Db2 audit policies
An audit policy is a set of criteria that determines the categories to be audited. It helps you configure and control the audit requirements of your security policies, and monitor data access by applications and individual users (authorization IDs or roles), including administrative authorities.
You create Db2 audit policies by inserting rows in the SYSIBM.SYSAUDITPOLICIES table. Users with appropriate authorities can modify the audit policies by issuing UPDATE or DELETE statements.
Db2 supports several types of audit policies, including audit policies that you start manually, audit policies that start automatically when Db2 starts, secure audit policies, and tamper-proof audit policies. The DB2START column in the SYSIBM.SYSAUDITPOLICIES table specifies the type of audit policy.
After a Db2 audit policy is created, users with the required authorities can start and manage the policy by issuing START TRACE, STOP TRACE, and DISPLAY TRACE commands with the AUDTPLCY option.
Authorization for Db2 audit policies
If the SEPARATE_SECURITY subsystem parameter is set to YES, only the SECADM authority has implicit INSERT, UPDATE, and DELETE privileges on the SYSIBM.SYSAUDITPOLICIES table. If SEPARATE_SECURITY is set to NO, SYSADM authority also has these implicit privileges. For more information, see Separating the SYSADM authority.
Any user with authority to start traces can start any audit policy. However, some types of audit policies can only be modified or stopped with specific authorities.
With secure audit policies, SECADM authority is always required to stop the audit policy, regardless of the SEPARATE_SECURITY subsystem parameter value. Secure audit policies are created with DB2START='S' in the SYSIBM.SYSAUDITPOLICIES table.
FL 509: With tamper-proof audit policies, external authorities are required to either modify or stop the audit policy. Tamper-proof audit policies are created with DB2START='T' in the SYSIBM.SYSAUDITPOLICIES table. For more information, see Updating or stopping tamper-proof audit policies.
For any type of audit policy, each of the following authorities has implicit SELECT privilege on the SYSIBM.SYSAUDITPOLICIES table: SECADM, SYSADM, ACCESSCTRL, DATAACCESS, system DBADM, SQLADM, and SYSCTRL.
If a view is created on the SYSIBM.SYSAUDITPOLICIES table, the DATAACCESS authority can perform INSERT, UPDATE, and DELETE on the view to indirectly INSERT, UPDATE, and DELETE on the SYSIBM.SYSAUDITPOLICIES table.
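The following is an added example, not taken from the original page: it creates a secure audit policy, starts it, and then lists every policy by DB2START type so a reviewer can see which ones are protected against being stopped or modified. The policy name AUTHFAIL_SEC and the GTF trace destination are assumptions; the category columns and the 'Y'/'N' values of DB2START come from the Db2 for z/OS catalog definition rather than from this page.

```sql
-- Constructed example; AUTHFAIL_SEC is a hypothetical policy name.
-- Run as SECADM (or SYSADM when SEPARATE_SECURITY is NO).
-- CHECKING, VALIDATE and SECMAINT are audit category columns; 'A' audits
-- all events in that category. DB2START='S' makes this a secure policy,
-- so SECADM authority is required to stop it.
INSERT INTO SYSIBM.SYSAUDITPOLICIES
       (AUDITPOLICYNAME, CHECKING, VALIDATE, SECMAINT, DB2START)
VALUES ('AUTHFAIL_SEC', 'A', 'A', 'A', 'S');

-- Start the policy with a Db2 command (issued from the console or DSN,
-- not as SQL). The destination is an assumption; use your site's target.
--   -START TRACE(AUDIT) DEST(GTF) AUDTPLCY(AUTHFAIL_SEC)
-- Confirm that it is active:
--   -DISPLAY TRACE(AUDIT)

-- Review query: classify each policy by how it starts and who can stop it.
-- Policies shown as manual or auto-start have no stop protection beyond
-- trace authority, so they are the ones to examine first.
SELECT AUDITPOLICYNAME,
       DB2START,
       CASE DB2START
         WHEN 'T' THEN 'tamper-proof: external authority to modify or stop'
         WHEN 'S' THEN 'secure: SECADM required to stop'
         WHEN 'Y' THEN 'auto-start: no extra stop protection'
         ELSE          'manual start: no extra stop protection'
       END AS POLICY_TYPE,
       CREATEDTS,
       ALTEREDTS   -- a recent change to an existing policy deserves a look
  FROM SYSIBM.SYSAUDITPOLICIES
 ORDER BY DB2START, AUDITPOLICYNAME;
```

Any authority with implicit SELECT on SYSIBM.SYSAUDITPOLICIES can run the review query, which makes it suitable for a read-only compliance check.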