
db2talk

DB2 Linux, Unix and Windows Administration and Development
JUNE 2, 2014 BY PAVAN KRISTIPATI

How I can now answer auditors' questions: Leveraging DB2's Audit facility

Last week, I had a series of conversations with an internal auditor (at my work). I was asked a seemingly simple question: Is it possible to find out when (date and time) a database role was granted to a given user? At the time of the department's audit, we had not leveraged DB2's audit feature yet. However, I am now equipped to answer such questions in future. In this blog post, I show how DB2's audit facility (db2audit) could be leveraged to answer this question. Treat this as a proof of concept using a simple example.

My first step was to find out if DB2's catalog objects SYSCAT.ROLEAUTH or SYSIBM.SYSROLEAUTH have a grant_time type of column of timestamp datatype. My hope was based on the fact that there are create_time and alter_time columns in SYSCAT.TABLES. I quickly realized that catalog objects do not hold such information, so I started to pursue the db2audit route.

My experience with db2audit in this blog post is on DB2 10.1 fp2 on AIX 7.1.

High Level Steps:
From a high level, the process has 5 steps:

1) Configure data and archive paths for db2audit logs (one time)
2) Create tables to save audit data (one time)
3) Start db2audit, create an audit policy and activate the policy (one time for a specific type of policy)
4) Extract data from audit logs and dump it into the audit tables created in step 2 (ongoing)
5) Analyze data (ongoing)

Before you start:
As SYSADM, the describe option of db2audit summarizes the current settings of the db2audit facility.

$ db2audit describe
DB2 AUDIT SETTINGS:
Audit active: "FALSE"
Log audit events: "FAILURE"
Log checking events: "FAILURE"
Log object maintenance events: "FAILURE"
Log security maintenance events: "FAILURE"
Log system administrator events: "FAILURE"
Log validate events: "FAILURE"
Log context events: "NONE"
Return SQLCA on audit error: "FALSE"
Audit Data Path: ""
Audit Archive Path: ""
AUD0000I  Operation succeeded.

Audit active: FALSE simply states that DB2's audit feature is currently down. This is the default. As shown above, you would notice FAILURE or NONE or FALSE as the status for auditing on all events because nothing has been done yet. Please refer to this link (http://pic.dhe.ibm.com/infocenter/db2luw/v10r1/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.cmd.doc%2Fdoc%2Fr0002072.html) for further information about the db2audit command.

Step 1: Configure data and archive paths for db2audit logs
Pay attention to the NULL paths in the above output of db2audit describe. The goal is to set a path for both audit data and archive logs so that db2audit writes its logs to these paths.

$ db2audit configure scope audit status both archivepath /db2home/maint/db2audit_poc/db2audit_archive_logs
AUD0000I  Operation succeeded.
$ db2audit configure scope audit status both datapath /db2home/maint/db2audit_poc/db2audit_data_logs
AUD0000I  Operation succeeded.

If you rerun the db2audit describe command, you would notice that the paths are no longer NULL.

$ db2audit describe | grep Path
Audit Data Path: "/db2home/maint/db2audit_poc/db2audit_data_logs/"
Audit Archive Path: "/db2home/maint/db2audit_poc/db2audit_archive_logs/"

One point to note is that the full path must exist. In other words, the directory (or directories) has to be created before setting the paths. You would get an error similar to the one shown below if the path does not exist.

AUD0003N  I/O error on accessing "/db2home/maint/db2audit_poc/db2audit_archive_logs", make sure the directo
AUD0001N  Operation failed.

Step 2: Create tables to save audit data
DDL to create the audit tables is readily available when you install the DB2 software. It is located at <instance home>/sqllib/misc/db2audit.ddl, where <instance home> is the instance owner user ID's home directory. I copied this file to my working directory and added the following 2 lines to the top of the DDL:

CREATE SCHEMA AUDIT;
SET SCHEMA AUDIT;

I also modified the DDL to create the tables in a dedicated tablespace (AUDIT_TBSP) of 8K page size (because of wider rows, some of the rows in the audit tables would not fit in a 4K page, and so an attempt to create the audit tables in a 4K page size tablespace failed). Please note that in order to create an 8K page size tablespace, there has to be at least one bufferpool of at least 8K page size.
After making the above mentioned modifications, run the DDL as below:

db2 -tvf db2audit.ddl | tee db2audit.ddl.log

You should notice that 8 audit tables got created.

db2 "select char(tabschema,20) as schema, char(tabname,20) as table, tbspace from syscat.tables where ta
SCHEMA               TABLE                TBSPACE
-------------------- -------------------- ------------------
AUDIT                AUDIT                AUDIT_TBSP
AUDIT                CHECKING             AUDIT_TBSP
AUDIT                OBJMAINT             AUDIT_TBSP
AUDIT                SECMAINT             AUDIT_TBSP
AUDIT                SYSADMIN             AUDIT_TBSP
AUDIT                VALIDATE             AUDIT_TBSP
AUDIT                CONTEXT              AUDIT_TBSP
AUDIT                EXECUTE              AUDIT_TBSP

  8 record(s) selected.

Step 3: Start db2audit, create an audit policy and audit the database using the policy

$ db2audit start
AUD0000I  Operation succeeded.
$ db2audit describe | grep -i active
Audit active: "TRUE"

TRUE indicates that DB2's auditing facility is up and running.
Please note that the create audit policy command requires SECADM authority, which is granted to the instance owner by default.

$ db2 "create audit policy db_sample_secmaint_policy categories secmaint status both error type audit"
DB20000I  The SQL command completed successfully.
$ db2 "select char(AUDITPOLICYNAME,40) as POLICY_NAME, create_time from syscat.auditpolicies with ur"
POLICY_NAME                              CREATE_TIME
---------------------------------------- --------------------------
DB_SAMPLE_SECMAINT_POLICY                2014-05-30-15.02.45.819852

  1 record(s) selected.

db_sample_secmaint_policy is the policy name I chose. sample is the database name.
Our original goal was to keep track of and to document database permission changes. The category secmaint fits this requirement. There are various types of audit policies that could be created at database level using the create audit policy command. Please refer to http://pic.dhe.ibm.com/infocenter/db2luw/v10r1/index.jsp?topic=%2Fcom.ibm.db2.luw.sql.ref.doc%2Fdoc%2Fr0050607.html for more details.
The next step is to activate the policy. Here is how you do it:

db2 "audit database using policy DB_SAMPLE_SECMAINT_POLICY"
DB20000I  The SQL command completed successfully.
db2 "select char(AUDITPOLICYNAME,40) as POLICY_NAME, OBJECTTYPE from syscat.audituse"
POLICY_NAME                              OBJECTTYPE
---------------------------------------- ----------
DB_SAMPLE_SECMAINT_POLICY

  1 record(s) selected.

OBJECTTYPE in the above output is a blank space (white space). From the documentation on the view SYSCAT.AUDITUSE found at http://pic.dhe.ibm.com/infocenter/db2luw/v10r1/index.jsp?topic=%2Fcom.ibm.db2.luw.sql.ref.doc%2Fdoc%2Fr0050611.html, OBJECTTYPE would be blank for database level auditing.
For more clarity, the above SQL could be rewritten as shown below to check the status:

db2 "select char(AUDITPOLICYNAME,40) as POLICY_NAME, case OBJECTTYPE when ' ' then 'DATABASE' end OBJECTTY
POLICY_NAME                              OBJECTTYPE
---------------------------------------- ----------
DB_SAMPLE_SECMAINT_POLICY                DATABASE

  1 record(s) selected.

If you want to stop the auditing facility, here is how you do it:

$ db2audit stop
AUD0000I  Operation succeeded.
$ db2audit describe | grep -i active
Audit active: "FALSE"

Step 4: Extract data from audit logs and dump it into the audit tables created in step 2
Before we extract data from the db2audit facility, let us create a role and assign the role to a user so that db2audit can pick up this activity. Here is how to do it:

$ db2 "create role readonly"
DB20000I  The SQL command completed successfully.
$ db2 "grant role readonly to user xyz1"
DB20000I  The SQL command completed successfully.

Next steps are to force any pending audit records (using the 'flush' option) to be written to the audit log fo

In future blog posts, I will share how to automate this step. For now, below is how you could extract data from the audit logs.

$ db2audit flush
AUD0000I  Operation succeeded.
$ db2audit archive database sample

Member   DB Partition   AUD        Archived or Interim Log File
Number   Number         Message
-------- -------------- ---------- ------------------------------------------------
       0              0 AUD0000I   db2audit.db.SAMPLE.log.0.20140530152200

AUD0000I  Operation succeeded.

# /db2home/maint/db2audit_poc/db2audit_archive_logs $ ls -ltr
-rw-------    1 db2inst2 db2iadm2       8382 May 30 15:22 db2audit.db.SAMPLE.log.0.20140530152200

Extracting data from the audit logs:

$ db2audit extract file `date +"%Y%m%d%H%M"`_db_sample_db2audit.txt from path /db2home/maint/db2audit_p
AUD0000I  Operation succeeded.

I used `date` in the custom file name in order to have the current date as a prefix.
We are now ready to look at the audit data generated by the db2audit facility. It is clear from the following output that DB2INST2 granted the ROLE called READONLY to user XYZ1 in database SAMPLE at 2014-05-30-15.21.37.258238.

$ cat 201405301528_db_sample_db2audit.txt
timestamp=2014-05-30-15.21.37.258238;
  category=SECMAINT;
  audit event=GRANT;
  event correlator=69;
  event status=0;
  database=SAMPLE;
  userid=db2inst2;
  authid=DB2INST2;
  application id=*LOCAL.db2inst2.140530190320;
  application name=db2bp;
  package schema=NULLID;
  package name=SQLC2J24;
  package section=0;
  object name=READONLY;
  object type=ROLE;
  grantor=DB2INST2;
  grantee=XYZ1;
  grantee type=USER;
  privilege=MEMBERSHIP;
  local transaction id=0x000000000000039d;
  global transaction id=0x0000000000000000000000000000000000000000;
  grantor type=USER;
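As an added example (not code from the post), here is a small Python parser for the key=value; records that db2audit extract writes, which answers the auditor's question straight from the extract file, without loading the AUDIT tables. The record layout follows the output above; the sample records (including a later REVOKE), and the function names are constructed for this example.

```python
import re

# Constructed sample in the layout "db2audit extract" writes: one "key=value;" per line,
# records separated by a blank line. GRANT_RECORD mirrors the GRANT shown in the post.
GRANT_RECORD = """\
timestamp=2014-05-30-15.21.37.258238;
  category=SECMAINT;
  audit event=GRANT;
  event status=0;
  database=SAMPLE;
  object name=READONLY;
  object type=ROLE;
  grantor=DB2INST2;
  grantee=XYZ1;
"""
# A made-up later REVOKE of the same membership, so the extract holds two records.
REVOKE_RECORD = GRANT_RECORD.replace("=GRANT;", "=REVOKE;").replace("05-30-15.21.37", "06-02-08.00.00")
SAMPLE_EXTRACT = GRANT_RECORD + "\n" + REVOKE_RECORD

FIELD_RE = re.compile(r"^\s*([^=]+?)\s*=(.*?);?\s*$")

def parse_extract(text):
    """One dict per blank-line-separated record; keys are the field names as written."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = (FIELD_RE.match(line) for line in block.splitlines())
        records.append({m.group(1): m.group(2).strip() for m in fields if m})
    return records

def membership_history(text, database, role, grantee):
    """Successful GRANT/REVOKE events on one user's membership of one role, in file
    order, as (event, timestamp, grantor). A non-zero event status means the
    statement itself failed and changed nothing, so those records are skipped."""
    key = ("SECMAINT", "0", database, "ROLE", role, grantee)
    return [(r["audit event"], r["timestamp"], r["grantor"]) for r in parse_extract(text)
            if r.get("audit event") in ("GRANT", "REVOKE")
            and (r.get("category"), r.get("event status"), r.get("database"),
                 r.get("object type"), r.get("object name"), r.get("grantee")) == key]

def granted_since(text, database, role, grantee):
    """(timestamp, grantor) of the GRANT the user currently holds the role under, or
    None if the membership was never granted or the last event was a REVOKE."""
    held = None
    for event, ts, grantor in membership_history(text, database, role, grantee):
        held = (ts, grantor) if event == "GRANT" else None
    return held
```

Run it against the real extract file by passing its contents as text; for a question spanning several archived logs, concatenate the extracts in archive order first so the GRANT/REVOKE sequence stays intact.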

One alternative approach to using the db2audit extract option is to take advantage of DB2's built-in stored procedure SYSPROC.AUDIT_DELIM_EXTRACT to extract audit information into delimited text after the logs are archived.

$ CALL SYSPROC.AUDIT_DELIM_EXTRACT('', '/db2home/maint/db2audit_poc/extract', '/db2home/maint/db2audit_poc/db
Return Status = 0

In the above call to the stored procedure, /db2home/maint/db2audit_poc/extract is the destination path and /db2home/maint/db2audit_poc/db2audit_archive_logs is the source path (of db2audit's archive logs).
Such a call to SYSPROC.AUDIT_DELIM_EXTRACT dumps all audit data into delimited files.

/db2home/maint/db2audit_poc/extract $ ls -ltr *del
-rw-r--r--    1 db2inst2 db2iadm2          0 May 30 16:45 validate.del
-rw-r--r--    1 db2inst2 db2iadm2          0 May 30 16:45 sysadmin.del
-rw-r--r--    1 db2inst2 db2iadm2        291 May 30 16:45 secmaint.del
-rw-r--r--    1 db2inst2 db2iadm2          0 May 30 16:45 objmaint.del
-rw-r--r--    1 db2inst2 db2iadm2          0 May 30 16:45 execute.del
-rw-r--r--    1 db2inst2 db2iadm2          0 May 30 16:45 context.del
-rw-r--r--    1 db2inst2 db2iadm2          0 May 30 16:45 checking.del
-rw-r--r--    1 db2inst2 db2iadm2          0 May 30 16:45 audit.del

The next step would be to load (or import) the file secmaint.del into the relevant audit table.

db2 "IMPORT FROM secmaint.del of del insert into audit.secmaint"
SQL3109N  The utility is beginning to load data from file "secmaint.del".
SQL3110N  The utility has completed processing.  "1" rows were read from the
input file.
SQL3221W  ...Begin COMMIT WORK. Input Record Count = "1".
SQL3222W  ...COMMIT of any database changes was successful.
SQL3149N  "1" rows were processed from the input file.  "1" rows were
successfully inserted into the table.  "0" rows were rejected.
Number of rows read         = 1
Number of rows skipped      = 0
Number of rows inserted     = 1
Number of rows updated      = 0
Number of rows rejected     = 0
Number of rows committed    = 1

Step 5: Analyze data
The final step involves analyzing the data, in this case in the AUDIT.SECMAINT table.

db2 "SELECT TIMESTAMP, CATEGORY, EVENT, STATUS, DATABASE, USERID, AUTHID, GRANTOR, GRANTEE, GRANTEETYPE, A
GRANTORTYPE, OBJTYPE, OBJNAME FROM AUDIT.SECMAINT"
TIMESTAMP                  CATEGORY EVENT STATUS DATABASE USERID   AUTHID   GRANTOR  GRANTEE GRANTEETYPE GRANTORTYPE OBJTYPE OBJ

2014-05-30-15.21.37.258238 SECMAINT GRANT 0      SAMPLE   db2inst2 DB2INST2 DB2INST2 XYZ1    USER        NULL        ROLE    READONLY

Our problem statement was: Is it possible to find out when (date and time) a database role was granted to a given user? From the above output, it is clear that in database SAMPLE, userid db2inst2 granted user XYZ1 the role called READONLY at 2014-05-30-15.21.37.258238.
db2audit equips DBAs with a lot more options which I did not get a chance to explore yet. I am hopeful I will share more details in future blog posts.
