Creating and activating audit policies

With the SECADM authority, you can create, display, activate, or inactivate Db2 audit policies.

Procedure

To create and activate an audit policy:

  1. Obtain the SECADM authority if you don't have it.
    Alternately, you can have the SECADM authority grant you the required privileges to create an audit policy. A user with the SYSOPR authority can activate the policy.
  2. Create a new audit policy by issuing the INSERT statement.

    You need to specify a name for the new audit policy. An audit policy name is an identifier that is 1 to 128 letters or digits in length, begins with a letter.

    You also need to specify proper audit categories in the new audit policy. If you specify the OBJMAINT or EXECUTE category, you must also specify the OBJECTSCHEMA, OBJECTNAME, and OBJECTTYPE columns in the SYSIBM.SYSAUDITPOLICIES table that identify the table to be audited.

    For example, if you want to create a new AUDITADMIN1 policy to audit the SYSADM authority, you can specify SYSADMIN as the category:

    Begin general-use programming interface information.
    INSERT INTO SYSIBM.SYSAUDITPOLICIES(AUDITPOLICYNAME, SYSADMIN)
    			VALUES('AUDITADMIN1','S');
    End general-use programming interface information.

    You can also use the SQL LIKE predicate to audit tables of the same characteristics. For example, you can audit all tables that start with EMP in schema TSCHEMA by issuing the following INSERT statement:

    Begin general-use programming interface information.
    INSERT INTO SYSIBM.SYSAUDITPOLICIES
           (AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE)
         VALUES('TEST2','TSCHEMA','''E_P%''','T','C');
    End general-use programming interface information.
    Start of changeFL 509 To create a tamper-proof audit policy, which requires special authorization to modify or stop, set the DB2START column to T:
    INSERT INTO SYSIBM.SYSAUDITPOLICIES
      (AUDITPOLICYNAME, CHECKING, SECMAINT, SYSADMIN, DB2START)
     VALUES('TAMPERPRFPOLICY01','A','A','I','T')
    For more information on tamper-proof audit policies, see Updating tamper-proof audit policies.End of change
  3. Activate the audit policy by issuing the START TRACE command with the AUDTPLCY option.

    You need to specify the AUDTPLCY option on the command to enable a specific audit policy:

    Begin general-use programming interface information.
    -STA TRACE (AUDIT) DEST (GTF) AUDTPLCY(AUDITADMIN1)
    End general-use programming interface information.
    Start of change
    Recommendation: FL 509 Start all tamper-proof audit policies in one START TRACE command, which assigns them to one trace number. Doing so helps avoid the possibility of mismatching trace numbers among data sharing members if the SCOPE(GROUP) option is used to stop a tamper-proof audit policy.
    End of change

    This command starts a trace for IFCID 361 to audit the use of the SYSADM authority. Db2 also starts an IFCID 362 trace record to trace the audit policy information as defined in the catalog. If multiple audit policies are specified to start at the same time, the IFCID 362 record is written for every audit policy specified and contains the information about whether the policies successfully started or failed.

    Up to 32 audit policies can be active concurrently.

    Depending on the categories in the audit policy, Db2 starts the associated audit trace records, one for each IFCID that is related to the specified audit category.

    Db2 runs against the audit policies that are already defined in the SYSIBM.SYSAUDITPOLICIES table when you issue the START TRACE command; it ignores any change you make to a specific audit policy after you start the START TRACE command. If you want Db2 to run against the updated audit policy, you need to stop and then start the audit policy trace. In addition, you cannot specify the CLASS or IFCID option when you specify the AUDTPLCY option on the START TRACE command.

    Start of changeFL 509 If you prefer the audit policy to be automatically started, you need to set the DB2START column to Y, S, or T in the SYSIBM.SYSAUDITPOLICIES table. The audit policy will be started during Db2 startup. When you specify DB2START='S', only users (authorization IDs or roles) with the SECADM authority can stop the policy. When you specify DB2START ='T', only users with additional authorization in RACF® can modify or stop the policy. If you set DB2START = 'S' or 'T' to an audit policy that is already started, you must stop and restart the policy for the new setting to take effect.End of change

    You can automatically start up to 8 audit policies during Db2 startup. If you specify to automatically start multiple audit policies with different DB2START column settings, Db2 will start two traces, one for policies with DB2START = 'Y' and the other for policies with DB2START = 'S'. If you need to stop any audit policy that is automatically started, you must simultaneously stop all the policies that are assigned the same trace number.

  4. If necessary, display the audit policy by issuing the DISPLAY TRACE command.

    You need to specify the AUDTPLCY option on the command to show the name and other details about the AUDITADMIN1 audit policy:

    Begin general-use programming interface information.
    -DISPLAY TRACE (AUDIT) DETAIL(2) DEST (GTF) AUDTPLCY(AUDITADMIN1)
    End general-use programming interface information.

    The command returns an output like the following sample:

    Begin general-use programming interface information.
    15.49.46                -DIS TRACE(AUDIT) DETAIL(2)
    15.49.47    STC00125    DSNW143I - CURRENT TRACE QUALIFICATIONS ARE -
    15.49.47    STC00125    DSNW152I - BEGIN TNO 04 QUALIFICATIONS:
    NO QUALIFICATIONS
    END TNO 04 QUALIFICATIONS
    15.49.47    STC00125    DSNW185I - BEGIN TNO 04 AUDIT POLICIES:
    ACTIVE AUDIT POLICY: AUDITADMIN1
    ACTIVE AUDIT POLICY: AUDITTABLE1
    END TNO 04 AUDIT POLICIES
    15.49.47    STC00125    DSNW148I - ******END OF DISPLAY TRACE QUALIFICATION
         DATA******
    15.49.47    STC00125    DSN9022I - DSNWVCM1 '-DIS TRACE' NORMAL COMPLETION
    End general-use programming interface information.
  5. If necessary, disable the audit policy by issuing the STOP TRACE command.

    You need to specify the AUDTPLCY option on the command to stop all the trace activities that are started by a specific audit policy:

    Begin general-use programming interface information.
    -STO TRACE (AUDIT) DEST (GTF) AUDTPLCY(AUDITADMIN1)
    End general-use programming interface information.

    Only the STOP TRACE command can stop all the trace activities that are started by a specific audit policy; deleting the active policy row from the SYSIBM.SYSAUDITPOLICIES table does not stop the tracing.