DB2X-00-001000 - DB2 must initiate session auditing upon startup - SYSADMIN

Information

Session auditing is for use when a user's activities are under investigation. To be sure of capturing all activity during those periods when session auditing is in use, it needs to be in operation for the whole time the DBMS is running.

Solution

Define an audit policy using the CREATE AUDIT POLICY SQL statement:
DB2> CREATE AUDIT POLICY <user audit policy name>
CATEGORIES AUDIT STATUS BOTH, CHECKING STATUS BOTH, CONTEXT STATUS BOTH, EXECUTE WITH DATA STATUS BOTH, OBJMAINT STATUS BOTH, SECMAINT STATUS BOTH, SYSADMIN STATUS BOTH, VALIDATE STATUS BOTH ERROR TYPE AUDIT

To modify an existing audit policy, replace 'CREATE' with 'ALTER' in the preceding statement. Only the categories explicitly named in the statement will be affected. When ALTER is used, the changes take effect immediately.

If CREATE was used above, apply the correct audit policy to either the database as a whole or to the specific user using one of these two statements:
DB2> AUDIT DATABASE USING POLICY <user audit policy name>
Or
DB2> AUDIT USER <user name> USING POLICY <user audit policy name>

Note: This requirement is to audit suspicious user activity. To audit a specific user's session activity, use the AUDIT USER statement after the policy has been created. To audit at the general database level, use the AUDIT DATABASE statement.
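
The following is an added example, not part of the STIG text: it fills in the statements above with constructed names (policy STIG_SESSION_AUDIT, user APPUSER1) and then queries the catalog to confirm the result. The SYSCAT.AUDITPOLICIES and SYSCAT.AUDITUSE column names and status codes are taken from the DB2 LUW catalog views and should be checked against the installed version.

```sql
-- STIG_SESSION_AUDIT and APPUSER1 are constructed placeholder names.

-- 1. Create the policy with every category set to BOTH, as in the fix text.
CREATE AUDIT POLICY STIG_SESSION_AUDIT
  CATEGORIES AUDIT STATUS BOTH,
             CHECKING STATUS BOTH,
             CONTEXT STATUS BOTH,
             EXECUTE WITH DATA STATUS BOTH,
             OBJMAINT STATUS BOTH,
             SECMAINT STATUS BOTH,
             SYSADMIN STATUS BOTH,
             VALIDATE STATUS BOTH
  ERROR TYPE AUDIT;

-- 2. Apply it: database-wide, or to one user under investigation.
AUDIT DATABASE USING POLICY STIG_SESSION_AUDIT;
AUDIT USER APPUSER1 USING POLICY STIG_SESSION_AUDIT;

-- 3. List policies that fall short of the settings above.
--    Status columns hold B (both), S (success), F (failure) or N (none);
--    ERRORTYPE holds A (audit) or N (normal).
SELECT AUDITPOLICYNAME, AUDITSTATUS, CHECKINGSTATUS, CONTEXTSTATUS,
       EXECUTESTATUS, EXECUTEWITHDATA, OBJMAINTSTATUS, SECMAINTSTATUS,
       SYSADMINSTATUS, VALIDATESTATUS, ERRORTYPE
  FROM SYSCAT.AUDITPOLICIES
 WHERE AUDITSTATUS     <> 'B' OR CHECKINGSTATUS  <> 'B'
    OR CONTEXTSTATUS   <> 'B' OR EXECUTESTATUS   <> 'B'
    OR EXECUTEWITHDATA <> 'Y' OR OBJMAINTSTATUS  <> 'B'
    OR SECMAINTSTATUS  <> 'B' OR SYSADMINSTATUS  <> 'B'
    OR VALIDATESTATUS  <> 'B' OR ERRORTYPE       <> 'A';

-- 4. Show where each policy is attached. OBJECTTYPE is blank for the
--    database and 'i' for an authorization ID (SUBOBJECTTYPE 'U' = user).
SELECT AUDITPOLICYNAME, OBJECTTYPE, SUBOBJECTTYPE, OBJECTNAME
  FROM SYSCAT.AUDITUSE
 WHERE OBJECTTYPE IN (' ', 'i')
 ORDER BY AUDITPOLICYNAME, OBJECTTYPE;
```

Because the association made by AUDIT DATABASE or AUDIT USER is stored in the catalog, query 4 is also a quick way to confirm after a restart that the policy is still attached.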

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_DB2_V10-5_LUW_V2R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-14(1), CAT|II, CCI|CCI-001464, Rule-ID|SV-213678r879562_rule, STIG-ID|DB2X-00-001000, STIG-Legacy|SV-89119, STIG-Legacy|V-74445, Vuln-ID|V-213678

Plugin: IBM_DB2DB

Control ID: f89cec166731b97536ac670c345505a0425a1084e911d8b7df27d3c9567ba142