Auditing DB2 on z/OS

Auditing using SMF data  

Auditing solutions based on SMF data require that DB2 audit tracing be activated.

Regular DB2 audit tracing will record only the first read (SELECT) and the first write (INSERT, UPDATE, DELETE) within the logical work unit. This is clearly insufficient for complete recording of DB2 accesses.

From DB2 version 10 on, audit policies may be defined for designated tables. An audit policy will record all DB2 accesses within the logical work unit and also provide the text of the SQL statement that performs the access. This gives finer auditing granularity, but the amount of data written to the SMF dataset can become immense, so DB2 can be asked to compress the data it sends to SMF.
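The two SMF-based setups described above, side by side, as an added example that is not part of the original page. The schema, table and policy names (PAYROLL, EMPLOYEE, EMPAUDIT) are hypothetical, and the DB2 commands appear as comments because they are issued as commands rather than as SQL.

```sql
-- Added example; PAYROLL.EMPLOYEE and EMPAUDIT are hypothetical names.

-- (1) Regular audit tracing: the table carries the AUDIT attribute and
--     audit trace classes 4 and 5 are started. Only the first write and
--     the first read within the unit of work are recorded.
ALTER TABLE PAYROLL.EMPLOYEE AUDIT ALL;
-- DB2 command:
--   -START TRACE(AUDIT) CLASS(4,5) DEST(SMF)

-- (2) Audit policy (DB2 10 and later): one row in the catalog table
--     SYSIBM.SYSAUDITPOLICIES designates the table to audit.
--     OBJECTTYPE 'T' = table
--     EXECUTE    'A' = audit all accesses ('C' = changes only)
INSERT INTO SYSIBM.SYSAUDITPOLICIES
       (AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE)
VALUES ('EMPAUDIT', 'PAYROLL', 'EMPLOYEE', 'T', 'A');
-- DB2 command that activates the policy and routes its records to SMF:
--   -START TRACE(AUDIT) DEST(SMF) AUDTPLCY(EMPAUDIT)

-- Review which tables are covered by a policy and at what level.
SELECT AUDITPOLICYNAME, OBJECTSCHEMA, OBJECTNAME, OBJECTTYPE, EXECUTE
  FROM SYSIBM.SYSAUDITPOLICIES
 ORDER BY AUDITPOLICYNAME;
-- DB2 command to confirm the audit trace is active:
--   -DISPLAY TRACE(AUDIT)
```

Compression of the trace records sent to SMF is set separately, through the SMFCOMP subsystem parameter.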

Execution Flow:

Auditing using DBARS

DBARS is an auditing product provided by Software Product Research.

The DBARS Intercept component executes in the DB2 address space and records all accesses to auditable tables, including the SQL statement text and any host variables. No DB2 tracing is required to achieve this.

The Intercept component stores the access data into the DBARS Audit Queue. This queue resides in 64-bit storage.

The DBARS Writer component executes in the DBARS address space. The Writer polls the audit queue for new data and sends these data to its output destination.

When DBARS executes in standalone mode, the output destination is the DBARS Recorder dataset. When DBARS is connected to an external security manager, the output destination is the IP address of the external manager.

Execution Flow:

Both solutions compared

The SMF-based solution requires:

The DBARS solution requires: