-- Data device for the sybsecurity database (the sysaudits tables live here).
-- size is in virtual pages unless a unit suffix is given -- verify for this
-- ASE version before sizing production devices.
disk init
    name = "auditdev",
    physname = "d:\Sybase\example\sybaud.dat",
    vdevno = 8,
    size = 5120
-- Separate device for the sybsecurity transaction log.
disk init
    name = "auditlogdev",
    physname = "d:\Sybase\example\syblg.dat",
    vdevno = 9,
    size = 1024
2、 安装审计(创建审计数据库)
-- Audit database: data on auditdev, log on its own device (auditlogdev).
-- Both devices come from the disk init statements above.
create database sybsecurity
    on auditdev
    log on auditlogdev
3、 安装审计(运行安装脚本)
rem NOTE(review): -Ppassword puts the sa password on the command line, where it
rem can appear in process listings and shell history; leaving -P out makes isql
rem prompt for it instead.  instsecu is the audit installation script.
c:\> isql -Usa -Ppassword -Sserver_name -iinstsecu
4、 安装审计(重新启动Sybase Adaptive Server)
安装审计后,在系统管理员或安全管理员通过审计系统过程启用审计之前,不会进行审计。
5、 安装审计(在sybsecurity中创建多个sysaudits表)
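-- Extra device for a third sysaudits table.
disk init
    name = "auditdev3",
    physname = "d:\sybase\example\auditdevw3.dat",
    vdevno = 11,
    size = 5120
go
-- Extend sybsecurity onto the new device so the additional audit table gets
-- its own segment.  A bare number here is presumably megabytes -- confirm
-- against the alter database syntax of the server version in use.
alter database sybsecurity on auditdev3 = 2
go
use sybsecurity
go
-- A procedure call that is not the first statement of its batch needs
-- "exec"; writing it always avoids a syntax error if statements are
-- later combined into one batch.
exec sp_addaudittable auditdev3
go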
(注:为每个sybaudit表重复上述步骤)
6、 设置阈值过程
启用审计之前,建立一个阈值过程,以便在当前审计表即将充满时切换到下一个审计表。
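create proc audit_thresh
as
/*
** Threshold procedure attached to each audit segment of sybsecurity.
** It rotates the current audit table and archives the table that just
** filled up into aud_db.dbo.audit_data.  The archived sysaudits table is
** only truncated when the copy succeeded, so a failed insert cannot
** silently discard audit records.
**
** Returns 0 on success, 1 if the copy into the archive table failed
** (the full sysaudits table is then left intact for a later retry).
**
** NOTE(review): the query examples further down use a database named
** audit_db, while the archive target here is aud_db -- make sure the
** archive database name matches what was actually created.
*/
declare @audit_table_number int
declare @copy_error int
select @copy_error = 0

/*
** Select the value of the current audit table (the one that is full).
*/
select @audit_table_number = value
from master.dbo.sysconfigures
where name = "current audit table"

/*
** Set the next audit table to be current.
** When the next audit table is specified as 0,
** the value is automatically set to the next one.
*/
exec sp_configure "current audit table", 0, "with truncate"

/*
** Copy the audit records from the audit table that became full into the
** archive table, then clear it.  @@error is captured right after each
** insert because the following statement resets it.  "select *" assumes
** that aud_db.dbo.audit_data has the same column layout as the sysaudits
** tables -- confirm this where audit_data is created.
*/
if @audit_table_number = 1
begin
    insert aud_db.dbo.audit_data
    select * from sysaudits_01
    select @copy_error = @@error
    if @copy_error = 0
        truncate table sysaudits_01
end
else if @audit_table_number = 2
begin
    insert aud_db.dbo.audit_data
    select * from sysaudits_02
    select @copy_error = @@error
    if @copy_error = 0
        truncate table sysaudits_02
end
else if @audit_table_number = 3
begin
    insert aud_db.dbo.audit_data
    select * from sysaudits_03
    select @copy_error = @@error
    if @copy_error = 0
        truncate table sysaudits_03
end
/* Any other value (including null) means there is nothing to archive. */

if @copy_error <> 0
    return(1)
return(0)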
7、 将阈值过程添加到每个审计段
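use sybsecurity
go
/*
** Attach audit_thresh to every audit segment so the table rotation runs
** when a segment has 250 free pages left.  Only the first procedure call
** in a batch may omit "exec"; the second and third calls need it or the
** batch fails with a syntax error and those thresholds are never created.
*/
exec sp_addthreshold sybsecurity, aud_seg_01, 250, audit_thresh
exec sp_addthreshold sybsecurity, aud_seg_02, 250, audit_thresh
exec sp_addthreshold sybsecurity, aud_seg_03, 250, audit_thresh
go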
到此,启用审计后,Adaptive Server将所有审计数据写入最初的当前审计表sysaudits_01中。
当sysaudits_01只剩250页便会充满时,阈值过程audit_thresh触发。此过程将当前审计表切换
为sysaudits_02,Adaptive Server立即开始将新的审计记录写入sysaudits_02;此过程还将
sysaudits_01中的所有审计数据复制到audit_db数据库中。
查询审计跟踪示例
1) 假设审计数据位于audit_db数据库中名为audit_data的表中。
要选择由“bob”于1999年7月5日所执行的审计记录
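use audit_db
go
-- Audit records for login "bob" on 5 July 1999.
-- A half-open datetime range replaces LIKE on the datetime column: a LIKE
-- pattern forces a string conversion whose format depends on server
-- settings and cannot use an index on eventtime.  (The earlier pattern
-- "Jul 5% 93" would have matched 1993; the year here follows the text.)
select * from audit_data
where loginname = "bob"
    and eventtime >= "Jul 5 1999"
    and eventtime < "Jul 6 1999"
go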
2) 下面的命令请求aca_db数据库中由具有sso_role角色的用户所执行命令的审计记录
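-- Audit records for commands run in pubs2 by users holding sso_role.
-- The closing quote on the extrainfo pattern was missing, which makes the
-- whole batch a syntax error.  A leading-% pattern cannot use an index, so
-- keep the dbname predicate to narrow the scan.
select * from audit_data
where extrainfo like "%sso_role%"
    and dbname = "pubs2"
go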
3) 下面的命令请求所有表截断(事件64)的审计记录
-- Audit records for every table truncation (audit event 64).
select *
from audit_data
where event = 64
go