14 Managing User Accounts and Access

To manage user accounts and access, you can use both the command line and the Audit Vault Server console.

14.1 About Oracle Audit Vault and Database Firewall Administrative Accounts

Oracle Audit Vault and Database Firewall administrative accounts help you manage user access.

When administrators log in to Oracle Audit Vault and Database Firewall, they have access only to administrative functions, whereas auditors have access only to the auditing functions.

Oracle Audit Vault and Database Firewall has three types of administrative user accounts:

  • Audit Vault Server Super Administrator:

    • Manages system-wide settings

    • Creates user accounts for super administrators and administrators

    • Has access to all targets and target groups

    • Grants access to targets or target groups to administrators

  • Audit Vault Server Administrator: Has access to specific targets or target groups granted by a super administrator. Administrators cannot manage system-wide settings.

  • Database Firewall Administrator: Has access to the Database Firewall administrative interface. The Database Firewall has only one administrator.

After installing Oracle Audit Vault and Database Firewall, a post-installation configuration page lets you create and specify passwords for one super administrator account and one super auditor account for the Audit Vault Server, and one administrator account for the Database Firewall.

Thereafter, the Audit Vault Server super administrator can create other administrative users, and the super auditor can create other auditor users, for the server.

This chapter describes managing user accounts and passwords for the Oracle Audit Vault and Database Firewall administrator user interfaces.

14.2 Security Technical Implementation Guides and Implementation for User Accounts

Oracle Audit Vault and Database Firewall follows STIG rules for user accounts.

Oracle Audit Vault and Database Firewall follows the Security Technical Implementation Guides (STIG) and implementation rules for user accounts.

  • The default Oracle Audit Vault and Database Firewall user accounts must have custom passwords.

  • The maximum number of consecutive failed login attempts is 3.

  • When a user exceeds the maximum number of unsuccessful login attempts, the account is locked until a super administrator releases it.

  • Account lockouts will persist until a super administrator resets the user account.

See Also:

Security Technical Implementation Guides for more information about STIG compliance

14.3 Configuring Administrative Accounts for Oracle Audit Vault Server

Learn how to configure administrative accounts for Oracle Audit Vault Server.

14.3.1 Guidelines for Securing Oracle Audit Vault and Database Firewall User Accounts

Review the guidelines for securing Oracle Audit Vault and Database Firewall user accounts.

As a best practice, use the installed Oracle Audit Vault and Database Firewall user accounts only as back-up accounts. Add new user accounts, with unique user names and passwords, for the users who are responsible for the day-to-day Oracle Audit Vault and Database Firewall operations.

Note:

Oracle Audit Vault and Database Firewall does not accept user names with quotation marks. For example, "jsmith" is not a valid user name for an Oracle Audit Vault and Database Firewall user account, or for an account created on a target for use by Oracle Audit Vault and Database Firewall.

14.3.2 Creating Administrative Accounts for Oracle Audit Vault Server

You can create Oracle Audit Vault Server administrative accounts to manage administration.

Oracle Audit Vault Server super administrators can create both super administrator and administrator user accounts.

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.

    The Manage Admins page appears by default, and displays existing users and the targets or groups to which they have access.

  3. Click Add.
  4. Enter the Admin Name and Password, and re-type the password in the appropriate fields.

    Oracle Audit Vault and Database Firewall does not accept user names with quotation marks, such as "jsmith".

  5. In the Type menu, select Admin or Super Admin.
  6. Click Save.

    The new user is listed in the Manage Admins page.

14.3.3 Viewing the Status of Administrator User Accounts

Learn how to view the status of administrator accounts.

As a super administrator, you can view the status of administrator accounts by clicking the Settings tab. The Manage Admins page lists all administrator and super administrator accounts, their statuses, and password expiry dates.

14.3.4 Changing User Account Types for Audit Vault Server

You can change an Audit Vault Server administrative account type from administrator to super administrator, or vice versa.

You can change an administrative account type from administrator to super administrator, or vice versa.

Note:

If you change a user's account type from administrator to super administrator, then the user will have access to all targets and target groups.

  1. Log in to the Audit Vault Server as a super administrator.

  2. Click the Settings tab.

    The Manage Admins section appears by default. It displays existing users and the targets or groups to which they have access.

  3. Click the name of the user account that you want to change.

  4. In the Modify Admin dialog, click the edit icon against the Type field.

  5. Change the type from Admin to Super Admin, or from Super Admin to Admin.

  6. You can also grant or revoke access to any targets or groups as necessary for this user.

  7. Click Save.

14.3.5 Unlocking User Accounts

This procedure explains how to unlock user accounts.

An Oracle Audit Vault and Database Firewall administrator account is locked after at least 3 failed login attempts. A super administrator must unlock user accounts.

  1. Log in to the Audit Vault Server console as a super administrator.
  2. Click the Settings tab.

    The Manage Admin page appears by default, and displays existing users.

  3. Click the name of the user account you want to unlock.
  4. In the Modify Admin page, click Unlock.

14.3.6 Deleting Oracle Audit Vault Server Administrator Accounts

You may need to delete Oracle Audit Vault Server Administrator accounts with this procedure.

  1. Log in to the Audit Vault Server as a super administrator.
  2. Click the Settings tab.

    The Manage Admin page appears by default, and displays existing users and the targets or groups to which they have access.

  3. Select the users you want to delete, and then click Delete.

14.4 Configuring sudo Access for Users

Learn about configuring sudo access for users.

14.4.1 About Configuring sudo Access

Learn about configuring sudo access.

The sudo command enables trusted users to have administrative access to systems without having to log in using root user passwords.

When users have sudo access, they can precede an administrative command with sudo, and then be prompted to enter their password. After authentication is complete, and assuming that the command is permitted, the command is processed as if it had been run by the root user.

14.4.2 Configuring sudo Access for Users

Learn about configuring sudo access for users.

You need root privileges to configure sudo access for users.

  1. Log in to the system as the root user.

  2. Create a normal user account using the useradd command.

    For example, to create a normal user account for the user psmith:

    # useradd psmith
    
  3. Set a password for the user using the passwd command.

    For example:

    # passwd psmith
    Changing password for user psmith.
    New password: new_password
    Retype new password: new_password
    passwd: all authentication tokens updated successfully
    
  4. Run the visudo utility to edit the /etc/sudoers file.

    # visudo
    

    The sudoers file defines the policies that the sudo command applies.

  5. Find the lines in the sudoers file that grant access to users in the wheel group when enabled.

    ## Allows people in group wheel to run all commands
    # %wheel        ALL=(ALL)       ALL
    
  6. Remove the comment character (#) at the start of the second line, which begins with %wheel.

    This enables the configuration option.

  7. Save your changes and exit the editor.

  8. Add the user account that you created earlier to the wheel group using the usermod command.

    For example:

    # usermod -aG wheel psmith
    
  9. Test that the updated configuration enables the user that you created to run commands using sudo.

    1. Use the su command to switch to the new user account that you created.

      # su psmith
      
    2. Use the groups command to verify that the user is in the wheel group.

      $ groups
      psmith wheel
      
    3. Use the sudo command to run the whoami command.

      Because this is the first time that you have run a command using sudo from this user account, the banner message is displayed. You will be prompted to enter the password for the user account.

      $ sudo whoami
      

      The following output should appear:

      We trust you have received the usual lecture from the local System
      Administrator. It usually boils down to these three things:
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
      

      Enter the password when prompted:

      [sudo] password for psmith: password
      root
      

      The last line of the output is the user name that is returned by the whoami command. If sudo access has been configured correctly, then this value is root.
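The sudoers edit and the two verification steps above can be exercised on a copy before anything touches /etc/sudoers. The following is an added example, not code from the Oracle AVDF documentation: it uncomments the exact rule shown in step 5 on a string (leaving any NOPASSWD variant disabled), checks a candidate file with visudo in check mode, and mirrors the groups and sudo whoami checks from step 9. It assumes a Linux host with visudo installed and the rule spelled as in the documentation.

```python
# Added example, not code from the Oracle AVDF documentation: the sudoers part
# of the procedure above as testable Python. The %wheel change is made on a
# string (or a copy of the file) and validated with visudo before it is
# installed. Assumptions: a Linux host with visudo, and the commented rule
# exactly as shown in the documentation ("# %wheel        ALL=(ALL)       ALL").
import grp
import pwd
import re
import shutil
import subprocess

# The commented rule from the page. Only the password-protected form is
# matched, so a "# %wheel ALL=(ALL) NOPASSWD: ALL" line stays disabled.
_COMMENTED_WHEEL = re.compile(r"^#[ \t]*(%wheel[ \t]+ALL=\(ALL\)[ \t]+ALL)[ \t]*$", re.MULTILINE)
_ACTIVE_WHEEL = re.compile(r"^%wheel[ \t]+ALL=\(ALL\)[ \t]+ALL[ \t]*$", re.MULTILINE)


def enable_wheel_rule(sudoers_text: str) -> str:
    """Step 6: drop the leading '#' from the %wheel rule (idempotent)."""
    return _COMMENTED_WHEEL.sub(r"\1", sudoers_text, count=1)


def wheel_rule_active(sudoers_text: str) -> bool:
    """True when an uncommented '%wheel ALL=(ALL) ALL' rule is present."""
    return _ACTIVE_WHEEL.search(sudoers_text) is not None


def sudoers_syntax_ok(path: str) -> bool:
    """Check a candidate sudoers file with 'visudo -c -f PATH' before installing it.

    visudo also checks owner and mode, so give the candidate mode 0440 and
    root ownership if the check should match the real file exactly.
    Raises FileNotFoundError when visudo is not installed.
    """
    visudo = shutil.which("visudo")
    if visudo is None:
        raise FileNotFoundError("visudo is not installed on this host")
    return subprocess.run([visudo, "-c", "-f", path], capture_output=True).returncode == 0


def user_in_group(user: str, group: str) -> bool:
    """Same check as 'groups' in step 9: primary or supplementary membership."""
    try:
        pw_entry = pwd.getpwnam(user)
        gr_entry = grp.getgrnam(group)
    except KeyError:
        return False
    return pw_entry.pw_gid == gr_entry.gr_gid or user in gr_entry.gr_mem


def sudo_whoami_is_root(timeout: int = 10) -> bool:
    """Step 9c without the prompt: 'sudo -n whoami' fails instead of asking for a
    password, so False means either no matching rule or no cached credential."""
    try:
        result = subprocess.run(["sudo", "-n", "whoami"], capture_output=True,
                                text=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0 and result.stdout.strip() == "root"


if __name__ == "__main__":
    # Dry run on a copy: edit, validate, and only then install it with visudo.
    # Constructed sample text; the real file is /etc/sudoers.
    import tempfile
    sample = "## Allows people in group wheel to run all commands\n# %wheel        ALL=(ALL)       ALL\n"
    edited = enable_wheel_rule(sample)
    with tempfile.NamedTemporaryFile("w", suffix=".sudoers", delete=False) as fh:
        fh.write(edited)
        candidate = fh.name
    print("rule active:", wheel_rule_active(edited))
    try:
        print("visudo accepts candidate:", sudoers_syntax_ok(candidate))
    except FileNotFoundError as exc:
        print(exc)
    print("psmith in wheel:", user_in_group("psmith", "wheel"))
```

Running the module as root prints whether the edited copy passes visudo and whether psmith is already in wheel; the edit itself is still applied through visudo, as in step 4, never by writing to /etc/sudoers directly.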

14.5 Managing User Access Rights to Targets and Groups

Learn about managing users access rights to targets and groups.

14.5.1 About Managing User Access Rights

Learn about managing user access rights.

Super administrators have access to all targets and target groups and can grant access to specific targets and groups to administrators.

You control access to targets or groups in two ways:

  • Modify a target or group to grant or revoke access for one or more users.

  • Modify a user account to grant or revoke access to one or more targets or groups.

14.5.2 Controlling Access Rights by User

Learn about controlling access rights by user.

  1. Log in to the Audit Vault Server as a super administrator.
  2. Click the Settings tab.

    Click the Manage Admins sub tab. It displays existing users and the targets or groups to which they have access.

  3. Click the name of the user account you want to modify.

    The Modify Admin dialog appears.

  4. In the Targets & Target Groups section:
  5. Click Save.

14.5.3 Controlling Access Rights by Target or Group

You can control access rights by targets or groups.

  1. Log in to the Audit Vault Server as a super administrator.
  2. Click the Settings tab, and then click Security (which should be selected by default).
  3. Under Manage Admins sub tab, select the name of the administrator whose target access you want to change.
    The Modify Admin window appears.
  4. Click on the edit icon against Type. Select the appropriate type in the list.
  5. In the Targets & Target Groups section:
  6. Click Save.

14.6 Changing User Passwords in Oracle Audit Vault and Database Firewall

Learn how to manage password changes and Active Directory for authentication.

14.6.1 Password Requirements

There are several password requirements that you must meet for Oracle Audit Vault and Database Firewall.

You should have a policy in place for changing passwords for Oracle Audit Vault and Database Firewall user accounts. For example, you may require that users change their passwords on a regular basis, such as every 120 days, and that they create passwords that are not easily guessed.

Requirements for Passwords Containing Unicode Characters

If your password contains unicode characters (such as non-English characters with accent marks), then the password requirement is that it:

  • Be between 8 and 30 characters long.

Requirements for English-Only (ASCII) Passwords

If you are using English-only ASCII printable characters, then Oracle AVDF requires that passwords:

  • Be between 8 and 30 characters long.

  • Contain at least one of each of the following:

    • Lowercase letters: a-z.

    • Uppercase letters: A-Z.

    • Digits: 0-9.

    • Punctuation marks: comma (,), period (.), plus sign (+), colon (:), exclamation mark (!), and underscore (_).

  • Not contain double quotes ("), back space, or control characters.

In addition, Oracle recommends that passwords:

  • Not be the same as the user name.

  • Not be an Oracle reserved word.

  • Not be an obvious password (such as welcome, account, database, and user).

  • Not contain any repeating characters.
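The rules above are easy to check mechanically, which is useful when provisioning accounts from a script rather than the console. The following is an added example, not code from the Oracle AVDF documentation: it returns the hard requirements a candidate password violates (an empty list means it passes) and reports Oracle's recommendations separately. Three points are assumptions, not statements from the page: a password containing any non-ASCII character is treated as a "Unicode" password (so only the length rule applies to it), "repeating characters" is read as the same character twice in a row, and the Oracle reserved-word list is not on the page, so it is not checked.

```python
# Added example, not code from the Oracle AVDF documentation: a checker for the
# password rules in section 14.6.1. Assumptions are marked in comments.
import string

MIN_LEN, MAX_LEN = 8, 30
PUNCTUATION = set(",.+:!_")          # the six marks the page lists
OBVIOUS = {"welcome", "account", "database", "user"}


def _is_control(ch: str) -> bool:
    # ASCII control range plus DEL; backspace (0x08) falls in this range
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def password_violations(password: str) -> list:
    """Hard requirements. Returns a list of human-readable rule violations."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be between 8 and 30 characters")
    if not password.isascii():
        # Assumption: any non-ASCII character makes this a "Unicode" password,
        # to which the page applies only the length rule.
        return problems
    checks = [
        ("missing a lowercase letter a-z", any(c in string.ascii_lowercase for c in password)),
        ("missing an uppercase letter A-Z", any(c in string.ascii_uppercase for c in password)),
        ("missing a digit 0-9", any(c in string.digits for c in password)),
        ("missing one of , . + : ! _", any(c in PUNCTUATION for c in password)),
    ]
    problems.extend(msg for msg, ok in checks if not ok)
    if '"' in password or any(_is_control(c) for c in password):
        problems.append("contains a double quote, backspace or control character")
    return problems


def password_warnings(password: str, username: str = "") -> list:
    """Oracle's recommendations from the page (advisory, not enforced).
    The reserved-word list is not on the page and is therefore not checked."""
    warnings = []
    if username and password.lower() == username.lower():
        warnings.append("same as the user name")
    if password.lower() in OBVIOUS:
        warnings.append("obvious password")
    # Assumption: "repeating characters" means the same character twice in a row
    if any(a == b for a, b in zip(password, password[1:])):
        warnings.append("contains repeated characters")
    return warnings


def password_acceptable(password: str) -> bool:
    """True when no hard requirement is violated."""
    return not password_violations(password)


if __name__ == "__main__":
    # Constructed candidates covering the ASCII rules, a Unicode password and
    # an obvious one; "jsmith" is the hypothetical user name.
    for candidate in ["Abc1,xyz", "Abcdefg1", 'Abc1,xy"', "Pässwort", "welcome"]:
        print(repr(candidate), password_violations(candidate),
              password_warnings(candidate, "jsmith"))
```

Note that the only rule the page states for Unicode passwords is the length; if your own policy requires character classes for those too, add the checks after the `isascii()` branch rather than before it.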

14.6.2 Changing the Audit Vault Server Administrator User Password

You can change both your own password and that of other administrators.

14.6.2.1 Changing Your Own Password

You can change your own password any time.

  1. Log in to the Audit Vault Server as an administrator.
  2. In the upper right corner, to the right of your login name, select the menu icon.
  3. Select Change Password from this menu.
  4. In the Change Password window, enter the following fields:
    • Current Password
    • New Password
    • Re-enter New Password
  5. Click Save.

14.6.2.2 Changing the Password of Another Administrator

You can change the passwords of other administrators.

  1. Log in to the Audit Vault Server as an administrator.
  2. Click the Settings tab and then if necessary, select Security in the left navigational menu.
  3. Under Manage Admins, select the name of the administrator whose password you want to change.
  4. In the Modify Admin window, click Change Password.
  5. In the Change Password window, enter the following fields:
    • New Password
    • Re-enter New Password
  6. Click Save.

14.6.3 Integrating Oracle Audit Vault and Database Firewall with Microsoft Active Directory or OpenLDAP

You can use Microsoft Active Directory or OpenLDAP to control access to Oracle Audit Vault and Database Firewall.

14.6.3.1 About Microsoft Active Directory or OpenLDAP Integration

Learn about integrating Microsoft Active Directory or OpenLDAP with Audit Vault Server.

You can integrate a Microsoft Active Directory or OpenLDAP server to authenticate users who connect to the Audit Vault Server console. During login, the user is prompted to select a group from a list of groups. After the user is authenticated, access is granted based on the Microsoft Active Directory or OpenLDAP group to which the user belongs and which the user selected.

A super user can assign roles (super administrator, super auditor, administrator, or auditor) to the groups on Oracle Audit Vault and Database Firewall. Oracle Audit Vault and Database Firewall release 20.1 and later supports Microsoft Active Directory and OpenLDAP.

Note:

  • While other LDAP servers may work, they are not tested or certified with Oracle Audit Vault and Database Firewall release 20.1.
  • Oracle AVDF does not support the default local accounts of Microsoft Active Directory (for example, administrator). Refer to Microsoft documentation for complete information on default local accounts in Active Directory.

14.6.3.2 Configuring an LDAP Server

You can configure LDAP server to authenticate users using Microsoft Active Directory or OpenLDAP.

  1. Get the SSL certificate to connect to Microsoft Active Directory or OpenLDAP. This can be sourced from Microsoft Active Directory or OpenLDAP administrator. Copy the SSL certificate.
  2. Launch the Audit Vault Server console.
  3. Log in to the console as super administrator.
  4. Click the Settings tab.
  5. Click the LDAP Configuration tab in the main page.
  6. Click the Add button.
  7. Enter the Microsoft Active Directory or OpenLDAP server details. In the LDAP Configuration dialog, select Active Directory User or LDAP User.
  8. Provide a Name for the LDAP server.
  9. Enter the Server Name or the IP address.
  10. Enter the Port number for the SSL connection.
  11. Enter the Domain Name.
  12. Provide the Microsoft Active Directory or OpenLDAP SSL certificate sourced earlier in the initial step.
  13. If you have selected LDAP User, then enter the Username (distinguished name) and Password. The user must be able to retrieve all groups from OpenLDAP.
  14. Click Test Connection to verify the details. Fix any errors encountered and proceed to the next step.
  15. Click Save.

14.6.3.3 Creating New Users

Create new users for Microsoft Active Directory or OpenLDAP authentication.

  1. Log in to the Audit Vault Server console as a super administrator or super auditor.
  2. Click on Settings tab.
  3. The Manage Admins or Manage Auditors sub tab on the main page is selected by default.
  4. Click on Add button in the top right corner.
  5. In the Add Admin (or Add Auditor) dialog select the Authentication type, Audit Vault User or Active Directory User.
  6. For Audit Vault User, enter the details to create a database administrator or auditor. Enter the newly created Admin Name or Auditor Name.
    1. Select the Admin Type or Auditor Type.
    2. Enter the Password and Re-type Password.
  7. For Active Directory User or LDAP User, select the Import Mode.

    OpenLDAP or Active Directory users and groups have to exist in the LDAP server before you can create the admin or auditor on the Audit Vault Server for the same.

    1. If you have selected the import mode Fetch, then provide an LDAP User Name and Password. Alternatively, you can register a Microsoft Active Directory or OpenLDAP group in Oracle Audit Vault and Database Firewall that corresponds to an existing group by providing its distinguished name. The LDAP user needs the access privileges required to view all the groups that exist on the LDAP server.

      Note:

      The user credentials are not stored. Therefore, each time that you choose the Fetch option, you must enter the credentials.
    2. In the Group Name Like field, enter a keyword to search in order to fetch details from a group that has a similar name. Click Fetch at the bottom of the dialog. For example, enter admin keyword to fetch AD or OpenLDAP groups containing admin string in the group name.
    3. Select the Domain.
    4. Click the Fetch button at the bottom of the dialog. The values in the Group and User Type fields are populated.
    5. Select the right Group from the drop down menu.
    6. Select the User Type from the drop-down menu, such as, Admin, Super Admin, Auditor, or Super Auditor.
    7. If you have selected the import mode as Manual, then enter the Group Name as distinguished name.
  8. Click Save.

14.6.3.4 Log in as an OpenLDAP or Microsoft Active Directory User

After OpenLDAP or Microsoft Active Directory is configured, the user can log in to the Audit Vault Server console.

  1. Launch the Audit Vault Server console.
  2. Select the appropriate radio button to log in. The following are the available options:
    • Microsoft Active Directory User or Audit Vault User
    • LDAP User or Audit Vault User

    You can log in as Audit Vault User. If you have configured Microsoft Active Directory, then you can log in as Microsoft Active Directory User. If you have configured OpenLDAP, then you can log in as LDAP User.

  3. Enter the details of the user. For a database user, enter the user name and password. For a Microsoft Active Directory user, enter the user name (sAMAccountName) and the password, and then select the domain name from the drop-down. The drop-down contains one entry for OpenLDAP.

    Note:

    You must add the Microsoft Active Directory or OpenLDAP user to the groups on the Microsoft Active Directory or OpenLDAP server. Add this group to administrator or auditor. After you complete this step, the LDAP user can log in.
  4. In the following page, select a Group from the drop-down.
  5. Click Save to log in and complete the authorization.