Updated on 2024-05-07 GMT+08:00

CREATE AUDIT POLICY

Description

Creates a unified audit policy.

Precautions

Only users with the poladmin or sysadmin permission, or the initial user can perform this operation.

The masking policy takes effect only after the security policy is enabled, that is, enable_security_policy is set to on.

When you use database links to perform operations on remote objects, the client initiates a database link request. The actual sender is the server, and the attributes such as the IP address of the sender are the values of the server. For details, see DATABASE LINK.

Syntax

CREATE AUDIT POLICY [ IF NOT EXISTS ] policy_name { { privilege_audit_clause | access_audit_clause } [ filter_group_clause ] [ ENABLE | DISABLE ] };
  • privilege_audit_clause
    1
    PRIVILEGES { DDL | ALL } [ ON LABEL ( resource_label_name [, ... ] ) ]
    
  • access_audit_clause
    ACCESS { DML | ALL } [ ON LABEL ( resource_label_name [, ... ] ) ]
  • filter_group_clause

    FILTER ON { FILTER_TYPE ( filter_value [, ... ] ) } [, ... ]

Parameters

  • policy_name

    Specifies the audit policy name, which must be unique.

    Value range: a string. It must comply with the naming convention.

  • DDL

    Specifies the operations that are audited in the database: CREATE, ALTER, DROP, ANALYZE, COMMENT, GRANT, REVOKE, SET, and SHOW.

    If this parameter is set to ANALYZE, both ANALYZE and VACCUM operations are audited.

  • ALL

    Indicates all operations supported by the specified DDL statements in the database.

  • resource_label_name

    Specifies the resource label name.

  • DML

    Specifies the operations that are audited within the database: SELECT, COPY, DEALLOCATE, DELETE, EXECUTE, INSERT, PREPARE, REINDEX, TRUNCATE, and UPDATE.

  • FILTER_TYPE

    Specifies the types of information to be filtered by the policy, including APP, ROLES, and IP.

  • filter_value

    Indicates the detailed information to be filtered.

  • ENABLE|DISABLE

    Enables or disables the unified audit policy. If ENABLE|DISABLE is not specified, ENABLE is used by default.

Examples

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
-- Create users dev_audit and bob_audit.
gaussdb=# CREATE USER dev_audit PASSWORD '********';
gaussdb=# CREATE USER bob_audit password '********';

-- Create table tb_for_audit.
gaussdb=# CREATE TABLE tb_for_audit(col1 text, col2 text, col3 text);

-- Create a resource label.
gaussdb=# CREATE RESOURCE LABEL adt_lb0 add TABLE(tb_for_audit);

-- Perform the CREATE operation on the database to create an audit policy.
gaussdb=# CREATE AUDIT POLICY adt1 PRIVILEGES CREATE;

-- Perform the SELECT operation on the database to create an audit policy.
gaussdb=# CREATE AUDIT POLICY adt2 ACCESS SELECT;

-- Create an audit policy to audit only the CREATE operations performed on the adt_lb0 resource by users dev_audit and bob_audit.
gaussdb=# CREATE AUDIT POLICY adt3 PRIVILEGES CREATE ON LABEL(adt_lb0) FILTER ON ROLES(dev_audit, bob_audit);

-- Create an audit policy to audit only the SELECT, INSERT, and DELETE operations performed on the adt_lb0 resource by users dev_audit and bob_audit using client tool gsql on the servers whose IP addresses are 10.20.30.40 and 127.0.0.0/24.
gaussdb=# CREATE AUDIT POLICY adt4 ACCESS SELECT ON LABEL(adt_lb0), INSERT ON LABEL(adt_lb0), DELETE FILTER ON ROLES(dev_audit, bob_audit), APP(gsql), IP('10.20.30.40', '127.0.0.0/24');

-- Delete the audit policy.
gaussdb=# DROP AUDIT POLICY adt1, adt2, adt3, adt4;

-- Delete the resource label.
gaussdb=# DROP RESOURCE LABEL adt_lb0;

-- Delete the tb_for_audit table.
gaussdb=# DROP TABLE tb_for_audit;

-- Delete the dev_audit and bob_audit users.
gaussdb=# DROP USER dev_audit, bob_audit;