Configuring audit logging for Db2

Audit logging allows you to monitor data access and detect concerning behaviors performed on a database.

Enabling audit logging before deploying a database

Db2 audit logging uses predefined policies to audit data. To learn more about the audit policies, see Audit policies.

Enabling audit logging from a custom resource (CR)
Edit your database's YAML file to add audit logging functionality. Refer to the following example:
apiVersion: db2u.databases.ibm.com/v1
kind: Db2uCluster
metadata:
  name: db2-test
spec:
  addOns:
    audit:
      enableAudit: true
      interval: "15"
      applyDefaultPolicy: true
      archiveToDb: false
...
  storage:
    - name: auditlogs
      spec:
        accessModes:
          - ReadWriteMany
        resources:
          requests:
            storage: <pvc-size>
        storageClassName: <storageClassName>
      type: create
Important: To forward auditing logs to the Cloud Pak for Data audit service, you need to create the dedicated auditlogs storage in the CR.
  • Add an audit entry to the addOns section.
  • Add an auditlogs entry to the storage section.
Parameters
  • enableAudit: A bool type input. Set to true to start auditing when the database is deployed. If set to false, auditing does not start at deployment; you can start it later from the db2u pod.
  • interval: An int type input. The interval, in minutes, at which audit records are written to the AUDIT. database tables. The minimum allowed value is 15 minutes.
  • applyDefaultPolicy: A bool type input. The Db2 instance has two predefined audit policies, AUDIT_ALL and AUDIT_DEFAULT:
    AUDIT_ALL
    Audits all successes and failures for every category of audit record.
    AUDIT_DEFAULT
    Only the following event types are recorded:
    • FAILURE for VALIDATE
    • FAILURE AND SUCCESS for SECMAINT
    • FAILURE AND SUCCESS for OBJMAINT
    • FAILURE AND SUCCESS for SYSADMIN
    By setting applyDefaultPolicy to true, AUDIT_DEFAULT will apply to the database instance.
    Note: To create a custom audit policy instead, see Creating a customized audit policy.
  • archiveToDb: A bool type input. Set to true if you want the audit records to be loaded into the AUDIT. database tables.
Warning: Due to a known issue in the current release, set archiveToDb: false. For more information about the known issue for archiveToDb, see Known issues for Db2 and Db2 Warehouse.
Important: When an audit policy is enabled and the audit task is scheduled, the AUDIT. database tables keep growing and consume space on your system. You are required to manage the storage used by the AUDIT. tables. It is recommended that you periodically organize and export the audit data.
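The parameters above are easy to get subtly wrong (an interval below the minimum, archiveToDb left at true despite the known issue, the auditlogs volume forgotten), and a mistake only shows up after the database is deployed. The following check is an added example, not IBM's code or part of the Db2u operator: it reads the JSON form of a Db2uCluster CR (what `oc get db2ucluster <name> -o json` prints) and lists anything that contradicts the prerequisites described on this page. The sample CR, the placeholder storage size and storage class, and the script name are constructed for the example.

```python
"""Pre-deployment check of a Db2uCluster CR's audit settings.

Added example, not part of IBM's documentation or the Db2u operator.
It reads the JSON form of the CR (what `oc get db2ucluster <name> -o json`
prints) and lists anything that contradicts the audit prerequisites above.
The sample CR and its placeholder values are constructed for this example.
"""
from __future__ import annotations

import json
import sys

MIN_INTERVAL_MINUTES = 15  # documented minimum for spec.addOns.audit.interval

# Constructed sample: JSON equivalent of the CR fragment shown on this page,
# trimmed to the fields the check looks at. Size and class are placeholders.
SAMPLE_CR_JSON = json.dumps({
    "apiVersion": "db2u.databases.ibm.com/v1",
    "kind": "Db2uCluster",
    "metadata": {"name": "db2-test"},
    "spec": {
        "addOns": {
            "audit": {
                "enableAudit": True,
                "interval": "15",
                "applyDefaultPolicy": True,
                "archiveToDb": False,
            }
        },
        "storage": [
            {
                "name": "auditlogs",
                "type": "create",
                "spec": {
                    "accessModes": ["ReadWriteMany"],
                    "resources": {"requests": {"storage": "10Gi"}},  # placeholder <pvc-size>
                    "storageClassName": "example-rwx-class",          # placeholder <storageClassName>
                },
            }
        ],
    },
})


def load_cr(text: str) -> dict:
    """Parse `oc get ... -o json` output and reject anything that is not a Db2uCluster."""
    cr = json.loads(text)
    if cr.get("kind") != "Db2uCluster":
        raise ValueError(f"expected kind Db2uCluster, got {cr.get('kind')!r}")
    return cr


def check_audit_config(cr: dict) -> list[str]:
    """Return findings as strings; an empty list means the CR meets the prerequisites."""
    findings: list[str] = []
    spec = cr.get("spec", {})
    audit = spec.get("addOns", {}).get("audit")
    if audit is None:
        return ["spec.addOns.audit is missing: audit logging is not configured"]

    if audit.get("enableAudit") is not True:
        findings.append("enableAudit is not true: auditing will not start at deployment")

    # The CR quotes the interval ("15"), so accept a string or an int, but it must be numeric.
    raw_interval = audit.get("interval")
    try:
        interval = int(raw_interval)
    except (TypeError, ValueError):
        findings.append(f"interval {raw_interval!r} is not a number")
    else:
        if interval < MIN_INTERVAL_MINUTES:
            findings.append(f"interval {interval} is below the {MIN_INTERVAL_MINUTES}-minute minimum")

    if audit.get("applyDefaultPolicy") is not True:
        findings.append("applyDefaultPolicy is not true: a custom policy must be created and applied manually")

    if audit.get("archiveToDb") is True:
        findings.append("archiveToDb is true: the documented known issue requires false")

    volumes = {v.get("name"): v for v in spec.get("storage", []) if isinstance(v, dict)}
    auditlogs = volumes.get("auditlogs")
    if auditlogs is None:
        findings.append("no 'auditlogs' entry in spec.storage: logs cannot be forwarded to the Cloud Pak for Data audit service")
    elif "ReadWriteMany" not in auditlogs.get("spec", {}).get("accessModes", []):
        findings.append("auditlogs storage lacks the ReadWriteMany access mode used in the documented example")

    return findings


if __name__ == "__main__":
    # Pipe a real CR in (oc get db2ucluster <name> -o json | python3 check_audit.py)
    # or run with no input to check the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CR_JSON
    problems = check_audit_config(load_cr(text))
    print("\n".join(problems) if problems else "audit configuration looks ready")
    sys.exit(1 if problems else 0)
```

The check exits non-zero when it finds anything, so it can sit in a pipeline step before `oc apply`. The ReadWriteMany check mirrors the example CR on this page rather than a hard operator requirement, so treat that finding as a prompt to confirm your storage class supports the mode you chose.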
Verifying that the audit policy has been enabled
  1. Run the following commands to access your deployment and switch to the db2inst1 user:
    oc rsh <db2u-pod> bash -l
    su - db2inst1
    Replace <db2u-pod> with the value for your instance.
  2. Run the following command inside the db2u main pod as the db2inst1 user:
    db2audit describe

Enabling or disabling audit logging after deploying a database

Once the db2u pod is ready, you can enable or disable audit logging from the database's CR.

  1. Run the following command to list your db2ucluster instances:
    oc get db2ucluster -n ${PROJECT_CPD_INST_OPERANDS}
  2. Run the following command to edit your database instance to configure audit logging:
    oc edit db2ucluster <db2u-name> -n ${PROJECT_CPD_INST_OPERANDS} -oyaml
  3. Enable or disable auditing in the audit settings under addOns, and add auditlogs storage if required. Refer to the following example:
    ...
      addOns:
        audit:
          enableAudit: true
          interval: "15"
          applyDefaultPolicy: true
          archiveToDb: true
    ...
      storage:
        - name: auditlogs
          spec:
            accessModes:
            - ReadWriteMany
            resources:
              requests:
                storage: <pvc-size>
            storageClassName: <storageClassName>
          type: create

Creating a customized audit policy

If applyDefaultPolicy is set to false in the CR settings, you must manually create a customized audit policy.

Run the following commands to access your deployment and switch to the db2inst1 user:
oc rsh <db2u-pod> bash -l
su - db2inst1
Replace <db2u-pod> with the value for your instance.
Creating a customized policy
Run the following command to create a policy:
CREATE AUDIT POLICY policy_name CATEGORIES {category STATUS status [, category STATUS status ...] | ALL STATUS status} ERROR TYPE NORMAL;
For more information on creating a policy, see CREATE AUDIT POLICY statement.
Applying your customized policy
Run the following command to apply your customized policy to your Db2 instance:
AUDIT database_entity USING POLICY policy_name;
For more information on applying a policy to database objects, see AUDIT statement.
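When the policy definition comes from configuration rather than being typed by hand, it helps to validate the pieces before building the statements, since the statement text is concatenated from names that may come from elsewhere. The following is an added example, not IBM's code: it assembles the CREATE AUDIT POLICY and AUDIT statements in the shapes shown above (including the REMOVE POLICY form listed under Managing Db2 audit policies), refusing policy names, categories, STATUS values and target kinds that Db2 would not accept. The policy name cpd_default_like is constructed; its category list reproduces what the predefined AUDIT_DEFAULT policy records, as described under applyDefaultPolicy. The category, STATUS, ERROR TYPE and target-kind lists are the ones Db2 documents for these statements.

```python
"""Build CREATE AUDIT POLICY and AUDIT statements from a checked specification.

Added example, not IBM's code. It follows the statement shapes shown on this
page and rejects policy names, categories or STATUS values that Db2 would not
accept, so a typo or an unsafe name is caught before anything reaches the
database. The policy name below is constructed; its categories reproduce the
event mix that the predefined AUDIT_DEFAULT policy records.
"""
import re

# Audit categories accepted by CREATE AUDIT POLICY, and the STATUS values for each.
CATEGORIES = {"AUDIT", "CHECKING", "CONTEXT", "EXECUTE", "OBJMAINT", "SECMAINT", "SYSADMIN", "VALIDATE"}
STATUSES = {"BOTH", "FAILURE", "NONE", "SUCCESS"}
ERROR_TYPES = {"NORMAL", "AUDIT"}
# Object kinds the AUDIT statement can attach a policy to.
ENTITY_KINDS = {"DATABASE", "TABLE", "USER", "GROUP", "ROLE", "TRUSTED CONTEXT"}
# Plain (unquoted) SQL identifier: a letter, then letters, digits or underscores.
IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,127}$")

# Same category/status mix as the predefined AUDIT_DEFAULT policy described above.
AUDIT_DEFAULT_CATEGORIES = {
    "VALIDATE": "FAILURE",
    "SECMAINT": "BOTH",
    "OBJMAINT": "BOTH",
    "SYSADMIN": "BOTH",
}


def sql_identifier(name: str) -> str:
    """Upper-case a plain, optionally schema-qualified identifier, refusing anything
    that would need quoting or could smuggle extra SQL into the statement."""
    parts = name.split(".")
    if not all(IDENT.match(p) for p in parts):
        raise ValueError(f"not a plain SQL identifier: {name!r}")
    return ".".join(p.upper() for p in parts)


def create_audit_policy(name: str, categories: dict, error_type: str = "NORMAL") -> str:
    """categories maps category -> status, or {"ALL": status} for every category."""
    error_type = error_type.upper()
    if error_type not in ERROR_TYPES:
        raise ValueError(f"ERROR TYPE must be one of {sorted(ERROR_TYPES)}")
    if not categories:
        raise ValueError("at least one category is required")
    if "ALL" in {c.upper() for c in categories} and len(categories) > 1:
        raise ValueError("ALL cannot be combined with individual categories")
    clauses = []
    for category, status in categories.items():
        category, status = category.upper(), status.upper()
        if category != "ALL" and category not in CATEGORIES:
            raise ValueError(f"unknown audit category {category!r}")
        if status not in STATUSES:
            raise ValueError(f"unknown STATUS {status!r} for {category}")
        clauses.append(f"{category} STATUS {status}")
    return (f"CREATE AUDIT POLICY {sql_identifier(name)} "
            f"CATEGORIES {', '.join(clauses)} ERROR TYPE {error_type}")


def audit_statement(entity, policy=None) -> str:
    """AUDIT <entity> USING POLICY <policy>; with policy=None, AUDIT <entity> REMOVE POLICY.

    entity is the string "DATABASE" or a (kind, name) pair such as ("TABLE", "hr.payroll")."""
    if entity == "DATABASE":
        target = "DATABASE"
    else:
        kind, name = entity
        kind = kind.upper()
        if kind not in ENTITY_KINDS or kind == "DATABASE":
            raise ValueError(f"unsupported audit target {kind!r}")
        target = f"{kind} {sql_identifier(name)}"
    if policy is None:
        return f"AUDIT {target} REMOVE POLICY"
    return f"AUDIT {target} USING POLICY {sql_identifier(policy)}"


if __name__ == "__main__":
    # Statements to paste into a db2 CLP session that is connected to the database
    # (db2 -t expects the trailing ';' shown on this page).
    for stmt in (
        create_audit_policy("cpd_default_like", AUDIT_DEFAULT_CATEGORIES),
        audit_statement("DATABASE", "cpd_default_like"),
    ):
        print(stmt + ";")
```

The generated statements assume you are already connected to the database from the db2inst1 session (db2 connect to your database name before running them); the example prints them rather than executing them, so you can review the exact DDL before it is applied.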

Managing Db2 audit policies

Refer to the following audit commands to manage your audit policy. For more information on managing audit policies, see Audit policy guidelines.

View all created audit policies:
select * from SYSCAT.AUDITPOLICIES;
View current audit policies being used:
select * from SYSCAT.AUDITUSE;
Remove a policy from a database:
AUDIT database_entity REMOVE POLICY;