Introduction to the Db2 audit facility for Db2 Warehouse SaaS
To manage access to your sensitive data, you can use a variety of authentication and access control mechanisms to establish rules and controls for acceptable data access. But, to protect against and discover unknown or unacceptable behaviors, you can monitor data access by using the Db2® audit facility.
Successful monitoring of unwanted data access and subsequent analysis can lead to improvements in the control of data access and the ultimate prevention of malicious or careless unauthorized access to data. The monitoring of application and individual user access, including system administration actions, can provide a historical record of activity on your database systems.
- Audit (AUDIT): Generates records when audit settings are changed or when the audit log is accessed.
- Authorization Checking (CHECKING): Generates records during authorization checking of attempts to access or manipulate Db2 database objects or functions.
- Object Maintenance (OBJMAINT): Generates records when creating or dropping data objects, and when altering certain objects.
- Security Maintenance (SECMAINT): Generates records for the following conditions:
- Granting or revoking object privileges or database authorities
- Granting or revoking security labels or exemptions
- Altering the group authorization, role authorization, or override or restrict attributes of an LBAC security policy
- Granting or revoking the SETSESSIONUSER privilege
- Modifying any of the SYSADM_GROUP, SYSCTRL_GROUP, SYSMAINT_GROUP, or SYSMON_GROUP configuration parameters.
- System Administration (SYSADMIN): Generates records when operations requiring SYSADM, SYSMAINT, or SYSCTRL authority are performed.
- User Validation (VALIDATE): Generates records when authenticating users or retrieving system security information.
- Operation Context (CONTEXT): Generates records to show the operation context when a database operation is performed. This category allows for better interpretation of the audit log file. When used with the log's event correlator field, a group of events can be associated back to a single database operation. For example, a query statement for dynamic queries, a package identifier for static queries, or an indicator of the type of operation being performed, such as CONNECT, can provide needed context when analyzing audit results.
- Execute (EXECUTE): Generates records during the execution of SQL statements.
For any of the listed categories, you can audit failures, successes, or both.
Any operations on the database server can generate several records. The actual number of records generated in the audit log depends on the number of categories of events to be recorded as specified by the audit facility configuration. It also depends on whether successes, failures, or both, are audited. For this reason, it is important to be selective of the events to audit.
The records generated from this facility can be viewed from a set of AUDIT tables where each table corresponds to each category described above. The analysis of these records can reveal usage patterns that would identify system misuse. Once identified, actions can be taken to reduce or eliminate such system misuse.
The audit facility provides the ability to audit at the database level. Any member of the administrator group can configure an audit policy to control when such audit information is collected, such as monitoring authorization IDs, database authorities, trusted contexts, or particular tables.