News
Abstract
This document provides details on which entries are monitored by the Guardium product.
Content
The Guardium product is intended to be used as a security auditing tool. Not all audit journal entries are sent to the IBM Security Guardium collector. The audit entries below are those that are available to be processed:
AD - Auditing change
AF - Authority failure
AX - Row and column access control
CA - Authority change
CD - Command string (Note: CD is not included in the default settings of filter_audit_entry_types)
CO - Create object
CP - User Profile changes
DO - Delete object
GR - General purpose audit record
OM - Object moved or renamed
PG - Primary group change
PW - Invalid password or user ID
OW - Change owner
OR - Object restored
RA - Restore authority change
RO - Restore owner change
RZ - Restore primary group change
SV - System value change
ZR - Read object
ZC - Change object
To ensure all of these entries are processed by Guardium, make sure all entries are listed in Filter audit entry types in the iSTAP configuration.
Example:
Filter audit entry types: AD AF CA CO CP DO GR OM OR OW PG PW RA RO RZ SV ZC ZR CD
iSTAP can further filter some of these entry types if you need it to. You cannot filter journal entries that are security-related. The following entries can NOT be filtered:
AD - A change was made to the auditing attribute
AF - All authority failures
AX - Row and column access control
CA - Changes to object authority (authorization list or object)
CP - Create, change, restore user profiles
GR - General purpose audit record
OR - Object restored
OW - Changes to object ownership
PG - Changes to an object's primary group
PW - Passwords used that are not valid
RA - Restore of objects when authority changes
RO - Restore of objects when ownership information changes
RZ - The primary group for an object was changed during a restore operation
SV - Changes to system values
The following are filtered by the User, Job or Table filters, unless they are for a *USRPRF object (all *USRPRF entries are sent):
Note: filtering audit journal entries by the User, Job or Table filter requires the following PTF levels:
7.2 SF99702 Level 9
7.1 SF99701 Level 38
CD - A change was made to a command string
CO - Create object
DO - All delete operations on the system
OM - Object management change
ZC - A change was made to object change access
ZR - A change was made to object read access
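A coverage check for the Filter audit entry types setting, as an added example that is not part of the original document or of the Guardium product. It assumes the value is a whitespace-separated list of codes as in the example above; the function name check_filter_setting and the constructed sample are hypothetical. Run against the example line on this page, it reports AX as not listed.

```python
# Added example: entry-type codes are copied from the lists on this page.
AVAILABLE = set("AD AF AX CA CD CO CP DO GR OM PG PW OW OR RA RO RZ SV ZR ZC".split())
# Security entries the page says can NOT be filtered further by iSTAP.
NOT_FILTERABLE = set("AD AF AX CA CP GR OR OW PG PW RA RO RZ SV".split())
# The rest are subject to the User, Job or Table filters (CD CO DO OM ZC ZR).
USER_JOB_TABLE_FILTERED = AVAILABLE - NOT_FILTERABLE


def check_filter_setting(line):
    """Compare a 'Filter audit entry types' value with the page's lists.

    Assumption: the value is a whitespace-separated list of two-letter
    codes, optionally prefixed with the setting name and a colon.
    """
    value = line.rpartition(":")[2]
    tokens = value.upper().split()
    configured = set(tokens)
    return {
        # Available entry types that are not listed in the setting.
        "missing": sorted(AVAILABLE - configured),
        # Subset of the above that are non-filterable security entries.
        "missing_not_filterable": sorted(NOT_FILTERABLE - configured),
        # Codes in the setting that the page does not list as available.
        "unknown": sorted(configured - AVAILABLE),
        "duplicates": sorted({t for t in tokens if tokens.count(t) > 1}),
        # Listed entries that User, Job or Table filters can still reduce.
        "user_job_table_filtered": sorted(configured & USER_JOB_TABLE_FILTERED),
    }


if __name__ == "__main__":
    page_example = ("Filter audit entry types: AD AF CA CO CP DO GR OM OR OW "
                    "PG PW RA RO RZ SV ZC ZR CD")
    constructed = "ad af af pw xx"  # constructed sample, not from the page
    for sample in (page_example, constructed):
        print(sample)
        for key, codes in check_filter_setting(sample).items():
            print(f"  {key}: {' '.join(codes) or '-'}")
```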
Some audit journal entries are associated with a specific object and some are not. Any journal entry that is associated with a specific object, regardless of its journal entry type, must be one of the following object types:
*FILE
*SQLUDT
*DTAARA
*PGM
*SRVPGM
*SQLPKG
*LIB
*USRPRF
Document Information
Modified date:
18 December 2019
UID
nas8N1021263