Monitor the use of trigger programs

DB2 Universal Database™ for iSeries™ provides the capability to associate trigger programs with database files. Trigger-program capability is common across the industry for high-function database managers.

When you associate a trigger program with a database file, you specify when the trigger program runs. For example, you can set up the customer order file to run a trigger program whenever a new record is added to the file. When the customer's outstanding balance exceeds the credit limit, the trigger program can print a warning letter to the customer and send a message to the credit manager.

Trigger programs are a productive way both to provide application functions and to manage information. Trigger programs also provide the ability for someone with devious intentions to create a "Trojan horse" on your system. A destructive program can be sitting and waiting to run when a certain event occurs in a database file on your system.
Note: In history, the Trojan horse was a large hollow wooden horse that was filled with Greek soldiers. After the horse was introduced within the walls of Troy, the soldiers climbed out of the horse and fought the Trojans. In the computer world, a program that hides destructive functions is often called a Trojan horse.

When your system ships, the ability to add a trigger program to a database file is restricted. If you are managing object authority carefully, the typical user will not have sufficient authority to add a trigger program to a database file. (Appendix D in the iSeries Security Reference book lists the authority that is required for all commands, including the Add Physical File Trigger (ADDPFTRG) command.)

You can use the Print Trigger Programs (PRTTRGPGM) command to print a list of all the trigger programs in a specific library or in all libraries. The following example shows the full report:

                                           Trigger Programs (Full Report)
 
Specified library  . . . . . . :   CUSTLIB
                              Trigger        Trigger        Trigger         Trigger         Trigger
Library        File           Library        Program        Time            Event           Condition
CUSTLIB        MB106          ARPGMLIB       INITADDR       Before          Update          Always
CUSTLIB        MB107          ARPGMLIB       INITNAME       Before          Update          Always

You can use the initial report as a base to evaluate any trigger programs that already exist on your system: for each one, confirm that the file, the trigger program, its library, and the time and event at which it runs are what you expect.

When you evaluate trigger programs, consider the following questions:

After you have established a base of information, you can print the changed report regularly to monitor new trigger programs that have been added to your system. The following example shows the changed report:

                                            Trigger Programs (Changed Report)
Specified library  . . . . . . :   LIBX
Last changed report  . . . . . :   96/01/21  14:33:37
                              Trigger        Trigger        Trigger         Trigger         Trigger
Library        File           Library        Program        Time            Event           Condition
INVLIB         MB108          INVPGM         NEWPRICE       After           Delete          Always
INVLIB         MB110          INVPGM         NEWDSCNT       After           Delete          Always
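The full and changed reports above are what you compare by hand. The following Python script is an added example, not IBM code and not part of this page's original content: it parses saved PRTTRGPGM report text using the column layout shown above, diffs a current full report against the baseline you kept, and flags any trigger whose program lives outside a set of approved libraries. The approved-library set (`APPROVED_TRIGGER_LIBRARIES`) is an assumption for the example, and both report texts are constructed from the sample rows on this page.

```python
"""Parse PRTTRGPGM-style report text and compare it with a saved baseline.

Added example (not IBM's code). The report layout follows the sample
output shown on this page; the baseline/current texts below are constructed
from those sample rows.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Trigger:
    """One data row of the Trigger Programs report."""
    library: str
    file: str
    trigger_library: str
    trigger_program: str
    time: str
    event: str
    condition: str


def parse_report(text: str) -> list[Trigger]:
    """Return the trigger rows from PRTTRGPGM report text.

    Data rows start after the column-header line beginning 'Library File'
    and carry exactly seven whitespace-separated fields (none of the
    report's fields contain spaces).
    """
    rows: list[Trigger] = []
    in_body = False
    for line in text.splitlines():
        fields = line.split()
        if not in_body:
            in_body = fields[:2] == ["Library", "File"]
            continue
        if len(fields) == 7:
            rows.append(Trigger(*fields))
    return rows


def diff_triggers(baseline: list[Trigger],
                  current: list[Trigger]) -> tuple[list[Trigger], list[Trigger]]:
    """Return (added, removed) relative to the baseline report."""
    base, cur = set(baseline), set(current)
    return sorted(cur - base), sorted(base - cur)


# Assumption for this example: the libraries that are allowed to hold trigger
# programs on this system. A trigger pointing anywhere else deserves a look.
APPROVED_TRIGGER_LIBRARIES = {"ARPGMLIB"}


def unapproved(triggers: list[Trigger]) -> list[Trigger]:
    """Triggers whose program lives outside the approved libraries."""
    return [t for t in triggers if t.trigger_library not in APPROVED_TRIGGER_LIBRARIES]


# Constructed sample: the full report from this page, saved as the baseline.
BASELINE_REPORT = """\
                                           Trigger Programs (Full Report)

Specified library  . . . . . . :   *ALL
                              Trigger        Trigger        Trigger         Trigger         Trigger
Library        File           Library        Program        Time            Event           Condition
CUSTLIB        MB106          ARPGMLIB       INITADDR       Before          Update          Always
CUSTLIB        MB107          ARPGMLIB       INITNAME       Before          Update          Always
"""

# Constructed sample: a later full report in which two triggers have appeared
# (rows taken from the page's changed-report sample).
CURRENT_REPORT = """\
                                           Trigger Programs (Full Report)

Specified library  . . . . . . :   *ALL
                              Trigger        Trigger        Trigger         Trigger         Trigger
Library        File           Library        Program        Time            Event           Condition
CUSTLIB        MB106          ARPGMLIB       INITADDR       Before          Update          Always
CUSTLIB        MB107          ARPGMLIB       INITNAME       Before          Update          Always
INVLIB         MB108          INVPGM         NEWPRICE       After           Delete          Always
INVLIB         MB110          INVPGM         NEWDSCNT       After           Delete          Always
"""


def review(baseline_text: str, current_text: str) -> list[str]:
    """Produce one review line per trigger that is new, removed or unapproved."""
    current = parse_report(current_text)
    added, removed = diff_triggers(parse_report(baseline_text), current)
    lines = [f"NEW        {t.library}/{t.file} -> {t.trigger_library}/{t.trigger_program} "
             f"({t.time} {t.event}, {t.condition})" for t in added]
    lines += [f"REMOVED    {t.library}/{t.file} -> {t.trigger_library}/{t.trigger_program}"
              for t in removed]
    lines += [f"UNAPPROVED {t.library}/{t.file} -> {t.trigger_library}/{t.trigger_program}"
              for t in unapproved(current)]
    return lines


if __name__ == "__main__":
    for line in review(BASELINE_REPORT, CURRENT_REPORT):
        print(line)
```

Run it against the text of a saved full report and a fresh one (for example, spooled output copied off the system) and every line it prints is a trigger you have not yet evaluated. Keeping the baseline under change control means the diff, not the whole report, is what you read each period.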