Nonstop Database, HiRDB Version 9 System Operation Guide


24.9 Narrowing the audit trails

By narrowing the audit trails, you can acquire only the audit trails you need instead of every trail the security audit facility can produce.

You narrow audit trails by specifying narrowing conditions in the CREATE AUDIT definition SQL statement. Use DROP AUDIT to delete an audit target event definition that is no longer needed.

Organization of this section
(1) Selection items
(2) Available selections
(3) Combinations of selection items
(4) Security audit information buffer
(5) HiRDB operation in the event of an error in the security audit information buffer
(6) Change of security audit information buffer status

(1) Selection items

The following table lists and describes the selection items that can be specified as audit trail narrowing conditions.

Table 24-30 Selection items that can be specified as audit trail narrowing conditions

Selection item | Specification | Description | Record items in the corresponding audit trail
Operation type | Required | Narrows the audit trails to be acquired to audit trails of a specified operation type. | Record items:
  • Event type
  • Event subtype
Trail type | Required | Narrows the audit trails to be acquired to audit trails of a specified trail type. | Record items:
  • Audit trail type
Event success/failure | Required | Narrows the audit trails to be acquired on the basis of event success or failure. | Record items:
  • Event success or failure
Executor#1 | Optional | Narrows the audit trails to be acquired to audit trails of events executed by a specific user. | Record items:
  • Event executor
Object#2 | Optional | Narrows the audit trails to be acquired to audit trails of events whose target is a specific object. | Record items:
  • Object owner
  • Object name
  • Object type

#1
The following rules apply to specification of an executor:
  • You can define an audit target event even for a non-existent executor.
  • Even when the executor specified in the audit target event definition is deleted, the audit target event definition is not changed.

#2
The following rules apply to object specification:
  • An audit event definition can name an object that does not exist yet. This lets you narrow the trails to an object before it is created, so that the CREATE statement that creates it is itself audited.
  • An audit event definition is not changed when the object it names is dropped by another SQL statement or when one of the object's attributes (such as its name) is changed. The following are examples:
    Example 1: An audit event definition is specified for table T1, and the table is then renamed from T1 to T2. The specification of T1 remains unchanged in the audit event definition (trails for T2 are not acquired by it).
    Example 2: An audit event definition is specified for table T1, and table T1 is then dropped by DROP TABLE. The audit event definition remains as is.
  • For privilege checking trails, a trail is acquired only when the object that privilege checking targets matches the object specified for the event. Privilege checks for privileges that have no target object (DBA, SCH, CNT and AUD in the following table) can therefore never match an object condition and produce no privilege checking trail. If you narrow audit trails by object, we recommend that you acquire the trails at the time of event termination instead. The following table shows whether privilege checking produces output when trails are narrowed by object.

    Table 24-31 Whether there is output from privilege checking when trails are narrowed by object

    Privilege used | Whether there are objects | Objects that can be narrowed
    DBA | No | None
    SCH | No | None
    CNT | No | None
    RDA | Yes (RDA) | Objects listed at left
    SEL | Yes (LST, TBL, VIW) | Objects listed at left
    INS | Yes (TBL, VIW) | Objects listed at left
    DEL | Yes (TBL, VIW) | Objects listed at left
    UPD | Yes (TBL, VIW) | Objects listed at left
    AUD | No | None#
    SYS | Yes (AUF, TBL) | --
    OWN | Yes (FNC, IDX, PRC, SCH, SEQ, TBL, TRG, TYP, VIW) | Objects listed at left

Legend:

--: If the audit facility is executing, audit trails are always output regardless of the audit event definition.

Note:
For details about the privileges that are used and the symbols for indicating whether there is an object, see Table 24-20 Audit trail table columns.

#
In the case of an auditor's security event, if the security audit facility is executing, audit trails are always output regardless of the audit event definition.

If you specify a data dictionary table as the target object, specify the object type, authorization identifier, and table identifier as described in the following table.

Table 24-32 Object type, authorization identifier, and table identifier when a data dictionary table is specified

Operation type | Object type | Authorization identifier | Table identifier
Object operation event | VIEW | MASTER | Table identifiers of the data dictionary tables, excluding the data dictionary tables used by the system
Utility operation event | TABLE | Omitted# | Table identifiers of all data dictionary tables

#
Even when the authorization identifier is omitted, (Data dictionary) is stored in the object owner column of the data dictionary table SQL_AUDITS.

(2) Available selections

The following selections are available:

Legend:
Y: Can be combined.
N: Cannot be combined.
--: Cannot be specified at the same time.

To acquire audit trails when the target of an object operation event is the table "USER1"."T1" and the target of the audit is the termination trail of an object definition event, define as follows:

CREATE AUDIT AUDITTYPE EVENT FOR ACCESS ON TABLE "USER1"."T1"
CREATE AUDIT AUDITTYPE EVENT FOR DEFINITION

With these two definitions in place, the following trails are and are not acquired:

Trails that are acquired:
  • Event termination trail when the table "USER1"."T1" is searched
  • Event termination trail when the CREATE statement is executed

Trails that are not acquired:
  • Trail when a table other than "USER1"."T1" is searched
  • Trail of a connection event
  • Trail of a utility operation event

(3) Combinations of selection items

Some combinations of selection items are meaningless, and CREATE AUDIT rejects such a combination with an error.

For example, a CONNECT session security event has no target object, so specifying the table "USER1"."T1" as the object of a CONNECT session security event is an error.

(4) Security audit information buffer

The security audit facility uses the security audit information buffer. The buffer holds one entry per executor or object for which an audit target event is defined; all definitions that name the same executor, or the same object, share a single entry. In the following definition example, the six statements produce three entries: one for "USER1", one for "USER2"."T1", and one for "USER2".

CREATE AUDIT AUDITTYPE EVENT FOR ACCESS BY AUTHORIZATION "USER1"
CREATE AUDIT AUDITTYPE EVENT FOR DEFINITION BY AUTHORIZATION "USER1"
CREATE AUDIT AUDITTYPE EVENT FOR SESSION BY AUTHORIZATION "USER1"
CREATE AUDIT AUDITTYPE EVENT FOR ACCESS ON TABLE "USER2"."T1"
CREATE AUDIT AUDITTYPE EVENT FOR PRIVILEGE ON TABLE "USER2"."T1"
CREATE AUDIT AUDITTYPE EVENT FOR DEFINITION BY AUTHORIZATION "USER2"

When the above audit target events are defined, the number of entries in the security audit information buffer is 3.

You also need to estimate the size of the shared memory for the security audit information buffer. Two methods are available. In the first method, you estimate a value yourself and specify it in the pd_audit_def_buffer_size operand of the system definition. In the second method, you omit the pd_audit_def_buffer_size operand and HiRDB calculates the size automatically. When HiRDB calculates the size, it adds a margin so that there is sufficient space. Because the memory size is determined by the number of entries N in the buffer, HiRDB sizes the buffer for the larger of N + 100 and N × 1.2 entries; that is, the margin is 100 entries while N + 100 is larger than N × 1.2 (N below 500), and N × 0.2 entries otherwise. The following table shows the margin value:

Number of entries already defined as the target of a narrowed audit | Condition | Margin value
0 | None | 100 entries in the security audit information buffer
1 or greater | N + 100 > N × 1.2 | 100 entries in the security audit information buffer
1 or greater | N + 100 ≤ N × 1.2 | N × 0.2 entries in the security audit information buffer

Legend:
N: Number of entries already defined in the security audit information buffer
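The entry-counting rule and the margin rule above, as an added example that is not part of the HiRDB manual. It parses the CREATE AUDIT statement shapes that appear on this page with regular expressions, counts one buffer entry per distinct executor or object, and applies the "larger of N + 100 and N × 1.2" rule. The regular expressions, the treatment of a statement that names neither an executor nor an object (counted as one entry of its own), and rounding the margin up to whole entries are assumptions of this example. The manual gives no bytes-per-entry figure, so the result is a number of entries, not a value for pd_audit_def_buffer_size.

```python
"""Estimate the HiRDB security audit information buffer in entries.

Added example, not from the HiRDB manual. Only the CREATE AUDIT clause
shapes shown on this page (FOR <event> [BY AUTHORIZATION "x"]
[ON <type> "o"."n"]) are recognised; everything else is an assumption.
"""
import re

# Constructed sample: the six definitions from the manual's buffer example.
SAMPLE_DEFINITIONS = [
    'CREATE AUDIT AUDITTYPE EVENT FOR ACCESS BY AUTHORIZATION "USER1"',
    'CREATE AUDIT AUDITTYPE EVENT FOR DEFINITION BY AUTHORIZATION "USER1"',
    'CREATE AUDIT AUDITTYPE EVENT FOR SESSION BY AUTHORIZATION "USER1"',
    'CREATE AUDIT AUDITTYPE EVENT FOR ACCESS ON TABLE "USER2"."T1"',
    'CREATE AUDIT AUDITTYPE EVENT FOR PRIVILEGE ON TABLE "USER2"."T1"',
    'CREATE AUDIT AUDITTYPE EVENT FOR DEFINITION BY AUTHORIZATION "USER2"',
]

# Assumed clause syntax: BY AUTHORIZATION "USER", ON TABLE "OWNER"."NAME".
_EXECUTOR_RE = re.compile(r'\bBY\s+AUTHORIZATION\s+("[^"]*")', re.IGNORECASE)
_OBJECT_RE = re.compile(r'\bON\s+(\w+)\s+("[^"]*"(?:\."[^"]*")*)', re.IGNORECASE)


def entry_key(statement):
    """Return the buffer entry a CREATE AUDIT statement belongs to.

    The manual says the buffer holds one entry per executor or object, so the
    key is (executor, object type, object name). A statement that narrows by
    neither maps to (None, None, None), which this example counts as one
    entry of its own (assumption; the manual does not say).
    """
    text = " ".join(statement.split())
    if not text.upper().startswith("CREATE AUDIT "):
        raise ValueError("not a CREATE AUDIT statement: %r" % statement)
    executor = obj_type = obj_name = None
    m = _EXECUTOR_RE.search(text)
    if m:
        executor = m.group(1)
    m = _OBJECT_RE.search(text)
    if m:
        obj_type, obj_name = m.group(1).upper(), m.group(2)
    return (executor, obj_type, obj_name)


def count_entries(statements):
    """Number of distinct buffer entries the given definitions occupy (N)."""
    return len({entry_key(s) for s in statements})


def margin_entries(n):
    """Margin HiRDB adds when pd_audit_def_buffer_size is omitted.

    Sizing for max(N + 100, N * 1.2) entries is the same as a margin of
    max(100, 0.2 * N): 100 entries while N + 100 > 1.2 * N (N < 500),
    otherwise 0.2 * N. Integer arithmetic rounds 0.2 * N up to whole
    entries (an assumption of this example).
    """
    if n < 0:
        raise ValueError("entry count cannot be negative")
    return max(100, (n + 4) // 5)


def buffer_entries(statements):
    """Entries the automatically sized buffer is created for: N plus margin."""
    n = count_entries(statements)
    return n + margin_entries(n)


if __name__ == "__main__":
    print("defined entries:", count_entries(SAMPLE_DEFINITIONS))
    print("auto-sized buffer:", buffer_entries(SAMPLE_DEFINITIONS), "entries")
```

Running the block on the manual's six definitions reproduces the count of 3 entries from the text; with the 100-entry margin the automatically sized buffer would hold 103 entries. The function raises on anything that is not a CREATE AUDIT statement, so a DROP AUDIT in the same list is caught instead of being silently counted.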

If the required amount of memory cannot be allocated when the security audit information buffer is created, the actions described in Table 24-34 HiRDB operation and actions to be taken when security audit information buffer is created (during HiRDB startup) and Table 24-35 HiRDB operation and actions to be taken when security audit information buffer is created (during HiRDB operation) must be taken.

Note
If the security audit information buffer cannot hold the definition information for all audit events, processing might slow down because the definitions that do not fit must be read from the data dictionary table each time they are needed.

Table 24-34 HiRDB operation and actions to be taken when the security audit information buffer is created (during HiRDB startup)

pd_audit_def_buffer_size operand specified, shared memory allocation fails:
  HiRDB operation: Does not start. HiRDB displays the KFPD00031-E message.
  Action: Take one of the following actions:
  • Increase the OS's shared memory size.
  • Provide free space in the OS's shared memory.
  • Decrease the pd_audit_def_buffer_size operand value.

pd_audit_def_buffer_size operand specified, shared memory allocation succeeds:
  HiRDB operation: Starts. If the definition information for all the audit events does not fit in the security audit information buffer, HiRDB displays the KFPD00032-W message.
  Action: Because performance might decline, re-estimate the pd_audit_def_buffer_size operand value.

pd_audit_def_buffer_size operand omitted, shared memory allocation fails:
  HiRDB operation: Starts, but does not create the security audit information buffer. HiRDB displays the KFPD00032-W message.
  Action: Because performance might decline, take one of the following actions:
  • Increase the OS's shared memory size.
  • Provide free space in the OS's shared memory.
  If neither action can be taken, specify in the pd_audit_def_buffer_size operand a value smaller than the value the system determined automatically.

pd_audit_def_buffer_size operand omitted, shared memory allocation succeeds:
  HiRDB operation: Starts.
  Action: No action is required.

Table 24-35 HiRDB operation and actions to be taken when the security audit information buffer is created (during HiRDB operation)

pd_audit_def_buffer_size operand specified, audit event definition information overflows the buffer:
  HiRDB operation: Stores as much definition information for audit events as fits in the security audit information buffer and then resumes processing. HiRDB displays the KFPD00032-W message.
  Action: Re-estimate the value of the pd_audit_def_buffer_size operand according to the displayed KFPD00032-W message. If no action is taken, performance might decline.

pd_audit_def_buffer_size operand specified, no overflow:
  HiRDB operation: Stores the definition information for all the audit events in the security audit information buffer and then resumes processing.
  Action: No action is required.

pd_audit_def_buffer_size operand omitted, audit event definition information overflows the buffer:
  HiRDB operation: Stores as much definition information for audit events as fits in the security audit information buffer and then resumes processing. HiRDB displays the KFPD00032-W message.
  Action: Restart HiRDB. The system recalculates the size and creates a new security audit information buffer. If the KFPD00032-W message is displayed again when HiRDB restarts, take one of the following actions:
  • Increase the OS's shared memory size.
  • Provide free space in the OS's shared memory.
  If neither action can be taken, specify in the pd_audit_def_buffer_size operand a value smaller than the value the system determined automatically.

pd_audit_def_buffer_size operand omitted, no overflow:
  HiRDB operation: Stores the definition information for all the audit events in the security audit information buffer and then resumes processing.
  Action: No action is required.


When the pd_audit_def_buffer_size operand is omitted, the specification value is determined automatically by the system. If definitions of audit events increase during HiRDB operation, the size of the security audit information buffer increases the next time HiRDB starts. This means that the size of the security audit information buffer might increase each time HiRDB is started.

(5) HiRDB operation in the event of an error in the security audit information buffer

This subsection describes HiRDB's operation in the event of an error in the security audit information buffer.

(a) At HiRDB startup

The security audit information buffer is created when HiRDB starts. If an error occurs, the HiRDB operation depends on whether the size of the security audit information buffer is being determined automatically by the system or manually by the user.

The following table describes the causes of errors that occur during HiRDB startup and the corresponding HiRDB operations.

Table 24-36 Causes of errors during HiRDB startup and HiRDB operations

Cause of error | HiRDB operation when pd_audit_def_buffer_size is omitted | HiRDB operation when pd_audit_def_buffer_size is specified
Area allocation error: shared memory for the buffer | Starts with size 0 | Cannot start
Area allocation error: process private memory for dictionary search | Starts with size 0 | Allocates shared memory and then resumes processing
Communication error | Starts with size 0 | Allocates shared memory and then resumes processing
Dictionary access error: rollback is not required | Starts with size 0 | Allocates shared memory and then resumes processing
Dictionary access error: rollback is required | Cannot start# | Allocates shared memory and then resumes processing

#
For a HiRDB parallel server configuration, if the error cannot be corrected after the specified number of restart attempts, HiRDB places the front-end server in SUSPEND status.
For a HiRDB single server configuration, HiRDB immediately terminates abnormally.

(b) During HiRDB operation

If an error occurs while HiRDB is checking the definition information for audit events, HiRDB outputs the corresponding audit trail regardless of the audit event definition. A fault in the narrowing check therefore never suppresses a trail; at worst it produces trails that the definition would have filtered out.

If an error occurs during SQL execution, HiRDB also outputs audit trails. In that case, a second error might occur when the audit event definition information is acquired during output of the audit trail. The following table shows the combinations of the two errors, the SQL code that is set, and whether rollback is required. An error that occurs during the output of the audit trail itself is ignored, and HiRDB resumes processing.

Table 24-37 Combinations of errors, SQL codes to be set, and whether rollback is required

Status before acquisition of audit event definition | Status during acquisition of audit event definition | SQL code to be set | Whether rollback is required
Normal | Normal | 0 | No
Normal | Error requiring rollback | SQL code of the error during acquisition of the audit event definition | Yes
Normal | Error not requiring rollback | SQL code before acquisition of the audit event definition | No
Error requiring rollback | Normal | SQL code before acquisition of the audit event definition | Yes
Error requiring rollback | Error requiring rollback | SQL code before acquisition of the audit event definition | Yes
Error requiring rollback | Error not requiring rollback | SQL code before acquisition of the audit event definition | Yes
Error not requiring rollback | Normal | SQL code before acquisition of the audit event definition | No
Error not requiring rollback | Error requiring rollback | SQL code before acquisition of the audit event definition | Yes
Error not requiring rollback | Error not requiring rollback | SQL code before acquisition of the audit event definition | No

(6) Change of security audit information buffer status

When an event occurs, the status of the security audit information buffer changes, for example from disabled to enabled. The buffer has four statuses:

1: Initial status (before HiRDB start)
2: Disabled status (no information has been set)
3: Enabled status (information has been set)
4: Disabled status (old information remains)

The following table shows the status the security audit information buffer moves to when an event occurs in each of these statuses:

Event | Status 1 | Status 2 | Status 3 | Status 4
Completion of HiRDB startup processing | →2 | -- | -- | --
Access to security audit information buffer | -- | →3 | →3 | →3
Change to audit event definition (execution of CREATE AUDIT or DROP AUDIT) | -- | →2 | →4 | →4

Legend:
→n: When the event occurs, the security audit information buffer is placed in the status indicated by the number n.
--: Not applicable