Auditing the use of an administrative authority

You can create and activate an audit policy to audit how a Db2 administrative authority is used. The audit policy records all uses of the administrative authority for access, even when it is not the primary or secondary authorization ID of a process.

About this task

Suppose that you have the SECADM authority and are responsible for making sure that all security policies, including audit policies, work as designed. You want to audit the use of the SYSADM authority by user SYSADMIN1.

Procedure

To audit the use of the SYSADM authority by SYSADMIN1:

  1. Create audit policy AUDITADMN1 by issuing the following INSERT statement:

    INSERT INTO SYSIBM.SYSAUDITPOLICIES(AUDITPOLICYNAME, SYSADMIN)
      VALUES('AUDITADMN1','S');

    Db2 checks to make sure that you have the required privilege to issue the INSERT statement. Upon successful verification, it inserts a row in SYSIBM.SYSAUDITPOLICIES to include the new policy.

  2. Activate the audit policy by issuing the START TRACE command:

    -STA TRACE (AUDIT) DEST (GTF) AUDTPLCY(AUDITADMN1)
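As an added example, not taken from the original Db2 documentation, the two steps above with the checks a practitioner would run around them: confirming the catalog row exists before starting the trace, confirming the audit trace is active, and stopping it when the audit is finished. The 'S' value for the SYSADMIN column is the one the page uses; the DISPLAY TRACE and STOP TRACE commands are not on the page and are shown here as the expected follow-up operator commands.

```sql
-- Step 1: define the policy that audits use of the SYSADM authority
-- ('S' in the SYSADMIN column, as on the page).
INSERT INTO SYSIBM.SYSAUDITPOLICIES (AUDITPOLICYNAME, SYSADMIN)
  VALUES ('AUDITADMN1', 'S');

-- Check: the policy row must exist before the trace is started;
-- without it, the START TRACE command has no policy to activate.
SELECT AUDITPOLICYNAME, SYSADMIN
  FROM SYSIBM.SYSAUDITPOLICIES
 WHERE AUDITPOLICYNAME = 'AUDITADMN1';

-- Step 2: Db2 operator commands (issued from the console, not SQL):
--   -STA TRACE (AUDIT) DEST (GTF) AUDTPLCY(AUDITADMN1)
-- Check: confirm the audit trace is active before relying on its records.
--   -DIS TRACE (AUDIT)
-- When the audit is complete, stop only this policy's trace.
--   -STO TRACE (AUDIT) AUDTPLCY(AUDITADMN1)
```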

Results


Db2 checks to make sure that you have the required privilege to run the START TRACE command. Upon successful verification, it starts an IFCID 0361 trace record.

The IFCID 0361 trace record is then written whenever the audited authority is used for access. For example, if SYSADM1 issues the ALTER BUFFERPOOL command to alter the attributes for active buffer pools, Db2 records the ALTER activity in the IFCID 0361 trace record.

The IFCID 0361 trace record is written regardless of whether the audited authority is associated with the primary authorization ID of the process. For example, assume that a stored procedure named SPROC1 is owned by SYSADM1, but the stored procedure package is owned by ADMIN2. If user USER1 issues an SQL CALL statement to execute SPROC1, Db2 records the EXECUTE privilege on the stored procedure package in the IFCID 0361 trace record for SYSADM1. The reason is that SYSADM1, as owner of the SPROC1 stored procedure, is the first ID checked for stored procedure package execution.
