SQL/Auditing Facility: Product Summary
The SQL/Auditing Facility (SQL/AF) records how users and programs access sensitive or vital corporate data in designated DB2/VM tables.

Audit Log

For each access to an audited table or table-column, the Audit Processor writes a record in a CMS file, called the SQL/AF audit log. An audit record contains:

Log Archiving

The SQL/AF archiving function transfers the audit log to cartridge or tape, so that auditing results can be kept for a longer period of time. Archiving may be scheduled explicitly. It may also occur implicitly when the audit log is full or when a defined number of audit requests have been stored. Archiving does not disrupt the auditing process.

Inspecting the Audit Log

A part of the SQL/AF user interface, the Logscan program interactively searches the audit log or an audit archive tape for specific audit events. When performing the log scan, the user can formulate the following search criteria:

One or more audit record fields
This provides for scan requests such as:
Table column names used in the text of an audited SQL statement
This scan method selects statements that reference a named table-column, for example:
Table column values used in the text of an audited SQL statement
This scan method selects statements that reference a named table-column with a specified value. It can be used to trace all audit events for a given table "key", for example:
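
The three Logscan search methods above, carried out over a constructed audit log as an added example (not SQL/AF code): the AuditRecord field layout and the sample records are assumptions, since the page does not list the real audit record fields.

```python
import re
from dataclasses import dataclass

# Audit record layout is an assumption for this example; the real
# SQL/AF record fields are not listed on this page.
@dataclass
class AuditRecord:
    timestamp: str
    user: str
    program: str
    table: str
    sql: str  # text of the audited SQL statement

# Constructed sample audit log (not real SQL/AF output).
SAMPLE_LOG = [
    AuditRecord("09:12:01", "HRADM", "PAYROLL", "EMP",
                "SELECT SALARY FROM EMP WHERE EMPNO = '000010'"),
    AuditRecord("09:15:44", "HRADM", "PAYROLL", "EMP",
                "UPDATE EMP SET SALARY = 52000 WHERE EMPNO = '000020'"),
    AuditRecord("23:01:09", "BATCH1", "NIGHTLY", "EMP",
                "SELECT LASTNAME FROM EMP WHERE EMPNO = '000010'"),
    AuditRecord("23:01:10", "BATCH1", "NIGHTLY", "DEPT",
                "SELECT DEPTNAME FROM DEPT WHERE DEPTNO = 'A00'"),
]

def scan_by_field(records, **criteria):
    """Scan 1: match on one or more audit record fields (user, program, table, ...)."""
    return [r for r in records
            if all(getattr(r, f) == v for f, v in criteria.items())]

def scan_by_column(records, column):
    """Scan 2: statements whose text references the named table column."""
    pat = re.compile(rf"\b{re.escape(column)}\b", re.IGNORECASE)
    return [r for r in records if pat.search(r.sql)]

def scan_by_column_value(records, column, value):
    """Scan 3: statements comparing the named column with a given value,
    e.g. every audit event for the table key EMPNO = '000010'."""
    pat = re.compile(rf"\b{re.escape(column)}\s*=\s*'?{re.escape(value)}'?(?!\w)",
                     re.IGNORECASE)
    return [r for r in records if pat.search(r.sql)]

if __name__ == "__main__":
    # Trace all audit events for one table key, across users and programs.
    for r in scan_by_column_value(SAMPLE_LOG, "EMPNO", "000010"):
        print(r.timestamp, r.user, r.program, r.sql)
```
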
Sample Logscan session

Section Authorities

When requested, SQL/AF will implement a new security concept, called section authorities, as an extension to the table and package (program) authorities provided by DB2/VM. In the DB2/VM authorization schemes, a user with the RUN privilege on a program is able to execute all SQL statements contained in that program. With SQL/AF section authorities defined, the user will also need DB2/VM table authorities to successfully execute a program section that accesses an audited table. Using section authorities, operations on audited tables can be restricted more easily to one or more named users.

Customizing SQL/AF

An installation may provide an audit user exit to be invoked by the Audit Processor for every audit log record written. The exit is written as a REXX program.

Centralized auditing as implemented by SQL/AF offers the following benefits: