BeatrixKiddo
ISP
Hello, is there a guideline or check list about Db2 auditing?
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Db2 auditory
- Thread starter BeatrixKiddo
- Start date
- Status
sathyarams
IS-IT--Management
What do you want to audit ?
For db2 resoruces visit More DB2 questions answered at &
For db2 resoruces visit More DB2 questions answered at &
- Thread starter
- #3
BeatrixKiddo
ISP
Profiles, security access configuration, superdbas, etc.
- Thread starter
- #4
BeatrixKiddo
ISP
Found some notes about the topic,
DB2 Query SQL
The commands, tables and column definitions should be up-to-date but I would suggest a check, especially if you get spurious results. I would suggest a sanity check of the output (i.e. take some data you know exists and ensure that it appears on the relevant output).
To retrieve all user IDs (not plans) with DBADM authority and whether they hold this privilege ‘with grant option’ or not
SELECT GRANTEE, DBADMAUTH FROM SYSIBM.SYSDBAUTH WHERE GRANTEETYPE = ' ' AND WHERE DBADMAUTH <> ' ';
(If GRANTEETYPE is blank, the value of GRANTEE is an ID that has been granted a privilege)
OR
SELECT DISTINCT GRANTEE FROM SYSIBM.SYSDBAUTH WHERE GRANTEETYPE = ' ' AND DBADMAUTH IN (‘G’,’Y’) ;
Retrieve all users with SYSADM authority
SELECT GRANTEE, GRANTEETYPE, SYSADMAUTH FROM SYSIBM.SYSUSERAUTH WHERE SYSADMAUTH <>' ';
OR
SELECT GRANTEE FROM SYSIBM.SYSUSERAUTH WHERE SYSADMAUTH IN (‘G’,’Y’);
(If GRANTEETYPE is blank, the value of GRANTEE is an ID that has been granted a privilege)
Find all users with SYSCTRL authority
Repeat the above query for SYSADM but substituting ‘WHERE SYSCTRLAUTH’ for ‘WHERE SYSADMAUTH’
To retrieve all system privileges held by users, enter the following SQL (If GRANTEETYPE is blank, the value of GRANTEE is an ID that has been granted a privilege):-
SELECT GRANTEE, GRANTEETYPE, SYSADMAUTH FROM SYSIBM.SYSUSERAUTH WHERE SYSADMAUTH <>' ';
? (Repeat for SYSCTRLAUTH, SYSOPRAUTH, BSDSAUTH, CREATEDBAAUTH, CREATEDBCAUTH, CREATESGAUTH, BINDADDAUTH, ALTERBPAUTH, BINDAGENTAUTH, ARCHIVEAUTH, RECOVERAUTH, STOPALLAUTH, STOSPACEAUTH, TRACEAUTH, DISPLAYAUTH)
Contd..
To list the privileges held by users over databases, enter the following SQL :-
SELECT GRANTEE, DBADMAUTH FROM SYSIBM.SYSDBAUTH WHERE DBADMAUTH <> ' ';
? (Repeat for DBCTRLAUTH, DBMAINTAUTH, CREATETABAUTH, CREATETSAUTH, DISPLAYDBAUTH, DROPAUTH, IMAGCOPYAUTH, LOADAUTH, REORGAUTH, RECOVERDBAUTH, REPAIRAUTH, STARTDBAUTH, STATSAUTH, STOPAUTH)
DB2 Query SQL
The commands, tables and column definitions should be up-to-date but I would suggest a check, especially if you get spurious results. I would suggest a sanity check of the output (i.e. take some data you know exists and ensure that it appears on the relevant output).
To retrieve all user IDs (not plans) with DBADM authority and whether they hold this privilege ‘with grant option’ or not
SELECT GRANTEE, DBADMAUTH FROM SYSIBM.SYSDBAUTH WHERE GRANTEETYPE = ' ' AND WHERE DBADMAUTH <> ' ';
(If GRANTEETYPE is blank, the value of GRANTEE is an ID that has been granted a privilege)
OR
SELECT DISTINCT GRANTEE FROM SYSIBM.SYSDBAUTH WHERE GRANTEETYPE = ' ' AND DBADMAUTH IN (‘G’,’Y’) ;
Retrieve all users with SYSADM authority
SELECT GRANTEE, GRANTEETYPE, SYSADMAUTH FROM SYSIBM.SYSUSERAUTH WHERE SYSADMAUTH <>' ';
OR
SELECT GRANTEE FROM SYSIBM.SYSUSERAUTH WHERE SYSADMAUTH IN (‘G’,’Y’);
(If GRANTEETYPE is blank, the value of GRANTEE is an ID that has been granted a privilege)
Find all users with SYSCTRL authority
Repeat the above query for SYSADM but substituting ‘WHERE SYSCTRLAUTH’ for ‘WHERE SYSADMAUTH’
To retrieve all system privileges held by users, enter the following SQL (If GRANTEETYPE is blank, the value of GRANTEE is an ID that has been granted a privilege):-
SELECT GRANTEE, GRANTEETYPE, SYSADMAUTH FROM SYSIBM.SYSUSERAUTH WHERE SYSADMAUTH <>' ';
? (Repeat for SYSCTRLAUTH, SYSOPRAUTH, BSDSAUTH, CREATEDBAAUTH, CREATEDBCAUTH, CREATESGAUTH, BINDADDAUTH, ALTERBPAUTH, BINDAGENTAUTH, ARCHIVEAUTH, RECOVERAUTH, STOPALLAUTH, STOSPACEAUTH, TRACEAUTH, DISPLAYAUTH)
Contd..
To list the privileges held by users over databases, enter the following SQL :-
SELECT GRANTEE, DBADMAUTH FROM SYSIBM.SYSDBAUTH WHERE DBADMAUTH <> ' ';
? (Repeat for DBCTRLAUTH, DBMAINTAUTH, CREATETABAUTH, CREATETSAUTH, DISPLAYDBAUTH, DROPAUTH, IMAGCOPYAUTH, LOADAUTH, REORGAUTH, RECOVERDBAUTH, REPAIRAUTH, STARTDBAUTH, STATSAUTH, STOPAUTH)
- Status
Similar threads
- Locked
- Question