The onaudit utility: Configure audit masks
Use the onaudit utility to add, modify, delete and display audit masks.
Syntax
Element | Purpose | Key Considerations |
---|---|---|
-a | Adds an audit mask. | None. |
-f | Loads an input file containing a list of audit masks to be added to the audit trail. | The file must use the correct input-file format. |
-d | Specifies that an audit mask will be deleted. | None. |
-m | Modifies an existing audit mask. | None. |
-o | Outputs a list of all the audit masks that have been configured in the database server. | None. |
-r basemask | Specifies the name of an existing basemask from which you can derive events to apply to a new targetmask. | Subsequent changes to the basemask are not be reflected in the target audit masks. If no basemask is specified and no events are specified with the -e option an empty target mask is created. |
-e | Indicates that audit events are to be added or removed from the specified targetmask. | Events specified as arguments to -e override events listed in any base mask specified with the -r option. |
-u usermask | Names a specific mask. | _default, _require,
and _exclude are keywords in the system, and can
be one of these names for your template or user mask. The server processes
the audit mask in the predefined order. The usermask is limited to 32 or fewer bytes. |
-y | Automatically responds yes to the confirmation prompt. | None. |
event | Specifies an event to audit, whether the event execution succeeds or fails. | The event must be listed in Audit event codes and fields. |
Fevent | Specifies that only failed event attempts are to be audited. | The event must be listed in Audit event codes and fields. |
Sevent | Specifies that only successful event attempts are to be audited. | The event must be listed in Audit event codes and fields. |
Usage
Before you try to run the onaudit utility to manipulate audit masks, ensure that the server is running, and that you hold the DBSSO role.
All the options of this utility must be entered as shown because they are case-sensitive.
For a high-availability cluster, the audit mask must be created on the primary server. All of the servers in the cluster use the audit mask on the primary server.
Run the onaudit command with the -a option when you want to add one or more audit masks to an audit trail. Note that _default, _require, and _exclude are keywords that the server understands and processes in a particular order.
Run the onaudit command with the -f option to load an existing input file that contains a listing of audit masks. The format of this input file's contents is:
<mask_name> <base_mask> <event_list>
A hyphen (-) is used in places where the base mask is unavailable.
Run the -d option of the onaudit command to delete a specified audit mask. When you select the -d option of the onaudit utility:
- The -y option is used to respond yes to all prompts.
- If the -u mask option is omitted, all masks are deleted, including the _default, _require, and _exclude masks.
- If the -y or the -u options are omitted, the onaudit utility requests confirmation that this is intentional so that you do not accidentally delete all user masks.
Use the -m option of the onaudit command when you must modify an existing audit mask. Use a plus (+) sign to add an event to an audit mask or use the hyphen (-) sign to delete an event from a mask. Use a comma (,) to separate multiple events that are being added to the mask. Do not add any spaces between the comma and the event mnemonics.
If no sign is specified before an event mnemonic, the event is added to the mask.
The -o option of the onaudit command
sends information about the mask to standard output. When you select
the -o
option of the onaudit utility:
- The -y option is used to respond yes to all prompts.
- If the -u mask option is omitted, all masks are displayed.
- If the -y or the -u options are omitted, onaudit requests confirmation before it displays all the masks because it can result in the display of large amounts of data.
<mask_name> <base_mask> <event_list>
A
hyphen (-) is used in places where the base mask is unavailable.Run the command with the -r option to copy all of the events associated with the specified base mask (which can be a system mask) to a new target mask.
The -u option of the onaudit command can be used in combination with the -a, -d, -m, and -o options.
Example 1: Add an audit mask
The following
example creates a template mask named pat
with events CRTB
(CREATE
TABLE) and RVLB
(REVOKE SECURITY LABEL) defined.
The -a option is used to create the mask. The -u option
is used to identify the mask name. The -e option
is used to list the events defined in the mask.
onaudit -a -u pat -e +CRTB,RVLB
Example 2: Load a file containing one or more audit masks
The following example loads the masks defined in the input file entitled, masks_feb.
onaudit -f /work/masks_feb
Example 3: Delete an audit mask
The following
example shows how to delete the _default
audit mask:
onaudit -d -u _default
Example 4: Modify an audit mask
The following
example modifies the _default
audit mask by adding
the GRXM
(GRANT EXEMPTION) event and deleting the
CRTB (CREATE TABLE) event:
onaudit -m -u _default -e +GXRM, -e -CRTB
Example 5: Display an audit mask
pat
,
indicating that the individual user mask contains the audit events LKTB
(LOCK
TABLE), CRTB
(CREATE TABLE), and failed attempts
to ADCK
(ADD CHUNK): onaudit -o -u pat
The
following example is the output of the sample command:pat - LKTB,CRTB,FADCK
Example 6: Derive an audit mask
pat
. The new
mask derives the events specified in the _secureL template mask, but
excludes RDRW
(READ ROW) and includes LKTB
(LOCK
TABLE), successful attempts to ADCK
(ADD CHUNK),
and all attempts to CRTB
(CREATE TABLE):onaudit -a -u pat -r _secureL -e -RDRW, -e +LKTB,SADCK,CRTB