Event auditing
If you choose a custom setup, you can enable event auditing. Event auditing tracks selected activities that users perform. You can improve the security of your event-auditing procedures by configuring role separation, which provides members of certain group identifiers (group IDs) on your system the privileges to manage and examine auditing records. Role separation provides increased database security because the database server separates administrative tasks into mutually exclusive roles.
- Role separation is not supported in a non-root installation.
- You must select custom installation setup to enable role separation.
- If you enable role separation, you cannot turn it off after the database server is installed. To remove role separation, you must uninstall the database server and reinstall it without role separation.
UNIX, Linux®, Mac OS X: Role separation
If you do not enable role separation, the informix group has privileges to perform all administrative tasks.
- Database System Security Officer (DBSSO)
- Controls what the auditing subsystem monitors and which actions database users can perform.
- Auditing Analysis Officer (AAO)
- Controls whether auditing occurs, maintains the audit log files, and analyzes the audit records.
The informix group is the default group that is associated with the two roles. During installation, you can replace the default groups with existing groups.
After installation is complete, establish an audit-only user account for each individual who acts as a DBSSO or AAO. For example, a person with DBSSO responsibilities can have the user DBSSO1 account, and also have the user garcia5 account for general database server access.
Windows: Role separation
If you do not enable role separation, the Informix®-Admin group has privileges to perform all administrative tasks.
If you enable role separation during installation, you are prompted to create groups and users and add the users to the corresponding groups. During installation, you can replace the default users and groups with existing users or groups.
Header | Header | Header |
---|---|---|
Informix-Admin | General Database Administration | Performs general administrative tasks, such as archiving and restoring data, monitoring use and performance, and tuning the system. |
ix_dbsso | Database System Security Officer | Maintains the security of the database server. Functions of this role include audit adjustment and changing security characteristics of storage objects. Creation of this user role requires selection of a password during installation. |
ix_aao | Auditing Analysis Officer | Audits the records of specific types of database activities. If someone attempts to circumvent or corrupt the security mechanism of the database, these actions can be traced. Creation of this user role requires selection of a password during installation. |
ix_users | Database Users | Accesses the database to perform user tasks. Only users who are designated as members of the ix_users group can access the database. |