Security Audit of Informix database (1)

Source: Internet
Author: User
Tags: informix

The Informix Dynamic Server provides two levels of access privileges to secure a database. Database privileges control access to the database and the right to create tables and indexes in it. Table privileges specify the actions a user may perform on a specific table.

The Informix Dynamic Server supports table-level security for modification, insertion and deletion, and adds column-level security for updates and queries. Dedicated statements (GRANT and REVOKE) give users the appropriate base-level privileges or take them away. Because Informix enforces security at the user level, no separate database logon is required.

Stored procedures provide an additional security mechanism because they carry their own permissions, separate from database permissions. The owner of a stored procedure grants a user permission to execute it; the user can then perform all of the SQL operations inside the procedure while still being restricted from other databases. Database administrators can improve system security by using stored procedures to restrict the operations users can perform on certain databases.
Security Audit

The security audit function of the INFORMIX Dynamic Server tracks and records the operations performed on each database object. It complies with the C2-level security requirements model proposed by the National Computer Security Center.
With it you can selectively monitor user activity in the system. The audit interface is driven from the command line or controlled by adjusting configuration parameters, and lets you specify which activities of which users to monitor.

Security audit lets you create event records of user activity in the database. These records can be examined for unusual or suspicious database activity.
Events that can be recorded include:
Successful or failed operations. You can record only successful operations, only failed operations, or both.
Connections to the OnLine system. You can record who established a connection and when.
System and database administration events. Administrative events such as adding dbspaces and chunks, archiving, granting and revoking permissions, and operations on the current transaction log can be audited.
Database and table operations. Select, insert, update and delete statements can be audited, but auditing cannot be limited to operations on one particular table.
How does auditing work?
The administrator first creates an audit mask. An audit mask acts as a filter that decides whether an activity is audited. Audit masks are stored in the sysaudit table of the sysmaster database.
If you perform a database operation and that operation is being audited, OnLine automatically inserts a record into the audit log. The audit log is a UNIX file that stores audit records. It can grow very large, mainly depending on the number and type of operations included in the audit masks.
Each database user can have a separate user mask. In addition, the administrator can set a default mask that applies to users who do not have a user mask of their own.
Audit masks

An audit mask tells OnLine which events need to be audited. The audit mask types are as follows:
Individual masks. An individual mask is created for one user and audits that user's activities.

The default mask (_default). The default mask is used by any user who has no individual mask.
The required mask (_require). The required mask overrides the contents of the individual masks and the default mask: any event set in _require is audited regardless of whether it appears in the user's individual mask.
The exclude mask (_exclude). This mask also overrides the individual masks and the default mask: events it contains are not audited even if they appear in an individual mask or the default mask. It does not, however, override events in the _require mask.

You may want to audit experienced users less and other users more. To do so, create individual masks for the experienced users that contain fewer events, and a default mask for all other users that lists a more comprehensive set of events. The administrator must create all masks: _default, _require, _exclude, and the individual user masks.
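The precedence between the four mask kinds is easy to get wrong, so here is an added worked model of it in Python; it is not code from the page or from Informix. The four-letter event mnemonics and the convention that a leading S or F limits an entry to successful or failed attempts are assumptions made for the illustration, and the sample configuration is constructed to follow the advice above (a small individual mask for an experienced DBA, a broad default mask for everyone else):

```python
"""Model of how Informix audit masks combine for one user.

Added illustration, not code from the page or from Informix. Assumptions:
events are four-letter mnemonics (the names below are constructed samples),
and a leading 'S' or 'F' on a mask entry limits it to successful or failed
attempts only; an entry without a prefix covers both outcomes.
"""
from __future__ import annotations

from dataclasses import dataclass, field

OUTCOMES = ("S", "F")  # S = successful attempt, F = failed attempt


def expand_entry(entry: str) -> set[tuple[str, str]]:
    """Turn one mask entry into (event, outcome) pairs.

    'INRW'  -> both outcomes of INRW
    'FINRW' -> only failed INRW
    """
    if len(entry) == 5 and entry[0] in OUTCOMES:
        return {(entry[1:], entry[0])}
    if len(entry) != 4:
        raise ValueError(f"bad mask entry: {entry!r}")
    return {(entry, outcome) for outcome in OUTCOMES}


def expand_mask(entries: list[str]) -> set[tuple[str, str]]:
    """Expand a whole mask (list of entries) into (event, outcome) pairs."""
    pairs: set[tuple[str, str]] = set()
    for entry in entries:
        pairs |= expand_entry(entry)
    return pairs


@dataclass
class AuditMasks:
    """The four mask kinds described in the text."""
    individual: dict[str, list[str]] = field(default_factory=dict)  # per user
    default: list[str] = field(default_factory=list)  # _default
    require: list[str] = field(default_factory=list)  # _require
    exclude: list[str] = field(default_factory=list)  # _exclude


def effective_mask(masks: AuditMasks, user: str) -> set[tuple[str, str]]:
    """Events actually audited for `user`.

    Precedence: the individual mask if one exists, else _default; _exclude
    removes events from that base; _require adds events and is never
    overridden by _exclude.
    """
    if user in masks.individual:
        base = expand_mask(masks.individual[user])
    else:
        base = expand_mask(masks.default)
    require = expand_mask(masks.require)
    exclude = expand_mask(masks.exclude) - require  # _require wins over _exclude
    return (base - exclude) | require


def is_audited(masks: AuditMasks, user: str, event: str, succeeded: bool) -> bool:
    """Would this attempt by `user` produce an audit record?"""
    return (event, "S" if succeeded else "F") in effective_mask(masks, user)


# Constructed sample configuration: the experienced DBA "alice" gets a small
# individual mask, everyone else the broad default mask.
SAMPLE_MASKS = AuditMasks(
    individual={"alice": ["GRDB", "RVDB", "FRDRW"]},  # grants, revokes, failed reads only
    default=["INRW", "UPRW", "DLRW", "RDRW", "CRTB"],  # row operations and table creation
    require=["ADSP"],          # adding a dbspace is always audited, for everyone
    exclude=["UPRW", "ADSP"],  # UPRW is dropped; ADSP stays because _require wins
)

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, sorted(effective_mask(SAMPLE_MASKS, user)))
```

Running it shows that alice is still audited for failed reads and for ADSP even though her individual mask is small, while bob (no individual mask) loses UPRW to the exclude mask but keeps ADSP.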
Audit roles

Starting with 7.10.UD1, audit roles allow auditing duties to be separated among users.
The Database System Security Officer (DBSSO) is responsible for maintaining the audit masks.
The Audit Analysis Officer (AAO) analyzes audit records to identify security issues.
For higher security, the DBSSO, AAO and OnLine administrator roles should be assigned to different people.
To set up role separation, the OnLine system administrator sets two environment variables: $DBSSOOWNER in the DBSSO login script and $AAOWNER in the AAO login script. When these two variables are set:
Only the AAO can enable or disable auditing.
Only the DBSSO can use the onaudit tool to maintain audit masks.
Setting up security audit

To set up security auditing:
1. Enable auditing.
2. Set the audit parameters.
3. Create audit masks and audit events.
Enabling auditing
There are two ways to enable security auditing: use the onaudit tool, or set configuration parameters. Before 7.10.UD1 these parameters are set in the $ONCONFIG file; from 7.10.UD1 on they are set in the $INFORMIXDIR/aaodir/adtcfg file.
Security auditing is not enabled automatically when you first initialize, or shut down and restart, OnLine; you must enable it explicitly:
As user informix, run the following command: onaudit -l 1
Auditing then takes effect immediately for any new connections. The command also modifies the ADTMODE configuration parameter, so the setting automatically takes effect at the next OnLine startup as well.
You can also enable security auditing by setting the ADTMODE parameter to 1 by hand. After changing this configuration parameter you must restart OnLine for the change to take effect. Before OnLine 7.10.UD1 the parameter lives in the $ONCONFIG file; from that version on it is set in $INFORMIXDIR/aaodir/adtcfg, and more values are supported:
ADTMODE 1: audit records are written to the Informix audit log. DBSSO and DBSA activity is not audited automatically.
ADTMODE 2: audit records are written to the operating system audit log. This takes effect only if the operating system supports auditing. DBSSO and DBSA activity is not audited automatically.
ADTMODE 3: Informix audit log; all DBSSO activity is audited automatically.
ADTMODE 4: operating system audit log; all DBSSO activity is audited automatically.
ADTMODE 5: Informix audit log; DBSA activity is audited automatically.
ADTMODE 6: operating system audit log; DBSA activity is audited automatically.
ADTMODE 7: Informix audit log; all DBSSO and DBSA activity is audited automatically.
Setting the audit file parameters
1. Specify the audit file directory:
onaudit -p /work/audit
or, in the configuration file:
ADTPATH /work/audit
2. Specify the audit file size:
onaudit -s 50000
or, in the configuration file:
ADTSIZE 50000
Before creating audit masks, you must set two other audit parameters:
The audit file directory. Audit files store the audit records of all users. First create the directory, and make sure its permissions allow access only to the informix account.
While OnLine is running, you can change the audit directory with the following command: onaudit -p path
Here path is the directory in which the audit files are placed. The onaudit command also changes the value of the ADTPATH configuration parameter.
You can also edit the value of ADTPATH by hand, in which case you must shut down and restart OnLine for the change to take effect.
The default file size. OnLine limits the size of audit files through the ADTSIZE configuration parameter. When an audit file reaches ADTSIZE, a new audit file is created in the ADTPATH directory.
You can change the audit file size with the onaudit tool, which also updates the ADTSIZE configuration parameter (the value is in bytes):
onaudit -s 50000
You can also edit the value of ADTSIZE by hand, in which case you must shut down and restart OnLine for the change to take effect.
By limiting the size of audit files you can periodically archive or delete old ones. You can also start a new audit file before the current one is full by running: onaudit -n
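As an added example (not code from the page or from Informix), the following Python prepares an audit directory the way the text requires, checks it the way an auditor would (owner and mode), renders the corresponding adtcfg lines, and lists audit files old enough to archive. The informix account's uid is passed in rather than looked up, and the "NAME value" one-setting-per-line adtcfg format is assumed from the ADTPATH and ADTSIZE lines shown above:

```python
"""Prepare and check the Informix audit-log directory (ADTPATH).

Added example, not code from the page or from Informix. It implements the
requirement that the audit directory be accessible only by the informix
account: create it with mode 0700, then verify owner and mode. The expected
owner uid is a parameter (the uid of user `informix` on a real host).
"""
from __future__ import annotations

import os
import stat
import tempfile
import time


def prepare_audit_dir(path: str) -> None:
    """Create the directory for the audit files with owner-only access."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    # makedirs' mode is masked by the umask, so set the permission explicitly
    os.chmod(path, 0o700)


def audit_dir_findings(path: str, expected_uid: int) -> list[str]:
    """Return a list of problems with the audit directory; empty means OK."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["audit directory does not exist"]
    findings: list[str] = []
    if not stat.S_ISDIR(st.st_mode):
        findings.append("audit path is not a directory")
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} is not the expected uid {expected_uid}")
    perm = stat.S_IMODE(st.st_mode)
    if perm & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"group/other access bits are set: mode {perm:04o}")
    if (perm & stat.S_IRWXU) != stat.S_IRWXU:
        findings.append(f"owner lacks rwx on the directory: mode {perm:04o}")
    return findings


def adtcfg_lines(path: str, size_bytes: int, mode: int = 1) -> list[str]:
    """Render the adtcfg settings for mode, directory and file size.

    Assumes the 'NAME value' one-per-line format; modes 1..7 are the ones
    documented above.
    """
    if not 1 <= mode <= 7:
        raise ValueError("ADTMODE must be between 1 and 7")
    return [f"ADTMODE {mode}", f"ADTPATH {path}", f"ADTSIZE {size_bytes}"]


def audit_files_older_than(path: str, days: int, now: float | None = None) -> list[str]:
    """Files in ADTPATH not modified for `days` days: candidates for archiving."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    old: list[str] = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full) and os.stat(full).st_mtime < cutoff:
            old.append(full)
    return old


if __name__ == "__main__":
    # Demo against a throwaway directory instead of a real ADTPATH.
    demo_dir = os.path.join(tempfile.mkdtemp(), "audit")
    prepare_audit_dir(demo_dir)
    print("findings:", audit_dir_findings(demo_dir, os.getuid()))
    print("\n".join(adtcfg_lines(demo_dir, 50000)))
```

The check deliberately reports every problem it finds rather than stopping at the first one, so a single run of it against the real ADTPATH gives the full list of deviations from the owner-only requirement.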

