RLam wrote:
> hi db2 gurus, after reading up on
> http://www.databasejournal.com/features/db2/article.php/3438801, I would
> like to get some input on "how" to develop a security policy.
That's a nice overview of the audit facility in db2. But also take a
look at the audit chapter in the db2 implementation guide. It's about
30 pages of pretty straight-forward info.
> I believe enabling every option below will give the most complete audit
> trail, however, it likely comes with a huge price tag on performance.
> Do you implement db2audit? Why is it important? What does it do? Which
> option is a must? Will performance be affected if db2audit is enabled?
First off, keep in mind that the audit facility can generate an enormous
volume of hard to decipher info. My inclination is to only audit
objmaint, secmaint, or sysadmin events: with the intention of
potentially catching a record of a malicious attack on the database via
a privileged id.
I would only go into a deeper level than that if absolutely required for
the application.
But there are quite a few other things that I would do as well: the
audit facility is just a small part of a security policy. Take a look
at things like:
- which users are allowed which authorities - and are they justified
- which users are allowed which privileges
- is there a written record of the application & approval of the
authorities & privs?
- are authorities & privs revalidated annually?
- is there an annual audit of database security?
- who is allowed access to database containers, backups, logs, etc -
even read access should be restricted to dba authorities. Note
that it's easy to accidentally create files wide open to universal
reading...
- are there users in the database that aren't on the OS? this could
allow a new user to inherit old privs...
- how are users authenticated? server-encrypt is much better than
client-side authentication...
- etc, etc, etc
The ideal scenario is that you run a security health-checking tool for
your database every month, if not every day. I wrote one in python that
we're now scheduling to run constantly - looking for any violations.
It's a bit of a pain to spend the time doing this (took a couple of
days), but it also checks for violations of our standards. In the end it
actually saves you time. And there may be some commercial products out
there that can do the same.
ken farmer
DB2 & UDB email list listserv db2-l LazyDBA home page
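An added example of the kind of scheduled health check the reply describes (this is not Ken's tool or any DB2 product code). It assumes a POSIX file system and that the grantee rows were fetched beforehand with a query such as `SELECT GRANTEE, DBADMAUTH FROM SYSCAT.DBAUTH`; the rows, OS user list and files below are constructed for the demo.

```python
import os
import stat
import tempfile

# Constructed rows in the shape of (GRANTEE, DBADMAUTH) from SYSCAT.DBAUTH.
SAMPLE_DBAUTH = [
    ("DB2INST1", "Y"),
    ("APPUSER", "N"),
    ("OLDDEV", "Y"),      # holds DBADM but no longer has an OS account
]
# Constructed OS account list (on a real host: pwd.getpwall() or /etc/passwd).
SAMPLE_OS_USERS = {"db2inst1", "appuser", "root"}
# Constructed list of ids with a written, approved DBADM request on file.
SAMPLE_APPROVED_DBADM = {"DB2INST1"}


def orphaned_grantees(dbauth_rows, os_users):
    """Grantees holding database authorities with no matching OS account.
    A new OS user created with such a name would silently inherit the old grants."""
    known = {u.lower() for u in os_users}
    return sorted(g for g, _ in dbauth_rows if g.lower() not in known)


def unapproved_dbadm(dbauth_rows, approved):
    """Grantees with DBADM whose grant has no approval record."""
    return sorted(g for g, dbadm in dbauth_rows if dbadm == "Y" and g not in approved)


def world_readable(paths):
    """Files whose mode grants read to 'others' (o+r), e.g. backups or logs."""
    return sorted(p for p in paths if os.stat(p).st_mode & stat.S_IROTH)


def demo_permission_check():
    """Build two throwaway files, one private (0640) and one world-readable (0644),
    and return the basenames the check flags."""
    with tempfile.TemporaryDirectory() as d:
        private = os.path.join(d, "S0000001.LOG")   # constructed log-file name
        exposed = os.path.join(d, "BACKUP.001")     # constructed backup-file name
        for path, mode in ((private, 0o640), (exposed, 0o644)):
            open(path, "w").close()
            os.chmod(path, mode)
        return [os.path.basename(p) for p in world_readable([private, exposed])]


if __name__ == "__main__":
    print("orphaned grantees:", orphaned_grantees(SAMPLE_DBAUTH, SAMPLE_OS_USERS))
    print("unapproved DBADM:", unapproved_dbadm(SAMPLE_DBAUTH, SAMPLE_APPROVED_DBADM))
    print("world-readable files:", demo_permission_check())
```

Each check returns a list of violations, so a scheduler can treat a non-empty result as a standards violation to report.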