Access to the Audit Trail

Standard users should not be able to view or alter audit files. The audit trail (that is, the audit files) should be accessed only with the onshowaudit utility, which has its own protection, as follows:

• With role separation on, only an AAO can run onshowaudit.
• With role separation off on UNIX, only user informix, a member of the informix group, or user root can run onshowaudit.

Access to Audit Files on UNIX

The following characteristics control access to audit files in a UNIX environment and protect them from being accidentally read or destroyed:

Ownership:

informix

Group ID:

same as $INFORMIXDIR/aaodir

Permissions:

660

The following examples show the security configuration for UNIX audit files with no role separation:

aaodir

Ownership:

informix

Group ID:

informix

Permissions:

775

aaodir/adtcfg.std

Ownership:

informix

Group ID:

informix

Permissions:

644

The following examples show the UNIX security configuration with role separation:

aaodir

Ownership:

informix

Group ID:

<aao_group>

Permissions:

775

aaodir/adtcfg.std

Ownership:

informix

Group ID:

<aao_group>

Permissions:

644

Access to Audit Records on Windows

The following examples show how to control access to the Windows audit file:

aaodir

Ownership:

informix

Group ID:

Administrator

aaodir\adtcfg.std

Ownership:

database server administrator

Group ID:

Administrator