Monitoring the use of trigger programs
DB2 Universal Database™ for iSeries™ provides the capability to associate trigger programs with database files. Trigger-program capability is common across the industry for high-function database managers.
When you associate a trigger program with a database file, you specify when the trigger program runs. For example, you can set up the customer order file to run a trigger program whenever a new record is added to the file. When the customer's outstanding balance exceeds the credit limit, the trigger program can print a warning letter to the customer and send a message to the credit manager. Trigger programs are a productive way both to provide application functions and to manage information. Trigger programs also give someone with devious intentions a way to plant a "Trojan horse" on your system: a destructive program can sit unnoticed, waiting to run when a certain event occurs in a database file, and it runs in the job of whoever caused that event.
In history, the Trojan horse was a large hollow wooden horse that was filled with Greek soldiers. After the horse was introduced within the walls of Troy, the soldiers climbed out of the horse and fought the Trojans. In the computer world, a program that hides destructive functions is often called a Trojan horse.
When your system ships, the ability to add a trigger program to a database file is restricted. If you are managing object authority carefully, the typical user will not have sufficient authority to add a trigger program to a database file. (Appendix D in the Security Reference book lists the authority that is required for all commands, including the Add Physical File Trigger (ADDPFTRG) command.)
You can use the Print Trigger Programs (PRTTRGPGM) command to print a list of all the trigger programs in a specific library or in all libraries. The following example shows the report:
    Trigger Programs (Full Report)
    Specified library . . . . . . : CUSTLIB

                              Trigger     Trigger     Trigger   Trigger   Trigger
    Library    File           Library     Program     Time      Event     Condition
    CUSTLIB    MB106          ARPGMLIB    INITADDR    Before    Update    Always
    CUSTLIB    MB107          ARPGMLIB    INITNAME    Before    Update    Always

You can use the initial report as a base to evaluate any trigger programs that already exist on your system. Then, you can print the changed report regularly to see whether new trigger programs have been added to your system. When you evaluate trigger programs, consider the following questions:
- Who created the trigger program? You can use the Display Object Description (DSPOBJD) command to determine this; with DETAIL(*FULL) it shows the user profile that created the object.
- What does the program do? You will have to look at the source program or talk to the program creator to determine this. For example, does the trigger program check to see who the user is? Perhaps the trigger program is waiting for a particular user (such as QSECOFR) to update the file, so that its hidden function runs with that user's authority and gains access to system resources.
After you have established a base of information, you can print the changed report regularly to monitor new trigger programs that have been added to your system. The following example shows the changed report:
    Trigger Programs (Changed Report)
    Specified library . . . . . . : LIBX
    Last changed report . . . . . : 96/01/21 14:33:37

                              Trigger     Trigger     Trigger   Trigger   Trigger
    Library    File           Library     Program     Time      Event     Condition
    INVLIB     MB108          INVPGM      NEWPRICE    After     Delete    Always
    INVLIB     MB110          INVPGM      NEWDSCNT    After     Delete    Always
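The baseline-then-changed-report procedure described above, carried out over the report text itself so that removed triggers and trigger programs in unexpected libraries are caught as well. This is an added example in Python, not IBM code and not a command on this page. It assumes the PRTTRGPGM output has been copied to a stream file (for instance with CPYSPLF) in the column layout shown above; the two sample listings, the JSMITH library and the APPROVED_TRIGGER_LIBS allow-list are constructed for illustration.

```python
"""Baseline-and-diff check over Print Trigger Programs (PRTTRGPGM) listings.

Added example, not code from the original page. It assumes the report
text has been captured to a stream file (for instance with CPYSPLF) in
the column layout shown on the page: library, file, trigger library,
trigger program, time, event, condition. The two listings below are
constructed sample input, and APPROVED_TRIGGER_LIBS is an assumed
allow-list of libraries where sanctioned trigger programs live.
"""
from dataclasses import dataclass

# Constructed baseline listing (the full report you evaluate once).
BASELINE_REPORT = """\
Trigger Programs (Full Report)
Specified library . . . . . . : *ALL
                          Trigger     Trigger     Trigger  Trigger  Trigger
Library    File           Library     Program     Time     Event    Condition
CUSTLIB    MB106          ARPGMLIB    INITADDR    Before   Update   Always
CUSTLIB    MB107          ARPGMLIB    INITNAME    Before   Update   Always
"""

# Constructed later listing: two sanctioned additions in INVLIB, plus a
# trigger whose program sits in a user's private library (JSMITH, assumed).
CURRENT_REPORT = """\
Trigger Programs (Full Report)
Specified library . . . . . . : *ALL
                          Trigger     Trigger     Trigger  Trigger  Trigger
Library    File           Library     Program     Time     Event    Condition
CUSTLIB    MB106          ARPGMLIB    INITADDR    Before   Update   Always
CUSTLIB    MB107          ARPGMLIB    INITNAME    Before   Update   Always
CUSTLIB    MB106          JSMITH      ADDRFIX     After    Insert   Always
INVLIB     MB108          INVPGM      NEWPRICE    After    Delete   Always
INVLIB     MB110          INVPGM      NEWDSCNT    After    Delete   Always
"""

APPROVED_TRIGGER_LIBS = {"ARPGMLIB", "INVPGM"}  # assumed allow-list


@dataclass(frozen=True)
class Trigger:
    file_lib: str
    file: str
    pgm_lib: str
    pgm: str
    time: str       # Before / After
    event: str      # Insert / Update / Delete
    condition: str  # Always / Change


def parse_report(text: str) -> set[Trigger]:
    """Pull the detail lines out of a report; heading lines have other token counts."""
    triggers = set()
    for line in text.splitlines():
        fields = line.split()
        # A detail line has exactly seven columns; the column-heading line
        # also has seven, but starts with the literal word "Library".
        if len(fields) != 7 or fields[0] == "Library":
            continue
        triggers.add(Trigger(*fields))
    return triggers


def changed_triggers(baseline: set[Trigger], current: set[Trigger]):
    """Return (added, removed) relative to the baseline, like the changed report."""
    return current - baseline, baseline - current


def suspicious(triggers, approved=frozenset(APPROVED_TRIGGER_LIBS)):
    """Trigger programs living outside the approved program libraries."""
    return {t for t in triggers if t.pgm_lib not in approved}


def followup_commands(triggers):
    """CL commands to find who created each trigger program; DSPOBJD with
    DETAIL(*FULL) shows the creating user profile. Sorted for stable output."""
    return sorted(
        f"DSPOBJD OBJ({t.pgm_lib}/{t.pgm}) OBJTYPE(*PGM) DETAIL(*FULL)"
        for t in triggers
    )


if __name__ == "__main__":
    base = parse_report(BASELINE_REPORT)
    cur = parse_report(CURRENT_REPORT)
    added, removed = changed_triggers(base, cur)
    for t in sorted(added, key=lambda t: (t.file_lib, t.file, t.pgm)):
        flag = "  <-- program library not approved" if t in suspicious(added) else ""
        print(f"NEW  {t.file_lib}/{t.file} -> {t.pgm_lib}/{t.pgm} "
              f"{t.time} {t.event} {t.condition}{flag}")
    for t in removed:
        print(f"GONE {t.file_lib}/{t.file} -> {t.pgm_lib}/{t.pgm}")
    for cmd in followup_commands(added):
        print(cmd)
```

Run it on a saved baseline and the latest full report; every trigger it reports as NEW is a candidate for the two questions above, and a trigger program that lives outside the libraries you sanction for application code deserves a look at its source before anything else.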