Managing Audit

This section explains the main administration tasks and tools you use to manage the audit store, audit policies, and bus-stop files.


Audit Administration Tasks

Setting up audit in your environment involves the following major tasks:

  • Planning the type of store to use for audit records and the store configuration details. For information about audit store management, see Managing the Audit Store in Fusion Middleware Securing Applications with Oracle Platform Security Services.

  • Configuring and maintaining audit policies so that audit events are generated. For information about audit policies, see Managing Audit Policies in Fusion Middleware Securing Applications with Oracle Platform Security Services.

  • Configuring audit reports and queries. For information about reporting, see Using Audit Analysis and Reporting in Fusion Middleware Securing Applications with Oracle Platform Security Services.

  • Registering applications. For information about application registration, see Registering the Application with the Service in Fusion Middleware Securing Applications with Oracle Platform Security Services.

  • Migrating audit information. For information about audit data migration, see Migrating Audit Data in Fusion Middleware Securing Applications with Oracle Platform Security Services.

  • Administering the audit database, including increasing the database size that stores the generated audit data, and backing up and purging that data. For information about audit administration, see Audit Database Administration in Fusion Middleware Securing Applications with Oracle Platform Security Services.

About Audit Data Sources

When you create a domain, the process generates the audit schema, a data structure required to store audit records in the database. It also sets up an audit data source in the server that uses the audit schema. If your environment is not set up with a database to store records, then audit records are kept in bus-stop files.

For more information, see Bus-Stop Files.

Managing Bus-Stop Files

After a bus-stop file reaches a certain size and all of its data has been uploaded to the database, the audit loader deletes the file from the file system. Specify the location and maximum size of bus-stop files so that they are deleted automatically. Deleting audit files manually is not recommended.

Bus-Stop File Locations

Bus-stop files for Java components are located in the following directory:

$DOMAIN_HOME/servers/$SERVER_NAME/logs/auditlogs/Component_Type

Bus-stop files for system components are located in the following directory:

$ORACLE_INSTANCE/auditlogs/Component_Type/Component_Name

Bus-Stop File Size

In Java components, the maximum size of a bus-stop file is set with the audit.maxFileSize property.

In system components, the maximum size of a bus-stop file is set in the auditconfig.xml file:

<serviceInstance name="audit" provider="audit.provider">
  <!-- maximum bus-stop file size; records are uploaded to the database store -->
  <property name="audit.maxFileSize" value="10240" />
  <property name="audit.loader.repositoryType" value="Db" />
</serviceInstance>

When you switch from a file to a database store for audit data, all the events collected in the files are moved to the database tables and the audit files are deleted.

Configuring Standalone Audit Loader

The standalone audit loader moves records from bus-stop files to the audit store periodically. The mechanism driving the audit loader depends on the application environment:

  • Java EE components and applications use the audit loader functionality provided by OPSS runtime. The standalone audit loader is not needed in these environments.

  • System components and non-Java applications use the audit loader functionality provided by the StandAloneAuditLoader command.

  • Java SE applications also use the standalone audit loader, depending on where the bus-stop files are written. For information about audit for Java SE applications, see Common Audit Scenarios in Java SE Applications in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.

The following sections explain how to set up and run the standalone audit loader:

Configuring the Environment

The following settings apply only to non-Java applications and system components.

Before you run the standalone audit loader, set the following audit loader parameters:

  • ORACLE_HOME, the full path to the home directory

  • COMMON_COMPONENTS_HOME, the full path to the Java Required Files (JRF) directory

  • ORACLE_INSTANCE, the full path of an Oracle instance directory

  • auditloader.jdbcString, the Java Database Connectivity (JDBC) connection string for the database where the audit data is stored

  • auditloader.username, the name of the user who runs the audit loader

In addition, make sure that the password for the database schema user is available and stored. This password is specified once.

To specify the database schema user password, use the java StandAloneAuditLoader command with the -Dstore.password=true property:

$JDK_HOME/bin/java \
    -classpath $COMMON_COMPONENTS_HOME/modules/oracle.jps_12.2.1/jps-manifest.jar \
    -Doracle.home=$ORACLE_INSTANCE -Doracle.instance=$ORACLE_INSTANCE \
    -Dauditloader.jdbcString=jdbc:oracle:thin:@host:port:sid \
    -Dauditloader.username=username \
    -Dstore.password=true \
    oracle.security.audit.ajl.loader.StandaloneAuditLoader

The command prompts you to enter a password and generates the cwallet.sso file that stores the password you entered.

Running Standalone Audit Loader

To run the loader, use the StandAloneAuditLoader command:

$JDK_HOME/bin/java \
    -classpath $COMMON_COMPONENTS_HOME/modules/oracle.jps_12.2.1/jps-manifest.jar \
    -Doracle.home=$ORACLE_INSTANCE -Doracle.instance=$ORACLE_INSTANCE \
    -Dauditloader.jdbcString=jdbc:oracle:thin:@host:port:sid \
    -Dauditloader.username=username \
    oracle.security.audit.ajl.loader.StandaloneAuditLoader

This command is typically scheduled to run automatically so that audit records are periodically uploaded to the audit store.
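The environment checks and the two loader invocations above (one-time password store, then periodic upload) can be wrapped in a single scheduler-friendly script. This is an added example, not an Oracle script; the variable names AUDITLOADER_JDBC, AUDITLOADER_USER and AUDITLOADER_LOCK and the lock-directory approach are assumptions, while the java command line mirrors the one on this page.

```shell
#!/bin/sh
# Added example, not an Oracle script: wraps the StandaloneAuditLoader
# invocation shown above for a one-time password store and for cron runs.
# AUDITLOADER_JDBC, AUDITLOADER_USER and AUDITLOADER_LOCK are assumed names.
JPS_JAR="modules/oracle.jps_12.2.1/jps-manifest.jar"
LOADER_CLASS="oracle.security.audit.ajl.loader.StandaloneAuditLoader"

# Fail fast if any setting the loader needs is missing; prints the names.
check_env() {
    missing=""
    for v in JDK_HOME ORACLE_HOME COMMON_COMPONENTS_HOME ORACLE_INSTANCE \
             AUDITLOADER_JDBC AUDITLOADER_USER; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || missing="$missing $v"
    done
    [ -z "$missing" ] && return 0
    echo "audit loader: missing$missing" >&2
    return 1
}

# Print the command line from the page. "store-password" adds
# -Dstore.password=true (one-time prompt that writes cwallet.sso);
# any other mode is the periodic upload. Paths must not contain spaces.
loader_cmd() {
    extra=""
    [ "${1:-run}" = "store-password" ] && extra="-Dstore.password=true "
    printf '%s' "$JDK_HOME/bin/java" \
        " -classpath $COMMON_COMPONENTS_HOME/$JPS_JAR" \
        " -Doracle.home=$ORACLE_INSTANCE -Doracle.instance=$ORACLE_INSTANCE" \
        " -Dauditloader.jdbcString=$AUDITLOADER_JDBC" \
        " -Dauditloader.username=$AUDITLOADER_USER ${extra}$LOADER_CLASS"
}

# Run the loader under a lock so overlapping cron runs cannot upload the
# same bus-stop file twice. Returns the loader's exit status, 2 if skipped.
run_loader() {
    check_env || return 1
    lock="${AUDITLOADER_LOCK:-/tmp/auditloader.lock}"
    if ! mkdir "$lock" 2>/dev/null; then
        echo "audit loader: $lock held by another run, skipping" >&2
        return 2
    fi
    eval "$(loader_cmd "${1:-run}")"
    rc=$?
    rmdir "$lock"
    return $rc
}

case "${1:-}" in run|store-password) run_loader "$1" ;; esac
```

Run it once as `sh audit_loader.sh store-password` to create cwallet.sso, then schedule `sh audit_loader.sh run` from cron; a non-zero exit from the skipped-lock path (2) is worth alerting on if it repeats, since it means uploads are stalling.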