DB2 UDB Access Recording
Product Summary
UDBAR is a software tool that records how users and programs access sensitive corporate data in designated DB2 tables. UDBAR provides collection, archiving and scanning services for the audit data produced by DB2 LUW operating in the zLinux environment. UDBAR services execute partly in zLinux and partly in z/VM virtual machines.
UDBAR functions for the Linux environment
These functions process the output files produced by the DB2AUDIT EXTRACT command and forward the processed output using FTP to the UDBAR server UDBARP, executing in the z/VM environment.
UDBAR functions for the z/VM environment
The software components executing in the z/VM environment provide the following functions:
- The UDBAR Processor receives the audit data sent by FTP from the Linux environment. Processed audit data is stored in the UDBAR Audit Log.
- The UDBAR Archiving Program transfers the current Audit Log to a sequential dataset, typically on magnetic tape.
- The UDBAR Audit Log Scan function lets the user search the Audit Log or an Audit Archive interactively or in batch.
Audit Log
For each access to an audited table, the UDBAR Processor writes a record in a CMS file, called the UDBAR audit log. An audit record contains:
The UDBAR archiving function transfers the audit log to cartridge or tape, so that auditing results can be kept for a longer period of time. Archiving may be scheduled explicitly. It may also occur implicitly when the audit log is full or when a defined number of audit requests have been stored.
Inspecting the Audit Log
As part of the UDBAR user interface, the Logscan program interactively searches the audit log or an audit archive tape for specific audit events. When performing the log scan, the user can formulate the following search criteria:
One or more audit record fields
This provides for requests such as:
- Search all accesses made by a named user to a named table during a specified period.
- Search all updates made by a named program to a named table on a specified date.
Table column names used in the text of an audited SQL statement
This scan method selects statements that reference a named table-column, for example:
- Search all statements that selected the column SALARY in the employee table.
- Search all changes to the column BALANCE in the customer table, performed by a named user on a given date.
Table column values used in the text of an audited SQL statement
This scan method selects statements that reference a named table-column with a specified value. It can be used to trace all audit events for a given table "key", for example:
- Search all accesses made to the EMPLOYEE table for EMPNO = 100 during a specified period.
- Search all updates that made the column BALANCE in the customer table negative.
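The three scan methods above, sketched in Python as an added example; this is not UDBAR code, and the record fields (`ts`, `user`, `program`, `table`, `sql`) and the sample log are constructed assumptions, since the page does not give the audit record layout. It shows two details a column-aware scan has to get right: ignoring column names that only occur inside string literals, and matching whole values (EMPNO = 100 must not match EMPNO = 1000).

```python
import re
from datetime import datetime

# Constructed sample records; the field names are assumptions,
# not UDBAR's actual audit record layout.
AUDIT_LOG = [
    {"ts": "2024-03-01T09:15:00", "user": "ALICE", "program": "PAYROLL1", "table": "EMPLOYEE",
     "sql": "SELECT NAME, SALARY FROM EMPLOYEE WHERE EMPNO = 100"},
    {"ts": "2024-03-01T10:02:00", "user": "BOB", "program": "BANKUPD", "table": "CUSTOMER",
     "sql": "UPDATE CUSTOMER SET BALANCE = -250.00 WHERE CUSTNO = 7"},
    {"ts": "2024-03-02T11:30:00", "user": "ALICE", "program": "QMF", "table": "EMPLOYEE",
     "sql": "SELECT NAME FROM EMPLOYEE WHERE NOTE = 'SALARY review' AND EMPNO = 1000"},
    {"ts": "2024-03-05T08:00:00", "user": "CAROL", "program": "BANKUPD", "table": "CUSTOMER",
     "sql": "UPDATE CUSTOMER SET BALANCE = 40 WHERE CUSTNO = 9"},
]

_LITERAL = re.compile(r"'(?:[^']|'')*'")

def _code_only(sql):
    """Blank out string literals so quoted words are not taken for column names."""
    return _LITERAL.sub("''", sql)

def references_column(sql, column):
    """True if `column` appears as an identifier outside string literals."""
    return re.search(rf"\b{re.escape(column)}\b", _code_only(sql), re.I) is not None

def column_values(sql, column):
    """Numeric values compared or assigned to `column` with '=' (e.g. EMPNO = 100)."""
    pat = rf"\b{re.escape(column)}\s*=\s*(-?\d+(?:\.\d+)?)\b"
    return [float(v) for v in re.findall(pat, _code_only(sql), re.I)]

def scan(log, start=None, end=None, column=None, value_test=None, **fields):
    """Select records by field equality, time window, and column name/value criteria."""
    hits = []
    for rec in log:
        ts = datetime.fromisoformat(rec["ts"])
        if (start and ts < start) or (end and ts > end):
            continue
        if any(rec.get(k, "").upper() != v.upper() for k, v in fields.items()):
            continue
        if column and not references_column(rec["sql"], column):
            continue
        if column and value_test and not any(
                value_test(v) for v in column_values(rec["sql"], column)):
            continue
        hits.append(rec)
    return hits
```

For example, `scan(AUDIT_LOG, table="CUSTOMER", column="BALANCE", value_test=lambda v: v < 0)` returns only the update that made BALANCE negative.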
Customizing UDBAR
An installation may provide an audit user exit to be invoked by the Audit Processor for every audit log record written. The exit is written as a REXX program.