DB2 - Problem description
Problem IC98130 | Status: Closed
Parameter markers can unexpectedly be logged when auditing a table
product:
DB2 FOR LUW / DB2FORLUW / A10 - DB2
Problem description:
When defining a database audit policy to audit EXECUTE category events, one can specify WITH DATA or WITHOUT DATA as part of the DDL. When WITHOUT DATA is specified, input data values provided for any host variables and parameter markers are not logged as part of the EXECUTE category. However, if such a policy is used to audit a table object, input data values provided for host variables and parameter markers could be logged unexpectedly.

Problem Reproducible Steps:
1) Edit repro.java to correct the url
2) $ javac repro.java
3) $ repro_tab.sh USERNAME PASSWORD
   --> will create audit.tab.out file
   --> it records parameter marker
=======================
type = CHAR data = A01 ;
=======================

----- repro_tab.sh ----------------
#!/bin/sh
if [ -z "$1" -o -z "$2" ] ; then
  echo "need USERID and PASSWORD." ; exit 1
fi
db2stop force
db2start
db2 drop db TESTDB
db2 -v create database TESTDB
db2 -v connect to TESTDB
db2 -v "create table test (col1 char(5), col2 char(5))"
db2 -v "insert into test values ('A01','AAAA')"
db2 -v "CREATE AUDIT POLICY EXECPOL CATEGORIES EXECUTE WITHOUT DATA STATUS BOTH ERROR TYPE NORMAL"
# audit the table ######
db2 -v "audit table TEST using policy EXECPOL"
java repro "$1" "$2"
db2audit flush
db2audit archive database TESTDB
# newest archived audit log file
ARCFILE=`ls -1 $HOME/sqllib/security/auditdata | tail -1`
db2audit extract file audit.tab.out from files $ARCFILE
echo "see audit.tab.out file."
---------------------

----- repro.java ----------------
import java.sql.*;

class repro {
  public static void main (String argv[]) {
    try {
      Connection con = null;
      Class.forName("com.ibm.db2.jcc.DB2Driver");
      String url = "jdbc:db2://hidehy.ibm.com:50000/TESTDB";
      if (argv.length == 2) {
        String userID = argv[0];
        String passwd = argv[1];
        con = DriverManager.getConnection(url, userID, passwd);
      } else {
        throw new Exception("\n Usage: java repro userID password\n");
      }
      PreparedStatement pStmt = con.prepareStatement(
          "SELECT COL2 " +
          "FROM TEST " +
          "WHERE COL1 = ?");
      // Parameter marker value; under WITHOUT DATA it should not be logged.
      pStmt.setString(1, "A01");
      ResultSet rs = pStmt.executeQuery();
      while (rs.next()) {
        System.out.println("COL2 = " + rs.getString(1));
      }
      rs.close();
      pStmt.close();
      con.close();
    } catch (Exception e) {
      e.printStackTrace();
    }
  }
}
--------------------------------------
Problem Summary:
****************************************************************
* USERS AFFECTED:                                              *
* DB2 UDB Version 10.1                                         *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See Error Description                                        *
****************************************************************
* RECOMMENDATION:                                              *
* Upgrade to Version 10.1 FixPack 4.                           *
****************************************************************
Local Fix:
When the same audit policy is used to audit the entire database, we do not log the parameters. Try to use:
  db2 -v "audit database using policy EXECPOL"
instead of using
  db2 -v "audit table TEST using policy EXECPOL"
in repro_tab.sh.
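
A check to run against audit.tab.out after applying the local fix or Fix Pack 4, as an added example (not IBM's code): it counts, per SQL type, the parameter values present in the extract without printing them. The `type = ... data = ...` field layout is assumed from the excerpt in the reproduction steps, and `write_sample` writes constructed input, not real db2audit output.

```shell
#!/bin/sh
# Added example, not IBM code. Assumes value records look like the excerpt
# on this page: "type = <SQLTYPE>" and "data = <value>" fields, which may
# share a line or sit on consecutive lines.

# leaked_value_types FILE
# Prints "<TYPE> <count>" for each SQL type that has a logged data value.
# The values themselves are never printed.
leaked_value_types() {
    awk '
    {
        line = $0
        # Consume each "type = X" / "data = Y" field left to right.
        while (match(line, /(type|data) *= *[^ ;]+/)) {
            field = substr(line, RSTART, RLENGTH)
            line = substr(line, RSTART + RLENGTH)
            split(field, kv, / *= */)
            if (kv[1] == "type") {
                pending = kv[2]          # remember type until its data field
            } else if (pending != "") {
                count[pending]++         # a value was logged for this type
                pending = ""
            }
        }
    }
    END { for (t in count) print t, count[t] }' "$1" | sort
}

# extract_is_clean FILE: exit status 0 only if no data values were logged.
extract_is_clean() {
    [ -z "$(leaked_value_types "$1")" ]
}

# Constructed sample input (not real db2audit output) for trying the check.
write_sample() {
    cat > "$1" <<'EOF'
=======================
type = CHAR data = A01 ;
=======================
type = INTEGER
data = 42 ;
type = CHAR data = B02 ;
EOF
}
```

With the functions loaded, `extract_is_clean audit.tab.out` should succeed once the policy no longer logs parameter values; a non-empty `leaked_value_types` report means the extract still carries data and should be handled as sensitive.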
available fix packs:
DB2 Version 10.1 Fix Pack 4 for Linux, UNIX, and Windows
Solution
Problem was first fixed in DB2 UDB Version 10.1 FixPack 4.
Workaround
not known / see Local fix
BUG-Tracking
forerunner : APAR is sysrouted TO one or more of the following: IC98255
follow-up :
Timestamps
Date - problem reported : 04.12.2013
Date - problem closed : 03.06.2014
Date - last modified : 03.06.2014
Problem solved at the following versions (IBM BugInfos)
Problem solved according to the fixlist(s) of the following version(s)
10.1.0.4