Managing audit policies

A Db2 audit policy is a set of criteria that determines the categories to be audited.

To manage audit policies:

1. On the DB2 Administration Menu (ADB2) panel, specify option Z, and press Enter.
2. On the System Administration (ADB2Z) panel, specify option AP, and press Enter.
   The Manage Audit Policies (ADBPZAP) panel displays the audit policies that are stored in SYSAUDITPOLICIES:

   ADBPZAP n ---------- DC1A Manage Audit Policies ------------ Row 1 to 11 of 11 
                                                                                  
   Line commands:                                                                 
    I - Interpret   U - Update   INS - Insert   D - Delete   S - Show object      
                                                                                  
                Object   Object     C V O E C S                                 D 
   Sel Name     Name     Schema   T H A M X O M SYSAD DBADM Database Collection S 
       *        *        *        * * * * * * * *     *     *        *          * 
   --- -------- -------- -------- - - - - - - - ----- ----- -------- ---------- - 
       TEST1    ADBCHGT           T A A                                         T 
       TEST2    ADBCHGT           T A                                           S 
       TEST3    ADBCHGT           T A                                           Y 
       TEST4    ADBCHGT           T   A                                         Y 
       TEST5    ADBCHGT  TS5764   T     A                                       Y 
       TEST6    ADBCHGT  TS5764   T       C                                     Y 
       TEST7    ADBCHGT           T         A                                   Y 
       TEST8    ADBCHGT  TS5764   T           A                                 Y 
       TEST9    ADBCHGT  TS5764   T             R                               Y 
       TEST10   ADBCHGT  TS5764   T                   T                         Y 
       TEST11   ADBCHGT  TS5764   T A A A C     *     P                         Y 
   ******************************* END OF DB2 DATA *******************************

3. Use the line commands on the Manage Audit Policies (ADBPZAP) panel to view, add, and update any audit policies as needed:
   • If you view a policy (by using the I line command), the Interpretation of an Object in SYSAUDITPOLICIES (ADBPZAPI) panel displays the policy details:

     ADBPZAPI  ----- DC1A Interpretation of an Object in SYSAUDITPOLICIES ---- 16:52
     Option ===>       
     
     Details for Audit Policy: TST1                                                 
                                                                                    
     Object Schema  :                                                               
     Object Name  . :                                                               
     Object Type  . :                                                               
     Checking . . . : A - Audit all authorization and authentication failures       
     Validate . . . : blank - Audit none                                            
     Object Maint . : blank - Audit none                                            
     Execute  . . . : blank - Audit none                                            
     Context  . . . : blank - Audit none                                            
     Security Maint : blank - Audit none                                            
     System Admin . : blank - Audit none                                            
     DB Admin . . . : blank - Audit none                                            
     Database name  :                                                               
     Collection ID  :                                                               
     DB2 start  . . : N - Do not start automatically 
     Created TS . . : 2021-05-05-16.51.23.156304
     Altered TS . . : 2021-05-05-16.51.23.156304

   • If you insert a new policy (with the INS line command) or update a policy (with the U line command), the Insert/Update Audit Policies (ADBPZAPU) panel is displayed:

     ADBPZAPU  -------------- DC1A Insert/Update Audit Policies -------------- 11:3
     Command ===>                                                                  
                                                                                   
     Enter Audit policy details:                                                   
                                                                                   
     Audit name  . . . TEST6    >  (? to lookup)                                   
     Object schema . . TS5764      (Optional)                                      
     Object name . . . ADBCHGT  >  (? to lookup)                                   
     Object type . . . T           (C, P, T or blank)                              
                                                                                   
     Categories:                                                                   
        Checking . . .             (A or blank)                                    
        Validate . . .             (A or blank)                                    
        Objmaint . . .             (A or blank)                                    
        Execute  . . . C           (A, C or blank)                                 
        Context  . . .             (A or blank)                                    
        Secmaint . . .             (A or blank)                                    
        Sysadmin . . .             (I, L, O, R, S, * or blank)                     
        Dbadmin  . . .             (B, C, D, E, G, K, M, P, T, * or blank)         
                                                                                   
     DB name . . . . .          >  (? to lookup)                                   
     Collection ID . .          >  (? to lookup)                                   
     DB2 start . . . . Y           (Y, S, T or N)                                  

     On this panel, enter the values that you want inserted or updated in the SYSAUDITPOLICIES table and press Enter.

     Tip: For Db2 12 function level 509 or higher, you can create a tamper-proof audit policy, which requires special authorization to modify or stop. To create such a policy, specify T in the DB2 start field.