Operations that are collected in audit trails are called audit events. The following table lists and describes audit events.
Table 9-3 Audit events
Event type | Description and list of audit events | Selectable? |
System administrator security event |
- Audits security events generated by HiRDB administrators and DBA privilege holders.
- Audits changes to connection security facility settings.
- Audits security events generated automatically by the system.
An audit trail is output when any of the following events is generated:
- HiRDB startup (pdstart command)#1
- HiRDB termination (pdstop command)#1, #2
- Auditor registration (pdmod command)
- Audit trail table creation (pdmod command)
- Audit trail file deletion (pdaudrm command)#3
- Start of audit trail collection#5
- End of audit trail collection#6
- Start of audit trail file overwrite
- Transition to consecutive certification failure account lock state
- Release of consecutive certification failure account lock state
  This occurs at the following times:
  - When CONNECT is executed after the account lock period expires
  - When DROP CONNECTION SECURITY is executed
  - When the pdacunlck command is executed
- Transition to password invalid account lock state
- Release of password invalid account lock state
- Change in a connection security facility setting:
  - Permitted number of consecutive certification failures
  - Account lock period
  - Items set with password character string restrictions (including pre-checking)
- Execution of the pdacunlck command
|
No (an audit trail is always output) |
Auditor security event |
Audits security events generated by the auditor. An audit trail is output when any of the following events is generated:
- Loading of data into an audit trail table (pdload command)
- Swapping of audit trail files (pdaudswap command)
- Definition of an audit event (CREATE AUDIT)#4
- Deletion of an audit trail event (DROP AUDIT)#4
- Changing an auditor password (GRANT AUDIT)#4
- Output of data to the audit log output file of JP1/NETM/Audit (pdaudput command)
|
No (an audit trail is always output) |
Session security event |
Audits events generated by user authentication based on an authorization identifier and password. An audit trail is output when any of the following events is generated:
- Connection to HiRDB (CONNECT statement)
- Changing users (SET SESSION AUTHORIZATION statement)
- Disconnection from HiRDB (DISCONNECT statement)#9
|
Yes |
Privilege control event |
Audits events generated by granting and revoking user privileges. An audit trail is output when either of the following events is generated:
- Granting a user privilege (GRANT statement)
- Revoking a user privilege (REVOKE statement)
|
Yes#7 |
Object definition event |
Audits events generated by definition, deletion, or modification of objects. An audit trail is output when any of the following events is generated:
- Definition of an object; audits the following SQL statements:
  - CREATE FUNCTION
  - CREATE INDEX
  - CREATE PROCEDURE
  - CREATE PUBLIC VIEW
  - CREATE SCHEMA
  - CREATE SEQUENCE
  - CREATE TABLE
  - CREATE TRIGGER
  - CREATE TYPE
  - CREATE VIEW
- Deletion of an object; audits the following SQL statements:
  - DROP DATA TYPE
  - DROP FUNCTION
  - DROP INDEX
  - DROP PROCEDURE
  - DROP PUBLIC VIEW
  - DROP SCHEMA
  - DROP SEQUENCE
  - DROP TABLE
  - DROP TRIGGER
  - DROP VIEW
- Modification of an object; audits the following SQL statements:
  - ALTER INDEX
  - ALTER PROCEDURE
  - ALTER ROUTINE
  - ALTER TABLE
  - ALTER TRIGGER
  - COMMENT
|
Yes#7 |
Object operation event |
Audits events generated by object manipulation. An audit trail is output when any of the following events is generated:
- Searching a table (SELECT statement)
- Insertion of rows in a table (INSERT statement)
- Updating of rows in a table (UPDATE statement)
- Deletion of rows from a table (DELETE statement)
- Deletion of all rows from a table (PURGE TABLE statement)
- Execution of a stored procedure (CALL statement)
- Locking a table (LOCK TABLE statement)
- Creation of a list (ASSIGN LIST statement)
- Return of values generated by the sequence generator (NEXT VALUE expression)
|
Yes#7 |
Utility operation event |
Audits security events generated from operations on objects by utilities or commands. An audit trail is output when any of the following events is generated:
- Database load command (pdload command)
  Object: TABLE, SEQUENCE
- pddefrev command
  Object: PROCEDURE, TABLE, TRIGGER, and VIEW
- Database reorganization utility (pdrorg command)
  Object: TABLE
- Dictionary import/export utility (pdexp command)
  Object: PROCEDURE, TABLE, TRIGGER, and VIEW
- Integrity check utility (pdconstck command)
  Object: TABLE
|
Yes#7, #8 |
#1: In the case of a HiRDB parallel server configuration, startup and termination of a single server are not audit events.
#2: Normal termination and planned termination are audit events; forced termination and abnormal termination are not audit events. For these cases, check the messages output by HiRDB or the operating system.
The following termination commands are not monitored:
- pdstop -f
- pdstop -f -q
- pdstop -f -x host-name
- pdstop -f -u unit-identifier
- pdstop -f -s server-name
- pdstop -f -u unit-identifier -s server-name
- pdstop -z
- pdstop -z -q
- pdstop -z -c
- pdstop -z -s server-name
#3: Creation of an audit trail file is not an audit event. To audit creation of audit trail files, use the audit facility provided by the OS.
#4: You can also output an audit trail by executing the database definition utility (pddef command) or HiRDB SQL Executer.
#5: An audit trail is output when the pdaudbegin command is executed or when an audit trail is collected at HiRDB startup.
#6: An audit trail is output when the pdaudend command is executed or when an audit trail is collected during performance of normal or planned termination of HiRDB.
#7: An audit trail is output unconditionally when the event terminates in the case of privilege control events, object definition events, object operation events, and utility operation events that target an audit trail table, a view base table of an audit trail table, or a list base table of an audit trail table. You can select whether to collect an audit trail when a privilege check is performed.
#8: An audit trail is output unconditionally when the database reorganization utility (pdrorg command) is used to reload a dictionary table.
#9: Audit trail events include the following:
- The server process of a single server or front-end server detects a DISCONNECT statement.
- The server process of a single server or front-end server internally executes a DISCONNECT statement.
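The following is an added example, not part of the HiRDB manual: a small checker that reads operator command lines and reports which ones the table and footnotes #2, #7, and #8 say may leave no record in the audit trail, so they need coverage from HiRDB or OS messages instead. The function names, labels, and sample history are assumptions made for illustration; footnote #1 (start or stop of a single server in a parallel configuration) is not modelled because the page does not give those command forms.

```python
import os
import shlex

# Commands for which the table or footnotes #5/#6 say a trail is always output.
ALWAYS = {"pdstart", "pdaudrm", "pdacunlck", "pdaudswap", "pdaudput",
          "pdaudbegin", "pdaudend"}
# Utility operation events: recorded only if selected. Footnotes #7 and #8
# make some runs unconditional, so "selectable" is the conservative label.
SELECTABLE = {"pdload", "pddefrev", "pdrorg", "pdexp", "pdconstck"}
# Footnote #2: every unmonitored pdstop form listed there carries -f or -z.
FORCED_STOP_FLAGS = {"-f", "-z"}


def classify(command_line):
    """Return 'always', 'selectable', 'not_audited' or 'unknown'."""
    tokens = shlex.split(command_line)
    if not tokens:
        return "unknown"
    cmd, args = os.path.basename(tokens[0]), set(tokens[1:])
    if cmd == "pdstop":
        # Normal and planned termination are audited; forced/abnormal are not.
        return "not_audited" if args & FORCED_STOP_FLAGS else "always"
    if cmd in ALWAYS:
        return "always"
    if cmd in SELECTABLE:
        return "selectable"
    # Includes pdmod: the table audits only two of its uses, and the page
    # does not give the options that distinguish them.
    return "unknown"


def audit_gaps(history):
    """List (command line, label) pairs that are not guaranteed a trail record."""
    gaps = []
    for line in history:
        label = classify(line)
        if label != "always":
            gaps.append((line, label))
    return gaps


# Constructed sample history; UNT1 is a made-up unit identifier.
SAMPLE_HISTORY = ["pdstart", "pdstop -f -u UNT1", "pdaudswap",
                  "pdconstck", "pdstop", "pdstop -z -q", "pdmod"]

if __name__ == "__main__":
    for line, label in audit_gaps(SAMPLE_HISTORY):
        print(f"{label:12} {line}")
```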
All Rights Reserved. Copyright (C) 2015, Hitachi, Ltd.