By narrowing the audit trails, you can acquire only specific audit trails.
You can narrow audit trails by defining a condition in the CREATE AUDIT definition SQL statement, and then use DROP AUDIT as needed to drop audit trails.
Table 22-24 lists and describes the selection items that can be specified as audit trail narrowing conditions.
Table 22-24 Selection items that can be specified as audit trail narrowing conditions
Selection item | Specification | Description | Record items in the corresponding audit trail
---|---|---|---
Operation type | Required | Narrows the audit trails to be acquired to audit trails of a specified operation type. |
Trail type | Required | Narrows the audit trails to be acquired to audit trails of a specified trail type. |
Event success/failure | Required | Narrows the audit trails to be acquired on the basis of event success or failure. |
Object* | Optional | Acquires audit trails by narrowing the objects that were the target of a specific event. |
Table 22-25 Whether or not there is output from privilege checking when trails are narrowed by object
Privilege used | Whether or not there are objects | Objects that can be narrowed |
---|---|---|
DBA | No | None |
SCH | No | None |
CNT | No | None |
RDA | Yes (RDA) | Objects listed at left |
SEL | Yes (FTB, LST, TBL, VIW) | Objects listed at left |
INS | Yes (FTB, TBL, VIW) | Objects listed at left |
DEL | Yes (FTB, TBL, VIW) | Objects listed at left |
UPD | Yes (FTB, TBL, VIW) | Objects listed at left |
AUD | No | None* |
SYS | Yes (AUF, TBL) | -- |
OWN | Yes (FID, FNC, FSV, FTB, IDX, PRC, SCH, TBL, TRG, TYP, VIW) | Objects listed at left |
If you have specified a data dictionary table for the target object, specify the object type, authorization identifier, and table identifier as described in Table 22-26.
Table 22-26 Object type, authorization identifier, and table identifier when a data dictionary table is specified
Operation type | Object type | Authorization identifier | Table identifier |
---|---|---|---|
Object operation event | VIEW | MASTER | Table identifiers of the data dictionary tables, excluding the data dictionary tables used by the system |
Utility operation event | TABLE | Omitted* | Table identifiers of all data dictionary tables |
The following selections are available:
To acquire audit trails when the target of an object operation event is the table "USER1"."T1" and the target of the audit is the termination trail of an object definition event, define as follows:
CREATE AUDIT AUDITTYPE EVENT FOR ACCESS ON TABLE "USER1"."T1"
The following describes the trails that are acquired and the trails that are not when the above audit event is defined:
Some combinations of selection items serve no purpose. For such a combination of selection items, the executed CREATE AUDIT results in an error.
An example is when the object table "USER1"."T1" is specified in CONNECT for a session security event.
To use the security audit facility, a security audit information buffer is required. Therefore, you must estimate the shared memory requirement for the security audit information buffer.
You can either estimate the value manually and specify it in the pd_audit_def_buffer_size operand, or let the system determine the value automatically by omitting the pd_audit_def_buffer_size operand. When the system determines the value, it adds a margin to the memory size to ensure sufficient space. The required memory size depends on the number of entries for the objects that are the targets of narrowed audits. To determine the size of memory to allocate, the system takes the number of entries for the objects that have already been defined (N), computes both N + 100 and N × 1.2, and uses the larger of the two results as the size of memory to allocate. The following table shows the margin value:
Number of entries (N) for objects that have already been defined as the target of a narrowed audit | Condition | Margin value
---|---|---
0 | None | Value for 100 entries for the object that is the target of the narrowed audit
1 or greater | N + 100 > N × 1.2 | Value for 100 entries for the object that is the target of the narrowed audit
1 or greater | N + 100 ≤ N × 1.2 | Value for N × 1.2
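The automatic sizing rule above, worked as an added example that is not HiRDB's own code: it computes the entries the system would allocate for N already-defined object entries, reports which row of the margin table applied, and goes one step beyond the table by locating the entry count at which the 1.2 factor overtakes the fixed 100-entry margin. The function names and the sample values of N are assumptions; the page gives no bytes-per-entry figure, so results are in entries.

```python
from fractions import Fraction

# Added example (not HiRDB code). Sizes are in entries; converting entries to
# bytes needs a per-entry size that this page does not give (assumption: left
# to the caller). Fractions keep N x 1.2 exact, avoiding float rounding at the
# boundary where N + 100 == N x 1.2.

def buffer_plan(n: int):
    """Return (entries allocated, margin entries, rule applied) for N defined object entries."""
    if n < 0:
        raise ValueError("entry count cannot be negative")
    fixed = Fraction(n) + 100              # first candidate: N + 100
    scaled = Fraction(n) * Fraction(6, 5)  # second candidate: N x 1.2
    # Table row "N + 100 > N x 1.2" (and the N = 0 row) gives a 100-entry margin;
    # otherwise the system allocates N x 1.2, i.e. a 20% margin.
    if n == 0 or fixed > scaled:
        return fixed, Fraction(100), "100 entries"
    return scaled, scaled - n, "N x 1.2"

def crossover() -> int:
    """Smallest N for which N + 100 is no longer larger than N x 1.2."""
    n = 0
    while Fraction(n) + 100 > Fraction(n) * Fraction(6, 5):
        n += 1
    return n

if __name__ == "__main__":
    for n in (0, 100, 499, 500, 501, 1000):  # constructed sample entry counts
        entries, margin, rule = buffer_plan(n)
        print(f"N={n:5d} -> allocate {float(entries):8.1f} entries, margin {float(margin):6.1f} ({rule})")
    print(f"the 20% margin takes over from N = {crossover()}")
```

Below the crossover the automatic estimate is N + 100, so for small audit definitions the 100-entry margin dominates; above it, every additional defined object costs 1.2 entries of buffer.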
If the required amount of memory cannot be allocated when the security audit information buffer is created, the actions described in Tables 22-27 and 22-28 must be taken.
Table 22-27 HiRDB operation and actions to be taken when the security audit information buffer is created (during HiRDB startup)
pd_audit_def_buffer_size operand specification | Allocation of shared memory | HiRDB operation | Action
---|---|---|---
Specified | Failure | Does not start. In this case, HiRDB displays the KFPD00031-E message. | Take one of the following actions:
Specified | Success | Starts. If the definition information for all the audit events is not stored in the security audit information buffer, HiRDB displays the KFPD00032-W message. | Because performance may decline, re-estimate the pd_audit_def_buffer_size operand value.
Omitted | Failure | Starts, but does not create the security audit information buffer. In this case, HiRDB displays the KFPD00032-W message. | Because performance may decline, take one of the following actions:
Omitted | Success | Starts. | No action is required.
Table 22-28 HiRDB operation and actions to be taken when the security audit information buffer is created (during HiRDB operation)
pd_audit_def_buffer_size operand specification | Overflow of definition information for audit events in the security audit information buffer | HiRDB operation | Action
---|---|---|---
Specified | Yes | Stores as much definition information for audit events as possible in the security audit information buffer and then resumes processing. In this case, HiRDB displays the KFPD00032-W message. | Re-estimate the value of the pd_audit_def_buffer_size operand according to the displayed KFPD00032-W message. If no action is taken, performance may decline.
Specified | No | Stores the definition information for all the audit events in the security audit information buffer and then resumes processing. | No action is required.
Omitted | Yes | Stores as much definition information for audit events as possible in the security audit information buffer and then resumes processing. In this case, HiRDB displays the KFPD00032-W message. | Restart HiRDB. The system recalculates the size and creates a security audit information buffer. If the KFPD00032-W message is displayed when HiRDB restarts, take one of the following actions:
Omitted | No | Stores the definition information for all the audit events in the security audit information buffer and then resumes processing. | No action is required.
When the pd_audit_def_buffer_size operand is omitted, the specification value is determined automatically by the system. If definitions of audit events increase during HiRDB operation, the size of the security audit information buffer increases the next time HiRDB starts. This means that the size of the security audit information buffer may increase each time HiRDB is started.
This subsection describes HiRDB's operation in the event of an error in the security audit information buffer.
The security audit information buffer is created when HiRDB starts. If an error occurs, the HiRDB operation depends on whether the size of the security audit information buffer is being determined automatically by the system or manually by the user.
Table 22-29 describes the causes of errors during HiRDB startup and the HiRDB operations.
Table 22-29 Causes of errors during HiRDB startup and HiRDB operations
Cause of error | | HiRDB operation when the pd_audit_def_buffer_size operand is omitted | HiRDB operation when the pd_audit_def_buffer_size operand is specified
---|---|---|---
Area allocation error | Shared memory for buffer | Starts with size 0 | Cannot start
Area allocation error | Process private memory for dictionary search | Starts with size 0 | Allocates shared memory and then resumes processing
Communication error | | Starts with size 0 | Allocates shared memory and then resumes processing
Dictionary access error | Rollback is not required | Starts with size 0 | Allocates shared memory and then resumes processing
Dictionary access error | Rollback is required | Cannot start* | Allocates shared memory and then resumes processing
If an error occurs while HiRDB is checking the definition information for audit events, HiRDB outputs the corresponding audit trail regardless of the definition of audit events.
If an error occurs during SQL execution, HiRDB also outputs audit trails. In this case, an error may also occur when the definition information for an audit event is acquired during output of an audit trail. Table 22-30 describes the combinations of errors, the SQL codes to be set, and whether or not rollback is required. If an error occurs during output of audit trails, HiRDB ignores that error and resumes processing.
Table 22-30 Combinations of errors, SQL codes to be set, and whether or not rollback is required
Status before acquisition of audit event definition | Status during acquisition of audit event definition | SQL code to be set | Whether or not rollback is required
---|---|---|---
Normal | Normal | 0 | No
Normal | Error requiring rollback | SQL code during acquisition of audit event definition | Yes
Normal | Error not requiring rollback | SQL code before acquisition of audit event definition | No
Error requiring rollback | Normal | SQL code before acquisition of audit event definition | Yes
Error requiring rollback | Error requiring rollback | SQL code before acquisition of audit event definition | Yes
Error requiring rollback | Error not requiring rollback | SQL code before acquisition of audit event definition | Yes
Error not requiring rollback | Normal | SQL code before acquisition of audit event definition | No
Error not requiring rollback | Error requiring rollback | SQL code before acquisition of audit event definition | Yes
Error not requiring rollback | Error not requiring rollback | SQL code before acquisition of audit event definition | No
When an event occurs, the status of the security audit information buffer changes, such as from disabled to enabled. The following table shows the changes in the security audit information buffer status when an event occurs.
Event | (1) Initial status (before HiRDB start) | (2) Disabled status (no information has been set) | (3) Enabled status (information has been set) | (4) Disabled status (old information remains)
---|---|---|---|---
Completion of HiRDB startup processing | [status change; image not preserved] | -- | -- | --
Access to security audit information buffer | -- | [status change; image not preserved] | [status change; image not preserved] | [status change; image not preserved]
Change to audit event definition (execution of CREATE AUDIT or DROP AUDIT) | -- | [status change; image not preserved] | [status change; image not preserved] | [status change; image not preserved]