
OEM Auditing

All operations performed by Enterprise Manager users, such as creating users, granting
privileges, or starting a remote job like patching or cloning, need to be audited to ensure
compliance with the Sarbanes-Oxley Act of 2002 (SAS 70). This act defines standards an
auditor must use to assess the contracted internal controls of a service organization. Auditing an
operation enables an administrator to monitor, detect, and investigate problems and enforce
enterprise-wide security policies.

Irrespective of how the user has logged into Enterprise Manager, when auditing is enabled,
each user action is audited and the audit details are stored in a record.

The following operations are audited:

• Creating a Named Credential: Creating new Enterprise Manager Credentials will be
audited.
• Editing a Named Credential: Editing a credential may consist of changing the
username and/or the sensitive credential attributes. Credential edits may also include
changing the authentication scheme for the credential.
• Delete a Named Credential: Deleting a credential from Enterprise Manager will be
audited.
• Associating a Named Credential: A named credential can be set as a preferred
credential for a credential set at the target level or at target type level. The named
credential can also be referenced directly from a job. All operations involving the setting of
the named credentials as preferred credentials and using it in a job or deployment
procedure will be audited.
• Accessing a Named Credential: Enterprise Manager subsystems request credentials
from the credential store to perform various system management tasks.

Enabling Audit
To enable audit for a subset of audited operations, please use the following EMCLI verb:

$ emcli update_audit_settings -audit_switch="ENABLE/DISABLE" -operations_to_enable="name of the operations to enable, for all operations use ALL" -operations_to_disable="name of the operations to disable, for all operations use ALL"

For example, to audit only logon/logoff you would issue:

$ emcli update_audit_settings -audit_switch="ENABLE" -operations_to_enable="LOGIN;LOGOUT"

Once audit is enabled, the audit records are kept in the MGMT$AUDIT_LOG view in the Repository.
Use the Enterprise Manager Cloud Control Console to monitor the audit data as a user with Super
Administrator privileges; click Setup -> Security -> Audit Data.

The externalization service via EMCLI verb update_audit_settings externalizes the audit data
from the Repository to an external file system on a regular basis. Make sure there is enough
space in the directory for the audit log files.

$ emcli update_audit_settings -file_prefix=<file_prefix> -directory_name=<directory_name> -file_size=<file size> -data_retention_period=<period in days>

The following example shows that the audit data will be retained in the Repository for 14 days
and once exported the data will be stored in the OS directory that corresponds to database
directory AUDIT with filenames prefixed with gc12_audit, and the file size will be 50M bytes
each:

$ emcli update_audit_settings -externalization_switch=ENABLE -file_prefix=gc12_audit -directory=AUDIT -file_size=50000000 -data_retention_period=14

Achieve separation of duties by restricting the access to the directory where the externalized
audit data is stored. No Enterprise Manager users should have access to the externalized audit
data.
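
The restriction described above can be checked on the host that holds the exported files. The script below is an added example, not part of the original page or of Enterprise Manager; it assumes GNU stat (Linux), and the directory path, owner account and file prefix passed to it are site-specific assumptions.

```bash
#!/usr/bin/env bash
# Added example: verify that only the owning account can reach the
# externalized audit files. Assumes GNU stat (Linux). The directory path,
# owner account and file prefix passed in are site-specific assumptions.

# check_audit_dir DIR OWNER PREFIX
# Prints one FAIL line per finding; returns 0 if clean, 1 if any finding.
check_audit_dir() {
  local dir=$1 owner=$2 prefix=$3 rc=0 f mode who
  if [ ! -d "$dir" ]; then
    echo "FAIL $dir: not a directory"
    return 1
  fi
  # The directory and every exported file: expected owner, and no
  # permission bits for group or other (octal mask 077).
  for f in "$dir" "$dir/$prefix"*; do
    [ -e "$f" ] || continue            # glob matched nothing
    who=$(stat -c %U "$f")
    mode=$(stat -c %a "$f")
    if [ "$who" != "$owner" ]; then
      echo "FAIL $f: owned by $who, expected $owner"
      rc=1
    fi
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
      echo "FAIL $f: mode $mode grants group/other access"
      rc=1
    fi
  done
  return $rc
}

# Typical call (path and account are placeholders):
#   check_audit_dir /path/to/audit_export oracle gc12_audit
```

Only POSIX mode bits are inspected; ACLs on the directory need a separate check.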

Updating the Audit Settings


The update_audit_settings command updates the current audit settings in the repository and
restarts the Management Service.

Example 2-21 Usage of the update_audit_settings command

emcli update_audit_settings
      -audit_switch="ENABLE/DISABLE"
      -operations_to_enable="name of the operations to enable, for all operations use ALL"
      -operations_to_disable="name of the operations to disable, for all operations use ALL"
      -externalization_switch="ENABLE/DISABLE"
      -directory_name="directory_name (DB Directory)"
      -file_prefix="file_prefix"
      -file_size="file_size (Bytes)"
      -data_retention_period="data_retention_period (Days)"

• -audit_switch: Enables auditing across Enterprise Manager. The possible values are
ENABLE/DISABLE. Default value is DISABLE.
• -operations_to_enable: Enables auditing for specified operations. Enter All to enable all
operations.
• -operations_to_disable: Disables auditing for specified operations. Enter All to disable all
operations.
• -externalization_switch: Enables the audit data export service. The possible values are
ENABLE/DISABLE. Default value is DISABLE.
• -directory: The database directory that is mapped to the OS directory where the export
service archives the audit data files.
• -file_prefix: The file prefix to be used by the export service to create the file in which
audit data is to be stored.
• -file_size: The size of the file on which the audit data is to be stored. The default value is
5000000 bytes.
• -data_retention_period: The period for which the audit data is to be retained inside the
repository. The default value is 365 days.

Operations List
The following is the list of operations:

[oemora@usncx189 ~]$ emcli show_operations_list

....................................

Operation Name

....................................

ADD_AGENT_REGISTRATION_PASSWORD

ADD_CS_TARGET_ASSOC

AGENT_REGISTRATION_PASSWORD_USAGE

AGENT_RESYNC

AG_AUD_CREATE

AG_AUD_DELETE

AG_AUD_MODIFY

APPLY_TEMPLATE
APPLY_UPDATE

ATTACH_MEXT

AUDIT_EXPORT_SETTINGS

AUDIT_SETTINGS

CCS_CREATE_CUSTOM_TARGET_TYPE

CCS_CREATE_MD

CCS_CREATE_PARSER

CCS_DELETE_MD

CCS_DELETE_PARSER

CCS_DEPLOY

CCS_UNDEPLOY

CCS_UPDATE_MD

CHANGE_CONNECTOR_SETTINGS

CHANGE_PASSWORD

CHANGE_PREFERRED_CREDENTIAL

CONFIG_CONNECTOR

CREATE_CCC_RULE

CREATE_CHANGE_MANAGEMENT_SETTING

CREATE_CONNECTOR

CREATE_CREDENTIAL_SET

CREATE_CS

CREATE_CSG

CREATE_FACET

CREATE_FACET_PARAMETER

CREATE_FACET_PATTERN

CREATE_MEXT
CREATE_NAMED_CREDENTIAL

CREATE_ROLE

CREATE_RULE

CREATE_RULE_SET

CREATE_TEMPLATE

CREATE_USER

DB_LOGIN

DB_LOGOUT

DB_RESTART

DB_SHUTDOWN

DB_START

DELETE_AGENT_REGISTRATION_PASSWORD

DELETE_CCC_RULE

DELETE_CONNECTOR

DELETE_CREDENTIAL_SET

DELETE_CS

DELETE_CSG

DELETE_FACET

DELETE_FACET_PARAMETER

DELETE_FACET_PATTERN

DELETE_JOB

DELETE_MEXT

DELETE_NAMED_CREDENTIAL

DELETE_ROLE

DELETE_RULE

DELETE_RULE_SET
DELETE_TARGET

DELETE_TEMPLATE

DELETE_UPDATE

DELETE_USER

DETACH_MEXT

DISABLE_CS_TARGET_ASSOC

DISABLE_RULE

DISABLE_RULE_SET

DOWNLOAD_UPDATE

EDIT_AGENT_REGISTRATION_PASSWORD

EDIT_CS

EDIT_CSG

EDIT_CS_TARGET_ASSOC

EDIT_JOB

EDIT_RULE

EDIT_RULE_SET

EDIT_TEMPLATE

ENABLE_CS_TARGET_ASSOC

ENABLE_RULE

ENABLE_RULE_SET

FILE_TRANSFER

GET_FILE

GET_NAMED_CREDENTIAL

GRANT_JOB_PRIVILEGE

GRANT_PRIVILEGE

GRANT_ROLE
GRANT_SYSTEM_PRIVILEGE

GRANT_TARGET_PRIVILEGE

IMPORT_CCC_RULE

IMPORT_CS

IMPORT_CSG

IMPORT_FACET

IMPORT_RULE

INCLUDE_ACTION_TO_MONITOR

INCLUDE_FILTER_FACET

INCLUDE_MONITORING_FACET

INSERT_UPDATE

JOB_OUTPUT

LOGIN

LOGOUT

MARK_INFO_UPDATE_AS_READ

MODIFY_CCC_RULE

MODIFY_CHANGE_MANAGEMENT_SETTING

MODIFY_FACET

MODIFY_FACET_CONTENT

MODIFY_FACET_PARAMETER

MODIFY_FACET_PATTERN

MODIFY_METRIC_SETTINGS

MODIFY_ROLE

MODIFY_USER

PERFORM_OPERATION_AS_AGENT

PUBLISH_MEXT
PUT_FILE

PUT_FILE_AS_AGENT

REFRESH_UPDATE

REMOTE_OPERATION_JOB

REMOVE_ACTION_FROM_MONITOR

REMOVE_CHANGE_MANAGEMENT_SETTING

REMOVE_CS_TARGET_ASSOC

REMOVE_FILTER_FACET

REMOVE_MONITORING_FACET

REMOVE_PRIVILEGE_DELEGATION_SETTING

REMOVE_UPDATE

REORDER_RULE

REORDER_RULE_SET

REPOSITORY_RESYNC

RESUME_JOB

RES_STATE_CREATE_OP

RES_STATE_DELETE_OP

RES_STATE_MODIFY_OP

RETRY_JOB

REVOKE_JOB_PRIVILEGE

REVOKE_PRIVILEGE

REVOKE_ROLE

REVOKE_SYSTEM_PRIVILEGE

REVOKE_TARGET_PRIVILEGE

SAVE_MONITORING_SETTINGS

SET_PRIVILEGE_DELEGATION_SETTING
STOP_JOB

SUBMIT_JOB

SUBSCRIBE_UPDATE

SUSPEND_JOB

SWLIBADDLOCATION

SWLIBDELETEENTITY

SWLIBDELETEFOLDER

SWLIBDELETELOCATION

SWLIBMOVEENTITY

SWLIBPURGELOCATION

TCAUD_ADD_TEMPLATE_ENTITY

TCAUD_ASSOC_TO_AG

TCAUD_CREATE

TCAUD_DEASSOC_FROM_AG

TCAUD_DELETE

TCAUD_EDIT

TCAUD_REMOVE_TEMPLATE_ENTITY

TCAUD_RENAME

UNSUBSCRIBE_UPDATE

UPDATE_DB_PASSWORD

UPDATE_MEXT

UPDATE_NAMED_CREDENTIAL

UPDATE_PASSWORD
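
The names above are what -operations_to_enable and -operations_to_disable accept, separated by semicolons as in the LOGIN;LOGOUT example. The script below is an added example, not part of the original page or of EMCLI: it parses show_operations_list output, selects a subset by pattern, and refuses to build the enable command if a requested name is not in the list. SAMPLE_OUTPUT is constructed from a few names in the list above, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: build a checked -operations_to_enable value from the
# output of `emcli show_operations_list`. Function names are hypothetical.

# Constructed sample in the layout shown above (rules, header, blank lines).
SAMPLE_OUTPUT='....................................
Operation Name
....................................
CREATE_NAMED_CREDENTIAL

GET_NAMED_CREDENTIAL
GRANT_ROLE
LOGIN
LOGOUT
SUBMIT_JOB
AUDIT_SETTINGS'

# list_operations: stdin = raw command output, stdout = one name per line.
# Rules, the "Operation Name" header and blanks fail the name pattern.
list_operations() {
  tr -d '\r' | sed 's/[[:space:]]*$//' | grep -E '^[A-Z][A-Z0-9_]*$' | LC_ALL=C sort -u
}

# select_operations REGEX: names matching REGEX, joined with ';'.
select_operations() {
  list_operations | grep -E -- "$1" | paste -sd ';' -
}

# enable_command "OP1;OP2": stdin = raw command output. Prints the emcli
# command, or returns 1 and names every operation missing from the list.
enable_command() {
  local wanted=$1 known op missing=""
  known=$(list_operations)
  for op in $(printf '%s' "$wanted" | tr ';' ' '); do
    printf '%s\n' "$known" | grep -qxF -- "$op" || missing="$missing $op"
  done
  if [ -n "$missing" ]; then
    echo "not in show_operations_list:$missing" >&2
    return 1
  fi
  printf 'emcli update_audit_settings -audit_switch="ENABLE" -operations_to_enable="%s"\n' "$wanted"
}

# Against a live system (not run here):
#   emcli show_operations_list | enable_command "LOGIN;LOGOUT"
```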

References
http://docs.oracle.com/cd/E24628_01/doc.121/e36415/sec_features.htm#EMSEC12907
