Setting up IDS auditing, onaudit

Answer

BACKGROUND

IBM® Informix® Dynamic Server™ (IDS) auditing enables the recording of selected user activities on the database server.

This article briefly discusses the set up procedure and provides a demonstration for database server-managed auditing using Informix Dynamic Server for Unix without Role Separation.


AUDITING SETUP


1. Log in as user informix.

2. Auditing is turned off by default when you install the database server. To turn it on, edit the $INFORMIXDIR/aaodir/adtcfg as follows:

• Change ADTMODE from 0 (which is the default) to 1. A 1 means that database server-managed auditing is on for all sessions.

• Change ADTPATH to the full path to which you want the database server to save audit files. Ownership of the directory should be informix, Group ID should be informix and Permission 755 to prevent unauthorized use of the audit files.

For this example we will use /usr/informix/auditing for ADTPATH.

This is the resulting adtfcg file contents:

ADTMODE         1
ADTPATH         /usr/informix/auditing
ADTSIZE         50000
ADTERR          0

Here are links to a description of each parameter:

• ADTMODE configuration parameter
• ADTPATH configuration parameter
• ADTSIZE configuration parameter
• ADTERR configuration parameter
  

3. Stop and restart the engine so that the new settings take effect.

4. Run onaudit -c to confirm the audit configuration parameters are correct.

ADTMODE    = 1
ADTERR     = 0
ADTPATH    = /usr/informix/auditing
ADTSIZE    = 50000
Audit file = 0

Auditing is now turned on.

5. Create the audit mask _require which applies automatically to all users. In this example, the _require mask is created using the Informix recommended events.

onaudit -a -u _require -e +OPDB,GRDB,RVDB,GRTB,RVTB,CRRL,STRL,STSA,STOM,GRRL,RVRL,GRFR,RVFR

More information regarding audit masks or user masks can be found in the Information Center at these links:

• Audit Masks
• User Masks

For a list of all the audit event codes go here, Audit Event Codes and Fields.


AUDITING DEMONSTRATION


1. Create an individual user mask. For this example, the user mask is pat and the events to be audited will be creating and dropping databases.

onaudit -a -u pat -e +CRDB,DRDB

2. Run onaudit -o -y to show the audit events for all the defined users. The output is displayed as follows:

_require    -    GRDB,GRTB,OPDB,RVDB,RVTB,STOM,GRFR,   RVFR,CRRL,GRRL,RVRL,STRL,STSA

pat         -   CRDB,DRDB

3. Execute the following SQL commands as user pat:

CREATE DATABASE test;
CREATE TABLE tab1
 (
 col1 INT
  );

DATABASE sysmaster;
DROP DATABASE test;

4. Run onshowaudit to display the tracked events for user pat. The events are displayed here.

>onshowaudit

ONLN|2002-10-31 14:25:10.000|digger2|2684|pat|pat|0:CRDB:test:-

ONLN|2002-10-31 14:25:28.000|digger2|2684|pat|pat|0:OPDB:sysmaster:0:-

ONLN|2002-10-31 14:25:28.000|digger2|2684|pat|pat|0:DRDB:test:-

More information regarding the audit-record format go here, Audit-Record Format.

5. Repeat step #3 as user informix.

6. Run onshowaudit to display the tracked events for user informix. The events are displayed here.

>onshowaudit

ONLN|2002-10-31 14:38:35.000|digger2|2711|informix|informix|
0:OPDB:sysmaster:0:-

Note that the CRDB (create database), OPDB (open database), and DRDB (drop database) events are shown for user pat but user informix only shows OPDB.

Furthermore, note that auditing does not record the CRTB (create table) event for either user because it is not part of any of the auditing masks.