Configuring and Managing Audit
All operations performed by Enterprise Manager users, such as creating users, granting privileges, or starting a remote job like patching or cloning, need to be audited to ensure compliance with the Sarbanes-Oxley Act of 2002 (SAS 70). This act defines the standards an auditor must use to assess the contracted internal controls of a service organization. Auditing an operation enables an administrator to monitor, detect, and investigate problems and to enforce enterprise-wide security policies.
Regardless of how the user logged in to Enterprise Manager, when auditing is enabled each user action is audited and the audit details are stored in a record.
Auditing Credentials
For Enterprise Manager, BASIC auditing is enabled by default, creating an audit trail of credentials being created, edited, accessed, associated, and deleted. Named credentials are first-class security objects on which privileges can be granted or revoked. This means that multiple Enterprise Manager administrators can use and modify the credential objects. Because credentials are sensitive data that can be used to perform various operations on the managed systems, the operations on credentials need to be audited.
Enterprise Manager supports auditing of all credential operations, but this auditing must first be enabled. The auditing information includes, but is not limited to, the current user name, credential name, operation performed, and operation status (success or failure). The audit logs contain the credential owner, action initiator, credential name, user name, target name, and job names, along with the date and time of the operation. Credential fields such as passwords and private keys are never logged.
The following operations are audited:
- Creating a Named Credential: Creating new Enterprise Manager credentials will be audited.
- Editing a Named Credential: Editing a credential may consist of changing the user name and/or the sensitive credential attributes. Credential edits may also include changing the authentication scheme for the credential.
- Deleting a Named Credential: Deleting a credential from Enterprise Manager will be audited.
- Associating a Named Credential: A named credential can be set as a preferred credential for a credential set at the target level or at the target type level. The named credential can also be referenced directly from a job. All operations involving the setting of named credentials as preferred credentials and their use in a job or deployment procedure will be audited.
- Accessing a Named Credential: Enterprise Manager subsystems request credentials from the credential store to perform various system management tasks.
Default Audit Actions
By default, whenever a user logs in or out of Enterprise Manager, the action is audited. The following list shows the Enterprise Manager infrastructure operations that are also audited by default.
- Apply Update
- Change MGMT_VIEW User Password
- Change Repository Password
- Configure Authentication
- Copy EM Key to Repository
- Remove EM Key from Repository
- Create Custom CA
- Remove Update
- Secure Console
- Secure Lock
- Secure OMS
Configuring the Enterprise Manager Audit System
You can configure the Enterprise Manager Audit System by using the following EM CLI commands:
- enable_audit: Enables auditing for all user operations.
- disable_audit: Disables auditing for all user operations.
- show_operations_list: Shows a list of the user operations being audited.
- show_audit_settings: Shows the audit status, operation list, externalization service details, and purge period details.
- update_audit_settings: Updates the current audit settings in the repository.
Configuring the Audit Data Export Service
Audit data needs to be protected and maintained for several years. The volume of audit data may become very large and impact the performance of the system. To limit the amount of data stored in the repository, the audit data must be externalized or archived at regular intervals. The archived audit data is stored in an XML file complying with the ODL format. To externalize the audit data, the EM_AUDIT_EXTERNALIZATION API is used. Files named <file-prefix>.NNNNN.xml, where NNNNN is a five-digit number, are generated. The numbers start at 00001 and continue to 99999.
You can set up the audit externalization service for exporting audit data into the file system by using the update_audit_settings -externalization_switch command.
The externalization of audit system data is performed by the EM Audit Externalization Service job. By default, this job is scheduled to run once daily. You can view the current status of this job from the Repository Scheduler Jobs Status area in the Enterprise Manager console, as shown in the following graphic.
To access this page, from the Setup menu, select Manage, and then Repository.
Updating the Audit Settings
The update_audit_settings command updates the current audit settings in the repository and restarts the Management Service. Its options are:
- -audit_switch: Enables auditing across Enterprise Manager. The possible values are ENABLE/DISABLE. The default value is DISABLE.
- -operations_to_enable: Enables auditing for the specified operations. Enter ALL to enable all operations.
- -operations_to_disable: Disables auditing for the specified operations. Enter ALL to disable all operations.
- -externalization_switch: Enables the audit data export service. The possible values are ENABLE/DISABLE. The default value is DISABLE.
- -directory: The database directory that is mapped to the OS directory where the export service archives the audit data files.
- -file_prefix: The file prefix used by the export service to name the files in which audit data is stored.
- -file_size: The maximum size of each file in which audit data is stored. The default value is 5000000 bytes.
- -data_retention_period: The period for which the audit data is retained inside the repository. The default value is 365 days.
Example 2-22 Usage of the update_audit_settings command
emcli update_audit_settings -audit_switch="ENABLE/DISABLE" -operations_to_enable="name of the operations to enable, for all operations use ALL" -operations_to_disable="name of the operations to disable, for all operations use ALL" -externalization_switch="ENABLE/DISABLE" -directory="directory_name (DB Directory)" -file_prefix="file_prefix" -file_size="file_size (Bytes)" -data_retention_period="data_retention_period (Days)"
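The following script is an added illustration of the externalization and retention behaviour described in the two preceding sections; it is not Oracle's EM Audit Externalization Service and not part of this documentation. It reproduces the <file-prefix>.NNNNN.xml naming (00001 to 99999), rolls over to the next file once the current one would exceed -file_size bytes, and drops repository records older than -data_retention_period. The record fields, the layout of the <msg> element, and the sample records are assumptions made for the example.

```python
"""Simulation of audit externalization (numbered ODL-style XML files) and
retention purging. Added example, not Oracle code: record fields, element
layout and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple, Union
from xml.sax.saxutils import quoteattr


@dataclass
class AuditRecord:
    """One audit record. Deliberately has no password or private-key field:
    sensitive credential attributes are never written to the audit trail."""
    timestamp: datetime          # timezone-aware
    username: str                # action initiator
    operation: str               # operation ID, e.g. SECURITY_AUTH_CONFIG
    status: str                  # "SUCCESS" or "FAILURE"
    target: str = ""             # target name, if the operation has one


def file_name(prefix: str, seq: int) -> str:
    """Build <file-prefix>.NNNNN.xml; the sequence runs from 00001 to 99999."""
    if not 1 <= seq <= 99999:
        raise ValueError("sequence number must be between 1 and 99999")
    return f"{prefix}.{seq:05d}.xml"


def record_to_xml(rec: AuditRecord) -> str:
    """Serialize one record as an ODL-style <msg> element (assumed layout)."""
    return (
        f"<msg time={quoteattr(rec.timestamp.isoformat())} "
        f"user={quoteattr(rec.username)} op={quoteattr(rec.operation)} "
        f"status={quoteattr(rec.status)} target={quoteattr(rec.target)}/>\n"
    )


def externalize(records: List[AuditRecord], prefix: str,
                file_size: int = 5_000_000,
                start_seq: int = 1) -> Tuple[Dict[str, str], int]:
    """Split records into numbered files, starting a new file once the current
    one would grow past file_size bytes (default 5000000, as for -file_size).
    A single record is never split, so a file may exceed file_size by at most
    one record. Returns {file name: content} and the next unused sequence
    number, so a later run continues the numbering where this one stopped."""
    files: Dict[str, str] = {}
    seq = start_seq
    current = ""
    for rec in records:
        entry = record_to_xml(rec)
        if current and len(current.encode()) + len(entry.encode()) > file_size:
            files[file_name(prefix, seq)] = current
            seq += 1
            current = ""
        current += entry
    if current:
        files[file_name(prefix, seq)] = current
        seq += 1
    return files, seq


def purge_expired(records: List[AuditRecord], retention_days: int = 365,
                  now: Optional[Union[datetime, str]] = None) -> List[AuditRecord]:
    """Return the records still inside the retention period (default 365 days,
    as for -data_retention_period); older ones would leave the repository.
    'now' may be an aware datetime or an ISO-8601 string with UTC offset."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if r.timestamp >= cutoff]


def sample_records() -> List[AuditRecord]:
    """Constructed sample data; operation IDs are ones listed by show_operations_list."""
    utc = timezone.utc
    return [
        AuditRecord(datetime(2023, 1, 15, 8, 0, tzinfo=utc), "SYSMAN",
                    "SECURITY_AUTH_CONFIG", "SUCCESS"),
        AuditRecord(datetime(2024, 3, 1, 9, 30, tzinfo=utc), "SYSMAN",
                    "ADD_CS_TARGET_ASSOC", "SUCCESS", "db01.example.com"),
        AuditRecord(datetime(2024, 5, 30, 17, 45, tzinfo=utc), "JDOE",
                    "UPDATE_PASSWORD", "FAILURE"),
    ]


if __name__ == "__main__":
    # A tiny file_size forces one record per file to make the rotation visible.
    files, next_seq = externalize(sample_records(), "emaudit", file_size=10)
    for name, body in sorted(files.items()):
        print(name, body, end="")
    print("next sequence:", next_seq)
```

Because the service keeps numbering across runs, a real exporter must persist the next sequence number (here the second return value) between runs; the default retention of 365 days is applied to the repository copy only, and the externalized files must be protected and retained separately.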
Searching the Audit Data
You can search for audit data that has been generated over a specified period. You can also search for the following:
- Audit details of a specific user operation or all user operations.
- Audit details of operations with a Success or Failure status, or all operations.
From the Setup menu, select Security and then Audit Data. The Audit Data page is displayed. Specify the search criteria in the fields and click Go. The results are displayed in the Summary table.
To view the details of each record that meets the search criteria, select Detailed in the View drop-down list. To drill down to the full record details, click on the Timestamp.
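The search just described (by period, by a specific operation or all operations, and by Success/Failure/All status, plus the client host and client type filters that the console also offers) can be reproduced offline over exported audit files. The script below is an added example, not an Oracle tool: the attribute names of the <msg> elements are an assumed layout for the externalized ODL file, and the sample file content is constructed, using operation IDs that show_operations_list reports.

```python
"""Search over exported Enterprise Manager audit data. Added example, not an
Oracle tool: the <msg> attribute names are an assumed file layout and the
sample content is constructed."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

# Constructed sample of one externalized audit file (layout assumed).
SAMPLE_AUDIT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<audit>
  <msg time="2024-03-01T09:00:00+00:00" user="SYSMAN" op="SECURITY_AUTH_CONFIG"
       status="SUCCESS" client_host="adm01.example.com" client_type="CLI"/>
  <msg time="2024-03-01T09:05:00+00:00" user="SYSMAN" op="ADD_AGENT_REGISTRATION_PASSWORD"
       status="SUCCESS" client_host="adm01.example.com" client_type="CLI"/>
  <msg time="2024-03-02T14:20:00+00:00" user="JDOE" op="UPDATE_PASSWORD"
       status="FAILURE" client_host="10.0.0.7" client_type="BROWSER"/>
  <msg time="2024-03-02T14:21:00+00:00" user="JDOE" op="UPDATE_PASSWORD"
       status="SUCCESS" client_host="10.0.0.7" client_type="BROWSER"/>
  <msg time="2024-03-04T08:00:00+00:00" user="SYSMAN" op="WEBLOGIC_DOMAIN_LOGIN"
       status="SUCCESS" client_host="adm01.example.com" client_type="BROWSER"/>
</audit>
"""


def load_records(xml_text: str) -> List[Dict[str, str]]:
    """Parse every <msg> element into a dict of its attributes."""
    root = ET.fromstring(xml_text)
    return [dict(elem.attrib) for elem in root.iter("msg")]


def search_audit(records: List[Dict[str, str]],
                 start: Optional[str] = None, end: Optional[str] = None,
                 operation: str = "ALL", status: str = "ALL",
                 client_type: str = "ALL",
                 client_host: Optional[str] = None) -> List[Dict[str, str]]:
    """Filter records the way the Audit Data page does: by period (ISO-8601
    bounds with UTC offset, inclusive), by one operation ID or ALL, by
    SUCCESS/FAILURE/ALL, and additionally by client type (BROWSER or CLI)
    and by client host. Records keep their file order."""
    start_ts = datetime.fromisoformat(start) if start else None
    end_ts = datetime.fromisoformat(end) if end else None
    hits = []
    for rec in records:
        ts = datetime.fromisoformat(rec["time"])
        if start_ts and ts < start_ts:
            continue
        if end_ts and ts > end_ts:
            continue
        if operation != "ALL" and rec["op"] != operation:
            continue
        if status != "ALL" and rec["status"] != status:
            continue
        if client_type != "ALL" and rec["client_type"] != client_type:
            continue
        if client_host and rec["client_host"] != client_host:
            continue
        hits.append(rec)
    return hits


def summarize(records: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per-operation SUCCESS/FAILURE counts, a Summary-style rollup."""
    counts = defaultdict(lambda: {"SUCCESS": 0, "FAILURE": 0})
    for rec in records:
        counts[rec["op"]][rec["status"]] += 1
    return dict(counts)


def detailed(rec: Dict[str, str]) -> str:
    """One Detailed-view line for a record."""
    return (f"{rec['time']} {rec['user']} {rec['op']} {rec['status']} "
            f"from {rec['client_host']} ({rec['client_type']})")


if __name__ == "__main__":
    recs = load_records(SAMPLE_AUDIT_XML)
    print("Failed operations:")
    for rec in search_audit(recs, status="FAILURE"):
        print(" ", detailed(rec))
    print("Summary:", summarize(recs))
```

Filtering on FAILURE first and then widening to the same user, host and period is the usual way to establish whether a failed operation was followed by a successful one from the same client, which the Detailed view on the console supports through the Timestamp drill-down.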
List of Operations Audited
For a complete list of audit operations supported by Enterprise Manager, use the EM CLI show_operations_list verb.
Example 2-23 EM CLI show_operations_list
> emcli show_operations_list
Operation ID                      Operation Name                    Infrastructure Operation
ADD_AGENT_REGISTRATION_PASSWORD   Add Registration Password         NO
ADD_CS_TARGET_ASSOC               Add Standard-Target Association   NO
SECURITY_AUTH_CONFIG              Configure Authentication          YES
.
.
.
UPDATE_PASSWORD                   Update Password                   NO
Auditing the Infrastructure
Basic and Infrastructure auditing are enabled by default for Enterprise Manager. Enterprise Manager offers over 150 auditable operations. Infrastructure audit operations are always enabled and cannot be turned off. An enhanced Auditing page makes it easy to review privilege grants regularly and to keep track of which users exercised which privileges, which improves user accountability. Infrastructure activities are audited out of the box; these include updates, downloads, OMS password changes, and copying the emkey to and removing it from the Repository.
The search capability for all audit actions has also been improved: through the Enterprise Manager console you can search for a subset of audited operations and filter to show only operations from specific client hosts and client types (browser or CLI). This gives audit officers a more efficient way to locate specific operations of interest.
The following table lists all auditable events. Those auditable events shown as enabled are Infrastructure audit events and are turned on out-of-box and cannot be disabled.
Event | Enabled/Disabled (By Default) |
---|---|
Apply Update | Enabled |
Change MGMT_VIEW User Password | Enabled |
Change Repository Password | Enabled |
Configure Authentication | Enabled |
Copy Enterprise Manager Key to Repository | Enabled |
Create Custom CA | Enabled |
Enterprise Manager Login | Enabled |
Enterprise Manager Logout | Enabled |
Remove Enterprise Manager Key from Repository | Enabled |
Remove Update | Enabled |
Secure Console | Enabled |
Secure Lock | Enabled |
Secure OMS | Enabled |
Secure WebLogic Server | Enabled |
Access Named Credential | Disabled |
Add Registration Password | Disabled |
Add Software Library Storage | Disabled |
Add Standard-Target Association | Disabled |
Add entity to Template Collection | Disabled |
Apply Monitoring Template | Disabled |
Associate Template Collection to Admin Group | Disabled |
Attach Metric Extension | Disabled |
Audit Export Settings | Disabled |
Audit Settings | Disabled |
Change Connector Settings | Disabled |
Change Password | Disabled |
Change Preferred Credentials | Disabled |
Clear Manual Rule Violation | Disabled |
Configure Connector | Disabled |
Create Administration Groups | Disabled |
Create Change Management Setting | Disabled |
Create Connector | Disabled |
Create Credential Set | Disabled |
Create Custom Configuration Specification | Disabled |
Create Custom Configuration Specification Parser | Disabled |
Create Custom Target Type | Disabled |
Create Facet | Disabled |
Create Facet Parameter | Disabled |
Create Facet Pattern | Disabled |
Create Framework | Disabled |
Create Metric Extension | Disabled |
Create Monitoring Template | Disabled |
Create Named Credential | Disabled |
Create Real-time Monitoring Rule | Disabled |
Create Resolution state | Disabled |
Create Role | Disabled |
Create Rule | Disabled |
Create Rule Set | Disabled |
Create Standard | Disabled |
Create Template Collection | Disabled |
Create User | Disabled |
Database Login | Disabled |
Database Logout | Disabled |
Database Restart | Disabled |
Database Shutdown | Disabled |
Database Startup | Disabled |
Delete Administration Groups | Disabled |
Delete Credential Set | Disabled |
Delete Custom Configuration Specification | Disabled |
Delete Custom Configuration Specification Parser | Disabled |
Delete Facet | Disabled |
Delete Facet Parameter | Disabled |
Delete Facet Pattern | Disabled |
Delete Framework | Disabled |
Delete Job | Disabled |
Delete Management Connector | Disabled |
Delete Metric Extension | Disabled |
Delete Monitoring Template | Disabled |
Delete Named Credential | Disabled |
Delete Real-time Monitoring Rule | Disabled |
Delete Registration Password | Disabled |
Delete Resolution state | Disabled |
Delete Role | Disabled |
Delete Rule | Disabled |
Delete Rule Set | Disabled |
Delete Software Library Entity | Disabled |
Delete Software Library Folder | Disabled |
Delete Standard | Disabled |
Delete Target | Disabled |
Delete Template Collection | Disabled |
Delete Update | Disabled |
Delete User | Disabled |
Deploy Custom Configuration Specification | Disabled |
Detach Metric Extension | Disabled |
Disable Rule | Disabled |
Disable Rule Set | Disabled |
Disable Standard-Target Association | Disabled |
Disassociate Template Collection from Admin Group | Disabled |
Download Update | Disabled |
Edit Framework | Disabled |
Edit Job | Disabled |
Edit Monitoring Template | Disabled |
Edit Registration Password | Disabled |
Edit Rule | Disabled |
Edit Rule Set | Disabled |
Edit Standard | Disabled |
Edit Standard-Target Association | Disabled |
Edit Template Collection | Disabled |
Enable Rule | Disabled |
Enable Rule Set | Disabled |
Enable Standard-Target Association | Disabled |
Execute Command As Agent | Disabled |
File Transfer Job | Disabled |
Get File Job | Disabled |
Grant Privilege | Disabled |
Grant Role | Disabled |
Import Facet | Disabled |
Import Framework | Disabled |
Import Real-time Monitoring Rule | Disabled |
Import Rule | Disabled |
Import Standard | Disabled |
Include Action To Monitor | Disabled |
Include Filter Facet | Disabled |
Include Monitoring Facet | Disabled |
Job Execution | Disabled |
Mark informational update as read | Disabled |
Modify Administration Groups | Disabled |
Modify Change Management Setting | Disabled |
Modify Custom Configuration Specification | Disabled |
Modify Facet | Disabled |
Modify Facet Content | Disabled |
Modify Facet Parameter | Disabled |
Modify Facet Pattern | Disabled |
Modify Metric Settings | Disabled |
Modify Named Credential | Disabled |
Modify Real-time Monitoring Rule | Disabled |
Modify Resolution state | Disabled |
Modify Role | Disabled |
Modify User | Disabled |
Move Software Library Entity | Disabled |
Publish Metric Extension | Disabled |
Purge Software Library Storage | Disabled |
Put File As Agent | Disabled |
Put File Job | Disabled |
Refresh from Enterprise Manager Store | Disabled |
Registration Password Usage | Disabled |
Remote Operation Job | Disabled |
Remove Action From Monitor | Disabled |
Remove Change Management Setting | Disabled |
Remove Filter Facet | Disabled |
Remove Monitoring Facet | Disabled |
Remove Privilege Delegation Setting | Disabled |
Remove Software Library Storage | Disabled |
Remove Standard-Target Association | Disabled |
Remove entity from Template Collection | Disabled |
Rename Template Collection | Disabled |
Reorder Rule | Disabled |
Reorder Rule Set | Disabled |
Resume Job | Disabled |
Resync Agent | Disabled |
Resync Repository | Disabled |
Retry Job | Disabled |
Revoke Privilege | Disabled |
Revoke Role | Disabled |
Save Monitoring Settings | Disabled |
Set Privilege Delegation Setting | Disabled |
Stop Job | Disabled |
Submit Job | Disabled |
Subscribe Update Type | Disabled |
Suppress Violation | Disabled |
Suspend Job | Disabled |
Target Login | Disabled |
Target Logout | Disabled |
Undeploy Custom Configuration Specification | Disabled |
Unsubscribe Update Type | Disabled |
Unsuppress Violation | Disabled |
Update Database Password | Disabled |
Update Metric Extension | Disabled |
Update Password | Disabled |
Update is available | Disabled |
WebLogic Server Auditable Events
The following WebLogic Server events can be audited:
- Domain update
- Domain login
- Domain logout
To audit these events, enter the following EM CLI command:
emcli update_audit_settings -operations_to_enable="WEBLOGIC_DOMAIN_UPDATE_INVOKE;WEBLOGIC_DOMAIN_LOGIN;WEB_LOGIC_DOMAIN_LOGOUT"
Note: Only super administrators have permission to view the audited WebLogic Server data.