Blog of the Open Source JavaHotel project

Sunday, 31 January 2021

DB2 audit

DB2 audit is a powerful tool that lets you supervise the usage of a DB2 instance and its databases. Some practical advice on how to set up and use DB2 audit is described here.

But DB2 audit by itself only collects data. The next step is to make practical use of that data: there is no benefit in collecting audit records without analyzing them.

So I developed a simple solution that discovers and escalates suspicious behaviour. The solution and its description are available here.

The solution consists of several bash scripts and has no additional dependencies.

Two tasks are implemented:

  • Collecting audit records and moving them to an additional DB2 database ready for further analysis. This part can be executed as a crontab job.
  • Running investigative SQL queries on the audit database to discover suspicious and unexpected behaviour. This part can be executed on demand or as a crontab job. Examples:
    • An unauthorized user connected to a DB2 database.
    • A read-only user ran an UPDATE SQL statement.
    • A failed command reported as "not authorized", suggesting a user trying to exceed their authority.

Some example investigative queries are implemented already; new queries can be added.

The solution runs at the instance level, but investigative queries can be customized at the database level: when a single instance hosts several databases, each database can have its own security rules.

Every violation can be escalated using a customizable script. An example script that reports violations to a dedicated text file is available here.
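To show what the investigative step looks like end to end, here is an added example (my own illustration, not code from the JavaHotel project or its bash scripts). It uses an in-memory SQLite database as a stand-in for the audit database, with a simplified, assumed table layout (the table and column names are constructed and are not DB2's own db2audit DDL), loads a few constructed audit rows, and runs the three rules from the list above as SQL with a per-database allow-list policy. The SQLCODEs -551 (not authorized) and -30082 (connection security failure) are real DB2 codes, but how the audit tables store them is an assumption here.

```python
"""Investigative queries over a DB2-style audit database (added example).

Assumptions: a simplified audit schema in SQLite stands in for the DB2 audit
database; table/column names are constructed, not the real db2audit layout.
"""
import re
import sqlite3

# Constructed schema (assumption): one table per audit category, one row per record.
SCHEMA = """
CREATE TABLE validate (ts TEXT, dbname TEXT, authid TEXT, event TEXT, sqlcode INTEGER);
CREATE TABLE execute  (ts TEXT, dbname TEXT, authid TEXT, stmttext TEXT, sqlcode INTEGER);
CREATE TABLE checking (ts TEXT, dbname TEXT, authid TEXT, objname TEXT, sqlcode INTEGER);
"""

# Constructed sample audit records. sqlcode 0 = success; -30082 = failed login;
# -551 = the user lacks the privilege for the operation (DB2 SQLCODEs used as labels).
SAMPLE_ROWS = {
    "validate": [
        ("2021-01-31 08:00:01", "HOTELDB", "HOTELAPP", "CONNECT", 0),
        ("2021-01-31 08:05:12", "HOTELDB", "JSMITH", "CONNECT", 0),        # not on the allow-list
        ("2021-01-31 08:06:40", "HOTELDB", "INTRUDER", "CONNECT", -30082),  # failed, never connected
        ("2021-01-31 09:00:00", "PAYDB", "PAYAPP", "CONNECT", 0),
    ],
    "execute": [
        ("2021-01-31 08:10:00", "HOTELDB", "REPORTER", "SELECT * FROM ROOMS", 0),
        ("2021-01-31 08:11:30", "HOTELDB", "REPORTER", "  update ROOMS set PRICE=1 where ID=7", 0),
        ("2021-01-31 08:12:00", "HOTELDB", "HOTELAPP", "UPDATE ROOMS SET PRICE=100 WHERE ID=7", 0),
    ],
    "checking": [
        ("2021-01-31 08:20:00", "HOTELDB", "REPORTER", "SYSCAT.TABLES", 0),
        ("2021-01-31 08:21:00", "HOTELDB", "REPORTER", "PAYMENTS", -551),
        ("2021-01-31 08:22:00", "PAYDB", "PAYAPP", "PAYMENTS", -551),
    ],
}

# Per-database security rules (constructed): who may connect, who is read-only.
POLICY = {
    "HOTELDB": {"authorized": {"HOTELAPP", "DBADMIN", "REPORTER"}, "readonly": {"REPORTER"}},
    "PAYDB": {"authorized": {"PAYAPP"}, "readonly": set()},
}

# Statements a read-only user must never run successfully.
DML_RE = re.compile(r"^\s*(UPDATE|INSERT|DELETE|MERGE|TRUNCATE)\b", re.IGNORECASE)


def load_audit_db(rows=SAMPLE_ROWS):
    """Build the stand-in audit database and load the sample records."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, recs in rows.items():
        marks = ",".join("?" * len(recs[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", recs)
    return conn


def _in_clause(values):
    """Placeholders for an IN (...) list; SQLite accepts an empty list."""
    return ",".join("?" * len(values))


def find_violations(conn, policy=POLICY):
    """Run the three investigative rules for every database in the policy.

    Returns (rule, dbname, authid, ts, detail) tuples, ready for escalation.
    """
    findings = []
    for db, rules in policy.items():
        allowed = sorted(rules["authorized"])
        readonly = sorted(rules["readonly"])
        # Rule 1: successful CONNECT by an authid outside this database's allow-list.
        sql = ("SELECT ts, authid FROM validate WHERE dbname=? AND event='CONNECT' "
               f"AND sqlcode=0 AND authid NOT IN ({_in_clause(allowed)})")
        for ts, authid in conn.execute(sql, [db, *allowed]):
            findings.append(("UNAUTHORIZED_CONNECT", db, authid, ts, "connection by unlisted user"))
        # Rule 2: a read-only authid executed a data-modifying statement successfully.
        sql = ("SELECT ts, authid, stmttext FROM execute WHERE dbname=? AND sqlcode=0 "
               f"AND authid IN ({_in_clause(readonly)})")
        for ts, authid, stmt in conn.execute(sql, [db, *readonly]):
            if DML_RE.match(stmt):
                findings.append(("READONLY_WROTE", db, authid, ts, stmt.strip()))
        # Rule 3: authorization failure, i.e. a user probing beyond its privileges.
        sql = "SELECT ts, authid, objname FROM checking WHERE dbname=? AND sqlcode=-551"
        for ts, authid, obj in conn.execute(sql, (db,)):
            findings.append(("NOT_AUTHORIZED", db, authid, ts, f"access denied on {obj}"))
    return findings


def format_report(findings):
    """One line per violation, the shape an escalation script could append to a text file."""
    return "\n".join(f"{ts} {rule} db={db} user={authid}: {detail}"
                     for rule, db, authid, ts, detail in findings)


if __name__ == "__main__":
    print(format_report(find_violations(load_audit_db())))
```

Each rule is ordinary SQL against the audit tables plus a small allow-list, so a new rule is one more query; the policy dictionary is what gives every database in the instance its own set of authorized and read-only users, as the post describes. Note that the failed login by INTRUDER is deliberately not a rule 1 hit (it never connected); a real deployment would usually add a separate rule for repeated failed logins.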
