The onaudit utility: Configure auditing

Use the onaudit utility to start, stop, and configure auditing.


onaudit [-l audit_mode] [-e error_mode] [-p auditdir] [-R row_mode] [-s maxsize] [-E on_off] [-L on_off] [-A on_off] [-S on_off] [-P priority] [-F facility] [-I identifier] [-O options] [-c] [-n] [-q]

onaudit -h
Element Purpose Key Considerations
-c Shows the current audit configuration as the values of the auditing configuration parameters in the ADTCFG file. None.
-e error_mode Specifies the error-handling method for auditing when a record cannot be written to the audit file or event log:
  • 0 = Continue processing the thread and record the error in the message log. Errors for subsequent attempts to write to the audit file are also sent to the message log.
  • 1 = Suspend processing a thread when the database server cannot write a record to the current audit file. The database server attempts to write the record until it succeeds.
  • 3 = Shut down the server.
This option sets the ADTERR configuration parameter in the ADTCFG file.

You can use this option only when auditing is enabled.

-h Prints a help message — the command line summary and a brief explanation of the options. None
-l audit_mode Specifies the audit mode:
  • 0 = Disable auditing
  • 1 = Audit all sessions
  • 3 = Audit DBSSO actions
  • 5 = Audit database server administrator actions
  • 7 = Audit DBSSO and database server administrator actions
This option sets the ADTMODE configuration parameter in the ADTCFG file. This parameter is deprecated; you should use the newer ADT_CLASSIC_ENABLED, ADT_DBSA, and ADT_DBSSO parameters instead.
-n Starts a new audit file. You can use this option only when auditing is enabled.
-p auditdir Specifies a new directory in which the database server creates audit files. The change occurs with the next write attempt. The database server creates a new audit file in the new directory, beginning with the first available number that is equal to or greater than 0. This option sets the ADTPATH configuration parameter in the ADTCFG file.

You can use this option only when auditing is enabled.

-q Suppresses the banner line which is written to standard error. None
-s maxsize Specifies the maximum size (in bytes) of an audit file. Can be any value between 10,240 bytes and approximately 2 gigabytes (the maximum value of a 32-bit integer). If you specify a size that is less than the minimum, the size is set automatically to the minimum value. When an audit file reaches or exceeds the maximum size, the database server closes the current file and starts a new audit file. This option sets the ADTSIZE configuration parameter in the ADTCFG file.

You can use this option only when auditing is enabled.

-A flag Option for classic and ASL auditing.

Enables or disables the mandatory auditing for the DBSA group.

  • 0, OFF, FALSE, DISABLE, NO = Disable mandatory auditing for the DBSA group
  • 1, ON, TRUE, ENABLE, YES = Enable mandatory auditing for the DBSA group
This option sets the ADT_DBSA configuration parameter in the ADTCFG file.
-E flag Option for ASL auditing.
Enables or disables the Audit to Syslog (ASL) functionality.
  • 0, OFF, FALSE, DISABLE, NO = Turns ASL off
  • 1, ON, TRUE, ENABLE, YES = Turns ASL on
This option sets the ADT_SYSLOG_ENABLED configuration parameter in the ADTCFG file.
-F facility Option for ASL auditing.
Helps with filtering messages in the syslog configuration.
  • LOG_USER (the default)
  • LOG_LOCAL0..LOG_LOCAL7
  • LOG_AUTH or LOG_AUTHPRIV

Other named facilities are for other subsystems and should not be used.

The facility can be written with or without the LOG_ prefix and in upper case, lower case, or mixed case. The LOG_ prefix and all upper case are used when options are written to the ADTCFG file.

This option sets the ADT_SYSLOG_FACILITY configuration parameter in the ADTCFG file.
-I identifier Option for ASL auditing.

Sets the identifier name that is used in syslog messages. The maximum allowed length is 128 characters; the recommended maximum length is 32 characters.

The default is the DBSERVERNAME from the ONCONFIG file.

This option sets the ADT_SYSLOG_IDENTIFIER configuration parameter in the ADTCFG file.
-L flag Option for classic auditing.

Enables or disables classic auditing (as opposed to syslog auditing).

  • 0, OFF, FALSE, DISABLE, NO = Turn classic auditing off
  • 1, ON, TRUE, ENABLE, YES = Turn classic auditing on
This option sets the ADT_CLASSIC_ENABLED configuration parameter in the ADTCFG file.
-O options Option for ASL auditing.
Specifies options to openlog().
  • LOG_NDELAY, LOG_NOWAIT = the default options
  • LOG_NDELAY, LOG_ODELAY = mutually exclusive options
  • LOG_PERROR, LOG_CONS, LOG_PID

The options can be written with or without the LOG_ prefix and in upper case, lower case, or mixed case. The LOG_ prefix and all upper case are used when options are written to the ADTCFG file.

This option sets the ADT_SYSLOG_OPTIONS configuration parameter in the ADTCFG file.
-P priority Option for ASL auditing.
Specifies the priority that is used when filtering messages in the syslog daemon.
  • LOG_INFO
  • LOG_NOTICE
  • LOG_WARNING
  • LOG_DEBUG
  • LOG_ALERT
  • LOG_EMERG (should not be used)

The priority can be written with or without the LOG_ prefix and in upper case, lower case, or mixed case. The LOG_ prefix and all upper case are used when options are written to the ADTCFG file.

This option sets the ADT_SYSLOG_PRIORITY configuration parameter in the ADTCFG file.
-R row_mode Controls selective row-level auditing:
  • 0 = Selective row-level auditing is disabled.
  • 1 = Selective row-level auditing is enabled for tables that are set with the AUDIT flag.
  • 2 = Selective row-level auditing is enabled for tables that are set with the AUDIT flag. The primary key, if it is an integer data type, is included in the audit records.
This option sets the ADTROWS configuration parameter in the ADTCFG file.
-S flag Option for ASL auditing.
Enables or disables the mandatory auditing for the DBSSO group.
  • 0, OFF, FALSE, DISABLE, NO = Disable mandatory auditing for the DBSSO group
  • 1, ON, TRUE, ENABLE, YES = Enable mandatory auditing for the DBSSO group

This option sets the ADT_DBSSO configuration parameter in the ADTCFG file.

Usage

Before you try to run the onaudit utility, ensure that the server is running, that an audit mask with defined audit events has been added, and that you hold the AAO role.

All the option letters of this utility must be entered as shown because they are case-sensitive.

The onaudit command takes effect immediately for all new user sessions.

To enable auditing for a high-availability cluster, you must enable auditing on the primary server and on every secondary server in the cluster. The audit mask must be created on the primary server. All of the servers in the cluster use the audit mask set on the primary server. Audit records for insert, update, and delete operations are created only on the primary server.

onaudit -h output:

onaudit <action> [-q] [-f file] [-u name] [-r bmsk] [-e eset] [-y]
onaudit [-h] [-q] [-c] [-n] [-l lev] [-e err] [-p path] [-s size] \
               [-R fga] [-E {on|off}] [-F facility] [-I identifier] \
               [-O options] [-P priority] [-L level] [-A {on|off}] \
               [-S {on|off}]

 -h          -- print help message and exit
 -q          -- quiet mode

DBSSO options:
action: one of
    -a       -- add a mask
    -d       -- delete a mask
    -m       -- modify a mask
    -o       -- output a mask
 -e eset     -- event set added to (+) or removed from (-) mask
 -f file     -- include instruction file
 -r bmsk     -- name of basemask
 -u mask     -- name of target/mask
 -y          -- respond yes to all prompts

DBSA options:
 -c          -- print audit configuration
 -e err      -- set ADTERR
 -l lev      -- set ADTMODE (obsolescent: use -A, -L, -S)
 -n          -- start new log file
 -p path     -- set ADTPATH
 -s size     -- set ADTSIZE
 -A flag     -- enable/disable mandatory auditing of DBSA
 -L flag     -- enable/disable classic audit
 -R flag      -- set ADTROWS for Fine-Grained Auditing (0,1,2)
 -S flag     -- enable/disable mandatory auditing of DBSSO
                (NB: The -A, -L, -S options supersede obsolescent -l option.)

ASL (Audit-to-Syslog) options:
 -E flag     -- Enable/disable Audit-to-Syslog (ASL) (0,1, true, false, on, off)
 -F facility -- Set ASL facility (default: LOG_USER):
                (suggested: LOG_USER, LOG_LOCAL0..LOG_LOCAL7, LOG_AUTH,
                 LOG_AUTHPRIV;
                 not recommended: LOG_CRON, LOG_DAEMON, LOG_FTP, LOG_KERN,
                 LOG_LPR, LOG_MAIL, LOG_NEWS, LOG_SYSLOG, LOG_UUCP)
 -I identity -- Set ASL identity (default: DBSERVERNAME)
 -O options  -- Set ASL options (default: LOG_NDELAY, LOG_NOWAIT):
                (LOG_CONS, LOG_NDELAY, LOG_ODELAY, LOG_NOWAIT, LOG_PERROR,
                 LOG_PID)
 -P priority -- Set ASL priority (aka level; default: LOG_INFO):
                (LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING,
                 LOG_NOTICE, LOG_INFO, LOG_DEBUG)

The distributed adtcfg and adtcfg.std template files contain ADT_ENABLED, ADT_DBSA, ADT_DBSSO settings, and only mention ADTMODE in comments.
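
The value rules in the option table (documented value sets, the deprecated -l mode, the mutually exclusive openlog() options, the 10,240-byte minimum, the identifier length limits) can be checked before a command reaches the server. The following shell function is an added example, not IBM code: lint_onaudit is a hypothetical name, the -l to -L/-A/-S mapping is inferred from the mode descriptions, and only the configuration options are covered, not the mask actions (-a, -d, -m, -o).

```sh
#!/bin/sh
# Added example, not IBM code: lint a proposed onaudit argument list against
# the option table. Prints one finding per line; returns 1 on any ERROR.
up()  { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
# Symbolic names are accepted with or without LOG_ and in any case.
sym() { s=$(up "$1"); printf 'LOG_%s' "${s#LOG_}"; }

lint_onaudit() {
    rc=0; OPTIND=1
    while getopts ":l:e:p:R:s:E:L:A:S:P:F:I:O:cnqh" opt; do
        case "$opt" in
        l)  # Assumption: -L/-A/-S equivalents inferred from the mode descriptions.
            case "$OPTARG" in
            0) new="-L 0 -A 0 -S 0" ;; 1) new="-L 1 -A 0 -S 0" ;;
            3) new="-L 1 -A 0 -S 1" ;; 5) new="-L 1 -A 1 -S 0" ;;
            7) new="-L 1 -A 1 -S 1" ;; *) new="" ;;
            esac
            if [ -n "$new" ]; then echo "WARN: -l is deprecated, use $new"
            else echo "ERROR: -l $OPTARG is not a documented audit mode"; rc=1; fi ;;
        e)  case "$OPTARG" in 0|1|3) ;; *) echo "ERROR: -e must be 0, 1 or 3"; rc=1 ;; esac ;;
        R)  case "$OPTARG" in 0|1|2) ;; *) echo "ERROR: -R must be 0, 1 or 2"; rc=1 ;; esac ;;
        s)  case "$OPTARG" in
            ''|*[!0-9]*) echo "ERROR: -s must be a byte count"; rc=1 ;;
            *) [ "$OPTARG" -ge 10240 ] || echo "WARN: -s $OPTARG will be raised to 10240" ;;
            esac ;;
        E|L|A|S)
            case "$(up "$OPTARG")" in
            0|OFF|FALSE|DISABLE|NO|1|ON|TRUE|ENABLE|YES) ;;
            *) echo "ERROR: -$opt $OPTARG is not an on/off value"; rc=1 ;;
            esac ;;
        F)  case "$(sym "$OPTARG")" in
            LOG_USER|LOG_LOCAL[0-7]|LOG_AUTH|LOG_AUTHPRIV) ;;
            *) echo "WARN: $(sym "$OPTARG") is not a suggested facility" ;;
            esac ;;
        P)  [ "$(sym "$OPTARG")" != LOG_EMERG ] || echo "WARN: LOG_EMERG should not be used" ;;
        I)  if [ "${#OPTARG}" -gt 128 ]; then echo "ERROR: -I exceeds 128 characters"; rc=1
            elif [ "${#OPTARG}" -gt 32 ]; then echo "WARN: -I exceeds the recommended 32 characters"; fi ;;
        O)  # Assumption: several openlog() options arrive as one argument.
            case "$(up "$OPTARG")" in *NDELAY*ODELAY*|*ODELAY*NDELAY*)
                echo "ERROR: LOG_NDELAY and LOG_ODELAY are mutually exclusive"; rc=1 ;;
            esac ;;
        p|c|n|q|h) ;;
        *)  echo "ERROR: -$OPTARG is not a configuration option, or lacks its value"; rc=1 ;;
        esac
    done
    return "$rc"
}
```

Call it with the arguments intended for onaudit, for example `lint_onaudit -l 7` in a change-review script, and run the real command only when it returns 0.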

Example 1: Start auditing

The following command starts classic auditing of all sessions specified by audit masks (without mandatory auditing for DBSA or DBSSO users):

onaudit -L 1

Example 2: Stop auditing

The following command stops classic auditing for sessions started after the command is run:

onaudit -L 0

Example 3: Change the audit configuration

The following command changes the error mode to 3 (shut down the server if an error occurs while writing audit log records), enables classic auditing, sets the mandatory DBSSO auditing mode on, and starts a new audit file:

onaudit -e 3 -n -L 1 -S 1

Example 4: Audit selected tables

The following command continues auditing all tables that have the AUDIT flag and stops auditing all other tables:

onaudit -R 1

Example 5: Enable Audit to Syslog

The following command enables ASL auditing and enables both the mandatory DBSSO auditing mode and the mandatory DBSA auditing mode, without changing whether classic auditing is enabled. Note that mandatory auditing affects both classic and ASL auditing.

onaudit -E on -S on -A on