Updated on 2024-08-20 GMT+08:00

Operation Auditing

audit_system_object

Parameter description: Specifies whether to audit the operations such as CREATE, DROP, and ALTER on database objects. Database objects include databases, users, schemas, and tables. You can change the value of this parameter to audit only the operations on required database objects. In the scenario where the leader node is forcibly elected, you are advised to set audit_system_object to the maximum value and audit all DDL objects.

Parameter type: integer

Unit: none

Value range: 0 to 536870911
  • 0 indicates that the operations such as CREATE, DROP, and ALTER are not audited.
  • A non-zero value indicates that the operations such as CREATE, DROP, and ALTER on a certain or some database objects are audited.

Value description:

The value of this parameter is calculated by 29 binary bits. The 29 binary bits represent 29 types of database objects. If the corresponding binary bit is set to 0, the operations such as CREATE, DROP, and ALTER on corresponding database objects are not audited. If it is set to 1, the operations such as CREATE, DROP, and ALTER are audited. For details about the audit contents represented by these 29 binary bits, see Table 1.

When SQL patches are audited and audit_dml_state_select is enabled, an SQL patch operation will be audited twice and recorded as DML and DDL operations in the audit log, respectively.

Default value: 67121159 (decimal), corresponding to 00100 0000 0000 0011 0000 0000 0111 in binary, indicating that DDL operations on the four database objects DATABASE, SCHEMA, USER, and SQLPatch are audited.

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Set the type of database objects to be audited based on service requirements.
  • The more types of objects to be audited, the greater the impact on system performance.
  • The more objects to be audited, the more CPU and I/O resources are occupied.
Table 1 Meaning of each value for the audit_system_object parameter

Binary Bit

Description

Value Range

Bit 0

Specifies whether to audit the CREATE, DROP, and ALTER operations on databases.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 1

Specifies whether to audit the CREATE, DROP, and ALTER operations on schemas.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 2

Specifies whether to audit the CREATE, DROP, and ALTER operations on users.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 3

Specifies whether to audit the CREATE, DROP, ALTER, and TRUNCATE operations on tables.

  • 0 indicates that the CREATE, DROP, ALTER, and TRUNCATE operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, ALTER, and TRUNCATE operations on these objects are audited.

Bit 4

Specifies whether to audit the CREATE, DROP, and ALTER operations on indexes.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 5

Specifies whether to audit the CREATE and DROP operations on VIEW and MATVIEW objects.

  • 0 indicates that the CREATE and DROP operations on these objects are not audited.
  • 1 indicates that the CREATE and DROP operations on these objects are audited.

Bit 6

Specifies whether to audit the CREATE, DROP, and ALTER operations on triggers.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 7

Specifies whether to audit the CREATE, DROP, and ALTER operations on procedures/functions.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 8

Specifies whether to audit the CREATE, DROP, and ALTER operations on tablespaces.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 9

Specifies whether to audit the CREATE, DROP, and ALTER operations on resource pools.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 10

Specifies whether to audit the CREATE, DROP, and ALTER operations on workloads.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 11

Specifies whether to audit the CREATE, DROP, and ALTER operations on server objects.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 13

Reserved

-

Bit 14

Specifies whether to audit the CREATE, DROP, and ALTER operations on ROW LEVEL SECURITY objects.

  • 0 indicates that the CREATE, DROP, and ALTER operations on these objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on these objects are audited.

Bit 15

Specifies whether to audit the CREATE, DROP, and ALTER operations on types.

  • 0 indicates that the CREATE, DROP, and ALTER operations on types are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on types are audited.

Bit 16

Specifies whether to audit the CREATE, DROP, and ALTER operations on text search objects (CONFIGURATION and DICTIONARY).

  • 0 indicates that the CREATE, DROP, and ALTER operations on text search objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on text search objects are audited.

Bit 17

Specifies whether to audit the CREATE, DROP, and ALTER operations on directories.

  • 0 indicates that the CREATE, DROP, and ALTER operations on directories are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on directories are audited.

Bit 18

Specifies whether to audit the CREATE, DROP, and ALTER operations on synonyms.

  • 0 indicates that the CREATE, DROP, and ALTER operations on synonyms are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on synonyms are audited.

Bit 19

Specifies whether to audit the CREATE, DROP, and ALTER operations on sequences.

  • 0 indicates that the CREATE, DROP, and ALTER operations on sequences are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on sequences are audited.

