Db2 for z/OS and its ecosystem


Tamper-proof audit policies in Db2 12 function level 509

By Jennie Chang posted Mon March 01, 2021 01:36 PM


By Jennie Chang and Gayathiri Chandran.

Function level 509 in Db2 12 for z/OS introduces support for tamper-proof audit policies. The new tamper-proof feature provides the capability to define an audit policy that prevents audit trails from being unnecessarily modified or stopped by users with advanced Db2 privileges, minimizing the possibility of loss of audit information. 

To modify or stop a tamper-proof audit policy, you must be authorized to access the audit policy profile in a z/OS® security product that is external to Db2, such as RACF®. A z/OS system security administrator must perform a special task in the external security product to permit you access to update, delete, or stop the audit policy. 

You can create a new tamper-proof audit policy by inserting an audit policy record into the SYSIBM.SYSAUDITPOLICIES catalog table with a DB2START value of 'T'. For more information, see Creating and activating audit policies. A newly inserted tamper-proof audit policy record with a DB2START column value of 'T' is started automatically during Db2 startup. If the audit trace needs to be started immediately, without waiting for a Db2 restart, you must issue a START TRACE command. 

In function level 509, any STOP TRACE command that targets a tamper-proof audit policy record requires additional RACF authorization. UPDATE and DELETE statements against a tamper-proof audit policy record also require additional RACF authorization in function level 509, regardless of the application compatibility level. 

For example, suppose you must update a tamper-proof audit policy that is already started. You must first ask your system security administrator to complete the following steps: 

  1. Activate and RACLIST the RACF DSNR class if they have not already done so. 
  2. Optional: Define a default profile, DSNAUDIT.*, in the RACF DSNR class that prevents any tamper-proof audit policy records from being modified or stopped. 
  3. Create a profile in the RACF DSNR class for the tamper-proof audit policy and permit you access to the profile. 

You can update the tamper-proof audit policy only after you have been permitted access to the RACF profile. In addition to access to the profile, you must also have the privileges that are required for the statements and commands that you will use to update and restart the tamper-proof audit policy. 

After you have updated the tamper-proof audit policy, complete the following steps: 

  1. Since the tamper-proof audit policy is already started, restart the modified audit policy record by issuing the STOP TRACE and START TRACE commands. 
  2. Ask your system security administrator to remove your access to the audit policy profile in RACF. 

Note that you cannot use the SCOPE(GROUP) option in a START TRACE or STOP TRACE command that starts or stops a tamper-proof audit policy. To start or stop a tamper-proof audit policy for all members of a data sharing group, issue the command on each data sharing member.

For more information, see Updating tamper-proof audit policies. 
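The whole lifecycle described above, from creating a tamper-proof policy to handing the RACF access back, as an added example that is not part of the original post. The policy name AUDPOL01, the subsystem DB2A, the user ID DBASEC1, and the CHECKING and VALIDATE column settings are constructed; the profile name DSNAUDIT.AUDPOL01 and the READ access level are assumptions derived from the DSNAUDIT.* prefix mentioned in the post, so confirm them against Updating tamper-proof audit policies for your release. Only the catalog statements are SQL; the RACF commands (issued from TSO by the security administrator) and the Db2 commands (issued from the console or DSN command processor) appear as annotated comment lines so the order and the responsible role are visible in one place.

```sql
-- Step 0 (DBA): create the tamper-proof audit policy record.
-- DB2START = 'T' marks it tamper-proof; Db2 starts it automatically at startup.
-- CHECKING = 'A' is a constructed setting (audit all authorization failures);
-- pick the audit categories your policy actually needs.
INSERT INTO SYSIBM.SYSAUDITPOLICIES
       (AUDITPOLICYNAME, CHECKING, DB2START)
VALUES ('AUDPOL01', 'A', 'T');

-- To start it now instead of waiting for the next Db2 restart, issue the Db2
-- command (not SQL). No SCOPE(GROUP): in a data sharing group, repeat on each member.
--   -DB2A START TRACE(AUDIT) AUDTPLCY(AUDPOL01) DEST(SMF)

-- Steps 1-3 (system security administrator, RACF commands from TSO, not SQL):
--   SETROPTS CLASSACT(DSNR) RACLIST(DSNR)
--   RDEFINE  DSNR DSNAUDIT.* UACC(NONE)            (optional default: lock every policy)
--   RDEFINE  DSNR DSNAUDIT.AUDPOL01 UACC(NONE)     (assumed naming: DSNAUDIT.policy-name)
--   PERMIT   DSNAUDIT.AUDPOL01 CLASS(DSNR) ID(DBASEC1) ACCESS(READ)
--   SETROPTS RACLIST(DSNR) REFRESH

-- Step 4 (DBA, once the PERMIT is in effect): confirm the record, then update it.
-- The UPDATE is rejected in FL509 until the RACF access above has been granted.
SELECT AUDITPOLICYNAME, CHECKING, VALIDATE, DB2START
  FROM SYSIBM.SYSAUDITPOLICIES
 WHERE AUDITPOLICYNAME = 'AUDPOL01';

UPDATE SYSIBM.SYSAUDITPOLICIES
   SET VALIDATE = 'A'          -- constructed change: add validation auditing
 WHERE AUDITPOLICYNAME = 'AUDPOL01'
   AND DB2START = 'T';

-- Step 5 (DBA): the policy is already running, so restart it to pick up the change.
-- STOP TRACE on a tamper-proof policy also needs the RACF access in FL509.
--   -DB2A STOP  TRACE(AUDIT) AUDTPLCY(AUDPOL01)
--   -DB2A START TRACE(AUDIT) AUDTPLCY(AUDPOL01) DEST(SMF)

-- Step 6 (system security administrator): remove the temporary access again,
-- so the policy is once more protected from everyone, including SYSADM.
--   PERMIT   DSNAUDIT.AUDPOL01 CLASS(DSNR) ID(DBASEC1) DELETE
--   SETROPTS RACLIST(DSNR) REFRESH
```

The `AND DB2START = 'T'` predicate on the UPDATE is a cheap guard against accidentally editing a policy that is not the tamper-proof one you were granted access for; the RACF check, not this predicate, is what actually enforces the protection. Keeping the PERMIT and the later DELETE in the same change ticket makes the temporary window auditable and short.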


Jennie Chang is an Information Developer for Db2 for z/OS documentation. Gayathiri Chandran is a Senior Software Engineer for Db2 for z/OS development. 

Sign in and subscribe to always get the latest news about Db2 for z/OS from the IBM lab: http://ibm.biz/db2znews-subscribe