Audit masks

Audit masks specify those events that the database server must audit. You can include any event in a mask. The masks are associated with user IDs, so that specified actions that a user ID takes are recorded. Global masks _default, _require, and _exclude are specified for all users in the system.

Before you use auditing, you must specify which audit events to audit. To specify audited events, add the events to the masks. You must also perform other tasks, which Audit administration, describes.

The database server does not provide auditing for objects or processes. For example, you cannot ask the database server to audit all access attempts on a certain object. You can, however, filter audit records from the audit trail based on objects with the audit-analysis tools, which Audit analysis, describes.

Audit masks after installation represents a set of audit masks. The actual masks and their features are explained in Audit masks and audit instructions.
Figure 1: Audit masks after installation

This figure shows three audit masks inside the database server: _require, _exclude_ and _default.

After installation is complete, you can create the audit masks and turn on auditing.

Important: If auditing is off, the database server does not audit any events, even if events are specified in the masks.

In addition to the three masks that Audit masks after installation shows, you can specify user masks for individual users. You can use user masks to audit some users more than others and target different types of activities for different users. Except for the audit administrator who maintains the masks, a user cannot tell which events are being audited. For a description of user masks, see User masks.

You can also create template masks for creating new user masks. For a description of template masks, see Template masks.

Masks and their events are called auditing instructions, as The auditing instructions shows. You have significant flexibility regarding the auditable facets of HCL OneDB™. You can select anything from minimal audit instructions, in which no events are audited, to maximal audit instructions, in which all security-relevant database server events are audited for all users.
Figure 2: The auditing instructions

This figure shows global audit masks and user audit masks surrounded by auditing instructions.

After you define the auditing instructions and turn on auditing, you can modify one or more audit masks as requirements change and you identify potential security threats. For information about how to change audit masks, see Audit administration.