How To Audit IBMGROUP with CA Top Secret for DB2?

Document ID : KB000010104
Last Modified Date : 14/02/2018
Introduction:

 

We'd like to find out which userid uses a specific IBMGROUP, and have therefore issued:

TSS ADD(AUDIT) IBMGROUP(MYACID2)

But then:

The TSSUTIL audit report does not show any reference, although I definitely did a SPUFI command "SET CURRENT SQLID = 'MYACID2'".

Are there specific considerations to AUDIT resclass IBMGROUP? Where can I find valid documentation? What are the events for which an audit SMF record with IBMGROUPs is cut?

Environment:
z/OS, DB2 v10 and above.
Instructions:

 

-Without TSSDB2, IBMGROUP activity will not show in AUDIT or ACTION(AUDIT).
IBMGROUP permissions are added to the ACEE as a list of GROUPs. The list of groups is anchored to the ACEE at ACEECGRP, which contains the address of the connected GROUPs, either the ones permitted with the IBMGROUP resource class or the ones added as CA Top Secret GROUP().

-With TSSDB2, you should be able to cut records for IBMGROUP, as the secondary authorization ID should be signed on.

As IBMGROUPs are in fact ACIDs and are signed on to DB2 by CA Top Secret DB2, you can audit each of them on its own.

Additional Information:

 

-Here is a CA Top Secret DB2 trace that illustrates how it works.

 

 CADB2SEC - 00000110: *--------------------------------------------------*
 CADB2SEC - 00000110: ASCB=00FC9580             TCB=009B91E0
 CADB2SEC - 00000110: ----- DB2 Authorization Parameters -----
 CADB2SEC - 00000110: Privilege        = 0050     SELECT
 CADB2SEC - 00000110: Resource Class   = T        DB2TABLE
 CADB2SEC - 00000110: Object qualifier = SYSIBM
 CADB2SEC - 00000110: Object name      = SYSTABLES
 CADB2SEC - 00000110: Database name    = DSNDB06
 CADB2SEC - 00000110: ----- Authorization IDS -----
 CADB2SEC - 00000110: AUTHCHK ID       = MYACID1
 CADB2SEC - 00000110: Primary authid   = MYACID1
 CADB2SEC - 00000110: Secondary IDs    = MYACID2
 CADB2SEC - 00000110: ----- Control Information -----
 CADB2SEC - 00000110: Authid checked   = All IDs
 CADB2SEC - 00000110: Static/dynamic   = Dynamic
 CADB2SEC - 00000110: ----- Authorization Requests and Results -----
 CADB2SEC - 00000110: !DB2TABLE!SYSIBM.SYSTABLES                              !SELECT  !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2SEC - 00000110: !DB2DBASE!DSNDB06                                       !DBADM   !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2SEC - 00000110: !DB2SYS  !SQLADM                                        !        !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2SEC - 00000110: !DB2SYS  !SYSDBADM                                      !        !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2SEC - 00000110: !DB2SYS  !DATAACCESS                                    !        !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2SEC - 00000110: !DB2SYS  !ACCESSCTRL                                    !        !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2SEC - 00000110: !DB2SYS  !SYSCTRL                                       !        !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2SEC - 00000110: !DB2SYS  !SYSADM                                        !        !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2SEC - 00000110: !DB2SYS  !SECADM                                        !        !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2LTS - 00000110: MYACID2  signed on:  7F5D9BA0
 CADB2SEC - 00000110: !DB2TABLE!SYSIBM.SYSTABLES                              !SELECT  !MYACID2 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 00 feedback = 00 detail = 00
 CADB2SEC - 00000110: Exit conditions: R15 = 00 R0 = 00
 CADB2TTH - 00000110: *--------------------------------------------------*
 CADB2TTH - 00000110: ASCB=00FC9580             TCB=009B91E0
 CADB2LTS - 00000110: MYACID2 signoff:      SAF=00 RC=00 RS=00

 

The primary authID is accessing the DB2 table "SYSIBM.SYSTABLES". This trace also shows how CA Top Secret DB2 mimics the way DB2's GRANT works.

CA Top Secret DB2 checks from the most specific DB2 resource to the highest possible DB2 privilege.

If the primary authID is not allowed to any of these resources, then the secondary authID is signed on and checks are made against it.

So, auditing the secondary authIDs allows you to track when they are used and which resources they have accessed.
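
As an added example (not part of the original article and not CA Top Secret tooling), the following Python code parses trace lines in the format shown above, pairs each authorization request with its #SECUR result, and lists the checks that succeeded under an ID other than the primary authID. The function names are hypothetical, the embedded trace is an abridged copy of the trace above, and reading R15 = 00 as "access allowed" is an assumption based on how that trace plays out.

```python
import re

# Abridged copy of the article's trace (three request/result pairs kept).
TRACE = """\
 CADB2SEC - 00000110: Primary authid   = MYACID1
 CADB2SEC - 00000110: Secondary IDs    = MYACID2
 CADB2SEC - 00000110: !DB2TABLE!SYSIBM.SYSTABLES                              !SELECT  !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2SEC - 00000110: !DB2SYS  !SECADM                                        !        !MYACID1 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 08 feedback = 08 detail = 88
 CADB2LTS - 00000110: MYACID2  signed on:  7F5D9BA0
 CADB2SEC - 00000110: !DB2TABLE!SYSIBM.SYSTABLES                              !SELECT  !MYACID2 !
 CADB2SEC - 00000110: #SECUR results:  R15 = 00 feedback = 00 detail = 00
 CADB2LTS - 00000110: MYACID2 signoff:      SAF=00 RC=00 RS=00
"""

# Request line layout: !class!resource!privilege!authid! (privilege may be blank).
REQ = re.compile(r"!(\w+)\s*!(\S+)\s*!(\w*)\s*!(\w+)\s*!")
RES = re.compile(r"#SECUR results:\s+R15 = (\w+)")
PRIMARY = re.compile(r"Primary authid\s+=\s+(\w+)")
SIGNON = re.compile(r"CADB2LTS - \w+: (\w+)\s+signed on")

def parse_trace(text):
    """Return (primary authid, IDs signed on, list of checks with their R15)."""
    primary, signed_on, checks, pending = None, [], [], None
    for line in text.splitlines():
        if m := PRIMARY.search(line):
            primary = m.group(1)
        elif m := SIGNON.search(line):
            signed_on.append(m.group(1))
        elif m := REQ.search(line):
            pending = dict(zip(("resclass", "resource", "privilege", "authid"), m.groups()))
        elif (m := RES.search(line)) and pending:
            checks.append({**pending, "r15": m.group(1)})  # result follows its request
            pending = None
    return primary, signed_on, checks

def secondary_grants(text):
    """Checks that succeeded under an ID other than the primary authid."""
    # Assumption: R15 = 00 means the check was allowed, as in the article's trace.
    primary, _, checks = parse_trace(text)
    return [c for c in checks if c["r15"] == "00" and c["authid"] != primary]
```
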