Bit 20

Specifies whether to audit the CREATE and DROP operations on CMK and CEK objects.

  • 0 indicates that the CREATE, ALTER, and DROP operations on CMKs and CEKs are not audited.
  • 1 indicates that the CREATE, ALTER, and DROP operations on CMKs and CEKs are audited.

Bit 21

Specifies whether to audit the CREATE, DROP, and ALTER operations on PACKAGE objects.

  • 0 indicates that the CREATE, DROP, and ALTER operations on packages are not audited.
  • 1 indicates that the operations are audited.

Bit 22

Specifies whether to audit the CREATE and DROP operations on MODEL objects.

  • 0 indicates that the CREATE and ALTER operations on models are not audited.
  • 1 indicates that the CREATE and DROP operations are audited.

Bit 24

Specifies whether to audit the ALTER and DROP operations on the gs_global_config objects.

  • 0 indicates that the ALTER and DROP operations on the gs_global_config objects are not audited.
  • 1 indicates that the ALTER and DROP operations on the gs_global_config objects are audited.

Bit 25

Specifies whether to audit the CREATE, DROP, and ALTER operations on FOREIGN DATA WRAPPER objects.

  • 0 indicates that the CREATE, DROP, and ALTER operations on FOREIGN DATA WRAPPER objects are not audited.
  • 1 indicates that the CREATE, DROP, and ALTER operations on FOREIGN DATA WRAPPER objects are audited.

Bit 26

Specifies whether to audit the CREATE, ENABLE, DISABLE, and DROP operations on SQL patches.

  • 0 indicates that the CREATE, ENABLE, DISABLE, and DROP operations on SQL patches are not audited.
  • 1 indicates that the CREATE, ENABLE, DISABLE, and DROP operations on SQL patches are audited.

Bit 27

Specifies whether to audit the CREATE, ALTER, and DROP operations on events.

  • 0 indicates that the CREATE, ENABLE, DISABLE, and DROP operations on events are not audited.
  • 1 indicates that the CREATE, ENABLE, DISABLE, and DROP operations on events are audited.

Bit 28

Specifies whether to audit the CREATE, ALTER, and DROP operations on database links. Currently, the database link function is not supported.

  • 0 indicates that the CREATE, ALTER, and DROP operations on database links are not audited.
  • 1 indicates that the CREATE, ALTER, and DROP operations on database links are audited.

audit_dml_state

Parameter description: Specifies whether to audit the INSERT, UPDATE, DELETE, and MERGE operations on a specific table.

Parameter type: integer

Unit: none

Value range: 0 or 1

  • 0 indicates that the INSERT, UPDATE, DELETE, and MERGE operations on a specific table are not audited.
  • 1 indicates that the INSERT, UPDATE, DELETE, and MERGE operations on a specific table are audited.

Default value: 0

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value.

audit_dml_state_select

Parameter description: Specifies whether to audit the SELECT operation.

Parameter type: integer

Unit: none

Value range: 0 or 1

  • 0 indicates that the SELECT auditing function is disabled.
  • 1 indicates that the SELECT auditing function is enabled.

Default value: 0

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value.

audit_function_exec

Parameter description: Specifies whether to record the audit information during the execution of the stored procedures, anonymous blocks, or user-defined functions (excluding system functions).

Parameter type: integer

Unit: none

Value range: 0 or 1

  • 0 indicates that the stored procedures, anonymous blocks, or user-defined functions (excluding system functions) are not audited.
  • 1 indicates that the stored procedures, anonymous blocks, or user-defined functions (excluding system functions) are audited.

Default value: 0

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value.

audit_system_function_exec

Parameter description: Specifies whether to record audit logs when system functions in the whitelist are executed.

This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Value range: an integer, 0 or 1

  • 0 indicates that the function of auditing the execution of system functions is disabled.
  • 1 indicates that the function of auditing system function execution is enabled.

