IDUG NA 2025

In these days of heightened security, it is likely that you will be asked about Db2’s audit facility, db2audit. This tool has the ability to collect a number of types of security information and this presentation will show how to configure and use db2audit. dbaudit can collect massive amounts of data but there are ways to limit the data and those techniques will be shown in the presentation.

Mainframe is often perceived as the most secure platform in the world. However, the reality is that it is as secure as you make it. A group of well–known mainframe hackers shared their experience and lessons learned from the field. Specifically, they publicly showed the most common attack vectors for the mainframe. In this presentation, we will review their findings and see how these techniques can apply to Db2 for z/OS.

Prior to Db2 12.1, with Db2 audit enabled for the database using the db2audit facility, an unsustainably large amount of audit data is generated which has an impact on the general database performance, I/O, and space. This is especially true for the “execute” category of Db2 auditing. Almost all the data is generated by the SAP application and the SAP database connect user. Unfortunately, the db2audit facility provides very little in terms of application context that comes from the SAP system such as SAP logon user, reports, and so on.
On the other hand, there are SAP–level auditing functions and auditing within the SAP system which can provide application–related details.
However, auditing on SAP application level has its limits: You cannot audit statements that execute directly against the database and that come from outside the local ABAP stack.With Db2 12.1, the Db2 audit facility has been enhanced to overcome the above–mentioned limitation. Generally, the database data should only be accessed in a trusted way from the SAP application through the SAP database connect user, and all other connections to the database should be audited.
As of Db2 12.1, you can exclude auditing for connections originating from the local SAP application by the SAP connect user. This reduces the amount of audit data generated by the Db2 audit facility to something more manageable.

When we talk about Mainframe Modernization, we usually discuss DevOps, Zowe, APIs, Java, Python, etc, but how often does anyone talk about how your security posture needs to be modernized?  Many of these systems were built 30–40 years ago when it was just batch, IMS and CICS.  Now we have traffic coming in from everywhere, whether it is via APIs, distributed Db2, or other means, you need to make sure you are prepared to monitor that traffic to prevent DDoS attacks, and make sure nobody is getting at your most sensitive data.  I will discuss some of the core Db2 Security features that companies should consider using along with Data Access Monitors like Guardium.