Updating or stopping tamper-proof audit policies

A tamper-proof audit policy cannot be modified or stopped unless the user is authorized to access the Db2 audit policy profile by a z/OS® security product that is external to Db2, such as RACF®.

Before you begin

Your system security administrator must activate and RACLIST the RACF DSNR class if they have not already done so.

SETR CLASSACT(DSNR) GENERIC(DSNR)
SETR RACLIST(DSNR)

About this task

You can create a new tamper-proof audit policy by inserting an audit policy record into the SYSIBM.SYSAUDITPOLICIES catalog table with a DB2START value of 'T'. For more information, see Creating and activating audit policies. Any UPDATE or DELETE statements or STOP TRACE commands on this record require additional RACF authorization.

Procedure

To update a tamper-proof audit policy:

  1. Ask your system security administrator to complete the following steps:
    1. Optional: Define a default profile, DSNAUDIT.*, in the RACF DSNR class that prevents any tamper-proof audit policy records from being modified or stopped. 
      RDEFINE DSNR DSNAUDIT.* UACC(NONE) OWNER(DB2OWNER)
SETR RACLIST(DSNR) REFRESH
    2. Create a profile in the RACF DSNR class for the tamper-proof audit policy and permit you access to the profile.
      The profile name must have the following format: 
      DSNAUDIT.policy-name
      where policy-name is the name of the tamper-proof audit policy.
      Note: In addition to access to the tamper-proof audit policy profile, you must also have the privileges that are required for the statements and commands that you will use to update and possibly restart the tamper-proof audit policy.
  2. Update the tamper-proof audit policy record in the SYSIBM.SYSAUDITPOLICIES table.
  3. If the tamper-proof audit policy is already started, restart the modified tamper-proof audit policy record by issuing the STOP TRACE and START TRACE commands.
  4. Ask your system security administrator to remove your access to the audit policy profile in RACF.

Examples

Example: Updating a tamper-proof audit policy that is already started
Update the tamper-proof audit policy TAMPERPRFPOLICY01, which is already started, as a user with user ID SARA.
  1. Ask your system security administrator to complete the following steps:
    1. Activate and RACLIST the DSNR class.
      SETR CLASSACT(DSNR) GENERIC(DSNR)
SETR RACLIST(DSNR)
    2. Create a RACF profile, DSNAUDIT.TAMPERPRFPOLICY01, for the audit policy that is to be modified. Permit your user ID access to the profile.
      RDEFINE DSNR DSNAUDIT.TAMPERPRFPOLICY01 UACC(NONE) OWNER(DB2OWNER)
PE DSNAUDIT.TAMPERPRFPOLICY01 ID(SARA) ACCESS(READ) CLASS(DSNR)
SETR RACLIST(DSNR) REFRESH
  2. Update the tamper-proof audit policy record in the SYSIBM.SYSAUDITPOLICIES table.
    UPDATE SYSIBM.SYSAUDITPOLICIES SET SYSADMIN=’IR’
   WHERE AUDITPOLICYNAME=‘TAMPERPRFPOLICY01’;
  3. Issue the STOP TRACE command to stop the tamper-proof audit policy record.
    STO TRACE(AUDIT) AUDTPLCY(TAMPERPRFPOLICY01)
  4. Issue the START TRACE command to restart the modified tamper-proof audit policy record.
    STA TRACE(AUDIT) AUDTPLCY(TAMPERPRFPOLICY01)
  5. Ask your system security administrator to remove access to the audit policy profile in RACF for your user ID.
    PE DSNAUDIT.TAMPERPRFPOLICY01 ID(SARA) DELETE CLASS(DSNR)
SETR RACLIST(DSNR) REFRESH
Example: Updating a tamper-proof audit policy that is not started
Update the tamper-proof audit policy TAMPERPRFPOLICY02, which is not started, as a user that is associated with RACF group DBSECA.
  1. Ask your system security administrator to complete the following steps:
    1. Activate and RACLIST the DSNR class.
      SETR CLASSACT(DSNR) GENERIC(DSNR)
SETR RACLIST(DSNR)
    2. Create a RACF profile, DSNAUDIT.TAMPERPRFPOLICY02, for the audit policy to be modified. Permit the RACF group DBSECA access to the profile.
      RDEFINE DSNR DSNAUDIT.TAMPERPRFPOLICY02 UACC(NONE) OWNER(DB2OWNER)
PE DSNAUDIT.TAMPERPRFPOLICY02 ID(DBSECA) ACCESS(READ) CLASS(DSNR)
SETR RACLIST(DSNR) REFRESH
  2. Update the tamper-proof audit policy record in the SYSIBM.SYSAUDITPOLICIES table.
    UPDATE SYSIBM.SYSAUDITPOLICIES SET DBADMIN=’BGT’
   WHERE AUDITPOLICYNAME = ‘TAMPERPRFPOLICY02’;
  3. Ask your system security administrator to remove access to the audit policy profile in RACF for DBSECA.
    PE DSNAUDIT.TAMPERPRFPOLICY02 ID(DBSECA) DELETE CLASS(DSNR)
SETR RACLIST(DSNR) REFRESH