Hitachi

Hitachi Advanced Database Setup and Operation Guide


12.7.3 Environment setup

The following explains how to set up the environment for the audit trail facility based on the policies and operation methods determined in 12.7.2 Design.


(1) Creating the directories used by the audit trail facility

Create the following directories for use by the audit trail facility:

For details about the permissions required for each directory, see 12.2.2 Preparing the directories used by the audit trail facility.

Important

The DB administrator creates these directories after logging in to the OS using the account of the HADB administrator.

(2) Adding operands related to the audit trail facility to the server definition

Add the adb_audit_log_path operand to the server definition. As the value of the adb_audit_log_path operand, specify the audit trail directory created in (1) Creating the directories used by the audit trail facility.

Specification example of operand added to server definition

set adb_audit_log_path = /mnt/audittrail/outputarea/audit

Because the default values can be applied, the following operands related to the audit trail facility are not specified:

Important
  • The DB administrator performs this operation after logging in to the OS using the account of the HADB administrator.

  • If the HADB server is running, terminate the HADB server normally before amending the server definition.

(3) Starting the HADB server in offline mode

Execute the adbstart command to start the HADB server in offline mode. By starting the HADB server in offline mode, you can prevent unauthorized access while setting up the environment for the audit trail facility.

Command execution example

adbstart --offline

Important

The DB administrator performs this operation after logging in to the OS using the account of the HADB administrator.

(4) Creating auditors

The following describes how to create the auditor accounts (HADB users with audit privileges) used by the audit trail facility administrator and DB person responsible for auditing.

Creating auditors

Create a new HADB user (ADBAUDITADMIN) to be used by the audit trail facility administrator, and grant the audit admin privilege to this HADB user.

  • Example of creating an HADB user with the audit admin privilege

    CREATE USER "ADBAUDITADMIN" IDENTIFIED BY '@udi+@dmin'
    GRANT AUDIT ADMIN,CONNECT TO "ADBAUDITADMIN"

Create a new HADB user (ADBAUDITVIEWER) to be used by the DB person responsible for auditing, and grant the audit viewer privilege to this HADB user.

  • Example of creating an HADB user with the audit viewer privilege

    CREATE USER "ADBAUDITVIEWER" IDENTIFIED BY '@udi+viewer'
    GRANT AUDIT VIEWER,CONNECT TO "ADBAUDITVIEWER"

Important

The DB administrator performs this operation after connecting to the HADB server using the authorization identifier (ADBADMIN) of an HADB user who has the DBA privilege.

Changing the passwords of auditors

After creating the auditor account, the DB administrator notifies the audit trail facility administrator of the authorization identifier and password of the HADB user who was granted the audit admin privilege. The DB administrator also notifies the DB person responsible for auditing of the authorization identifier and password of the HADB user who was granted the audit viewer privilege. Each auditor must now connect to the HADB server using the authorization identifier of the associated HADB user, and change their password from the default.

  • Example of changing password of HADB user with audit admin privilege

    ALTER USER "ADBAUDITADMIN" IDENTIFIED BY '@uditDDD'

    Execute the preceding SQL statement after connecting to the HADB server as the HADB user with the authorization identifier ADBAUDITADMIN.

  • Example of changing password of HADB user with audit viewer privilege

    ALTER USER "ADBAUDITVIEWER" IDENTIFIED BY '@uditVVV'

    Execute the preceding SQL statement after connecting to the HADB server as the HADB user with the authorization identifier ADBAUDITVIEWER.

Note

The password of an auditor (an HADB user with audit privileges) can only be changed by that auditor.

(5) Enabling the audit trail facility

Enable the audit trail facility by executing the adbaudittrail --start command.

Command execution example

adbaudittrail -u "ADBAUDITADMIN" -p '@uditDDD' --start --write-error DOWN

Explanation

Important

The audit trail facility administrator performs this operation after logging in to the OS using the account of a user who belongs to the HADB administrators group.

After executing the adbaudittrail --start command, execute the adbaudittrail -d command to confirm that the audit trail facility is enabled.

Command execution example

adbaudittrail -u "ADBAUDITADMIN" -p '@uditDDD' -d

Command execution result

audit  write-error audit-directory-path             audit-file-max-size audit-file-number
ACTIVE DOWN        /mnt/audittrail/outputarea/audit 256                 0

Explanation

(6) Defining audit targets

Based on the design policy established in (2) Determining the events for which to output audit trails under 12.7.2 Design, the audit trail facility is configured to also output audit trails for optional audit events. Define the audit targets by executing the CREATE AUDIT statement.

Execution example of CREATE AUDIT statement

CREATE AUDIT AUDITTYPE EVENT FOR ANY OPERATION

Important

The audit trail facility administrator performs this operation after connecting to the HADB server using the authorization identifier (ADBAUDITADMIN) of an HADB user who has the audit admin privilege.

(7) Changing the HADB server operation mode

Execute the adbchgsrvmode command to change the HADB server operation mode to normal mode. When the HADB server operation mode has changed to normal mode, the HADB server will begin accepting connection requests from clients.

Command execution example

adbchgsrvmode --normal

Important

The DB administrator performs this operation after logging in to the OS using the account of the HADB administrator.
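As an added example (not part of the Hitachi manual or the HADB product), the following POSIX shell script checks that the audit directory set by the adb_audit_log_path operand in step (2) is the one the facility reports in step (5), and that the facility is ACTIVE with write-error DOWN before the server is returned to normal mode in step (7). It assumes the server definition is a text file of "set operand = value" lines and embeds the sample values from this subsection; the server definition file path in the comments is a placeholder.

```shell
#!/bin/sh
# Added example: cross-check the "adbaudittrail -d" result against the
# adb_audit_log_path operand in the server definition. Not Hitachi code.

# Server definition fragment (constructed sample, same value as step (2)).
SERVER_DEF_SAMPLE='set adb_audit_log_path = /mnt/audittrail/outputarea/audit'

# "adbaudittrail -d" output (copied from the command execution result in step (5)).
AUDIT_STATUS_SAMPLE='audit  write-error audit-directory-path             audit-file-max-size audit-file-number
ACTIVE DOWN        /mnt/audittrail/outputarea/audit 256                 0'

# Print the value of adb_audit_log_path found in server-definition text on stdin.
audit_log_path_from_def() {
    sed -n 's/^[[:space:]]*set[[:space:]]*adb_audit_log_path[[:space:]]*=[[:space:]]*//p' \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_audit_status EXPECTED_PATH STATUS_TEXT
# Returns 0 when the data row of STATUS_TEXT reports ACTIVE, write-error DOWN
# and an audit directory equal to EXPECTED_PATH; returns 1 with a reason otherwise.
check_audit_status() {
    expected_path="$1"
    status_text="$2"
    # The second line is the data row: audit write-error path max-size number.
    row=$(printf '%s\n' "$status_text" | sed -n '2p')
    set -- $row
    audit="$1"; werr="$2"; dir="$3"
    [ "$audit" = "ACTIVE" ] || { echo "audit trail facility is not active ($audit)"; return 1; }
    [ "$werr" = "DOWN" ] || { echo "write-error is $werr, expected DOWN"; return 1; }
    [ "$dir" = "$expected_path" ] || { echo "directory $dir differs from server definition ($expected_path)"; return 1; }
    echo "OK: audit trail ACTIVE, write-error DOWN, directory $dir"
    return 0
}

# Stand-alone run on the embedded samples. In real operation, read the actual
# server definition file (placeholder path) and the live command output, e.g.:
#   path=$(audit_log_path_from_def < /path/to/server-definition)
#   check_audit_status "$path" "$(adbaudittrail -u "ADBAUDITADMIN" -p '...' -d)"
path=$(printf '%s\n' "$SERVER_DEF_SAMPLE" | audit_log_path_from_def)
check_audit_status "$path" "$AUDIT_STATUS_SAMPLE"
```

Run it as the audit trail facility administrator after step (5); a non-zero exit means the operand value and the reported directory disagree or the facility did not come up as expected.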