
Kingbasees v8r3 data security case - audit record clearing case

2022-07-05 21:33:00 Kingbase Research Institute

Case description:
In the KingbaseES V8R3 database, no user has permission to delete audit records by default. The audit records are cleared automatically only after they have been dumped.

Applicable version: KingbaseES V8R3

Database version used in this case:

SECURITY=> select version();
                                                         VERSION
-------------------------------------------------------------------------------------------------------------------------
 Kingbase V008R003C002B0290 on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-46), 64-bit
(1 row)

1、 Audit parameters in the database configuration

[[email protected] data]$ cat kingbase.conf |grep audit
shared_preload_libraries = 'passwordcheck,sysaudit'             # (change requires restart)
sysaudit.enable = on

2、 Configure and enable auditing

# View the audit parameters
[[email protected] bin]$ ./ksql -U SYSSAO -W 12345678ab TEST
ksql (V008R003C002B0290)
Type "help" for help.

TEST=> \c SECURITY
You are now connected to database "SECURITY" as user "SYSSAO".


SECURITY=> show sysaudit.enable;
 sysaudit.enable
-----------------
 on
(1 row)

# Configure an audit rule:

SECURITY=> SELECT sysaudit.set_audit_stmt('select table', 'system', null, null);
 SET_AUDIT_STMT
----------------

(1 row)

# View the audit rules
SECURITY=> select * from sysaudit.all_audit_rules;
 AUDIT_ID | AUDIT_TARGET |  AUDIT_TYPE  | AUDIT_USERS | AUDIT_SCHEMA | AUDIT_OBJNAME | AUDIT_OBJOID | CREATOR_NAME
----------+--------------+--------------+-------------+--------------+---------------+--------------+--------------
    16530 | SQL          | select table | SYSTEM      |              |               |              | SYSSAO
(1 row)

3、 View audit records (as the SYSSSO user)

[[email protected] bin]$ ./ksql -U SYSSSO -W 12345678ab TEST
ksql (V008R003C002B0290)
Type "help" for help.

TEST=> \c SECURITY
You are now connected to database "SECURITY" as user "SYSSSO".
SECURITY=> select * from sysaudit_record_sso;
  SESSION_ID   | PROC_ID | VXID  | XID | USER_ID | USERNAME | REMOTE_ADDR | DB_ID | DB_NAME  | RULE_ID | RULE_TYPE | OPR_TYPE | OBJ_TYPE | SCHM_ID | SCHM_NAME | OBJ_ID | OBJ_NAME |                SQLTEXT                 | PARAMS | ERRCODE |                  ERRMSG                   |           AUDIT_TS            | RESULT  | RECORD_TYPE | AUD_CLIENT | SERVER_TYPE
---------------+---------+-------+-----+---------+----------+-------------+-------+----------+---------+-----------+----------+-----
 62b585a3.29c9 |   10697 | 5/457 |   0 |    9202 | SYSSAO   | [local]     |     0 | TEST     |         | EVENT     | LOGIN    |     |         |           |        |          |                                        |        |         | connection authorized                   | 2022-06-24 17:36:35.256000+08 | success |         600 | ksql       | M
 62b585ab.29e4 |   10724 | 4/146 |   0 |    9202 | SYSSAO   | [local]     |     0 | SECURITY |         | EVENT     | LOGIN    |     |         |           |        |          |                                        |        |         | connection authorized                   | 2022-06-24 17:36:43.439000+08 | success |         600 | ksql       | M
 62b585a3.29c9 |   10697 | 5/0   |   0 |    9202 | SYSSAO   | [local]     | 14928 | TEST     |         | EVENT     | LOGOFF   |     |         |           |        |          |                                        |        |         |                   | 2022-06-24 17:36:43.440000+08 | success |         600 | ksql       | M
 62b585ab.29e4 |   10724 | 4/151 |   0 |    9202 | SYSSAO   | [local]     | 15371 | SECURITY |         | EVENT     | SEMANTIC |     |         |           |        |          | delete from  sysaudit.all_audit_rules; |        | 55000   | cannot delete from view "ALL_AUDIT_RULES" | 2022-06-24 17:40:01.111000+08 | failure |         600 | ksql       | M
 62b585ab.29e4 |   10724 | 4/0   |   0 |    9202 | SYSSAO   | [local]     | 15371 | SECURITY |         | EVENT     | LOGOFF   |     |         |           |        |          |                                        |        |         |                   | 2022-06-24 17:43:53.438000+08 | success |         600 | ksql       | M
(5 rows)

4、 Delete audit records (permission denied, even for the syssao user)

SECURITY=> delete from sysaudit_record_sso;
ERROR:  permission denied for relation SYSAUDIT_RECORD

5、 Configure the audit dump directory auditlog_dump_dir (the directory must be created manually)

Reference: https://help.kingbase.com.cn/stage-api/profile/document/kes/v8r3/html/safety/safety-guide/safety-audit.html#id12 (KingbaseES official documentation)

[[email protected] bin]$ cat ../data/kingbase.conf|grep audit
shared_preload_libraries = 'passwordcheck,sysaudit'
sysaudit.enable = on
sysaudit.auditlog_dump_dir='/home/kingbase/audit_dump'

6、 Perform audit dump manually

[[email protected] bin]$ ./ksql -U SYSSAO -W 123456ab TEST
ksql (V008R003C002B0290)
Type "help" for help.

TEST=> show sysaudit.auditlog_dump_dir ;
 sysaudit.auditlog_dump_dir
----------------------------
 /home/kingbase/audit_dump
(1 row)

TEST=> \c SECURITY;
You are now connected to database "SECURITY" as user "SYSSAO".

SECURITY=> SELECT sysaudit.dump_auditlog(0);
 DUMP_AUDITLOG
---------------

(1 row)

SECURITY=> SELECT sysaudit.show_audlog_dump_file();
               SHOW_AUDLOG_DUMP_FILE
----------------------------------------------------
 (AUDIT_DUMP_FILE-2022-06-24_175144,"665564 bytes")
(1 row)

# View the dump file:
[[email protected] bin]$ cd ~/audit_dump/

[[email protected] audit_dump]$ ls -lh
total 652K
-rw-r--r-- 1 kingbase kingbase 650K Jun 24 17:51 AUDIT_DUMP_FILE-2022-06-24_175144

7、 View audit records (the original audit records have been cleared)

SECURITY=> select * from sysaudit_record_sso;
  SESSION_ID   | PROC_ID | VXID | XID | USER_ID | USERNAME | REMOTE_ADDR | DB_ID | DB_NAME  | RULE_ID | RULE_TYPE | OPR_TYPE | OBJ_TYPE | SCHM_ID | SCHM_NAME | OBJ_ID | OBJ_NAME | SQLTEXT | PARAMS | ERRCODE | ERRMSG |           AUDIT_TS            | RESULT  | RECORD_TYPE | AUD_CLIENT | SERVER_TYPE
---------------+---------+------+-----+---------+----------+-------------+-------+----------+---------+-----------+----------+------
 62b58921.5255 |   21077 | 6/0  |   0 |    9202 | SYSSAO   | [local]     | 15371 | SECURITY |         | EVENT     | LOGOFF   |    |         |           |        |          |         |        |         |        | 2022-06-24 17:52:44.144000+08 | success |    600 | ksql       | M
(1 row)


SECURITY=> select now();
              NOW
-------------------------------
 2022-06-24 17:53:33.509074+08
(1 row)
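As an added example that is not part of the original article, the following POSIX shell script checks the three kingbase.conf settings this case relies on and verifies that the dump directory exists and is usable before sysaudit.dump_auditlog is expected to clear records. Only the parameter names and the AUDIT_DUMP_FILE- file prefix from step 6 are taken from the article; the script itself and its helper names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the KingbaseES V8R3
# sysaudit settings before relying on dump-based clearing of audit records.
# Assumes kingbase.conf uses the keys shown above:
#   shared_preload_libraries, sysaudit.enable, sysaudit.auditlog_dump_dir

# Print the value of one parameter: strip trailing comments, whitespace and quotes.
# Values that themselves contain '#' are not supported by this simple parser.
conf_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g'); conf="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" \
        | sed 's/[[:space:]]*#.*$//' \
        | sed "s/^['\"]//; s/['\"][[:space:]]*$//" | tail -n 1
}

# Returns 0 when every check passes, otherwise the number of failed checks.
check_audit_conf() {
    conf="$1"; fails=0
    libs=$(conf_value shared_preload_libraries "$conf" | tr -d ' ')
    case ",$libs," in
        *,sysaudit,*) echo "ok:   sysaudit is in shared_preload_libraries" ;;
        *) echo "FAIL: sysaudit not in shared_preload_libraries ('$libs')"; fails=$((fails+1)) ;;
    esac
    if [ "$(conf_value sysaudit.enable "$conf")" = "on" ]; then
        echo "ok:   sysaudit.enable = on"
    else
        echo "FAIL: sysaudit.enable is not 'on'"; fails=$((fails+1))
    fi
    dir=$(conf_value sysaudit.auditlog_dump_dir "$conf")
    if [ -z "$dir" ]; then
        echo "FAIL: sysaudit.auditlog_dump_dir is not set"; fails=$((fails+1))
    elif [ ! -d "$dir" ]; then
        echo "FAIL: dump dir '$dir' does not exist (it must be created manually)"; fails=$((fails+1))
    elif [ ! -w "$dir" ]; then
        echo "FAIL: dump dir '$dir' is not writable by $(id -un)"; fails=$((fails+1))
    else
        echo "ok:   dump dir '$dir' exists and is writable"
        # After a dump the files here are the only copy of the cleared records,
        # so warn when anyone on the host could alter or remove them.
        case "$(ls -ld "$dir" | cut -c9)" in
            w) echo "WARN: dump dir '$dir' is world-writable" ;;
        esac
        echo "info: $(ls "$dir" | grep -c '^AUDIT_DUMP_FILE-') dump file(s) present"
    fi
    return "$fails"
}
```

Run it as `check_audit_conf /path/to/data/kingbase.conf` from the database owner's account so the writability check reflects the user that performs the dump.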

Copyright notice
This article was written by Kingbase Research Institute; when reposting, please include a link to the original. Thank you.
https://yzsam.com/2022/186/202207052127457036.html