23 Managing Auditing

This chapter describes how to manage auditing for information specific to Oracle Internet Directory using Oracle Enterprise Manager Fusion Middleware Control, Oracle WebLogic Scripting Tool (WLST), and LDAP command-line utilities.

For more information about audit administration tasks, see the Oracle Fusion Middleware Application Security Guide.


23.1 Introduction to Auditing


Auditing is the process that collects and stores information about security requests and the outcome of those requests, thus providing an electronic trail of selected system activity for non-repudiation purposes. Auditing can be configured to track particular security events and management operations based on specific audit criteria. Audit records are kept in a centralized repository (LDAP, database, or file) that allows the creation, viewing, and storage of audit reports.

As of 11g Release 1 (11.1.1), Oracle Internet Directory uses an audit framework that is integrated with Oracle Fusion Middleware. Oracle Internet Directory uses this framework to audit its critical security-related operations. The features of the framework are:

  • APIs for collecting audit information from AS components

  • Common audit record format to be used by all AS components

  • Audit repository database that collects audit records produced by components in the enterprise. (Audit Vault can also be used as the repository.)

  • Administrative interface for controlling the type of information captured by the audit facility.

Before reading this chapter, please read the auditing chapters in the Oracle Fusion Middleware Application Security Guide.

The new Oracle Internet Directory audit framework has the following advantages:

  • It uses the same record format as other Oracle Application Server components.

  • Records are stored in Oracle Database tables for better performance and security.

  • Records can be stored in Audit Vault for increased security.

  • As administrator, you can configure the type of information captured in the audit records by using Enterprise Manager.

  • Configuration changes are effective immediately.

  • An administrator can view audit records:

    • In Enterprise Manager

    • In summary reports based on XML Publisher

All audit configuration performed by the instance administrator is audited. This cannot be disabled.

See Also:

Oracle Fusion Middleware Application Security Guide for information about configuring the audit repository and audit filters.

23.1.1 Configuring the Audit Store

You must configure an audit store to ensure that audit records are saved in a database. See the "Configuring and Managing Auditing" chapter in Oracle Fusion Middleware Application Security Guide for complete coverage of Audit Administration Tasks, including:

  • Managing the Audit Store

  • Advanced Management of Database Store

23.1.2 Oracle Internet Directory Audit Configuration

Audit configuration for Oracle Internet Directory consists of three attributes of the instance-specific entry:

cn=componentname,cn=osdldapd,cn=subconfigsubentry

Table 23-1 describes these attributes.

Table 23-1 Oracle Internet Directory Audit Configuration Attributes

  • orclAudFilterPreset: Presets are None, Low, Medium, All, and Custom, where Low specifies Account Management, Change Password and ModifyDataItemAttributes events and Medium specifies all events in Low plus Failed authentication events.

  • orclAudCustEvents: A comma-separated list of events and category names to be audited. Examples include:

      Authentication.SUCCESSESONLY,
      Authorization(Permission -eq "CSFPermission")

    Custom events are only applicable when orclAudFilterPreset is Custom.

  • orclAudSplUsers: A comma-separated list of users for whom auditing is always enabled, even if orclAudFilterPreset is None. For example: cn=orcladmin

For more information, see the Oracle Fusion Middleware Application Security Guide.

23.1.3 Replication and Oracle Directory Integration Platform Audit Configuration

Replication and Oracle Directory Integration Platform auditing can be enabled by changing the value of the attribute orclextconfflag in the instance-specific configuration entry. The default value is 3, which disables both replication and Oracle Directory Integration Platform auditing. To enable both, change it to 7. This is the only change you can make to orclextconfflag, which is otherwise an internal attribute.

See Section 23.4.3, "Enabling Replication and Oracle Directory Integration Platform Auditing."

23.1.4 Audit Record Fields

Audit records contain the following fields:

  • Event category–the class of event, such as authentication or authorization.

  • Event name

  • Initiator–the user who initiates the operation

  • Status–success or failure

  • Authentication method

  • Session ID–Connection ID

  • Target–the user on whom the operation is performed

  • Event date and time

  • Remote IP–source IP address of client

  • Component type–OID

  • ECID

  • Resource–entry or attribute on which operation is performed.

23.1.5 Audit Record Storage

Audit information is held temporarily in a location called a busstop before it is written to its final location.

The busstop file is in the directory ORACLE_INSTANCE/auditlogs/componentType/componentName.

Audit records are permanently stored in either XML files or a database. XML files are the default storage mechanism for audit records. There is one XML repository for each Oracle instance. Audit records generated for all components running in a given Oracle instance are stored in the same repository. If using a database repository, audit records generated by all components in all Oracle instances in the domain are stored in the same repository.

23.1.6 Generating Audit Reports

See the Oracle Fusion Middleware Application Security Guide chapter on audit analysis and reporting for information about generating audit reports. There are Oracle Internet Directory examples in the "Configuring and Managing Auditing" chapter of the Oracle Fusion Middleware Application Security Guide.

23.2 Managing Auditing by Using Fusion Middleware Control

The Oracle Fusion Middleware Audit Framework, which was introduced in 11g Release 1 (11.1.1), provides a centralized audit framework for Oracle middleware products, including system components such as Oracle Internet Directory.

You can use Oracle Enterprise Manager Fusion Middleware Control to manage auditing. The interface is basically the same for all Oracle Fusion Middleware components, as documented in the Oracle Fusion Middleware Application Security Guide.

To manage Oracle Internet Directory auditing:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control.

  2. From the Oracle Internet Directory menu, select Security, then Audit Policy Settings.

  3. From the Audit Policy list, select Custom to configure your own filters, or one of the filter presets, None, Low, or Medium. (You cannot set All from Fusion Middleware Control.)

  4. If you want to audit only failures, click Select Failures Only. (You can only do this if you selected Custom in the previous step.)

  5. To configure a filter, click the Edit icon next to its name. The Edit Filter dialog for the filter appears.

  6. Specify the filter condition using the buttons, selections from the menus, and strings that you enter. Condition subjects include HostID, HostNwaddr, InitiatorDN, TargetDN, Initiator, Remote IP, and Roles. Condition tests include -contains, -contains_case, -endswith, -endswith_case, -eq, -ne, -startswith, and -startswith_case. Enter values for the tests as strings. Parentheses are used for grouping and AND and OR for combining.

  7. To add a condition, click the Add icon.

  8. When you have completed the filter, click Apply to save the changes or Revert to discard the changes.

Oracle Internet Directory stores its audit configuration in the three instance-specific configuration entry attributes described in Table 23-1, "Oracle Internet Directory Audit Configuration Attributes". The correspondence between the fields on the Audit Policy Page and the attributes is shown in Table 23-2.

Table 23-2 Audit Configuration Attributes in Fusion Middleware Control

  • Audit Policy: orclAudFilterPreset

  • Name, Select Failures Only, Enable Audit, Filter: orclAudCustEvents

  • Users to always audit: orclAudSplUsers


23.2.1 Auditing Oracle Internet Directory Sensitive Data Attributes

Using the Oracle Fusion Middleware Audit Framework, you can define a custom Oracle Internet Directory audit policy to monitor the attributes associated with sensitive data such as access control, user credentials, and configuration.

For example, to audit changes to access control policy points (ACPs), you can configure an audit policy to capture the ModifyDataItemAttributes event type for attributes such as orclaci and orclentrylevelaci.

The ModifyDataItemAttributes event type is generated by ldapmodify operations. The initiator attribute for this event is the DN of the user performing the LDAP operation, and the resource attribute is the DN of the entry whose attribute is modified.

By capturing the ModifyDataItemAttributes event type, you can monitor all ACP changes to attributes. For example, you can determine if any changes are made to the orclaci and orclentrylevelaci attributes.

To create an audit policy to monitor changes to the orclaci and orclentrylevelaci attributes:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control.

  2. In the left panel, right-click the Oracle Internet Directory instance you want to audit, for example, oid1.

  3. From the Oracle Internet Directory component menu, navigate to Security and then Audit Policy. The Audit Policy Settings page appears.

  4. From the drop-down list for Audit Level, select Custom.

  5. Check Enable Audit for the DataAccess event category and the ModifyDataItemAttributes event type.

  6. Depending on whether you want to audit successful or failing changes (or both), click the appropriate check box in the Enable Audit column.

  7. To add a filter for the audit policy, click the Edit Filter pencil icon and then configure the filter:

    1. Set the Condition to Resource.

    2. Set the operator to -eq.

    3. Specify the Resource attribute as orclaci.

    4. Click the Add icon. Your filter should be:

      Resource -eq "orclaci"
      
    5. To add the orclentrylevelaci attribute to the filter, click OR, define a new condition (Resource, -eq, orclentrylevelaci), and then click Add. Your filter should now be:

      Resource -eq "orclaci" -or Resource -eq "orclentrylevelaci"
      
  8. Click Apply to save the audit policy (or Revert to discard it).

If required by your deployment, you can add other attributes to this policy, or create other policies to audit attributes, operations, and activities. For more information, see "Manage Audit Policies for System Components with Fusion Middleware Control" in the Oracle Fusion Middleware Application Security Guide.
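The filter syntax used in the two procedures above (a subject such as Resource or Remote IP, an operator such as -eq or -contains, a quoted value, combined with -and and -or and grouped with parentheses) can be checked offline before the policy is applied. The following Python script is an added example; it is not part of the Oracle documentation or the product. It parses a filter string in that syntax and evaluates it against constructed audit records whose field names follow Section 23.1.4. Three details are assumptions, because the chapter does not specify them: -and binds tighter than -or, operators without the _case suffix compare case-insensitively, and a list-valued field such as Roles matches when any element matches.

```python
"""Evaluate Oracle audit-policy filter conditions against records (added example).
Assumptions not stated in the chapter: -and binds tighter than -or, operators
without a _case suffix compare case-insensitively, and a list-valued field
such as Roles matches when any element matches."""
import re
from typing import Any, Dict, List

# Tokens: a double-quoted value, a parenthesis, or a bare word (subject, operator, -and/-or)
_TOKEN = re.compile(r'"([^"]*)"|([()])|([^\s()"]+)')
# Base comparison tests; the _case variants reuse them without lower-casing
_OPS = {"-eq": lambda a, b: a == b, "-ne": lambda a, b: a != b,
        "-contains": lambda a, b: b in a, "-startswith": lambda a, b: a.startswith(b),
        "-endswith": lambda a, b: a.endswith(b)}

def tokenize(text: str):
    out = []
    for m in _TOKEN.finditer(text):
        kind = "STR" if m.group(1) is not None else "PAREN" if m.group(2) else "WORD"
        out.append((kind, m.group(1) if kind == "STR" else m.group(0)))
    return out

def _normalize(op: str):
    # Split '-contains_case' into ('-contains', True); reject unknown operators
    name = op.lower()
    case_sensitive = name.endswith("_case")
    base = name[:-5] if case_sensitive else name
    if base not in _OPS:
        raise ValueError("unknown operator: %s" % op)
    return base, case_sensitive

def apply_op(op: str, field_value: str, literal: str) -> bool:
    base, case_sensitive = _normalize(op)
    if not case_sensitive:
        field_value, literal = field_value.lower(), literal.lower()
    return _OPS[base](field_value, literal)

class FilterParser:
    # Recursive descent producing ('or'|'and', left, right) and ('cond', subject, op, value) nodes
    def __init__(self, text: str):
        self.toks, self.pos = tokenize(text), 0
    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def _take(self):
        self.pos += 1
        return self.toks[self.pos - 1]
    def _keyword(self, word: str) -> bool:
        tok = self._peek()
        return tok is not None and tok[0] == "WORD" and tok[1].lower().lstrip("-") == word
    def parse(self):
        node = self._binary("or")
        if self._peek() is not None:
            raise ValueError("unexpected token %r" % self._peek()[1])
        return node
    def _binary(self, word: str):
        # The "or" level parses "and" operands, so -and binds tighter than -or
        operand = (lambda: self._binary("and")) if word == "or" else self._factor
        node = operand()
        while self._keyword(word):
            self._take()
            node = (word, node, operand())
        return node
    def _factor(self):
        tok = self._peek()
        if tok == ("PAREN", "("):
            self._take()
            node = self._binary("or")
            if self._peek() != ("PAREN", ")"):
                raise ValueError("missing closing parenthesis")
            self._take()
            return node
        words = []  # subject names may contain spaces, e.g. "Remote IP"
        while self._peek() is not None and self._peek()[0] == "WORD" and not self._peek()[1].startswith("-"):
            words.append(self._take()[1])
        op = self._peek()
        if not words or op is None or op[0] != "WORD" or not op[1].startswith("-"):
            raise ValueError("expected 'Subject -operator \"value\"' near %r" % (tok,))
        _normalize(self._take()[1])
        val = self._peek()
        if val is None or val[0] == "PAREN":
            raise ValueError("expected a value after %s" % op[1])
        self._take()
        return ("cond", " ".join(words), op[1], val[1])

def evaluate(node, record: Dict[str, Any]) -> bool:
    if node[0] == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    if node[0] == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    _, subject, op, literal = node
    value = record.get(subject, "")
    values = value if isinstance(value, list) else [value]
    return any(apply_op(op, str(v), literal) for v in values)

def select_matching(filter_text: str, records: List[Dict[str, Any]]):
    """Return the records that an audit filter would select."""
    ast = FilterParser(filter_text).parse()
    return [r for r in records if evaluate(ast, r)]

# Constructed sample records; field names follow Section 23.1.4
SAMPLE_RECORDS = [
    {"Initiator": "cn=orcladmin", "Resource": "orclaci", "Remote IP": "10.0.0.5", "Roles": ["admin"]},
    {"Initiator": "cn=jdoe,cn=users,dc=example,dc=com", "Resource": "orclentrylevelaci", "Remote IP": "10.0.1.9", "Roles": []},
    {"Initiator": "cn=jdoe,cn=users,dc=example,dc=com", "Resource": "userpassword", "Remote IP": "192.168.4.2", "Roles": ["users"]},
]
ACP_FILTER = 'Resource -eq "orclaci" -or Resource -eq "orclentrylevelaci"'  # the Section 23.2.1 filter
```

Running `select_matching(ACP_FILTER, SAMPLE_RECORDS)` returns the first two constructed records (the ACP attribute changes) and leaves the userpassword change out; a filter that is syntactically wrong, such as a missing value, raises ValueError at parse time rather than silently matching nothing, which is the behaviour you want before a policy is saved.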

23.3 Managing Auditing by Using WLST

You can use WLST to manage auditing, as described in "Manage Audit Policies with WLST" in the Oracle Fusion Middleware Application Security Guide. You use the commands getAuditPolicy(), setAuditPolicy(), and listAuditEvents().

For components that manage their audit policy locally, such as Oracle Internet Directory, you must include an MBean name as an argument to the command. The name for an Audit MBean is of the form:

oracle.as.management.mbeans.register:type=component.auditconfig,name=auditconfig1,instance=INSTANCE,component=COMPONENT_NAME

For example:

oracle.as.management.mbeans.register:type=component.auditconfig,name=auditconfig1,instance=instance1,component=oid1

Another WLST command you must use is invoke(). As described in Section 9.3, "Managing System Configuration Attributes by Using WLST," before you make any changes to attributes, you must ensure that the MBean has the current server configuration. To do that, you must use the invoke() command to load the configuration from the Oracle Internet Directory server to the MBean. After making changes, you must use the invoke() command to save the MBean configuration to the Oracle Internet Directory server. In order to use invoke() in this way, you must navigate to the Root Proxy MBean in the tree. The name for a Root Proxy MBean is of the form:

oracle.as.management.mbeans.register:type=component,name=COMPONENT_NAME,instance=INSTANCE

For example:

oracle.as.management.mbeans.register:type=component,name=oid1,instance=instance1

Here is an example of a WLST session using setAuditPolicy() and invoke():

# Start WLST (shell prompt)
ORACLE_COMMON_HOME/common/bin/wlst.sh

# Connect to the WebLogic Administration Server
connect('username', 'password', 'protocol://localhost:7001')
# Switch to the custom MBean tree and navigate to the Root Proxy MBean for oid1
custom()
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=oid1,instance=instance1')
# Load the current server configuration into the MBean before changing anything
invoke('load',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))
# Set the audit filter preset on the Audit MBean (the 'on' argument is a single string)
setAuditPolicy(filterPreset='None',
  on='oracle.as.management.mbeans.register:type=component.auditconfig,'
     'name=auditconfig1,instance=instance1,component=oid1')
# Save the MBean configuration back to the Oracle Internet Directory server
invoke('save',jarray.array([],java.lang.Object),jarray.array([],java.lang.String))

23.4 Managing Auditing from the Command Line

You can manage auditing by using LDAP tools.

23.4.1 Viewing Audit Configuration from the Command Line

You can use ldapsearch to view audit configuration. For example:

ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \
  -b "cn=oid1,cn=osdldapd,cn=subconfigsubentry" \
  -s base "objectclass=*" > /tmp/oid1-config.txt
grep orclaud /tmp/oid1-config.txt
orclaudsplusers=cn=orcladmin
orclaudcustevents=UserLogin.FAILURESONLY, UserLogout, CheckAuthorization, 
 ModifyDataItemAttributes, CompareDataItemAttributes, ChangePassword.FAILURESONLY
orclaudfilterpreset=custom

23.4.2 Configuring Oracle Internet Directory Auditing from the Command Line

You can use ldapmodify commands to manage auditing. You must create an LDIF file to make the required changes to the attributes orclAudFilterPreset, orclAudCustEvents, and orclAudSplUsers.

The command is:

ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile

For example, to enable auditing for user login events only, use this LDIF file with the preceding ldapmodify command:

dn: cn=componentname,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclaudFilterPreset
orclaudFilterPreset: Custom
-
replace: orclaudcustevents
orclaudcustevents: UserLogin
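Before pushing an LDIF change, it is worth checking the instance's current configuration against the rules stated in Table 23-1 and Section 23.1.3: orclAudCustEvents is honored only when orclAudFilterPreset is Custom, event names may carry a SUCCESSESONLY or FAILURESONLY qualifier, orclAudSplUsers holds DNs, and orclextconfflag is either 3 or 7. The following Python script is an added example, not Oracle's code. It parses the attribute=value lines that the ldapsearch command in Section 23.4.1 returns (the embedded sample output is constructed, and includes orclextconfflag even though `grep orclaud` would not show it), validates them, and generates the LDIF for ldapmodify. The AuditConfig class and the function names are this example's own.

```python
"""Parse, validate and emit Oracle Internet Directory audit configuration.

Added example (not Oracle's code). It reads the attribute=value lines that
ldapsearch returns for the instance-specific entry, applies the rules stated
in this chapter, and builds the LDIF used with ldapmodify.
"""
from dataclasses import dataclass, field
from typing import List

PRESETS = ("none", "low", "medium", "all", "custom")
EVENT_SUFFIXES = ("SUCCESSESONLY", "FAILURESONLY")

# Constructed sample of ldapsearch output for cn=oid1; wrapped lines start with a space
SAMPLE_SEARCH_OUTPUT = """\
orclaudsplusers=cn=orcladmin
orclaudcustevents=UserLogin.FAILURESONLY, UserLogout, CheckAuthorization,
 ModifyDataItemAttributes, CompareDataItemAttributes, ChangePassword.FAILURESONLY
orclaudfilterpreset=custom
orclextconfflag=3
"""


@dataclass
class AuditConfig:
    preset: str = "none"
    custom_events: List[str] = field(default_factory=list)
    special_users: List[str] = field(default_factory=list)
    extconfflag: int = 3  # 3 = replication/DIP auditing off, 7 = on (Section 23.1.3)


def _split_list(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_search_output(text: str) -> AuditConfig:
    """Fold wrapped lines, then pick out the audit-related attributes."""
    folded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and folded:
            folded[-1] += line[1:]
        elif line.strip():
            folded.append(line)
    cfg = AuditConfig()
    for line in folded:
        name, _, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        if name == "orclaudfilterpreset":
            cfg.preset = value.lower()
        elif name == "orclaudcustevents":
            cfg.custom_events = _split_list(value)
        elif name == "orclaudsplusers":
            cfg.special_users = _split_list(value)
        elif name == "orclextconfflag":
            cfg.extconfflag = int(value)
    return cfg


def validate(cfg: AuditConfig) -> List[str]:
    """Return a list of problems; an empty list means the configuration is consistent."""
    problems = []
    if cfg.preset not in PRESETS:
        problems.append("unknown orclAudFilterPreset %r" % cfg.preset)
    if cfg.custom_events and cfg.preset != "custom":
        problems.append("orclAudCustEvents is only applied when orclAudFilterPreset is Custom")
    if cfg.preset == "custom" and not cfg.custom_events:
        problems.append("Custom preset selected but orclAudCustEvents is empty")
    for event in cfg.custom_events:
        _, dot, suffix = event.partition(".")
        if dot and suffix.upper() not in EVENT_SUFFIXES:
            problems.append("unknown event qualifier in %r" % event)
    for user in cfg.special_users:
        if "=" not in user:
            problems.append("orclAudSplUsers entry %r is not a DN" % user)
    if cfg.extconfflag not in (3, 7):
        problems.append("orclextconfflag should be 3 or 7, found %d" % cfg.extconfflag)
    return problems


def replication_dip_auditing_enabled(cfg: AuditConfig) -> bool:
    return cfg.extconfflag == 7


def to_ldif(cfg: AuditConfig, component: str) -> str:
    """LDIF that replaces the three orclAud* attributes, as in Section 23.4.2."""
    lines = [
        "dn: cn=%s,cn=osdldapd,cn=subconfigsubentry" % component,
        "changetype: modify",
        "replace: orclAudFilterPreset",
        "orclAudFilterPreset: %s" % cfg.preset.capitalize(),
    ]
    if cfg.preset == "custom":
        lines += ["-", "replace: orclAudCustEvents",
                  "orclAudCustEvents: %s" % ", ".join(cfg.custom_events)]
    if cfg.special_users:
        lines += ["-", "replace: orclAudSplUsers",
                  "orclAudSplUsers: %s" % ", ".join(cfg.special_users)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    current = parse_search_output(SAMPLE_SEARCH_OUTPUT)
    print("problems:", validate(current) or "none")
    print(to_ldif(current, "oid1"))
```

Feed the script the real file written by ldapsearch instead of the embedded sample to check a live instance; the LDIF it emits is then applied with the ldapmodify command shown above. Custom event entries that embed a filter, such as `Authorization(Permission -eq "CSFPermission")`, pass through as a single item as long as they contain no comma.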

For more information, see the Oracle Fusion Middleware Application Security Guide.

23.4.3 Enabling Replication and Oracle Directory Integration Platform Auditing

The following LDIF file enables both replication and Oracle Directory Integration Platform auditing.

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclextconfflag
orclextconfflag: 7

The following LDIF file disables both:

dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclextconfflag
orclextconfflag: 3

Use a command line similar to this:

ldapmodify -h host -p port -D "cn=orcladmin" -q -f ldiffile