Audit category

Db2 audit policies are created and stored in the SYSIBM.SYSAUDITPOLICIES table. Each policy is specified with specific audit categories.

Begin program-specific programming interface information.Db2 supports the following audit categories:

Table 1. Db2 audit policy categories
Category Description
CHECKING Generates IFCID 140 trace records for denied access attempts due to inadequate Db2 authorization and IFCID 83 trace records for RACF® authentication failures
VALIDATE Generates IFCID 55, 83, 87, 169, and 319 trace records for new or changed assignments of authorization IDs and IFCID 269 trace records for the establishment of trusted connections or the switch of users in existing trusted connections
OBJMAINT

Generates IFCID 142 trace records when tables are altered or dropped. When an audit policy is defined, it specifies the tables to be audited. The same audit policy can be used to audit different tables in a schema by specifying the table names with the SQL LIKE predicate.

Only tables that are defined in the following types of table spaces can be audited:

  • Universal table space (UTS), including UTS that contains implicitly created tables, such as XML tables
  • Traditional partitioned table space
  • Segmented table space.

In addition to tables, an audit policy can also be used to audit clone tables and tables that are implicitly created for XML columns.

The type of the object to be audited can be specified by using the OBJECTTYPE column. The default OBJECTTYPE column value of blank indicates that all of the supported object types are audited.
EXECUTE Generates IFCID 143, 144 and 145 trace records for every SQL statement with a unique statement ID that changes or reads against tables that are identified in the audit policy. IFCID 145 records SQL bind time information that includes the text and the unique ID of a SQL statement. The SQL statement ID is used in the IFCID 143 and 144 trace records to record any change or reading by the SQL statement identified in the IFCID 145 trace records.

When an audit policy is defined, it specifies the tables to be audited. The same audit policy can be used to audit different tables in a schema by specifying the table names with the SQL LIKE predicate.

Only tables that are defined in the following types of table spaces can be audited:

  • Universal table space (UTS), including UTS that contains implicitly created tables, such as XML tables
  • Traditional partitioned table space
  • Segmented table space.

In addition to tables, an audit policy can also be used to audit clone tables and tables that are implicitly created for XML columns.

The type of the object to be audited can be specified by using the OBJECTTYPE column. The default OBJECTTYPE column value of blank indicates that all of the supported object types are audited.

If the audit policy is started after the SQL statement is started, access to the table is not be audited.
CONTEXT Generates IFCID 23, 24, and 25 records.
SECMAINT Generates IFCID 141 trace records for granting and revoking privileges or administrative authorities, IFCID 270 trace records for creating and altering trusted contexts, and IFCID 271 trace records for creating, altering, and dropping row permissions or column masks.
SYSADMIN Generates IFCID 361 trace records when an administrative authority, in the order of installation SYSADM, installation SYSOPR, SYSOPR, SYSCTRL, or SYSADM, satisfies the required privilege for performing an operation

If the Access Control Authorization Exit (ACAE) is active, only the operations that are performed by the installation SYSADM and installation SYSOPR authorities are audited.
DBADMIN Generates IFCID 361 trace records when an administrative authority, in the order of DBMAINT, DBCTRL, DBADM, PACKADM, SQLADM, system DBADM, DATAACCESS, ACCESSCTRL, or SECADM, satisfies the required privilege for performing an operation

The database name can be specified for auditing the DBADM, DBCTRL and DBMAINT authorities. If the database name is not specified, all the databases, including implicit databases, are audited.

The collection ID can be specified for auditing the PACKADM authority. If the collection ID is specified, all packages in that collection are audited. If the collection ID is not specified, the packages in all collections are audited.

If the Access Control Authorization Exit (ACAE) is active, only the operations that are performed by the SECADM authority are audited.

For the SYSADMIN and DBADMIN categories, Db2 checks a set of rules for each operation to determine the required authorization. In general, the rules are checked in the order of installation SYSADM, installation SYSOPR (if applicable), specific privileges required for the operation (i.e., SELECT, UPDATE), database authorities (i.e., DBMAINT, DBCTRL, DBADM), system database authorities (i.e., SQLADM, system DBADM, DATAACCESS, and ACCESSCTRL), and system authorities (i.e., SYSCTRL, SYSADM, and SECADM).

For example, to determine whether a user can alter a table, Db2 checks the required privilege in the following order:

  1. Installation SYSADM
  2. ALTER table privilege
  3. DBADM authority on the database that the table is in
  4. System DBADM
  5. SYSCTRL
  6. SYSADM

If the user has only the ALTER privilege on the table and if the audit policy is activated to audit the SYSADM authority, Db2 does not generate an IFCID 361 audit record on the ALTER operation. If the user also has the SYSADM authority, Db2 still does not generate an IFCID 361 record because the lowest (ALTER) privilege permits the operation.

In general, Db2 always checks the installation SYSADM and installation SYSOPR authorities prior to the lowest (ALTER) privilege. If the user has the installation SYSADM authority and the audit policy is activated to audit the installation SYSADM authority, Db2 generates an IFCID 361 record.End program-specific programming interface information.