sysauditoptions  syscharsets

Chapter 1: System Tables

sysaudits_01 – sysaudits_08

sybsecurity database

Description

These system tables contain the audit trail. Only one table at a time is active. The active table is determined by the value of the current audit table configuration parameter. An installation can have as many as eight audit tables. For example, if your installation has three audit tables, the tables are named sysaudits_01, sysaudits_02, and sysaudits_03. An audit table contains one row for each audit record.

Columns

The columns for sysaudits_01 – sysaudits_08 are:

Name

Datatype

Description

event

smallint

Type of event being audited.

eventmod

smallint

Further information about the event. Possible values are:

  • 0 = no modifier for this event.

  • 1 = the event passed permission checking.

  • 2 = the event failed permission checking.

spid

smallint

Server process ID of the process that caused the audit record to be written.

eventtime

datetime

Date and time of the audited event.

sequence

smallint

Sequence number of the record within a single event; some events require more than one audit record.

suid

smallint

Server login ID of the user who performed the audited event.

dbid

int null

Database ID in which the audited event occurred or the object/stored procedure/trigger resides, depending on the type of event.

objid

int null

ID of the accessed object or stored procedure/trigger.

xactid

binary(6) null

ID of the transaction containing the audited event. For a multidatabase transaction, this is the transaction ID from the database where the transaction originated.

loginname

varchar(30) null

Login name corresponding to the suid.

dbname

varchar(30) null

Database name corresponding to the dbid.

objname

varchar(255) null

Object name corresponding to the objid.

objowner

varchar(30) null

Name of the owner of objid.

extrainfo

varchar(255) null

Additional information about the audited event. This field contains a sequence of items separated by semicolons. See Table 1-2.

nodeid

tinyint null

Reserved for future use.

The extrainfo column contains a sequence of items separated by semicolons as shown in Table 1-2:

Table 1-2: Items in the extrainfo column

Item

Contents

Roles

Lists the roles that are active. The roles are separated by blanks.

Keywords or options

The name of the keyword or command option that was used for the event. For example, for the alter table command, the options add column or drop constraint might be used. Multiple keywords or options are separated by commas.

Previous value

The value prior to the update if the event resulted in the update of a value.

Current value

The new value if the event resulted in the update of a value.

Other information

Additional security-relevant information that is recorded for the event.

Proxy information

The original login name, if the event occurred while a set proxy was in effect.

Principal information

The principal name from the underlying security mechanism, if the user’s login is the secure default login, and the user logged in to Adaptive Server using unified login. The value of this field is NULL, if the secure default login is not being used.

An example of an extrainfo column for the security-relevant event of changing an auditing configuration parameter might be:

sso_role;suspend auditing when full;1;0;;;;

This example indicates that a System Security Officer changed the configuration parameter suspend auditing when full from 1 (suspend all processes that involve an auditing event) to 0 (truncate the next audit table and make it the current audit table).




Copyright © 2005. Sybase Inc. All rights reserved. syscharsets

View this book as PDF