Configure SFTP Audit Log Transfer

Prior to using SFTP-enabled file transfer you must import a copy of each SFTP server’s host key to the OCSBC. The host key identifies the server as a trusted entity when the OCSBC is operating as an SSH or SFTP client.

The SSH protocol requires the server to present its host key to a client during the SSH handshake. The client validates the offered key against the previously obtained trusted copy of the key to identify and authenticate the server.

You must also generate an SSH public and private key pair for the OCSBC in support of its operations as an SSH client. Just as the host key authenticates the SSH server to the SSH client, the generated public key authenticates the SSH client (the OCSBC) to the SSH server. After generating the SSH key pair, you copy the public key to each configured SFTP server. During the authentication process, the server validates the offered client key against this trusted copy to identify and authenticate the client.

To provide needed keys:

  1. Use the procedure described in Importing a Host Key to import the host key of each SFTP server.
  2. Use the procedure described in Generating an SSH Key Pair to generate an SSH public and private key.
  3. Use the procedure described in Copying a Client Key to an SSH or SFTP Server to copy the public key to the SFTP server.
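The two checks the procedure above relies on (the OCSBC validating the SFTP server's host key against the copy it imported, and the SFTP server validating the OCSBC's client key against the public key you copied to it) can be illustrated with the following added example. It is not OCSBC or Oracle code; it is a standard-library Python sketch that computes the OpenSSH-style SHA256 fingerprint of a public-key line, compares an offered host key against a fingerprint recorded out of band, and builds a restricted authorized_keys entry for the OCSBC client key on an OpenSSH SFTP server. The key bytes, the comment strings and the sftp-server path are constructed or assumed for illustration.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Encode a 32-byte Ed25519 public key as an OpenSSH public-key line.

    Used here only to build CONSTRUCTED sample keys; the bytes passed in are
    not a real key pair, just the right length for the encoding."""
    if len(raw32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64
    without '=' padding, i.e. what `ssh-keygen -lf` prints for the key."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    blob = base64.b64decode(parts[1], validate=True)
    # The blob starts with the key type as an SSH string; it must agree with
    # the declared type or the line was tampered with or pasted incorrectly.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key type inside blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def is_valid_pubkey_line(pubkey_line: str) -> bool:
    """True when the line parses and its declared type matches the blob."""
    try:
        fingerprint(pubkey_line)
        return True
    except (ValueError, struct.error):
        return False


def host_key_matches(offered_line: str, trusted_fingerprint: str) -> bool:
    """Client-side check from the SSH handshake: the key the server offers
    must match the copy recorded out of band (the host key imported into the
    OCSBC). Constant-time compare so the check leaks nothing about the pin."""
    if not is_valid_pubkey_line(offered_line):
        return False
    return hmac.compare_digest(fingerprint(offered_line), trusted_fingerprint)


def restricted_authorized_keys_entry(client_pubkey_line: str,
                                     sftp_server="/usr/lib/openssh/sftp-server") -> str:
    """Server-side authorized_keys entry for the OCSBC's client public key.

    Assumes an OpenSSH sshd (7.2 or later for 'restrict'). 'restrict' turns
    off port/agent/X11 forwarding and pty allocation; the forced command
    limits the account to the SFTP subsystem, so a leaked client key cannot
    be used to open a shell. The sftp-server path is an assumption and
    differs between distributions."""
    if not is_valid_pubkey_line(client_pubkey_line):
        raise ValueError("refusing to install an unparseable key")
    key_type, key_b64 = client_pubkey_line.split()[:2]
    return f'restrict,command="{sftp_server}" {key_type} {key_b64} ocsbc-audit-push'


if __name__ == "__main__":
    # Constructed sample standing in for the SFTP server's host key.
    server_host_key = make_ed25519_pubkey_line(bytes(range(32)), "root@sftp.example")
    pinned = fingerprint(server_host_key)  # recorded out of band, not over the network
    print("pinned host key:", pinned)
    print("offered key accepted:", host_key_matches(server_host_key, pinned))
    # A different key presented for the same server (e.g. an interposer) is rejected.
    impostor = make_ed25519_pubkey_line(bytes(32), "root@sftp.example")
    print("impostor accepted:", host_key_matches(impostor, pinned))
    # Constructed sample standing in for the OCSBC's generated client key.
    ocsbc_key = make_ed25519_pubkey_line(bytes(range(32, 64)), "ocsbc")
    print(restricted_authorized_keys_entry(ocsbc_key))
```

The fingerprint you pin must come from the SFTP server itself (for example `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on that host), not from a key scraped off the wire, otherwise the check only confirms that the same party answered twice. On the server side, pair the restricted entry with a dedicated account for the OCSBC whose sshd_config Match block forces the sftp subsystem and, where supported, chroots it to the directory you give as remote-path.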

Configuring SFTP Servers

The multi-instance push-receiver configuration element identifies remote SFTP servers that receive audit log transfers.

  1. Access the audit-logging configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# admin-security
    ORACLE(admin-security)# audit-logging
    ORACLE(audit-logging)# push-receiver
    ORACLE(push-receiver)#
    
  2. Select the push-receiver object to edit.
    ORACLE(push-receiver)# select
    <server>:<port>:
    1: 192.168.54.55:22 server = 192.168.54.55, port = 22
    
    selection: 1
    ORACLE(push-receiver)#
  3. server—in conjunction with port, specifies an SFTP server IP address:port pair

    Provide the IP address of an SFTP server that receives transferred audit logs. For example,

    ORACLE(push-receiver)# server 192.0.2.100
    ORACLE(push-receiver)# 
  4. port—in conjunction with server, specifies an SFTP server IP address:port pair

    Provide the port number monitored by server for incoming audit log transfers. This parameter defaults to port 22, the well-known Secure Shell (SSH) port. Retain the default value, or identify the monitored port with an integer within the range from 1 through 65535.

    ORACLE(push-receiver)# port 2222
    ORACLE(push-receiver)# 
  5. remote-path—specifies the absolute file path to the remote directory that stores transferred audit log files

    Provide the file path to the remote directory. For example,

    ORACLE(push-receiver)# remote-path /home/acme/auditLogs
    ORACLE(push-receiver)# 
  6. filename-prefix—specifies an optional prefix that is prepended to the audit log file name when the file is transferred to an SFTP server

    Provide the optional prefix to prepend to the audit log filename. For example,

    ORACLE(push-receiver)# filename-prefix auvik
    ORACLE(push-receiver)# 
  7. auth-type—specifies the authentication type required by this remote SFTP server

    Two authentication types are supported — simple password, or public keys.

    Refer to SSH Configuration for more information on SSH authentication.

    Enter either password (the default) or publickey. For example,

    ORACLE(push-receiver)# auth-type publickey
    ORACLE(push-receiver)# 
  8. username—specifies the username used to authenticate to this SFTP server

    Provide the username used to authenticate/login to this server. For example,

    ORACLE(push-receiver)# username acme1
    ORACLE(push-receiver)# 
  9. password—required when auth-type is password, and otherwise ignored, specifies the password used in conjunction with username to authenticate the SSH client to this SFTP server

    Provide the password used to authenticate/login to this server. For example,

    ORACLE(push-receiver)# password =yetAnotherPW!
    ORACLE(push-receiver)# 
  10. public-key—required when auth-type is publickey, and otherwise ignored, identifies the certificate used in conjunction with username to authenticate the SSH client to this SFTP server

    Identify the certificate used to authenticate/login to this server. For example,

    ORACLE(push-receiver)# public-key certSFTP-1
    ORACLE(push-receiver)# 
  11. Type done to save your configuration.

Audit Log Alarms and Traps

Three audit log alarms and traps are provided to report significant or anomalous audit log activity.

The ALARM_AUDIT_LOG_FULL trap/alarm is generated in response to (1) the expiration of the file-transfer-time interval, (2) the crossing of the percentage-full threshold, or (3) the crossing of the max-file-size threshold. This trap/alarm is cleared when storage space becomes available, generally upon successful transfer of the audit log to a remote SFTP server or servers.

The ALARM_ADMIN_AUDIT_PUSH_FAIL trap/alarm is generated in response to failure to transfer the audit log to a designated SFTP server. This trap/alarm is cleared when a subsequent transfer to the same recipient succeeds.

The ALARM_AUDIT_WRITE_FAILED trap/alarm is generated in response to failure to record an auditable event in the audit log. This trap/alarm is cleared when a subsequent write succeeds.