Only use it when you are trying to diagnose problems.

Examples

avcli> ALTER SYSTEM SET SYS.HEARTBEAT_INTERVAL=10;

The SYS.HEARTBEAT_INTERVAL system configuration setting changes to 10 seconds.

avcli> ALTER SYSTEM SET LOGLEVEL=JfwkLog:DEBUG|PfwkLog:INFO;

The log levels of the JfwkLog and PfwkLog components running on the system change.

avcli> ALTER SYSTEM SET SYS.AUTOSTART_INTERVAL=900;

The system will restart failed audit trails after 900 seconds.
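The LOGLEVEL value is the one place in ALTER SYSTEM SET where a typo is not caught until the command runs, and a DEBUG level left on "All" is rejected while DEBUG on a single component silently floods $ORACLE_HOME/av/log. The following POSIX shell script is an added example, not part of the AVDF documentation or of the avcli tool itself: it lints a LOGLEVEL value against Tables A-8 and A-9 (known component names, the four levels, "All" only with ERROR or WARNING, no WARNING for GUIlog) and emits the semicolon-terminated statement only when the value passes. The function names and the idea of generating an .av script for "avcli -f" are this example's own conventions.

```shell
#!/bin/sh
# Added example, not part of the AVDF documentation: lint a LOGLEVEL value for
# ALTER SYSTEM SET before it is written into an .av script and run with
# "avcli -f". The rules come from Tables A-8 and A-9: known component names,
# the four log levels, "All" only with ERROR or WARNING, and no WARNING for
# GUIlog. Entries are delimited with |, as the page states.

COMPONENTS="AlertLog AgentLog ARLog DWLog FWLog GUIlog JfwkLog NotifyLog PfwkLog PolicyLog ReportLog SanLog TransLog All"
LEVELS="ERROR WARNING INFO DEBUG"

# in_list WORD "A B C" -> 0 when WORD is one of the space-separated items
in_list() {
    for item in $2; do
        [ "$1" = "$item" ] && return 0
    done
    return 1
}

# check_entry component_name:loglevel_value -> 0 when valid; otherwise prints
# the reason on stderr and returns 1
check_entry() {
    pair=$1
    comp=${pair%%:*}
    level=${pair#*:}
    if [ "$comp" = "$pair" ] || [ -z "$comp" ] || [ -z "$level" ]; then
        echo "malformed entry '$pair' (expected component_name:loglevel_value)" >&2
        return 1
    fi
    in_list "$comp" "$COMPONENTS" || { echo "unknown component '$comp'" >&2; return 1; }
    in_list "$level" "$LEVELS"    || { echo "unknown log level '$level'" >&2; return 1; }
    if [ "$comp" = All ] && [ "$level" != ERROR ] && [ "$level" != WARNING ]; then
        echo "All is valid only with ERROR or WARNING" >&2
        return 1
    fi
    if [ "$comp" = GUIlog ] && [ "$level" = WARNING ]; then
        echo "WARNING is not supported for GUIlog" >&2
        return 1
    fi
    return 0
}

# check_loglevel "JfwkLog:DEBUG|PfwkLog:INFO" -> 0 only when every |-delimited
# entry passes check_entry; every problem is reported, not just the first
check_loglevel() {
    spec=$1
    rc=0
    old_ifs=$IFS
    IFS='|'
    set -- $spec
    IFS=$old_ifs
    [ $# -gt 0 ] || { echo "empty LOGLEVEL value" >&2; return 1; }
    for entry in "$@"; do
        check_entry "$entry" || rc=1
    done
    return $rc
}

# loglevel_statement SPEC -> prints the semicolon-terminated AVCLI statement,
# or prints nothing and returns 1 when SPEC fails validation
loglevel_statement() {
    check_loglevel "$1" || return 1
    printf 'ALTER SYSTEM SET LOGLEVEL=%s;\n' "$1"
}

# Stand-alone run: one good value and one that the server would reject
loglevel_statement "JfwkLog:DEBUG|PfwkLog:INFO"
loglevel_statement "All:DEBUG" || echo "rejected as expected"
```

Redirect the output of loglevel_statement into a file with an .av extension and run it with the -f option of avcli, as shown under "-HELP" later in this appendix; remember to set the components back to ERROR or WARNING once the diagnosis is done, because DEBUG output is large and affects performance.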

See Also:

Downloading Detailed Diagnostics Reports for Oracle Audit Vault Server for information about generating a diagnostics report that captures Audit Vault Server appliance information.

A.12.3 DOWNLOAD LOG FILE

Use the DOWNLOAD LOG FILE command to download Oracle Audit Vault Server log files for diagnostics.

The DOWNLOAD LOG FILE command downloads the diagnostics log file (as a .zip file) from the Audit Vault Server and saves it in the following directory:

AVCLI_installation_path/av/log

Syntax

DOWNLOAD LOG FILE FROM SERVER

Example

avcli> DOWNLOAD LOG FILE FROM SERVER;

The Audit Vault Server log file is downloaded.

A.12.4 SHOW CERTIFICATE

Use the SHOW CERTIFICATE command to display Oracle Audit Vault Server certificates.

The SHOW CERTIFICATE command displays the certificate for the Audit Vault Server.

Syntax

SHOW CERTIFICATE FOR SERVER

Example

avcli> SHOW CERTIFICATE FOR SERVER;

The Oracle Audit Vault Server certificate appears.

A.13 Collection Plug-In AVCLI Commands

Use the AVCLI collection plug-in commands to manage the deployment of collection plug-ins.

A.13.1 About the Collection Plug-In AVCLI Commands

Use the AVCLI collection plug-in commands to work with plug-ins, such as downloading and listing plug-ins.

A.13.2 DEPLOY PLUGIN

Use the DEPLOY PLUGIN command to deploy plug-ins into Oracle Audit Vault Server homes from a given archive file.

The DEPLOY PLUGIN command deploys a plug-in into the Audit Vault Server home from a given archive file.

Syntax

DEPLOY PLUGIN plugin archive

Arguments

Argument Description

plugin archive

The plug-in archive.

Archive files have a .zip extension and contain custom plug-ins that third-party vendors or partners develop to add functionality to Audit Vault Server.

Usage Notes

No action is required after this command.

The DEPLOY PLUGIN command updates the agent archive with the contents of this plug-in for future Agent deployments.

When a newer version of the plug-in is available, use the DEPLOY PLUGIN command to update the plug-in artifacts. Multiple plug-ins can support a single target type.

Example

avcli> DEPLOY PLUGIN /opt/avplugins/sample_plugin.zip;

Deploys the plug-in at /opt/avplugins/sample_plugin.zip into the Audit Vault Server and updates the agent archive by adding the plug-in to its contents.

A.13.3 LIST PLUGIN FOR SECURED TARGET TYPE

Use the LIST PLUGIN FOR SECURED TARGET TYPE command to list the plug-ins in an Audit Vault Server installation that support a given target type.

The LIST PLUGIN FOR SECURED TARGET TYPE command lists all the plug-ins that support a particular target type.

Syntax

LIST PLUGIN FOR SECURED TARGET TYPE secured target type name

Arguments

Argument Description

secured target type name

The name of the target type

Usage Notes

To find a list of available target types, see "LIST SECURED TARGET TYPE".

Examples

avcli> LIST PLUGINS FOR SECURED TARGET TYPE "Oracle Database";

The plug-ins that support the target type "Oracle Database" are listed.

A.13.4 UNDEPLOY PLUGIN

Use the UNDEPLOY PLUGIN command to undeploy plug-ins from Oracle Audit Vault Server homes.

The UNDEPLOY PLUGIN command deletes a plug-in from an Audit Vault Server home.

Syntax

UNDEPLOY PLUGIN plugin_id

Arguments

Argument Description

plugin_id

The ID of the plug-in that you want to undeploy.

Usage Notes

UNDEPLOY PLUGIN attempts to identify dependent plug-ins or packages prior to deleting the plug-in.

This command undeploys a plug-in specified by the plug-in ID from the Audit Vault Server. It also updates the agent archive removing this plug-in, so that it is not deployed in future agent deployments.

Examples

avcli> UNDEPLOY PLUGIN com.abc.sample_plugin;

The plug-in, com.abc.sample_plugin, is undeployed from Oracle Audit Vault Server and the agent archive is updated by removing the plug-in.

A.14 General Usage AVCLI Commands

You can find general information, such as help, from the general usage AVCLI commands.

A.14.1 About the General Usage AVCLI Commands

The AVCLI general usage commands enable you to perform tasks such as connecting to servers or identifying users.

A.14.2 CLEAR LOG

Use the CLEAR LOG command to clear a system's diagnostic logs.

The CLEAR LOG command deletes all log files in the directory $ORACLE_HOME/av/log on the Audit Vault Server.

Syntax

CLEAR LOG

Example

avcli> CLEAR LOG;

A.14.3 CONNECT

Use the CONNECT command to connect the current AVCLI user as a different user.

The CONNECT command enables you to connect as a different user in AVCLI.

Syntax

CONNECT [username]

Usage Notes

  • If you have logged in to AVCLI without specifying a username and password, then you must use the CONNECT command to connect as a valid user.

  • For additional ways to connect to AVCLI, see "Using the Audit Vault Command Line Interface".

Example 1

avcli> CONNECT psmith;
Enter password: password

Connected.

Example 2

avcli> CONNECT;
Enter user name: username
Enter password: password

Connected.

A.14.4 HELP

Use the HELP command to list the AVCLI commands with their categories.

The HELP command lists all available AVCLI commands and their categories.

Syntax

HELP

Example

avcli> HELP;

A.14.5 -HELP

Use the -HELP command to display help information for all of the AVCLI utility commands.

The -HELP command displays version number and help information about the AVCLI commands. Run the -HELP command from outside of AVCLI.

Syntax

avcli -h
avcli -H
avcli -help
avcli -HELP

Example

avcli -help:
 
[oracle@slc02vjp ~]$ avcli -help
 
 
AVCLI : Release 12.2.0.0.0 - Production on Thu Nov 8 00:53:54 UTC 2012
 
 
Copyright (c) 1996, 2015 Oracle.  All Rights Reserved.
 
 
Usage 1: avcli -{h|H} | -{v|V}
 
    -{h|H}             Displays the AVCLI version and the usage help
 
    -{v|V}             Displays the AVCLI version.
 
Usage 2: avcli [ [<option>] [<logon>] [<start>] ]
 
   <option> is: [-{l|L} <log level>]
 
    -{l|L} <log level>   Sets the log level to the level specified.
                         Supported log levels: INFO, WARNING, ERROR, DEBUG
 
   <logon> is: -{u|U} <username>
     Specifies the database account username for the database
     connection
 
   <start> is: -{f|F} <filename>.<ext>
     Runs the specified AVCLI script from the local file system
     (filename.ext). Valid AVCLI script files should have
     their file extension as '.av' (e.g. sample_script.av)
 

A.14.6 QUIT

Use the QUIT command to exit AVCLI.

The QUIT command exits AVCLI.

Syntax

QUIT

Example

avcli> QUIT;

A.14.7 SHOW USER

Use the SHOW USER command to display the currently logged in AVCLI user.

The SHOW USER command displays the currently logged in AVCLI user.

Syntax

SHOW USER

Example

avcli> SHOW USER;

A.14.8 STORE CREDENTIALS

Use the STORE CREDENTIALS command to store administrator credentials in AVCLI wallet, or to overwrite previously stored credentials.

The STORE CREDENTIALS command lets you store credentials for one Oracle Audit Vault and Database Firewall administrator in the Oracle AVCLI wallet, or update existing credentials in the wallet.

Syntax

STORE CREDENTIALS [FOR USER username]

Example 1

avcli> STORE CREDENTIALS FOR USER admin1;
Enter password: password
Re-enter password: password

Example 2

avcli> STORE CREDENTIALS;
Enter user name: admin1
Enter password: password
Re-enter password: password

A.14.9 -VERSION

Use the -VERSION command to display the AVCLI version number.

The -VERSION command displays the version number for AVCLI. Run the -VERSION command from outside of AVCLI.

Syntax

avcli -v
avcli -V
avcli -version
avcli -VERSION

Example

avcli -v

AVCLI : Release 12.2.0.0.0 - Production on Tue Apr 26 14:25:31 PDT 2011
 
Copyright (c) 2014, Oracle.  All Rights Reserved.

A.15 Retention Policy AVCLI Commands

The retention policy (Information Lifecycle Management) AVCLI commands create, list, delete, and apply retention policies.

A.15.1 APPLY RETENTION POLICY

Use the APPLY RETENTION POLICY command to apply a retention policy to a target. This can be applied only by a super auditor.

To apply a retention policy to a target.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

APPLY RETENTION POLICY <policy name> TO TARGET <target name>

This command applies a specific retention policy to a specified target.

Arguments

Argument Description

policy name

The name of the retention policy to apply.

target name

The name of specified target for which the policy needs to be applied.

Example

apply retention policy test_policy1 to target test_target1;

Applies policy test_policy1 to target test_target1.

A.15.2 CREATE RETENTION POLICY

Use the CREATE RETENTION POLICY command to create a retention (or lifecycle) policy. This can be created only by a super administrator.

To create a retention policy.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

CREATE RETENTION POLICY <policy name> ONLINE MONTHS <month number> ARCHIVED MONTHS <month number>

This command creates a retention policy with the specified name and specifies the number of online months and archived months. A policy name cannot be null, start with reserved name, or be the same as an existing policy name. Only alphanumeric, underscore (_), dollar sign ($), and pound sign (#) are allowed for the policy name.

Arguments

Argument Description

policy name

The name of the policy to be created.

month number

The number of months to be online or to be archived.

The number of months for online, must be between 1 and 9000.

The number of months to be archived, must be between 0 and 9000.

Note: If a value outside these ranges is specified for either number of months, the command returns an error.

Example

create retention policy test_policy1 online months 2 archived months 3;

Creates a retention policy with the name test_policy1 and sets 2 months online and 3 months as the archival period.

A.15.3 DELETE RETENTION POLICY

Use the DELETE RETENTION POLICY command to delete a retention policy.

To delete a retention policy.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

DELETE RETENTION POLICY <policy name>

This command deletes the specified retention policy.

Arguments

Argument Description

policy name

The name of the retention policy to be deleted.

Example

delete retention policy test_policy1;

Deletes test_policy1.

A.15.4 LIST RETENTION POLICIES

Use the LIST RETENTION POLICIES command to view all the retention policies.

To view all the retention policies.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

LIST RETENTION POLICIES

This command lists all retention policies.

Example

list retention policies;

Lists all the retention policies.

A.15.5 SHOW RETENTION POLICY FOR TARGET

Use the SHOW RETENTION POLICY FOR TARGET command to display the current retention policy defined for the specified target.

To view the lifecycle policy defined for the specified target.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

SHOW RETENTION POLICY FOR TARGET <target name>

This command displays the current retention policy for the specified target.

Arguments

Argument Description

target name

The name of specified target for which the policy needs to be viewed.

Example

show retention policy for target test_target1;

Displays the current policy for test_target1.

A.16 Alert Policy Management AVCLI Commands

The alert policy management AVCLI commands delete, disable, enable, and list alert policies.

A.16.1 DELETE ALERT POLICY

Use the DELETE ALERT POLICY command to delete an alert policy.

To delete an alert policy.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

DELETE ALERT POLICY <alert policy name>

This command deletes the alert policy with the specified name.

Arguments

Argument Description

alert policy name

The name of the alert policy to be deleted.

Example

delete alert policy test_alert1;

Deletes alert policy with the specified name test_alert1.

A.16.2 DISABLE ALERT POLICY

Use the DISABLE ALERT POLICY command to disable an alert policy.

To disable an alert policy.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

DISABLE ALERT POLICY <alert policy name>

This command disables the alert policy with the specified name.

Arguments

Argument Description

alert policy name

The name of the alert policy to be disabled.

Example

disable alert policy test_alert1;

Disables the alert policy with the name test_alert1.

A.16.3 ENABLE ALERT POLICY

Use the ENABLE ALERT POLICY command to enable an alert policy.

To enable an alert policy.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

ENABLE ALERT POLICY <alert policy name>

Arguments

Argument Description

alert policy name

The name of the alert policy to be enabled.

Example

enable alert policy test_alert1;

Enables alert policy with the name test_alert1.

A.16.4 LIST ALERT POLICIES

Use the LIST ALERT POLICIES command to list all the active alert policies.

Lists all the active alert policies.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

LIST ALERT POLICIES

This command lists all the active alert policies.

Example

list alert policies;

A.17 Unified Audit Policy AVCLI Commands

The unified audit policy AVCLI commands enable, disable, and list unified audit policies on a target.

A.17.1 DISABLE UNIFIED AUDIT POLICY

Use the DISABLE UNIFIED AUDIT POLICY command to disable a unified audit policy.

To disable a unified audit policy. This command turns off the specified unified audit policy on the target. The policy name must match the actual name of the policy.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

DISABLE UNIFIED AUDIT POLICY <policy name> ON TARGET <target name>

Arguments

Argument Description

policy name

The name of policy to be disabled.

target name

The name of the target on which the unified audit policy is to be disabled.

Examples

disable unified audit policy tp1 on target t1;

Disables the policy tp1 on t1.

A.17.2 ENABLE UNIFIED AUDIT POLICY

Use the ENABLE UNIFIED AUDIT POLICY command to enable a unified audit policy.

To enable a unified audit policy for a target. This command provisions the unified audit policy specified on the target.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

ENABLE UNIFIED AUDIT POLICY <policy name> [EXCLUDE USERS <user names>] [LIST OF USERS <user names>] ON TARGET <target name>

This command provisions the unified audit policy with the specified policy name on the specific target. The policy name must be specified with the actual name.

Arguments

Argument Description

policy name

The name of policy to be provisioned or enabled.

user names

A list of users separated by comma. This is optional.

target name

The name of the target on which the unified audit policy is to be enabled.

EXCLUDE USERS

Optional clause, applicable only to the LOGON EVENTS and USER ACTIVITY policies. The policy is enabled for all users except the comma-separated list of user names.

LIST OF USERS

Optional clause, applicable only to the LOGON EVENTS and USER ACTIVITY policies. The policy is enabled only for the comma-separated list of user names.

Examples

enable unified audit policy tp1 on target t1;

Toggles policy tp1 of target t1 to ON.

enable unified audit policy 'User Activity' list of users 'BOB,JOHN' on target t1;

Enables User Activity policy for users BOB and JOHN on target t1.

enable unified audit policy 'Logon Events' exclude users 'BOB,JOHN' on target t1;

Enables the Logon Events policy on target t1 for all users except BOB and JOHN.

Edit Unified Audit Policy

Starting Oracle AVDF 20.4, Custom and Oracle Predefined Unified policies can be enforced on users, roles, and on specific event conditions (successful, unsuccessful, or both).

Syntax

ENABLE UNIFIED AUDIT POLICY <policy name> ON TARGET <target name> [WHENEVER SUCCESSFUL | WHENEVER NOT SUCCESSFUL]
ENABLE UNIFIED AUDIT POLICY <policy name> ON TARGET <target name> FOR USERS EXCEPT <user names> [WHENEVER SUCCESSFUL] [WHENEVER NOT SUCCESSFUL]
ENABLE UNIFIED AUDIT POLICY <policy name> ON TARGET <target name> { [FOR USERS <user names> WHENEVER SUCCESSFUL] [FOR USERS <user names> WHENEVER NOT SUCCESSFUL] [FOR USERS <user names>] [FOR USERS WITH ROLES <role names> WHENEVER SUCCESSFUL] [FOR USERS WITH ROLES <role names> WHENEVER NOT SUCCESSFUL] [FOR USERS WITH ROLES <role names>]}

Arguments

Argument Description

policy name

The name of policy to be provisioned or enabled.

target name

The name of the specific target for which the unified audit policies have to be enabled.

FOR USERS EXCEPT

Optional parameter. The list of user names must be separated by comma.

FOR USERS

Optional parameter. The list of user names must be separated by comma.

FOR USERS WITH ROLES

Optional parameter. The list of roles must be separated by comma.

WHENEVER SUCCESSFUL

Optional parameter. The policy is enabled for success events.

WHENEVER NOT SUCCESSFUL

Optional parameter. The policy is enabled for fail events.

Examples

enable unified audit policy tp1 on target t1;

Toggles policy tp1 of target t1 to ON.

enable unified audit policy 'User Activity' on target t1 for users 'BOB,JOHN';

Enables the 'User Activity' policy for users BOB and JOHN on target t1.

enable unified audit policy 'Logon Events' on target t1 for users except 'BOB,JOHN';

Enables the 'Logon Events' policy on target t1 for all users except BOB and JOHN.

enable unified audit policy tp2 on target t1 for users 'SCOTT' whenever successful for users with roles 'DBA' whenever not successful;

Enables policy tp2 on target t1 for user SCOTT for successful events, and for users granted the DBA role for unsuccessful events.

enable unified audit policy tp3 on target t1 for users 'HR';

Enables policy tp3 on target t1 for user HR for both successful and failed events.

Enabling Security Technical Implementation Guidelines (STIG) Compliance

Starting with Oracle AVDF 20.5, a Security Technical Implementation Guidelines (STIG) category is available for unified audit policies. Enabling it on an Oracle Database target provisions the predefined policies that make the target STIG compliant. The STIG category is available for Oracle Database targets starting with Oracle Database 21.

Syntax

ENABLE UNIFIED AUDIT POLICY "Security Technical Implementation Guidelines (STIG)" ON TARGET <target name>;

This command enables the following predefined policies, which are available starting with Oracle Database 21.

Predefined audit policy name   Can be enabled for   Event condition
ORA_STIG_RECOMMENDATIONS       All users            Success, Failure
ORA_LOGON_LOGOFF               All users            Success, Failure
ORA_ALL_TOPLEVEL_ACTIONS       Privileged users     Success, Failure

Privileged users are the users retrieved by the user entitlement job.

If the user entitlement job has never run, the audit provisioning job first retrieves the user entitlement data to obtain the list of privileged users, and then enables the policies above on the target database.

ENABLE UNIFIED AUDIT POLICY "Security Technical Implementation Guidelines (STIG)" ON TARGET <target name> FOR USERS <user names>;

This command enables the following Oracle predefined policies, which are available starting with Oracle Database 21:

  • ORA_STIG_RECOMMENDATIONS audit policy will be enabled for all users for both successful and failed events.
  • ORA_LOGON_LOGOFF audit policy will be enabled for all users for both successful and failed events.
  • ORA_ALL_TOPLEVEL_ACTIONS will be enabled for users provided in the enable statement for both successful and failed events.

Arguments

Argument Description

target name

The name of the specific target for which the unified audit policies have to be enabled.

FOR USERS

Optional parameter. The list of user names must be separated by comma.

A.17.3 LIST UNIFIED AUDIT POLICIES

Use the LIST UNIFIED AUDIT POLICIES command to list the core, Oracle predefined, custom, or all unified audit policies of a specific target.

The output is displayed in the format |Unified Policy Name|Enabled (Yes/No)|.

Note:

This command is available starting Oracle AVDF release 20.3.

Syntax

LIST UNIFIED AUDIT CORE POLICIES FOR TARGET <target name>

This command lists all the core policies for the specified target.

LIST UNIFIED AUDIT ORACLE PREDEFINED POLICIES FOR TARGET <target name>

This command lists all the Oracle pre-defined policies for the specified target.

LIST UNIFIED AUDIT CUSTOM POLICIES FOR TARGET <target name>

This command lists all the custom policies for the specified target.

LIST UNIFIED AUDIT POLICIES FOR TARGET <target name>

This command lists all the unified policies for the specified target.

Arguments

Argument Description

target name

The name of specified target for which the unified audit policies need to be viewed.

Examples

list unified audit core policies for target tg1;

Lists all the core policies for tg1.

list unified audit oracle predefined policies for target tg1;

Lists all the Oracle pre-defined policies for tg1.

list unified audit custom policies for target tg1;

Lists all the custom policies for tg1.

list unified audit policies for target tg1;

Lists all the unified policies for tg1.
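The STIG category described above maps to three predefined policies, and the listing format |Unified Policy Name|Enabled (Yes/No)| is what an operator has to read to confirm they are on. The following POSIX shell script is an added example, not part of the AVDF documentation or of avcli: it parses a listing in that row format, reports which of the three STIG-related policies are not enabled, and emits the ENABLE UNIFIED AUDIT POLICY "Security Technical Implementation Guidelines (STIG)" statement from the STIG section (optionally with FOR USERS) as the remediation. The sample listing is constructed for the example and is not real AVCLI output; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the AVDF documentation. Parses the documented
# output format of LIST UNIFIED AUDIT POLICIES FOR TARGET, one row per
# policy in the form |Unified Policy Name|Enabled (Yes/No)|, checks the three
# predefined policies behind the STIG category, and emits the AVCLI statement
# that enables them. Leading and trailing whitespace inside a cell is trimmed;
# rows that do not have the expected shape are ignored.

STIG_POLICIES="ORA_STIG_RECOMMENDATIONS ORA_LOGON_LOGOFF ORA_ALL_TOPLEVEL_ACTIONS"

# Constructed sample listing (not real AVCLI output), in the documented row format.
SAMPLE_LISTING='|ORA_STIG_RECOMMENDATIONS|Yes|
|ORA_LOGON_LOGOFF|No|
|ORA_ALL_TOPLEVEL_ACTIONS|Yes|
|ORA_ACCOUNT_MGMT|No|'

# policy_state LISTING NAME -> prints Yes or No for the named policy, or
# "absent" when no row carries that name
policy_state() {
    printf '%s\n' "$1" | awk -F'|' -v name="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $3) }
        $2 == name { print $3; found = 1; exit }
        END { if (!found) print "absent" }'
}

# stig_gaps LISTING -> prints "<policy> <state>" for each STIG-related policy
# that is not reported as Yes; returns 1 when there is at least one gap
stig_gaps() {
    rc=0
    for p in $STIG_POLICIES; do
        s=$(policy_state "$1" "$p")
        if [ "$s" != Yes ]; then
            printf '%s %s\n' "$p" "$s"
            rc=1
        fi
    done
    return $rc
}

# stig_enable_statement TARGET [USERS] -> the AVCLI statement from the STIG
# section; with USERS (comma-separated), ORA_ALL_TOPLEVEL_ACTIONS is limited
# to that list instead of the privileged users from the entitlement job
stig_enable_statement() {
    if [ -n "$2" ]; then
        printf "ENABLE UNIFIED AUDIT POLICY \"Security Technical Implementation Guidelines (STIG)\" ON TARGET %s FOR USERS '%s';\n" "$1" "$2"
    else
        printf "ENABLE UNIFIED AUDIT POLICY \"Security Technical Implementation Guidelines (STIG)\" ON TARGET %s;\n" "$1"
    fi
}

# Stand-alone run over the constructed listing: print the gaps, then the
# statement that would close them on a target named t1 (assumed name)
stig_gaps "$SAMPLE_LISTING" || stig_enable_statement t1
```

To use it against a real target, capture the output of "list unified audit oracle predefined policies for target <name>;" into a variable and pass it to stig_gaps in place of SAMPLE_LISTING; a policy reported as "absent" usually means the target is older than Oracle Database 21 or the entitlement job has not yet run, both of which the STIG section above calls out.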

A.18 AVCLI User Commands

You can run AVCLI user commands to create users, assign roles, reset passwords, and delete users.

A.18.1 About the User AVCLI Commands

The AVCLI general user commands enable you to perform tasks such as creating and dropping Oracle Audit Vault users.

A.18.2 ALTER ADMIN

Use the ALTER ADMIN command to reset the password for an admin or superadmin user. Only a superadmin can reset the password for an admin or superadmin user.

The ALTER ADMIN command resets the password of the user with admin role. A superadmin can modify the password of the user with admin role.

Syntax

ALTER ADMIN <user name>

Arguments

Argument Description

user name

The existing user with admin role who requires a password reset.

password

The command prompts a password for modifying the password of the user with admin role. The password must have at least one uppercase letter, one lowercase letter, one digit(0-9), and one special character(.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

Example

alter admin myadmin;

This command resets the password of the existing user myadmin. The password for myadmin is taken from the prompt.

Oracle AVDF 20.3 and later

This command is used to modify an ADMIN user type or reset an ADMIN user's password. This command can be run only by a SUPERADMIN user.

Syntax

ALTER ADMIN <username> ADMIN TYPE <type>

This command changes the ADMIN user's type.

ALTER ADMIN <username> CHANGE PASSWORD

This command resets the password of the specified user name. The user password is taken from the prompt.

Arguments

Argument Description

user name

The existing user with ADMIN role who requires a password reset.

type

Type specifies the ADMIN role type to assign to the user. The type can only be either ADMIN or SUPERADMIN.

password

The command prompts a password for modifying the password of the user with ADMIN role. The password must have at least one uppercase letter, one lowercase letter, one digit(0-9), and one special character(.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

Examples

alter admin myadmin admin type admin;

Changes the type of user myadmin to ADMIN role.

alter admin myadmin change password;

Resets the password of user myadmin. The password for myadmin is taken from the prompt.
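The password rule quoted in this section (and repeated for the other ADMIN and AUDITOR commands) mixes a character minimum with a byte maximum and a fixed set of special characters, which is easy to get wrong when the password is typed at a prompt that does not echo. The following POSIX shell script is an added example, not part of the AVDF documentation or of avcli: it checks a candidate against exactly that rule before the value is entered at the AVCLI prompt, reporting every violated requirement and never printing the password itself. The function names are this example's own; the check reproduces the rule as the page states it and nothing more, so any further rules the server enforces are not covered.

```shell
#!/bin/sh
# Added example, not part of the AVDF documentation: check a candidate
# password against the rule stated for ALTER/CREATE ADMIN and AUDITOR:
# at least one uppercase letter, one lowercase letter, one digit and one of
# . , + : _ ! ; at least 8 characters and at most 30 bytes. Only the verdict
# and the violated rules are printed; the password is never echoed or saved.

# has_class STRING BRACKET_EXPR -> 0 when some character of STRING matches;
# LC_ALL=C keeps [A-Z] and [a-z] to ASCII letters regardless of locale
has_class() {
    printf '%s' "$1" | LC_ALL=C grep -q "$2"
}

# check_password PASSWORD -> 0 when acceptable; otherwise lists every
# violated rule on stderr and returns 1
check_password() {
    pw=$1
    rc=0
    # length in bytes (the 30-byte cap), so multibyte characters count more than once
    bytes=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    # length in characters as the shell sees it (the 8-character minimum)
    chars=${#pw}
    [ "$chars" -ge 8 ]  || { echo "fewer than 8 characters" >&2; rc=1; }
    [ "$bytes" -le 30 ] || { echo "more than 30 bytes" >&2; rc=1; }
    has_class "$pw" '[A-Z]'    || { echo "no uppercase letter" >&2; rc=1; }
    has_class "$pw" '[a-z]'    || { echo "no lowercase letter" >&2; rc=1; }
    has_class "$pw" '[0-9]'    || { echo "no digit" >&2; rc=1; }
    has_class "$pw" '[,+:_!.]' || { echo "no special character from . , + : _ !" >&2; rc=1; }
    return $rc
}

# read_and_check: prompt with terminal echo off, then validate; interactive
# use only, so that the candidate never appears in shell history or a log
read_and_check() {
    printf 'Candidate password: ' >&2
    stty -echo 2>/dev/null
    read -r candidate
    stty echo 2>/dev/null
    echo >&2
    check_password "$candidate"
}
```

Run read_and_check from an interactive shell before issuing CREATE ADMIN, CREATE AUDITOR, or the CHANGE PASSWORD forms; do not pass real passwords on the command line to check_password, since command arguments are visible to other users of the host through the process table.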

A.18.3 ALTER AUDITOR

Use the ALTER AUDITOR command to reset the password for existing auditors or superauditor users. Only a superauditor can reset the password for auditors or superauditor users.

The ALTER AUDITOR command resets the password of the user with auditor role. A superauditor can modify the password of the user with auditor role.

Syntax

ALTER AUDITOR <user name>

Arguments

Argument Description

user name

The existing user with auditor role who requires a password reset.

password

The command prompts a password for modifying the password of the user with auditor role. The password must have at least one uppercase letter, one lowercase letter, one digit(0-9), and one special character(.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

Example

alter auditor myauditor;

This command resets the password of the existing user myauditor. The password for myauditor is taken from the prompt.

Oracle AVDF 20.3 and later

This command is used to modify an AUDITOR user type or reset an AUDITOR user's password. This command can be run only by a SUPERAUDITOR user.

Syntax

ALTER AUDITOR <username> AUDITOR TYPE <type>

This command changes the AUDITOR user's type.

ALTER AUDITOR <username> CHANGE PASSWORD

This command resets the password of the specified user name. The user password is taken from the prompt.

Arguments

Argument Description

user name

The existing user with AUDITOR role who requires a password reset.

type

Type specifies the AUDITOR role type to assign to the user. The type can only be either AUDITOR or SUPERAUDITOR.

password

The command prompts a password for modifying the password of the user with AUDITOR role. The password must have at least one uppercase letter, one lowercase letter, one digit(0-9), and one special character(.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

Examples

alter auditor myauditor auditor type superauditor;

Modify the type of user myauditor to SUPERAUDITOR role.

alter auditor myauditor change password;

Resets the password of user myauditor. The password for myauditor is taken from the prompt.

A.18.4 CREATE ADMIN

Use the CREATE ADMIN command to create users with the admin role. Only a superadmin can create a user with admin role.

The CREATE ADMIN command creates a user with admin role. A superadmin can create a user with admin role.

Syntax

CREATE ADMIN user name

Arguments

Argument Description

user name

The name of the user being created with admin role. The user name cannot be null, start with any reserved user name, or be the same as any existing user or role. It must be alphanumeric only and can contain underscore (_), dollar sign ($), and pound sign (#).

password

The command prompts a password before creating a user with admin role. The password must have at least one uppercase letter, one lowercase letter, one digit(0-9), and one special character(.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

Example

create admin myadmin;

This command creates a user myadmin with admin role. The user password is taken from the prompt.

Oracle AVDF 20.3 and later

This command creates a user with administrator privileges. A super administrator can create a user with admin role.

Syntax

CREATE ADMIN <user name> ADMIN TYPE <type>

This command prompts a password and creates a user with the specified user name and assigns ADMIN or SUPERADMIN privileges.

Arguments

Argument Description

user name

The name of the user being created with ADMIN role. The user name cannot be null, start with any reserved user name, or be the same as any existing user or role. It must be alphanumeric only and can contain underscore (_), dollar sign ($), and pound sign (#). It can have a maximum of 30 characters in length.

password

The command prompts a password before creating a user with ADMIN role. The password must have at least one uppercase letter, one lowercase letter, one digit(0-9), and one special character(.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

type

Type specifies the particular type of administrator role being created. The type can only be either ADMIN or SUPERADMIN. ADMIN gives administrator privileges, while SUPERADMIN gives super administrator privileges.

Example

create admin myadmin admin type superadmin;

Creates user myadmin with SUPERADMIN type. The user password is taken from the prompt.

A.18.5 CREATE AUDITOR

Use the CREATE AUDITOR command to create users with the auditor role. Only superauditors can create users with the auditor role.

The CREATE AUDITOR command creates a user with the auditor role. A superauditor can create a user with auditor role.

Syntax

CREATE AUDITOR user name

Arguments

Argument Description

user name

The name of the user being created with auditor role. The user name cannot be null, start with any reserved user name, or be the same as any existing user or role. It must be alphanumeric only and can contain underscore (_), dollar sign ($), and pound sign (#).

password

The command prompts a password before creating a user with auditor role. The password must have at least one uppercase letter, one lowercase letter, one digit(0-9), and one special character(.,+:_!). A password must be at least 8 characters and at most 30 bytes in length.

Example

create auditor myauditor;

This command creates a user myauditor with auditor role. The user password is taken from the prompt.

Oracle AVDF 20.3 and later

This command creates a user with AUDITOR privileges. A super auditor can create a user with auditor role.

Syntax

CREATE AUDITOR <username> AUDITOR TYPE <type>

This command prompts for a password and creates a user with the specified user name, assigning AUDITOR or SUPERAUDITOR privileges.

Arguments

Argument Description

user name

The name of the user being created with auditor role. The user name cannot be null, start with any reserved user name, or be the same as any existing user or role. It must be alphanumeric only and can contain underscore (_), dollar sign ($), and pound sign (#). It can have a maximum of 30 characters in length.

password

The command prompts for a password before creating the user. The password must contain at least one uppercase letter, one lowercase letter, one digit (0-9), and one special character from the set . , + : _ ! (period, comma, plus, colon, underscore, exclamation mark). It must be at least 8 characters and at most 30 bytes long.

type

Type specifies the kind of auditor account being created. The type must be either AUDITOR or SUPERAUDITOR. AUDITOR grants auditor privileges; SUPERAUDITOR grants super auditor privileges.

Example

create auditor myauditor auditor type superauditor;

Creates the user myauditor with the SUPERAUDITOR type. The password is read from the prompt.
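When account creation is scripted rather than typed interactively, it is useful to check the proposed user name and password against the rules stated above for CREATE ADMIN and CREATE AUDITOR before the statement reaches AVCLI, so that a rejected name or password does not leave a half-finished run. The following Python script is an added example and is not code from the Oracle AVDF documentation or from AVCLI itself. It implements the documented rules only; the reserved-name list and the existing-name list are parameters you must supply, because this page does not enumerate them, and case-insensitive comparison of names is an assumption. It also builds the CREATE statement in the 20.3-and-later form (with the TYPE clause) or the earlier form (without it), always ending in the required semicolon.

```python
import re

# Rules as documented for CREATE ADMIN / CREATE AUDITOR (AVDF 20.3 and later).
USERNAME_RE = re.compile(r"[A-Za-z0-9_$#]+")   # alphanumeric plus _ $ #
MAX_USERNAME_CHARS = 30
PASSWORD_SPECIALS = ".,+:_!"                   # the documented special-character set
MIN_PASSWORD_CHARS = 8                         # minimum is counted in characters
MAX_PASSWORD_BYTES = 30                        # maximum is counted in bytes

# Which TYPE values each CREATE command accepts.
ROLE_TYPES = {
    "ADMIN": ("ADMIN", "SUPERADMIN"),
    "AUDITOR": ("AUDITOR", "SUPERAUDITOR"),
}


def check_username(name, reserved_prefixes=(), existing_names=()):
    """Return a list of rule violations for a proposed user name (empty means valid).

    reserved_prefixes and existing_names are supplied by the caller; this page does
    not list them. Comparison is case-insensitive, which is an assumption here.
    """
    problems = []
    if not name:
        return ["user name is empty"]
    if not USERNAME_RE.fullmatch(name):
        problems.append("user name may contain only letters, digits, _, $ and #")
    if len(name) > MAX_USERNAME_CHARS:
        problems.append(f"user name is longer than {MAX_USERNAME_CHARS} characters")
    upper = name.upper()
    for prefix in reserved_prefixes:
        if upper.startswith(prefix.upper()):
            problems.append(f"user name starts with reserved name {prefix}")
            break
    if upper in {e.upper() for e in existing_names}:
        problems.append("user name is the same as an existing user or role")
    return problems


def check_password(password):
    """Return a list of rule violations for a proposed password (empty means valid).

    Letter classes are checked as ASCII ranges; the page does not say whether
    non-ASCII letters count, so this example assumes they do not.
    """
    problems = []
    if len(password) < MIN_PASSWORD_CHARS:
        problems.append(f"password is shorter than {MIN_PASSWORD_CHARS} characters")
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        problems.append(f"password is longer than {MAX_PASSWORD_BYTES} bytes")
    if not any("A" <= c <= "Z" for c in password):
        problems.append("password has no uppercase letter")
    if not any("a" <= c <= "z" for c in password):
        problems.append("password has no lowercase letter")
    if not any("0" <= c <= "9" for c in password):
        problems.append("password has no digit")
    if not any(c in PASSWORD_SPECIALS for c in password):
        problems.append(f"password has no special character from {PASSWORD_SPECIALS}")
    return problems


def create_statement(role, name, rtype=None, reserved_prefixes=(), existing_names=()):
    """Build a CREATE ADMIN / CREATE AUDITOR statement after validating its inputs.

    rtype=None produces the pre-20.3 form without the TYPE clause. The password is
    not part of the statement: AVCLI prompts for it, so it is never written to a script.
    """
    role = role.upper()
    if role not in ROLE_TYPES:
        raise ValueError(f"role must be one of {sorted(ROLE_TYPES)}")
    problems = check_username(name, reserved_prefixes, existing_names)
    if problems:
        raise ValueError("; ".join(problems))
    if rtype is None:
        return f"CREATE {role} {name};"
    rtype = rtype.upper()
    if rtype not in ROLE_TYPES[role]:
        raise ValueError(f"{role} TYPE must be one of {ROLE_TYPES[role]}")
    return f"CREATE {role} {name} {role} TYPE {rtype};"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real deployment.
    print(create_statement("auditor", "myauditor", "superauditor"))
    print(create_statement("admin", "myadmin"))
    print(check_password("weakpass"))
```

Run the password check on the value you are about to type at the prompt and keep the password out of the generated script; the statement itself carries only the name, role, and type, which is why create_statement never takes a password argument.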

A.18.6 DROP ADMIN

Use the DROP ADMIN command to drop admin or superadmin users. Only a superadmin can drop an admin or superadmin user.

The DROP ADMIN command drops a user with the admin or superadmin role. Only a superadmin can run this command.

Syntax

DROP ADMIN user name

Arguments

Argument Description

user name

The existing user with the admin or superadmin role to be dropped.

Example

drop admin myadmin;

Drops the existing user myadmin. The command performs a cleanup: it expires the password, locks the account, terminates any existing sessions for the user, and then drops the user from the database.

A.18.7 DROP AUDITOR

Use the DROP AUDITOR command to drop auditor or superauditor users. Only a superauditor can drop an auditor or superauditor user.

The DROP AUDITOR command drops a user with the auditor or superauditor role. Only a superauditor can run this command.

Syntax

DROP AUDITOR user name

Arguments

Argument Description

user name

The existing user with the auditor or superauditor role to be dropped.

Example

drop auditor myauditor;

Drops the existing user myauditor. The command performs a cleanup: it expires the password, locks the account, terminates any existing sessions for the user, and then drops the user from the database.

A.18.8 LIST ADMIN

Use the LIST ADMIN command to see administrator privileges for a specific user.

The LIST ADMIN command lists administrator privileges for a specific user.

Note:

This command is available starting with Oracle AVDF release 20.4.

Syntax

LIST ADMIN <username>

This command lists the administrator privileges for a specific user.

Argument

Argument Description

username

The specified user.

Example

list admin scott;

Lists the administrator privileges of the user scott.

A.18.9 LIST ADMINS

Use the LIST ADMINS command to view or get a list of all users with administrator privileges.

The LIST ADMINS command lists all users with administrator privileges.

Note:

This command is available starting with Oracle AVDF release 20.4.

Syntax

LIST ADMINS

Example

list admins;

Lists all users with administrator privileges.

A.18.10 LIST AUDITOR

Use the LIST AUDITOR command to see auditor privileges for a specific user.

The LIST AUDITOR command lists auditor privileges for a specific user.

Note:

This command is available starting with Oracle AVDF release 20.4.

Syntax

LIST AUDITOR <username>

This command lists the auditor privileges for a specific user.

Argument

Argument Description

username

The specified user.

Example

list auditor scott;

Lists the auditor privileges of the user scott.

A.18.11 LIST AUDITORS

Use the LIST AUDITORS command to view or get a list of all users with auditor privileges.

The LIST AUDITORS command lists all users with auditor privileges.

Note:

This command is available starting with Oracle AVDF release 20.4.

Syntax

LIST AUDITORS

Example

list auditors;

Lists all users with auditor privileges.