This chapter describes how to manage auditing for information specific to Oracle Internet Directory using Oracle Enterprise Manager Fusion Middleware Control, Oracle WebLogic Scripting Tool (WLST), and LDAP command-line utilities.
For more information about audit administration tasks, see the Oracle Fusion Middleware Application Security Guide.
This chapter includes the following sections:
This introduction contains the following topics:
Section 23.1.2, "Oracle Internet Directory Audit Configuration"
Section 23.1.3, "Replication and Oracle Directory Integration Platform Audit Configuration"
Auditing is the process that collects and stores information about security requests and the outcome of those requests, thus providing an electronic trail of selected system activity for non-repudiation purposes. Auditing can be configured to track particular security events and management operations based on specific audit criteria. Audit records are kept in a centralized repository (LDAP, database, or file) that allows the creation, viewing, and storage of audit reports.

As of 11g Release 1 (11.1.1), Oracle Internet Directory uses an audit framework that is integrated with Oracle Fusion Middleware, and it uses this framework to audit its critical security-related operations. The features of the framework are:
APIs for collecting audit information from AS components
Common audit record format to be used by all AS components
Audit repository database that collects audit records produced by components in the enterprise. (You can also use Oracle Audit Vault as the repository.)
Administrative interface for controlling the type of information captured by the audit facility.
Before reading this chapter, please read the auditing chapters in the Oracle Fusion Middleware Application Security Guide.
The new Oracle Internet Directory audit framework has the following advantages:
It uses the same record format as other Oracle Application Server components.
Records are stored in Oracle Database tables for better performance and security.
Records can be stored in Audit Vault for increased security.
As administrator, you can configure the type of information captured in the audit records by using Enterprise Manager.
Configuration changes are effective immediately.
An administrator can view audit records:
In Enterprise Manager
In summary reports based on XML Publisher
All audit configuration performed by the instance administrator is audited. This cannot be disabled.
See Also:
Oracle Fusion Middleware Application Security Guide for information about configuring the audit repository and audit filters.

You must configure an audit store to ensure that audit records are saved in a database. See the "Configuring and Managing Auditing" chapter in Oracle Fusion Middleware Application Security Guide for complete coverage of audit administration tasks, including:
Managing the Audit Store
Advanced Management of Database Store
Audit configuration for Oracle Internet Directory consists of three attributes of the instance-specific entry:
cn=componentname,cn=osdldapd,cn=subconfigsubentry
Table 23-1 describes these attributes.

Table 23-1 Oracle Internet Directory Audit Configuration Attributes

| Attribute | Description |
|---|---|
| orclAudFilterPreset | The audit policy preset. Presets are None, Low, Medium, All, and Custom. |
| orclAudCustEvents | A comma-separated list of events and category names to be audited, each optionally qualified or filtered. Examples include Authentication.SUCCESSESONLY and Authorization(Permission -eq 'CSFPermission'). Custom events are only applicable when orclAudFilterPreset is Custom. |
| orclAudSplUsers | A comma-separated list of users for whom auditing is always enabled, whatever the preset, for example cn=orcladmin. |
For more information, see the Oracle Fusion Middleware Application Security Guide.
Replication and Oracle Directory Integration Platform auditing can be enabled by changing the value of the attribute orclextconfflag in the instance-specific configuration entry. The default value is 3, which disables both replication and Oracle Directory Integration Platform auditing. To enable both, change it to 7. This is the only change you can make to orclextconfflag, which is otherwise an internal attribute.
See Section 23.4.3, "Enabling Replication and Oracle Directory Integration Platform Auditing."
Audit records contain the following fields:
Event category–the class of event, such as authentication or authorization.
Event name
Initiator–the user who initiates the operation
Status–success or failure
Authentication method
Session ID–Connection ID
Target–the user on whom the operation is performed
Event date and time
Remote IP–source IP address of client
Component type–OID
ECID
Resource–entry or attribute on which operation is performed.
Audit information is held temporarily in a location called a busstop before it is written to its final location. The busstop file is in the directory ORACLE_INSTANCE/auditlogs/componentType/componentName.
Audit records are permanently stored in either XML files or a database. XML files are the default storage mechanism. There is one XML repository for each Oracle instance; audit records generated by all components running in a given Oracle instance are stored in the same repository. If you use a database repository, audit records generated by all components in all Oracle instances in the domain are stored in the same repository.
See the Oracle Fusion Middleware Application Security Guide chapter on audit analysis and reporting for information about generating audit reports. There are Oracle Internet Directory examples in the "Configuring and Managing Auditing" chapter of that guide.
The Oracle Fusion Middleware Audit Framework, which was introduced in 11g Release 1 (11.1.1), provides a centralized audit framework for Oracle middleware products, including system components such as Oracle Internet Directory.
You can use Oracle Enterprise Manager Fusion Middleware Control to manage auditing. The interface is basically the same for all Oracle Fusion Middleware components, as documented in the Oracle Fusion Middleware Application Security Guide.
To manage Oracle Internet Directory auditing:
Log in to Oracle Enterprise Manager Fusion Middleware Control.
From the Oracle Internet Directory menu, select Security, then Audit Policy Settings.
From the Audit Policy list, select Custom to configure your own filters, or one of the filter presets: None, Low, or Medium. (You cannot set All from Fusion Middleware Control.)
If you want to audit only failures, click Select Failures Only. (You can only do this if you selected Custom in the previous step.)
To configure a filter, click the Edit icon next to its name. The Edit Filter dialog for the filter appears.
Specify the filter condition using the buttons, selections from the menus, and strings that you enter. Condition subjects include HostID, HostNwaddr, InitiatorDN, TargetDN, Initiator, Remote IP, and Roles. Condition tests include -contains, -contains_case, -endswith, -endswith_case, -eq, -ne, -startswith, and -startswith_case. Enter values for the tests as strings. Parentheses are used for grouping, and AND and OR for combining conditions.
To add a condition, click the Add icon.
When you have completed the filter, click Apply to save the changes or Revert to discard the changes.
Oracle Internet Directory stores its audit configuration in the three instance-specific configuration entry attributes described in Table 23-1, "Oracle Internet Directory Audit Configuration Attributes". The correspondence between the fields on the Audit Policy Page and the attributes is shown in Table 23-2.
Table 23-2 Audit Configuration Attributes in Fusion Middleware Control

| Field or Heading | Configuration attribute |
|---|---|
| Audit Policy | orclAudFilterPreset |
| Name, Select Failures Only, Enable Audit, Filter | orclAudCustEvents |
| Users to always audit | orclAudSplUsers |
Using the Oracle Fusion Middleware Audit Framework, you can define a custom Oracle Internet Directory audit policy to monitor the attributes associated with sensitive data such as access control, user credentials, and configuration.
For example, to audit changes to access control policy points (ACPs), you can configure an audit policy to capture the ModifyDataItemAttributes event type for attributes such as orclaci and orclentrylevelaci.

The ModifyDataItemAttributes event type is generated by ldapmodify operations. The initiator attribute for this event is the DN of the user performing the LDAP operation, and the resource attribute is the entry DN of the LDAP attribute on which the operation is performed.

By capturing the ModifyDataItemAttributes event type and filtering on the orclaci and orclentrylevelaci attributes, you can detect every change made to an ACP.
To create an audit policy to monitor changes to the orclaci and orclentrylevelaci attributes:
Log in to Oracle Enterprise Manager Fusion Middleware Control.
In the left panel, right-click the Oracle Internet Directory instance you want to audit. For example: oid1
From the Oracle Internet Directory component menu, navigate to Security and then Audit Policy. The Audit Policy Settings page appears.
From the drop-down list for Audit Level, select Custom.
Check Enable Audit for the DataAccess event category and the ModifyDataItemAttributes event type.
Depending on whether you want to audit successful or failing changes (or both), click the appropriate check box in the Enable Audit column.
To add a filter for the audit policy, click the Edit Filter pencil icon and then configure the filter:
Set the Condition to Resource.
Set the operator to -eq.
Specify the Resource attribute as orclaci.
Click the Add icon. Your filter should be:
Resource -eq "orclaci"
To add the orclentrylevelaci attribute to the filter, click OR, define a new condition (Resource, -eq, orclentrylevelaci), and then click Add. Your filter should now be:
Resource -eq "orclaci" -or Resource -eq "orclentrylevelaci"
Click Apply to save the audit policy (or Revert to discard it).
If required by your deployment, you can add other attributes to this policy, or create other policies to audit attributes, operations, and activities. For more information, see "Manage Audit Policies for System Components with Fusion Middleware Control" in the Oracle Fusion Middleware Application Security Guide.
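To dry-run a filter such as the one just built before applying it, the following Python script is an added example; it is not Oracle's code and does not ship with Oracle Internet Directory. It parses conditions in the syntax the Audit Policy page shows, Subject -op "value" joined with -and and -or and grouped with parentheses, and evaluates them against constructed ModifyDataItemAttributes records that use the field names listed earlier in this chapter. Three points are assumptions rather than behaviour documented on this page: the plain operators compare case-insensitively while the _case variants are case-sensitive, -and binds tighter than -or, and a record that lacks the subject field does not match.

```python
"""Dry-run Oracle Fusion Middleware audit filter conditions against audit records.

Added example: not code from the Oracle documentation or from OID. It models
the filter syntax shown in this chapter (Subject -op "value", parentheses,
-and / -or) so a policy can be tested before it is applied. ASSUMPTIONS not
stated on this page: plain operators compare case-insensitively and the
*_case variants case-sensitively; -and binds tighter than -or; a record that
lacks the subject field never matches.
"""
import re
from typing import Dict, List, Tuple

OPERATORS = {"-eq", "-ne", "-contains", "-contains_case", "-startswith",
             "-startswith_case", "-endswith", "-endswith_case"}
_WORD = r"[A-Za-z_][A-Za-z0-9_]*"
# Tokens: parentheses, double-quoted values, -operators/-combinators, bare words.
_TOKEN = re.compile(r'\(|\)|"(?:[^"\\]|\\.)*"|-[A-Za-z_]+|' + _WORD)


def tokenize(expr: str) -> List[str]:
    """Split a filter into tokens, rejecting anything the grammar does not know."""
    tokens, pos = [], 0
    for m in _TOKEN.finditer(expr):
        if expr[pos:m.start()].strip():
            raise ValueError(f"unexpected text {expr[pos:m.start()]!r}")
        tokens.append(m.group())
        pos = m.end()
    if expr[pos:].strip():
        raise ValueError(f"unexpected text {expr[pos:]!r}")
    return tokens


class _Parser:
    """or_expr := and_expr (-or and_expr)* ; and_expr := term (-and term)* ;
    term := '(' or_expr ')' | SUBJECT-WORDS OPERATOR "VALUE"."""

    def __init__(self, tokens: List[str]):
        self.toks, self.i = tokens, 0

    def peek(self) -> str:
        return self.toks[self.i] if self.i < len(self.toks) else ""

    def take(self) -> str:
        if not self.peek():
            raise ValueError("unexpected end of filter")
        self.i += 1
        return self.toks[self.i - 1]

    def parse(self) -> Tuple:
        tree = self.or_expr()
        if self.peek():
            raise ValueError(f"unexpected token {self.peek()!r}")
        return tree

    def or_expr(self) -> Tuple:
        node = self.and_expr()
        while self.peek().lower() == "-or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self) -> Tuple:
        node = self.term()
        while self.peek().lower() == "-and":
            self.take()
            node = ("and", node, self.term())
        return node

    def term(self) -> Tuple:
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        words = []  # the subject may span several words, e.g. Remote IP
        while re.fullmatch(_WORD, self.peek()):
            words.append(self.take())
        if not words:
            raise ValueError(f"expected condition subject, got {self.peek()!r}")
        op = self.take().lower()
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        value = self.take()
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            raise ValueError("condition value must be double-quoted")
        return ("cond", " ".join(words), op, value[1:-1])


def _compare(op: str, actual: str, expected: str) -> bool:
    if op.endswith("_case"):          # ASSUMPTION: _case variants are case-sensitive
        op = op[:-5]
    else:
        actual, expected = actual.lower(), expected.lower()
    return {"-eq": actual == expected, "-ne": actual != expected,
            "-contains": expected in actual,
            "-startswith": actual.startswith(expected),
            "-endswith": actual.endswith(expected)}[op]


def _evaluate(node: Tuple, record: Dict[str, str]) -> bool:
    if node[0] == "or":
        return _evaluate(node[1], record) or _evaluate(node[2], record)
    if node[0] == "and":
        return _evaluate(node[1], record) and _evaluate(node[2], record)
    _, subject, op, expected = node
    if subject not in record:
        return False                  # ASSUMPTION: an absent field never matches
    return _compare(op, str(record[subject]), expected)


def match(filter_expr: str, record: Dict[str, str]) -> bool:
    """True if one audit record satisfies the filter."""
    return _evaluate(_Parser(tokenize(filter_expr)).parse(), record)


def select(filter_expr: str, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The records a policy with this filter would write to the audit trail."""
    tree = _Parser(tokenize(filter_expr)).parse()
    return [r for r in records if _evaluate(tree, r)]


# Constructed ModifyDataItemAttributes records (field names from this chapter).
SAMPLE_RECORDS = [
    {"Initiator": "cn=orcladmin", "Resource": "orclaci",
     "TargetDN": "ou=People,dc=example,dc=com", "Remote IP": "10.0.0.5"},
    {"Initiator": "cn=jdoe,ou=People,dc=example,dc=com", "Resource": "orclentrylevelaci",
     "TargetDN": "cn=app1,ou=Apps,dc=example,dc=com", "Remote IP": "192.0.2.17"},
    {"Initiator": "cn=jdoe,ou=People,dc=example,dc=com", "Resource": "userPassword",
     "TargetDN": "cn=jdoe,ou=People,dc=example,dc=com", "Remote IP": "192.0.2.17"},
]
ACP_FILTER = 'Resource -eq "orclaci" -or Resource -eq "orclentrylevelaci"'

if __name__ == "__main__":
    for rec in select(ACP_FILTER, SAMPLE_RECORDS):
        print(f"ACP change: {rec['Initiator']} modified {rec['Resource']} on {rec['TargetDN']}")
```

Run as a script, it reports the two ACP changes and ignores the userPassword modification. Because the policy in Fusion Middleware Control is built from the same condition pieces, the same string can be pasted into the Edit Filter dialog once the dry run selects exactly the records you expect.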
You can use wlst to manage auditing, as described in "Manage Audit Policies with WLST" in the Oracle Fusion Middleware Application Security Guide. You use the commands getAuditPolicy(), setAuditPolicy(), and listAuditEvents().
For components that manage their audit policy locally, such as Oracle Internet Directory, you must include an MBean name as an argument to the command. The name of an Audit MBean is of the form:
oracle.as.management.mbeans.register:type=component.auditconfig,name=auditconfig1,instance=INSTANCE,component=COMPONENT_NAME
For example:
oracle.as.management.mbeans.register:type=component.auditconfig,name=auditconfig1,instance=instance1,component=oid1
Another wlst command you must use is invoke(). As described in Section 9.3, "Managing System Configuration Attributes by Using WLST," before you make any changes to attributes, you must ensure that the MBean has the current server configuration. To do that, use invoke() with the load operation to load the configuration from the Oracle Internet Directory server into the MBean. After making changes, use invoke() with the save operation to write the MBean configuration back to the Oracle Internet Directory server. To use invoke() in this way, you must navigate to the Root Proxy MBean in the tree. The name of a Root Proxy MBean is of the form:
oracle.as.management.mbeans.register:type=component,name=COMPONENT_NAME,instance=INSTANCE
For example:
oracle.as.management.mbeans.register:type=component,name=oid1,instance=instance1
Here is an example of a wlst session using setAuditPolicy() and invoke():

```
ORACLE_COMMON_HOME/common/bin/wlst.sh
connect('username', 'password', 't3://localhost:7001')
import jarray
import java.lang
custom()
cd('oracle.as.management.mbeans.register')
cd('oracle.as.management.mbeans.register:type=component,name=oid1,instance=instance1')
# Load the current server configuration into the MBean before changing anything.
invoke('load', jarray.array([], java.lang.Object), jarray.array([], java.lang.String))
setAuditPolicy(filterPreset='None', on='oracle.as.management.mbeans.register:type=component.auditconfig,name=auditconfig1,instance=instance1,component=oid1')
# Write the modified MBean configuration back to the Oracle Internet Directory server.
invoke('save', jarray.array([], java.lang.Object), jarray.array([], java.lang.String))
```
You can manage auditing by using LDAP tools.

You can use ldapsearch to view the audit configuration. For example:

```
ldapsearch -p 3060 -h myhost.example.com -D cn=orcladmin -q \
  -b "cn=oid1,cn=osdldapd,cn=subconfigsubentry" \
  -s base "objectclass=*" > /tmp/oid1-config.txt
grep orclaud /tmp/oid1-config.txt
orclaudsplusers=cn=orcladmin
orclaudcustevents=UserLogin.FAILURESONLY, UserLogout, CheckAuthorization, ModifyDataItemAttributes, CompareDataItemAttributes, ChangePassword.FAILURESONLY
orclaudfilterpreset=custom
```
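The dump above can be checked without opening Fusion Middleware Control. The following Python script is an added example, not Oracle's code: it parses the attribute=value lines that Oracle's ldapsearch prints and reports gaps against a baseline covering the three Table 23-1 attributes and the orclextconfflag value from Section 23.1.3. The baseline itself (ACP and password changes audited, cn=orcladmin always audited, replication and DIP auditing enabled) is this editor's illustrative choice, not an Oracle recommendation. The dump it reads is constructed, and two details are assumptions: the event list is split on commas that are not inside parentheses, and an event name without a .SUCCESSESONLY or .FAILURESONLY qualifier is taken to audit both outcomes.

```python
"""Sanity-check an Oracle Internet Directory audit configuration dump.

Added example, not code from the Oracle documentation. It parses the
attribute=value lines printed by Oracle's ldapsearch (see the listing
above) and checks the three Table 23-1 attributes plus orclextconfflag.
The baseline it enforces is illustrative, not an Oracle recommendation.
"""
from typing import Dict, List

# Constructed dump: what `grep -i -e orclaud -e orclextconfflag /tmp/oid1-config.txt`
# could return for an instance configured as in this chapter.
SAMPLE_DUMP = """\
orclaudsplusers=cn=orcladmin
orclaudcustevents=UserLogin.FAILURESONLY, UserLogout, CheckAuthorization, ModifyDataItemAttributes, CompareDataItemAttributes, ChangePassword.FAILURESONLY
orclaudfilterpreset=custom
orclextconfflag=3
"""

# Events a Custom policy must cover (illustrative baseline): attribute/ACP
# modifications and password changes.
REQUIRED_EVENTS = ("ModifyDataItemAttributes", "ChangePassword")


def parse_dump(text: str) -> Dict[str, List[str]]:
    """Map each lowercase attribute name to its values (repeated lines = multi-valued)."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            attrs.setdefault(name.lower(), []).append(value.strip())
    return attrs


def _split_top_level(value: str) -> List[str]:
    """Split on commas outside parentheses, so an entry such as
    Authorization(Permission -eq 'CSFPermission') stays whole (ASSUMPTION)."""
    parts, depth, cur = [], 0, []
    for ch in value:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_events(value: str) -> Dict[str, str]:
    """orclaudcustevents -> {event_or_category: qualifier}. 'UserLogin.FAILURESONLY'
    gives 'FAILURESONLY'; an unqualified name is recorded as 'ALL' (ASSUMPTION:
    no qualifier means successes and failures are both audited)."""
    events = {}
    for item in _split_top_level(value):
        head = item.partition("(")[0]            # drop any (filter) suffix
        name, _, qualifier = head.partition(".")
        events[name.strip()] = qualifier.strip().upper() or "ALL"
    return events


def check_audit_config(attrs: Dict[str, List[str]]) -> List[str]:
    """Return human-readable findings; an empty list means the baseline is met."""
    findings = []
    preset = attrs.get("orclaudfilterpreset", [""])[0].lower()
    if preset == "none":
        findings.append("orclaudfilterpreset=None: only users in orclaudsplusers are audited")
    elif preset == "custom":
        events = parse_events(attrs.get("orclaudcustevents", [""])[0])
        for ev in REQUIRED_EVENTS:
            if ev not in events:
                findings.append(f"{ev} is not in orclaudcustevents")
            elif ev == "ModifyDataItemAttributes" and events[ev] == "FAILURESONLY":
                findings.append("ModifyDataItemAttributes audits failures only; "
                                "successful ACP changes are not recorded")
    elif preset not in ("low", "medium", "all"):
        findings.append(f"orclaudfilterpreset={preset!r}: unknown preset")
    # The user list is comma-separated and DN components are attr=value tokens,
    # so look for the cn=orcladmin token rather than a whole-value match.
    users = [t.strip().lower() for v in attrs.get("orclaudsplusers", []) for t in v.split(",")]
    if "cn=orcladmin" not in users:
        findings.append("cn=orcladmin is not in orclaudsplusers")
    flag = attrs.get("orclextconfflag", [""])[0]
    if flag == "3":
        findings.append("orclextconfflag=3: replication and DIP auditing disabled (7 enables both)")
    elif flag != "7":
        findings.append(f"orclextconfflag={flag!r}: only 3 (off) and 7 (on) are documented")
    return findings


if __name__ == "__main__":
    for finding in check_audit_config(parse_dump(SAMPLE_DUMP)) or ["audit configuration meets baseline"]:
        print(finding)
```

Against the constructed dump the only finding is the orclextconfflag value, which the LDIF in the replication section below corrects. Feed it the real output of the ldapsearch shown above (including the orclextconfflag line, which grep orclaud alone does not print) to check a live instance.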
You can use ldapmodify to manage auditing. Create an LDIF file that makes the required changes to the attributes orclAudFilterPreset, orclAudCustEvents, and orclAudSplUsers, then load it with:

```
ldapmodify -D cn=orcladmin -q -p portNum -h hostname -f ldifFile
```

For example, to audit only user login events, use this LDIF file with the preceding ldapmodify command:

```
dn: cn=componentname,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclaudFilterPreset
orclaudFilterPreset: Custom
-
replace: orclaudcustevents
orclaudcustevents: UserLogin
```
For more information, see the Oracle Fusion Middleware Application Security Guide.
The following LDIF file enables both replication and Oracle Directory Integration Platform auditing:

```
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclextconfflag
orclextconfflag: 7
```

The following LDIF file disables both:

```
dn: cn=oid1,cn=osdldapd,cn=subconfigsubentry
changetype: modify
replace: orclextconfflag
orclextconfflag: 3
```

Load either file with a command line similar to this:

```
ldapmodify -h host -p port -D "cn=orcladmin" -q -f ldiffile
```