sybsecurity database
These system tables contain the audit trail. Only one table at a time is active. The active table is determined by the value of the current audit table configuration parameter. An installation can have as many as eight audit tables. For example, if your installation has three audit tables, the tables are named sysaudits_01, sysaudits_02, and sysaudits_03. An audit table contains one row for each audit record.
The columns for sysaudits_01 – sysaudits_08 are:
Name |
Datatype |
Description |
|---|---|---|
event |
smallint |
Type of event being audited. |
eventmod |
smallint |
Further information about the event. Possible values are:
|
spid |
smallint |
Server process ID of the process that caused the audit record to be written. |
int for the Cluster Edition |
||
eventtime |
datetime |
Date and time of the audited event. |
sequence |
smallint |
Sequence number of the record within a single event; some events require more than one audit record. |
suid |
smallint |
Server login ID of the user who performed the audited event. |
dbid |
int null |
Database ID in which the audited event occurred or the object/stored procedure/trigger resides, depending on the type of event. |
objid |
int null |
ID of the accessed object or stored procedure/trigger. |
xactid |
binary(6) null |
ID of the transaction containing the audited event. For a multidatabase transaction, this is the transaction ID from the database where the transaction originated. |
loginname |
varchar(30) null |
Login name corresponding to the suid. |
dbname |
varchar(30) null |
Database name corresponding to the dbid. |
objname |
varchar(255) null |
Object name corresponding to the objid. |
objowner |
varchar(30) null |
Name of the owner of objid. |
extrainfo |
varchar(255) null |
Additional information about the audited event. This field contains a sequence of items separated by semicolons. See Table 1-2. |
nodeid |
tinyint null |
Reserved for future use (not available for cluster environments) |
instanceid |
tinyint |
ID of the instance (available only for cluster environments) |
Because of this change in the datatypes for the Cluster
Edition, Sybase strongly recommends that you archive and truncate
audit tables before you upgrade. This reduces the likelihood of
a failed upgrade because of insufficient space in the sybsecurity database.
The extrainfo column contains a sequence of items separated by semicolons as shown in Table 1-2:
Item |
Contents |
|---|---|
Roles |
Lists the roles that are active. The roles are separated by blanks. |
Keywords or options |
The name of the keyword or command option that was used for the event. For example, for the alter table command, the options add column or drop constraint might be used. Multiple keywords or options are separated by commas. |
Previous value |
The value prior to the update if the event resulted in the update of a value. |
Current value |
The new value if the event resulted in the update of a value. |
Other information |
Additional security-relevant information that is recorded for the event. |
Proxy information |
The original login name, if the event occurred while a set proxy was in effect. |
Principal information |
The principal name from the underlying security mechanism, if the user’s login is the secure default login, and the user logged in to Adaptive Server using unified login. The value of this field is NULL, if the secure default login is not being used. |
An example of an extrainfo column for the security-relevant event of changing an auditing configuration parameter might be:
sso_role;suspend auditing when full;1;0;;;;
This example indicates that a system security officer changed the configuration parameter suspend auditing when full from 1 (suspend all processes that involve an auditing event) to 0 (truncate the next audit table and make it the current audit table).
