Audit facility tips and techniques
Best practices for managing your audit include regularly archiving the audit log, using the error type AUDIT when you create an audit policy, and other tips as described here.
Archiving the audit log
You should archive the audit log on a regular basis. Archiving the audit log moves the current audit log to an archive directory while the server begins writing to a new, active audit log. The name of each archived log file includes a timestamp that helps you identify log files of interest for later analysis.
For long-term storage, you might want to compress groups of archived files.
For archived audit logs that you are no longer interested in, the instance owner can simply delete the files from the operating system.
Error handling
When you create an audit policy, you should use the error type AUDIT, unless you are just creating a test audit policy. For example, if the error type is set to AUDIT, and an error occurs, such as running out of disk space, then an error is returned. The error condition must be corrected before any more auditable actions can continue. However, if the error type was set to NORMAL, the logging would simply fail and no error is returned to the user. Operation continues as if the error did not happen.
If a problem occurs during archive, such as running out of disk space in the archive path, or the archive path does not exist, the archive process fails and an interim log file with the file extension .bk is generated in the audit log data path, for example, db2audit.instance.log.0.20070508172043640941.bk. After the problem is resolved (by allocating sufficient disk space in the archive path, or by creating the archive path) you must move this interim log to the archive path. Then, you can treat it in the same way as a successfully archived log.
DDL statement restrictions
Some data definition language (DDL) statements, called AUDIT exclusive SQL statements, do not take effect until the next unit of work. Therefore, you are advised to use a COMMIT statement immediately after each of these statements.
- AUDIT
- CREATE AUDIT POLICY, ALTER AUDIT POLICY, and DROP AUDIT POLICY
- DROP ROLE and DROP TRUSTED CONTEXT, if the role or trusted context being dropped is associated with an audit policy
Table format for holding archived data might change
The security administrator can use the SYSPROC.AUDIT_DEL_EXTRACT stored procedure, or the system administrator can use the db2audit extract command, to extract audit records from the archived audit log files into delimited files. You can load the audit data from the delimited files into Db2® database tables for analysis. The format of the tables you need to create to hold the audit data might change from release to release.
Using CHECKING events
In most cases, when
working with CHECKING events, the object type field in the audit record
is the object being checked to see if the required privilege or authority
is held by the user ID attempting to access the object. For example,
if a user attempts to ALTER a table by adding a column, then the CHECKING
event audit record indicates the access attempted was ALTER
and
the object type being checked was TABLE
(not the column, because
it is table privileges that are checked).
However, when the checking involves verifying if a database authority exists to allow a user ID to CREATE or BIND an object, or to DROP an object, then although there is a check against the database, the object type field will specify the object being created, bound, or dropped (rather than the database itself).
When creating an index on a table,
the privilege to create an index is required, therefore the CHECKING
event audit record has an access attempt type of index
rather
than create
.
Audit records created for binding a package
When binding a package that already exists, then an OBJMAINT event audit record is created for the DROP of the package and then another OBJMAINT event audit record is created for the CREATE of the new copy of the package.
Using CONTEXT event information after ROLLBACK
Data Definition Language (DDL) might generate OBJMAINT or SECMAINT events that are logged as successful. It is possible however that following the logging of the event, a subsequent error might cause a ROLLBACK to occur. This would leave the object as not created; or the GRANT or REVOKE actions as incomplete. The use of CONTEXT events becomes important in this case. Such CONTEXT event audit records, especially the statement that ends the event, indicates the nature of the completion of the attempted operation.
The load delimiter
When extracting audit records in a delimited format suitable for loading into a Db2 database table, you should be clear regarding the delimiter used within the statement text field. This can be done when extracting the delimited file, using:
db2audit extract delasc delimiter load_delimiter
The load
_delimiter can be a single character (such as ") or a four-byte
string representing a hexadecimal value (such as 0x3b
).
Examples of valid commands are:
db2audit extract delasc
db2audit extract delasc delimiter !
db2audit extract delasc delimiter 0x3b
If you have
used anything other than the default load delimiter as the delimiter
when extracting, you should use the MODIFIED BY option
on the LOAD command. A partial example of the LOAD command
with 0x3b
used
as the delimiter follows:
db2 load from context.del of del modified by chardel0x3b replace into ...
This overrides the default load character string delimiter which is " (double quote).