Auditing tables without specifying the AUDIT clause

With the SECADM authority, you can set up audit policies and dynamically enable auditing of tables that do not have the AUDIT clause specified.

Procedure

To audit the activities on table EMPLOYEE.SALARY without having to specify the AUDIT clause:

  1. Obtain the SECADM authority if you do not have it.
    Alternatively, you can have the SECADM authority grant you the required privileges to create an audit policy. A user with the SYSOPR authority can activate the policy.
  2. Create audit policy TABADT1 by issuing the following INSERT statement:

    INSERT INTO SYSIBM.SYSAUDITPOLICIES
          (AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE)
      VALUES('TABADT1','EMPLOYEE','SALARY','T','A');

    Db2 checks to make sure that you have the required privilege to issue the INSERT statement. Upon successful verification, it inserts a row in SYSIBM.SYSAUDITPOLICIES to include the new policy.

  3. Activate the audit policy by issuing the START TRACE command:

    -STA TRACE (AUDIT) DEST (GTF) AUDTPLCY(TABADT1);

    Db2 checks to make sure that you have the required privilege to run the START TRACE command. Upon successful verification, it starts the IFCID 0143, 0144, and 0145 trace records.

    For example, if a user issues the SELECT statement to select from the EMPLOYEE.SALARY table, Db2 records the query activity in the IFCID 0144 trace record.
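
The following statements are an added example, not part of the original procedure. They show how the delegation in step 1 and a verification pass over steps 2 and 3 could look. The authorization ID AUDITOR1 is hypothetical, and the Db2 commands appear as comments because they are entered at the console rather than through SQL.

```sql
-- Added example; AUDITOR1 is a hypothetical authorization ID.

-- Step 1 alternative: SECADM delegates policy creation on the policy table
-- instead of handing out SECADM itself. SELECT is included so that the same
-- ID can run the verification query below.
GRANT SELECT, INSERT ON TABLE SYSIBM.SYSAUDITPOLICIES TO AUDITOR1;

-- After step 2: confirm that exactly one TABADT1 row exists and that it names
-- the intended schema, table, and object type.
SELECT AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE
  FROM SYSIBM.SYSAUDITPOLICIES
 WHERE AUDITPOLICYNAME = 'TABADT1';

-- After step 3: confirm that the audit trace is active for the policy.
--   -DISPLAY TRACE (AUDIT) AUDTPLCY(TABADT1)

-- Generate a known read against the audited table, then check the GTF output
-- for the matching IFCID 0144 record to prove the policy is capturing access.
SELECT COUNT(*) FROM EMPLOYEE.SALARY;

-- When the audit is no longer needed, stop the trace for this policy only.
--   -STOP TRACE (AUDIT) AUDTPLCY(TABADT1)
```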