Creating Audit Masks

Home | Previous Page | Next Page Audit Administration > Audit Mask Maintenance >

Creating Audit Masks

You can create masks that more closely match the types of activities that individual users perform than do default and global masks. To create individual user masks, specify user IDs as mask names. To create template masks, preface the name of a mask with an underscore (_). Overview of Auditing describes template masks and user masks.

You specify events in the mask when you create it, using the audit events from the alphabetical listing in the table Audit-Event Mnemonics for IBM Informix Dynamic Server. You specify events for customized (template and user) audit masks the same way that you do for the _default, _require, and _exclude audit masks.

For example, you might want to create three template masks with different levels of security: _low, _medium, and _high. Alternatively, you might need just two templates for familiar and unfamiliar users that you copy to individual user masks: _guest and _trusted.

Creating a Template Mask

Use the onaudit utility to create template audit masks; Utility Syntax shows the syntax. The following example shows how to create a template mask called _guest with the audit events Create Database, Grant Database Access, and Grant Table Access:

onaudit -a -u _guest -e +CRDB,GRDB,GRTB

Creating a User Mask from a Template Mask

A mask that is used as the foundation for one or more other masks is referred to as a base mask. Once you create a template mask for a given user category, you can use it as the basis of masks for individual users, adding or removing only the audit events that differ for each user.

The following example creates a user mask for the user terry, based on the _guest template mask:

onaudit -a -u terry -r _guest -e -CRDB

The terry mask has the same audit events as the _guest mask, except for the CRDB (Create Database) audit event, which was removed.

Instead of template masks, you can also use existing user _default, _require, and _exclude masks as base masks.

Tip:

If you use a template or user mask as a base mask for another mask, the new mask inherits the events in the base mask. The new mask does not refer to the base mask dynamically. Future changes to the base mask are not reflected in other masks that might have been created or modified with that mask as a base.

Creating a User Mask Without a Template Mask

You can create user masks without a template mask. The following example creates a mask for the user pat with the Show Table Statistics event and the failed attempts of the Alter Table event:

onaudit -a -u pat -e +SSTB,FALTB

For the syntax for creating a user mask and another example, see Utility Syntax.

Adding One or More Masks Using an Input File

You can use the onaudit utility to add one or more masks to the mask table with instructions from a file that has the same format as the output of onaudit -o. The following command reads a file in /work/audit_up and adds audit masks to the mask table according to the instructions in that file:

onaudit -f /work/audit_up

Figure 6 shows an example of an input file. The syntax for the input file is explained in Utility Syntax.

Figure 6. Example Input File

kickt         _secure1
jacks         -         +ADCK,SRDRW,GRDB,OPDB
pat         _secure2          +ALTB -CRTB,CRIX,STSN
jaym         -
johns         akee         -SALIX

The example input file in Figure 6 includes the following information:

In the first line, the instructions specify auditing for user kickt in the new template _secure1.
The second line creates a new mask called jacks, which contains the events Add Chunk (ADCK), successful attempts at Read Row (SRDRW), and all attempts at Grant Database Access (GRDB) and Open Database (OPDB).
In the third line, the user pat is audited for all events that are specified in the template _secure2, and also for all attempts at Alter Table (ALTB), but not for attempts at Create Table (CRTB), Create Index (CRIX), and Start New Session (STSN).
No template is specified for the target mask jaym in the fourth line, and no events are indicated; the mask is empty. (This prevents the _default mask from being applied to jaym.)
In the fifth line, the target mask johns audits the same events as the mask akee, minus all successful attempts at Alter Index (SALIX).

Important:

Future changes to a base mask are not reflected in other masks that might have been created or modified with that mask as a base.

An example of an audit mask input file, adtmasks.std, is provided in the $INFORMIXDIR/aaodir UNIX directory or in the %INFORMIXDIR%\aaodir Windows directory. The adtmasks.std file is intended only to serve as a guide to the DBSSO for how to set up an audit mask.

Audit masks do not work the same way as audit configuration parameters during initialization of the database server. (See Audit Configuration and the ADTCFG File.) Specifically, audit masks are not automatically read from a file and initialized.