Hi all,

I've been experimenting with C2 security auditing and - thanks to some good
KB documentation - have got it working very well.

Now I am testing conditions where the audit logs fill and the switch audit
log function fails (for example a faulty script or disk full situation).

When the SUSPEND option is used, I found non-dba user sessions lock and
cannot be revived. The session status says:

Waiting for Security Audit to RESUME

Renaming the full audit logs does not fix the problem. DBA security users
can continue to run and the audit logs continue to grow past the
max_log_size. If rmcmd is enabled, this hits iidbdb every second and
eventually creates a GB-sized audit log. At this point, the security
auditing appears to be inconsistent. dbmsinfo ('security_audit_log') and
iisecurity_state no longer agree and the server thinks auditing is turned
off. Attempts to connect as an end user just create more locked session
entries. The only option which appears to work is to restart the DBMS
server.

Ingres support is on the job and waiting for feedback. Has anyone run into
this before?

e.g.

switch_audit.bat

@echo off
set log=%II_SYSTEM%\ingres\files\switch_audit.log
cd /d %II_SYSTEM%\ingres\files >> %log% 2>&1
echo params %0 %1 %2 %3 %4 >> %log%
call yyyymmdd.bat
echo move %1 %1.%yyyymmdd%%timestamps% >> %log% 2>&1
REM
REM disabled temporarily
REM
REM move %1 %1.%yyyymmdd%%timestamps% >> %log% 2>&1
REM

%II_SYSTEM%\ingres\files

audit.1 102 KB
audit.2 102 KB
audit.3 1,000,000...

IIMONITOR

Session 117F0100:2608 (paulwh ) cs_state: CS_EVENT_WAIT (LKEVENT) cs_mask:
DB Name: equiprent (Owned by: ingres )
User: paulwh (paulwh )
User Name at Session Startup: paulwh
Terminal: console
Group Id:
Role Id:
Application Code: 00000000 Current Facility: SCF (00000009)
Activity: Waiting for Security Audit to RESUME
Client user: administrator
Client host: INGRES-XP3
Client tty: INGRES-XP3
Client pid: 3264
Client connection target: locpw::equiprent
Client information: user='administrator',host='INGRES-XP3',tty='INGRES-XP3',pid=3264,conn='locpw::equiprent'
Description:
Query:

E:\admin>sql iidbdb
INGRES TERMINAL MONITOR Copyright 2008 Ingres Corporation
Ingres Microsoft Windows Version II 9.2.0 (int.w32/143) login
Wed Jul 21 11:06:38 2010
continue
* disable security_audit all\g
Executing . . .
E_SX002B Security auditing is not active.
(Wed Jul 21 11:07:28 2010)
continue
* enable security_audit all\g
Executing . . .
E_SX002B Security auditing is not active.
(Wed Jul 21 11:07:33 2010)
continue
* SELECT STATE FROM iisecurity_state WHERE NAME = 'All';\g
Executing . . .
+------+
+------+
+------+
(1 row)
continue

Local connect works ok
E:\admin>sql -upaulwh equiprent
INGRES TERMINAL MONITOR Copyright 2008 Ingres Corporation
Ingres Microsoft Windows Version II 9.2.0 (int.w32/143) login
Wed Jul 21 11:49:19 2010
continue
*

Connect through vnode configured as enduser.
E:\admin>sql locpw::equiprent
INGRES TERMINAL MONITOR Copyright 2008 Ingres Corporation
[[locks up]]

regards
Paul White
Shift Seven Solutions
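
Added example, not part of the original post and not Ingres-supplied code: a small Python check that scans a saved session listing in the layout quoted above and reports every session stuck on "Waiting for Security Audit to RESUME", so the condition can be alerted on before end users pile up. How the listing is captured from IIMONITOR is outside the example, and the second session in the sample is constructed.

```python
import re

# Constructed sample in the layout of the IIMONITOR listing quoted in the post.
# The second session (id, user, state) is invented for contrast.
SAMPLE = """\
Session 117F0100:2608 (paulwh ) cs_state: CS_EVENT_WAIT (LKEVENT) cs_mask:
DB Name: equiprent (Owned by: ingres )
User: paulwh (paulwh )
Activity: Waiting for Security Audit to RESUME
Client host: INGRES-XP3
Client pid: 3264
Session 117F0200:2610 (ingres ) cs_state: CS_COMPUTABLE cs_mask:
DB Name: iidbdb (Owned by: ingres )
User: ingres (ingres )
Activity:
Client host: INGRES-XP3
Client pid: 3300
"""

SESSION_RE = re.compile(r"^Session\s+(\S+)\s+\(([^)]*)\)\s+cs_state:\s+(\S+)")
FIELD_RE = re.compile(r"^(DB Name|Activity|Client host|Client pid):\s*(.*)$")
WAIT_TEXT = "Waiting for Security Audit to RESUME"

def parse_sessions(text):
    """Split a session listing into one dict per 'Session ...' block."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = SESSION_RE.match(line)
        if head:
            cur = {"id": head.group(1), "user": head.group(2).strip(),
                   "cs_state": head.group(3)}
            sessions.append(cur)
            continue
        field = FIELD_RE.match(line)
        if field and cur is not None:
            # "DB Name" carries a trailing "(Owned by: ...)" that is dropped here
            cur[field.group(1)] = field.group(2).split(" (Owned by")[0].strip()
    return sessions

def audit_suspended(sessions):
    """Return the sessions blocked on a suspended security audit."""
    return [s for s in sessions if s.get("Activity") == WAIT_TEXT]

def alerts(text):
    """One alert line per blocked session, suitable for a monitoring job."""
    return [f"audit SUSPEND: session {s['id']} user={s['user']} "
            f"db={s.get('DB Name', '?')} client_pid={s.get('Client pid', '?')}"
            for s in audit_suspended(parse_sessions(text))]

if __name__ == "__main__":
    print("\n".join(alerts(SAMPLE)) or "no sessions waiting on security audit")
```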