IBM Support

Using DB2audit command to only audit System Administration (SYSADMIN) activities.

Technote (troubleshooting)


Problem(Abstract)

How do I set up DB2audit to only audit sysadmin activities?

Resolving the problem

Here are the steps you need to take in order to set up db2audit so that it records only SYSADMIN activities:

1.) Connect to your database

   db2 CONNECT TO SAMPLE

2.) To configure db2audit to record only system administrator events, run the following command:

    db2audit configure scope sysadmin status both

3.) To confirm that db2audit now logs the intended event types, run the following command:
    db2audit describe
    DB2 AUDIT SETTINGS:

    Audit active: "TRUE "
    Log audit events: "FAILURE"
    Log checking events: "FAILURE"
    Log object maintenance events: "FAILURE"
    Log security maintenance events: "FAILURE"
    Log system administrator events: "BOTH"
    Log validate events: "FAILURE"
    Log context events: "NONE"
    Return SQLCA on audit error: "FALSE "
    Audit Data Path: ""
    Audit Archive Path: ""

    AUD0000I Operation succeeded.
Because the system administrator event class was set to "BOTH", db2audit will record both failed and successful operations that require SYSADMIN authority.

4.) To start db2audit run:
    db2audit start

5.) Then perform an action that requires SYSADMIN authority, for example:
    db2 update dbm cfg using svcename 50002

6.) Before reviewing the events that db2audit has collected, the in-memory buffer must be flushed to the log. To do so, run:
    db2audit flush

7.) Then db2audit will need to be stopped by running:
    db2audit stop

8.) The data will need to be archived by running:

    db2audit archive to /home/db2inst

    Node     AUD      Archived or Interim Log File                       Message
    -------- -------- ---------------------------------------------------
    0        AUD0000I db2audit.instance.log.0.20110203191349

9.) Then take the archive file name reported above and run the command below:
    db2audit extract delasc to /home/db2inst from files /home/db2inst/db2audit.instance.log.0.20110203191349

10.) The resulting audit.out is then ready for viewing, for example:

    timestamp=2011-02-03-18.38.47.688491;category=SYSADMIN;audit event=UPDATE_DBM_CFG;
    event correlator=0;event status=0;userid=db2inst;authid=DB2inst;
    origin node=0;coordinator node=0;application id=*LOCAL_APPLICATION;
    application name=db2flacc;

    timestamp=2011-02-03-18.38.47.688499;category=SYSADMIN;audit event=START_DB2;
    event correlator=0;event status=-1026;userid=db2inst;authid=DB2inst;
    origin node=0;coordinator node=0;application id=*LOCAL_APPLICATION;
    application name=db2start;
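Reading audit.out by hand does not scale once the instance has been running for a while. The following Python script is an added example (it is not part of this technote and not DB2 product code): it parses the "key=value;" records that db2audit extract delasc produces and counts successful versus failed SYSADMIN events, so a failed START_DB2 (non-zero event status) stands out from routine configuration changes. The sample records embedded in it are constructed from the output shown above.

```python
"""Summarise db2audit delasc output (audit.out) by SYSADMIN event and status."""
from collections import defaultdict

# Constructed sample in the layout shown above: records separated by a blank
# line, each made of "key=value;" fields. Not captured from a real instance.
SAMPLE_AUDIT_OUT = """\
timestamp=2011-02-03-18.38.47.688491;category=SYSADMIN;audit event=UPDATE_DBM_CFG;
event correlator=0;event status=0;userid=db2inst;authid=DB2inst;
origin node=0;coordinator node=0;application id=*LOCAL_APPLICATION;
application name=db2flacc;

timestamp=2011-02-03-18.38.47.688499;category=SYSADMIN;audit event=START_DB2;
event correlator=0;event status=-1026;userid=db2inst;authid=DB2inst;
origin node=0;coordinator node=0;application id=*LOCAL_APPLICATION;
application name=db2start;
"""


def parse_records(text):
    """Return one dict per audit record; a blank line (or EOF) ends a record."""
    records, current = [], []
    for line in text.splitlines() + [""]:
        if line.strip():
            current.append(line.strip())
            continue
        if current:
            fields = {}
            # Fields may wrap across lines, so rejoin before splitting on ";".
            for item in " ".join(current).split(";"):
                if "=" in item:
                    key, _, value = item.partition("=")
                    fields[key.strip()] = value.strip()
            records.append(fields)
            current = []
    return records


def summarise_sysadmin(records):
    """Count successes (event status 0) and failures per SYSADMIN audit event."""
    counts = defaultdict(lambda: {"ok": 0, "failed": 0})
    for rec in records:
        if rec.get("category") != "SYSADMIN":
            continue
        status = int(rec.get("event status", "0"))
        counts[rec["audit event"]]["ok" if status == 0 else "failed"] += 1
    return dict(counts)


if __name__ == "__main__":
    for event, c in summarise_sysadmin(parse_records(SAMPLE_AUDIT_OUT)).items():
        print(f"{event}: {c['ok']} succeeded, {c['failed']} failed")
```

Point SAMPLE_AUDIT_OUT at the contents of a real audit.out from step 9 to run it against your own extract.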

Related information

Introduction to DB2 audit facility
Audit Policy
Part 5: Understand the DB2 audit facility

Document information

More support for: DB2 for Linux, UNIX and Windows
Security / Plug-Ins - Auditor

Software version: 9.1, 9.5, 9.7

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1461792

Modified date: 23 February 2011