Operation Auditing
audit_system_object
Parameter description: Specifies whether to audit the CREATE, DROP, and ALTER operations on the openGauss database object. The openGauss database objects include databases, users, schemas, and tables. The operations on the database object can be audited by changing the value of this parameter.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: an integer ranging from 0 to 67108863
- 0 indicates that the function of auditing the CREATE, DROP, and ALTER operations on the openGauss database object can be disabled.
- Other values indicate that the CREATE, DROP, and ALTER operations on a certain or some openGauss database objects are audited.
Value description:
The value of this parameter is calculated by 26 binary bits. The 26 binary bits represent 26 types of openGauss objects. If the corresponding binary bit is set to 0, the CREATE, DROP, and ALTER operations on corresponding database objects are not audited. If it is set to 1, the CREATE, DROP, and ALTER operations are audited. For details about the audit contents represented by these 26 binary bits, see Table 1.
Default value: 12295
Table 1 Meaning of each value for the audit_system_object parameter
audit_dml_state
Parameter description: Specifies whether to audit the INSERT, UPDATE, and DELETE operations on a specific table.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: 0 or 1
- 0 indicates that the function of auditing the DML operations (except SELECT) is disabled.
- 1 indicates that the function of auditing the DML operations (except SELECT) is enabled.
Default value: 0
audit_dml_state_select
Parameter description: Specifies whether to audit the SELECT operation.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: 0 or 1
- 0 indicates that the SELECT auditing function is disabled.
- 1 indicates that the SELECT auditing function is enabled.
Default value: 0
audit_function_exec
Parameter description: Specifies whether to record the audit information during the execution of the stored procedures, anonymous blocks, or user-defined functions (excluding system functions).
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: 0 or 1
- 0 indicates that the function of auditing the procedure or function execution is disabled.
- 1 indicates that the function of auditing the procedure or function execution is enabled.
Default value: 0
audit_copy_exec
Parameter description: Specifies whether to audit the COPY operation.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: 0 or 1
- 0 indicates that the COPY auditing function is disabled.
- 1 indicates that the COPY auditing function is enabled.
Default value: 1
audit_set_parameter
Parameter description: Specifies whether to audit the SET operation.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: 0 or 1
- 0 indicates that the SET auditing function is disabled.
- 1 indicates that the SET auditing function is enabled.
Default value: 1
audit_xid_info
Parameter description: Specifies whether to record the transaction ID of the SQL statement in the detail_info column of the audit log.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: 0 or 1
- 0 indicates that the function of recording transaction IDs in audit logs is disabled.
- 1 indicates that the function of recording transaction IDs in audit logs is enabled.
Default value: 0
NOTICE:
If this function is enabled, the detail_info information in audit logs starts with xid. For example:
detail_info: xid=14619 , create table t1(id int);
If transaction IDs do not exist, xid is recorded as NA in audit logs.
enableSeparationOfDuty
Parameter description: Specifies whether the separation of three duties is enabled.
This parameter is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Value range: Boolean
- on indicates that the separation of three duties is enabled.
- off indicates that the separation of three duties is disabled.
Default value: off
enable_nonsysadmin_execute_direct
Parameter description: Specifies whether non-system administrators and non-monitoring administrator are allowed to execute the EXECUTE DIRECT ON statement.
This parameter is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Value range: Boolean
- on indicates that any user is allowed to execute the EXECUTE DIRECT ON statement.
- off indicates that only the system administrators and monitoring administrators are allowed to execute the EXECUTE DIRECT ON statement.
Default value: off
enable_access_server_directory
Parameter description: Specifies whether to allow non-initial users to create, modify, and delete directories.
This parameter is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Value range: Boolean
- on indicates that non-initial users have the permission to create, modify, and delete directories.
- off indicates that non-initial users do not have the permission to create, modify, and delete directories.
Default value: off
NOTICE:
- For security purposes, only the initial user can create, modify, and delete DIRECTORY objects by default.
- If enable_access_server_directory is enabled, users with the SYSADMIN permission and users who inherit the gs_role_directory_create permission of the built-in role can create directory objects. A user with the SYSADMIN permission, the owner of a directory, a user who is granted with the DROP permission for the directory, or a user who inherits the gs_role_directory_drop permission of the built-in role can delete a directory. A user with the SYSADMIN permission and the owner of a directory object can change the owner of the directory object, and the user must be a member of the new owner.