Creating and activating audit policies
With the SECADM authority, you can create, display, activate, or inactivate Db2 audit policies.
Before you begin
Obtain the SECADM authority if you do not have it. Alternately, you can have the SECADM authority grant you the required privileges to create an audit policy. 
This task always requires explicit SECADM authority regardless of the SEPARATE_SECURITY subsystem parameter setting. For more information, see Separating the SYSADM authority.
A user with the SYSOPR authority can activate the policy.
Procedure
To create and activate an audit policy:
- Create a new audit policy by issuing the INSERT statement.
You need to specify a name for the new audit policy. An audit policy name is an identifier that is 1 to 128 letters or digits in length, begins with a letter.
You also need to specify proper audit categories in the new audit policy. If you specify the OBJMAINT or EXECUTE category, you must also specify the OBJECTSCHEMA, OBJECTNAME, and OBJECTTYPE columns in the SYSIBM.SYSAUDITPOLICIES table that identify the table to be audited.
For example, if you want to create a new AUDITADMIN1 policy to audit the SYSADM authority, you can specify SYSADMIN as the category:
INSERT INTO SYSIBM.SYSAUDITPOLICIES(AUDITPOLICYNAME, SYSADMIN) VALUES('AUDITADMIN1','S');
You can also use the SQL LIKE predicate to audit tables of the same characteristics. For example, you can audit all tables that start with EMP in schema TSCHEMA by issuing the following INSERT statement:
INSERT INTO SYSIBM.SYSAUDITPOLICIES (AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE) VALUES('TEST2','TSCHEMA','''E_P%''','T','C');FL 509 To create a tamper-proof audit policy, which requires special authorization to modify or stop, set the DB2START column to T:
For more information on tamper-proof audit policies, see Updating tamper-proof audit policies.INSERT INTO SYSIBM.SYSAUDITPOLICIES (AUDITPOLICYNAME, CHECKING, SECMAINT, SYSADMIN, DB2START) VALUES('TAMPERPRFPOLICY01','A','A','I','T') - Activate the audit policy by issuing the START TRACE command with the AUDTPLCY option.
You need to specify the AUDTPLCY option on the command to enable a specific audit policy:
-STA TRACE (AUDIT) DEST (GTF) AUDTPLCY(AUDITADMIN1)
Recommendation: FL 509 Start all tamper-proof audit policies in one START TRACE command, which assigns them to one trace number. Doing so helps avoid the possibility of mismatching trace numbers among data sharing members if the SCOPE(GROUP) option is used to stop a tamper-proof audit policy.This command starts a trace for IFCID 361 to audit the use of the SYSADM authority. Db2 also starts an IFCID 362 trace record to trace the audit policy information as defined in the catalog. If multiple audit policies are specified to start at the same time, the IFCID 362 record is written for every audit policy specified and contains the information about whether the policies successfully started or failed.
Up to 32 audit policies can be active concurrently.
Depending on the categories in the audit policy, Db2 starts the associated audit trace records, one for each IFCID that is related to the specified audit category.
Db2 runs against the audit policies that are already defined in the SYSIBM.SYSAUDITPOLICIES table when you issue the START TRACE command; it ignores any change you make to a specific audit policy after you start the START TRACE command. If you want Db2 to run against the updated audit policy, you need to stop and then start the audit policy trace. In addition, you cannot specify the CLASS or IFCID option when you specify the AUDTPLCY option on the START TRACE command.
FL 509 If you prefer the audit policy to be automatically started, you need to set the DB2START column to Y, S, or T in the SYSIBM.SYSAUDITPOLICIES table. The audit policy will be started during Db2 startup. When you specify DB2START='S', only users (authorization IDs or roles) with the SECADM authority can stop the policy. When you specify DB2START ='T', only users with additional authorization in RACF® can modify or stop the policy. If you set DB2START = 'S' or 'T' to an audit policy that is already started, you must stop and restart the policy for the new setting to take effect.You can automatically start up to 8 audit policies during Db2 startup. If you specify to automatically start multiple audit policies with different DB2START column settings, Db2 will start two traces, one for policies with DB2START = 'Y' and the other for policies with DB2START = 'S'. If you need to stop any audit policy that is automatically started, you must simultaneously stop all the policies that are assigned the same trace number.
- If necessary, display the audit policy by issuing the DISPLAY
TRACE command.
You need to specify the AUDTPLCY option on the command to show the name and other details about the AUDITADMIN1 audit policy:
-DISPLAY TRACE (AUDIT) DETAIL(2) DEST (GTF) AUDTPLCY(AUDITADMIN1) The command returns an output like the following sample:
15.49.46 -DIS TRACE(AUDIT) DETAIL(2) 15.49.47 STC00125 DSNW143I - CURRENT TRACE QUALIFICATIONS ARE - 15.49.47 STC00125 DSNW152I - BEGIN TNO 04 QUALIFICATIONS: NO QUALIFICATIONS END TNO 04 QUALIFICATIONS 15.49.47 STC00125 DSNW185I - BEGIN TNO 04 AUDIT POLICIES: ACTIVE AUDIT POLICY: AUDITADMIN1 ACTIVE AUDIT POLICY: AUDITTABLE1 END TNO 04 AUDIT POLICIES 15.49.47 STC00125 DSNW148I - ******END OF DISPLAY TRACE QUALIFICATION DATA****** 15.49.47 STC00125 DSN9022I - DSNWVCM1 '-DIS TRACE' NORMAL COMPLETION - If necessary, disable the audit policy by issuing the STOP
TRACE command.
You need to specify the AUDTPLCY option on the command to stop all the trace activities that are started by a specific audit policy:
-STO TRACE (AUDIT) DEST (GTF) AUDTPLCY(AUDITADMIN1) Only the STOP TRACE command can stop all the trace activities that are started by a specific audit policy; deleting the active policy row from the SYSIBM.SYSAUDITPOLICIES table does not stop the tracing.