Sybase Recorder Reference Guide


eTrust Audit
Sybase Recorder Reference Guide
1.5 Service Pack 3
G002061E


This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. (“CA”) at any time.

This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies.

This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed.

To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage.

The use of any product referenced in this documentation and this documentation is governed by the end user’s applicable license agreement.

The manufacturer of this documentation is Computer Associates International, Inc.

Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.

© 2004 Computer Associates International, Inc. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.


System Prerequisites

• Solaris 2.6, 7, 8 or 9
• Thread patch 111177-02 for use with SMP Open Server
• Memory requirements: 64 MB minimum, 128 MB or more is preferred
• Disk free space: 20 MB
• Sybase Client 11.1 or 12.5

Pre-Installation Steps

1. Audit Client 1.5 SP3 should already be installed. The Sybase recorder will be installed on the same host.
2. The Audit Client 1.5 SP3 host should be installed with Sybase Client 11.1 (to work with Sybase server 11.x) or 12.5 (to work with Sybase server 12.x).
3. Policy Manager and Security Monitor should be installed from the latest EZFIX.


Sybase Recorder Installation and Setup

Solaris

The Sybase Recorder is part of the eTrust Audit Client Package. Before installing this recorder on UNIX, refer to Appendix A: Installing The Client Components on UNIX in the eTrust Audit Getting Started guide for pre-installation considerations and detailed steps.

Use the following procedure to install the Client components on UNIX:

1. Login to the UNIX machine as root.

2. Place the eTrust Audit Installation media into the CD-ROM drive, and change to the installation directory for the Client components for the version of UNIX you want to install as follows:

   cd /CDROM_MOUNT_POINT/eTrust/Audit/Client/version_of_UNIX

   where version_of_UNIX is one of the following:
   • Aix
   • Hpux
   • Linux
   • Solaris
   • Tru64

3. Use the ls command to view the contents of that directory. You will find three files in that directory, as follows:
   • A tar archive that contains the product install image: _xxxxxxxxxxxxxxxxxx.tar.Z, where xxxxxxxxxxxxxx in the above will be substituted for the platform and build designation.
   • An installation shell script named Install_eAuditClient.
   • An installation notes file named Install.txt.

4. While still logged in as root, begin installation by executing the install_eAuditClient shell script. From the shell prompt, enter the following command:

   ./install_eAuditClient

   The installation script begins.

5. Follow the instructions provided by the installation script. During installation, you will be prompted for the following information for each Sybase server:
   • Server logical name – enter a different section name in the recorder.ini file for each of the Sybase databases you want monitored by the Sybase Recorder.
   • Sybase home path – enter the Sybase OpenClient home directory.
   • Server name – enter the name of the Sybase server to which to connect.


   • Sybase userid – enter the name of the user that logs into the Sybase server.
   • Password – enter the password corresponding to the above userid.
   • OpenCS – enter the Sybase OpenClient directory:
     For Sybase OpenClient 11.1, specify the Sybase OpenClient home directory where the OpenClient is installed.
     For Sybase OpenClient 12.5, specify the Sybase OpenClient 12.5 OCS directory.

For Sybase server 11.03 (only), set MPFile = cfg/sybase1103.mp in the corresponding section of recorder.ini.

Note: Sybase OpenClient 11.1 can only run on Solaris 2.6 and 2.7.

Installation Validation

1. Check that the corresponding configuration section was created in the file /usr/eaudit/ini/recorder.ini (see example below).

   Example of a Sybase Recorder section in /usr/eaudit/ini/recorder.ini:

   sybase1
   {
   DWORD:Active = 1
   ModuleName = sybase
   LibraryPrefix = SYMD
   DWORD:SleepInterval = 1
   DWORD:SendInterval = 10
   DWORD:MaxSeqNoSleep = 50
   DWORD:ConnectAttemptsNum = 5
   DWORD:ConnectStartInterval = 300
   DWORD:ConnectMaxInterval = 3600
   DWORD:ConnectIntervalIncrem = 2
   Parameters
      {
      SYBASE = /work/sybase/sybase12.5
      OpenCS = /work/sybase/sybase12.5/OCS-12_5
      Server = audit1
      BINARY:Username = *BpWHe6h6XYCyyrMyl7MXny3K*9
      BINARY:Password = *BpWHe6h6Xswz3SRQi8hDGckY88wnqQBu9aXYw
      MPFile = cfg/sybase.mp
      DatFilePath = dat/recorders/sybase1.dat


      }
   }

   sybase2
   {
   DWORD:Active = 1
   ModuleName = sybase
   LibraryPrefix = SYMD
   DWORD:SleepInterval = 1
   DWORD:SendInterval = 10
   DWORD:MaxSeqNoSleep = 50
   DWORD:ConnectAttemptsNum = 5
   DWORD:ConnectStartInterval = 300
   DWORD:ConnectMaxInterval = 3600
   DWORD:ConnectIntervalIncrem = 2
   Parameters
      {
      SYBASE = /work/sybase/sybase12.5
      OpenCS = /work/sybase/sybase12.5/OCS-12_5
      Server = audit_server
      BINARY:Username = *BpWHe6h6X9CyyTMw44hB&2iDMe5nqQBu9aXYw
      BINARY:Password = q4K0OOVuJav3Ax0RMLom3RS&7aQ
      MPFile = cfg/sybase.mp
      DatFilePath = dat/recorders/sybase2.dat
      }
   }

2. Check that the recorder daemon is running:

   ps -ef | grep acrecorderd

3. Check for possible error messages in syslog (and/or Self-Monitor) to ensure that the connection was established.

Post-Installation

At bootup, the Sybase server is by default started at run level 3, while the Audit Recorder startup script, S77acrecorde, is started at run level 2. To avoid delayed reconnection (see the next section, “Reconnection to the Sybase Server”), the Audit Recorder startup script must be started after Sybase. This can be done using the eTrust Audit provided shell script, recorder_chglvl. Following is a description of how to use recorder_chglvl:


It is recommended to move the Audit Recorder startup script to run level 3. Simply enter the following command at the root prompt to move it to run level 3:

   recorder_chglvl

It is also possible to move it to a different run level, i.e. a different rc.d directory, by entering the following command at the root prompt:

   recorder_chglvl from_level to_level

After moving the Audit Recorder startup script to an appropriate level, future system reboots will run the recorder startup script after the Sybase server has been started. Apart from slow database recovery, which delays logical database startup, the Sybase recorder should connect to the Sybase database(s) as soon as it comes up.

To use the Sybase recorder, make sure the recorder daemon is running on the Audit Client host. Next, create and distribute the Sybase policy (if it wasn’t already distributed). The recorder will now send events to eTrust Audit according to the Sybase policy set forth. For policy creation, refer to Chapter 4 of the eTrust Audit Getting Started guide.

Reconnection to the Sybase Server

If the connection to the Sybase server is broken, the Sybase Recorder will automatically attempt to reconnect to the server. The number of attempts (ConnectAttemptsNum) is set by default to 5. The wait time will be set first to 5 minutes (ConnectStartInterval). The recorder will wait for this amount of time before trying to connect. If the first attempt fails, the wait time will be multiplied by a backoff factor called ConnectIntervalIncr. By default this factor is set to 2, which means the wait time will be doubled every time an attempt to connect fails. However, the wait time will be limited by ConnectMaxInterval, set by default to one hour.

The parameters ConnectAttemptsNum, ConnectStartInterval, ConnectMaxInterval and ConnectIntervalIncr are defined in the recorder.ini file for each server, and can be changed as needed.

For example, using the default values of these parameters, after the connection is severed the recorder will wait for 5 minutes (ConnectStartInterval) before trying to re-connect (1st attempt). If the 1st attempt fails, the wait time will be multiplied by 2 (ConnectIntervalIncr). In this case, the recorder will wait for 10 minutes and then try to connect again (2nd attempt). For the 3rd attempt, it will wait for 20 minutes and try to re-connect, and so on.
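The following Python script is an added example (not part of eTrust Audit or CA's code) that parses a recorder section in the nested layout shown under Installation Validation and works out the reconnection wait schedule described above from the section's Connect* values. It assumes the intervals are in seconds and reads the backoff factor under the key ConnectIntervalIncrem, as spelled in the sample section (the text above calls it ConnectIntervalIncr); the sample section it parses is constructed and trimmed.

```python
"""Parse a recorder.ini recorder section and compute its reconnection schedule.

Added example, not CA's code. Handles the "name { key = value }" layout with
DWORD:/BINARY: type prefixes shown in the guide's sample section, and applies
the backoff rule from "Reconnection to the Sybase Server". Assumptions: the
interval keys are seconds, the factor key is spelled ConnectIntervalIncrem
as in the sample, and SAMPLE_INI below is a constructed, trimmed section.
"""

SAMPLE_INI = """\
sybase1
{
DWORD:Active = 1
DWORD:ConnectAttemptsNum = 5
DWORD:ConnectStartInterval = 300
DWORD:ConnectMaxInterval = 3600
DWORD:ConnectIntervalIncrem = 2
Parameters
{
Server = audit1
BINARY:Username = OBFUSCATED_PLACEHOLDER
MPFile = cfg/sybase.mp
}
}
"""

def parse_recorder_ini(text):
    """Return nested dicts, e.g. {"sybase1": {"Active": 1, "Parameters": {...}}}."""
    root, stack, pending = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "{":                       # open the block named on the previous line
            block = {}
            (stack[-1] if stack else root)[pending] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            typ, _, key = key.rpartition(":")   # strip the DWORD:/BINARY: prefix
            stack[-1][key] = int(value) if typ == "DWORD" else value
        else:
            pending = line                    # block name; a "{" line follows
    return root

def reconnect_schedule(section):
    """Seconds the recorder waits before each attempt: start, then x factor, capped."""
    wait = section["ConnectStartInterval"]
    factor = section["ConnectIntervalIncrem"]
    cap = section["ConnectMaxInterval"]
    waits = []
    for _ in range(section["ConnectAttemptsNum"]):
        waits.append(min(wait, cap))
        wait *= factor
    return waits

if __name__ == "__main__":
    cfg = parse_recorder_ini(SAMPLE_INI)
    schedule = reconnect_schedule(cfg["sybase1"])
    print("waits:", schedule, "total:", sum(schedule), "seconds")
```

With the defaults the recorder gives up after five attempts spread over 8100 seconds, so an outage longer than that needs a manual daemon restart.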


Resuming Audit Log Processing

When the Sybase recorder is first installed on a system, it will process the audit log from the beginning. If the audit log is huge (hundreds of thousands of records), the recorder may spend some time processing earlier events before auditing recent events. It is recommended to truncate the audit log to start auditing new events immediately.

If the Sybase recorder is restarted, it will resume from the last event processed in the audit log. The last event position, called the bookmark or anchor, is saved in AUDIT_INSTALLDIR/dat/recorders/.dat. AUDIT_INSTALLDIR is the directory where Audit is installed, by default /usr/eaudit. is the Sybase server name configured during installation of the recorder.

If the .dat file is deleted or there is no event at the bookmark (because the log has been truncated), the recorder will restart from the beginning of the audit log.

Sybase Policy

The following standard policy rules are provided with the Sybase recorder. They consist of two main rules, “Suspicious Events” and “Collection Events”:

The rule “Collection Events” will catch all events that the Sybase recorder is sending.

The rule “Suspicious Events” is a collection of rules and subrules to filter any or all of the following events:
• Account Management
• Administration Events
• Critical Object Access
• Logon and Logoff


• Network
• Policy Change
• Security System

The “Suspicious Events” rule filters events based on the eTrust Audit field Category (see the eTrust Audit Field Mapping section below). Events can be further filtered by subrules based on additional eTrust Audit fields.

Example 1: To catch every Logon\Logoff event, select the subrule “Logon and Logoff” of the rule “Suspicious Events”.

Example 2: To catch Drop Table events, expand the subrule “Critical Object Access” and select the corresponding rule.


Some useful Sybase Commands

To connect to isql:

   su - serverusername
   isql -Udbuser -Pdbpassword -Sservername

As a result of a successful connection you will get the prompt ‘>’ for input of SQL commands.

Number of audit tables "sysaudits_01", ...:

   > select count(*) from sybsecurity.dbo.sysobjects where name like 'sysaudits%'
   > go

Number of the current Sybase audit table:

   > select value from master.dbo.sysconfigures where name = "current audit table"
   > go

Number of records in audit table sysaudits_01:

   > select count(*) from sybsecurity.dbo.sysaudits_01
   > go

Sybase server system time +1 sec:

   > select (convert(char(10),getdate(),112) + convert(char(8),dateadd(ss,1,getdate()),108))
   > go

eTrust Audit Field Mapping

This section describes Audit fields and Sybase-specific fields. Since policy rules define actions based on values of specific event fields, this section can be used to facilitate the creation or maintenance of policy rules for Sybase events.

Sybase Event Types

Sybase events are logged in table sysaudits_xx (where xx = 01, 02, …, 08). Here is the list of the fields from this table:

   event, eventmod, spid, eventtime, sequence, suid, dbid, objid, xactid, loginname, dbname, objname, objowner, extrainfo

The table below describes Sybase event types. Each event type is mapped to the Audit field ‘Event ID’. Each type is associated with the Audit ‘Category’, ‘ObjClass’ and ‘Operation’ as defined in the table below:

Sybase Event Table

event  Category            ObjClass      Operation
1      Security Systems    DATABASE      sp_addauditrecord
2      Administration      DATABASE      Alter
3      Object Access       TABLE         Alter
4      Object Access       TABLE         bcp
6      Object Access       TABLE         sp_bindefault
7      Object Access       TABLE         sp_bindmsg
8      Object Access       TABLE         sp_bindrule
9      Administration      DATABASE      Create
10     Object Access       PROCEDURE     Create
11     Object Access       TRIGGER       Create
12     Object Access       TRIGGER       Create
13     Object Access       RULE          Create
14     Object Access       TABLE         create default
15     Object Access       MESSAGE       sp_addmessage
16     Object Access       VIEW          Create
17     Object Access       DATABASE      Access
18     Object Access       TABLE         Delete From
19     Object Access       VIEW          Delete From
20     Object Access       DISK          Init
21     Object Access       DISK          Refit
22     Object Access       DISK          Reinit
23     Object Access       DISK          Mirror
24     Administration      DISK          Unmirror
25     Administration      DISK          Remirror
26     Administration      DATABASE      Drop
27     Object Access       TABLE         Drop
28     Object Access       PROCEDURE     Drop
29     Object Access       TRIGGER       Drop
30     Object Access       RULE          Drop
31     Object Access       TABLE         drop default
32     Object Access       MESSAGE       Drop
33     Object Access       VIEW          Drop
34     Administration      DATABASE      Dump
35     Administration      TRANSACTION   Dump
36     General             MESSAGE       Create
37     General             MESSAGE       Create
38     Object Access       PROCEDURE     Execute
39     Object Access       TRIGGER       Execute
40     Account Management  ROLE          Grant
41     Object Access       TABLE         Insert Into
42     Object Access       VIEW          Insert Into
43     Administration      DATABASE      Load
44     Administration      TRANSACTION   Load
45     System Access       SERVER        Logon
46     System Access       SERVER        Logoff
47     Administration      ROLE          Revoke
48     Network             SERVER        RPC From
49     Network             SERVER        RPC To
50     Physical Security   SERVER        Start
51     Physical Security   SERVER        Shutdown
55     Account Management  ROLE          Role Toggling
62     Object Access       TABLE         Select From
63     Object Access       VIEW          Select From
64     Object Access       TABLE         Truncate
67     Object Access       TABLE         sp_unbindefault
68     Object Access       TABLE         sp_unbindrule
69     Object Access       TABLE         sp_unbindmsg
70     Object Access       TABLE         Update
71     Object Access       VIEW          Update
73     Policy Management   AUDIT_OPTION  Set
74     Policy Management   AUDIT_OPTION  Unset
76     Security Systems    PASSWORD      Set
80     Security Systems    ROLE          proc_role
81     Security Systems    DATABASE      dbcc
82     Security Systems    AUDIT_OPTION  sp_configure
83     Security Systems    TABLE         Access
84     Account Management  SCHEME        Set User
85     Account Management  SCHEME        valid_user
88     Administration      SESSION       Set
89     Security Systems    PROCESS       Kill
90     Security Systems    SERVER        Connect
91     Object Access       REFERENCE     Create

eTrust Audit Mandatory Fields

Mandatory fields are a fixed set of fields that are added to each event processed by any Recorder. The following tables describe what values are assigned to the Mandatory Fields in the Recorder for Sybase.

Required Fields

Field Name   Field Value                        Description
Date         Event Timestamp                    Date and time when the event occurred (from sysaudits table).
Src          Sybase database server name        The Src, or Source, field describes where the event was generated from.
Log          Sybase                             Logical name of this recorder.
Location     Hostname of the Sybase server      Hostname of the host that generates or reports events. Corresponds to address_info from syslisteners.
Category     Derived from NID                   Event category. See Sybase event table above.
Status       ‘S’ or ‘F’, depends on eventmod    ‘S’uccess when eventmod = 0 or 1; ‘F’ailed when eventmod = 2.

eTrust Audit Normalized Fields

Normalized Fields are eTrust Audit field names that are mapped or translated from the native event field names according to the classification of the Recorder. Normalized fields are common across all products in the same classification. For the SAPI recorder, the classification is defined by the Log Name (see eTrust Audit Mandatory Fields).

Normalized Fields for Sybase Recorder

eTrust Audit Field   Sybase sysaudit fields           Description
Operation            Derived from Event ID            Name of the operation that triggers the event. See Sybase event table above.
ObjClass             Derived from Event ID            The class of objects as reported in the event. See Sybase event table above.
ObjName              Derived from Event ID            Object name corresponding to Sybase_OID (see Product Specific fields below).
Event ID             Event                            Event type. See Sybase event table above.
PID                  Spid                             Server process Id of the database process that caused the event.
EventCount           Sequence                         Sequence number within a single event. Some events require more than one audit record.
UID                  Suid                             Server login id of the user who performed the audited event.
User                 Loginname                        Login name corresponding to UID.
Term                 extrainfo if event = 45 or 46    Terminal from which the user logs in.
SurrogateUser        extrainfo if event = 84          Name of the user being set.
Info                 Extrainfo                        Text description of the event. Sequence of up to 7 items separated by ‘;’. The 7 items are: roles, keywords or options, previous value, current value, other information, proxy information, principal name.

Sybase Recorder Product Specific Fields

Product Specific fields are native event fields that are not mapped or translated by the Recorder. These fields are sent to eTrust Audit with a minor name change: all characters in the field name that are not letters, digits, or underscores are converted to underscores.

Product Specific Fields for Sybase Recorder

eTrust Audit Field   Sybase sysaudit fields    Description
Sybase_DBID          Dbid                      Database ID in which the audited event occurred or the object / trigger resides, depending on the event type.
Sybase_OID           Objid                     ID of the accessed object or stored procedure / trigger.
Sybase_XACTID        Xactid                    ID of the transaction containing the audited event.
Sybase_DBName        Dbname                    Database name corresponding to Sybase_DBID.
Sybase_ObjOwner      Objowner                  Name of the owner of Sybase_OID.
Sybase_Roles         Derived from extrainfo    A list of active roles, separated by blanks.
Sybase_Keyword       Derived from extrainfo    The name of the keyword or option that was used for the event.
Sybase_PrevVal       Derived from extrainfo    Value prior to the update, if the event resulted in the update of a value.
Sybase_CurrVal       Derived from extrainfo    Value after the update, if the event resulted in the update of a value.
Sybase_OtherInfo     Derived from extrainfo    Additional security-relevant information.
Sybase_ProxyInfo     Derived from extrainfo    Original login name if the event occurred while a set proxy was in effect.
Sybase_Principal     Derived from extrainfo    The principal name from the underlying security mechanism.
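The following Python script is an added example (not eTrust Audit or CA code) that applies the Mandatory, Normalized and Product Specific mapping rules above to constructed sysaudits rows: the Category/ObjClass/Operation lookup from the event table, the Status derivation from eventmod, the Term and SurrogateUser special cases, and the underscore renaming rule for product-specific field names. The positional split of extrainfo into the seven Info items and the sample rows are assumptions.

```python
"""Map a raw Sybase sysaudits_xx row to eTrust Audit fields (added example, not CA's code).

EVENT_TABLE is a subset of the guide's Sybase Event Table. Assumed: extrainfo splits
positionally into the seven ';'-separated items the Info field lists, except for events
45, 46 and 84 where the guide maps it to Term or SurrogateUser; sample rows are constructed.
"""
import re

# event -> (Category, ObjClass, Operation), copied from the Sybase Event Table
EVENT_TABLE = {
    27: ("Object Access", "TABLE", "Drop"),
    45: ("System Access", "SERVER", "Logon"),
    46: ("System Access", "SERVER", "Logoff"),
    76: ("Security Systems", "PASSWORD", "Set"),
    84: ("Account Management", "SCHEME", "Set User"),
}
# Product Specific fields derived from extrainfo, in the order the Info field lists them
EXTRAINFO_FIELDS = ("Sybase_Roles", "Sybase_Keyword", "Sybase_PrevVal", "Sybase_CurrVal",
                    "Sybase_OtherInfo", "Sybase_ProxyInfo", "Sybase_Principal")
# native column -> Product Specific field name before the recorder's renaming rule
NATIVE_FIELDS = (("dbid", "Sybase_DBID"), ("objid", "Sybase_OID"), ("xactid", "Sybase_XACTID"),
                 ("dbname", "Sybase_DBName"), ("objowner", "Sybase_ObjOwner"))

def product_field_name(native):
    """Renaming rule: every character that is not a letter, digit or underscore -> '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", native)

def map_event(row, server_host="dbhost.example"):
    """Build the eTrust Audit event (dict) from one sysaudits row (dict)."""
    event = row["event"]
    category, objclass, operation = EVENT_TABLE[event]   # KeyError = type not in table
    extrainfo = row.get("extrainfo") or ""
    ev = {
        # Mandatory fields
        "Date": row["eventtime"], "Src": row["server"], "Log": "Sybase",
        "Location": server_host, "Category": category,
        "Status": "S" if row["eventmod"] in (0, 1) else "F",   # eventmod 2 = failed
        # Normalized fields
        "Operation": operation, "ObjClass": objclass, "ObjName": row.get("objname", ""),
        "Event ID": event, "PID": row["spid"], "EventCount": row["sequence"],
        "UID": row["suid"], "User": row["loginname"], "Info": extrainfo,
    }
    if event in (45, 46):        # logon/logoff: extrainfo is the terminal
        ev["Term"] = extrainfo
    if event == 84:              # set user: extrainfo names the user being set
        ev["SurrogateUser"] = extrainfo
    for col, native in NATIVE_FIELDS:
        ev[product_field_name(native)] = row.get(col)
    items = [""] * 7
    if event not in (45, 46, 84):
        items = (extrainfo.split(";") + items)[:7]
    ev.update(zip(EXTRAINFO_FIELDS, items))
    return ev

# Constructed sample rows: a successful logon and a failed DROP TABLE under set proxy
SAMPLE_ROWS = [
    {"server": "audit1", "event": 45, "eventmod": 0, "spid": 17, "eventtime": "2004-06-01 10:15:02",
     "sequence": 1, "suid": 3, "dbid": 1, "objid": 0, "xactid": "0x0", "loginname": "alice",
     "dbname": "master", "objname": "", "objowner": "", "extrainfo": "ttyp3"},
    {"server": "audit1", "event": 27, "eventmod": 2, "spid": 17, "eventtime": "2004-06-01 10:16:40",
     "sequence": 1, "suid": 3, "dbid": 4, "objid": 1234, "xactid": "0x1f", "loginname": "alice",
     "dbname": "sales", "objname": "orders", "objowner": "dbo",
     "extrainfo": "sa_role sso_role;;;;;bob;alice"},
]
```

A policy rule such as the “Critical Object Access” subrule matches on the resulting Category, ObjClass and Operation values, so the second sample row (a failed DROP on TABLE orders attempted while proxying for bob) is the kind of event it would flag.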
