Managing audit policies
A Db2 audit policy is a set of criteria that determines the categories to be audited.
About this task
You create an audit policy by inserting a row into the Db2 catalog table SYSIBM.SYSAUDITPOLICIES. You can then edit and delete these policies by modifying the rows in this table. Db2 Admin Tool helps you perform these steps.
Procedure
To manage audit policies:
- On the DB2 Administration Menu (ADB2) panel, specify option Z, and press Enter.
- On the System Administration (ADB2Z) panel, specify option AP, and press Enter.
The Manage Audit Policies (ADBPZAP) panel displays the audit policies that are stored in SYSAUDITPOLICIES:
    ADBPZAP n ---------- DC1A Manage Audit Policies ------------ Row 1 to 11 of 11
    Line commands: I - Interpret U - Update INS - Insert D - Delete S - Show object
    Object Object C V O E C S D
    Sel Name Name Schema T H A M X O M SYSAD DBADM Database Collection S
    * * * * * * * * * * * * * * *
    --- -------- -------- -------- - - - - - - - ----- ----- -------- ---------- -
    TEST1 ADBCHGT T A A T
    TEST2 ADBCHGT T A S
    TEST3 ADBCHGT T A Y
    TEST4 ADBCHGT T A Y
    TEST5 ADBCHGT TS5764 T A Y
    TEST6 ADBCHGT TS5764 T C Y
    TEST7 ADBCHGT T A Y
    TEST8 ADBCHGT TS5764 T A Y
    TEST9 ADBCHGT TS5764 T R Y
    TEST10 ADBCHGT TS5764 T T Y
    TEST11 ADBCHGT TS5764 T A A A C * P Y
    ******************************* END OF DB2 DATA *******************************
- Use the line commands on the Manage Audit Policies (ADBPZAP) panel to view, add, and update any audit policies as needed:
- If you view a policy (by using the I line command), the Interpretation of an Object in SYSAUDITPOLICIES (ADBPZAPI) panel displays the policy details:
    ADBPZAPI ----- DC1A Interpretation of an Object in SYSAUDITPOLICIES ---- 16:52
    Option ===>
    Details for Audit Policy: TST1
    Object Schema :
    Object Name . :
    Object Type . :
    Checking . . . : A - Audit all authorization and authentication failures
    Validate . . . : blank - Audit none
    Object Maint . : blank - Audit none
    Execute . . . : blank - Audit none
    Context . . . : blank - Audit none
    Security Maint : blank - Audit none
    System Admin . : blank - Audit none
    DB Admin . . . : blank - Audit none
    Database name :
    Collection ID :
    DB2 start . . : N - Do not start automatically
    Created TS . . : 2021-05-05-16.51.23.156304
    Altered TS . . : 2021-05-05-16.51.23.156304
- If you insert a new policy (with the INS line command) or update a policy (with the U line command), the Insert/Update Audit Policies (ADBPZAPU) panel is displayed:
    ADBPZAPU -------------- DC1A Insert/Update Audit Policies -------------- 11:3
    Command ===>
    Enter Audit policy details:
    Audit name . . . TEST6 > (? to lookup)
    Object schema . . TS5764 (Optional)
    Object name . . . ADBCHGT > (? to lookup)
    Object type . . . T (C, P, T or blank)
    Categories:
      Checking . . . (A or blank)
      Validate . . . (A or blank)
      Objmaint . . . (A or blank)
      Execute . . . C (A, C or blank)
      Context . . . (A or blank)
      Secmaint . . . (A or blank)
      Sysadmin . . . (I, L, O, R, S, * or blank)
      Dbadmin . . . (B, C, D, E, G, K, M, P, T, * or blank)
    DB name . . . . . > (? to lookup)
    Collection ID . . > (? to lookup)
    DB2 start . . . . Y (Y, S, T or N)
On this panel, enter the values that you want inserted or updated in the SYSAUDITPOLICIES table and press Enter.
Tip: For Db2 12 function level 509 or higher, you can create a tamper-proof audit policy, which requires special authorization to modify or stop. To create such a policy, specify T in the DB2 start field.
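The following SQL is an added example, not taken from the Db2 Admin Tool or its documentation. It shows the catalog row that corresponds to the TEST6 values on the Insert/Update Audit Policies panel, followed by a review query and the tamper-proof setting from the tip. The mapping of panel fields to SYSIBM.SYSAUDITPOLICIES columns is an assumption, and the statements the tool itself issues may differ.

```sql
-- Added example. Values mirror the TEST6 entry shown on the ADBPZAPU panel.
-- Assumption: each panel field maps to the catalog column named here;
-- category columns that are not listed stay blank (audit none).
INSERT INTO SYSIBM.SYSAUDITPOLICIES
       (AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE,
        EXECUTE, DB2START)
VALUES ('TEST6', 'TS5764', 'ADBCHGT', 'T',
        'C', 'Y');

-- Review: list every policy that is not tamper-proof (DB2START <> 'T'),
-- with its audited categories, most recently altered rows first.
SELECT AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE,
       CHECKING, VALIDATE, OBJMAINT, EXECUTE, CONTEXT, SECMAINT,
       SYSADMIN, DBADMIN, DBNAME, COLLID,
       DB2START, CREATEDTS, ALTEREDTS
  FROM SYSIBM.SYSAUDITPOLICIES
 WHERE DB2START <> 'T'
 ORDER BY ALTEREDTS DESC;

-- Db2 12 function level 509 or higher: mark the policy tamper-proof,
-- the same effect as entering T in the DB2 start field of the panel.
UPDATE SYSIBM.SYSAUDITPOLICIES
   SET DB2START = 'T'
 WHERE AUDITPOLICYNAME = 'TEST6';
```

Running the review query on a schedule and comparing ALTEREDTS against approved change windows gives a simple check for unexpected edits to the audit configuration.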