Re: Bitmap sysdatabases audflags

The definitions are actually in installmaster, but a little hard to find.

To start with, the comment before the definitions refers to the column as

sysdatabases.dbaudflags rather than sysdatabases.audflags.

Here is how I got to them:

bret-sun2% grep audflags installmaster

** These values translate sysobjects.objaudflags, sysdatabases.deftabaud,

/* These values translate sysdatabases.dbaudflags bits into text. */

/* These values translate syslogins.lgaudflags bits into text. */

        pwdate, audflags, fullname)

bret-sun2%

The underlined line looks particularly promising.  I opened installmaster with vi

and searched for dbaudflags.

Reading down from that point, I see

/* These values translate sysdatabases.dbaudflags bits into text. */

insert spt_values (name, number, type) values ("DATABASE AUDITING", -1, "Q")
insert spt_values (name, number, type) values ("successful drop", 1, "Q")
insert spt_values (name, number, type) values ("failed drop", 2, "Q")
insert spt_values (name, number, type) values ("successful use", 4, "Q")
insert spt_values (name, number, type) values ("failed use", 8, "Q")
insert spt_values (name, number, type) values ("successful outside access", 16, "Q")
insert spt_values (name, number, type) values ("failed outside access", 32, "Q")
insert spt_values (name, number, type) values ("successful grant", 64, "Q")
insert spt_values (name, number, type) values ("failed grant", 128, "Q")
insert spt_values (name, number, type) values ("successful revoke", 256, "Q")
insert spt_values (name, number, type) values ("failed revoke", 512, "Q")
insert spt_values (name, number, type) values ("successful truncate", 1024, "Q")
insert spt_values (name, number, type) values ("failed truncate", 2048, "Q")
insert spt_values (name, number, type) values ("successful remove", 16384, "Q")
insert spt_values (name, number, type) values ("failed remove", 32768, "Q")
go

I almost thought I was done, but a little further down I noticed the comment

** "Zd" are database specific audit options, they correspond to the

** AUDB_ defines in audit.h.

Now, "Zd" is not = "Q", so I kept reading and found:

  values ("drop", hextoint("0x00000001"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("dbaccess", hextoint("0x00000004"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("grant", hextoint("0x00000040"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("revoke", hextoint("0x00000100"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("truncate", hextoint("0x00000400"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("alter", hextoint("0x00001000"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("bind", hextoint("0x00004000"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("unbind", hextoint("0x00010000"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("create", hextoint("0x00040000"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("bcp", hextoint("0x00100000"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("dump", hextoint("0x00400000"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("load", hextoint("0x01000000"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("setuser", hextoint("0x04000000"), "Zd") /* sysdatabases */

insert spt_values (name, number, type)

  values ("func_dbaccess", hextoint("0x10000000"), "Zd") /* sysdatabases */

"Q" seems to give slightly more informative text and distinguishes between success

and failure , while Zd contains a few items  not included under Q and doesn't include

the "failure" states.

1> select number,left(name,40) from spt_values where type = "Q"
2> go
number
----------- ----------------------------------------
          -1 DATABASE AUDITING
           1 successful drop
           2 failed drop
           4 successful use
           8 failed use
          16 successful outside access
          32 failed outside access
          64 successful grant
         128 failed grant
         256 successful revoke
         512 failed revoke
        1024 successful truncate
        2048 failed truncate
       16384 successful remove
       32768 failed remove

(15 rows affected)

1> select number,left(name,40) from spt_values where type = "Zd"
2> go
number
----------- ----------------------------------------
           1 drop
           4 dbaccess
          16 install
          64 grant
         256 revoke
        1024 truncate
        4096 alter
       16384 bind
       65536 unbind
      262144 create
     1048576 bcp
     4194304 dump
    16777216 load
    67108864 setuser
   268435456 func_dbaccess
  1073741824 remove
  1073741824 encryption_key

(17 rows affected)

What I expect is that the "Zd" entries are what show up in sysdatabases.audflags, while the

"Q" entries show up in audit records.  i.e. you audit "truncate" and record whether each truncate was successful or a failure.

-bret