Security Alarms

Security alarms allow you to specify the events to be recorded in the security audit log for individual tables and databases. Using them, you can place triggers on important databases and tables to detect when users attempt to perform access operations that are not normally expected.

For tables, you can monitor the success or failure of any of the following events:

• select
• delete
• insert
• update

For databases, you can monitor the success or failure of these events:

• connect
• disconnect

Security alarm events are considered successful if the user succeeds in performing the specified type of access. If a particular query triggers a security alarm event, however, it does not necessarily mean that the query completed successfully. It simply means that the security access tests for the specified types of events (for example, select, delete, insert, and update) were passed.

Failure of a security alarm event means that the user attempted to perform the associated operation and failed for some security-related reason. For example, a user can fail to gain access to a table or a database because he or she lacks the required permissions. A query or database operation might fail for other reasons, unrelated to security, but these failures do not trigger the associated security alarm event.

Security alarms can be assigned to specific authorization identifiers (individual users or the public, and groups and roles) so that you can limit monitoring to certain users. You can also specify a database event to be raised when a security alarm is triggered. Database Event Grants describes the database event permissions that you need to raise an event.

Ways to Work with Security Alarm Objects

In VDBA, security alarms are implemented using security alarm objects. Using the Security Alarm branch in the Database Object Manager window, you can:

• Create security alarm objects of various types for specific tables and databases
• View existing security alarm objects, including the detailed properties of each individual object
• Drop security alarm objects

For the detailed steps for performing these procedures, see the Procedures section of online help.

You can also accomplish these tasks using the create security_alarm, help security_alarm, and drop security_alarm SQL statements. For more information, see the SQL Reference Guide.

Implement a Security Alarm

To implement a security alarm, you need to follow these basic steps:

1. Create the security alarm using the appropriate Security Alarm branch in the Database Object Manager window of VDBA. For complete details, see online help.
2. Have an authorized user (such as the system administrator, DBA, or security administrator) issue the enable security_audit alarm statement to enable auditing of security alarms. You can also use enable security_audit to specify other types of auditing.

Then, whenever access to the specified database or table triggers the alarm, a record is written into the audit log and the associated database event, if any is defined, is raised.

Example: Define Security Alarm for a Table for Delete, Insert, and Update

To define a security alarm for the addresses table for all delete, insert, and update attempts, follow these basic steps.

1. In VDBA, open the Create Security Alarm dialog for the addresses table. For details, see the online help.
2. In the If group box, enable Success and Failure.
3. In the When group box, enable Delete, Insert, and Update.
4. Under On Table, ensure that the appropriate table is enabled. (The addresses table is enabled if its Security Alarms branch was selected when you opened the dialog.)
5. In the By group box, enable Public.
6. Click OK.

Example: Define Security Alarm for a Table No Longer in Use

This example shows how to create a security alarm for the all_summary table, which is no longer being used. In this case, all successful accesses to the table are to be audited, to allow a decision as to its possible archiving and deletion.

1. In VDBA, open the Create Security Alarm dialog for the all_summary table. For details, see the online help.
2. In the If group box, enable Success.
3. In the When group box, enable Select, Delete, Insert, and Update.
4. Under On Table, ensure that the appropriate table is enabled. (The all_summary table is enabled if its Security Alarms branch was selected when you opened the dialog.)
5. In the By group box, enable Public.
6. Click OK.

In each case, the appropriate security alarm objects are created and can be displayed by expanding the various Security Alarms sub-branches.