sp_audit

Description

Allows a system security officer to configure auditing options.

Syntax

sp_audit option, login_name, object_name [,setting]

Or:

sp_audit 'restart'

Parameters

option

is the name of the auditing option to set. Table 1-3 lists the valid auditing options.

Table 1-3: Auditing options for sp_audit

adhoc – Allows users to use sp_addauditrecord to add their own user-defined audit records to the audit trail.

all – Audits all actions performed by a particular user or by users with a particular role. System roles can be specified only with this option.

  Note: Auditing all actions does not affect whether users can add ad hoc audit records.

alter – Audits the execution of the alter table or alter database commands.

bcp – Audits the execution of the bcp in utility.

bind – Audits the execution of the sp_bindefault, sp_bindmsg, and sp_bindrule system procedures.

cluster – Audits cluster commands.

cmdtext – Audits all actions of a particular user.

  Note: System stored procedure and command password parameters can be replaced with a fixed-length string of asterisks for security purposes. See “Hiding system stored procedure and command password parameters” for more information.

create – Audits the creation of database objects.

dbaccess – Audits access to the current database from another database.

dbcc – Audits the execution of any dbcc command.

delete – Audits the deletion of rows from a table or view.

disk – Audits the execution of disk init, disk refit, disk reinit, disk mirror, disk unmirror, and disk remirror.

drop – Audits the dropping of database objects.

dump – Audits the execution of dump database or dump transaction.

encryption_key – Audits create encryption key, sp_encryption, drop encryption key, and alter encryption key.

errors – Audits errors, whether fatal or not.

exec_procedure – Audits the execution of a stored procedure.

exec_trigger – Audits the execution of a trigger.

func_dbaccess – Audits access to a database via a Transact-SQL function.

func_obj_access – Audits access to a database object via a Transact-SQL function.

grant – Audits the execution of the grant command.

insert – Audits the insertion of rows into a table or view.

install – Audits the installation of Java classes.

load – Audits the execution of load database or load transaction.

login – Audits all login attempts into Adaptive Server.

login_locked – Audits the hostname and network IP address when a login account is locked due to exceeding the configured number of failed login attempts.

logout – Audits all logout attempts from Adaptive Server.

mount – Audits mount database commands.

network – Audits specific network-related events, such as listener events. The valid settings are:

  • on

  • off

  • pass

  • fail

quiesce – Audits quiesce database commands.

reference – Audits references between tables.

remove – Audits the removal of Java classes.

revoke – Audits the execution of the revoke command.

rpc – Audits the execution of remote procedure calls.

security – Audits the following security-relevant events:

  • Starting up or shutting down the server

  • Activating or deactivating a role

  • Issuing any of the following commands:

    • addcert

    • connect

    • create and drop login

    • dropcert

    • create, drop, alter, grant, and revoke role

    • kill

    • online database

    • set proxy

    • set session authorization

    • sp_configure

  • The functions listed in Table 1-4.

  • Using either of the functions:

    • valid_user

    • proc_role (from within a system procedure)

  • Regenerating the SSO passwords

select – Audits the execution of the select command.

setuser – Audits the execution of the setuser command.

table_access – Audits access to any table by a specific user.

transfer table – Audits the execution of the transfer table command.

truncate – Audits the execution of the truncate table command.

unbind – Audits the execution of sp_unbindrule, sp_unbindmsg, and sp_unbindefault.

unmount – Audits the execution of the unmount database command.

update – Audits updates to rows in a table or view.

view_access – Audits access to any view by a specific user.

Table 1-4: Functions that sp_audit security audits

  • config_admin

  • attr_notify

  • ha_check_alive

  • ha_retrestrictionclass

  • ha_hacluster_verify

  • ssl_admin

  • set_password

  • ha_add_companion

  • ha_getversion

  • ha_getrcs

  • js_wakeup

  • ws_admin

  • valid_user

  • ha_remove_companion

  • ha_failback

  • ha_setrcs

  • unlock_admin_account

login_name

specifies all, a system role, or the name of a specific login to be audited. A system role can be given here only when option is all; you cannot audit individual options for a system role.

object_name

is the name of the object to be audited. Valid values, depending on the value you specified for option, are:

See the System Administration Guide for more information about the object_name values that are valid with each option value.

setting

is the level of auditing. If you do not specify a value for setting, Adaptive Server displays the current auditing setting for the option. Valid values for the setting parameter are:

  • on – activates auditing for the specified option. Adaptive Server generates audit records for events controlled by this option, whether the event passes or fails permission checks.

  • off – deactivates auditing for the specified option.

  • pass – activates auditing for events that pass permission checks.

  • fail – activates auditing for events that fail permission checks.

If you specify pass for an option and later specify fail for the same option, or vice versa, the result is equivalent to specifying on. Adaptive Server generates audit records regardless of whether events pass or fail permission checks.

Settings of:

  • on or off – apply to all auditing options

  • pass and fail – apply to all options except cmdtext, errors, and adhoc. For these options, only on or off applies. The initial, default value of all options is off. If you select the cmdtext option to either pass or fail, Adaptive Server replaces the value with on.

restart

If the audit process is forced to terminate due to an error, sp_audit can be manually restarted by entering:

sp_audit restart

The audit process can be restarted only if no audit process is currently running and auditing has been configured to run by entering sp_configure "auditing", 1.
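The following isql session is an added example, not part of the Adaptive Server documentation, that walks through the setting semantics described above: enabling auditing, setting fail and then pass for the same option (which the page states is equivalent to on), displaying the current setting by omitting the setting argument, and the cmdtext restriction to on or off. It assumes the sybsecurity database is installed and that the session runs as a login with sso_role or the manage auditing privilege; the login name sa is used only as an illustration.

```sql
-- Added example (not from the Adaptive Server documentation).
-- Assumes auditing is installed and the caller has sso_role or manage auditing.
use master
go

-- Tell the server to run the audit process (also required before sp_audit restart)
sp_configure "auditing", 1
go

-- Start with failed login attempts only
sp_audit "login", "all", "all", "fail"
go

-- Adding pass for the same option later is equivalent to on:
-- both passing and failing events are now recorded
sp_audit "login", "all", "all", "pass"
go

-- Omitting setting displays the current value; expected to show on
sp_audit "login", "all", "all"
go

-- cmdtext accepts only on or off; pass (or fail) is replaced with on.
-- Password arguments in audited command text are masked with asterisks.
-- (sa is an illustrative login name.)
sp_audit "cmdtext", "sa", "all", "pass"
go

-- Confirm the replacement: expected to show on
sp_audit "cmdtext", "sa", "all"
go

-- Audit failed actions by anyone with sa_role (system roles only work with all)
sp_audit "all", "sa_role", "all", "fail"
go
```

Each sp_audit call that omits setting returns the option's current value, so the two display calls are the check that the fail-then-pass merge and the cmdtext substitution behaved as the page describes.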

Examples

Example 1

Sets the login_locked audit option to initiate auditing of hostname and network IP addresses when a login account is locked due to exceeding the configured number of failed login attempts:

sp_audit "login_locked","all","all","ON"

If the audit tables are full and the event cannot be logged, a message with the information is sent to the errorlog.

Monitoring the audit logs for the Locked Login event (112) helps to identify attacks on login accounts.

Example 2

Initiates auditing for SSL security-relevant events. Both successful and failed events are audited:

sp_audit "security", "all", "all", "on"

To view the events from sybsecurity:

select * from sybsecurity..sysaudits_01 where event=99
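As an added example that is not part of the Adaptive Server documentation, the queries below show how a security officer might review the records that Examples 1 and 2 produce: the Locked Login event (112) for spotting attacks on login accounts, and the security event (99). The event numbers come from the examples above; the column names eventtime, loginname, dbname, objname and extrainfo on sybsecurity..sysaudits_01 are assumed here and should be checked against the catalog of your server, as should the table name, since sp_addaudittable can create further sysaudits_0n tables.

```sql
-- Added example (not from the Adaptive Server documentation).
-- Assumed columns: event, eventtime, loginname, dbname, objname, extrainfo.
use sybsecurity
go

-- Locked Login events (112) from the last 24 hours. The extrainfo column is
-- where the login_locked option records the hostname and IP address, so this
-- is the view to watch for repeated lockouts from one source.
select eventtime, loginname, extrainfo
from sybsecurity..sysaudits_01
where event = 112
  and eventtime > dateadd(dd, -1, getdate())
order by eventtime desc
go

-- Logins with the most lockouts over the same window: a high count for one
-- account suggests password guessing rather than a forgotten password.
select loginname, count(*) as lockouts
from sybsecurity..sysaudits_01
where event = 112
  and eventtime > dateadd(dd, -1, getdate())
group by loginname
having count(*) > 1
order by lockouts desc
go

-- Security events (99) enabled by Example 2, most recent first, with the
-- database and object touched so that role and login changes stand out.
select eventtime, loginname, dbname, objname, extrainfo
from sybsecurity..sysaudits_01
where event = 99
order by eventtime desc
go
```

The 24-hour window and the having threshold of one lockout are arbitrary starting points; tune them to the lock-out policy configured on the server.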

Example 3

Displays the setting of the security auditing option:

sp_audit "security", "all", "all"

Example 4

Initiates auditing for the creation of objects in the master database, including create database:

sp_audit "create", "all", master, "on"

Example 5

Audits encryption key commands in the pubs2 database:

sp_audit "encryption_key", "all", "pubs2", "on"

Example 6

Initiates auditing for the creation of all objects in the db1 database:

sp_audit "create", "all", db1, "on"

Example 7

Initiates auditing for all failed executions by a system administrator:

sp_audit "all", "sa_role", "all", "fail"

Example 8

Initiates auditing for all updates to future tables in the current database. For example, if the current database is utility, all new tables created in utility will be audited for updates. The auditing for existing tables is not affected.

sp_audit "update", "all", "default table", "on"

Example 9

Initiates auditing for all transfer table commands entered for the titles table:

sp_audit "transfer table", "all", "titles", "on"

Usage

Hiding system stored procedure and command password parameters

When auditing is configured and enabled, and the sp_audit option 'cmdtext' is set, system stored procedure and command password parameters are replaced with a fixed length string of asterisks in the audit records contained in the audit logs.

For example, execute the following when auditing is enabled and sp_audit cmdtext is set:

sp_password 'oldpassword', 'newpassword'

This results in output similar to:

sp_password '******', '******'

This protects passwords from being seen by others with access to the audit log.

Permissions

The permission checks for sp_audit differ based on your granular permissions settings.

Granular permissions enabled

With granular permissions enabled, you must be a user with manage auditing privilege.

Granular permissions disabled

With granular permissions disabled, you must be a user with sso_role.

Auditing

Values in the event and extrainfo columns of the sysaudits table are:

Event: 38

Audit option: exec_procedure

Command or access audited: Execution of a procedure

Information in extrainfo:

  • Roles – Current active roles

  • Keywords or options – NULL

  • Previous value – NULL

  • Current value – NULL

  • Other information – All input parameters

  • Proxy information – Original login name, if set proxy is in effect

See also

Documents: For more information about configuring Adaptive Server for auditing, see sp_configure in the System Administration Guide.

System procedures: sp_addauditrecord, sp_configure, sp_addaudittable

Utility commands: bcp