Configuring audit logging for Db2 or Db2 Warehouse
Audit logging allows you to monitor data access and detect concerning behaviors performed on a database.
Enabling audit logging
Db2 or Db2 Warehouse audit logging uses predefined policies to audit data. For more information,
see Audit policies.
Note: Audit logging can only be enabled for fresh deployment.
- Enabling audit logging from a custom resource definition (CRD)
- Edit your database's YAML file to add audit logging functionality. Refer to the following example:
apiVersion: db2u.databases.ibm.com/v1 kind: Db2uCluster metadata: name: db2-test spec: addOns: audit: enableAudit: true interval: "15" applyDefaultPolicy: true archiveToDb: false ... storage: - name: auditlogs type: "create" spec: storageClassName: <storage_class_name> accessModes: - ReadWriteMany resources: requests: storage: 30Gi- Add an audit entry to the addons section.
- Add an auditlogs PVC to the storage section.
- Parameters
-
- enableAudit: A bool type input. Set to true if you want the audit to run during the deployment run-time. If set to false, the audit will not start. You can run it later from the db2u pod.
- interval: An int type input. The time interval in minutes for the frequency of logging the audit records into AUDIT. database tables. The minimum input allowed is 15 minutes.
- applyDefaultPolicy: A bool type input. The Db2u instance will
have two predefined audit policies called AUDIT_DEFAULT and
AUDIT_ALL.
AUDIT_ALL policy audits all successes and failures for every category of audit record.
AUDIT_DEFAULT policy records only these event types:FAILURE for VALIDATEFAILURE AND SUCCESS for SECMAINTFAILURE AND SUCCESS for OBJMAINTFAILURE AND SUCCESS for SYSADMIN- By setting applyDefaultPolicy to
true, AUDIT_DEFAULT will be applied to the entire database.
Note: To create a custom policy that fits your needs, see Creating a customized audit policy. - archiveToDb: A bool type input. Set to true
if you want the audit record to be loaded into AUDIT. database tables.Warning: Please set archiveToDb to false due to a known issue in the current release. For more information, see Disabling the ArchiveToDb parameter to prevent storage issue.
Important: When an audit policy is enabled and the audit task is scheduled,
AUDIT. database tables will continue to accumulate space on your system. You
are required to manage the storage used by the AUDIT. tables. It is
recommended that you periodically organize and export the audit data
- Verifying that the audit policy has been enabled
-
- Run the following command to access your deployment and switch to a db2inst1
user:
Replace <db2u-pod> with the value for your instance.oc rsh <db2u-pod> bash -l su - db2inst1 - Run the following command inside the db2u main pod as a db2inst1
user:
db2audit describe
- Run the following command to access your deployment and switch to a db2inst1
user:
Creating a customized audit policy
If you have applyDefaultPolicy set to false in the CRD settings, you will need to manually create a customized audit policy.
Run the following command to access your deployment and switch to a db2inst1
user:
oc rsh <db2u-pod> bash -l
su - db2inst1- Creating a customized policy
- Run the following command to create a
policy:
For more information on creating a policy, see CREATE AUDIT POLICY statementt.CREATE AUDIT POLICY policy_name CATEGORIES category or ALL STATUS status ERROR TYPE NORMAL; - Applying your customized policy
- Apply your customized policy to your Db2 or Db2 Warehouse on OpenShift®
instance:
For more information on creating a policy, see AUDIT statement.AUDIT database_entity USING POLICY policy_name;
Managing Db2 or Db2 Warehouse on OpenShift audit policies
Refer to the following audit commands to manage your audit policy. For more information on managing audit policies, see Audit policy guidelines.
- View all created audit policies:
-
select * from SYSCAT.AUDITPOLICIES; - View current audit policies being used:
-
select * from SYSCAT.AUDITUSE; - Remove a policy from a database:
-
AUDIT database_entity REMOVE POLICY;