× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2009

Re: Read Audit Trail


On 03/04/2009, at 8:29 AM, Eftimios Pantzopoulos wrote:

The company I'm working for has asked me whether it's possible to track all accesses to a file which contains an (encrypted) credit card number.

From my research I've discovered that there is a READ trigger on the iSeries DB2 but it is highly recommended that it not be used, which I can understand.

Investigate column-level security. This won't help with authorised access but may help restrict those users who need to access data in other columns in the file.

Read Triggers were intended to audit access to sensitive information such as medical records so it would seem that this is another case where they are appropriate. The performance issue is a potential concern but if all the trigger does is log access to another file or add a user-entry to a journal (safer from an audit perspective) then really each read will result in one dynamic call plus one I/O operation. Many applications do more than that on a read so you may find the performance penalty is not significant. Just don't have the trigger page, e-mail, or fax someone about unauthorised access!.

I've also come across a reference to a DB2 audit function, but unfortunately, only for the LUW version of DB2 (http://publib.boulder.ibm.com/infocenter/db2luw/v8/index.jsp?topic=/com.ibm.db2.udb.doc/admin/t0011540.htm )
I went searching for the function in iSeries DB2 and couldn't find it. Can anyone tell me if it exists, where any good documentation for it is, or if not, any alternatives to tracking access to important data.

This says "log file". A log file in LUW land is equivalent to a journal. So journal the file to log access to the file. A skim through the referenced URL indicates that the audit information does not go down to the read level. The various audit functions seem to equate to OS/400 system auditing. I suspect the LUW audit function won't solve your problem.

Perhaps there are better techniques using normal iSeries authority?


All you can do here is restrict unauthorised access. Tracking what authorised persons do requires different techniques. The answer to the initial question (Is it possible to track all access) is YES but you need to determine the real concern. They (and they know who they are) want to know who accessed credit-card details but WHY do they want to know that? What is the problem they're trying to solve? Knowing that will lead to either a better solution or the only solution.

Regards,
Simon Coulter.
--------------------------------------------------------------------
FlyByNight Software OS/400, i5/OS Technical Specialists

http://www.flybynight.com.au/
Phone: +61 2 6657 8251 Mobile: +61 0411 091 400 /"\
Fax: +61 2 6657 8251 \ /
X
ASCII Ribbon campaign against HTML E-Mail / \
--------------------------------------------------------------------




As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.