Audit events

Operations that are collected in audit trails are called audit events. Table 9-3 lists and describes audit events.

Event type	Description and list of audit events	Selectable?
System administrator security event	Audits security events generated by HiRDB administrators and DBA privilege holders. Audits changes to connection security facility settings. Audits security events generated automatically by the system. An audit trail is output when any of the following events is generated: HiRDB startup (pdstart command)¹ HiRDB termination (pdstop command)^{1, 2} Auditor registration (pdmod command) Audit trail table creation (pdmod command) Audit trail file deletion (pdaudrm command)³ Start of audit trail collection⁵ End of audit trail collection⁶ Start of audit trail file overwrite Transition to consecutive certification failure account lock state Release of consecutive certification failure account lock state This occurs at the following times: When CONNECT is executed after the account lock period expires When DROP CONNECTION SECURITY is executed When the pdacunlck command is executed Transition to password invalid account lock state Release of password invalid account lock state Change in a connection security facility setting: Permitted number of consecutive certification failures Account lock period Items set with password character string restrictions (including pre-checking) Execution of the pdacnlck command	No (an audit trail is always output)
Auditor security event	Audits security events generated by the auditor. An audit trail is output when any of the following events is generated: Loading of data into an audit trail table (pdload command) Swapping of audit trail files (pdaudswap command) Definition of an audit event (CREATE AUDIT)⁴ Deletion of an audit trail event (DROP AUDIT)⁴ Changing an auditor password (GRANT AUDIT)⁴	No (an audit trail is always output)
Session security event	Audits events generated by user authentication based on an authorization identifier and password. An audit trail is output when either of the following events is generated: Connection to HiRDB (CONNECT statement) Changing users (SET SESSION AUTHORIZATION statement)	Yes
Privilege control event	Audits events generated by granting and revoking user privileges. An audit trail is output when either of the following events is generated: Granting a user privilege (GRANT statement) Revoking a user privilege (REVOKE statement)	Yes⁷
Object definition event	Audits events generated by definition, deletion, or modification of objects. An audit trail is output when any of the following events is generated: Definition of an object; audits the following SQL statements: CREATE ALIAS CREATE FOREIGN INDEX CREATE FOREIGN TABLE CREATE FUNCTION CREATE INDEX CREATE PROCEDURE CREATE PUBLIC VIEW CREATE SCHEMA CREATE SERVER CREATE TABLE CREATE TRIGGER CREATE TYPE CREATE USER MAPPING CREATE VIEW Deletion of an object; audits the following SQL statements: DROP ALIAS DROP DATA TYPE DROP FOREIGN INDEX DROP FOREIGN TABLE DROP FUNCTION DROP INDEX DROP PROCEDURE DROP PUBLIC VIEW DROP SCHEMA DROP SERVER DROP TABLE DROP TRIGGER DROP USER MAPPING DROP VIEW Modification of an object; audits the following SQL statements: ALTER PROCEDURE ALTER ROUTINE ALTER TABLE ALTER TRIGGER COMMENT	Yes⁷
Object operation event	Audits events generated by object manipulation. An audit trail is output when any of the following events is generated: Searching a table (SELECT statement) Insertion of rows in a table (INSERT statement) Updating of rows in a table (UPDATE statement) Deletion of rows from a table (DELETE statement) Deletion of all rows from a table (PURGE TABLE statement) Execution of a stored procedure (CALL statement) Locking a table (LOCK TABLE statement) Creation of a list (ASSIGN LIST statement)	Yes⁷
Utility operation event	Audits security events generated from operations on objects by utilities or commands. An audit trail is output when any of the following events is generated: Database load command (pdload command) Object: TABLE pddefrev command Object: ALIAS, PROCEDURE, TABLE, TRIGGER, and VIEW Database reorganization utility (pdrorg command) Object: TABLE Dictionary import/export utility (pdexp command) Object: ALIAS, PROCEDURE, TABLE, TRIGGER, and VIEW Integrity check utility (pdconstck command) Object: TABLE	Yes^{7, 8}

¹ In the case of a HiRDB/Parallel Server, startup and termination of a single server are not audit events.

² Normal termination and planned termination are audit events; forced termination and abnormal termination are not audit events. For these cases, check the messages output by HiRDB or the operating system.

The following termination commands are not monitored:

pdstop -f
pdstop -f -q
pdstop -f -x host-name
pdstop -f -u unit-identifier
pdstop -f -s server-name
pdstop -f -u unit-identifier -s server-name
pdstop -z
pdstop -z -q
pdstop -z -c
pdstop -z -s server-name

³ Creation of an audit trail file is not an audit event. To audit creation of audit trail files, use the audit facility provided by the OS.

⁴ You can also output an audit trail by executing the database definition utility (pddef command) or the interactive SQL execution utility (pdsql command).

⁵ An audit trail is output when the pdaudbegin command is executed or when an audit trail is collected at HiRDB startup.

⁶ An audit trail is output when the pdaudend command is executed or when an audit trail is collected during performance of normal or planned termination of HiRDB.

⁷ An audit trail is output unconditionally when the event terminates in the case of privilege control events, object definition events, object operation events, and utility operation events that target an audit trail table, a view base table of an audit trail table, or a list base table of an audit trail table. You can select whether or not to collect an audit trail when a privilege check is performed.

⁸ An audit trail is output unconditionally when the database reorganization utility (pdrorg command) is used to reload a dictionary table.

9.2.2 Audit events