Auditing access with RACF security

To ensure that only intended users have access to Spiffy Computer resources when you use RACF security, you can generate a RACF audit report.

Procedure

  1. In RDEFINE commands that define RACF profiles for Db2 resources, include the AUDIT(ALL(READ)) option to direct RACF to write audit information to SMF data sets.

    Example: In the following RDEFINE command, the AUDIT option causes records to be written to an SMF data set when a SELECT operation is performed on the PAYDEPT view.

    RDEFINE MDSNTB DB2A.SYSADM.PAYDEPT.SELECT UACC(NONE) AUDIT(ALL(READ))
  2. When the SMF recording data sets become full, dump the contents of the recording data sets to permanent data sets using one of the SMF dump utilities, IFASMFDP or IFASMFDL. Dump all types and subtypes of SMF records.

    Example: The following JCL job step formats the contents of SYS1.MANX to sequential data set SYSADM.SMFDATA1.

    //SMFDUMP EXEC PGM=IFASMFDP
    //SYSPRINT DD SYSOUT=*
    //ADUPRINT DD SYSOUT=*
    //* Input: the full SMF recording data set
    //DUMPIN   DD  DSN=SYS1.MANX,DISP=SHR
    //* Output: permanent copy, cataloged so step 3 can reference it by name
    //DUMPOUT1 DD  DSN=SYSADM.SMFDATA1,DISP=(NEW,CATLG),UNIT=SYSDA,
    //             SPACE=(CYL,(10,2))
    //SYSIN DD *
    INDD(DUMPIN,OPTIONS(DUMP))
    OUTDD(DUMPOUT1,TYPE(000:255))
    /*
  3. Run IFASMFDP or IFASMFDL with the IRRADU00 exit on the data sets you populated in step 2 to retrieve and format the SMF records that are related to RACF access.

    Example: Suppose that SMF records have been stored in SMF data set SYSADM.SMFDATA1. The following JCL job step formats RACF-related records from SYSADM.SMFDATA1 and stores them in sequential data set SMF.UNLOAD1.

    //SMFDUMP EXEC PGM=IFASMFDP
    //SYSPRINT DD SYSOUT=*
    //ADUPRINT DD SYSOUT=*
    //* DUMPIN/DUMPOUT are the IFASMFDP defaults when SYSIN has no INDD/OUTDD
    //DUMPIN   DD  DSN=SYSADM.SMFDATA1,DISP=SHR
    //* The raw copy is not needed; IRRADU00 writes formatted records to OUTDD
    //DUMPOUT  DD  DUMMY
    //OUTDD    DD  DSN=SMF.UNLOAD1,DISP=(NEW,CATLG,DELETE),
    //         SPACE=(CYL,(100,10),RLSE),UNIT=SYSDA,DCB=(LRECL=12288,RECFM=VB)
    //SYSIN DD *
    ABEND(NORETRY)
    USER2(IRRADU00)
    USER3(IRRADU86)
    /*
  4. Optional: Load the contents of the data set that you populated in step 3 into Db2 tables so that you can easily retrieve and examine the records of interest.
    See Using the RACF SMF data unload utility output with Db2 for information about sample jobs for creating tables and a sample LOAD statement for loading data into the tables.
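Once the unloaded records are in Db2, a query over the ACCESS table like the following summarizes who tried to SELECT from the PAYDEPT view and whether RACF allowed it. This is an added example, not IBM's code: the table and column names follow IBM's sample IRRADUTB definitions for the ACCESS record as assumed here, the 'INSAUTH' denial qualifier is assumed, and the rows are constructed.

```sql
-- Added example (not IBM's code). Table and column names follow IBM's sample
-- IRRADUTB definitions for the ACCESS record as assumed here; check them
-- against the DDL you actually used in step 4. Sample rows are constructed.
CREATE TABLE ACCESS (
  ACC_EVENT_TYPE   CHAR(8)      NOT NULL,  -- 'ACCESS' for resource access events
  ACC_EVENT_QUAL   CHAR(8)      NOT NULL,  -- 'SUCCESS' or a failure qualifier
  ACC_DATE_WRITTEN DATE         NOT NULL,
  ACC_TIME_WRITTEN TIME         NOT NULL,
  ACC_EVT_USER_ID  CHAR(8)      NOT NULL,  -- user who issued the request
  ACC_CLASS        CHAR(8)      NOT NULL,  -- RACF class, MDSNTB for Db2 tables/views
  ACC_RES_NAME     VARCHAR(255) NOT NULL,  -- profile name that was checked
  ACC_INTENT       CHAR(8),                -- access level requested
  ACC_ALLOWED      CHAR(8)                 -- access level the user actually held
);

-- Constructed sample data: two allowed reads and two denied attempts
-- ('INSAUTH' = insufficient authority is the assumed denial qualifier).
INSERT INTO ACCESS VALUES
  ('ACCESS', 'SUCCESS', '2024-03-04', '09:12:01', 'PAYCLERK', 'MDSNTB',
   'DB2A.SYSADM.PAYDEPT.SELECT', 'READ', 'READ'),
  ('ACCESS', 'SUCCESS', '2024-03-05', '14:30:27', 'PAYCLERK', 'MDSNTB',
   'DB2A.SYSADM.PAYDEPT.SELECT', 'READ', 'READ'),
  ('ACCESS', 'INSAUTH', '2024-03-05', '22:41:09', 'TEMPUSR1', 'MDSNTB',
   'DB2A.SYSADM.PAYDEPT.SELECT', 'READ', 'NONE'),
  ('ACCESS', 'INSAUTH', '2024-03-05', '22:41:15', 'TEMPUSR1', 'MDSNTB',
   'DB2A.SYSADM.PAYDEPT.SELECT', 'READ', 'NONE');

-- Per-user summary of SELECT access to the PAYDEPT view for one month.
-- AUDIT(ALL(READ)) logs both allowed and denied attempts, so split them:
-- a user with denials and no successes is the row to follow up first.
SELECT ACC_EVT_USER_ID,
       SUM(CASE WHEN ACC_EVENT_QUAL = 'SUCCESS' THEN 1 ELSE 0 END) AS ALLOWED_COUNT,
       SUM(CASE WHEN ACC_EVENT_QUAL <> 'SUCCESS' THEN 1 ELSE 0 END) AS DENIED_COUNT,
       MIN(ACC_DATE_WRITTEN) AS FIRST_SEEN,
       MAX(ACC_DATE_WRITTEN) AS LAST_SEEN
  FROM ACCESS
 WHERE ACC_EVENT_TYPE = 'ACCESS'
   AND ACC_CLASS      = 'MDSNTB'
   AND ACC_RES_NAME   = 'DB2A.SYSADM.PAYDEPT.SELECT'
   AND ACC_DATE_WRITTEN BETWEEN '2024-03-01' AND '2024-03-31'
 GROUP BY ACC_EVT_USER_ID
 ORDER BY DENIED_COUNT DESC, ALLOWED_COUNT DESC;
```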