DB2 auditing principles
db2audit operates at the instance level: once the audit facility is activated, it audits the activity of every database under that instance. The audit facility has to be started and stopped explicitly, independently of the instance itself.
[Figure: the DB2 audit facility within the DB2 UDB architecture (diagram not reproduced)]
Audit option descriptions:
Audit option | Description
Log audit events: "FAILURE" | Records are generated when the audit settings are changed or when the audit log is accessed
Log checking events: "FAILURE" | Records are generated when an authorization check is made on an attempt to access or manipulate a DB2 object or function
Log object maintenance events: "FAILURE" | Records are generated when data objects are created or dropped
Log security maintenance events: "FAILURE" | Records are generated when object or database privileges, or DBADM authority, are granted or revoked
Log system administrator events: "FAILURE" | Records are generated when an operation requiring SYSADM, SYSMAINT or SYSCTRL authority is performed
Log validate events: "FAILURE" | Records are generated when users are authenticated or when security information is retrieved from the system
Log context events: "NONE" | Records are generated when a database operation is performed, so that the context of the operation can be shown
Audit Configuration
DB2 auditing is divided into instance level and database level. The examples usually found when searching online cover only instance-level auditing; below are configuration examples for both types.
Instance-level configuration
View it with db2audit describe:
SL1:/db2audit_arch # db2audit describe
DB2 AUDIT SETTINGS:
Audit active: "TRUE "
Log audit events: "NONE"
Log checking events: "FAILURE"
Log object maintenance events: "FAILURE"
Log security maintenance events: "FAILURE"
Log system administrator events: "FAILURE"
Log validate events: "FAILURE"
Log context events: "NONE"
Return SQLCA on audit error: "FALSE "
Audit Data Path: "/db2audit_arch/"
Audit Archive Path: "/db2audit_arch/"
AUD0000I Operation succeeded.
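A small checker for the output above, added here as an example (it is not part of the original post). It parses the `Label: "value"` lines of `db2audit describe` and lists the event categories whose status is NONE, which in this instance are the audit and context categories: with audit events unlogged, changes to the audit configuration itself leave no record, even though the option table above lists FAILURE for them. The sample text is copied from the page; the mapping from describe labels to `db2audit configure scope` keywords and the finding rules are this example's own convention.

```python
"""Parse `db2audit describe` output and flag categories that are not logged.

Added example, not from the original post. SAMPLE_DESCRIBE is the describe
output shown on the page; the label-to-scope mapping and the finding rules
are this example's own convention.
"""
import re

# `db2audit describe` output as printed on the page (constructed sample input).
SAMPLE_DESCRIBE = """\
DB2 AUDIT SETTINGS:
Audit active: "TRUE "
Log audit events: "NONE"
Log checking events: "FAILURE"
Log object maintenance events: "FAILURE"
Log security maintenance events: "FAILURE"
Log system administrator events: "FAILURE"
Log validate events: "FAILURE"
Log context events: "NONE"
Return SQLCA on audit error: "FALSE "
Audit Data Path: "/db2audit_arch/"
Audit Archive Path: "/db2audit_arch/"
AUD0000I Operation succeeded.
"""

# Describe labels mapped to the scope keywords used in
# `db2audit configure scope <keyword> status ...`.
CATEGORY_LABELS = {
    "Log audit events": "audit",
    "Log checking events": "checking",
    "Log object maintenance events": "objmaint",
    "Log security maintenance events": "secmaint",
    "Log system administrator events": "sysadmin",
    "Log validate events": "validate",
    "Log context events": "context",
}

# One setting line: a label, a colon, then a double-quoted value.
_LINE_RE = re.compile(r'^\s*([^:]+?):\s*"([^"]*)"\s*$')


def parse_describe(text):
    """Return {label: value} for every `Label: "value"` line.

    db2audit pads some values inside the quotes ("TRUE "), so values are stripped.
    """
    settings = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings


def unlogged_categories(settings):
    """Scope keywords whose event category is NONE, i.e. nothing is recorded."""
    return [kw for label, kw in CATEGORY_LABELS.items()
            if settings.get(label, "NONE").upper() == "NONE"]


def audit_findings(text):
    """Summarise what a reviewer would look at first in the describe output."""
    s = parse_describe(text)
    findings = []
    if s.get("Audit active", "FALSE").upper() != "TRUE":
        findings.append("audit facility is not active")
    for kw in unlogged_categories(s):
        findings.append("category %s is not logged (status NONE)" % kw)
    if s.get("Audit Data Path") == s.get("Audit Archive Path"):
        # Archives then fill the same directory as the active log, so both count
        # toward the directory-full condition the page warns about.
        findings.append("data path and archive path are the same directory")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_DESCRIBE):
        print("-", finding)
```

Feed it the live output with `db2audit describe | python3 check_audit.py` style plumbing, or compare the returned dictionary against a baseline to detect a setting being switched off between runs.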
Database-level configuration
View it by querying the syscat.auditpolicies catalog view:
Audit option | Value
AUDITPOLICYNAME | SAMPLEPOLICY
AUDITPOLICYID | 100
CREATE_TIME | 2016-03-03-11.08.34.117134
ALTER_TIME | 2016-03-15-10.35.45.099762
AUDITSTATUS | N
CONTEXTSTATUS | S
VALIDATESTATUS | N
CHECKINGSTATUS | N
SECMAINTSTATUS | N
OBJMAINTSTATUS | N
SYSADMINSTATUS | N
EXECUTESTATUS | N
EXECUTEWITHDATA | N
ERRORTYPE | A
REMARKS | -
Audit log directory
The database audit log is written directly to the /db2audit_arch directory. When that directory is full, no further audit records are written and the database can no longer be used normally.
/dev/aduitarch 40.00 34.51 14% 22 1% /db2audit_arch
Audit job schedule
Usually we write a script and run it as a scheduled task to manage the audit logs: archiving, extraction, storage and so on. The schedule of the task can be configured to suit the actual environment.
50 * * * * /db2archive/db2inst1/SAMPLE/NODE0000/_db2audit/mkaudit_SQL.sh &
Audit task execution
When the scheduled script is invoked, it broadly performs the following steps:
A. Flush the audit buffer to the audit file;
B. Archive the database-level audit log;
C. Convert the audit log from binary format into a readable format;
D. Store the audit records as saved files, or upload them to the audit department;
E. Periodically clean up the audit files;
F. Periodically clean up the audit records in the database.
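Steps A to C as one routine, added here as an example; it is not the post's own mkaudit_SQL.sh. The db2audit commands it issues (`flush`, `archive database`, `extract delasc ... from files`) are the ones the page describes, and the default directories are the page's. The `runner` and `listdir` hooks and the fail-closed behaviour are this example's own design, so the cycle can be rehearsed without a DB2 instance; the storage step D is left to the caller because it is site specific.

```python
"""Steps A to C of the scheduled audit job as one Python routine.

Added example, not the post's own mkaudit_SQL.sh. The db2audit commands are
the ones the page names; default paths are the page's; `runner`, `listdir`
and the stop-on-first-failure rule are this example's assumptions.
"""
import os
import re
import subprocess


def _archive_pattern(db_name):
    """Archives written by `db2audit archive database <DB>` are named
    db2audit.db.<DB>.log.<node>.<YYYYMMDDhhmmss> (see the listing on the page)."""
    return re.compile(r"^db2audit\.db\.%s\.log\.\d+\.\d{14}$" % re.escape(db_name))


def db2audit(args, runner):
    """Issue one db2audit command and abort the cycle on the first non-zero
    return code, so nothing is cleaned up before it has been archived and extracted."""
    cmd = ["db2audit"] + list(args)
    rc = runner(cmd)
    if rc != 0:
        raise RuntimeError("%s failed with rc=%s" % (" ".join(cmd), rc))
    return cmd


def audit_cycle(db_name, archive_dir="/db2audit_arch",
                delasc_dir="/db2archive/db2inst1/SAMPLE/NODE0000/_db2audit",
                runner=subprocess.call, listdir=os.listdir):
    """Flush, archive and extract the database-level audit log.

    Returns the commands issued, in order, for the job's own log.
    """
    pattern = _archive_pattern(db_name)
    before = {n for n in listdir(archive_dir) if pattern.match(n)}
    issued = []
    # A. flush buffered audit records to the active log file
    issued.append(db2audit(["flush"], runner))
    # B. archive the database-level log into the archive path
    issued.append(db2audit(["archive", "database", db_name], runner))
    # C. convert only the archives created by this run from binary to .del text;
    #    extract writes <category>.del files plus auditlobs into delasc_dir
    new_archives = sorted(n for n in listdir(archive_dir)
                          if pattern.match(n) and n not in before)
    for name in new_archives:
        issued.append(db2audit(["extract", "delasc", "to", delasc_dir,
                                "from", "files", os.path.join(archive_dir, name)],
                               runner))
    # D. moving the .del files to long-term storage is site specific: caller's job
    return issued


if __name__ == "__main__":
    for cmd in audit_cycle("SAMPLE"):
        print("ran:", " ".join(cmd))
```

Because `audit_cycle` only extracts archives that did not exist before the `archive database` step, a re-run after a partial failure does not re-extract old archives, and an extract failure stops the job before any cleanup step gets a chance to run.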
Audit file retention period
The retention period for audit logs is usually 1 to 3 years. Deploy a periodic cleanup script according to the requirements.
The original local audit files are stored in /db2audit_arch.
/dev/aduitarch 40.00 34.51 14% 22 1% /db2audit_arch
SL1:/db2audit_arch # ls -rlt
total 11510256
-rw------- 1 db2inst1 db2grp 53852001 Jun 27 17:50 db2audit.db.SAMPLE.log.0.20170627175001
-rw------- 1 db2inst1 db2grp 71379624 Jun 27 19:50 db2audit.db.SAMPLE.log.0.20170627195001
-rw------- 1 db2inst1 db2grp 96795801 Jun 27 23:50 db2audit.db.SAMPLE.log.0.20170627235001
-rw------- 1 db2inst1 db2grp 4369101512 Jun 28 03:50 db2audit.db.SAMPLE.log.0.20170628035001
-rw------- 1 db2inst1 db2grp 82103216 Jun 28 07:50 db2audit.db.SAMPLE.log.0.20170628075000
-rw------- 1 db2inst1 db2grp 141386477 Jun 28 11:50 db2audit.db.SAMPLE.log.0.20170628115001
-rw------- 1 db2inst1 db2grp 611120029 Jun 28 15:45 db2audit.instance.log.0
-rw------- 1 db2inst1 db2grp 197411690 Jun 28 15:50 db2audit.db.SAMPLE.log.0.20170628155001
-rw------- 1 db2inst1 db2grp 4637688 Jun 28 15:54 db2audit.db.SAMPLE.log.0
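The two checks the last sections call for, added here as an example (not from the original post): an alarm on the audit filesystem's %Used, since a full directory stops auditing and blocks the database, and selection of archived files past their retention period. Retention is decided from the YYYYMMDDhhmmss suffix that db2audit puts in the archive name, so the active logs without a suffix (db2audit.instance.log.0, db2audit.db.SAMPLE.log.0) are never candidates. The `df` line and `ls -rlt` listing are the ones shown on the page; the 80% threshold, the seven-column df layout assumed (Filesystem, GB blocks, Free, %Used, Iused, %Iused, Mounted on) and the reference date are this example's choices.

```python
"""Audit directory usage alarm and retention selection for DB2 audit archives.

Added example, not from the original post. SAMPLE_DF and SAMPLE_LS are the
page's own output; threshold, retention and reference date are assumptions.
"""
import re
from datetime import datetime, timedelta

# df line for the audit filesystem as printed on the page (constructed sample).
# Columns assumed: Filesystem, GB blocks, Free, %Used, Iused, %Iused, Mounted on.
SAMPLE_DF = "/dev/aduitarch 40.00 34.51 14% 22 1% /db2audit_arch"

# `ls -rlt` of /db2audit_arch as printed on the page (constructed sample).
SAMPLE_LS = """\
total 11510256
-rw------- 1 db2inst1 db2grp 53852001 Jun 27 17:50 db2audit.db.SAMPLE.log.0.20170627175001
-rw------- 1 db2inst1 db2grp 71379624 Jun 27 19:50 db2audit.db.SAMPLE.log.0.20170627195001
-rw------- 1 db2inst1 db2grp 96795801 Jun 27 23:50 db2audit.db.SAMPLE.log.0.20170627235001
-rw------- 1 db2inst1 db2grp 4369101512 Jun 28 03:50 db2audit.db.SAMPLE.log.0.20170628035001
-rw------- 1 db2inst1 db2grp 82103216 Jun 28 07:50 db2audit.db.SAMPLE.log.0.20170628075000
-rw------- 1 db2inst1 db2grp 141386477 Jun 28 11:50 db2audit.db.SAMPLE.log.0.20170628115001
-rw------- 1 db2inst1 db2grp 611120029 Jun 28 15:45 db2audit.instance.log.0
-rw------- 1 db2inst1 db2grp 197411690 Jun 28 15:50 db2audit.db.SAMPLE.log.0.20170628155001
-rw------- 1 db2inst1 db2grp 4637688 Jun 28 15:54 db2audit.db.SAMPLE.log.0
"""

# Archived logs carry the archive time: db2audit.(db.<DB>|instance).log.<node>.<YYYYMMDDhhmmss>.
_ARCHIVE_RE = re.compile(r"^db2audit\.(?:db\.[^.]+|instance)\.log\.\d+\.(\d{14})$")


def percent_used(df_line):
    """Extract %Used (4th column in the layout above) as an int."""
    fields = df_line.split()
    if len(fields) < 7 or not fields[3].endswith("%"):
        raise ValueError("unexpected df layout: %r" % df_line)
    return int(fields[3].rstrip("%"))


def directory_alarm(df_line, threshold=80):
    """True when usage has reached the threshold; the page warns that a full
    audit directory stops logging and blocks normal database use."""
    return percent_used(df_line) >= threshold


def archive_timestamp(name):
    """Archive time parsed from a db2audit file name, or None for an active log."""
    m = _ARCHIVE_RE.match(name)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S") if m else None


def expired_archives(ls_output, now_yyyymmdd, retention_days):
    """Names of archived audit files older than retention_days before now.

    Only timestamped archives are candidates; active logs are never returned.
    """
    cutoff = datetime.strptime(now_yyyymmdd, "%Y%m%d") - timedelta(days=retention_days)
    expired = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 9:  # skips the 'total' line
            continue
        name = fields[-1]
        ts = archive_timestamp(name)
        if ts is not None and ts < cutoff:
            expired.append(name)
    return expired


if __name__ == "__main__":
    print("usage %d%%, alarm=%s" % (percent_used(SAMPLE_DF), directory_alarm(SAMPLE_DF)))
    # A one-day retention and a 2017-06-29 reference date give a mixed result on
    # the sample; the page's real retention is 1 to 3 years.
    for name in expired_archives(SAMPLE_LS, "20170629", 1):
        print("expired:", name)
```

In production the `df` line and listing come from the live filesystem and `retention_days` is 365 to 1095; the cleanup step should delete only names returned here and only after the corresponding extract and storage steps have completed.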
The converted files are saved in /db2archive/db2inst1/SAMPLE/NODE0000/_db2audit.
SL1:/db2audit_arch # ls -rlt
total 11510256
drwxr-xr-x 2 db2inst1 db2grp 256 Mar 15 2016 lost+found
-rw-rw-rw- 1 db2inst1 db2grp 0 Jun 21 2016 validate.del
-rw-rw-rw- 1 db2inst1 db2grp 0 Jun 21 2016 sysadmin.del
-rw-rw-rw- 1 db2inst1 db2grp 0 Jun 21 2016 secmaint.del
-rw-rw-rw- 1 db2inst1 db2grp 0 Jun 21 2016 objmaint.del
-rw-rw-rw- 1 db2inst1 db2grp 0 Jun 21 2016 execute.del
-rw-rw-rw- 1 db2inst1 db2grp 0 Jun 21 2016 checking.del
-rw-rw-rw- 1 db2inst1 db2grp 0 Jun 21 2016 audit.del
-rw-rw-rw- 1 db2inst1 db2grp 186838785 Jun 02 17:28 context.del
-rw-rw-rw- 1 db2inst1 db2grp 78538009 Jun 02 17:28 auditlobs
How to enable
Enable/disable auditing
db2audit start/stop
Confirm whether the switch is on
db2inst1@s1l:~/audit_dump> db2audit describe|grep -i 'Audit active'
Audit active: "TRUE "
For instance-level auditing, change the corresponding option with db2audit to enable that audit category.
db2audit configure scope context status SUCCESS errortype normal
Database-level auditing is enabled with db2 audit database using.
db2 audit database using policy auditdb
Notes
After enabling auditing, be sure to monitor the usage of the audit directory; otherwise, once it fills up, database access is affected.
Archive instance-level auditing with "db2audit archive"; archive database-level auditing with "db2audit archive database dbname".