This post covers everything you must know about auditing in Oracle Entitlement Server (OES). With auditing enabled in OES, you can find out who did what, when, and how (policy modification, GRANT/DENY of a resource, etc.).
1. Auditing in OES is based on the Fusion Middleware Audit Framework and is DISABLED by default.
2. OES consists of the OES Administration Console (aka APM), which is used to manage policy, and the OES Security Module (SM), which acts as the Policy Enforcement Point (PEP) and possibly the Policy Decision Point (PDP). You must enable auditing for the OES Administration Console (APM) and in each OES SM (depending on your audit requirements).
3. Audit configuration for the OES Administration Console (APM) is stored in the file $DOMAIN_HOME/config/fmwconfig/jps-config.xml, in the serviceInstance entry shown below:
<serviceInstance name="audit.db" provider="audit.provider">
  <property name="audit.loader.repositoryType" value="File"/>
  <property name="auditstore.type" value="db"/>
  <property name="audit.loader.jndi" value="jdbc/AuditDB"/>
  <property name="audit.maxDirSize" value="0"/>
  <property name="audit.filterPreset" value="All"/>
  <property name="audit.maxFileSize" value="104857600"/>
  <property name="audit.loader.interval" value="15"/>
  <propertySetRef ref="props.db.1"/>
</serviceInstance>
Note: The audit configuration described in the OES Administration Guide [part number E27153-03] is incorrect; use the serviceInstance entry shown above instead.
4. The audit level for OES is controlled by audit.filterPreset, whose value can be NONE (default), LOW, MEDIUM, ALL, or CUSTOM.
5. The audit configuration file $DOMAIN_HOME/config/fmwconfig/audit-store.xml contains the filters LOW and MEDIUM, which define which events are captured when you set the audit level to LOW or MEDIUM.
6. To audit OES Security Modules (SM), you must update the jps-config.xml used by the Security Module and edit the entry for the serviceInstance audit.db:
<serviceInstance name="audit.db" provider="audit.provider">
7. Because an OES SM can be WebLogic with JRF, WebLogic without JRF, or another type, the location of its jps-config.xml is:
a) WebLogic with JRF: $DOMAIN_HOME/config/fmwconfig/
b) WebLogic without JRF: $DOMAIN_HOME/config/oeswlssmconfig/AdminServer
c) Other SMs: OES_CLIENT\oes_sm_instances\[SM_NAME]\config\
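Before trusting that auditing is on, it helps to check each of the jps-config.xml locations above (APM and every SM). The following script is an added example, not code from the post or from Oracle: it reads a jps-config.xml, finds the audit.db serviceInstance and reports whether audit.filterPreset is set to something other than the NONE default. The sample document is constructed from the entry shown above; its jpsConfig/serviceInstances wrapper and namespace are assumptions, and the lookup ignores the namespace so a real file with a different one still parses.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the audit.db entry from the post, wrapped in an
# assumed <jpsConfig>/<serviceInstances> root (namespace also assumed).
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="audit.db" provider="audit.provider">
      <property name="audit.loader.repositoryType" value="File"/>
      <property name="auditstore.type" value="db"/>
      <property name="audit.loader.jndi" value="jdbc/AuditDB"/>
      <property name="audit.maxDirSize" value="0"/>
      <property name="audit.filterPreset" value="All"/>
      <property name="audit.maxFileSize" value="104857600"/>
      <property name="audit.loader.interval" value="15"/>
      <propertySetRef ref="props.db.1"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

# Constructed variant matching the shipped default: filterPreset left at NONE.
DISABLED_JPS_CONFIG = SAMPLE_JPS_CONFIG.replace('value="All"', 'value="None"')


def _local(tag):
    """Strip any XML namespace so lookups do not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]


def audit_properties(xml_text, instance_name="audit.db"):
    """Return {property-name: value} of the named serviceInstance, or None."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) == "serviceInstance" and el.get("name") == instance_name:
            return {p.get("name"): p.get("value")
                    for p in el if _local(p.tag) == "property"}
    return None


def check_audit(xml_text):
    """Return (enabled, level, repository_type) for the audit.db instance.
    Missing instance or property means the default level, NONE (disabled)."""
    props = audit_properties(xml_text)
    if props is None:
        return (False, "NONE", None)
    level = (props.get("audit.filterPreset") or "NONE").upper()
    return (level != "NONE", level, props.get("audit.loader.repositoryType"))
```

Run check_audit() over the file contents from each location in item 7 and treat any (False, "NONE", ...) result as an SM whose decisions are not being recorded.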
8. The audit log file for the OES Admin Console (APM) is written to $DOMAIN_HOME/servers/AdminServer/logs/auditlogs/JPS/audit_[N]_[N].log
9. A record in the audit log file should look like this:
2014-01-14 17:12:36.878 - "CheckPermission" true "Authorization check permission succeeded." - - "0000KEHjNVA0nnWFLzvH8A1IpMzx000000,0" "Authorization" "success" - - - - - - - - - "file:/u01/app/oracle/product/iam/modules/com.bea.core.weblogic.security.wls_1.0.0.0_6-2-0-0.jar" - - - - - - - - - - - - - - - - - - - - - - - - - - "" "true" "JpsPermission" - - "idstore.config" - - - - - - - - - - - - - - - - - - - - - - - "[]" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "0" - - "(oracle.security.jps.JpsPermission idstore.config)" - - - - "15" -
10. The OES audit store can be a file-based or a database-based repository, controlled by <property name="audit.loader.repositoryType" value="File"/> (or "Db" for database).
More on how to configure the OES audit store for a database in a later post ...
Related/References
- Auditing OES from Administration Guide
- 1375460.1 How to configure Database Auditing with OES11g
- 1578228.1 OES11gr2 – How To set StandaloneAuditLoader for WLS SM
- ER 17201437 – OES AUDIT LEVEL IS NOT LOGGED FOR FEW EVENT
- Bug 17167389 : OES AUDIT LEVEL IS SET TO ALL, BUT IT IS NOT LOGGING ALL THE EVENTS
- Bug 17888863 : NO ORACLE ENTITLEMENTS SERVER AUDIT DB DESCRIPTION AVAILABLE