Various Infrastructure Audit Programs
Conduct the audit by running the SQL below through QMF / DB2I or utilising any other
front-end administration tool that may be installed (e.g. RC-Secure) to get the results.
You will need to determine who owns the IDs (primary or secondary) from RACF/ACF2.
1. Identify which accounts are used by batch jobs, which are user accounts and
which accounts are used by the DBAs, support staff etc.
2. Establish whether the number of accounts allocated DBA privileges which can
access data (SYSADM, DBADM) is reasonable.
3. Establish which support accounts can ‘fix’ data (of course, without an audit
trail sent to offsite storage it would be impossible to tell what they did with it and
when).
4. Establish how migration to production is performed, and using what accounts.
5. Establish how patching and upgrades are performed, and using what accounts.
Alternatively, do users log in to the application itself, with the application being
granted access to DB2 by virtue of its CICS access? If so, who grants this access to
users?
Establish what direct access is granted to staff (basically DBAs have direct access
via TSO/DB2I/SPUFI; who else?).
DB2 Query SQL
The commands, tables and column definitions should be up to date, but I would suggest a
check, especially if you get spurious results. I would suggest a sanity check of the output (i.e.
take some data you know exists and ensure that it appears on the relevant output).
To retrieve all user IDs (not plans) with DBADM authority and whether they
hold this privilege ‘with grant option’ or not (if GRANTEETYPE is blank, the value
of GRANTEE is an ID that has been granted a privilege)
OR
To retrieve all system privileges held by users, enter the following SQL (if
GRANTEETYPE is blank, the value of GRANTEE is an ID that has been
granted a privilege):-
To list the privileges held by users over databases, enter the following SQL :-
CREATETS
New tablespaces may be created within the specified database
DISPLAYDB
The status of the specified DB2 databases may be displayed
DROP
The specified DB2 databases may be dropped
Note: All tables, table spaces and views are also dropped when a database is dropped
IMAGECOPY
The COPY and MERGECOPY utilities may be run against table spaces and
indexes within the specified DB2 databases
LOAD
The LOAD utility may be used to load table spaces and indexes within the
specified DB2 databases. Note: The creator of a table can always use the
LOAD utility for the table.
REORG
Table spaces and indexes may be reorganised within the specified DB2 databases
RECOVERDB
The RECOVER utility may be invoked against table spaces and indexes within the
specified DB2 databases
REPAIR
The REPAIR utility may be invoked against table spaces and indexes within
the specified DB2 databases
STARTDB
The START command may be issued against the specified DB2 databases
STATS
The RUNSTATS utility may be invoked against the specified DB2 databases.
STOPDB
The STOP command may be issued against the specified DB2 databases
USE OF
The specified objects (bufferpools, storage groups or table spaces) may be used.
Use of a bufferpool means the ability to create table spaces that use the bufferpool.
Use of a storage group means the ability to create table spaces that use the storage
group.
Use of a table space means the ability to create tables in the table space.
This ensures that storage groups can be reserved for table spaces and table spaces
reserved for tables.
Single General Capabilities
Stored in the SYSUSERAUTH TABLE
BINDADD
The BIND TSO sub-command with the ACTION(ADD) option may be issued.
(The ADD option is used to add a new plan - it must not already exist)
BSDS
The RECOVER BSDS command may be issued
CREATEDBA
New databases may be created. The user gets the DBADM authority for all databases
created this way
CREATEDBC
New databases may be created. The user gets the DBCTRL authority for all
databases created this way
CREATESG
New storage groups may be created
DISPLAY
DB2 threads (‘DISPLAY THREAD’) and DB2 databases (‘DISPLAY DB’) may be
displayed
RECOVER
The ‘RECOVER INDOUBT’ command may be issued
STOPALL
The ‘STOP DB2’ command may be issued to terminate the DB2 subsystem
STOSPACE
The STOSPACE utility may be invoked
TRACE
The ‘START TRACE’ and ‘STOP TRACE’ commands may be issued.
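The three retrievals described above (DBADM holders, system privileges held by user IDs, and database privileges held by user IDs), written out as an added example. This is not the audit program's own SQL; the column names are those of the DB2 for OS/390 catalog tables SYSIBM.SYSDBAUTH and SYSIBM.SYSUSERAUTH, and should be confirmed against the installed version as the section advises.

```sql
-- Added example, not the audit program's own SQL.  Column names follow the
-- DB2 for OS/390 catalog; confirm them (e.g. via SYSIBM.SYSCOLUMNS) at the
-- installed version before relying on the output.

-- 1. User IDs (not plans) holding DBADM on any database.  DBADMAUTH is
--    'G' = held WITH GRANT OPTION, 'Y' = held, blank = not held.
SELECT GRANTEE, NAME AS DBNAME, GRANTOR, DBADMAUTH, TIMESTAMP
  FROM SYSIBM.SYSDBAUTH
 WHERE GRANTEETYPE = ' '
   AND DBADMAUTH IN ('Y', 'G')
 ORDER BY GRANTEE, NAME;

-- 2. System privileges held by user IDs.  Every ...AUTH column carries the
--    same G / Y / blank coding; the WHERE clause drops rows holding nothing.
SELECT GRANTEE, GRANTOR, SYSADMAUTH, SYSCTRLAUTH, SYSOPRAUTH,
       BINDADDAUTH, CREATEDBAAUTH, CREATEDBCAUTH, CREATESGAUTH,
       BSDSAUTH, DISPLAYAUTH, RECOVERAUTH, STOPALLAUTH, TRACEAUTH,
       STOSPACEAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE GRANTEETYPE = ' '
   AND (SYSADMAUTH <> ' ' OR SYSCTRLAUTH <> ' ' OR SYSOPRAUTH <> ' '
        OR BINDADDAUTH <> ' ' OR CREATEDBAAUTH <> ' ' OR CREATEDBCAUTH <> ' '
        OR CREATESGAUTH <> ' ' OR BSDSAUTH <> ' ' OR DISPLAYAUTH <> ' '
        OR RECOVERAUTH <> ' ' OR STOPALLAUTH <> ' ' OR TRACEAUTH <> ' '
        OR STOSPACEAUTH <> ' ')
 ORDER BY GRANTEE;

-- 3. Database privileges held by user IDs, restricted to the ones that can
--    change data or structure (DROP, LOAD, REPAIR) or that were granted
--    WITH GRANT OPTION and can therefore be passed on to other IDs.
SELECT GRANTEE, NAME AS DBNAME, GRANTOR,
       DBADMAUTH, DBCTRLAUTH, DBMAINTAUTH,
       DROPAUTH, LOADAUTH, REPAIRAUTH, RECOVERDBAUTH, REORGAUTH
  FROM SYSIBM.SYSDBAUTH
 WHERE GRANTEETYPE = ' '
   AND (DROPAUTH <> ' ' OR LOADAUTH <> ' ' OR REPAIRAUTH <> ' '
        OR DBADMAUTH = 'G' OR DBCTRLAUTH = 'G' OR DBMAINTAUTH = 'G'
        OR RECOVERDBAUTH = 'G' OR REORGAUTH = 'G')
 ORDER BY NAME, GRANTEE;
```

Resolve each GRANTEE in the output to its RACF/ACF2 owner before judging whether the DBADM and SYSADM population is reasonable.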
DB2 Catalog Tables (* = tables of interest in a security review)
SYSIBM.LUNAMES
This table must contain a row for each remote SNA client or server that
communicates with DB2. Rows in this table can be inserted, updated and deleted
SYSIBM.MODESELECT
Associates a mode name with any conversation created to support an outgoing SQL
request. Each row represents one or more combinations of LUNAME, authorisation
ID, and application plan name. Rows in this table can be inserted, updated and
deleted
SYSIBM.SYSAUXRELS
This table was introduced with Version 6. It contains one row for each auxiliary table
created for a LOB column. A base table space that is partitioned must have one
auxiliary table for each partition of each LOB column
SYSIBM.SYSCHECKDEP
Contains one row for each reference to a column in a table check constraint
SYSIBM.SYSCHECKS
This table contains one row for each table check constraint
SYSIBM.SYSCOLAUTH *
Records the UPDATE or REFERENCES privileges that are held by users on
individual columns of a table or view
SYSIBM.SYSCOLDIST
Contains one or more rows for the first key column of an index key. Rows in this
table can be inserted, updated and deleted
SYSIBM.SYSCOLDISTSTATS
This table contains none, one, or more rows per partition for the first key column of a
partitioning index. Rows are inserted when RUNSTATS scans index partitions of the
partitioning index. No row is inserted if the index is a non-partitioning index. Rows
in this table can be inserted, updated, and deleted
SYSIBM.SYSCOLSTATS
Contains partition statistics for selected columns. For each column, a row exists for
each partition in the table. Rows are inserted when RUNSTATS collects either
indexed column statistics or non-indexed column statistics for a partitioned table
space. No row is inserted if the tablespace is non-partitioned. Rows in this table can
be inserted, updated, and deleted
SYSIBM.SYSCOLUMNS
Contains one row for every column of each table and view, defining creator, data type,
length, name, etc…
SYSIBM.SYSCONSTDEP
This table has been introduced with Version 6. It records dependencies on check
constraints or user-defined defaults for a column
SYSIBM.SYSCOPY
This table contains information on the execution of DB2 COPY, QUIESCE, LOAD
and REORG utilities such as database and table space ID, type of copy, date created,
location, etc… It is used by DB2 to manage recovery
SYSIBM.SYSDATABASE
Contains one row of information (e.g. name, creator, default storage group, buffer
pool, etc…) for each database, except for database DSNDB01
SYSIBM.SYSDATATYPES
This table contains one row of information for each distinct data type defined to the
system
SYSIBM.SYSDBAUTH *
This table contains the privileges that are held by users over databases
SYSIBM.SYSDBRM
Contains DBRM information for DBRMs which have been bound into plans, e.g. date
compiled, host language (assembler; COBOL; FORTRAN…) etc
SYSIBM.SYSDUMMY1
This table contains one row. The table is used for SQL Statements in which a table
reference is required, but the contents of the table are not important
SYSIBM.SYSFIELDS
Contains one row of information for every column that has a field procedure
SYSIBM.SYSFOREIGNKEYS
This table contains one row of information for every column of every foreign key
SYSIBM.SYSINDEXES
Contains one row of information for every index
SYSIBM.SYSINDEXPART
Contains one row for each non-partitioning index and one row for each partition of a
partitioning index
SYSIBM.SYSINDEXSTATS
Contains one row of information for each partition of a partitioning index, e.g. name
of index, partition number, index owner, etc…
SYSIBM.SYSKEYS
Contains one row of information for each column of an index key
SYSIBM.SYSLOBSTATS
Contains one row of information for each Large OBject (LOB) table space
SYSIBM.SYSPACKAGE
Contains one row of information for every package
SYSIBM.SYSPACKAUTH *
Records the privileges that are held by users over packages
SYSIBM.SYSPACKDEP
This table records dependencies of packages on local tables, views, synonyms, table
spaces, indexes, aliases, functions and stored procedures
SYSIBM.SYSPACKLIST
Contains one or more rows for every local application plan bound with a package list.
Each row represents a unique entry in the plan’s package list
SYSIBM.SYSPACKSTMT
This table contains one or more rows of information for each statement in a package
SYSIBM.SYSPARMS
This table contains a row for each parameter of a routine or multiple rows for table
parameters (one for each column of the table)
SYSIBM.SYSPKSYSTEM
Contains zero or more rows for every package. Each row for a given package
represents one or more connections to an environment in which the package could be
executed
SYSIBM.SYSPLAN
Contains information on every plan, e.g. creator, date bound, whether valid / invalid,
ID of binder, etc …
SYSIBM.SYSPLANAUTH *
Records the privileges which are held by users over application plans (e.g. BIND,
EXECUTE)
SYSIBM.SYSPLANDEP
Records the dependencies e.g. of plans on tables, views, aliases, synonyms, table
spaces, indexes, functions, and stored procedures
SYSIBM.SYSPLSYSTEM
Contains none, one, or more rows for every plan. Each row for a given plan
represents one or more connections to an environment in which the plan could be used
SYSIBM.SYSPROCEDURES *
In releases of DB2 for OS/390 prior to Version 6, users were required to use the
SYSPROCEDURES catalog table to define stored procedures to DB2. In Version 6,
the SYSROUTINES catalog table contains information about stored procedures.
When Version 6 was installed, the rows in SYSPROCEDURES that had non-blank
values for authID and LUNAME were copied, with appropriate formatting, to
SYSROUTINES. Although Version 6 of DB2 for OS/390 does not use
SYSPROCEDURES, it is available for fallback to Version 5.
SYSIBM.SYSRELS
Contains information on the foreign key and link relationships for all tables, e.g.
referential constraints such as Cascade, Restrict, SetNull
SYSIBM.SYSRESAUTH *
Records CREATE IN and PACKADM ON privileges for collections; USAGE
privileges for distinct types; and USE privileges for buffer pools, storage group and
table spaces
SYSIBM.SYSROUTINEAUTH *
Records the privileges that are held by users on routines. (A routine can be a
user-defined function, a cast function or a stored procedure).
SYSIBM.SYSROUTINES
Contains a row for every routine. (A routine can be a user-defined function, cast
function or stored procedure).
SYSIBM.SYSSCHEMAAUTH *
Contains one or more rows of information for each user that is granted a privilege on
a particular schema in the database.
SYSIBM.SYSSTMT
This contains one or more rows for each SQL Statement of each DBRM
SYSIBM.SYSSTOGROUP
Contains one row of information for each storage group
SYSIBM.SYSSTRINGS
Contains information on conversion of strings from one character set to another
SYSIBM.SYSSYNONYMS
Contains synonyms for table names
SYSIBM.SYSTABAUTH *
Records the privileges that users hold on tables and views
SYSIBM.SYSTABLEPART
Contains one row for each non-partitioned table space and one row for each partition
of a partitioned tablespace
SYSIBM.SYSTABLES
Contains one row of information for each table, view or alias
SYSIBM.SYSTABLESPACE
Contains one row of information for each tablespace
SYSIBM.SYSTABSTATS
Contains a row of information for each partition of a partitioned table space. Rows in
this table can be inserted, updated and deleted
SYSIBM.SYSTRIGGERS
This table contains one row of information for each trigger.
SYSIBM.SYSUSERAUTH *
This table records information on system privileges held by DB2 users
SYSIBM.SYSVIEWDEP
Records the dependencies of views on tables, functions and other views
SYSIBM.SYSVIEWS *
Contains information on all views that have been defined in this location
SYSIBM.SYSVOLUMES
Contains one row for each volume of each storage group
SYSIBM.SYSUSERNAMES
Each row in this table is used to carry out either Outbound ID translation or Inbound
ID translations and “come from” checking. Rows in this table can be inserted, updated
and deleted
Privilege Columns on Security Tables
Each table entry holds the following privileges.
Pre-defined group capabilities have completed entries as shown :-

SINGLE CAPABILITY   RESOURCE TYPE           PREDEFINED CAPABILITIES
                                            SYSADM  DBADM  DBCTRL  DBMAINT  SYSOPR
SYSUSERAUTH
  ALTERBP                                   G
  BINDADD                                   G
  BSDS                                      G
  CREATEDBA                                 G
  CREATEDBC                                 G
  CREATESG                                  G
  DISPLAYDB                                 G
  STOSPACE                                  G
  DISPLAY                                   G                               Y
  RECOVER                                   G                               Y
  STOPALL                                   G                               Y
  TRACE                                     G                               Y
SYSTABAUTH
  ALTER             table definitions       G       Y
  DELETE            table rows              G       Y
  INDEX             create indexes          G       Y
  INSERT            table rows              G       Y
  SELECT            table rows              G       Y
  UPDATE            tables (column list)    G       Y
SYSPLANAUTH
  BIND              application plans       G
  EXECUTE           application plans       G
SYSDBAUTH
  DROP              data base               G       Y      Y
  LOAD              data base               G       Y      Y
  REORG             data base               G       Y      Y
  RECOVERDB         data base               G       Y      Y
  REPAIR            data base               G       Y      Y
  CREATETAB         data base               G       Y      Y       Y
  CREATETS          data base               G       Y      Y       Y
  DISPLAYDB         data base               G       Y      Y       Y
  IMAGECOPY         data base               G       Y      Y       Y
  STARTDB           data base               G       Y      Y       Y
  STATS             data base               G       Y      Y       Y
  STOPDB            data base               G       Y      Y       Y

N.B. Only the SYSADM authority starts off with the ability to GRANT privileges.

The table defines propagation privileges for the predefined capabilities and for any other user:
‘G’ = Capability given WITH the GRANT option
‘Y’ = Capability given (but not with the GRANT option)
‘BLANK’ = NO capability
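Because a ‘G’ entry lets its holder pass the capability on, the auditor's interest is in grants that did not come directly from SYSADM or the object owner. The following is an added example (not the audit program's own SQL) that applies the G / Y / blank coding above to SYSIBM.SYSTABAUTH; column names follow the DB2 for OS/390 catalog and should be confirmed at the installed version.

```sql
-- Added example, not from the audit program.  Column names follow the DB2
-- for OS/390 catalog (SYSIBM.SYSTABAUTH / SYSIBM.SYSUSERAUTH); confirm them
-- at the installed version.

-- 1. Table-level grants made by an ID that is neither a SYSADM holder nor
--    the table's creator.  Such a grantor can only be granting because it
--    holds the privilege WITH GRANT OPTION ('G') itself, or holds DBADM on
--    the database (cross-check the latter against SYSIBM.SYSDBAUTH).
SELECT T.GRANTOR, T.GRANTEE, T.TCREATOR, T.TTNAME,
       T.SELECTAUTH, T.INSERTAUTH, T.UPDATEAUTH, T.DELETEAUTH,
       T.ALTERAUTH, T.INDEXAUTH
  FROM SYSIBM.SYSTABAUTH T
 WHERE T.GRANTEETYPE = ' '                      -- grantee is an ID, not a plan
   AND T.GRANTOR <> T.TCREATOR                  -- not the owner's own grant
   AND T.GRANTOR NOT IN (SELECT U.GRANTEE
                           FROM SYSIBM.SYSUSERAUTH U
                          WHERE U.SYSADMAUTH IN ('Y', 'G'))
 ORDER BY T.TCREATOR, T.TTNAME, T.GRANTOR, T.GRANTEE;

-- 2. Onward grants: table privileges the grantee can itself re-grant.
--    Any 'G' here is a further point from which access can propagate.
SELECT GRANTEE, TCREATOR, TTNAME, GRANTOR,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH, ALTERAUTH, INDEXAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTEETYPE = ' '
   AND (SELECTAUTH = 'G' OR INSERTAUTH = 'G' OR UPDATEAUTH = 'G'
        OR DELETEAUTH = 'G' OR ALTERAUTH = 'G' OR INDEXAUTH = 'G')
 ORDER BY TCREATOR, TTNAME, GRANTEE;
```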
SYSIBM.SYSCOLAUTH Table
Contains the UPDATE privileges held by DB2 users on single table columns
or view columns.

SYSIBM.SYSRESAUTH Table
Records the privileges held by users over buffer pools, storage groups, and
table spaces.

SYSIBM.SYSTABLES Table (columns of interest)
TYPE        'A' if the row defines an alias, 'T' if the row defines a table,
            or 'V' if the row defines a view
AUDITING    'A' = AUDIT ALL; 'C' = AUDIT CHANGE; blank = AUDIT NONE, or the
            row defines a view or alias
CREATEDTS   The date and time when the table, view, or alias was created

SYSIBM.SYSVIEWS Table
Contains information on all views that have been defined in this location.
This table resides in the DSNDB06 database in each location.