22.1.7 Audited events

Actions that are collected in the audit trail are called audit events. Table 22-2 lists the audit events.

When the security audit facility is enabled, audit trails are output automatically by the system for some events. For other events, the auditor can select whether or not audit trails are to be collected.

Table 22-2 Audit events

Columns: Event type | Explanation and audited events | Selectability

Event type: System administrator security events
Explanation and audited events:
  1. Security events performed by the HiRDB administrator or users with DBA privilege are audited.
  2. Modifications of the setting values of the connection security facility are audited.
  3. Security events performed automatically by the system are audited.
  An audit trail is output when the following events occur:
  • HiRDB startup (pdstart command) (see note 1)
  • HiRDB termination (pdstop command) (see notes 1 and 2)
  • Auditor registration (pdmod command)
  • Audit trail table creation (pdmod command)
  • Audit trail file deletion (pdaudrm command) (see note 3)
  • Audit trail collection startup (see note 5)
  • Audit trail collection termination (see note 6)
  • Start of audit trail file overwriting
  • Transition to consecutive certification failure account lock state
  • Release of consecutive certification failure account lock state; applicable in the following cases:
    - During CONNECT after the account lock period has passed
    - During execution of DROP CONNECTION SECURITY
    - During execution of the pdacunlck command
  • Transition to password-invalid account lock state
  • Release of password-invalid account lock state
  • Modification of a setting value of the connection security facility:
    - Permitted number of consecutive certification failures
    - Account lock period
    - Items to be set up for character string restrictions for passwords (including an advance check)
  • Execution of the pdacnlck command
Selectability: N (an audit trail is always output)

Event type: Auditor security events
Explanation and audited events: These are audits of events performed by the auditor. An audit trail is output when the following events occur:
  • Data loading into an audit trail table (pdload command)
  • Swapping of audit trail files (pdaudswap command)
  • Defining events to be audited (CREATE AUDIT) (see note 4)
  • Deleting events to be audited (DROP AUDIT) (see note 4)
  • Changing the auditor password (GRANT AUDIT) (see note 4)
Selectability: N (an audit trail is always output)

Event type: Session security events
Explanation and audited events: These are audits of user authentication by authorization identifier and password. An audit trail is output when the following events occur:
  • Connection to HiRDB (CONNECT statement)
  • User change (SET SESSION AUTHORIZATION statement)
Selectability: Y

Event type: Privilege management events
Explanation and audited events: These are audits of addition or deletion of user privileges. An audit trail is output when the following events occur:
  • User privilege addition (GRANT statement)
  • User privilege deletion (REVOKE statement)
Selectability: Y (see note 7)

Event type: Object definition events
Explanation and audited events: These are audits of object definitions, deletions, or modifications. An audit trail is output when the following events occur:
  • Object definition; this applies to the following SQL statements:
    - CREATE ALIAS
    - CREATE FOREIGN INDEX
    - CREATE FOREIGN TABLE
    - CREATE FUNCTION
    - CREATE INDEX
    - CREATE PROCEDURE
    - CREATE PUBLIC VIEW
    - CREATE SCHEMA
    - CREATE SERVER
    - CREATE TABLE
    - CREATE TRIGGER
    - CREATE TYPE
    - CREATE USER MAPPING
    - CREATE VIEW
  • Object deletion; this applies to the following SQL statements:
    - DROP ALIAS
    - DROP DATA TYPE
    - DROP FOREIGN INDEX
    - DROP FOREIGN TABLE
    - DROP FUNCTION
    - DROP INDEX
    - DROP PROCEDURE
    - DROP PUBLIC VIEW
    - DROP SCHEMA
    - DROP SERVER
    - DROP TABLE
    - DROP TRIGGER
    - DROP USER MAPPING
    - DROP VIEW
  • Object modification; this applies to the following SQL statements:
    - ALTER PROCEDURE
    - ALTER ROUTINE
    - ALTER TABLE
    - ALTER TRIGGER
    - COMMENT
Selectability: Y (see note 7)

Event type: Object manipulation events
Explanation and audited events: These are audits of object manipulations. An audit trail is output when the following events occur:
  • Table reference (SELECT statement)
  • Table row insertion (INSERT statement)
  • Table row update (UPDATE statement)
  • Table row deletion (DELETE statement)
  • Deletion of all rows of a table (PURGE TABLE statement)
  • Stored procedure execution (CALL statement)
  • Table lock control (LOCK TABLE statement)
  • List creation (ASSIGN LIST statement)
Selectability: Y (see note 7)

Event type: Utility operation events
Explanation and audited events: Security events related to object operations performed by a utility or command are audited. An audit trail is output when any of the following is executed:
  • Database load utility (pdload command)
    Target object: TABLE
  • pddefrev command
    Target objects: ALIAS, PROCEDURE, TABLE, TRIGGER, and VIEW
  • Database reorganization utility (pdrorg command)
    Target object: TABLE
  • Dictionary import/export utility (pdexp command)
    Target objects: ALIAS, PROCEDURE, TABLE, TRIGGER, and VIEW
  • Integrity check utility (pdconstck command)
    Target object: TABLE
Selectability: Y (see notes 7 and 8)

Legend:
Y: Can be selected
N: Cannot be selected
Note 1: In HiRDB/Parallel Server, startup and termination of individual units are not regarded as audit events.
Note 2: Normal termination and planned termination are regarded as audit events. Forced termination and abnormal termination are not regarded as audit events. To audit forced termination or abnormal termination, use the messages output by HiRDB or the OS.
The following termination commands are not audited:
  • pdstop -f
  • pdstop -f -q
  • pdstop -f -x host-name
  • pdstop -f -u unit-identifier
  • pdstop -f -s server-name
  • pdstop -f -u unit-identifier -s server-name
  • pdstop -z
  • pdstop -z -q
  • pdstop -z -c
  • pdstop -z -s server-name
Note 3: Creation of an audit trail file is not regarded as an audit event. To audit creation of audit trail files, use the OS's audit facility.
Note 4: An audit trail is also output when the database definition utility (pddef command) or the interactive SQL execution utility (pdsql command) is executed.
Note 5: An audit trail is output when audit trail collection is started by the pdaudbegin command, or when HiRDB is started.
Note 6: An audit trail is output when audit trail collection is terminated by the pdaudend command, or when HiRDB is terminated normally or by planned termination while audit trails are being collected.
Note 7: If the target object of a privilege management event, object definition event, object manipulation event, or utility operation event is an audit trail table, a view table that uses an audit trail table as its base table, or a list that uses an audit trail table as its base table, an audit trail is output unconditionally when the event terminates. You can select whether to output an audit trail during privilege checking. However, because the database load utility (pdload command) executed for an audit trail table is classified as an auditor security event, the audit trail both at event termination and during privilege checking is output unconditionally.
Note 8: When the database reorganization utility (pdrorg command) is used to reload a dictionary table, an audit trail is output unconditionally.
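Note 2 leaves a coverage gap that an auditor has to close from OS or HiRDB messages: any pdstop invocation with -f or -z produces no audit trail. The following Python script is an added example (not code from the HiRDB manual) that applies that rule to pdstop command lines taken from an OS-level command log and lists the terminations the audit trail will not show; the log line format and the command-line samples are constructed for illustration.

```python
"""Coverage check for HiRDB termination auditing (added example, not HiRDB code).

Per note 2 of Table 22-2, pdstop runs that use -f (forced) or -z are not
recorded as audit events. This script classifies pdstop command lines and
reports the ones that must be correlated with OS or HiRDB messages instead.
The OS command-log line format "<timestamp> <user> <command>" is constructed
for illustration and is not an actual HiRDB or OS log format.
"""
import shlex
from typing import List, Tuple

# Options that make a pdstop invocation a forced or abnormal termination and
# therefore exclude it from the audit trail (Table 22-2, note 2).
UNAUDITED_PDSTOP_OPTIONS = {"-f", "-z"}


def is_pdstop_audited(command_line: str) -> bool:
    """Return True if HiRDB writes an audit trail for this pdstop invocation.

    Only normal and planned terminations are audited; any form carrying -f or
    -z is not. A non-pdstop command raises ValueError so that callers never
    silently misclassify it as an audited termination.
    """
    argv = shlex.split(command_line)
    if not argv or argv[0].rsplit("/", 1)[-1] != "pdstop":
        raise ValueError(f"not a pdstop invocation: {command_line!r}")
    return not (UNAUDITED_PDSTOP_OPTIONS & set(argv[1:]))


def unaudited_terminations(os_command_log: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, command) for every pdstop run in the constructed
    OS command log that leaves no HiRDB audit trail; other commands are skipped."""
    gaps = []
    for line in os_command_log:
        timestamp, _user, command = line.split(" ", 2)
        if command.split()[0].rsplit("/", 1)[-1] != "pdstop":
            continue
        if not is_pdstop_audited(command):
            gaps.append((timestamp, command))
    return gaps


# Constructed sample: OS-level record of commands run by the HiRDB administrator.
SAMPLE_OS_LOG = [
    "2024-01-10T02:00:01 hirdb /opt/HiRDB/bin/pdstop",
    "2024-01-10T09:15:44 hirdb /opt/HiRDB/bin/pdstop -f -u unt1",
    "2024-01-11T18:30:12 hirdb pdstart",
    "2024-01-12T23:59:58 hirdb pdstop -z -s sds01",
]

if __name__ == "__main__":
    for ts, cmd in unaudited_terminations(SAMPLE_OS_LOG):
        print(f"{ts}: '{cmd}' is not in the audit trail; check OS/HiRDB messages")
```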