14 Managing User Accounts and Access

To manage user accounts and access, you can use both the command line and the Audit Vault Server console.

14.1 About Oracle Audit Vault and Database Firewall Administrative Accounts

Oracle Audit Vault and Database Firewall administrative accounts help you manage user access.

When administrators log in to Oracle Audit Vault and Database Firewall, they have access only to administrative functions, whereas auditors have access only to the auditing functions.

Oracle Audit Vault and Database Firewall has three types of administrative user accounts:

  • Audit Vault Server Super Administrator:

    • Manages system-wide settings

    • Creates user accounts for super administrators and administrators

    • Has access to all targets and target groups

    • Grants access to targets or target groups to administrators

  • Audit Vault Server Administrator: Has access to specific targets or target groups granted by a super administrator. Administrators cannot manage system-wide settings.

After installing Oracle Audit Vault and Database Firewall, a post-installation configuration page lets you create and specify passwords for one super administrator account and one super auditor account for the Audit Vault Server. The super administrator and super auditor created during post-installation are Audit Vault Server database users, so there is always at least one Audit Vault Server database user as super administrator and one as super auditor.

Thereafter, the Audit Vault Server super administrator can create other administrative users, and the super auditor can create other auditor users, for the server.

This chapter describes managing user accounts and passwords for the Oracle Audit Vault and Database Firewall administrator user interfaces.

14.2 Security Technical Implementation Guides and Implementation for User Accounts

Oracle Audit Vault and Database Firewall follows STIG guidelines for user accounts.

Oracle Audit Vault and Database Firewall applies the following Security Technical Implementation Guides (STIG) implementation rules to user accounts:

  • The default Oracle Audit Vault and Database Firewall user accounts must have custom passwords.

  • The maximum number of consecutive failed login attempts is 3.

  • When a user exceeds the maximum number of unsuccessful login attempts, the account is locked, and the lockout persists until a super administrator resets the user account.

See Also:

Security Technical Implementation Guides for more information about STIG compliance

14.3 Configuring Administrative Accounts for Oracle Audit Vault Server

Learn how to configure administrative accounts for Oracle Audit Vault Server.

14.3.1 Guidelines for Securing Oracle Audit Vault and Database Firewall User Accounts

Review the guidelines for securing Oracle Audit Vault and Database Firewall user accounts.

As a best practice, use the installed Oracle Audit Vault and Database Firewall user accounts only as back-up accounts. Add new user accounts, with unique user names and passwords, for the users who are responsible for the day-to-day Oracle Audit Vault and Database Firewall operations.

Note:

Oracle Audit Vault and Database Firewall does not accept user names with quotation marks. For example, "jsmith" is not a valid user name for an Oracle Audit Vault and Database Firewall user account, or an account created on a target for use by Oracle Audit Vault and Database Firewall.

14.3.2 Creating Administrative Accounts for Audit Vault Server

You can create Audit Vault Server administrative accounts to manage administration.

Audit Vault Server super administrators can create both super administrator and administrator user accounts.
  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.

    The Manage Admins sub tab appears by default, and displays existing users and the targets or groups to which they have access.

  3. Click Add.
  4. Enter the Admin Name and Password, and re-type the password in the appropriate fields.

    Oracle Audit Vault and Database Firewall does not accept user names with quotation marks, such as "jsmith".

  5. In the Type menu, select Admin or Super Admin.
  6. Click Save.

    The new user is listed in the Manage Admins sub tab.

14.3.3 Viewing the Status of Administrator User Accounts

Learn how to view the status of administrator accounts.

As a super administrator, you can view the status of administrator accounts by clicking the Settings tab. The Manage Admins sub tab lists all administrator and super administrator accounts, with their statuses, password expiry dates, the targets and target groups they have access to, etc.

14.3.4 Changing User Account Types for Audit Vault Server

You can change an Audit Vault Server administrative account type from administrator to super administrator, or vice versa.

Note:

If you change a user's account type from administrator to super administrator, then the user will have access to all targets and target groups.
  1. Log in to the Audit Vault Server as a super administrator.

  2. Click the Settings tab.

    The Manage Admins section appears by default. It displays existing users and the targets or groups to which they have access.

  3. Click the name of the user account that you want to change.

  4. In the Modify Admin dialog, click the edit icon against the Type field.

  5. Select the new type: Admin or Super Admin. You can change the type from Admin to Super Admin or from Super Admin to Admin.

  6. You can also grant or revoke access to any targets or groups as necessary for this user.

  7. Click Save.

14.3.5 Unlocking User Accounts

This procedure explains how to unlock user accounts.

An Oracle Audit Vault and Database Firewall administrator account is locked after at least 3 failed login attempts. A super administrator must unlock user accounts.
  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.

    The Manage Admins sub tab is selected by default. It displays a list of existing users.

  3. Click the name of the user account you want to unlock.
  4. In the dialog, click Unlock.

    See Also:

    ALTER USER

14.3.6 Deleting Oracle Audit Vault Server Administrator Accounts

You may need to delete Oracle Audit Vault Server Administrator accounts with this procedure.

  1. Log in to the Audit Vault Server as a super administrator.
  2. Click the Settings tab.

    The Manage Admins sub tab appears by default, and displays existing users and the targets or groups to which they have access.

  3. Select the users you want to delete, and then click Delete.

14.4 Configuring sudo Access for Users

Learn about configuring sudo access for users.

14.4.1 About Configuring sudo Access

Learn about configuring sudo access.

The sudo command enables trusted users to have administrative access to systems without having to log in using root user passwords.

When users have sudo access, they can precede an administrative command with sudo, and then be prompted to enter their password. After authentication is complete, and assuming that the command is permitted, the command is processed as if it had been run by the root user.

14.4.2 Configuring sudo Access for Users

Learn about configuring sudo access for users.

You need root privileges to configure sudo access for users.

  1. Log in to the system as the root user.

  2. Create a normal user account using the useradd command.

    For example, to create a normal user account for the user psmith:

    # useradd psmith
    
  3. Set a password for the user using the passwd command.

    For example:

    # passwd psmith
    Changing password for user psmith.
    New password: new_password
    Retype new password: new_password
    passwd: all authentication tokens updated successfully
    
  4. Run the visudo utility to edit the /etc/sudoers file.

    # visudo
    

    The sudoers file defines the policies that the sudo command applies.

  5. Find the lines in the sudoers file that grant access to users in the wheel group when enabled.

    ## Allows people in group wheel to run all commands
    # %wheel        ALL=(ALL)       ALL
    
  6. Remove the comment character (#) at the start of the second line, which begins with %wheel.

    This enables the configuration option.

  7. Save your changes and exit the editor.

  8. Add the user account that you created earlier to the wheel group using the usermod command.

    For example:

    # usermod -aG wheel psmith
    
  9. Test that the updated configuration enables the user that you created to run commands using sudo.

    1. Use the su command to switch to the new user account that you created.

      # su psmith
      
    2. Use the groups command to verify that the user is in the wheel group.

      $ groups
      psmith wheel
      
    3. Use the sudo command to run the whoami command.

      Because this is the first time that you have run a command using sudo from this user account, the banner message is displayed. You will be prompted to enter the password for the user account.

      $ sudo whoami
      

      The following output should appear:

      We trust you have received the usual lecture from the local System
      Administrator. It usually boils down to these three things:
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
      

      Enter the password when prompted:

      [sudo] password for psmith: password
      root
      

      The last line of the output is the user name that is returned by the whoami command. If sudo access has been configured correctly, then this value is root.
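The end state of the procedure above (an enabled %wheel rule that still prompts for a password, and the new user in the wheel group) can be verified from files rather than interactively. The following is an added example, not code from the Oracle documentation; the sample sudoers and group contents, the function names and the NOPASSWD check are constructed for this example (sudo applies the last matching rule, which is what the parser keeps).

```python
"""Added example, not from the Oracle AVDF documentation: verifies the sudo
setup from 14.4.2 by parsing sudoers-style and /etc/group-style text.
The sample contents and function names below are constructed."""
import re
from pathlib import Path

# An uncommented rule granting the wheel group ALL commands. A NOPASSWD tag
# is weaker than the password-prompted setup the page describes, so it is
# reported separately instead of being accepted as "ok".
WHEEL_RULE = re.compile(r"^\s*%wheel\s+ALL=\(ALL(?::ALL)?\)\s+(NOPASSWD:\s*)?ALL\s*$")


def wheel_rule_state(sudoers_text: str) -> str:
    """Return 'disabled', 'nopasswd' or 'ok' for the %wheel rule.
    sudo uses the last matching entry, so the last match decides."""
    state = "disabled"
    for line in sudoers_text.splitlines():
        m = WHEEL_RULE.match(line)
        if m:
            state = "nopasswd" if m.group(1) else "ok"
    return state


def members_of(group_text: str, group: str) -> set:
    """Members of `group` from /etc/group-style lines 'name:x:gid:m1,m2'."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group:
            return {m for m in fields[3].split(",") if m}
    return set()


def sudo_ready(sudoers_text: str, group_text: str, user: str) -> bool:
    """True only when the %wheel rule is enabled with a password prompt
    and `user` is a member of wheel (the page's step 9 expectation)."""
    return wheel_rule_state(sudoers_text) == "ok" and user in members_of(group_text, "wheel")


def check_system(user: str, sudoers="/etc/sudoers", group="/etc/group") -> bool:
    """Same check against real files (needs root to read /etc/sudoers)."""
    return sudo_ready(Path(sudoers).read_text(), Path(group).read_text(), user)


# Constructed samples: the page's commented-out line, the enabled line,
# and a weaker NOPASSWD variant, plus a minimal /etc/group.
SUDOERS_DISABLED = "## Allows people in group wheel to run all commands\n# %wheel\tALL=(ALL)\tALL\n"
SUDOERS_OK = "## Allows people in group wheel to run all commands\n%wheel\tALL=(ALL)\tALL\n"
SUDOERS_NOPASSWD = "%wheel\tALL=(ALL)\tNOPASSWD: ALL\n"
GROUP_FILE = "root:x:0:\nwheel:x:10:psmith,jdoe\npsmith:x:1001:\n"

if __name__ == "__main__":
    for name, text in (("disabled", SUDOERS_DISABLED), ("ok", SUDOERS_OK),
                       ("nopasswd", SUDOERS_NOPASSWD)):
        print(name, wheel_rule_state(text), sudo_ready(text, GROUP_FILE, "psmith"))
```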

14.5 Managing User Access Rights to Targets and Groups

Learn about managing user access rights to targets and groups.

14.5.1 About Managing User Access Rights

Learn about managing user access rights.

Super administrators have access to all targets and target groups and can grant access to specific targets and groups to administrators.

You control access to targets or groups in two ways:

  • Modify a target or group to grant or revoke access for one or more users.

  • Modify a user account to grant or revoke access to one or more targets or groups.

14.5.2 Controlling Access Rights by User

Learn about controlling access rights by user.

  1. Log in to the Audit Vault Server as a super administrator.
  2. Click the Settings tab.

    Click the Manage Admins sub tab. It displays existing users and the targets or groups to which they have access.

  3. Click the name of the user account you want to modify.

    The Modify Admin dialog appears.

  4. In the Targets & Target Groups section:
  5. Click Save.

14.5.3 Controlling Access Rights by Target or Group

You can control access rights by targets or groups.

  1. Log in to the Audit Vault Server as a super administrator.
  2. Click the Settings tab, and then click Security (which should be selected by default).
  3. Under Manage Admins sub tab, select the name of the administrator whose target access you want to change.
    The Modify Admin window appears.
  4. Click on the edit icon against Type. Select the appropriate type in the list.
  5. In the Targets & Target Groups section:
  6. Click Save.

14.6 Changing User Passwords in Oracle Audit Vault and Database Firewall

Learn how to manage password changes.

14.6.1 Password Requirements

There are several password requirements that you must meet for Oracle Audit Vault and Database Firewall.

You should have a policy in place for changing passwords for Oracle Audit Vault and Database Firewall user accounts. For example, you may require that users change their passwords on a regular basis, such as every 120 days, and that they create passwords that are not easily guessed.

Requirements for Passwords Containing Unicode Characters

If your password contains unicode characters (such as non-English characters with accent marks), then the password requirement is that it:

  • Be between 8 and 30 characters long.

Requirements for English-Only (ASCII) Passwords

If you are using English-only ASCII printable characters, then Oracle AVDF requires that passwords:

  • Be between 8 and 30 characters long.

  • Contain at least one of each of the following:

    • Lowercase letters: a-z.

    • Uppercase letters: A-Z.

    • Digits: 0-9.

    • Punctuation marks: comma (,), period (.), plus sign (+), colon (:), exclamation mark (!), and underscore (_)

  • Not contain double quotes ("), back space, or control characters.

In addition, Oracle recommends that passwords:

  • Not be the same as the user name.

  • Not be an Oracle reserved word.

  • Not be an obvious password (such as welcome, account, database, and user).

  • Not contain any repeating characters.
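A checker for the rules above, as an added example that is not part of the Oracle documentation: the mandatory requirements reject a password, the recommendations only warn. The function names, sample passwords and the short illustrative reserved-word list are this example's own, and "repeating characters" is read here as the same character twice in a row.

```python
"""Added example, not code from the Oracle AVDF documentation: checks a
candidate password against the requirements listed in 14.6.1."""

MIN_LEN, MAX_LEN = 8, 30
PUNCTUATION = set(",.+:!_")              # the six marks the page lists
OBVIOUS = {"welcome", "account", "database", "user"}
# The page gives no reserved-word list; this is a small illustrative subset.
ORACLE_RESERVED = {"select", "table", "user", "from", "where", "create"}


def is_ascii_only(pw: str) -> bool:
    return all(ord(c) < 128 for c in pw)


def is_control(c: str) -> bool:
    # ASCII control characters, including backspace (0x08) and DEL (0x7f)
    return ord(c) < 0x20 or ord(c) == 0x7F


def hard_failures(pw: str) -> list:
    """Mandatory requirements; an empty list means the password is accepted.
    Unicode passwords are only length-checked, as the page states; ASCII-only
    passwords must also avoid forbidden characters and mix all four classes."""
    errs = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        errs.append(f"length must be {MIN_LEN} to {MAX_LEN} characters")
    if not is_ascii_only(pw):
        return errs
    if '"' in pw or any(is_control(c) for c in pw):
        errs.append("must not contain double quotes, backspace or control characters")
    classes = {
        "lowercase letter": any("a" <= c <= "z" for c in pw),
        "uppercase letter": any("A" <= c <= "Z" for c in pw),
        "digit": any("0" <= c <= "9" for c in pw),
        "punctuation mark (, . + : ! _)": any(c in PUNCTUATION for c in pw),
    }
    errs.extend(f"needs at least one {name}" for name, ok in classes.items() if not ok)
    return errs


def recommendations(pw: str, username: str) -> list:
    """Oracle's recommendations from 14.6.1: warnings, not rejections.
    Comparisons are case-insensitive (an assumption of this example)."""
    warns = []
    low = pw.lower()
    if low == username.lower():
        warns.append("same as the user name")
    if low in ORACLE_RESERVED:
        warns.append("is an Oracle reserved word")
    if low in OBVIOUS:
        warns.append("is an obvious password")
    if any(a == b for a, b in zip(pw, pw[1:])):
        warns.append("contains repeating characters")
    return warns


def check_password(pw: str, username: str) -> dict:
    errs = hard_failures(pw)
    return {"ok": not errs, "errors": errs, "warnings": recommendations(pw, username)}


if __name__ == "__main__":
    # Constructed sample passwords for the user name psmith
    for pw in ("Welcome.1", "welcome1", "Sécurité", 'Ab,1234"5', "Aa..11Zz"):
        print(repr(pw), check_password(pw, "psmith"))
```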

14.6.2 Changing the Audit Vault Server Administrator Password

Learn how to change the password of an administrator.

Administrators can change their own password. A super administrator can also change the password of other administrators. If a super administrator changes the password of another administrator, then the password automatically expires immediately after it is changed.

14.6.2.1 Changing Your Own Password

Learn how to change your own password as an administrator.

  1. Log in to the Audit Vault Server as an administrator.
  2. In the upper right corner, to the right of your login name, select the menu icon.
  3. Select Change Password from this menu.
  4. In the Change Password window, enter the following fields:
    • Current Password
    • New Password
    • Re-enter New Password
  5. Click Save.

14.6.2.2 Changing the Password of Another Administrator

Learn how to change the password of another administrator as a super administrator.

A super administrator can change the passwords of other administrators. However, the password automatically expires immediately after it is changed by the super administrator. The administrator must follow the instructions in the topic Changing the Expired Password of an Administrator.

  1. Log in to the Audit Vault Server as super administrator.
  2. Click the Settings tab and then if necessary, select Security in the left navigational menu.
  3. Under Manage Admins, select the name of the administrator whose password you want to change.
  4. In the Modify Admin window, click Change Password.
  5. In the Change Password window, enter the following fields:
    • New Password
    • Re-enter New Password
  6. Click Save.

14.6.2.3 Changing the Expired Password of an Administrator

Your password might have expired because a super administrator changed it, or because the password expiry date has passed.

For Oracle AVDF release 20.4 or earlier, follow these steps:

  1. Log in to the Audit Vault Server through SSH and switch to the root user.

    See Logging In to Oracle AVDF Appliances Through SSH.

  2. Switch to the dvaccountmgr user.

    su - dvaccountmgr
  3. Start SQL*Plus without the user name and password.

    sqlplus /
  4. If the account is locked, run the following command to unlock the account:

    alter user <user name> account unlock;
  5. Run the following command to change the password:

    alter user <user name> identified by <new_password>;

For Oracle AVDF release 20.5 or later, follow these steps:

  1. Log in to AVCLI with your user name.
  2. AVCLI prompts to enter the password. Enter the expired password.

    The following message is displayed:

    The password has expired. Enter the new password:

  3. Enter the new password of your choice. Follow the password requirements.

    The following message is displayed:

    Re-enter password:

  4. Re-enter the new password.
  5. If the following message is displayed, then you have successfully logged in to AVCLI with the new password, and your account is active again:
    
    Connected to: 
            Oracle Audit Vault Server - Version : 20.x.0.0.0
    

    Note:

    If you fail to log in 3 or more times, your account is locked. You must unlock your account and then retry the steps above.

14.7 Unlocking and Locking the AVSYS User

When installing or administering Oracle Audit Vault and Database Firewall (Oracle AVDF), you sometimes need to unlock and relock the AVSYS user.

14.7.1 Unlocking the AVSYS User

Use these steps to temporarily unlock the AVSYS user to complete an installation or administration task.

Prerequisite

Log in to the Audit Vault Server through SSH and switch to the root user.

See Logging In to Oracle AVDF Appliances Through SSH.

Procedure

  1. Switch to the dvaccountmgr user.

    su - dvaccountmgr
  2. Start SQL*Plus without the user name and password.

    sqlplus /
  3. Run the following command to unlock avsys:

    alter user avsys identified by <password> account unlock;
  4. Exit SQL*Plus.

    exit

14.7.2 Locking the AVSYS User

Use these steps to lock the AVSYS user after you've unlocked it to complete an installation or administration task.

Prerequisite

Log in to the Audit Vault Server through SSH and switch to the root user.

See Logging In to Oracle AVDF Appliances Through SSH.

Procedure

  1. Switch to the dvaccountmgr user.

    su - dvaccountmgr
  2. Start SQL*Plus without the user name and password.

    sqlplus /
  3. Run the following command to lock avsys:

    alter user avsys account lock;
  4. Exit SQL*Plus.

    exit

14.8 Integrating Oracle Audit Vault and Database Firewall with Microsoft Active Directory or OpenLDAP

You can use Microsoft Active Directory or OpenLDAP to control access to Oracle Audit Vault and Database Firewall.

14.8.1 About Microsoft Active Directory or OpenLDAP Integration

You can integrate a Microsoft Active Directory or OpenLDAP server to authenticate users who connect to the Audit Vault Server console.

When users log in to the Audit Vault Server console, they are prompted to select one of the groups to which they belong. After the user is authenticated, access is granted based on the role assigned to the selected Microsoft Active Directory or OpenLDAP group.

A super user can assign a role (super administrator, super auditor, administrator, or auditor) to each group in Oracle Audit Vault and Database Firewall. Oracle Audit Vault and Database Firewall release 20.1 and later supports Microsoft Active Directory and OpenLDAP.

Note:

  • While other LDAP servers may work, they are not tested or certified with Oracle Audit Vault and Database Firewall release 20.1.
  • Oracle AVDF does not support the default local accounts of Microsoft Active Directory (for example administrator). Refer to Microsoft documentation for complete information on default local accounts in Active Directory.
  • Microsoft Active Directory and OpenLDAP users and groups must belong to the domain specified in the topic Configuring an LDAP Server.

14.8.2 Configuring an LDAP Server

You can configure an LDAP server to authenticate users by using Microsoft Active Directory or OpenLDAP.

Prerequisite: The LDAP user must have access to the Microsoft Active Directory or OpenLDAP groups that are being provisioned for access to Oracle AVDF.
  1. Get the SSL/TLS certificate used to connect to Microsoft Active Directory or OpenLDAP. It can be sourced from the Microsoft Active Directory or OpenLDAP administrator. Running the command certutil -ca.cert client.crt is a common way to generate the Active Directory client SSL/TLS certificate.
  2. Copy the SSL/TLS certificate in Base64 encoding format.
  3. Launch the Audit Vault Server console.
  4. Log in to the console as a super administrator.
  5. Click the Settings tab.
  6. Click the LDAP Configuration tab (or Active Directory/LDAP Configuration tab starting with Oracle AVDF release 20.8) in the main page.
  7. Click the Add button.
  8. Enter the Microsoft Active Directory or OpenLDAP server details. In the Active Directory/LDAP Configuration dialog, select either Active Directory (AD) or LDAP radio button.
  9. Provide a new Name for the LDAP server.
  10. Enter the AD/LDAP Host Name / IP Address.
  11. Enter the Port number for the SSL/TLS connection.
  12. Enter the Active Directory/LDAP Username and Password.

    The user must be able to retrieve all groups from the AD/LDAP server.

  13. Enter the Domain Name. For example, foobar.example.com.
  14. Provide the AD/LDAP Server Certificate (SSL/TLS) in Base64 encoding format that was sourced earlier in the initial step.
  15. Enter a new password as the Wallet Password for Storing Certificate. This wallet stores the SSL/TLS certificate you provided for LDAP SSL/TLS connection earlier.
  16. Enter the password again in Re-enter Wallet Password field.
  17. Click Test Connection to verify the details. Fix any errors encountered and proceed to the next step.
  18. Click Save.

    Note:

    Click Delete to delete the Microsoft Active Directory or OpenLDAP configuration. Starting Oracle AVDF 20.4, a dialog appears and prompts for your confirmation.

14.8.3 Creating New Users

Create new users for Microsoft Active Directory or OpenLDAP authentication.

  1. Log in to the Audit Vault Server console as a super administrator or super auditor.
  2. Click the Settings tab.

    The Manage Admins or Manage Auditors subtab on the main page is selected by default.

  3. Click Add in the top, right corner.
  4. In the Add Admin (or Add Auditor) dialog box, select Active Directory/LDAP Group or Local AVDF User.
  5. For Local AVDF User, enter the details to create a database administrator or auditor.
    1. Enter the newly created Admin Name or Auditor Name.
    2. Select the Admin Type or Auditor Type.
    3. Enter the Password and Re-type Password.
  6. For Active Directory/LDAP Group, select the Import Mode.

    OpenLDAP or Active Directory users and groups have to exist in the LDAP server before you can create the admin or auditor on the Audit Vault Server for the same.

    1. If you have selected the Fetch import mode, then provide an LDAP User Name and Password. Alternatively, you can register a Microsoft Active Directory or OpenLDAP group in Oracle Audit Vault and Database Firewall that corresponds to an existing group by providing its distinguished name. The LDAP user needs the access privileges required to view all the groups that exist on the LDAP server.

      Note:

      The user credentials are not stored. Therefore, each time that you choose the Fetch option, you must enter the credentials.
    2. In the Group Name Like field, enter a keyword to search for, in order to fetch details of groups with similar names, and then click Fetch at the bottom of the dialog. For example, enter the keyword admin to fetch the AD or OpenLDAP groups whose names contain the string admin.

      Note:

      A user can be added to a group. A group can have administrator or auditor privileges, but not both. For example, a group named AdminAndAuditor can be assigned administrator privileges, but the same group cannot also have auditor privileges; an attempt to assign both privileges fails. A user, however, can belong to both an Admin group and an Auditor group. For example, the user SpecialUser can be a member of both and may choose to connect with the Admin group as an administrator, or with the Auditor group as an auditor.
    3. Select the Domain.
    4. Click the Fetch button at the bottom of the dialog. The values in the Group and User Type fields are populated.
    5. Select the right Group from the drop down menu.
    6. Select the User Type from the drop-down menu, such as, Admin, Super Admin, Auditor, or Super Auditor.
    7. If you have selected the import mode as Manual, then enter the Group Name as distinguished name.
  7. Click Save.

14.8.4 Logging In as an OpenLDAP or Microsoft Active Directory User

After OpenLDAP or Microsoft Active Directory is configured, users can log in to the Audit Vault Server console.

  1. Open the Audit Vault Server console.
  2. Select Active Directory/LDAP Group or Local AVDF User.
  3. Enter the user name and password.
    For database users, enter the user name and password. For Microsoft Active Directory users, enter the user name (sAMAccountName) and password. Select the domain name from the drop-down list.

    Note:

    The domain name is appended to the user name. This may cause issues if a user has been created with a domain in the user name.

    For example, if you attempt to log in as the user user@example.com and select the domain company.example.com, then the Audit Vault Server will look for the user user@example.com@company.example.com.

    Note:

    You must add the user to the Microsoft Active Directory or OpenLDAP group and register the group with the Audit Vault Server. See Creating New Users.
  4. On the following page, select a Group from the drop-down list.
  5. Click Save to log in and complete the authorization.

Note:

Microsoft Active Directory and OpenLDAP users can connect to the Audit Vault Server only through the Audit Vault Server console. They cannot connect to the Audit Vault Server through AVCLI or SQL*Plus.