Objectives of Auditing Benefits and Features of the Oracle Fusion Middleware Audit Framework

11-6 Oracle Fusion Middleware Application Security Guide

Figure 11–1 Audit Event Flow

Audit Flow

The process can be illustrated by looking at the actions taken in the framework when an event (say, login) occurs at a component like Oracle HTTP Server or Oracle Virtual Directory within an application server instance:

1. Oracle Fusion Middleware Audit Framework is activated for a component when the component starts up.

2. The component calls an audit function to audit the event.

3. The framework checks if events of this type, status, and with certain attributes need to be audited.

4. If so, the audit function is invoked to create the audit event structure and collect event information like the status, initiator, resource, ECID, and so on.

5. The event is stored in a local file in an intermediate location known as the bus-stop; each component has its own bus-stop.

6. The next component in the flow is the Audit Loader, which is a module of the Oracle WebLogic Server instance and provides process control for that instance. The audit loader is responsible for collecting the audit records for all components running in that instance. If a database is configured for an audit store, the audit loader pulls the events from the bus-stops and moves the data to the audit store.

Note: The architecture shown in Figure 11–1 contains a data store; if your site did not configure a data store for auditing, the audit records reside in the bus-stop files.

7. Reports can also be generated from the audit data using Oracle BI Publisher. A set of pre-defined reports is available. See Chapter 13, "Using Audit Analysis and Reporting".

Application Behavior in Case of Audit Failure

It is important to note that an application does not stop execution if it is unable to record an audit event for any reason.

11.3.2 Key Technical Concepts

This section introduces key concepts in the Oracle Fusion Middleware Audit Framework.

Audit-Aware Components

The term audit-aware refers to components that are integrated with the Oracle Fusion Middleware Audit Framework so that audit policies can be configured and events can be audited for those components. Oracle Internet Directory is an example of an audit-aware component. Stand-alone applications can be integrated with the Oracle Fusion Middleware Audit Framework through configuration with the jps-config.xml file.

Audit Policy

An audit policy is a declaration of the type of events to be captured by the audit framework for a particular component. For Java components, the audit policy is defined at the domain level. For system components, the audit policy is managed at the component instance level. Oracle Fusion Middleware Audit Framework provides several pre-defined policy types:

■ None
■ Low: audits fewer events; the definition is component-dependent
■ Medium: audits many events; the definition is component-dependent
■ Custom: implements filters to narrow the scope of audited events

Audit Policy Component Type

This refers to the component type to be audited; for example, Oracle Internet Directory is a source of auditable events during authentication. For lists of the events that can be audited for each component, see Section C.1, "Audit Events".

Event Filters

Certain audit events implement filters to control when the event is logged. For example, a successful login event for the Oracle Internet Directory component may be filtered for specific users. For details, see Section 12.3, "Managing Audit Policies".

Oracle Platform Security Services

Oracle Platform Security Services, a key component of Oracle Fusion Middleware 11g, is the Oracle Fusion Middleware security implementation for Java features such as Java Authentication and Authorization Service (JAAS) and Java EE security.
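The following is an added illustration, not code from the Oracle documentation and not the framework's own API: a small Python model of the audit flow described under "Audit Flow" (policy check, event record with status, initiator, resource and ECID, per-component bus-stop file, audit loader moving records to the store) combined with the policy levels and event filters described in this section. The event sets assigned to the Low and Medium levels, the component names, the login filter on a watched account, and all event values are constructed for the example; the real framework defines them per component.

```python
import json
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

# Policy levels named in the text. Which events Low and Medium cover is
# component-dependent in the real framework; these sets are constructed samples.
LEVEL_EVENTS: Dict[str, Set[str]] = {
    "None": set(),
    "Low": {"UserLogin"},
    "Medium": {"UserLogin", "UserLogout", "PolicyChange"},
}


@dataclass
class AuditPolicy:
    """Declares which event types a component audits, optionally narrowed by filters."""
    level: str                                              # None, Low, Medium or Custom
    custom_events: Set[str] = field(default_factory=set)    # used only when level == "Custom"
    # event_type -> predicate over the event attributes; True means "audit it"
    filters: Dict[str, Callable[[dict], bool]] = field(default_factory=dict)

    def should_audit(self, event_type: str, status: str, attrs: dict) -> bool:
        allowed = self.custom_events if self.level == "Custom" else LEVEL_EVENTS.get(self.level, set())
        if event_type not in allowed:
            return False
        predicate = self.filters.get(event_type)
        return predicate({"status": status, **attrs}) if predicate else True


class BusStop:
    """Per-component intermediate file where audit records wait for the loader."""

    def __init__(self, directory: str, component: str):
        self.path = os.path.join(directory, f"{component}.busstop")

    def append(self, record: dict) -> None:
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record) + "\n")

    def drain(self) -> List[dict]:
        if not os.path.exists(self.path):
            return []
        with open(self.path, "r+", encoding="utf-8") as fh:
            records = [json.loads(line) for line in fh if line.strip()]
            fh.seek(0)
            fh.truncate()          # records now belong to the loader
        return records


class AuditAwareComponent:
    """A component that calls the audit function for each auditable event."""

    def __init__(self, name: str, policy: AuditPolicy, bus_stop: BusStop):
        self.name, self.policy, self.bus_stop = name, policy, bus_stop
        self.audit_failures = 0    # audit errors never stop the component; count them instead

    def audit(self, event_type: str, status: str, initiator: str, resource: str, ecid: str) -> bool:
        attrs = {"initiator": initiator, "resource": resource}
        if not self.policy.should_audit(event_type, status, attrs):
            return False                               # not covered by policy or filtered out
        record = {"component": self.name, "event": event_type, "status": status,
                  "initiator": initiator, "resource": resource, "ecid": ecid}
        try:
            self.bus_stop.append(record)               # write to this component's bus-stop
        except OSError:
            self.audit_failures += 1                   # fail open: the application carries on
            return False
        return True


class AuditLoader:
    """Collects records from every bus-stop in the instance and moves them to the store."""

    def __init__(self):
        self.store: List[dict] = []                    # stands in for the audit database

    def collect(self, bus_stops: List[BusStop]) -> int:
        moved = 0
        for bs in bus_stops:
            records = bs.drain()
            self.store.extend(records)
            moved += len(records)
        return moved


def run_demo() -> dict:
    """Runs the flow end to end on constructed events and returns what reached the store."""
    tmp = tempfile.mkdtemp()
    # Constructed filter: audit successful OID logins only for watched accounts; failures always.
    watched = {"cn=orcladmin"}
    oid_policy = AuditPolicy("Medium", filters={
        "UserLogin": lambda e: e["status"] == "FAILURE" or e["initiator"] in watched})
    oid = AuditAwareComponent("OID", oid_policy, BusStop(tmp, "OID"))
    ohs = AuditAwareComponent("OHS", AuditPolicy("Low"), BusStop(tmp, "OHS"))
    # Bus-stop directory that does not exist: audit writes fail, the component does not.
    ovd = AuditAwareComponent("OVD", AuditPolicy("Low"), BusStop(os.path.join(tmp, "missing"), "OVD"))

    oid.audit("UserLogin", "SUCCESS", "cn=orcladmin", "ldap://oid:3060", "ecid-0001")  # audited
    oid.audit("UserLogin", "SUCCESS", "cn=jsmith", "ldap://oid:3060", "ecid-0002")     # filtered out
    oid.audit("UserLogin", "FAILURE", "cn=jsmith", "ldap://oid:3060", "ecid-0003")     # audited
    oid.audit("PolicyChange", "SUCCESS", "cn=orcladmin", "cn=policy", "ecid-0004")     # audited (Medium)
    ohs.audit("UserLogin", "SUCCESS", "alice", "/index.html", "ecid-0005")             # audited (Low)
    ohs.audit("UserLogout", "SUCCESS", "alice", "/index.html", "ecid-0006")            # not in Low
    ovd.audit("UserLogin", "SUCCESS", "bob", "ldap://ovd:6501", "ecid-0007")           # write fails

    loader = AuditLoader()
    moved = loader.collect([oid.bus_stop, ohs.bus_stop, ovd.bus_stop])
    return {"moved": moved, "store": loader.store, "ovd_failures": ovd.audit_failures}
```

Calling `run_demo()` moves four records into the store (ECIDs 0001, 0003, 0004, 0005): the successful login by an unwatched user is dropped by the event filter, the logout is outside the Low policy, and the OVD login is lost because its bus-stop cannot be written. The `audit_failures` counter is the design point worth keeping from the "Application Behavior in Case of Audit Failure" paragraph: because the framework fails open, a component that silently cannot reach its bus-stop produces no audit trail, so the failure count is what an operator should monitor.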