Information
Sybase ASE is configured by default to suspend auditing when the device is full. This is
controlled via the suspend audit when device full configuration parameter. suspend
audit when device full is enabled by default.
If this option has been disabled (i.e. database operations continue when the audit device is
full), older events will be overwritten which could allow an attacker to mask evidence of an
attack.
Note that this is a potentially disruptive setting as it will suspend the audit process and all
user processes that cause an auditable event when the audit device is full. To resume
normal operation, an administrator with the sso_role must log in and set up an empty
table as the current audit table.
It is advised that this configuration is enabled for databases where maintaining an accurate
audit trail is more important than the database availability. If this setting is enabled, it is
recommended that audit device resources are checked regularly.
Rationale:
Enabling this configuration will ensure that an attacker cannot simply overwrite audit logs
by submitting a large number of events.
Solution
1. Connect to the ASE server as a user with the sso_role and execute the following
SQL statement:
exec sp_configure 'suspend audit when device full', 1