The onaudit utility: Configure audit masks

Use the onaudit utility to add, modify, delete and display audit masks.

Syntax

onaudit -a <audit mask specification>
onaudit -m <audit mask specification>
onaudit -f file
onaudit -d [-u usermask] [-y]
onaudit -o [-u usermask] [-y]

Audit mask specification:

    -u mask [-r basemask] [-e [+|-]eventspec[,eventspec...]] ...

where each eventspec is one of:

    event     audit the event whether it succeeds or fails
    Fevent    audit failed attempts only
    Sevent    audit successful attempts only

Element, purpose and key considerations

-a
    Purpose: Adds an audit mask.
    Key considerations: None.

-f
    Purpose: Loads an input file containing a list of audit masks to be added to the audit trail.
    Key considerations: The file must use the correct input-file format.

-d
    Purpose: Specifies that an audit mask is to be deleted.
    Key considerations: None.

-m
    Purpose: Modifies an existing audit mask.
    Key considerations: None.

-o
    Purpose: Outputs a list of all the audit masks that have been configured in the database server.
    Key considerations: None.

-r basemask
    Purpose: Specifies the name of an existing basemask from which you can derive events to apply to a new targetmask.
    Key considerations: Subsequent changes to the basemask are not reflected in the target audit masks. If no basemask is specified and no events are specified with the -e option, an empty target mask is created.

-e
    Purpose: Indicates that audit events are to be added to or removed from the specified targetmask.
    Key considerations: Events specified as arguments to -e override events listed in any base mask specified with the -r option.

-u usermask
    Purpose: Names a specific mask.
    Key considerations: _default, _require, and _exclude are keywords in the system; a template or user mask can have one of these names, and the server processes such masks in a predefined order. The usermask is limited to 32 or fewer bytes.

-y
    Purpose: Automatically responds yes to the confirmation prompt.
    Key considerations: None.

event
    Purpose: Specifies an event to audit, whether the event execution succeeds or fails.
    Key considerations: The event must be listed in Audit event codes and fields.

Fevent
    Purpose: Specifies that only failed event attempts are to be audited.
    Key considerations: The event must be listed in Audit event codes and fields.

Sevent
    Purpose: Specifies that only successful event attempts are to be audited.
    Key considerations: The event must be listed in Audit event codes and fields.

Usage

Before you try to run the onaudit utility to manipulate audit masks, ensure that the server is running, and that you hold the DBSSO role.

All the options of this utility must be entered as shown because they are case-sensitive.

For a high-availability cluster, the audit mask must be created on the primary server. All of the servers in the cluster use the audit mask on the primary server.

Run the onaudit command with the -a option when you want to add one or more audit masks to an audit trail. Note that _default, _require, and _exclude are keywords that the server understands and processes in a particular order.

Attention: Even though _default, _require, and _exclude are stored as keywords in the system, they are not automatically defined. You must explicitly create them and add events to them before trying to use these audit masks.

Run the onaudit command with the -f option to load an existing input file that contains a listing of audit masks. The format of this input file's contents is:

<mask_name> <base_mask> <event_list>

A hyphen (-) is used in places where the base mask is unavailable.

Run the onaudit command with the -d option to delete a specified audit mask. When you select the -d option of the onaudit utility:

  • The -y option is used to respond yes to all prompts.
  • If the -u mask option is omitted, all masks are deleted, including the _default, _require, and _exclude masks.
  • If the -y or the -u option is omitted, the onaudit utility requests confirmation that this is intentional, so that you do not accidentally delete all user masks.

Use the -m option of the onaudit command when you must modify an existing audit mask. Use a plus (+) sign to add an event to an audit mask or use the hyphen (-) sign to delete an event from a mask. Use a comma (,) to separate multiple events that are being added to the mask. Do not add any spaces between the comma and the event mnemonics.

If no sign is specified before an event mnemonic, the event is added to the mask.

The -o option of the onaudit command sends information about the mask to standard output. When you select the -o option of the onaudit utility:

  • The -y option is used to respond yes to all prompts.
  • If the -u mask option is omitted, all masks are displayed.
  • If the -y or the -u option is omitted, onaudit requests confirmation before it displays all the masks, because doing so can produce a large amount of output.

The output is displayed in the following format, which is identical to the format of input files:

<mask_name> <base_mask> <event_list>

A hyphen (-) is used in places where the base mask is unavailable.

Run the command with the -r option to copy all of the events associated with the specified base mask (which can be a system mask) to a new target mask.

The -u option of the onaudit command can be used in combination with the -a, -d, -m, and -o options.

Example 1: Add an audit mask

The following example creates a template mask named pat with events CRTB (CREATE TABLE) and RVLB (REVOKE SECURITY LABEL) defined. The -a option is used to create the mask. The -u option is used to identify the mask name. The -e option is used to list the events defined in the mask.

onaudit -a -u pat -e +CRTB,RVLB

Example 2: Load a file containing one or more audit masks

The following example loads the masks defined in the input file named masks_feb.

onaudit -f /work/masks_feb

Example 3: Delete an audit mask

The following example shows how to delete the _default audit mask:

onaudit -d -u _default

Example 4: Modify an audit mask

The following example modifies the _default audit mask by adding the GRXM (GRANT EXEMPTION) event and deleting the CRTB (CREATE TABLE) event:

onaudit -m -u _default -e +GRXM, -e -CRTB

Example 5: Display an audit mask

The following example shows how to display the audit mask for the user pat. The output shows that the individual user mask contains the audit events LKTB (LOCK TABLE), CRTB (CREATE TABLE), and failed attempts to ADCK (ADD CHUNK):

onaudit -o -u pat

The following is the output of the sample command:

pat              -        LKTB,CRTB,FADCK

Example 6: Derive an audit mask

The following example creates a new user mask named pat. The new mask derives the events specified in the _secureL template mask, but excludes RDRW (READ ROW) and includes LKTB (LOCK TABLE), successful attempts to ADCK (ADD CHUNK), and all attempts to CRTB (CREATE TABLE):

onaudit -a -u pat -r _secureL -e -RDRW, -e +LKTB,SADCK,CRTB
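Added example (Python, not IBM's onaudit code): a small model of the mask-file line format (<mask_name> <base_mask> <event_list>) and of the -r/-e derivation rules described under Usage, run over the command in Example 6. The events of the _secureL template are constructed, because the page does not list them; the same apply_event_spec routine models what -m does to an existing mask.

```python
# An audit mask is modelled as dict: event code -> "both" | "failure" | "success"
OUTCOMES = {"F": "failure", "S": "success"}   # Fevent / Sevent qualifiers
PREFIX = {"both": "", "failure": "F", "success": "S"}

def parse_event(token: str) -> tuple:
    """'FADCK' -> ('ADCK', 'failure'); 'ADCK' -> ('ADCK', 'both')."""
    if len(token) == 5 and token[0] in OUTCOMES and token[1:].isalpha():
        return token[1:], OUTCOMES[token[0]]
    if len(token) == 4 and token.isalpha():
        return token, "both"
    raise ValueError(f"malformed event mnemonic: {token!r}")

def apply_event_spec(mask: dict, spec: str) -> dict:
    """One -e argument: optional + or -, then comma-separated events with no
    spaces. Unsigned events are added; a trailing comma is tolerated."""
    sign = spec[0] if spec[:1] in ("+", "-") else "+"
    for token in filter(None, spec.lstrip("+-").split(",")):
        code, outcome = parse_event(token)
        if sign == "-":
            mask.pop(code, None)
        else:
            mask[code] = outcome      # an S/F-qualified event replaces the base's entry
    return mask

def derive_mask(masks: dict, name: str, base, specs) -> dict:
    """onaudit -a -u name [-r base] -e spec...: snapshot the base's events, apply -e."""
    if len(name.encode()) > 32: raise ValueError("usermask is limited to 32 bytes")
    mask = dict(masks[base]) if base else {}   # copy: later base changes are not reflected
    for spec in specs:
        apply_event_spec(mask, spec)
    masks[name] = mask
    return mask

def format_mask_line(name: str, base, mask: dict) -> str:
    """<mask_name> <base_mask> <event_list>; '-' stands for no base mask."""
    events = ",".join(PREFIX[o] + code for code, o in mask.items())
    return f"{name:<16} {base or '-':<8} {events}"

def parse_mask_line(line: str) -> tuple:
    """Inverse of format_mask_line, for -f input files and -o output."""
    parts = line.split() + [""]
    base = None if parts[1] == "-" else parts[1]
    return parts[0], base, apply_event_spec({}, parts[2])

# Constructed template mask: the page does not list _secureL's own events.
MASKS = {"_secureL": {"RDRW": "both", "CRTB": "both", "ADCK": "failure"}}
def example6() -> str:
    """onaudit -a -u pat -r _secureL -e -RDRW, -e +LKTB,SADCK,CRTB"""
    mask = derive_mask(MASKS, "pat", "_secureL", ("-RDRW,", "+LKTB,SADCK,CRTB"))
    return format_mask_line("pat", "_secureL", mask)
```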