4.6 Review audit queue size

Information

Sybase ASE allows the number of audit records held in memory to be set via the audit
queue size configuration parameter.

The default value is 100 audit records (approximately 42K of memory). If an attacker is
able to trigger a crash while an audit record is stored in memory but has not been written
to disk, the audit record will likely be lost (it may, however, be stored in a crash dump
depending on the system configuration).

It is recommended that this setting be reviewed. The default value of 100 is likely to be
sufficient for most organizations, although, depending on the nature of the data stored in
the database, this value could be reduced.

It should be noted that decreasing this value is likely to have an effect on performance,
especially on a system that is under heavy use and that generates a significant number of
audit events.

Rationale:

If this value is set high, an attacker may be able to cover their tracks by triggering a crash.

Solution

1. Connect to the ASE server as a user with the sso_role and execute the following
SQL statement to set the audit queue size to 100 (modify 100 as per your
organization's requirements):

sp_configure 'audit queue size', 100
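
To review the setting before and after the change, the following added example (not part of the benchmark text) reads the configured and running values from the master database configuration tables and flags a value above the baseline. The baseline of 100 is an assumption taken from the default stated above; substitute your organization's approved value.

```sql
-- Added example: review the 'audit queue size' setting on an ASE server.
-- @baseline is an assumed value (the default of 100 named in this item).
declare @baseline int
select @baseline = 100

select c.name,
       c.value  as config_value,  -- value stored in the configuration
       cc.value as run_value,     -- value the server is currently using
       case
           when cc.value > @baseline
               then 'REVIEW: more records held in memory than the baseline allows'
           when cc.value <> c.value
               then 'REVIEW: run value differs from configured value'
           else 'OK'
       end as finding
from master.dbo.sysconfigures c,
     master.dbo.syscurconfigs cc
where c.config = cc.config
  and c.name = 'audit queue size'
go
```

Running sp_configure 'audit queue size' with no value displays the same configured and run values in the procedure's standard report format.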

See Also

https://workbench.cisecurity.org/files/1612