How To Audit IBMGROUP with Top Secret

Article ID: 10104

Products

Top Secret

Issue/Introduction

 

How to show which ACIDs use a specific IBMGROUP.

Environment

Top Secret r16.0

Resolution

 

Without native DB2 IBMGROUP activity will not show in TSS AUDIT or ACTION(AUDIT). 

When a user connects to DB2, a RACXTRT is done.
At that point, Top Secret passes back to DB2 information on all IBMGROUP
resources that the user has access to.
It is then the responsibility of DB2 to allow or deny access based on the information passed back by TSS.
Top Secret does not allow or deny access; DB2 does.
The resource will not be audited, even when the resource
is in the AUDIT Record, because there is no actual security event (call) for
access to that resource. The only security event is the RACXTRT that is done
when the user connects to DB2.


With TSSDB2, you should be able to cut a record for IBMGROUP because the secondary authorization ID should be signed on.

 

Additional Information

 

Here is a Top Secret DB2 trace that illustrates how it works.

 

 CADB2SEC - 00000110: *--------------------------------------------------*

 CADB2SEC - 00000110: ASCB=00FC9580             TCB=009B91E0

 CADB2SEC - 00000110: ----- DB2 Authorization Parameters -----

 CADB2SEC - 00000110: Privilege        = 0050     SELECT

 CADB2SEC - 00000110: Resource Class   = T        DB2TABLE

 CADB2SEC - 00000110: Object qualifier = SYSIBM

 CADB2SEC - 00000110: Object name      = SYSTABLES

 CADB2SEC - 00000110: Database name    = DSNDB06

 CADB2SEC - 00000110: ----- Authorization IDS -----

 CADB2SEC - 00000110: AUTHCHK ID       = MYACID1

 CADB2SEC - 00000110: Primary authid   = MYACID1

 CADB2SEC - 00000110: Secondary IDs    = MYACID2

 CADB2SEC - 00000110: ----- Control Information -----

 CADB2SEC - 00000110: Authid checked   = All IDs

 CADB2SEC - 00000110: Static/dynamic   = Dynamic

 CADB2SEC - 00000110: ----- Authorization Requests and Results -----

 CADB2SEC - 00000110: !DB2TABLE!SYSIBM.SYSTABLES                              !SELECT  !MYACID1 !

 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88

 CADB2SEC - 00000110: !DB2DBASE!DSNDB06                                       !DBADM   !MYACID1 !

 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88

 CADB2SEC - 00000110: !DB2SYS  !SQLADM                                        !        !MYACID1 !

 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88

 CADB2SEC - 00000110: !DB2SYS  !SYSDBADM                                      !        !MYACID1 !

 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88

 CADB2SEC - 00000110: !DB2SYS  !DATAACCESS                                    !        !MYACID1 !

 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88

 CADB2SEC - 00000110: !DB2SYS  !ACCESSCTRL                                    !        !MYACID1 !

 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88

 CADB2SEC - 00000110: !DB2SYS  !SYSCTRL                                       !        !MYACID1 !

 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88

 CADB2SEC - 00000110: !DB2SYS  !SYSADM                                        !        !MYACID1 !

 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88

 CADB2SEC - 00000110: !DB2SYS  !SECADM                                        !        !MYACID1 !

 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88

 CADB2LTS - 00000110: MYACID2  signed on:  7F5D9BA0

 CADB2SEC - 00000110: !DB2TABLE!SYSIBM.SYSTABLES                              !SELECT  !MYACID2 !

 CADB2SEC - 00000110: #SECUR results:  R15 = 00 feedback = 00 detail = 00

 CADB2SEC - 00000110: Exit conditions: R15 = 00 R0 = 00

 CADB2TTH - 00000110: *--------------------------------------------------*

 CADB2TTH - 00000110: ASCB=00FC9580             TCB=009B91E0

 CADB2LTS - 00000110: MYACID2 signoff:      SAF=00 RC=00 RS=00

 

The primary authID is accessing the DB2 table "SYSIBM.SYSTABLES". This trace also shows how Top Secret DB2 mimics how DB2's GRANT works.

Top Secret DB2 checks from the most specific DB2 resource to the highest possible DB2 privilege.

If the primary authID is not allowed access to any of these resources, then the secondary authID is signed on and checks are made against it.

So, auditing the secondary authID allows you to track when they are used and which resources they have accessed.
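
To review a trace like the one above at scale, the following added example (not part of the original article and not Broadcom code) pairs each authorization request with its #SECUR result and reports the checks that succeeded only under a secondary authID. The function names are hypothetical, the sample is an abridged copy of the trace above, and treating R15 = 00 as "access allowed" is an assumption read from that trace.

```python
import re

# Constructed sample: an abridged copy of the trace shown in the article.
SAMPLE_TRACE = """\
 CADB2SEC - 00000110: Primary authid   = MYACID1
 CADB2SEC - 00000110: !DB2TABLE!SYSIBM.SYSTABLES                              !SELECT  !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2SEC - 00000110: !DB2SYS  !SYSADM                                        !        !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2LTS - 00000110: MYACID2  signed on:  7F5D9BA0
 CADB2SEC - 00000110: !DB2TABLE!SYSIBM.SYSTABLES                              !SELECT  !MYACID2 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 00 feedback = 00 detail = 00
"""

LINE = re.compile(r"^\s*CADB2\w+ - \w+: (.*)$")
REQUEST = re.compile(r"^!([^!]*)!([^!]*)!([^!]*)!([^!]*)!$")
RESULT = re.compile(r"^#SECUR results:\s+R15 = (\w+) feedback = (\w+) detail = (\w+)")
PRIMARY = re.compile(r"^Primary authid\s+= (\S+)")


def parse_checks(trace):
    """Pair each !class!resource!privilege!authid! request with its #SECUR result."""
    primary, pending, checks = None, None, []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        body = m.group(1).rstrip()
        if (p := PRIMARY.match(body)):
            primary = p.group(1)
        elif (q := REQUEST.match(body)):
            pending = [f.strip() for f in q.groups()]
        elif (r := RESULT.match(body)) and pending:
            cls, res, priv, authid = pending
            checks.append({"class": cls, "resource": res, "privilege": priv,
                           "authid": authid, "r15": r.group(1),
                           "secondary": authid != primary})
            pending = None
    return checks


def granted_by_secondary(trace):
    """Checks that returned R15 = 00 (assumed: allowed) under a non-primary ID."""
    return [c for c in parse_checks(trace) if c["r15"] == "00" and c["secondary"]]


if __name__ == "__main__":
    for c in granted_by_secondary(SAMPLE_TRACE):
        print(c["authid"], c["privilege"], c["class"], c["resource"])
```
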