Default value: 0

The following table lists the whitelist of system functions that can be recorded and audited.

set_working_grand_version_num_manually

set_config

pg_cancel_backend

pg_cancel_session

pg_reload_conf

pg_rotate_logfile

pg_terminate_session

pg_terminate_backend

pg_create_restore_point

pg_start_backup

pg_stop_backup

pg_switch_xlog

pg_cbm_rotate_file

pg_cbm_get_merged_file

pg_cbm_recycle_file

pg_enable_delay_ddl_recycle

pg_disable_delay_ddl_recycle

gs_roach_stop_backup

gs_roach_enable_delay_ddl_recycle

gs_roach_disable_delay_ddl_recycle

gs_roach_switch_xlog

pg_last_xlog_receive_location

pg_xlog_replay_pause

pg_xlog_replay_resume

gs_pitr_clean_history_global_barriers

gs_pitr_archive_slot_force_advance

pg_create_physical_replication_slot_extern

gs_set_obs_delete_location

gs_hadr_do_switchover

gs_set_obs_delete_location_with_slotname

gs_streaming_dr_in_switchover

gs_upload_obs_file

gs_download_obs_file

gs_set_obs_file_context

gs_get_hadr_key_cn

pg_advisory_lock

pg_advisory_lock_shared

pg_advisory_unlock

pg_advisory_unlock_shared

pg_advisory_unlock_all

pg_advisory_xact_lock

pg_advisory_xact_lock_shared

pg_try_advisory_lock

pg_try_advisory_lock_shared

pg_try_advisory_xact_lock

pg_try_advisory_xact_lock_shared

pg_create_logical_replication_slot

pg_drop_replication_slot

pg_logical_slot_peek_changes

pg_logical_slot_get_changes

pg_logical_slot_get_binary_changes

pg_replication_slot_advance

pg_replication_origin_create

pg_replication_origin_drop

pg_replication_origin_session_setup

pg_replication_origin_session_reset

pg_replication_origin_session_progress

pg_replication_origin_xact_setup

pg_replication_origin_xact_reset

pg_replication_origin_advance

local_space_shrink

gs_space_shrink

pg_free_remain_segment

gs_fault_inject

gs_repair_file

local_clear_bad_block_info

gs_repair_page

-

-

-

-

-

audit_copy_exec

Parameter description: Specifies whether to audit the COPY operation.

This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Value range: an integer, 0 or 1

  • 0 indicates that auditing the COPY operation is disabled.
  • 1 indicates that auditing the COPY operation is enabled.

Default value: 1

audit_set_parameter

Parameter description: Specifies whether to audit the SET operation.

Parameter type: integer

Unit: none

Value range: 0 or 1

  • 0 indicates that auditing the SET operation is disabled.
  • 1 indicates that auditing the SET operation is enabled.

Default value: 0

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value.

audit_xid_info

Parameter description: Specifies whether to record the transaction ID of the SQL statement in the detail_info column of the audit log.

Parameter type: integer

Unit: none

Value range: 0 or 1

  • 0 indicates that the function of recording transaction IDs in the audit log is disabled.
  • 1 indicates that the function of recording transaction IDs in the audit log is enabled.

Default value: 0

Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Setting suggestion: Retain the default value.

If this function is enabled, the detail_info information in the audit log starts with xid. For example:

detail_info: xid=14619 , create table t1(id int);

If transaction IDs do not exist, xid=NA is recorded.

enableSeparationOfDuty

Parameter description: Specifies whether the separation of three duties is enabled.

This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: Boolean

  • on indicates that the separation of duties is enabled.
  • off indicates that the separation of duties is disabled.

Default value: off

enable_nonsysadmin_execute_direct

Parameter description: Specifies whether non-system administrators and non-monitor administrator are allowed to execute the EXECUTE DIRECT ON statement.

This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.

Value range: Boolean

  • on indicates that any user is allowed to execute the EXECUTE DIRECT ON statement.
  • off indicates that only the system administrator and monitor administrator are allowed to execute the EXECUTE DIRECT ON statement.

Default value: off

enable_access_server_directory

Parameter description: Specifies whether to allow non-initial users to create, modify, and delete directories.

This is a SIGHUP parameter. Set it based on instructions provided in Table 1.

Value range: Boolean

  • on indicates that non-initial users have the permission to create, modify, and delete directories.
  • off indicates that non-initial users do not have the permission to create, modify, and delete directories.

Default value: off

  • For security purposes, only the initial user can create, modify, and delete DIRECTORY objects by default.
  • If enable_access_server_directory is enabled, users with the SYSADMIN permission and users who inherit the gs_role_directory_create permission of the built-in role can create directories. A user with the SYSADMIN permission, the owner of a directory, a user who is granted with the DROP permission for the directory, or a user who inherits the gs_role_directory_drop permission of the built-in role can delete the directory. A user with the SYSADMIN permission and the owner of a directory object can change the owner of the directory, and the user must be a member of the new owning role.