sybsecurity database
These system tables contain the audit trail. Only one table at a time is active. The active table is determined by the value of the current audit table configuration parameter. An installation can have up to eight audit tables. For example, if your installation has three audit tables, the tables are named sysaudits_01, sysaudits_02, and sysaudits_03. An audit table contains one row for each audit record.
The columns for sysaudits_01 – sysaudits_08 are:
Name |
Datatype |
Description |
|---|---|---|
event |
smallint |
Type of event being audited. See Table 12-2. |
eventmod |
smallint |
Further information about the event. Possible values are:
|
spid |
smallint |
Server process ID of the process that caused the audit record to be written. |
eventtime |
datetime |
Date and time of the audited event. |
sequence |
smallint |
Sequence number of the record within a single event; some events require more than one audit record. |
suid |
smallint |
Server login ID of the user who performed the audited event. |
dbid |
int null |
Database ID in which the audited event occurred or the object/stored procedure/trigger resides, depending on the type of event. |
objid |
int null |
ID of the accessed object or stored procedure/trigger. |
xactid |
binary(6) null |
ID of the transaction containing the audited event. For a multi-database transaction, this is the transaction ID from the database where the transaction originated. |
loginname |
varchar(30) null |
Login name corresponding to the suid. |
dbname |
varchar(30) null |
Database name corresponding to the dbid. |
objname |
varchar(30) null |
Object name corresponding to the objid. |
objowner |
varchar(30) null |
Name of the owner of objid. |
extrainfo |
varchar(255) null |
Additional information about the audited event. This field contains a sequence of items separated by semicolons. See Table 12-1. |
The extrainfo column contains a sequence of items separated by semicolons as shown in Table 12-1:
Item |
Contents |
|---|---|
Roles |
Lists the roles that are active. The roles are separated by blanks. |
Subcommand |
The name of the subcommand or command option that was used for the event. For example, for the alter table command, the options add column or drop constraint might be used. Multiple subcommands or options are separated by commas. |
Previous value |
The value prior to the update if the event resulted in the update of a value. |
Current value |
The new value if the event resulted in the update of a value. |
Other information |
Additional security-relevant information that is recorded for the event. |
Proxy information |
The original login name, if the event occurred while a set proxy was in effect. |
Principal information |
The principal name from the underlying security mechanism, if the user’s login is the secure default login, and the user logged into Adaptive Server via unified login. The value of this field is NULL, if the secure default login is not being used. |
An example of an extrainfo column for the security-relevant event of changing an auditing configuration parameter might be:
sso_role;suspend auditing when full;1;0;;;;
This extrainfo column indicates that a System Security Officer changed the configuration parameter suspend auditing when full from 1 (suspend all processes that involve an auditing event) to 0 (truncate the next audit table and make it the current audit table). The other columns in the audit record give other pertinent information. For example, the record contains the server user id (suid) and the login name (loginname).
The event column values that pertain to each audit event are listed in Table 12-2.
Event |
Audit option |
Command or access audited |
extrainfo |
|---|---|---|---|
1 |
adhoc |
User-defined audit record |
extrainfo is filled by the text parameter of sp_addauditrecord |
2 |
alter |
alter database |
|
3 |
alter |
alter table |
|
4 |
bcp |
bcp in |
|
6 |
bind |
sp_bindefault |
|
7 |
bind |
sp_bindmsg |
|
8 |
bind |
sp_bindrule |
|
9 |
create |
create database |
|
10 |
create |
create table |
|
11 |
create |
create procedure |
|
12 |
create |
create trigger |
|
13 |
create |
create rule |
|
14 |
create |
create default |
|
15 |
create |
sp_addmessage |
|
16 |
create |
create view |
|
17 |
dbaccess |
Any access to the database by any user |
|
18 |
delete |
delete from a table |
|
19 |
delete |
delete from a view |
|
20 |
disk |
disk init |
|
21 |
disk |
disk refit |
|
22 |
disk |
disk reinit |
|
23 |
disk |
disk mirror |
|
24 |
disk |
disk unmirror |
|
25 |
disk |
disk remirror |
|
26 |
drop |
drop database |
|
27 |
drop |
drop table |
|
28 |
drop |
drop procedure |
|
29 |
drop |
drop trigger |
|
30 |
drop |
drop rule |
|
31 |
drop |
drop default |
|
32 |
drop |
sp_dropmessage |
|
33 |
drop |
drop view |
|
34 |
dump |
dump database |
|
35 |
dump |
dump transaction |
|
36 |
errors |
Fatal error |
|
37 |
errors |
Non-fatal error |
|
38 |
exec_procedure |
Execution of a procedure |
|
39 |
exec_trigger |
Execution of a trigger |
|
40 |
grant |
grant |
|
41 |
insert |
insert into a table |
|
42 |
insert |
insert into a view |
|
43 |
load |
load database |
|
44 |
load |
load transaction |
|
45 |
login |
Any login to Adaptive Server |
|
46 |
logout |
Any logouts from Adaptive Server |
|
47 |
revoke |
revoke |
|
48 |
rpc |
Remote procedure call from another server |
|
49 |
rpc |
Remote procedure call to another server |
|
50 |
security |
Server start |
|
51 |
security |
Server shutdown |
|
55 |
security |
Role toggling |
|
61 |
table_access |
Table access |
|
62 |
select |
select from a table |
|
63 |
select |
select from a view |
|
64 |
truncate |
truncate table |
|
67 |
unbind |
sp_unbindefault |
|
68 |
unbind |
sp_unbindrule |
|
69 |
unbind |
sp_unbindmsg |
|
70 |
update |
update to a table |
|
71 |
update |
update to a view |
|
73 |
|
Turning the auditing parameter on with sp_configure |
|
74 |
|
Turning the auditing parameter off with sp_configure |
|
76 |
security |
Regeneration of a password by a System Security Officer (SSO) |
|
80 |
security |
proc_role within a system procedure |
|
81 |
dbcc |
dbcc |
|
82 |
security |
sp_configure |
|
83 |
security |
online database |
|
84 |
setuser |
setuser |
|
85 |
func_obj_access, func_dbaccess |
Accesses to objects and databases via Transact-SQL functions |
|
85 |
security |
valid_user |
|
88 |
security |
set proxy or set session authorization |
|
92 |
cmdtxt |
All actions of a particular user, or by users with a particular role |
|
This event is audited automatically.
It is not controlled by an audit option.