Nonstop Database, HiRDB Version 9 System Operation Guide
By narrowing the audit trails, you can acquire only specific audit trails.
You can narrow audit trails by defining a condition in the CREATE AUDIT definition SQL statement, and then use DROP AUDIT as needed to drop audit trails.
The following table lists and describes the selection items that can be specified as audit trail narrowing conditions.
Table 24-30 Selection items that can be specified as audit trail narrowing conditions
Selection item | Specification | Description | Record items in the corresponding audit trail |
---|---|---|---|
Operation type | Required | Narrows the audit trails to be acquired to audit trails of a specified operation type. | |
Trail type | Required | Narrows the audit trails to be acquired to audit trails of a specified trail type. | |
Event success/failure | Required | Narrows the audit trails to be acquired on the basis of event success or failure. | |
Executor#1 | Optional | Narrows the audit trails to be acquired to audit trails of events executed by a specific user. | |
Object#2 | Optional | Narrows the audit trails to be acquired to audit trails of events whose target is a specific object. | |
Table 24-31 Whether there is output from privilege checking when trails are narrowed by object
Privilege used | Whether there are objects | Objects that can be narrowed |
---|---|---|
DBA | No | None |
SCH | No | None |
CNT | No | None |
RDA | Yes (RDA) | Objects listed at left |
SEL | Yes (LST, TBL, VIW) | Objects listed at left |
INS | Yes (TBL, VIW) | Objects listed at left |
DEL | Yes (TBL, VIW) | Objects listed at left |
UPD | Yes (TBL, VIW) | Objects listed at left |
AUD | No | None# |
SYS | Yes (AUF, TBL) | -- |
OWN | Yes (FNC, IDX, PRC, SCH, SEQ, TBL, TRG, TYP, VIW) | Objects listed at left |
If you specified a data dictionary table for the target object, specify the object type, authorization identifier, and table identifier as described in the following table.
Table 24-32 Object type, authorization identifier, and table identifier when a data dictionary table is specified
Operation type | Object type | Authorization identifier | Table identifier |
---|---|---|---|
Object operation event | VIEW | MASTER | Table identifiers of the data dictionary tables, excluding the data dictionary tables used by the system |
Utility operation event | TABLE | Omitted# | Table identifiers of all data dictionary tables |
The following selections are available:
Table 24-33 Combinations of selection items in a single CREATE AUDIT statement
Selection item or items that can be specified at the same time | Operation type | Trail type | Event success/failure | Executor | Object |
---|---|---|---|---|---|
Operation type | -- | Y | Y | Y | Y |
Trail type | Y | -- | Y | Y | Y |
Event success/failure | Y | Y | -- | Y | Y |
Executor | Y | Y | Y | -- | N |
Object | Y | Y | Y | N | -- |
To acquire audit trails when the target of an object operation event is the table "USER1"."T1" and the target of the audit is the termination trail of an object definition event, define as follows:
```sql
CREATE AUDIT AUDITTYPE EVENT FOR ACCESS ON TABLE "USER1"."T1"
CREATE AUDIT AUDITTYPE EVENT FOR DEFINITION
```
The following describes the trails that are acquired and the trails that are not when the above audit event is defined:
Some combinations of selection items serve no purpose. For such a combination of selection items, the executed CREATE AUDIT results in an error.
An example is when the object table "USER1"."T1" is specified in CONNECT for a session security event.
The security audit facility uses the security audit information buffer. In the security audit information buffer, the audit target events for each executor or object are held as a single entry. A definition example is described below. This example defines the following three entries: an entry related to "USER1", an entry related to "USER2"."T1", and an entry related to "USER2".
```sql
CREATE AUDIT AUDITTYPE EVENT FOR ACCESS BY AUTHORIZATION "USER1"
CREATE AUDIT AUDITTYPE EVENT FOR DEFINITION BY AUTHORIZATION "USER1"
CREATE AUDIT AUDITTYPE EVENT FOR SESSION BY AUTHORIZATION "USER1"
CREATE AUDIT AUDITTYPE EVENT FOR ACCESS ON TABLE "USER2"."T1"
CREATE AUDIT AUDITTYPE EVENT FOR PRIVILEGE ON TABLE "USER2"."T1"
CREATE AUDIT AUDITTYPE EVENT FOR DEFINITION BY AUTHORIZATION "USER2"
```
When the above audit target events are defined, the number of entries in the security audit information buffer is 3.
You also need to estimate the size of shared memory for the security audit information buffer. Two methods are available for making this estimate. In the first method, the user estimates a value and specifies it in the pd_audit_def_buffer_size operand of the system definition. In the second method, the system automatically calculates the size (with the pd_audit_def_buffer_size operand omitted). When the system determines the value, a margin is added to the memory size to ensure sufficient space. Since the memory size is determined by the number of entries in the security audit information buffer, either add 100 to the number of entries in the security audit information buffer already defined, or multiply the number of entries by 1.2, and select whichever is larger. The following table shows the margin value:
Number of entries (N) for objects already defined as the target of a narrowed audit | Condition | Margin value |
---|---|---|
0 | None | 100 entries in the security audit information buffer |
1 or greater | N + 100 > N × 1.2 | 100 entries in the security audit information buffer |
1 or greater | N + 100 ≤ N × 1.2 | N × 0.2 entries in the security audit information buffer |
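An added Python example (not HiRDB's own code or tooling) that counts the buffer entries defined by a set of CREATE AUDIT statements, grouped per executor or object as in the three-entry example above, and then applies the margin rule from the table. The statement pattern it recognises, and the assumption that a statement with neither an executor nor an object takes no entry, are assumptions of this example; the sample statements are constructed from the definition example.

```python
import re

# Constructed sample: the six statements of the definition example, one per string.
SAMPLE_STATEMENTS = [
    'CREATE AUDIT AUDITTYPE EVENT FOR ACCESS BY AUTHORIZATION "USER1"',
    'CREATE AUDIT AUDITTYPE EVENT FOR DEFINITION BY AUTHORIZATION "USER1"',
    'CREATE AUDIT AUDITTYPE EVENT FOR SESSION BY AUTHORIZATION "USER1"',
    'CREATE AUDIT AUDITTYPE EVENT FOR ACCESS ON TABLE "USER2"."T1"',
    'CREATE AUDIT AUDITTYPE EVENT FOR PRIVILEGE ON TABLE "USER2"."T1"',
    'CREATE AUDIT AUDITTYPE EVENT FOR DEFINITION BY AUTHORIZATION "USER2"',
]

# Assumption: only the statement shapes shown on this page are recognised
# (FOR <operation type>, then an optional BY AUTHORIZATION or ON TABLE clause).
STATEMENT_RE = re.compile(
    r'^CREATE\s+AUDIT\s+AUDITTYPE\s+(?P<trail>\w+)\s+FOR\s+(?P<op>\w+)'
    r'(?:\s+BY\s+AUTHORIZATION\s+"(?P<user>[^"]+)")?'
    r'(?:\s+ON\s+TABLE\s+"(?P<schema>[^"]+)"\."(?P<table>[^"]+)")?\s*$',
    re.IGNORECASE,
)

def entry_key(statement):
    """Return the buffer entry (executor or object) a statement belongs to, or None.
    Table 24-33: executor and object cannot be specified in the same statement."""
    m = STATEMENT_RE.match(statement.strip())
    if m is None:
        raise ValueError(f"unrecognised statement: {statement}")
    if m["user"] and m["schema"]:
        raise ValueError("executor and object cannot be combined in one CREATE AUDIT")
    if m["user"]:
        return ("executor", m["user"])
    if m["schema"]:
        return ("object", f'"{m["schema"]}"."{m["table"]}"')
    return None  # assumption: not narrowed by executor or object, so no entry

def count_entries(statements):
    """Number of distinct executor/object entries the statements define."""
    return len({k for k in map(entry_key, statements) if k is not None})

def margin_entries(n):
    """Margin the system adds for N already-defined entries (table above)."""
    if n == 0 or n + 100 > n * 1.2:
        return 100
    return n * 0.2

def estimated_entries(statements):
    """Defined entries plus margin: the entry count the buffer is sized for."""
    n = count_entries(statements)
    return n + margin_entries(n)
```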
If the required amount of memory cannot be allocated when the security audit information buffer is created, the actions described in Table 24-34 HiRDB operation and actions to be taken when security audit information buffer is created (during HiRDB startup) and Table 24-35 HiRDB operation and actions to be taken when security audit information buffer is created (during HiRDB operation) must be taken.
Table 24-34 HiRDB operation and actions to be taken when security audit information buffer is created (during HiRDB startup)
pd_audit_def_buffer_size operand specification | Allocation of shared memory | HiRDB operation | Action |
---|---|---|---|
Specified | Failure | Does not start. In this case, HiRDB displays the KFPD00031-E message. | Take one of the following actions: |
Specified | Success | Starts. If the definition information for all the audit events is not stored in the security audit information buffer, HiRDB displays the KFPD00032-W message. | Because performance might decline, re-estimate the pd_audit_def_buffer_size operand value. |
Omitted | Failure | Starts, but does not create the security audit information buffer. In this case, HiRDB displays the KFPD00032-W message. | Because performance might decline, take one of the following actions: |
Omitted | Success | Starts. | No action is required. |
Table 24-35 HiRDB operation and actions to be taken when security audit information buffer is created (during HiRDB operation)
pd_audit_def_buffer_size operand specification | Overflow of definition information for audit event in security audit information buffer | HiRDB operation | Action |
---|---|---|---|
Specified | Yes | Stores as much definition information for audit events as possible in the security audit information buffer and then resumes processing. In this case HiRDB displays the KFPD00032-W message. | Re-estimate the value of the pd_audit_def_buffer_size operand according to the displayed KFPD00032-W message. If no action is taken, performance might decline. |
Specified | No | Stores the definition information for all the audit events in the security audit information buffer and then resumes processing. | No action is required. |
Omitted | Yes | Stores as much definition information for audit events as possible in the security audit information buffer and then resumes processing. In this case HiRDB displays the KFPD00032-W message. | Restart HiRDB. The system re-calculates the size and creates a security audit information buffer. If the KFPD00032-W message is displayed when HiRDB restarts, take one of the following actions: |
Omitted | No | Stores the definition information for all the audit events in the security audit information buffer and then resumes processing. | No action is required. |
When the pd_audit_def_buffer_size operand is omitted, the specification value is determined automatically by the system. If definitions of audit events increase during HiRDB operation, the size of the security audit information buffer increases the next time HiRDB starts. This means that the size of the security audit information buffer might increase each time HiRDB is started.
This subsection describes HiRDB's operation in the event of an error in the security audit information buffer.
The security audit information buffer is created when HiRDB starts. If an error occurs, the HiRDB operation depends on whether the size of the security audit information buffer is being determined automatically by the system or manually by the user.
The following table describes the causes of errors that occur during HiRDB startup and the corresponding HiRDB operations.
Table 24-36 Causes of errors during HiRDB startup and HiRDB operations
Cause of error | Detail | HiRDB operation (pd_audit_def_buffer_size operand is omitted) | HiRDB operation (pd_audit_def_buffer_size operand is specified) |
---|---|---|---|
Area allocation error | Shared memory for buffer | Starts with size 0 | Cannot start |
Area allocation error | Process private memory for dictionary search | Starts with size 0 | Allocates shared memory and then resumes processing |
Communication error | -- | Starts with size 0 | Allocates shared memory and then resumes processing |
Dictionary access error | Rollback is not required | Starts with size 0 | Allocates shared memory and then resumes processing |
Dictionary access error | Rollback is required | Cannot start# | Allocates shared memory and then resumes processing |
If an error occurs while HiRDB is checking the definition information for audit events, HiRDB outputs the corresponding audit trail regardless of the definition of audit events.
If an error occurs during SQL execution, HiRDB also outputs audit trails. In this case, an error might also occur when the definition information for an audit event is acquired during output of an audit trail. The following table describes combinations of errors, the SQL codes to be set, and whether rollback is required. If an error occurs during output of audit trails, HiRDB ignores that error and resumes processing.
Table 24-37 Combinations of errors, SQL codes to be set, and whether rollback is required
Status before acquisition of audit event definition | Status during acquisition of audit event definition | SQL code to be set | Whether rollback is required |
---|---|---|---|
Normal | Normal | 0 | No |
Normal | Error requiring rollback | SQL code during acquisition of audit event definition | Yes |
Normal | Error not requiring rollback | SQL code before acquisition of audit event definition | No |
Error requiring rollback | Normal | SQL code before acquisition of audit event definition | Yes |
Error requiring rollback | Error requiring rollback | SQL code before acquisition of audit event definition | Yes |
Error requiring rollback | Error not requiring rollback | SQL code before acquisition of audit event definition | Yes |
Error not requiring rollback | Normal | SQL code before acquisition of audit event definition | No |
Error not requiring rollback | Error requiring rollback | SQL code before acquisition of audit event definition | Yes |
Error not requiring rollback | Error not requiring rollback | SQL code before acquisition of audit event definition | No |
When an event occurs, the status of the security audit information buffer changes, such as from disabled to enabled. The statuses are numbered as follows:
1: Initial status (before HiRDB start)
2: Disabled status (no information has been set)
3: Enabled status (information has been set)
4: Disabled status (old information remains)
The following table shows the changes in the security audit information buffer status when an event occurs. Each column is the status before the event, and each cell is the status after it (-- means the event does not occur in that status):
Event | 1 | 2 | 3 | 4 |
---|---|---|---|---|
Completion of HiRDB startup processing | 2 | -- | -- | -- |
Access to security audit information buffer | -- | 3 | 3 | 3 |
Change to audit event definition (execution of CREATE AUDIT or DROP AUDIT) | -- | 2 | 4 | 4 |
All Rights Reserved. Copyright (C) 2011, 2015, Hitachi, Ltd.