Audit trace
The audit trace collects information about Db2 security controls and can be used to ensure that data access is allowed only for authorized purposes.
On the CREATE TABLE or ALTER TABLE statements, you can specify whether or not a table is to be audited, and in what manner; you can also audit security information such as any access denials, grants, or revokes for the table. The default causes no auditing to take place.
If you specified YES for AUDIT TRACE on installation panel DSNTIPN, audit trace class 1 starts automatically when you start Db2. By default, Db2 sends audit data to SMF. SMF records audit data in type 102 records. When you invoke the -START TRACE command, you can also specify GTF as a destination for audit data.
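The following sketch is an added example, not IBM code. It compares the audit classes that are started with the IFCIDs a site's audit policy requires and builds the -START TRACE command for the classes that are missing. The class-to-IFCID assignments are copied from the table on this page for classes 1 to 8 and 10; the function names and the sample policy are constructed for illustration.

```python
# Class -> IFCIDs for classes 1-8 and 10, transcribed from the table on this page.
AUDIT_CLASS_IFCIDS = {
    1: {140}, 2: {141}, 3: {142}, 4: {143}, 5: {144}, 6: {145},
    7: {55, 83, 87, 169, 319},
    8: {23, 24, 25, 219, 220},
    10: {269, 270},
}
IFCID_TO_CLASS = {i: c for c, ids in AUDIT_CLASS_IFCIDS.items() for i in ids}
# Classes whose descriptions refer to audited tables or objects. A table left
# at the default (no auditing) produces no records in these classes.
TABLE_SCOPED = {3, 4, 5, 6}


def audit_gap(active_classes, required_ifcids):
    """Compare the started audit classes with the IFCIDs a policy requires."""
    collected = set()
    for cls in active_classes:
        collected |= AUDIT_CLASS_IFCIDS.get(cls, set())
    missing = set(required_ifcids) - collected
    add = {IFCID_TO_CLASS[i] for i in missing if i in IFCID_TO_CLASS}
    return {
        "missing_ifcids": sorted(missing),
        "classes_to_start": sorted(add),
        "needs_table_audit": sorted(add & TABLE_SCOPED),
        "not_in_audit_classes": sorted(missing - set(IFCID_TO_CLASS)),
    }


def start_trace_command(classes, dest="SMF"):
    """Build the -START TRACE command text for the given audit classes."""
    if dest not in ("SMF", "GTF"):  # the two destinations named on this page
        raise ValueError("destination must be SMF or GTF")
    if not classes:
        raise ValueError("no audit classes to start")
    class_list = ",".join(str(c) for c in sorted(set(classes)))
    return "-START TRACE(AUDIT) CLASS(%s) DEST(%s)" % (class_list, dest)


# Constructed sample policy: denials, GRANT/REVOKE, first change and first read
# of audited objects, and authorization ID changes.
POLICY_IFCIDS = {140, 141, 143, 144, 55, 83, 87, 169, 319}
# Only class 1 is active when AUDIT TRACE = YES on DSNTIPN and nothing else is started.
STARTED_CLASSES = {1}

if __name__ == "__main__":
    gap = audit_gap(STARTED_CLASSES, POLICY_IFCIDS)
    print(gap)
    print(start_trace_command(gap["classes_to_start"]))
```

With only class 1 started, every policy IFCID except 140 is uncollected, and classes 4 and 5 additionally depend on the tables themselves being defined as audited.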
The following table shows the IFCIDs that are activated for each audit trace class.
Class | Description of class | Activated IFCIDs |
---|---|---|
1 | Access attempts denied due to inadequate authorization. Class 1 is also activated when you omit the CLASS keyword from the START TRACE command when you start the audit trace. | 140 |
2 | Explicit GRANT and REVOKE. | 141 |
3 | CREATE, ALTER, and DROP operations against audited tables. | 142 |
4 | First change of audited object. | 143 |
5 | First read of audited object. | 144 |
6 | Bind time information about SQL statements that involve audited objects. | 145 |
7 | Assignment or change of authorization ID. | 55, 83, 87, 169, 319 |
8 | Utilities. | 23, 24, 25, 219, 220 |
9 | Installation-defined audit record. | |
10 | Trusted context information. | 269, 270 |
11 | Audits of successful access. | 361 <sup>1</sup> |
12–29 | Reserved. | |
30–32 | Available for local use. | |
Notes: