Auditing User Activity

4 Auditing User Activity

This chapter auditing in EDQ.

The chapter includes the following sections:

Enabling Audit Logging Using Oracle Fusion Middleware Framework
You can configure EDQ to log audit events using the Oracle Fusion Middleware Audit Framework when EDQ is installed with an Oracle WebLogic Server domain.
Enabling Audit Logging to Files
You can enable audit logs to be written to files on disk when EDQ is installed in Apache Tomcat, or if you do not want to use the Oracle Fusion Middleware Audit Framework.

Enabling Audit Logging Using Oracle Fusion Middleware Framework

You can configure EDQ to log audit events using the Oracle Fusion Middleware Audit Framework when EDQ is installed with an Oracle WebLogic Server domain.

For detailed information on the framework see Introduction to Oracle Fusion Middleware Audit Framework in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.

To enable audit event logging, follow the steps below:

Open the Oracle Enterprise Manager Fusion Middleware Control14c application using the path:
http://[servername]:[weblogic server admin port, e.g. 7001]/em
Navigate to the EDQ domain in the Target Navigation Tree on the left of the window.
Right-click the domain and select Security > Audit Policy.
Select EDQ in the Audit Component Name field.
Select Custom in the Audit Level field.
Select the categories to log, and the events within those categories.
Click Apply.
To abandon the changes, you must click Revert.

Configuring the EDQ Audit Events in Fusion Middleware Framework

Parent topic: Auditing User Activity

Configuring the EDQ Audit Events in Fusion Middleware Framework

Set the directory property in the audit.properties file in any directory (that exists), relative to your local config home.

For example, add the following line to your new file:

directory = myAudits

where myAudits is a folder that exists at the same level as your new audit.properties file.

Table 4-1 EDQ Event Category and Types

Event Category	Event Types
Asset Transfer	Import Package
Case Management	Bulk Delete, Bulk Update, Bulk Assignment, Display Data edited, Export, Edit, Assignment updated, State changed, Comment added, Comment deleted, Comment edited, Attachment added, Attachment deleted
Case Management Admin	Case Source Added, Case Source Imported, Case Source Deleted, Permission Added, Permission Modified, Permission Deleted, Workflow Added, Workflow Imported, Workflow Deleted, Parameter Added, Parameter Modified, Parameter Deleted, Reception Action Added, Reception Action Modified, Reception Action Deleted, Reception Transition Added, Reception Transition Modified, Reception Transition Deleted, State Transition Added, State Transition Modified, State Transition Deleted, Workflow State Added, Workflow State Modified, Workflow State Deleted
Group Permission Management	Join group, Leave group, Leave all groups, Create group, Delete group, Change permissions.
Launchpad Management	Extension Add, Extension Delete, Front Page Update
Object Management	Create, Update, Delete.
User Management	Login, Logout, Password Change, Password Expire, User Blocked, User Blocked Temporarily, User Unblocked, User Created, User Updated, User Deleted, Security Configuration Updated.

Table 4-2 Event Attributes and Custom Attribute Slot

Event Attribute	Description	Custom Attribute Slot
Affected user	The name of the user for the logged event.	IAU_STRING_001
Login application	The name of the application that has been logged into.	IAU_STRING_002
Project Name	The name of the project containing the affected object. This attribute is left blank for system-level objects.	IAU_STRING_003
Item Type	The type of object created, modified or deleted.	IAU_STRING_004
Item Name	The name of the object created, modified or deleted.	IAU_STRING_005
Affected user	The name of the user affected by changes made by an administrator.	IAU_STRING_006
Affected group	The name of the group affected by changes made by an administrator.	IAU_STRING_007
Added Permissions	List of permissions added to a group.	IAU_LONGSTRING_001
Removed Permissions	List of permissions removed from a group.	IAU_LONGSTRING_002

The events that can be logged and their corresponding file-based auditing name are listed in the following table. Please note that this is not a complete list.

Table 4-3 Attributes Logged by User Management Event

Weblogic Display Name	File-Based Event Name
Login	login
Logout	logout
Password Change	pwchange
Password Expire	pwexpire
User Blocked	userblock
User Temporarily Blocked	usertempblock
User Unblocked	userunblock
User Created	usercreate
User Updated	userupdate
User Deleted	userdelete
Security Configuration Updated	secconfig

Table 4-4 Attributes Logged by Group Permission Management Event

Weblogic Display Name	File-Based Event Name
Join group	joingroup
Leave group	leavegroup
Leave all groups	leaveallgroups
Create group	creategroup
Delete group	deletegroup
Change permissions	changepermissions

Table 4-5 Attributes Logged by Object Management Event

Weblogic Display Name	File-Based Event Name
Create	create
Update	update
Delete	delete

Custom attributes are stored in the iau_custom table. For more information, see "Audit Reporting with the Dynamic Metadata Model" in Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services. The generic attributes for the event are stored in the iau_common table. Both of these are in the IAU schema ([RCUPREFIX]_IAU).

After the audit logs are enabled, EDQ audits events by calling the central Oracle Fusion Middleware Audit Framework APIs. The audit events can then be stored either as files or in a database for compliance reporting purposes. For more information on how to store and report on the results of auditing, see Oracle Fusion Middleware Securing Applications with Oracle Platform Security Services.

Parent topic: Enabling Audit Logging Using Oracle Fusion Middleware Framework

Enabling Audit Logging to Files

You can enable audit logs to be written to files on disk when EDQ is installed in Apache Tomcat, or if you do not want to use the Oracle Fusion Middleware Audit Framework.

To enable audit logging, create a file named audit.properties in the local configuration directory and add the following line:

enabled = true

You can then either create a directory named audit in your local configuration directory, or specify a path to an existing directory using the directory property in audit.properties. This path is specified relative to the local configuration directory.

Configuring the EDQ Audit Events on Disk

Parent topic: Auditing User Activity

Configuring the EDQ Audit Events on Disk

For fine-grained control over specific categories and events that are audited, you can turn certain categories off by adding the following line to audit.properties:

category.<category name>. enabled = false

You can turn the individual events back on, for that category, or turn them off if the category has not been disabled, using the following command:

category.<category name>.<event name>.enabled = <true/false>

After the audit events are generated, they are placed in per-category files within the configured audit directory. These files contain entries as comma-separated values; the first line contains column headers.

Parent topic: Enabling Audit Logging to Files