CIS IBM DB2 10 Benchmark
v1.1.0 - 08-31-2016
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License. The link to the license terms can be found at https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.
To further clarify the Creative Commons license related to CIS Benchmark content, you are authorized to copy and redistribute the content for use by you, within your organization and outside your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms as the original Benchmark license and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks is subject to the prior approval of the Center for Internet Security.
Table of Contents
Overview ... 7
Intended Audience ... 7
Consensus Guidance ... 7
Typographical Conventions ... 8
Scoring Information ... 8
Profile Definitions ... 9
Acknowledgements ... 11
Recommendations ... 12
1 Installation and Patches ... 12
1.1 Install the latest fix packs (Not Scored) ... 12
1.2 Use IP address rather than hostname (Scored) ... 13
1.3 Leverage the least privilege principle (Not Scored) ... 15
1.4 Use non-default account names (Scored) ... 16
1.5 Configure DB2 to use non-standard ports (Not Scored) ... 17
1.6 Creating the database with the RESTRICTIVE clause (Not Scored) ... 19
2 DB2 Directory and File Permissions ... 22
2.1 Secure DB2 Runtime Library (Scored) ... 22
2.2 Secure the database container directory (Scored) ... 24
2.3 Set umask value for DB2 admin user .profile file (Scored) ... 25
2.4 Verify the groups within the DB2_GRP_LOOKUP environment variable are appropriate (Windows only) (Not Scored) ... 26
2.5 Verify the domains within the DB2DOMAINLIST environment variable are appropriate (Windows only) (Not Scored) ... 27
3 DB2 Configurations ... 28
3.1.1 Enable audit buffer (Scored) ... 28
3.1.2 Encrypt user data across the network (Scored) ... 30
3.1.3 Require explicit authorization for cataloging (Scored) ... 32
3.1.4 Disable data links support (Scored) ... 34
3.1.5 Secure permissions for default database file path (Scored) ... 36
3.1.6 Set diagnostic logging to capture errors and warnings (Scored) ... 39
3.1.7 Secure permissions for all diagnostic logs (Scored) ... 41
3.1.8 Require instance name for discovery requests (Scored) ... 43
3.1.9 Disable instance discoverability (Scored) ... 45
3.1.10 Authenticate federated users at the instance level (Scored) ... 46
3.1.11 Set maximum connection limits (Scored) ... 48
3.1.12 Set administrative notification level (Scored) ... 51
3.1.13 Enable server-based authentication (Scored) ... 53
3.1.14 Set failed archive retry delay (Scored) ... 55
3.1.15 Auto-restart after abnormal termination (Scored) ... 57
3.1.16 Disable database discovery (Scored) ... 58
3.1.17 Secure permissions for the primary archive log location (Scored) ... 60
3.1.18 Secure permissions for the secondary archive log location (Scored) ... 62
3.1.19 Secure permissions for the tertiary archive log location (Scored) ... 64
3.1.20 Secure permissions for the log mirror location (Scored) ... 66
3.1.21 Establish retention set size for backups (Scored) ... 68
3.1.22 Set archive log failover retry limit (Scored) ... 70
3.2 Database Manager Configuration parameters ... 72
3.2.1 TCP/IP service name - svcename (Scored) ... 72
3.2.2 SSL service name - ssl_svcename (Scored) ... 73
3.2.3 Authentication type for incoming connections at the server - srvcon_auth (Scored) ... 74
3.2.4 Database Manager Configuration parameter: trust_allclnts (Not Scored) ... 75
3.2.5 Database Manager Configuration parameter: trust_clntauth (Not Scored) ... 77
4 Row and Column Access Control (RCAC) ... 79
4.1 Review Organization's Policies against DB2 RCAC Policies (Not Scored) ... 79
4.2 Secure SECADM Authority (Not Scored) ... 81
4.3 Review Users, Groups, and Roles (Not Scored) ... 82
4.4 Review Row Permission logic according to policy (Not Scored) ... 85
4.5 Review Column Mask logic according to policy (Not Scored) ... 86
5 Database Maintenance ... 87
5.1 Enable Backup Redundancy (Not Scored) ... 87
5.2 Protecting Backups (Not Scored) ... 88
5.3 Enable Automatic Database Maintenance (Scored) ... 89
6 Securing Database Objects ... 91
6.1 Restrict Access to SYSCAT.AUDITPOLICIES (Scored) ... 91
6.2 Restrict Access to SYSCAT.AUDITUSE (Scored) ... 93
6.3 Restrict Access to SYSCAT.DBAUTH (Scored) ... 94
6.4 Restrict Access to SYSCAT.COLAUTH (Scored) ... 96
6.5 Restrict Access to SYSCAT.EVENTS (Scored) ... 98
6.6 Restrict Access to SYSCAT.EVENTTABLES (Scored) ... 100
6.7 Restrict Access to SYSCAT.ROUTINES (Scored) ... 102
6.8 Restrict Access to SYSCAT.INDEXAUTH (Scored) ... 103
6.9 Restrict Access to SYSCAT.PACKAGEAUTH (Scored) ... 105
6.10 Restrict Access to SYSCAT.PACKAGES (Scored) ... 106
6.11 Restrict Access to SYSCAT.PASSTHRUAUTH (Scored) ... 107
6.12 Restrict Access to SYSCAT.SECURITYPOLICIES (Scored) ... 109
6.13 Restrict Access to SYSCAT.SECURITYPOLICYEXEMPTIONS (Scored) ... 111
6.14 Restrict Access to SYSCAT.SURROGATEAUTHIDS (Scored) ... 113
6.15 Restrict Access to SYSCAT.ROLEAUTH (Scored) ... 115
6.16 Restrict Access to SYSCAT.ROLES (Scored) ... 117
6.17 Restrict Access to SYSCAT.ROUTINEAUTH (Scored) ... 119
6.18 Restrict Access to SYSCAT.SCHEMAAUTH (Scored) ... 121
6.19 Restrict Access to SYSCAT.SCHEMATA (Scored) ... 122
6.20 Restrict Access to SYSCAT.SEQUENCEAUTH (Scored) ... 124
6.21 Restrict Access to SYSCAT.STATEMENTS (Scored) ... 126
6.22 Restrict Access to SYSCAT.TABAUTH (Scored) ... 128
6.23 Restrict Access to SYSCAT.TBSPACEAUTH (Scored) ... 130
6.24 Restrict Access to Tablespaces (Scored) ... 132
6.25 Restrict Access to SYSCAT.MODULEAUTH (Scored) ... 134
6.26 Restrict Access to SYSCAT.VARIABLEAUTH (Scored) ... 136
6.27 Restrict Access to SYSCAT.WORKLOADAUTH (Scored) ... 138
6.28 Restrict Access to SYSCAT.XSROBJECTAUTH (Scored) ... 140
6.29 Restrict Access to SYSCAT.AUTHORIZATIONIDS (Scored) ... 142
6.30 Restrict Access to SYSIBMADM.OBJECTOWNERS (Scored) ... 144
6.31 Restrict Access to SYSIBMADM.PRIVILEGES (Scored) ... 146
7 DB2 Authorities ... 148
7.1 Secure SYSADM authority (Scored) ... 148
7.2 Secure SYSCTRL authority (Scored) ... 150
7.3 Secure SYSMAINT Authority (Scored) ... 152
7.4 Secure SYSMON Authority (Scored) ... 154
7.5 Secure SECADM Authority (Scored) ... 156
7.6 Secure DBADM Authority (Scored) ... 158
7.7 Secure SQLADM Authority (Scored) ... 160
7.8 Secure DATAACCESS Authority (Scored) ... 161
7.9 Secure ACCESSCTRL Authority (Scored) ... 162
7.10 Secure WLMADM authority (Scored) ... 163
7.11 Secure CREATETAB Authority (Scored) ... 164
7.12 Secure BINDADD Authority (Scored) ... 166
7.13 Secure CONNECT Authority (Scored) ... 168
7.14 Secure LOAD Authority (Scored) ... 170
7.15 Secure EXTERNALROUTINE Authority (Scored) ... 172
7.16 Secure QUIESCECONNECT Authority (Scored) ... 174
8 DB2 Roles ... 176
8.1 Review Roles (Scored) ... 176
8.2 Review Role Members (Scored) ... 178
8.3 Nested Roles (Scored) ... 180
8.4 Review Roles granted to PUBLIC (Scored) ... 181
8.5 Review Role Grantees with WITH ADMIN OPTION (Scored) ... 183
9 General Policy and Procedures ... 184
9.1 Start and Stop DB2 Instance (Not Scored) ... 184
9.2 Remove Unused Schemas (Not Scored) ... 186
9.3 Review System Tablespaces (Scored) ... 187
9.4 Remove Default Databases (Scored) ... 188
9.5 Enable SSL communication with LDAP server (Scored) ... 190
9.6 Secure the permission of the IBMLDAPSecurity.ini file (Scored) ... 191
9.7 Secure the permission of the SSLconfig.ini file (Scored) ... 193
9.8 Ensure Trusted Contexts are enabled (Not Scored) ... 195
9.9 Secure plug-in library locations (Not Scored) ... 196
9.10 Ensure that security plug-in support for two-part user IDs is enabled (Not Scored) ... 198
9.11 Ensure permissions on communication exit library locations (Not Scored) ... 200
9.12 Ensure audit policies are enabled within the database (Not Scored) ... 202
Appendix: Summary Table ... 203
Appendix: Change History ... 207
Overview
This document, Security Configuration Benchmark for IBM DB2, provides prescriptive guidance for establishing a secure configuration posture for DB2 versions 10.x running on Linux and Windows. This guide was tested against DB2 version 10.5 installed on Windows Server 2008 R2 and CentOS 6. To obtain the latest version of this guide, please visit http://cisecurity.org. If you have questions or comments, or have identified ways to improve this guide, please write us at feedback@cisecurity.org.
Intended Audience
This document is intended for system and application administrators, security specialists, auditors, help desk, and platform deployment personnel, who plan to develop, deploy, assess, or secure solutions that incorporate DB2 on Linux and Windows platforms.
Consensus Guidance
This benchmark was created using a consensus review process comprised of subject matter experts. Consensus participants provide perspective from a diverse set of backgrounds including consulting, software development, audit and compliance, security research, operations, government, and legal.
Each CIS benchmark undergoes two phases of consensus review. The first phase occurs during initial benchmark development. During this phase, subject matter experts convene to discuss, create, and test working drafts of the benchmark. This discussion occurs until consensus has been reached on benchmark recommendations. The second phase begins after the benchmark has been published. During this phase, all feedback provided by the Internet community is reviewed by the consensus team for incorporation in the benchmark. If you are interested in participating in the consensus process, please visit https://community.cisecurity.org.
Typographical Conventions
The following typographical conventions are used throughout this guide:
Convention: Meaning
Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>: Italic texts set in angle brackets denote a variable requiring substitution for a real value.
Italic font: Used to denote the title of a book, article, or other publication.
Note: Additional information or caveats
Scoring Information
A scoring status indicates whether compliance with the given recommendation impacts the assessed target's benchmark score. The following scoring statuses are used in this benchmark:
Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score. Compliance with "Scored" recommendations will increase the final benchmark score.
Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final benchmark score. Compliance with "Not Scored" recommendations will not increase the final benchmark score.
Profile Definitions
The following configuration profiles are defined by this Benchmark:
• Level 1 - RDBMS
Items in this profile apply to the RDBMS proper and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 2 - RDBMS
This profile extends the "Level 1" profile. Items in this profile exhibit one or more of the following characteristics:
o Are intended for environments or use cases where security is paramount
o Acts as defense in depth measure
o May negatively inhibit the utility or performance of the technology
• Level 1 - Windows Host OS
Items in this profile apply to the Windows Host OS proper and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 2 - Windows Host OS
This profile extends "Level 1 - Windows Host OS". Items in this profile exhibit one or more of the following characteristics:
o Are intended for environments or use cases where security is paramount
o Acts as defense in depth measure
o May negatively inhibit the utility or performance of the technology
• Level 1 - Linux Host OS
Items in this profile apply to the Linux Host OS proper and intend to:
o Be practical and prudent;
o Provide a clear security benefit; and
o Not inhibit the utility of the technology beyond acceptable means.
• Level 2 - Linux Host OS
This profile extends "Level 1 - Linux Host OS". Items in this profile exhibit one or more of the following characteristics:
o Are intended for environments or use cases where security is paramount
o Acts as defense in depth measure
o May negatively inhibit the utility or performance of the technology
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject matter experts can accomplish through consensus collaboration. The CIS community thanks the entire consensus team with special recognition to the following individuals who contributed greatly to the creation of this guide:
Contributor
Adam Montville
Timothy Harrison
Editor
Karen Scarfone
Chris Bielinski
Recommendations
1 Installation and Patches
1.1 Install the latest fix packs (Not Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
Periodically, IBM releases fix packs to enhance features and resolve defects, including security defects. It is recommended that the DB2 instance remain current with all fix packs.
Rationale:
Installing the latest DB2 fix pack will help protect the database from known vulnerabilities as well as reduce downtime that may otherwise result from functional defects.
Audit:
Perform the following DB2 commands to obtain the version:
1. Open the DB2 Command Window and type in db2level:

    $ db2level
    DB21085I Instance "DB2" uses "32" bits and DB2 code release "SQL09050" with level identifier "03010107". Informational tokens are "DB2 v9.5.0.808", "s071001", "NT3295", and Fix Pack "3".

Remediation:
Apply the latest fix pack as offered from IBM.
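The audit step above only tells you to read db2level output; an assessor usually wants to compare the reported level against an agreed baseline across many instances. The following script is an added example, not part of the CIS benchmark or of IBM's tooling. It parses the "DB2 vX.Y.Z.B" and Fix Pack tokens that db2level prints and checks them against a required (major, minor, fix pack) tuple. The first sample line is the 9.5 output quoted in the benchmark; note that it predates the 10.x releases this benchmark covers. The second sample is constructed to resemble a 10.5 Fix Pack 7 instance (the instance name, build tokens and level identifier in it are made up).

```python
import re

# Sample 1: the db2level output quoted in the benchmark's Audit step (a 9.5 instance).
SAMPLE_DB2LEVEL_95 = (
    'DB21085I Instance "DB2" uses "32" bits and DB2 code release "SQL09050" '
    'with level identifier "03010107". Informational tokens are "DB2 v9.5.0.808", '
    '"s071001", "NT3295", and Fix Pack "3".'
)
# Sample 2: constructed to look like a 10.5 Fix Pack 7 instance; the tokens are invented.
SAMPLE_DB2LEVEL_105 = (
    'DB21085I This instance or install (instance name, where applicable: "db2inst1") '
    'uses "64" bits and DB2 code release "SQL10057" with level identifier "0608010E". '
    'Informational tokens are "DB2 v10.5.0.7", "s151221", "IP23920", and Fix Pack "7".'
)

VERSION_RE = re.compile(r'"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)"')
FIXPACK_RE = re.compile(r'Fix Pack "(\d+)"')


def parse_db2level(text):
    """Return (major, minor, mod, build, fixpack) from db2level output, or None if
    either token is missing (for example on a damaged or truncated capture)."""
    version = VERSION_RE.search(text)
    fixpack = FIXPACK_RE.search(text)
    if not version or not fixpack:
        return None
    return tuple(int(x) for x in version.groups()) + (int(fixpack.group(1)),)


def is_current(text, required):
    """required is (major, minor, fixpack). Passes only when the instance is on the
    expected major.minor release and its fix pack is at or above the required one;
    a different release is reported rather than compared, because fix pack numbers
    are not comparable across releases."""
    parsed = parse_db2level(text)
    if parsed is None:
        return False, "could not parse db2level output"
    major, minor, _mod, _build, fixpack = parsed
    req_major, req_minor, req_fp = required
    if (major, minor) != (req_major, req_minor):
        return False, f"release {major}.{minor} is not the expected {req_major}.{req_minor}"
    if fixpack < req_fp:
        return False, f"fix pack {fixpack} is below the required fix pack {req_fp}"
    return True, f"{major}.{minor} fix pack {fixpack} meets the baseline"


if __name__ == "__main__":
    baseline = (10, 5, 7)  # assumed organizational baseline, not a CIS value
    for label, output in (("9.5 sample", SAMPLE_DB2LEVEL_95), ("10.5 sample", SAMPLE_DB2LEVEL_105)):
        ok, reason = is_current(output, baseline)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
```

On a live system, feed the captured output of db2level (for example `subprocess.run(["db2level"], capture_output=True, text=True).stdout`) to is_current instead of the samples. The baseline tuple is an assumption: the benchmark says "latest fix pack", so the value has to come from IBM's current fix pack list for the release you run.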
1.2 Use IP address rather than hostname (Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
Use an IP address rather than a hostname to connect to the host of the DB2 instance.
Rationale:
Using a hostname to connect to a DB2 instance can display useful information about the host to an attacker. For example, hostnames for DB2 instances often contain the DB2 version number, host type, or operating system type.
Audit:
Windows:
1. Run DB2 Command Prompt - Administrator
2. Type 'db2 list node directory show detail'
3. Verify that the 'HOSTNAME' values for all nodes listed are in IP address form and not hostnames
Linux:
1. Log in to DB2 as the DB2 instance owner
2. Type 'db2 list node directory show detail'
3. Verify that the 'HOSTNAME' values for all nodes listed are in IP address form and not hostnames
Sample:

    Node Directory

    Number of entries in the directory = 2

    Node 1 entry:

     Node name                = SAMPLE
     Comment                  =
     Directory entry type     = LDAP
     Protocol                 = TCPIP
     Hostname                 = 192.168.145.10
     Service name             = 50000
Remediation:
1. Drop all existing nodes
2. Recreate the node directory using IP addresses and not hostnames
Default Value:
IP address
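Step 3 of the audit is a visual check of every node entry. The following script is an added example, not part of the CIS benchmark or of IBM's tooling; it parses the "Node N entry:" blocks that `db2 list node directory show detail` prints and reports every TCPIP node whose Hostname is not an IP literal, so the check can be run over all cataloged nodes at once. The sample output is constructed: the first entry mirrors the one shown in the benchmark, the second carries a made-up hostname of the kind the rationale warns about (it leaks the DB2 version, the OS and the host role).

```python
import ipaddress
import re

# Constructed sample of `db2 list node directory show detail` output.
SAMPLE_NODE_DIRECTORY = """\
 Node Directory

 Number of entries in the directory = 2

Node 1 entry:

 Node name                      = SAMPLE
 Comment                        =
 Directory entry type           = LOCAL
 Protocol                       = TCPIP
 Hostname                       = 192.168.145.10
 Service name                   = 50000

Node 2 entry:

 Node name                      = PRODNODE
 Comment                        = constructed entry
 Directory entry type           = LOCAL
 Protocol                       = TCPIP
 Hostname                       = db2v105-win2008-prod.example.com
 Service name                   = 50000
"""

ENTRY_HEADER = re.compile(r"^Node \d+ entry:", re.MULTILINE)
# One "Field name = value" line; [ \t] rather than \s so a blank value
# ("Comment =") cannot swallow the following line.
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z ]*?)[ \t]*=[ \t]*(.*?)[ \t]*$", re.MULTILINE)


def parse_node_directory(text):
    """Split CLP output into one {field: value} dict per node entry."""
    return [dict(FIELD.findall(chunk)) for chunk in ENTRY_HEADER.split(text)[1:]]


def is_ip_literal(value):
    """True for a valid IPv4 or IPv6 literal, False for anything else (names, blanks)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def find_hostname_nodes(text):
    """Return (node name, hostname) for every TCPIP node cataloged by name."""
    findings = []
    for entry in parse_node_directory(text):
        host = entry.get("Hostname", "")
        if entry.get("Protocol") == "TCPIP" and not is_ip_literal(host):
            findings.append((entry.get("Node name"), host))
    return findings


if __name__ == "__main__":
    for node, host in find_hostname_nodes(SAMPLE_NODE_DIRECTORY):
        print(f"node {node} is cataloged by hostname: {host}")
```

Each finding maps to the remediation above: `db2 uncatalog node <name>` followed by `db2 catalog tcpip node <name> remote <ip> server <port>`, run as the instance owner. Re-run the check afterwards; a node whose Hostname resolves through LDAP or DNS to an IP still reads as a name in the directory and still fails this recommendation.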
1.3 Leverage the least privilege principle (Not Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The DB2 database instance will execute under the context of a given security principal. It is recommended that this service have the least privileges possible. Furthermore, it is advisable to have the DB2 service executed using the DB2 instance owner and to monitor such accounts for unauthorized access to sensitive data.
Rationale:
Leveraging a least privilege account for the DB2 service will reduce an attacker's ability to compromise the host operating system should the DB2 service process become compromised.
Audit:
Review all accounts that have access to the DB2 database service to ensure least privilege is applied.
Remediation:
Ensure that all accounts have the absolute minimal privilege granted to perform their tasks.
1.4 Use non-default account names (Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
The DB2 service is installed with default accounts with well-known names such as db2admin, db2inst1, dasusr1, or db2fenc1. It is recommended that the use of these account names be avoided. The default accounts may be renamed and then used.
Rationale:
The use of default account names may increase the DB2 service's susceptibility to unauthorized access by an attacker.
Audit:
For Windows:
1. Review the list of users for the system and confirm that none of the account names are db2admin, db2inst1, dasusr1, or db2fenc1.
For Linux:
1. Review /etc/passwd and confirm that none of the account names are db2admin, db2inst1, dasusr1, or db2fenc1.
Remediation:
For each account with a default name, either change the name to a name that is not well-known or delete the account if it is not needed.
1.5 Configure DB2 to use non-standard ports (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 2 - Windows Host OS
• Level 1 - Linux Host OS
• Level 2 - Linux Host OS
Description:
If enabled, the default DB2 instance will be assigned a default port of TCP:50000 for TCP/IP communication. TCP:50000 is a widely known DB2 port, so this port assignment should be changed. Though deprecated, if you still use the DAS, its default port uses TCP:523 and should be changed.
Rationale:
Using a non-default port helps reduce the number of attacks directed at the database through its port.
Audit:
Use the appropriate command below to identify the assigned port and confirm that it does not use the default value of 50000.
Linux:

    grep db2 /etc/services

Windows:

    netstat -bao

Remediation:
Assign a non-default port (a value other than 50000) to the default DB2 instance.
Impact:
Changing the port will break connectivity for any servers, clients, etc. configured to access the DB instance at the original port. Any port number changes need to be coordinated to prevent inadvertent outages.
References:
1. http://www.ibm.com/support/knowledgecenter/en/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/c0060794.html
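The Linux audit above greps /etc/services by hand. The following script is an added example, not part of the CIS benchmark or of IBM's tooling; it parses /etc/services-style lines (comments stripped, port/protocol split) and reports every DB2-related service that still sits on one of the two well-known defaults named in the description, 50000 for the instance and 523 for the DAS. The excerpt is constructed; the db2c_<instance> and DB2_<instance> names follow the pattern the DB2 installer registers, while the db2das entry is made up for the example.

```python
# Constructed /etc/services excerpt (not a real host's file).
SAMPLE_SERVICES = """\
# /etc/services (constructed excerpt)
ssh             22/tcp
db2c_db2inst1   50000/tcp   # DB2 connection port left at the installer default
DB2_db2inst1    60000/tcp
DB2_db2inst1_1  60001/tcp
db2das          523/tcp     # deprecated DB2 administration server
db2c_db2inst2   50010/tcp
"""

# Well-known defaults from the recommendation text.
DEFAULT_PORTS = {50000: "DB2 instance default", 523: "DAS default"}


def parse_services(text):
    """Yield (service, port, protocol) for each non-comment /etc/services line,
    skipping lines that do not have a port/protocol field."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        yield parts[0], int(port), proto


def db2_default_port_findings(text):
    """Return (service, port, reason) for DB2 services registered on a default port.
    The name match is case-insensitive because the installer writes both
    db2c_<inst> and DB2_<inst> entries."""
    findings = []
    for name, port, _proto in parse_services(text):
        if name.lower().startswith("db2") and port in DEFAULT_PORTS:
            findings.append((name, port, DEFAULT_PORTS[port]))
    return findings


if __name__ == "__main__":
    for name, port, reason in db2_default_port_findings(SAMPLE_SERVICES):
        print(f"{name} is on {port} ({reason})")
```

/etc/services only shows what is registered by name; the port DB2 actually listens on is whatever the svcename database manager configuration parameter names (covered in 3.2.1), which may be a number rather than a service name. Confirm the live listener with `ss -ltnp` or `netstat -ltnp` as well, and run the script over the real file with `db2_default_port_findings(open("/etc/services").read())`.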
1.6CreatingthedatabasewiththeRESTERICTIVEclause(NotScored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
ThisparameterindicateswhetherthedatabasewascreatedwiththeRESTRICTIVEclauseintheCREATEDATABASEstatement.Whencreatingadatabase,theuseoftheRESTRICTIVEclausewillcausecertaincommandstoberevokedfromPUBLIC.
Rationale:
AllowingthedefaultprivilegesgrantedtothegroupPUBLICtoremainintackcanhavenegativeimpactsonthedatabaseaswellasunderminemeasuresputinplacetolimitaccesstoauthorizedusers.
Audit:
db2=> select case when value = '-1' then 'automatic' when value = '' then 'NULL' else value end as value from sysibmadm.dbcfg where name = 'restrict_access'
Remediation:
There is no remediation for this parameter due to the fact that the placement of the RESTRICTIVE clause happens within the CREATE DATABASE statement. Unless your backup strategies allow for a complete overhaul of your environment where you are able to recreate the database with the RESTRICTIVE clause, we do not recommend changing this parameter. However, if you would like to align your database configuration to that which the RESTRICTIVE clause would provide, please ensure the following:
1. SYSCAT.DBAUTH – Ensure PUBLIC is NOT granted the following authorities:
• CREATETAB
• BINDADD
• CONNECT
• IMPLICIT_SCHEMA
2. SYSCAT.TABAUTH – Ensure PUBLIC is NOT granted the following privileges:
• SELECT on all SYSCAT and SYSIBM tables
• SELECT and UPDATE on all SYSSTAT tables
• SELECT on the following views in schema SYSIBMADM:
o ALL_*
o USER_*
o ROLE_*
o SESSION_*
o DICTIONARY
o TAB
3. SYSCAT.ROUTINEAUTH – Ensure PUBLIC is NOT granted the following privileges:
• EXECUTE with GRANT on all procedures in schema SQLJ
• EXECUTE with GRANT on all functions and procedures in schema SYSFUN
• EXECUTE with GRANT on all functions and procedures in schema SYSPROC
• EXECUTE on all table functions in schema SYSIBM
• EXECUTE on all other procedures in schema SYSIBM
4. SYSCAT.MODULEAUTH – Ensure PUBLIC is NOT granted the following privileges:
• EXECUTE on the following modules in schema SYSIBMADM:
o DBMS_DDL
o DBMS_JOB
o DBMS_LOB
o DBMS_OUTPUT
o DBMS_SQL
o DBMS_STANDARD
o DBMS_UTILITY
5. SYSCAT.PACKAGEAUTH – Ensure PUBLIC is NOT granted the following privileges:
• BIND on all packages created in the NULLID schema
• EXECUTE on all packages created in the NULLID schema
6. SYSCAT.SCHEMAAUTH – Ensure PUBLIC is NOT granted the following privileges:
• CREATEIN on schema SQLJ
• CREATEIN on schema NULLID
7. SYSCAT.TBSPACEAUTH – Ensure PUBLIC is NOT granted the USE privilege on table space USERSPACE1.
8. SYSCAT.WORKLOADAUTH – Ensure PUBLIC is NOT granted the USAGE privilege on SYSDEFAULTUSERWORKLOAD.
9. SYSCAT.VARIABLEAUTH – Ensure PUBLIC is NOT granted the READ privilege on schema global variables in the SYSIBM schema.
References:
1. https://www.ibm.com/support/knowledgecenter/en/SSEPGG_10.5.0/com.ibm.db2.luw.admin.cmd.doc/doc/r0001941.html
2. https://www.ibm.com/support/knowledgecenter/en/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0054269.html
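The following shell script is an added example and is not part of the CIS benchmark text. It turns items 1 and 2 of the remediation list above into catalog queries run through the db2 command line processor and generates the REVOKE statements that bring PUBLIC in line with what a RESTRICTIVE database would have. The column names are those of the SYSCAT.DBAUTH and SYSCAT.TABAUTH catalog views; the function names and the catalog rows used for the stand-alone run are constructed for this example, not output from a real instance. Note that revoking CONNECT from PUBLIC means every user who should connect needs an explicit grant first, so review the generated statements before running them.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): generate the REVOKE statements
# needed to remove the RESTRICTIVE-clause privileges that PUBLIC still holds.
# The catalog rows below are constructed samples.

# Run through the CLP as:  db2 -x "$DBAUTH_QUERY" | dbauth_revokes
DBAUTH_QUERY="SELECT GRANTEE, CREATETABAUTH, BINDADDAUTH, CONNECTAUTH, IMPLSCHEMAAUTH
              FROM SYSCAT.DBAUTH WHERE GRANTEE = 'PUBLIC'"

# Rows on stdin: GRANTEE CREATETABAUTH BINDADDAUTH CONNECTAUTH IMPLSCHEMAAUTH (Y or N).
# Prints one REVOKE per database authority PUBLIC still holds (item 1 of the list).
dbauth_revokes() {
    awk '$1 == "PUBLIC" {
        if ($2 == "Y") print "REVOKE CREATETAB ON DATABASE FROM PUBLIC"
        if ($3 == "Y") print "REVOKE BINDADD ON DATABASE FROM PUBLIC"
        if ($4 == "Y") print "REVOKE CONNECT ON DATABASE FROM PUBLIC"
        if ($5 == "Y") print "REVOKE IMPLICIT_SCHEMA ON DATABASE FROM PUBLIC"
    }'
}

# Run through the CLP as:  db2 -x "$TABAUTH_QUERY" | tabauth_revokes
TABAUTH_QUERY="SELECT GRANTEE, TABSCHEMA, TABNAME, SELECTAUTH, UPDATEAUTH
               FROM SYSCAT.TABAUTH WHERE GRANTEE = 'PUBLIC'
               AND TABSCHEMA IN ('SYSCAT', 'SYSIBM', 'SYSSTAT')"

# Rows on stdin: GRANTEE TABSCHEMA TABNAME SELECTAUTH UPDATEAUTH, where each
# flag is N, Y or G (granted with GRANT option). SELECT is revoked on all three
# schemas, UPDATE only on SYSSTAT objects (item 2 of the list).
tabauth_revokes() {
    awk '$1 == "PUBLIC" {
        if ($4 != "N") print "REVOKE SELECT ON " $2 "." $3 " FROM PUBLIC"
        if ($2 == "SYSSTAT" && $5 != "N") print "REVOKE UPDATE ON " $2 "." $3 " FROM PUBLIC"
    }'
}

# Number of statements generated for rows passed as a string.
# Usage: count_revokes dbauth|tabauth "<rows>"
count_revokes() {
    printf '%s\n' "$2" | "${1}_revokes" | wc -l | tr -d ' '
}

# Constructed samples: what a database created without RESTRICTIVE typically
# shows for PUBLIC (all four database authorities) and three catalog objects.
SAMPLE_DBAUTH='PUBLIC Y Y Y Y'
SAMPLE_TABAUTH='PUBLIC SYSCAT TABLES Y N
PUBLIC SYSSTAT COLUMNS Y Y
PUBLIC SYSIBM SYSTABLES N N'

# Stand-alone run: prints the seven REVOKE statements for the samples.
printf '%s\n' "$SAMPLE_DBAUTH" | dbauth_revokes
printf '%s\n' "$SAMPLE_TABAUTH" | tabauth_revokes
```

The `db2 -x` option suppresses column headers and the row count, so only data rows reach the awk filters; the remaining items of the list (routines, modules, packages, schemas, table spaces, workloads, variables) follow the same pattern against their own SYSCAT view.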
2 DB2 Directory and File Permissions
This section provides guidance on securing all operating system specific objects for DB2.
2.1 Secure DB2 Runtime Library (Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
A DB2 software installation will place all executables under the default <DB2PATH>\sqllib directory. This directory needs to be secured so it grants only the necessary access to authorized users and administrators.
Rationale:
The DB2 runtime is comprised of files that are executed as part of the DB2 service. If these resources are not secured, an attacker may alter them to execute arbitrary code.
Audit:
Perform the following to obtain the value for this setting:
For Windows:
1. Connect to the DB2 host
2. Right-click on the NODE000x/sqldbdir directory
3. Choose Properties
4. Select the Security tab
5. Determine the permissions for DB administrator accounts and all other accounts
For Linux:
1. Connect to the DB2 host
2. Change to the NODE000x/sqldbdir directory
3. Determine the permissions for the directory
OS => ls -al
Remediation:
For Windows:
1. Connect to the DB2 host
2. Right-click on the \NODE000x\sqldbdir directory
3. Choose Properties
4. Select the Security tab
5. Select all DB administrator accounts and grant them the Full Control authority
6. Select all other accounts and revoke all privileges other than Read and Execute
For Linux:
1. Connect to the DB2 host
2. Change to the /NODE000x/sqldbdir directory
3. Change the permission level of the directory to this recommended value
OS => chmod -R 755
2.2 Secure the database container directory (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
A DB2 database container is the physical storage of the data.
Rationale:
The containers are needed in order for the database to operate properly. The loss of the containers can cause downtime. Also, allowing excessive access to the containers may help an attacker to gain access to their contents. Therefore, secure the location(s) of the containers by restricting the access and ownership. Allow only the instance owner to have access to the table space containers.
Audit:
Review all users that have access to the directory of the containers to ensure only DB2 administrators have full access. All other users should have read-only access.
Remediation:
Set the privileges for the directory of the containers so that only DB2 administrators have full access, and all other users have read-only access.
2.3 Set umask value for DB2 admin user .profile file (Scored)
Profile Applicability:
• Level 1 - Linux Host OS
Description:
The DB2 Admin .profile file in Linux sets the environment variables and the settings for the user.
Rationale:
The umask value should be set to 022 for the owner of the DB2 software at all times.
Audit:
Ensure that the umask 022 setting exists in the .profile.
Remediation:
Add umask 022 to the .profile file.
2.4 Verify the groups within the DB2_GRP_LOOKUP environment variable are appropriate (Windows only) (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 2 - Windows Host OS
Description:
The DB2_GRP_LOOKUP environment variable manages which groups are identified on a local machine/domain level.
Rationale:
Periodic review of these groups is required to ensure that non-essential groups do not have unnecessary authorization.
Audit:
Verify that the DB2_GRP_LOOKUP environment variable includes only the appropriate groups listed within the local machine/domain.
db2set -all
Remediation:
Alter the value of the DB2_GRP_LOOKUP environment variable so that it includes only the appropriate groups listed within the local machine/domain.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0005914.html
2.5 Verify the domains within the DB2DOMAINLIST environment variable are appropriate (Windows only) (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 2 - Windows Host OS
Description:
It is possible to have a user id be represented across multiple domains. Issues could arise when trying to authenticate such a user id. To prevent these issues, a listing of domains should be defined within the DB2DOMAINLIST environment variable. Note: the DB2DOMAINLIST is only effective if the authentication parameter is set to CLIENT.
Rationale:
Periodic review of the domain list assigned to the DB2DOMAINLIST environment variable helps ensure that non-essential domains do not have unnecessary authorizations.
Audit:
Verify that the DB2DOMAINLIST environment variable includes only the appropriate domains.
db2set -all
Remediation:
Alter the value of the DB2DOMAINLIST environment variable so that it includes only the appropriate domains.
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0011962.html?lang=en
3 DB2 Configurations
[This space intentionally left blank]
3.1 DB2 Instance Parameter Settings
This section provides guidance on how DB2 will control the data in the databases and the system resources that are allocated to the instance.
3.1.1 Enable audit buffer (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
DB2 can be configured to use an audit buffer. It is recommended that the audit buffer size be set to at least 1000.
Rationale:
Increasing the audit buffer size to greater than 0 will allocate space for the audit records generated by the audit facility. At scheduled intervals, or when the audit buffer is full, the db2auditd audit daemon empties the audit buffer to disk, writing the audit records asynchronously.
Audit:
Perform the following to determine if the audit buffer is set as recommended:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the AUDIT_BUF_SZ value in the output:
db2 => get database manager configuration
db2 => …
Audit buffer size (4KB) (AUDIT_BUF_SZ) = 1000
Ensure AUDIT_BUF_SZ is greater than or equal to 1000.
Remediation:
Perform the following to establish an audit buffer:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using audit_buf_sz 1000
3.1.2 Encrypt user data across the network (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
DB2 supports a number of authentication mechanisms. It is recommended that the DATA_ENCRYPT authentication mechanism be used.
Rationale:
The DATA_ENCRYPT authentication mechanism employs cryptographic algorithms to protect the confidentiality of authentication credentials and user data as they traverse the network between the DB2 client and server.
Audit:
Perform the following to determine if the authentication mechanism is set as recommended:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the AUTHENTICATION value in the output:
db2 => get database manager configuration
db2 => …
Database manager authentication (AUTHENTICATION) = DATA_ENCRYPT
Note: AUTHENTICATION is set to DATA_ENCRYPT in the above output.
Remediation:
Suggested value is DATA_ENCRYPT so that authentication occurs at the server.
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using authentication data_encrypt
3.1.3 Require explicit authorization for cataloging (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
DB2 can be configured to allow users that do not possess the SYSADM authority to catalog and uncatalog databases and nodes. It is recommended that the catalog_noauth parameter be set to NO.
Rationale:
Cataloging a database is the process of registering a database from a remote client to allow remote call and access. Setting catalog_noauth to YES bypasses all permissions checks and allows anyone to catalog and uncatalog databases.
Audit:
Perform the following to determine if authorization is explicitly required to catalog and uncatalog databases and nodes:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the value of CATALOG_NOAUTH in the output:
db2 => get database manager configuration
db2 => …
Cataloging allowed without authority (CATALOG_NOAUTH) = NO
Note: CATALOG_NOAUTH is set to NO in the above output.
Remediation:
Perform the following to require explicit authorization to catalog and uncatalog databases and nodes.
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using catalog_noauth no
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_9.1.0/com.ibm.db2.udb.admin.doc/doc/r0000143.htm?cp=SSEPGG_9.1.0%2F11-0-0-4-3
3.1.4 Disable datalinks support (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
Datalinks enables the database to support the Data Links Manager to manage unstructured data, such as images, large files and other unstructured files on the host. It is recommended that datalinks support be disabled.
Rationale:
Disable datalinks if there is no use for them as this will reduce the attack surface of the DB2 service.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the DATALINKS value in the output:
db2 => get database manager configuration
db2 => …
Data Links support (DATALINKS) = NO
Note: DATALINKS is set to NO in the above output.
Remediation:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using datalinks no
3.1.5 Secure permissions for default database file path (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
The dftdbpath parameter contains the default file path used to create DB2 databases. It is recommended that the permissions for this directory be set to full access for DB2 administrators and read and execute access only for all other accounts. It is also recommended that this directory be owned by the DB2 Administrator.
Rationale:
Restricting access to the directory used as the default file path through permissions will help ensure that the confidentiality, integrity, and availability of the files there are protected.
Audit:
For Windows and Linux:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate this value in the output to find the default file path:
db2 => get database manager configuration
db2 => …
Default database path (DFTDBPATH) = <valid directory>
Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click over the directory used for the default file path
3. Choose Properties
4. Select the Security tab
5. Review and verify the privileges for all accounts.
6. Review and verify that the DB2 Administrator is the owner of the directory.
Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the directory used as the default file path
3. Review and verify the permissions for the directory for all users; also ensure that the DB2 Administrator is the owner.
OS => ls -al
Remediation:
For Windows and Linux:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window to change the default file path, if necessary:
db2 => update database manager configuration using dftdbpath <valid directory>
Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click over the directory used as the default file path
3. Choose Properties
4. Select the Security tab
5. Assign ownership of the directory to the DB2 Administrator
6. Grant all DB administrator accounts the Full Control authority
7. Grant only read and execute privileges to all other users (revoke all other privileges)
Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the directory used as the default file path
3. Assign the DB2 Administrator to be the owner of the directory using the chown command
4. Change the permissions for the directory
OS => chmod -R 755
3.1.6 Set diagnostic logging to capture errors and warnings (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The diaglevel parameter specifies the type of diagnostic errors that will be recorded in the db2diag.log file. It is recommended that the diaglevel parameter be set to at least 3.
Rationale:
The recommended diaglevel setting is 3, but any value greater than 3 is also acceptable. A value of at least 3 will allow the DB2 instance to capture all errors and warnings that occur on the system.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the DIAGLEVEL value in the output:
db2 => get database manager configuration
db2 => …
Diagnostic error capture level (DIAGLEVEL) = 3
Ensure DIAGLEVEL is greater than or equal to 3.
Remediation:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using diaglevel 3
3.1.7 Secure permissions for all diagnostic logs (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The diagpath parameter specifies the location of the diagnostic files for the DB2 instance. The directory at this location should be secured so that users have read and execute privileges only (no write privileges). All DB2 administrators should have full access to the directory.
Rationale:
Securing the directory will ensure that the confidentiality, integrity, and availability of the diagnostic files contained in the directory are preserved.
Audit:
For both Windows and Linux, perform the following DB2 commands to obtain the location of the directory:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the DIAGPATH value in the output:
db2 => get database manager configuration
db2 => …
Diagnostic data directory path (DIAGPATH) = <valid directory>
Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click over the diagnostic log directory
3. Choose Properties
4. Select the Security tab
5. Review the access for all accounts
Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the diagnostic log directory
3. Review the permissions of the directory
OS => ls -al
Remediation:
For Windows and Linux, to change the directory for the diagnostic logs:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using diagpath <valid directory>
Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click over the diagnostic log directory
3. Choose Properties
4. Select the Security tab
5. Grant the Full Control authority to all DB2 administrator accounts
6. Grant only read and execute privileges to all other accounts (revoke any other privileges)
Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the diagnostic log directory
3. Change the permissions of the directory
OS => chmod -R 755
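The Linux audit steps in 2.1, 2.2, 3.1.5 and 3.1.7 all come down to the same rule (the DB2 instance owner or administrator owns the directory, group and others have at most read and execute, i.e. 755 after the recommended chmod), and 2.3 asks for a umask 022 line in the .profile. The following script is an added example, not part of the CIS benchmark, that applies those two checks to `ls -al` output and .profile text. The function names, the instance owner name db2inst1 and the sample listing and profile contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): evaluate a directory listing
# against the 755 / owner rule and a .profile against the umask 022 rule.
# The listing and profile text below are constructed samples.

# Reads `ls -al` output on stdin and prints "<name> <mode> <owner>" for every
# entry that is group- or world-writable or not owned by $1 ("" skips the
# owner test). The "total" line and ".." are ignored; "." is the directory itself.
# Names containing spaces are not handled (the name is taken as the last field).
find_overpermissive() {
    awk -v owner="$1" '
        NF >= 9 && $NF != ".." {
            grp = substr($1, 5, 3)   # mode characters 5-7: group rwx
            oth = substr($1, 8, 3)   # mode characters 8-10: other rwx
            if (grp ~ /w/ || oth ~ /w/ || (owner != "" && $3 != owner))
                print $NF " " $1 " " $3
        }'
}

# Live directory wrapper, e.g.:  audit_dir_perms /home/db2inst1/sqllib db2inst1
audit_dir_perms() {
    ls -al "$1" | find_overpermissive "$2"
}

# Number of findings for a listing passed as a string.
count_perm_findings() {
    printf '%s\n' "$1" | find_overpermissive "$2" | wc -l | tr -d ' '
}

# True when the profile text on stdin sets umask 022 (the leading zero is
# optional because the shell accepts both spellings). Use: profile_has_umask_022 < ~/.profile
profile_has_umask_022() {
    grep -Eq '^[[:space:]]*umask[[:space:]]+0*22[[:space:]]*$'
}

# Constructed sample listing: sqldbdir is group-writable and scratch.tmp is
# world-writable and owned by another user; everything else is compliant.
SAMPLE_LISTING='total 16
drwxr-xr-x  3 db2inst1 db2iadm1 4096 Aug 31  2016 .
drwxr-xr-x 10 root     root     4096 Aug 31  2016 ..
drwxrwxr-x  2 db2inst1 db2iadm1 4096 Aug 31  2016 sqldbdir
-rw-r--r--  1 db2inst1 db2iadm1  512 Aug 31  2016 db2nodes.cfg
-rw-rw-rw-  1 dbuser2  db2iadm1  512 Aug 31  2016 scratch.tmp'

# Constructed sample .profile for the instance owner.
SAMPLE_PROFILE='# constructed .profile
. /home/db2inst1/sqllib/db2profile
umask 022'

# Stand-alone run: lists the two non-compliant entries, then confirms the umask.
printf '%s\n' "$SAMPLE_LISTING" | find_overpermissive db2inst1
printf '%s\n' "$SAMPLE_PROFILE" | profile_has_umask_022 && echo "umask 022 present"
```

Because the benchmark's remediation is `chmod -R 755`, the same filter can be run over `ls -alR` output to cover the subtree; an empty result means every entry already satisfies the rule.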
3.1.8 Require instance name for discovery requests (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The discover parameter determines what kind of discovery requests, if any, the DB2 server will fulfill. It is recommended that the DB2 server only fulfill requests from clients that know the given instance name (discover parameter value of known).
Rationale:
Discovery capabilities may be used by a malicious entity to derive the names of and target DB2 instances. In this configuration, the client has to specify a known instance name to be able to detect the instance.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the DISCOVER value in the output:
db2 => get database manager configuration
db2 => …
Discovery mode (DISCOVER) = KNOWN
Note: DISCOVER is set to KNOWN in the above output.
Remediation:
The recommended value is KNOWN. Note: this requires a DB2 restart.
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using discover known
3. Restart the DB2 instance.
db2 => db2stop
db2 => db2start
Impact:
It is important to be aware that the implementation of this recommendation results in a brief downtime. It is advisable to ensure that the setting is implemented during an approved maintenance window.
3.1.9 Disable instance discoverability (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The discover_inst parameter specifies whether the instance can be discovered in the network. It is recommended that instances not be discoverable.
Rationale:
Discovery capabilities may be used by a malicious entity to derive the names of and target DB2 instances.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the DISCOVER_INST value in the output:
db2 => get database manager configuration
db2 => …
Discover server instance (DISCOVER_INST) = DISABLE
Note: DISCOVER_INST is set to DISABLE in the above output.
Remediation:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using discover_inst disable
3.1.10 Authenticate federated users at the instance level (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The fed_noauth parameter determines whether federated authentication will be bypassed at the instance. It is recommended that this parameter be set to no.
Rationale:
Setting fed_noauth to no will ensure that authentication is checked at the instance level. This will prevent any federated authentication from bypassing the client and the server.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the FED_NOAUTH value in the output:
db2 => get database manager configuration
db2 => …
Bypass federated authentication (FED_NOAUTH) = NO
Note: FED_NOAUTH is set to NO in the above output.
Remediation:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using fed_noauth no
3.1.11 Set maximum connection limits (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The max_connections parameter indicates the maximum number of client connections allowed per database partition. It is recommended that this parameter be set equal to the max_coordagents parameter. The max_coordagents parameter equals the maximum number of agents needed to perform connections to the database or attachments to the instance.
NOTE: Ensure that dependent parameters, such as maxappls, are set less than the max_coordagents parameter. This would ensure that the lock limit isn't reached, which would result in lock escalation issues.
Rationale:
By default, DB2 allows an unlimited number of users to access the DB2 instance. In addition to giving access to the DB2 instance to authorized users only, it is recommended to set a limit to the number of users allowed to access a DB2 instance. This helps prevent denial of service conditions should an authorized process malfunction and attempt a large number of simultaneous connections.
Audit:
Perform the following DB2 commands to obtain the value(s) for these settings:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the MAX_CONNECTIONS and MAX_COORDAGENTS values in the output:
db2 => get database manager configuration
db2 => …
Max number of client connections (MAX_CONNECTIONS) = 150
Max number of existing agents (MAX_COORDAGENTS) = 150
Note: MAX_CONNECTIONS is set to 150 and the MAX_COORDAGENTS is set to 150 in the above output.
Perform the following DB2 commands to obtain the value of the MAXAPPLS parameter:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => get database configuration
3. Locate the MAXAPPLS value in the output:
db2 => get database configuration
db2 => …
Max Number of Active Applications (MAXAPPLS) = [99]
Note: MAXAPPLS is set to 99 in the above output.
Remediation:
The default value for max_coordagents is set to AUTOMATIC. Allowable range is 1 to 64,000, or -1 for unlimited. The recommended value is 100. The following command will set the max_coordagents to 100, as well as set the max_connections to AUTOMATIC which is also recommended.
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using max_coordagents 100 AUTOMATIC
If maxappls is NOT less than the value for max_coordagents, then adjust the value of maxappls accordingly:
db2 => update database configuration using maxappls <a number less than max_coordagents>
Default Value:
The default value for max_connections is AUTOMATIC.
The default value for max_coordagents is AUTOMATIC.
The default value for maxappls is AUTOMATIC.
3.1.12 Set administrative notification level (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The notifylevel parameter specifies the type of administration notification messages that are written to the administration notification log. It is recommended that this parameter be set greater than or equal to 3. A setting of 3, which includes settings 1 & 2, will log all fatal errors, failing services, system integrity, as well as system health.
Rationale:
The system should be monitoring all Health Monitor alarms, warnings, and attentions. This may give an indication of any malicious usage on the DB2 instance.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the NOTIFYLEVEL value in the output:
db2 => get database manager configuration
db2 => …
Notify Level (NOTIFYLEVEL) = 3
Note: NOTIFYLEVEL is set to 3 in the above output.
Remediation:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using notifylevel 3
Default Value:
The default value of notifylevel is 3.
3.1.13 Enable server-based authentication (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The srvcon_auth parameter specifies how and where authentication is to take place for incoming connections to the server. It is recommended that this parameter is not set to CLIENT.
Rationale:
This parameter will take precedence over and override the authentication level. Authentication should be set on the server side.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the SRVCON_AUTH value in the output:
db2 => get database manager configuration
db2 => ...
Server Connection Authentication (SRVCON_AUTH) = SERVER
Note: SRVCON_AUTH is set to SERVER in the above output.
Remediation:
The recommended value is SERVER. Note: this will require a DB2 restart.
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using srvcon_auth server
3. Restart the DB2 instance.
db2 => db2stop
db2 => db2start
Impact:
It is important to be aware that the implementation of this recommendation results in a brief downtime. It is advisable to ensure that the setting is implemented during an approved maintenance window.
3.1.14 Set failed archive retry delay (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The archretrydelay parameter specifies the number of seconds the DB2 service will wait before it reattempts to archive log files after a failure. It is recommended that this parameter be set anywhere in the range of 10-30. You do not want the delay to be so short that the database ends up in a denial of service scenario, but you don't want the delay to be too long if an outside attack happens at the same time.
Rationale:
Ensure that the value is non-zero, otherwise archive logging will not retry after the first failure. A denial of service attack can render the database without an archive log if this setting is not set. An archive log will ensure that all transactions can safely be restored or logged for auditing.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => get database configuration
3. Locate the ARCHRETRYDELAY value in the output:
db2 => get database configuration
db2 => ...
Log archive retry Delay (secs) (ARCHRETRYDELAY) = 20
Note: ARCHRETRYDELAY is set to 20 in the above output.
Remediation:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. To successfully set the archretrydelay within the 10-30 range, run the following command from the DB2 command window:
db2 => update database configuration using archretrydelay nn (where nn is a value between 10 and 30)
Default Value:
The default value for archretrydelay is 20.
3.1.15 Auto-restart after abnormal termination (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The autorestart parameter specifies if the database instance should restart after an abnormal termination. It is recommended that this parameter be set to ON.
Rationale:
Setting the database to auto-restart will reduce the downtime of the database.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => get database configuration
3. Locate the AUTORESTART value in the output:
db2 => get database configuration
db2 => ...
Auto restart enabled (AUTORESTART) = ON
Note: AUTORESTART is set to ON in the above output.
Remediation:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => update database configuration using autorestart on
3.1.16 Disable database discovery (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The discover_db parameter specifies if the database will respond to a discovery request from a client. It is recommended that this parameter be set to DISABLE.
Rationale:
Setting the database discovery to disabled can hide a database with sensitive data.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => get database configuration
3. Locate the DISCOVER_DB value in the output:
db2 => get database configuration
db2 => ...
Discovery support for this database (DISCOVER_DB) = DISABLE
Note: DISCOVER_DB is set to DISABLE in the above output.
Remediation:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => update database configuration using discover_db disable
3.1.17 Secure permissions for the primary archive log location (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
The logarchmeth1 parameter specifies the type of media and the location used as the primary destination of archived logs. It is recommended that the directory used for the archived logs be set to full access for DB2 administrator accounts and read and execute for all other accounts.
Rationale:
Restricting access to the contents of the primary archive log directory will help ensure that the confidentiality, integrity, and availability of archive logs are protected. Although there are many ways to ensure that your primary logs will be archived, we recommend using the value of DISK as part of the logarchmeth1 parameter. This will properly ensure that the primary logs are archived. A finding of OFF is not acceptable.
Audit:
For Windows and Linux:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate this value in the output to find the primary archive log directory:
db2 => get database manager configuration
db2 => ...
Default database path (LOGARCHMETH1) = <valid directory>
Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click on the primary archive log directory
3. Choose Properties
4. Select the Security tab
5. Review and verify the privileges for all accounts
Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the primary archive log directory
3. Review and verify the permissions for the directory for all users.
OS => ls -al
Remediation:
For Windows and Linux:
1. Attach to the DB2 instance.
2. Run the following command from the DB2 command window to change the primary archive log directory, if necessary:
db2 => update database configuration using logarchmeth1 <valid directory>
Additional steps for Windows (assuming that the logarchmeth1 parameter includes DISK):
1. Connect to the DB2 host
2. Right-click on the primary archive log directory
3. Choose Properties
4. Select the Security tab
5. Grant all DB2 administrator accounts the Full Control authority
6. Grant all other accounts read and execute privileges only (revoke all other privileges)
Additional steps for Linux (assuming that the logarchmeth1 parameter includes DISK):
1. Connect to the DB2 host
2. Change to the primary archive log directory
3. Change the permissions for the directory
OS => chmod -R 755
3.1.18 Secure permissions for the secondary archive log location (Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
The logarchmeth2 parameter specifies the type of media and the location used as the secondary destination for archived logs. It is recommended that the directory used for the archived logs be set to full access for DB2 administrator accounts and read and execute only for all other accounts.
Rationale:
Restricting access to the contents of the secondary archive log directory will help ensure that the confidentiality, integrity, and availability of archive logs are protected. Although there are many ways to ensure that your logs will be archived, we recommend using the value of DISK as part of the logarchmeth2 parameter. This will properly ensure that the logs are archived. A finding of OFF is not acceptable.
Audit:
For Windows and Linux:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate this value in the output to find the secondary archive log directory:
db2 => get database manager configuration
db2 => ...
Default database path (LOGARCHMETH2) = <valid directory>
Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click on the secondary archive log directory
3. Choose Properties
4. Select the Security tab
5. Review and verify the privileges for all accounts
Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the secondary archive log directory
3. Review and verify the permissions for the directory for all users
OS => ls -al
Remediation:
For Windows and Linux:
1. Attach to the DB2 instance.
2. Run the following command from the DB2 command window to change the secondary archive log directory, if necessary:
db2 => update database configuration using logarchmeth2 <valid directory>
Additional steps for Windows (assuming that the logarchmeth2 parameter includes DISK):
1. Connect to the DB2 host
2. Right-click on the secondary archive log directory
3. Choose Properties
4. Select the Security tab
5. Grant all DB2 administrator accounts the Full Control authority
6. Grant all other accounts read and execute privileges only (revoke all other privileges)
Additional steps for Linux (assuming that the logarchmeth2 parameter includes DISK):
1. Connect to the DB2 host
2. Change to the secondary archive log directory
3. Change the permissions for the directory
OS => chmod -R 755
3.1.19 Secure permissions for the tertiary archive log location (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
The failarchpath parameter specifies the type of media and the location used as the tertiary destination of archived logs. It is recommended that the directory used for the archived logs be set to full access for DB2 administrator accounts and read and execute only for all other accounts.
Rationale:
Restricting access to the contents of the tertiary archive log directory will help ensure that the confidentiality, integrity, and availability of archive logs are protected. Although there are many ways to ensure that your logs will be archived, we recommend using the value of DISK as part of the failarchpath parameter. This will properly ensure that the logs are archived. A finding of OFF is not acceptable.
Audit:
For Windows and Linux:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate this value in the output to find the tertiary archive log directory:
db2 => get database manager configuration
db2 => ...
Default database path (FAILARCHPATH) = <valid directory>
Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click on the tertiary archive log directory
3. Choose Properties
4. Select the Security tab
5. Review and verify the privileges for all accounts
Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the tertiary archive log directory
3. Review and verify the permissions for the directory for all users.
OS => ls -al
Remediation:
For Windows and Linux:
1. Attach to the DB2 instance.
2. Run the following command from the DB2 command window to change the tertiary archive log directory, if necessary:
db2 => update database configuration using failarchpath
Additional steps for Windows (assuming that the failarchpath parameter includes DISK):
1. Connect to the DB2 host
2. Right-click on the tertiary archive log directory
3. Choose Properties
4. Select the Security tab
5. Grant all DB2 administrator accounts the Full Control authority
6. Grant all other accounts read and execute privileges only (revoke all other privileges)
For Linux (assuming that the failarchpath parameter includes DISK):
1. Connect to the DB2 host
2. Change to the tertiary archive log directory
3. Change the permissions for the directory
OS => chmod -R 755
3.1.20 Secure permissions for the log mirror location (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The mirrorlogpath parameter specifies the type of media and the location used to store the mirror copy of the logs. It is recommended that the directory used for the mirror copy of the logs be set to full access for DB2 administrator accounts and read and execute only for all other accounts.
Rationale:
A mirror log path should not be empty and it should be a valid path. The mirror log path stores a second copy of the active log files. Access to the directory pointed to by that path should be restricted through permissions to help ensure that the confidentiality, integrity, and availability of the mirror logs are protected.
Audit:
For Windows and Linux, perform the following DB2 commands to obtain the directory location:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => get database configuration
3. Locate the MIRRORLOGPATH value in the output:
db2 => get database configuration
db2 => ...
Mirror log path (MIRRORLOGPATH) = C:\DB2MIRRORLOGS
Note: MIRRORLOGPATH is set to C:\DB2MIRRORLOGS in the above output.
Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click on the mirror log directory
3. Choose Properties
4. Select the Security tab
5. Review and verify the privileges for all accounts
Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the mirror log directory
3. Review and verify the permissions for the directory for all users.
OS => ls -al
Remediation:
For Windows and Linux:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window to change the mirror log directory, if necessary:
db2 => update database configuration using mirrorlogpath <valid path>
Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click on the primary archive log directory
3. Choose Properties
4. Select the Security tab
5. Grant all DB2 administrator accounts the Full Control authority
6. Grant all other accounts read and execute privileges only (revoke all other privileges)
Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the mirror log directory
3. Change the permissions for the directory
OS => chmod -R 755
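On Linux, the `ls -al` review in 3.1.17 through 3.1.20 and the `chmod -R 755` remediation can be automated. The following Python is an added example, not part of the CIS benchmark: it extracts the directory from a DISK: value, walks the tree, and reports any entry that is group- or other-writable, carries extra mode bits, is a symlink, or is not owned by the expected DB2 instance owner (a uid the caller passes in; the demo uses the current user and a constructed temporary tree).

```python
import os
import shutil
import stat
import tempfile


def archive_dir_from_logarchmeth(value):
    """Directory of a DISK:<path> logarchmeth/failarchpath value, else None.
    OFF, TSM:..., VENDOR:... and USEREXIT have no local directory to audit."""
    value = (value or "").strip()
    if value.upper().startswith("DISK:"):
        return value[len("DISK:"):] or None
    return None


def tree_entries(path):
    """Every directory and file under path, each yielded exactly once."""
    for root, _dirs, files in os.walk(path):
        yield root
        for name in files:
            yield os.path.join(root, name)


def audit_dir(path, owner_uid, max_mode=0o755):
    """Return [(entry, issue)] for entries that are group/other writable,
    carry bits beyond max_mode (e.g. setuid), are symlinks, or are not owned
    by owner_uid. An empty list means the tree already matches chmod -R 755
    plus the expected ownership."""
    if not os.path.isdir(path):
        return [(path, "not a directory")]
    issues = []
    for entry in tree_entries(path):
        st = os.lstat(entry)
        if stat.S_ISLNK(st.st_mode):
            issues.append((entry, "symlink inside log directory"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o022:
            issues.append((entry, f"group/other writable: {mode:o}"))
        elif mode & ~max_mode:
            issues.append((entry, f"extra permission bits: {mode:o}"))
        if st.st_uid != owner_uid:
            issues.append((entry, f"owner uid {st.st_uid}, expected {owner_uid}"))
    return issues


def remediate_dir(path, mode=0o755):
    """The benchmark's chmod -R 755, applied entry by entry."""
    for entry in tree_entries(path):
        os.chmod(entry, mode)


def demo():
    """Constructed tree: a compliant top level plus a world-writable NODE0000
    subdirectory holding one log file. Returns (issues before, issues after)."""
    base = tempfile.mkdtemp(prefix="db2arch_")
    try:
        os.chmod(base, 0o755)
        node = os.path.join(base, "NODE0000")
        os.mkdir(node)
        os.chmod(node, 0o777)            # the finding we expect to catch
        log = os.path.join(node, "S0000001.LOG")
        open(log, "w").close()
        os.chmod(log, 0o644)
        before = audit_dir(base, os.getuid())
        remediate_dir(base)
        after = audit_dir(base, os.getuid())
        return before, after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```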
3.1.21 Establish retention set size for backups (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The num_db_backups parameter specifies the number of backups to retain for a database before marking the oldest backup as deleted. It is recommended that this parameter be set to at least 12.
Rationale:
Retain multiple copies of the database backup to ensure that the database can recover from an unexpected failure. This parameter should not be set to 0. Multiple backups should be kept to ensure that all logs and transactions can be used for auditing.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => get database configuration
3. Locate the NUM_DB_BACKUPS value in the output:
db2 => get database configuration
db2 => ...
Number of database backups to retain (NUM_DB_BACKUPS) = 12
Note: NUM_DB_BACKUPS is set to 12 in the above output.
Remediation:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => update database configuration using num_db_backups 12
3.1.22 Set archive log failover retry limit (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The numarchretry parameter determines how many times a database will try to archive the log file to the primary or the secondary archive destination before trying the failover directory. It is recommended that this parameter be set to 5.
Rationale:
Establishing a failover retry time limit will ensure that the database will always have a means to recover from an abnormal termination. This parameter should not be set to 0.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => get database configuration
3. Locate the NUMARCHRETRY value in the output:
db2 => get database configuration
db2 => ...
Number of log archive retries on error (NUMARCHRETRY) = 5
Note: NUMARCHRETRY is set to 5 in the above output.
Remediation:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => update database configuration using numarchretry 5
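The value checks in 3.1.11 through 3.1.22 all read "(PARAM) = value" lines from the `get database manager configuration` and `get database configuration` output, so they can be applied to a saved copy of that output. The following Python is an added example, not part of the CIS benchmark; the sample output is constructed, and the fallback from a NOT_SPECIFIED srvcon_auth to the authentication parameter follows the description in 3.2.3.

```python
import re

# A CLP configuration line ends in "(PARAM) = value"; the token in parentheses
# is the parameter name quoted in the Audit steps above.
CFG_LINE = re.compile(r"\(([A-Z0-9_]+)\)\s*=\s*(.*?)\s*$")

# Constructed sample, trimmed to the lines this check reads; real output from
# get database manager configuration / get database configuration is longer.
SAMPLE_CFG = """\
 Max number of coordinating agents        (MAX_COORDAGENTS) = 100
 Database manager authentication           (AUTHENTICATION) = SERVER
 Server Connection Authentication             (SRVCON_AUTH) = CLIENT
 Notify Level                                 (NOTIFYLEVEL) = 3
 Discovery support for this database          (DISCOVER_DB) = DISABLE
 Max Number of Active Applications               (MAXAPPLS) = [99]
 Auto restart enabled                         (AUTORESTART) = ON
 Log archive retry Delay (secs)            (ARCHRETRYDELAY) = 20
 Number of log archive retries on error      (NUMARCHRETRY) = 5
 First log archive method                    (LOGARCHMETH1) = DISK:/db2/archive/
 Mirror log path                            (MIRRORLOGPATH) = /db2/mirrorlogs
 Number of database backups to retain      (NUM_DB_BACKUPS) = 3
"""


def parse_cfg(text):
    """Return {PARAM: value} for every "(PARAM) = value" line in CLP output."""
    params = {}
    for line in text.splitlines():
        m = CFG_LINE.search(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def as_int(value):
    """First integer in a value, so "[99]", "AUTOMATIC(100)" and "-1" all
    parse; a bare AUTOMATIC carries no number and yields None."""
    m = re.search(r"-?\d+", value or "")
    return int(m.group()) if m else None


def is_value(expected):
    return lambda v: v.upper() == expected


def not_value(forbidden):
    return lambda v: v.upper() != forbidden


def at_least(n):
    return lambda v: as_int(v) is not None and as_int(v) >= n


def in_range(lo, hi):
    return lambda v: as_int(v) is not None and lo <= as_int(v) <= hi


# (recommendation, parameter, predicate) for the single-parameter rules.
RULES = [
    ("3.1.12", "NOTIFYLEVEL", at_least(3)),
    ("3.1.14", "ARCHRETRYDELAY", in_range(10, 30)),
    ("3.1.15", "AUTORESTART", is_value("ON")),
    ("3.1.16", "DISCOVER_DB", is_value("DISABLE")),
    ("3.1.17", "LOGARCHMETH1", not_value("OFF")),
    ("3.1.20", "MIRRORLOGPATH", lambda v: v != ""),
    ("3.1.21", "NUM_DB_BACKUPS", at_least(12)),
    ("3.1.22", "NUMARCHRETRY", is_value("5")),
]


def check_config(text):
    """Return {recommendation: message} for every rule the output fails."""
    cfg = parse_cfg(text)
    findings = {}
    for rec, param, ok in RULES:
        value = cfg.get(param)
        if value is None:
            findings[rec] = f"{param} not present in output"
        elif not ok(value):
            findings[rec] = f"{param} = {value}"
    # 3.1.13: srvcon_auth must not be CLIENT. When it is NOT_SPECIFIED, DB2
    # falls back to the authentication parameter (3.2.3), so check that value.
    effective = cfg.get("SRVCON_AUTH", "NOT_SPECIFIED").upper()
    if effective == "NOT_SPECIFIED":
        effective = cfg.get("AUTHENTICATION", "").upper()
    if effective == "CLIENT":
        findings["3.1.13"] = "effective server connection authentication is CLIENT"
    # 3.1.11: maxappls must stay below max_coordagents; skipped when either
    # side is a bare AUTOMATIC or max_coordagents is -1 (unlimited).
    appls = as_int(cfg.get("MAXAPPLS"))
    agents = as_int(cfg.get("MAX_COORDAGENTS"))
    if appls is not None and agents not in (None, -1) and appls >= agents:
        findings["3.1.11"] = f"MAXAPPLS = {appls} is not below MAX_COORDAGENTS = {agents}"
    return findings


if __name__ == "__main__":
    for rec, msg in sorted(check_config(SAMPLE_CFG).items()):
        print(rec, msg)
```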
3.2 Database Manager Configuration parameters
Database Configuration Parameters set several resource limits [values] to be allocated to a database. Many database configuration parameters can be modified to optimize performance and capacity.
3.2.1 TCP/IP service name - svcename (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The svcename parameter reserves the port number (or name, on Linux hosts) for listening to incoming communications from a Data Server Runtime Client. Both the database server port number or name and the TCP/IP service name must be defined on the database client.
Rationale:
When the database server is started, a port number or name is required to listen for incoming connection requests. The svcename parameter defines the port number or name for incoming connection requests. On Linux systems, the services file is found at: /etc/services
Audit:
1. Run the following command to determine if the svcename parameter value is correctly set and is not the default port (50000).
select name, value from sysibmadm.dbmcfg where name = 'svcename'
Remediation:
1. Run the following command to set the svcename parameter value.
update dbm cfg using svcename <value> immediate or deferred
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0000273.html?lang=en
3.2.2 SSL service name - ssl_svcename (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The ssl_svcename configuration parameter defines the name or number of the port on which the database server listens for communications from remote client nodes using the SSL protocol. The ssl_svcename and the svcename port numbers cannot be the same.
On Linux operating systems, the ssl_svcename file is located in: /etc/services
Rationale:
The database requires a defined port to listen for incoming remote clients using the SSL protocol. The ssl_svcename configuration parameter defines the port for communicating with remote clients.
Consider using a non-default port to help protect the database from attacks directed to a default port.
Audit:
1. Run the following command to determine if the current ssl_svcename parameter value is correctly set and is not a default port (50000).
select name, value from sysibmadm.dbmcfg where name = 'ssl_svcename'
Remediation:
1. Run the following command to set the ssl_svcename parameter value.
update dbm cfg using ssl_svcename <value> immediate or deferred
Default Value:
Null
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0053615.html
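Because 3.2.1 and 3.2.2 allow a service name instead of a port number, the two values have to be resolved through /etc/services before they can be compared with the default port and with each other. The following Python is an added example, not part of the CIS benchmark; the /etc/services excerpt and the sysibmadm.dbmcfg rows are constructed so the check runs offline.

```python
DEFAULT_PORT = 50000  # the DB2 default port the benchmark says not to keep

# Constructed /etc/services excerpt; on a real host read the file itself.
SERVICES = """\
# service-name      port/protocol  # comment
db2c_db2inst1       50000/tcp      # DB2 default listener
db2c_db2inst1_ssl   50001/tcp
db2c_hardened       60010/tcp
db2c_hardened       60010/udp
"""

# Constructed rows in the shape `select name, value from sysibmadm.dbmcfg`
# returns; a NULL ssl_svcename (the default) would arrive as None.
SAMPLE_ROWS = [("SVCENAME", "db2c_db2inst1"), ("SSL_SVCENAME", "50000")]


def parse_services(text):
    """Map service name -> TCP port from /etc/services-style lines."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if proto.lower() == "tcp" and port.isdigit():
            ports[fields[0]] = int(port)
    return ports


def rows_to_cfg(rows):
    """dbmcfg rows -> {lowercase name: stripped value}; NULL becomes ''."""
    return {name.lower(): (value or "").strip() for name, value in rows}


def resolve_port(value, services):
    """A svcename value is either a port number or a name in /etc/services."""
    if not value:
        return None
    if value.isdigit():
        return int(value)
    return services.get(value)


def check_ports(cfg, services):
    """Apply 3.2.1 and 3.2.2 to a {name: value} dbm cfg; returns findings."""
    findings = []
    svc = resolve_port(cfg.get("svcename"), services)
    ssl = resolve_port(cfg.get("ssl_svcename"), services)
    if svc is None:
        findings.append("3.2.1 svcename unset or unresolvable")
    elif svc == DEFAULT_PORT:
        findings.append("3.2.1 svcename uses default port 50000")
    if ssl is None:
        findings.append("3.2.2 ssl_svcename unset or unresolvable")
    elif ssl == DEFAULT_PORT:
        findings.append("3.2.2 ssl_svcename uses default port 50000")
    if svc is not None and svc == ssl:
        findings.append("3.2.2 ssl_svcename resolves to the same port as svcename")
    return findings


if __name__ == "__main__":
    for finding in check_ports(rows_to_cfg(SAMPLE_ROWS), parse_services(SERVICES)):
        print(finding)
```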
3.2.3 Authentication type for incoming connections at the server - srvcon_auth (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The srvcon_auth parameter defines where and how user authentication is done for incoming connections at the server. If no value is used, DB2 uses the database manager configuration parameter authentication.
Rationale:
Incoming connections to the DB2 server must follow an authentication protocol. The srvcon_auth server configuration parameter defines how and where user authentication is done.
Audit:
1. Run the following command to identify the current value of the srvcon_auth database configuration parameter:
select name, value from sysibmadm.dbmcfg where name = 'srvcon_auth'
Remediation:
1. Run the following command to update the current value of the srvcon_auth database configuration parameter to the correct value:
db2 => update dbm cfg using srvcon_auth <any supported authentication>
Default Value:
Not specified
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0011454.html?lang=en
3.2.4 Database Manager Configuration parameter: trust_allclnts (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 2 - Windows Host OS
• Level 1 - Linux Host OS
• Level 2 - Linux Host OS
Description:
This parameter is used to determine where users are validated within the database environment (client-side authentication). If the parameter is set to 'YES', the server assumes that the client side is handling authentication to the database. If the parameter is set to 'NO', the client must provide authentication to the server on behalf of the user. This parameter is only active when the authentication parameter is set to CLIENT.
Rationale:
This parameter is relied upon to determine whether each user (client) needs to be authenticated by the server or if the server should assume that each user (client) has already been sufficiently authenticated.
Audit:
Issue the following command to check the value of the parameter:
db2=> select name, value from sysibmadm.dbmcfg where name = 'trust_allclnts'
The value should be 'YES' for client-side authentication and 'NO' for server-side authentication.
Remediation:
To specify client-side authentication, issue the following command to set the parameter to 'YES':
db2=> update dbm cfg using trust_allclnts YES
To specify server-side authentication, issue the following command to set the parameter to 'NO':
db2=> update dbm cfg using trust_allclnts NO
References:
1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0000380.html
3.2.5 Database Manager Configuration parameter: trust_clntauth (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 2 - Windows Host OS
• Level 1 - Linux Host OS
• Level 2 - Linux Host OS
Description:
This parameter specifies where a trusted client is authenticated (at the server or the client) if it provides a user ID and password.
If the parameter is set to 'CLIENT', the user ID and password are not needed, but if they are provided, authentication will occur at the client.
If the parameter is set to 'SERVER', the user ID and password are needed and will be authenticated at the server.
This parameter is only active if the authentication parameter is set to 'CLIENT'.
Rationale:
This parameter is relied upon to determine whether each trusted client needs to be authenticated by the server or the client after providing a user ID and password.
Audit:
Issue the following command to check the value of the parameter:
db2=> select name, value from sysibmadm.dbmcfg where name = 'trust_clntauth'
The value should be 'CLIENT' for client-side authentication and 'SERVER' for server-side authentication.
Remediation:
Issue the following command to set the parameter to 'CLIENT' or 'SERVER':
db2=> update dbm cfg using trust_clntauth <CLIENT/SERVER>
References:
1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0000381.html
4 Row and Column Access Control (RCAC)
DB2 RCAC controls access to a table at the row and column level. Row and column access control is sometimes referred to as fine-grained access control or FGAC. Identify and gather the organization's security policies, management and staff roles, and user and group lists to compare against existing DB2 RCAC policies for compliance.
4.1 Review Organization's Policies against DB2 RCAC Policies (Not Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
DB2 Row and Column Access Control (RCAC) Policies control access to DB2 tables. They should match the organization's security and database access policies, and they should be regularly reviewed for gaps.
Rationale:
Missing, incomplete, or incorrect DB2 RCAC policies will increase the risks to the organization's protected data and will prevent efforts to monitor, alert, and respond to these risks in the future.
Audit:
Schedule and complete a regular review of all organization security and data access database policies against the current DB2 policies to determine if gaps exist.
1. Identify each written organization policy.
2. Find the matching DB2 RCAC policy.
3. Determine if the RCAC policy applies and correctly supports the written policy.
4. If no matching DB2 RCAC policy is found, record a 'gap' for future remediation.
Remediation:
1. Create RCAC policies for each 'gap' listed from the Audit procedure.
2. Review the newly created DB2 RCAC policy against the organization's written policies.
![Page 81: CIS IBM DB2 10 Benchmark v1.1.0 - ITSecure€¦ · This document, Security Configuration Benchmark for IBM DB2, provides prescriptive guidance for establishing a secure configuration](https://reader030.fdocuments.in/reader030/viewer/2022040214/5eadedeaa38bc801c611dc5c/html5/thumbnails/81.jpg)
80|P a g e
DefaultValue:
Notinstalled
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0057423.html?lang=en
4.2 Secure SECADM Authority (Not Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SECADM (security administrator) authority grants the ability to create, alter (where applicable), and drop roles, trusted contexts, audit policies, security label components, security policies and security labels, and, in DB2 10.1 and later, row permissions and column masks. It is also the authority required to grant and revoke roles, security labels and exemptions, and the SETSESSIONUSER privilege. SECADM authority has no inherent privilege to access data stored in tables, but whoever holds it can grant that access to anyone, so it is recommended that SECADM be granted to authorized users only.
Rationale:
If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the DB2 instance will be at increased risk.
Audit:
Review the holders of SECADM authority when implementing this recommendation. The review procedure is addressed in Section 7.5 of this document.
Remediation:
Revoke SECADM from any holder identified in the review who is not authorized to have it. The review procedure is addressed in Section 7.5 of this document.
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0021054.html?lang=en
4.3 Review Users, Groups, and Roles (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
With row and column access control, individuals are permitted access to only the subset of data that is required to perform their job tasks. Periodic review of these individuals is crucial to keeping data secure. As business needs change, the requirements behind accessing the data may change, leading to a revision of the security policy. By inspecting the list of users, groups, and roles, you identify excessive privileges that could pose security threats within your infrastructure. DB2 authenticates users and resolves group membership through the operating system (or the configured LDAP or custom security plug-in), so the OS user and group lists are part of the database's access control surface.
Rationale:
If a user (directly or through a group or role) no longer requires access to data that is protected by row and column access controls, allowing that individual to retain access allows them to compromise the confidentiality, integrity, and/or availability of the data in the DB2 instance.
Audit:
1. Review the users within your database environment (if the instance authenticates against LDAP or another directory, review that directory's user list as well):
Linux:
cat /etc/passwd
Windows:
a. Run compmgmt.msc
b. Click 'Local Users and Groups'
c. Double click 'Users'
d. Review users
2. Review the groups within your database environment:
Linux:
cat /etc/group
Windows:
a. Run compmgmt.msc
b. Click 'Local Users and Groups'
c. Double click 'Groups'
d. Review groups
3. Review the roles and role members within your database environment:
a. Attach to the DB2 instance:
db2 => attach to $DB2INSTANCE
b. Connect to the DB2 database:
db2 => connect to $DBNAME
c. Run the command:
db2 => select rolename, grantee from syscat.roleauth where grantortype <> 'S'
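The following SQL is an added example and is not part of the CIS benchmark. It extends the review in 4.2 and 4.3: it lists who holds SECADM and the other administrative authorities (the review that 4.2 defers to Section 7.5), expands role membership through roles granted to roles, and flags roles with no members and roles granted WITH ADMIN OPTION. It reads only the catalog views SYSCAT.DBAUTH, SYSCAT.ROLEAUTH and SYSCAT.ROLES; the script file name in the comment is an assumption.

```sql
-- Added example; not part of the CIS benchmark. Catalog reads only, so it
-- is safe on a production database. Run after connecting, for example:
--   db2 -tvf review_roles.sql      (file name is an assumption)

-- 1. Holders of SECADM and the other administrative database authorities.
--    A 'G' in GRANTEETYPE means the grant went to a group (PUBLIC included),
--    'R' to a role, 'U' to a user.
SELECT GRANTEE, GRANTEETYPE,
       SECURITYADMAUTH, DBADMAUTH, ACCESSCTRLAUTH, DATAACCESSAUTH
FROM   SYSCAT.DBAUTH
WHERE  SECURITYADMAUTH = 'Y'
   OR  DBADMAUTH       = 'Y'
   OR  ACCESSCTRLAUTH  = 'Y'
   OR  DATAACCESSAUTH  = 'Y'
ORDER BY GRANTEETYPE, GRANTEE;

-- 2. Effective role membership. The benchmark query lists direct grants
--    only; a user who belongs to a role that is itself granted an
--    RCAC-relevant role is not shown there. DEPTH 1 is a direct grant.
WITH MEMBERS (ROLENAME, GRANTEE, GRANTEETYPE, DEPTH) AS (
  SELECT ROLENAME, GRANTEE, GRANTEETYPE, 1
  FROM   SYSCAT.ROLEAUTH
  WHERE  GRANTORTYPE <> 'S'              -- skip system-made grants
  UNION ALL
  SELECT M.ROLENAME, R.GRANTEE, R.GRANTEETYPE, M.DEPTH + 1
  FROM   MEMBERS M, SYSCAT.ROLEAUTH R
  WHERE  R.ROLENAME    = M.GRANTEE
    AND  M.GRANTEETYPE = 'R'             -- recurse only through roles
    AND  M.DEPTH       < 16              -- stops a cycle from looping
)
SELECT ROLENAME, GRANTEE, GRANTEETYPE, DEPTH
FROM   MEMBERS
ORDER BY ROLENAME, DEPTH, GRANTEE;

-- 3. Roles nobody holds (candidates for DROP ROLE) ...
SELECT R.ROLENAME
FROM   SYSCAT.ROLES R
WHERE  NOT EXISTS (SELECT 1 FROM SYSCAT.ROLEAUTH A
                   WHERE  A.ROLENAME = R.ROLENAME)
ORDER BY R.ROLENAME;

-- ... and grants made WITH ADMIN OPTION, whose holders can add members
--    to the role without SECADM. Each of these is a delegated trust
--    decision and should be on the written policy.
SELECT ROLENAME, GRANTEE, GRANTEETYPE
FROM   SYSCAT.ROLEAUTH
WHERE  ADMIN = 'Y'
ORDER BY ROLENAME, GRANTEE;
```

DB2 issues warning SQL0347W for the recursive query because it cannot prove termination; the DEPTH bound is what guarantees it, and the warning can be ignored. Compare the output of query 1 and query 2 against the written policy from 4.1: every SECADM holder and every role member should be traceable to a documented business reason.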
Remediation:
1. To remove users from your database environment (never remove the instance owner or the fenced user ID, which the instance needs to run; note also that DB2 stores privileges by authorization ID name, so grants made to a deleted OS user remain in the catalog and are inherited by any later account created with the same name unless they are revoked):
Linux:
userdel -r <user name>
Windows:
a. Run compmgmt.msc
b. Click 'Local Users and Groups'
c. Double click 'Users'
d. Right-click on <user name>
e. Select 'Delete'
2. To remove groups from your database environment:
Linux:
groupdel <group name>
Windows:
a. Run compmgmt.msc
b. Click 'Local Users and Groups'
c. Double click 'Groups'
d. Right-click on <group name>
e. Select 'Delete'
3. To remove roles or role members from your database environment:
a. Attach to the DB2 instance:
db2 => attach to $DB2INSTANCE
b. Connect to the DB2 database:
db2 => connect to $DBNAME
c. To remove role members from roles:
db2 => revoke role <role name> from <user/group/role member>
d. To remove roles:
db2 => drop role <role name>
4.4 Review Row Permission logic according to policy (Not Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The logic behind instituting row permissions is crucial for a successful security policy. Inspecting this logic and comparing it to the security policy will ensure that all aspects of the data access controls are being adhered to.
Rationale:
Missing or incomplete DB2 RCAC security policies will increase the risks to the organization's protected data and will hinder efforts to monitor, alert, and respond to these risks in the future.
Audit:
1. Attach to the DB2 instance:
db2 => attach to $DB2INSTANCE
2. Connect to the database:
db2 => connect to $DBNAME
3. Run the following and review the results to confirm that the row permissions are correct and that they comply with the existing security policy:
db2 => select role.rolename, control.ruletext from syscat.roles role inner join syscat.controls control on locate(role.rolename, control.ruletext) <> 0 where enable = 'Y' and enforced = 'A' and valid = 'Y' and controltype = 'R'
Note: the join matches role names as substrings of the rule text, so a rule that tests one role is also listed under any role whose name is a prefix of it, and a permission whose rule mentions no role at all (for example one based only on SESSION_USER) is never listed. Treat the output as a starting point and read the rule text of every row permission, including those with enable = 'N' or valid = 'N', which enforce nothing.
Remediation:
1. Create RCAC policies for each 'gap' listed from the Audit procedure.
2. Review the newly created DB2 RCAC policy against the organization's policy.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0057423.html?lang=en
4.5 Review Column Mask logic according to policy (Not Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The logic behind instituting column masks is crucial for a successful security policy. Inspecting this logic and comparing it to the security policy will ensure that all aspects of the data access controls are being adhered to.
Rationale:
Missing or incomplete DB2 RCAC security policies will increase the risks to the organization's protected data and will hinder efforts to monitor, alert, and respond to these risks in the future.
Audit:
1. Attach to the DB2 instance:
db2 => attach to $DB2INSTANCE
2. Connect to the database:
db2 => connect to $DBNAME
3. Run the following and review the results to verify that the masks are correct and that they comply with the organization's existing security policy:
db2 => select role.rolename, control.colname, control.ruletext from syscat.roles role inner join syscat.controls control on locate(role.rolename, control.ruletext) <> 0 where enable = 'Y' and enforced = 'A' and valid = 'Y' and controltype = 'C'
Note: as with row permissions, the role match is a substring match on the rule text, so confirm each mask by reading its CASE expression rather than relying on the role column alone. A mask only changes what a query returns; it does not restrict which rows can be read, so a sensitive column on a table without a row permission is still fully enumerable by whoever the mask lets through.
Remediation:
1. Create RCAC policies for each 'gap' listed from the Audit procedure.
2. Review the newly created DB2 RCAC policy against the organization's written policy.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0057423.html?lang=en
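The following SQL is an added example and is not part of the CIS benchmark or of IBM's documentation. It builds a minimal RCAC configuration on a hypothetical HR.EMPLOYEE table with two hypothetical roles, HR_MANAGER and PAYROLL, so that the queries in 4.4 and 4.5 have something to show, and then runs those audit queries together with two checks the benchmark omits: which tables have access control activated at all, and every control regardless of its enabled or valid state. The table, roles, columns and rule logic are assumptions; CREATE PERMISSION, CREATE MASK and the SYSCAT.CONTROLS view exist from DB2 10.1 onward, and the DDL needs SECADM authority.

```sql
-- Added example; not part of the CIS benchmark. HR.EMPLOYEE, HR_MANAGER
-- and PAYROLL are hypothetical. Run after connecting as a SECADM user:
--   db2 -tvf rcac_example.sql      (file name is an assumption)

CREATE ROLE HR_MANAGER;
CREATE ROLE PAYROLL;

CREATE TABLE HR.EMPLOYEE (
  EMPNO   INTEGER      NOT NULL PRIMARY KEY,
  NAME    VARCHAR(60)  NOT NULL,
  DEPT    CHAR(3)      NOT NULL,
  MGR_ID  VARCHAR(128) NOT NULL,   -- authorization ID of the manager
  SSN     CHAR(11)     NOT NULL,   -- 'AAA-GG-SSSS'
  SALARY  DECIMAL(9,2) NOT NULL
);

-- Row permission: PAYROLL sees every row; HR_MANAGER sees only the rows
-- of people who report to the connected user. Everyone else sees nothing,
-- because activating row access control installs a default deny-all
-- permission that applies whenever no other permission matches.
CREATE PERMISSION HR.EMP_ROW_ACCESS ON HR.EMPLOYEE
  FOR ROWS WHERE
        VERIFY_ROLE_FOR_USER(SESSION_USER, 'PAYROLL') = 1
     OR (VERIFY_ROLE_FOR_USER(SESSION_USER, 'HR_MANAGER') = 1
         AND MGR_ID = SESSION_USER)
  ENFORCED FOR ALL ACCESS
  ENABLE;

-- Column mask: only PAYROLL sees the full SSN; everyone else gets the last
-- four digits. The CASE result must have the same type as the column.
CREATE MASK HR.EMP_SSN_MASK ON HR.EMPLOYEE
  FOR COLUMN SSN RETURN
    CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'PAYROLL') = 1
         THEN SSN
         ELSE 'XXX-XX-' || SUBSTR(SSN, 8, 4)
    END
  ENABLE;

-- Nothing above is enforced until access control is activated on the table.
ALTER TABLE HR.EMPLOYEE ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE HR.EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;

-- ---- Audit --------------------------------------------------------------
-- A. Which tables have RCAC activated? CONTROL is 'R' (rows), 'C'
--    (columns), 'B' (both) or blank. A sensitive table that is absent from
--    this list is a gap that no permission or mask query can reveal.
SELECT TABSCHEMA, TABNAME, CONTROL
FROM   SYSCAT.TABLES
WHERE  CONTROL <> ' '
ORDER BY TABSCHEMA, TABNAME;

-- B. Every row permission ('R') and column mask ('C') with its state. A
--    control with ENABLE = 'N' or VALID = 'N' enforces nothing, and the
--    benchmark's filter hides exactly those rows.
SELECT TABSCHEMA, TABNAME, CONTROLTYPE, COLNAME,
       ENABLE, VALID, ENFORCED, RULETEXT
FROM   SYSCAT.CONTROLS
ORDER BY TABSCHEMA, TABNAME, CONTROLTYPE, COLNAME;

-- C. The benchmark's role-to-rule join for both control types. LOCATE()
--    is a substring match: a role named 'HR' would also "match" the rule
--    that tests 'HR_MANAGER', so confirm each hit against RULETEXT.
SELECT R.ROLENAME, C.TABSCHEMA, C.TABNAME, C.CONTROLTYPE, C.COLNAME,
       C.RULETEXT
FROM   SYSCAT.ROLES R
JOIN   SYSCAT.CONTROLS C
  ON   LOCATE(R.ROLENAME, C.RULETEXT) <> 0
WHERE  C.ENABLE = 'Y' AND C.VALID = 'Y' AND C.ENFORCED = 'A'
ORDER BY R.ROLENAME, C.TABSCHEMA, C.TABNAME, C.CONTROLTYPE;
```

To see the controls working, grant PAYROLL to one test user and HR_MANAGER to another, insert a few rows with differing MGR_ID values, and run the same SELECT from each session: the row count and the SSN column change while the SQL does not. Query B is the one to keep in a scheduled review, because it is the only one that also lists disabled and invalid controls.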
5 Database Maintenance
This section provides guidance on protecting and maintaining the database instance.
5.1 Enable Backup Redundancy (Not Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
Backup redundancy ensures that multiple copies of each database backup exist, ideally on separate storage and in a separate location from the primary copy.
Rationale:
Maintaining redundant copies of database backups increases business continuity capabilities should a DB2 service failure coincide with a corrupt or lost backup.
Audit:
Review the replication of your backups against organization policy, and confirm that the replicated copies can be restored.
Remediation:
Define and implement a process to replicate your backups to multiple locations.
5.2 Protecting Backups (Not Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
Backups of your database should be stored securely in a location with full access for administrators, read and execute access for the administrative group, and no access for other users. A backup image contains the same data as the database without any of the database's access controls, so it must be protected at least as strictly as the database files themselves; consider encrypting backup images, particularly copies that leave the server.
Rationale:
Backups may contain sensitive data that attackers can use to retrieve valuable information about the organization, without ever authenticating to DB2.
Audit:
Review the file system privileges applied to your backups.
Remediation:
Define a security policy for all backups that specifies the privileges they should be assigned.
5.3 Enable Automatic Database Maintenance (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
Enable automatic database maintenance on your DB2 instance. It is recommended that the DB2 Automatic Maintenance tool be used to ensure that the instance is performing optimally. AUTO_MAINT is the parent switch: the individual automatic maintenance parameters (for example AUTO_DB_BACKUP, AUTO_TBL_MAINT, AUTO_RUNSTATS and AUTO_REORG) only take effect while AUTO_MAINT is ON, so turning it on by itself schedules nothing until the child parameters are also enabled.
Rationale:
A well-maintained DB2 instance will provide access to the data and reduce database outages.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database:
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => get database configuration
3. Locate this value in the output:
Automatic maintenance (AUTO_MAINT) = ON
Note: the check passes when AUTO_MAINT is set to ON, as in the output above.
Remediation:
1. Connect to the DB2 database:
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => update database configuration using auto_maint on
6 Securing Database Objects
Note: SYSCAT views have underlying SYSIBM base tables (for example, SYSCAT.DBAUTH reads SYSIBM.SYSDBAUTH) to which PUBLIC is also granted SELECT by default. Ensure that permissions applied to these tables revoke access from unnecessary users as well. If the database was created using the RESTRICTIVE option, no privileges are granted to PUBLIC automatically, and the checks in this section pass from the start. The audit queries below detect only direct grants to PUBLIC; SELECT granted to a group or role that most users belong to is just as exposed and should be reviewed alongside them. Revoking catalog access can break tools that read metadata (ODBC/JDBC catalog calls, db2look, and similar), so test each revoke in a non-production database and grant SELECT explicitly to the accounts that need it. Supplying the password on the command line, as in the examples below, leaves it in the shell history; in the interactive CLP, omit 'using $PASSWORD' and DB2 prompts for it instead.
6.1 Restrict Access to SYSCAT.AUDITPOLICIES (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.AUDITPOLICIES view contains all audit policies for a database. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
This view contains sensitive information about the auditing configuration of this database. Access to the audit policies may aid attackers in avoiding detection.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUDITPOLICIES' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.AUDITPOLICIES FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050610.html?cp=SSEPGG_10.5.0%2F2-12-8-2&lang=en
6.2 Restrict Access to SYSCAT.AUDITUSE (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.AUDITUSE view contains the audit policies associated with non-database objects, such as authorities, groups, roles, trusted contexts, and users. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
This view contains sensitive information about which objects are being audited. Access to the audit policy may aid attackers in avoiding detection.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUDITUSE' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.AUDITUSE FROM PUBLIC
6.3 Restrict Access to SYSCAT.DBAUTH (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.DBAUTH view contains information on database-level authorities granted to users, groups, and roles. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
This view lists every database authority grant in the database and shows an attacker exactly which accounts are worth targeting.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'DBAUTH' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.DBAUTH FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001041.html?cp=SSEPGG_10.5.0%2F2-12-8-30&lang=en
6.4 Restrict Access to SYSCAT.COLAUTH (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.COLAUTH view contains the column privileges granted to users, groups, and roles in the database. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
Knowing which users, groups, and roles hold column-level privileges, and on which columns, gives an attacker a map of the accounts worth compromising; this information should not be exposed to PUBLIC.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'COLAUTH' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.COLAUTH FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.dbobj.doc/doc/t0005379.html?lang=en
6.5 Restrict Access to SYSCAT.EVENTS (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The SYSCAT.EVENTS view contains one row for each event type that an event monitor in the database is currently monitoring. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
The types of events that the database is monitoring should not be made readily available to PUBLIC; an attacker who knows what is monitored knows what is not.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'EVENTS' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.EVENTS FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001043.html?cp=SSEPGG_10.5.0%2F2-12-8-34&lang=en
6.6 Restrict Access to SYSCAT.EVENTTABLES (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The SYSCAT.EVENTTABLES view contains the name of the target table that receives the records written by each event monitor that writes to tables. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not be able to learn the name of an event monitor's target table; an attacker who can locate it can read or tamper with the monitoring records if that table is also insufficiently protected.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'EVENTTABLES' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.EVENTTABLES FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0007483.html?cp=SSEPGG_10.5.0%2F2-12-8-35&lang=en
6.7 Restrict Access to SYSCAT.ROUTINES (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.ROUTINES view contains all user-defined routines, functions, and stored procedures in the database. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
The names, parameters, and (for SQL routines) the source text of user-defined functions and procedures reveal application logic and give an attacker a catalog of potential targets; they should not be visible to PUBLIC.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROUTINES' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.ROUTINES FROM PUBLIC
6.8 Restrict Access to SYSCAT.INDEXAUTH (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The SYSCAT.INDEXAUTH view contains the users, groups, and roles that hold CONTROL privilege on an index. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
The list of accounts that control an index should not be exposed to PUBLIC.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'INDEXAUTH' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.INDEXAUTH FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001046.html?cp=SSEPGG_10.5.0%2F2-12-8-44&lang=en
6.9 Restrict Access to SYSCAT.PACKAGEAUTH (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.PACKAGEAUTH view contains the users, groups, and roles that hold one or more privileges (BIND, CONTROL, or EXECUTE) on a package. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
The list of accounts that can execute or rebind a package should not be exposed to PUBLIC.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PACKAGEAUTH' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.PACKAGEAUTH FROM PUBLIC
6.10 Restrict Access to SYSCAT.PACKAGES (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.PACKAGES view contains the names and attributes of all packages created in the database. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
The names of the packages in the database can be used as an entry point if a vulnerable package exists, since a package name is all an attacker needs to target its statements.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PACKAGES' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.PACKAGES FROM PUBLIC
6.11 Restrict Access to SYSCAT.PASSTHRUAUTH (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.PASSTHRUAUTH view contains the users and groups that have been granted pass-through authorization to query a federated data source directly. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
The ability to see which accounts hold the pass-through privilege could allow an attacker to target those accounts in order to reach another data source through the federated server.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PASSTHRUAUTH' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.PASSTHRUAUTH FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0002184.html?cp=SSEPGG_10.5.0%2F2-12-8-70&lang=en
6.12 Restrict Access to SYSCAT.SECURITYPOLICIES (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.SECURITYPOLICIES view contains all label-based access control (LBAC) security policies in the database. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not be able to view the database security policies; they describe how protected data is partitioned and what an attacker would need to reach it.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICIES' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.SECURITYPOLICIES FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0020048.html?cp=SSEPGG_10.5.0%2F2-12-8-91&lang=en
6.13 Restrict Access to SYSCAT.SECURITYPOLICYEXEMPTIONS (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.SECURITYPOLICYEXEMPTIONS view contains each exemption to a security policy that has been granted to a database authorization ID. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not be able to view the exemptions to the database security policies; an exemption identifies an account that bypasses part of the label-based access control, which makes it a prime target.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICYEXEMPTIONS' and grantee = 'PUBLIC'
3. Review the output. If no rows are returned, PUBLIC holds no direct grant on the view and the check passes.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.SECURITYPOLICYEXEMPTIONS FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0020042.html?cp=SSEPGG_10.5.0%2F2-12-8-93&lang=en
6.14 Restrict Access to SYSCAT.SURROGATEAUTHIDS (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.SURROGATEAUTHIDS view contains the names of all accounts that have been granted the SETSESSIONUSER privilege on a user or on PUBLIC. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not be able to view the names of all the surrogate accounts with the SETSESSIONUSER privilege.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SURROGATEAUTHIDS' and grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.SURROGATEAUTHIDS FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0020044.html?cp=SSEPGG_10.5.0%2F2-12-8-102&lang=en
6.15 Restrict Access to SYSCAT.ROLEAUTH (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.ROLEAUTH view contains information on all roles and their respective grantees. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not have access to see the grants of the roles because this could be used as a point of exploit.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROLEAUTH' and grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.ROLEAUTH FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050619.html?cp=SSEPGG_10.5.0%2F2-12-8-74&lang=en
6.16 Restrict Access to SYSCAT.ROLES (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.ROLES view contains all roles available in the database. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not have access to see all the roles because this could be used as a point of exploit.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROLES' and grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.ROLES FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050612.html?cp=SSEPGG_10.5.0%2F2-12-8-75&lang=en
6.17 Restrict Access to SYSCAT.ROUTINEAUTH (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.ROUTINEAUTH view contains a list of all users that have the EXECUTE privilege on a routine (function, method, or procedure). It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not have access to see all the users because this could be used as a point of exploit.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROUTINEAUTH' and grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.ROUTINEAUTH FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0007491.html?cp=SSEPGG_10.5.0%2F2-12-8-76&lang=en
6.18 Restrict Access to SYSCAT.SCHEMAAUTH (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.SCHEMAAUTH view contains a list of all users that have one or more privileges on, or access to, a particular schema. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not have access to see all the users because this could be used as a point of exploit.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SCHEMAAUTH' and grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.SCHEMAAUTH FROM PUBLIC
6.19 Restrict Access to SYSCAT.SCHEMATA (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.SCHEMATA view contains all schema names in the database. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not have access to see all the schema names in the database because this could be used as a point of exploit.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SCHEMATA' and grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.SCHEMATA FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001059.html?cp=SSEPGG_10.5.0%2F2-12-8-85&lang=en
6.20 Restrict Access to SYSCAT.SEQUENCEAUTH (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.SEQUENCEAUTH view contains the users, groups, or roles granted one or more privileges on a sequence. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not have access to see all the access granted on a sequence in the database because this could be used as a point of exploit.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SEQUENCEAUTH' and grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.SEQUENCEAUTH FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0008181.html?cp=SSEPGG_10.5.0%2F2-12-8-94&lang=en
6.21 Restrict Access to SYSCAT.STATEMENTS (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.STATEMENTS view contains all SQL statements of a compiled package. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not have access to the SQL statements of a database package. This could lead to an exploit.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'STATEMENTS' and grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.STATEMENTS FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001060.html?cp=SSEPGG_10.5.0%2F2-12-8-99&lang=en
6.22 Restrict Access to SYSCAT.TABAUTH (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.TABAUTH view contains the users or groups that have been granted one or more privileges on a table or view. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not have access to the grants of views and tables in a database. This could lead to an exploit.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'TABAUTH' and grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.TABAUTH FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001061.html?cp=SSEPGG_10.5.0%2F2-12-8-103&lang=en
6.23 Restrict Access to SYSCAT.TBSPACEAUTH (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SYSCAT.TBSPACEAUTH view contains the users or groups that have been granted the USE privilege on a particular tablespace in the database. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
PUBLIC should not have access to the grants of the tablespaces in a database. This could lead to an exploit.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'TBSPACEAUTH' and grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.TBSPACEAUTH FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0002201.html?cp=SSEPGG_10.5.0%2F2-12-8-110&lang=en
6.24 Restrict Access to Tablespaces (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
A tablespace is where the data is physically stored. It is recommended that tablespace usage be restricted to authorized users.
Rationale:
Grant the USE of tablespace privilege to only authorized users. Restrict the privilege from PUBLIC, where applicable, as a malicious user can cause a denial of service at the tablespace level by overloading it with corrupted data.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select grantee, tbspace from sysibm.systbspaceauth where grantee = 'PUBLIC'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE USE OF TABLESPACE [$tablespace_name] FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001064.html?cp=SSEPGG_10.5.0%2F2-12-8-108&lang=en
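Items 6.12 through 6.24 repeat one procedure per object: query SYSIBM.SYSTABAUTH (or SYSIBM.SYSTBSPACEAUTH for 6.24) for a PUBLIC row, and revoke if one exists. The script below is an added example, not part of the benchmark, that evaluates all thirteen checks in one pass over rows already fetched from those two catalog tables (how the rows are fetched, for example with the ibm_db driver, is left to the caller) and emits the REVOKE statement for each finding. The catalog rows it runs on are constructed sample data so that it works offline; the grantee, view and tablespace names in them are invented.

```python
"""Batch audit for CIS DB2 Benchmark items 6.12 to 6.24 (added example, not
benchmark code).

The benchmark runs one query per catalog object; this evaluates all of them
over rows already fetched from SYSIBM.SYSTABAUTH and SYSIBM.SYSTBSPACEAUTH and
emits the matching REVOKE statement for each finding. The sample rows below
are constructed so the script runs offline.
"""
from dataclasses import dataclass

# (benchmark item, schema, view): catalog views PUBLIC must not be able to SELECT.
CATALOG_VIEWS = [
    ("6.12", "SYSCAT", "SECURITYPOLICIES"),
    ("6.13", "SYSCAT", "SECURITYPOLICYEXEMPTIONS"),
    ("6.14", "SYSCAT", "SURROGATEAUTHIDS"),
    ("6.15", "SYSCAT", "ROLEAUTH"),
    ("6.16", "SYSCAT", "ROLES"),
    ("6.17", "SYSCAT", "ROUTINEAUTH"),
    ("6.18", "SYSCAT", "SCHEMAAUTH"),
    ("6.19", "SYSCAT", "SCHEMATA"),
    ("6.20", "SYSCAT", "SEQUENCEAUTH"),
    ("6.21", "SYSCAT", "STATEMENTS"),
    ("6.22", "SYSCAT", "TABAUTH"),
    ("6.23", "SYSCAT", "TBSPACEAUTH"),
]

# Constructed sample rows in the column order (tcreator, ttname, grantee) of
# SYSIBM.SYSTABAUTH. DB2 returns CHAR columns blank-padded, hence the strip().
SAMPLE_SYSTABAUTH = [
    ("SYSCAT  ", "ROLES             ", "PUBLIC  "),
    ("SYSCAT  ", "ROLEAUTH          ", "PUBLIC  "),
    ("SYSCAT  ", "TABAUTH           ", "DBAUDIT "),  # named grantee: review, not a finding
    ("SYSCAT  ", "TABLES            ", "PUBLIC  "),  # view not in scope of 6.12-6.23
]

# Constructed sample rows in the column order (grantee, tbspace) of SYSIBM.SYSTBSPACEAUTH.
SAMPLE_SYSTBSPACEAUTH = [
    ("PUBLIC  ", "USERSPACE1        "),
    ("APPOWNER", "APPDATA           "),
]


@dataclass(frozen=True)
class Finding:
    item: str         # benchmark item number
    obj: str          # object PUBLIC still has access to
    remediation: str  # statement that clears the finding


def _norm(value):
    """Collapse DB2 CHAR padding and case so comparisons are exact."""
    return value.strip().upper()


def _delimit(name):
    """Quote an identifier taken from catalog data (it may be mixed case)."""
    return '"' + name.replace('"', '""') + '"'


def audit_catalog_views(systabauth_rows):
    """Items 6.12-6.23: a PUBLIC row on a listed view is a finding, as in the benchmark."""
    public_rows = {(_norm(c), _norm(t)) for c, t, g in systabauth_rows if _norm(g) == "PUBLIC"}
    findings = []
    for item, schema, view in CATALOG_VIEWS:
        if (schema, view) in public_rows:
            findings.append(Finding(item, f"{schema}.{view}",
                                    f"REVOKE SELECT ON {schema}.{view} FROM PUBLIC"))
    return findings


def audit_tablespaces(systbspaceauth_rows):
    """Item 6.24: PUBLIC must not hold USE on any tablespace."""
    findings = []
    for grantee, tbspace in systbspaceauth_rows:
        if _norm(grantee) == "PUBLIC":
            name = tbspace.strip()
            findings.append(Finding("6.24", f"TABLESPACE {name}",
                                    f"REVOKE USE OF TABLESPACE {_delimit(name)} FROM PUBLIC"))
    return findings


def run_audit(systabauth_rows, systbspaceauth_rows):
    """Return every finding; an empty list is the benchmark's "output is BLANK" pass."""
    return audit_catalog_views(systabauth_rows) + audit_tablespaces(systbspaceauth_rows)


if __name__ == "__main__":
    for f in run_audit(SAMPLE_SYSTABAUTH, SAMPLE_SYSTBSPACEAUTH):
        print(f"{f.item} FAIL {f.obj}: {f.remediation}")
```

Run against the sample rows it reports 6.15, 6.16 and 6.24 as failing and prints the three REVOKE statements; the DBAUDIT grantee on SYSCAT.TABAUTH is left for manual review, matching the benchmark's step 3, and the PUBLIC row on SYSCAT.TABLES is ignored because that view is outside these items. Tablespace names come from catalog data and are emitted as delimited identifiers so a mixed-case name is revoked exactly as it was created.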
6.25 Restrict Access to SYSCAT.MODULEAUTH (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The SYSCAT.MODULEAUTH view contains all granted privileges on a module for users, groups, or roles and is read only.
Rationale:
Any databases created without the RESTRICT option automatically GRANT the SELECT privilege to PUBLIC for SYSCAT views. Therefore, it is strongly recommended to explicitly REVOKE the SELECT privilege on the SYSCAT.MODULEAUTH view from PUBLIC to reduce risk to the organization's data.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'MODULEAUTH'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => revoke select on syscat.moduleauth from public
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0054748.html?lang=en
6.26 Restrict Access to SYSCAT.VARIABLEAUTH (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The SYSCAT.VARIABLEAUTH view contains the granted privileges on a global variable for users, groups, or roles and is read only.
Rationale:
Any databases created without the RESTRICT option automatically GRANT the SELECT privilege to PUBLIC for SYSCAT views. Therefore, it is strongly recommended to explicitly REVOKE the SELECT privilege on the SYSCAT.VARIABLEAUTH view from PUBLIC to reduce risk to the organization's data.
Audit:
Determine if SYSCAT.VARIABLEAUTH privileges for users, groups, and roles are correctly set.
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'VARIABLEAUTH'
3. Review privileges for users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => revoke select on syscat.variableauth from public
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050504.html?lang=en
6.27 Restrict Access to SYSCAT.WORKLOADAUTH (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The SYSCAT.WORKLOADAUTH catalog view represents the users, groups, or roles that have been granted the USAGE privilege on a workload.
Rationale:
Any databases created without the RESTRICT option automatically GRANT the SELECT privilege to PUBLIC for SYSCAT views. Therefore, it is strongly recommended to explicitly REVOKE the SELECT privilege on the SYSCAT.WORKLOADAUTH view from PUBLIC to reduce risk to the organization's data.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'WORKLOADAUTH'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => revoke select on syscat.workloadauth from public
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050558.html?cp=SSEPGG_10.5.0%2F2-12-8-127&lang=en
6.28 Restrict Access to SYSCAT.XSROBJECTAUTH (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The SYSCAT.XSROBJECTAUTH view contains the granted USAGE privileges on a particular XSR object for users, groups, or roles and is read only.
Rationale:
Any databases created without the RESTRICT option automatically GRANT the SELECT privilege to PUBLIC for SYSCAT views. Therefore, it is strongly recommended to explicitly REVOKE the SELECT privilege on the SYSCAT.XSROBJECTAUTH view from PUBLIC to reduce risk to the organization's data.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'XSROBJECTAUTH'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => revoke select on syscat.xsrobjectauth from public
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0021693.html?cp=SSEPGG_10.5.0%2F2-12-8-135&lang=en
6.29 Restrict Access to SYSCAT.AUTHORIZATIONIDS (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
SYSCAT.AUTHORIZATIONIDS is an administrative view for the currently connected server.
Rationale:
Databases created without the RESTRICT option automatically GRANT the SELECT privilege to PUBLIC for SYSCAT views. Therefore, it is strongly recommended to explicitly REVOKE the SELECT privilege on the SYSCAT.AUTHORIZATIONIDS view from PUBLIC to reduce risk to the organization's data.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUTHORIZATIONIDS'
3. Review privileges granted to users, groups, and roles. If the output is BLANK, then it is considered a successful finding.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => revoke select on syscat.AUTHORIZATIONIDS from public
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.rtn.doc/doc/r0021977.html?lang=en
![Page 145: CIS IBM DB2 10 Benchmark v1.1.0 - ITSecure€¦ · This document, Security Configuration Benchmark for IBM DB2, provides prescriptive guidance for establishing a secure configuration](https://reader030.fdocuments.in/reader030/viewer/2022040214/5eadedeaa38bc801c611dc5c/html5/thumbnails/145.jpg)
144|P a g e
6.30 Restrict Access to SYSIBMADM.OBJECTOWNERS (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SYSIBMADM.OBJECTOWNERS administrative view shows all object ownership information for each authorization ID of type USER that owns an object defined in the system catalog of the currently connected database.
Rationale:
Any database created without the RESTRICT option automatically GRANTs the SELECT privilege to PUBLIC on administrative views such as this one, so any connected user can map which authorization ID owns which objects. Therefore, it is strongly recommended to explicitly REVOKE the SELECT privilege on the SYSIBMADM.OBJECTOWNERS view from PUBLIC to reduce risk to the organization's data.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select rtrim(grantee) as grantee, granteetype, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSIBMADM' and ttname = 'OBJECTOWNERS'
3. Review the privileges granted to users, groups, and roles. If the query returns no rows, the check passes. A row for grantee PUBLIC with selectauth 'Y' or 'G' is a failure.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => revoke select on SYSIBMADM.OBJECTOWNERS from public
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.rtn.doc/doc/r0021979.html?cp=SSEPGG_10.5.0%2F3-6-1-3-12-6&lang=en
6.31 Restrict Access to SYSIBMADM.PRIVILEGES (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SYSIBMADM.PRIVILEGES administrative view displays all explicit privileges for all authorization IDs recorded in the system catalog of the currently connected database.
Rationale:
Any database created without the RESTRICT option automatically GRANTs the SELECT privilege to PUBLIC on catalog and administrative views, so any connected user can read the complete privilege map of the database and pick the most valuable account to target. Therefore, it is strongly recommended to explicitly REVOKE the SELECT privilege on SYSIBMADM.PRIVILEGES from PUBLIC to reduce risk to the organization's data.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select rtrim(grantee) as grantee, granteetype, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSIBMADM' and ttname = 'PRIVILEGES'
3. Review the privileges granted to users, groups, and roles. If the query returns no rows, the check passes. A row for grantee PUBLIC with selectauth 'Y' or 'G' is a failure.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => revoke select on SYSIBMADM.PRIVILEGES from public
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.rtn.doc/doc/r0021978.html?cp=SSEPGG_10.5.0%2F3-6-1-3-12-7&lang=en
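The three checks above (6.29 to 6.31) each query one view by name. The following query, added here as an example and not part of the CIS benchmark, does the same audit in one pass over SYSCAT.TABAUTH and emits the matching REVOKE statement for every hit, so the finding and its fix come from the same result set. It assumes a connection to the database under review and that the auditing ID can still read SYSCAT.TABAUTH; nothing else is assumed.

```sql
-- Added example (not part of the CIS benchmark): catalog/admin views on which
-- PUBLIC still holds SELECT, with the REVOKE that removes each grant.
-- GRANTEETYPE 'G' is how PUBLIC is recorded; SELECTAUTH 'G' means held WITH GRANT OPTION.
SELECT RTRIM(TABSCHEMA) AS TABSCHEMA,
       RTRIM(TABNAME)   AS TABNAME,
       SELECTAUTH,
       'REVOKE SELECT ON ' || RTRIM(TABSCHEMA) || '.' || RTRIM(TABNAME)
         || ' FROM PUBLIC;' AS REVOKE_STMT
FROM   SYSCAT.TABAUTH
WHERE  GRANTEE     = 'PUBLIC'
  AND  GRANTEETYPE = 'G'
  AND  SELECTAUTH  IN ('Y', 'G')
  -- the views named in 6.29, 6.30 and 6.31; drop this predicate to see every
  -- catalog view PUBLIC can read
  AND  (   (TABSCHEMA = 'SYSCAT'    AND TABNAME = 'AUTHORIZATIONIDS')
        OR (TABSCHEMA = 'SYSIBMADM' AND TABNAME IN ('OBJECTOWNERS', 'PRIVILEGES')) )
ORDER  BY TABSCHEMA, TABNAME;
```

No rows means all three checks pass. To turn the output into a remediation script, select only the REVOKE_STMT column, run the file with `db2 -x -tf audit.sql > revoke.sql`, review it, and apply it with `db2 -tvf revoke.sql`. Without the last predicate a non-restrictive database returns hundreds of rows; revoking SELECT on the whole catalog from PUBLIC breaks tools and applications that introspect the catalog, so in that case re-grant SELECT on the needed views to a role held by the IDs that legitimately need it rather than leaving the grants on PUBLIC.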
7 DB2 Authorities
This section provides guidance on securing the authorities that exist in the DB2 instance and database.
7.1 Secure SYSADM authority (Scored)
Profile Applicability:
• Level 2 - RDBMS
• Level 2 - Windows Host OS
• Level 2 - Linux Host OS
Description:
The sysadm_group database manager configuration parameter names the operating system group whose members hold system administration (SYSADM) authority, the highest level of authority in the instance. SYSADM implicitly includes SYSCTRL, SYSMAINT and SYSMON. It is recommended that the sysadm_group group contain authorized users only.
Rationale:
If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the DB2 instance will be at increased risk.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the sysadm_group value in the output and ensure the value is not NULL:
db2 => get database manager configuration
…
SYSADM group name (SYSADM_GROUP) = DB2ADM
Note: sysadm_group is set to DB2ADM in the above output.
4. Review the members of the sysadm_group on the operating system.
Linux:
grep '^<sysadm group name>:' /etc/group
If the instance resolves groups from a directory (LDAP, NIS), /etc/group does not list them; use getent group <sysadm group name> instead.
Windows:
1. Run compmgmt.msc
2. Click 'Local Users and Groups'
3. Double click 'Groups'
4. Double click <sysadm group name>
5. Review group members
Remediation:
Define a valid group name for the SYSADM group.
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using sysadm_group <sys adm group name>
3. The parameter is not configurable online; the new value takes effect the next time the instance is started (db2stop followed by db2start).
Default Value:
The default value for sysadm_group is NULL. A NULL value does not mean that nobody holds SYSADM: on Linux and UNIX the authority then falls to the primary group of the instance owner, and on Windows to members of the local Administrators group.
7.2 Secure SYSCTRL authority (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The sysctrl_group database manager configuration parameter names the operating system group whose members hold system control (SYSCTRL) authority. SYSCTRL can create and drop databases, change instance and database configuration, force off users and manage storage, but has no inherent access to table data. It is recommended that the sysctrl_group group contain authorized users only.
Rationale:
If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the DB2 instance will be at increased risk.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the sysctrl_group value in the output and ensure the value is not NULL:
db2 => get database manager configuration
…
SYSCTRL group name (SYSCTRL_GROUP) = DB2CTRL
Note: sysctrl_group is set to DB2CTRL in the above output.
4. Review the members of the sysctrl_group on the operating system. Members of the SYSADM group (7.1) hold SYSCTRL implicitly, so review that group as well.
Linux:
grep '^<sysctrl group name>:' /etc/group
For directory-backed groups (LDAP, NIS), use getent group <sysctrl group name>.
Windows:
1. Run compmgmt.msc
2. Click 'Local Users and Groups'
3. Double click 'Groups'
4. Double click <sysctrl group name>
5. Review group members
Remediation:
Define a valid group name for the SYSCTRL group.
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using sysctrl_group <sys control group name>
3. The new value takes effect the next time the instance is started (db2stop followed by db2start).
Default Value:
The default value for sysctrl_group is NULL.
7.3 Secure SYSMAINT Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
The sysmaint_group database manager configuration parameter names the operating system group whose members hold system maintenance (SYSMAINT) authority. SYSMAINT can back up, restore and roll forward every database in the instance, run RUNSTATS and REORG, and update database configuration, but has no inherent access to table data. It is recommended that the sysmaint_group group contain authorized users only.
Rationale:
If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the DB2 instance will be at increased risk.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the sysmaint_group value in the output and ensure the value is not NULL:
db2 => get database manager configuration
…
SYSMAINT group name (SYSMAINT_GROUP) = DB2MAINT
Note: sysmaint_group is set to DB2MAINT in the above output.
4. Review the members of the sysmaint_group on the operating system. Members of the SYSADM and SYSCTRL groups (7.1, 7.2) hold SYSMAINT implicitly, so review those groups as well.
Linux:
grep '^<sysmaint group name>:' /etc/group
For directory-backed groups (LDAP, NIS), use getent group <sysmaint group name>.
Windows:
1. Run compmgmt.msc
2. Click 'Local Users and Groups'
3. Double click 'Groups'
4. Double click <sysmaint group name>
5. Review group members
Remediation:
Define a valid group name for the SYSMAINT group.
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using sysmaint_group <sys maintenance group name>
3. The new value takes effect the next time the instance is started (db2stop followed by db2start).
Default Value:
The default value for sysmaint_group is NULL.
7.4 Secure SYSMON Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The sysmon_group database manager configuration parameter names the operating system group whose members hold system monitor (SYSMON) authority. SYSMON can take snapshots, list active databases and applications and use the other database system monitor functions for the whole instance, but has no inherent access to table data. It is recommended that the sysmon_group group contain authorized users only.
Rationale:
If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the DB2 instance will be at increased risk.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => get database manager configuration
3. Locate the sysmon_group value in the output and ensure the value is not NULL:
db2 => get database manager configuration
…
SYSMON group name (SYSMON_GROUP) = DB2MON
Note: sysmon_group is set to DB2MON in the above output.
4. Review the members of the sysmon_group on the operating system. Members of the SYSADM, SYSCTRL and SYSMAINT groups hold SYSMON implicitly.
Linux:
grep '^<sysmon group name>:' /etc/group
For directory-backed groups (LDAP, NIS), use getent group <sysmon group name>.
Windows:
1. Run compmgmt.msc
2. Click 'Local Users and Groups'
3. Double click 'Groups'
4. Double click <sysmon group name>
5. Review group members
Remediation:
Define a valid group name for the SYSMON group.
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => update database manager configuration using sysmon_group <sys monitor group name>
3. The new value takes effect the next time the instance is started (db2stop followed by db2start).
Default Value:
The default value for sysmon_group is NULL.
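Items 7.1 to 7.4 check one parameter at a time and then leave the group-membership review to the operating system. The SQL below is an added example, not part of the CIS benchmark: it reads all four group parameters from the SYSIBMADM.DBMCFG view and then asks DB2 itself which groups it resolves for a given authorization ID and which instance authorities that ID ends up holding, whether directly, through a group, or through a role. It assumes a connection to any database in the instance; 'APPUSER1' is an assumed authorization ID to be replaced with the account under review.

```sql
-- Added example (not part of the CIS benchmark).

-- 1. The four group parameters as the running instance sees them.
--    DEFERRED_VALUE differs from VALUE when an update is pending a restart.
--    A NULL sysadm_group means SYSADM falls back to the OS default (instance
--    owner's primary group on Linux/UNIX, local Administrators on Windows).
SELECT NAME, VALUE, DEFERRED_VALUE
FROM   SYSIBMADM.DBMCFG
WHERE  NAME IN ('sysadm_group', 'sysctrl_group', 'sysmaint_group', 'sysmon_group');

-- 2. The OS groups DB2's group plug-in returns for the ID. This is the
--    membership that actually counts, which may differ from /etc/group when
--    groups come from LDAP or a domain.
SELECT * FROM TABLE (SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID('APPUSER1')) AS T;

-- 3. Effective instance authorities for the ID. 'Y' = held, 'N' = not held,
--    '*' = that source does not apply to the authority. D_GROUP = 'Y' on the
--    SYSADM row means the ID is in (or falls back into) the SYSADM group.
SELECT AUTHORITY, D_USER, D_GROUP, D_PUBLIC, ROLE_USER, ROLE_GROUP, ROLE_PUBLIC, D_ROLE
FROM   TABLE (SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID('APPUSER1', 'U')) AS T
WHERE  AUTHORITY IN ('SYSADM', 'SYSCTRL', 'SYSMAINT', 'SYSMON')
ORDER  BY AUTHORITY;
```

Run step 3 for every ID that is expected not to hold these authorities (application service accounts first); a 'Y' in any column other than the one you expect is a finding even when the group parameters look correct, because it means the ID reaches the authority through a group or role you did not review. The second argument 'U' selects a user; pass 'G' or 'R' to evaluate a group or a role instead.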
7.5 Secure SECADM Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The SECADM (security administrator) authority allows its holder to create, alter (where applicable), and drop roles, trusted contexts, audit policies, security label components, security policies and security labels. It is also the authority required to grant and revoke roles, security labels and exemptions, and the SETSESSIONUSER privilege. SECADM authority has no inherent privilege to access data stored in tables, but whoever holds it can grant that access to anyone, including themselves. It is recommended that SECADM authority be granted to authorized users only.
Rationale:
If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the DB2 instance will be at increased risk.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select distinct grantee, granteetype from syscat.dbauth where securityadmauth = 'Y'
3. Review the list of grantees in the above output to ensure only approved users are assigned. The granteetype column shows whether a row is a user (U), group (G) or role (R); a group or role row means every member of that group or role holds SECADM, so review the membership as well.
Remediation:
Revoke this authority from any unauthorized grantees.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SECADM ON DATABASE FROM USER <username>
For a group or role grantee use FROM GROUP <groupname> or FROM ROLE <rolename> instead. Revoking SECADM itself requires SECADM authority, so confirm that an approved SECADM holder remains before revoking.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0021054.html?lang=en
7.6 Secure DBADM Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The DBADM (database administration) authority allows a user to perform administrative tasks on a specific database. When DBADM is granted it normally carries DATAACCESS and ACCESSCTRL with it (unless granted WITHOUT DATAACCESS or WITHOUT ACCESSCTRL), so a DBADM holder can usually read and change all data and grant privileges to others. It is recommended that DBADM authority be granted to authorized users only.
Rationale:
If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the database will be at increased risk.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select distinct grantee, granteetype from syscat.dbauth where dbadmauth = 'Y'
3. Review the list of grantees in the above output to ensure only approved users are assigned. A group (G) or role (R) row means every member holds DBADM.
Remediation:
Revoke this authority from any unauthorized grantees.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE DBADM ON DATABASE FROM USER <username>
Use FROM GROUP or FROM ROLE for group and role grantees. DATAACCESS and ACCESSCTRL are recorded in separate columns of SYSCAT.DBAUTH and are not necessarily removed together with DBADM, so re-run the audits in 7.8 and 7.9 afterwards and revoke them explicitly if they remain.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005521.html?lang=en
7.7 Secure SQLADM Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The SQLADM authority is required to monitor, tune, and alter SQL statements.
Rationale:
The SQLADM authority can CREATE, SET, FLUSH, and DROP EVENT MONITORS and perform RUNSTATS and REORG on indexes and tables. SQLADM can be granted to users, groups, roles, or PUBLIC. SQLADM authority is a subset of the DBADM authority and can be granted by a holder of SECADM (or ACCESSCTRL) authority.
Audit:
1. Run the following command from the DB2 command window:
select distinct grantee, granteetype from syscat.dbauth where sqladmauth = 'Y'
2. Review the list of grantees in the above output to ensure only approved users are assigned. A grantee of PUBLIC means every connected user holds SQLADM.
Remediation:
1. Revoke SQLADM authority from any unauthorized grantees (use FROM GROUP, FROM ROLE or FROM PUBLIC as the granteetype requires).
REVOKE SQLADM ON DATABASE FROM USER <username>
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053931.html?lang=en
7.8 Secure DATAACCESS Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The DATAACCESS authority grants access to the data in a specific database: its holder can SELECT, INSERT, UPDATE and DELETE on any table or view, LOAD into any table, and EXECUTE any package or routine, regardless of object-level privileges.
The DATAACCESS authority cannot be granted to PUBLIC.
Rationale:
The DATAACCESS authority gives the grantee read access to, and control over, all of the data in the database. DATAACCESS can be granted to users, groups, or roles, but not PUBLIC. DATAACCESS authority is a subset of the DBADM authority and can only be granted by the SECADM authority.
Audit:
1. Run the following command from the DB2 command window:
select distinct grantee, granteetype from syscat.dbauth where dataaccessauth = 'Y'
2. Review the list of grantees in the above output to ensure only approved users are assigned. A group (G) or role (R) row means every member holds DATAACCESS.
Remediation:
1. Revoke DATAACCESS authority from any unauthorized grantees (use FROM GROUP or FROM ROLE as the granteetype requires; SECADM authority is needed to revoke it).
REVOKE DATAACCESS ON DATABASE FROM USER <username>
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005524.html?lang=en
7.9 Secure ACCESSCTRL Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
ACCESSCTRL authority is the authority required to grant and revoke privileges on objects within a specific database, and to grant and revoke the database authorities BINDADD, CONNECT, CREATETAB, CREATE_EXTERNAL_ROUTINE, LOAD, and QUIESCE_CONNECT. It has no inherent privilege to access data stored in tables, except the catalog tables and views.
The ACCESSCTRL authority cannot be granted to PUBLIC.
Rationale:
The ACCESSCTRL authority gives the grantee access control over a specific database. With this authority, the grantee can grant and revoke privileges to other users, including to themselves, which makes it equivalent to data access in practice. ACCESSCTRL can be granted to users, groups, or roles, but not PUBLIC. ACCESSCTRL authority can only be granted by the SECADM authority.
Audit:
1. Run the following command from the DB2 command window:
select distinct grantee, granteetype from syscat.dbauth where accessctrlauth = 'Y'
2. Review the list of grantees in the above output to ensure only approved users are assigned. A group (G) or role (R) row means every member holds ACCESSCTRL.
Remediation:
1. Revoke ACCESSCTRL authority from any unauthorized grantees (use FROM GROUP or FROM ROLE as the granteetype requires; SECADM authority is needed to revoke it).
REVOKE ACCESSCTRL ON DATABASE FROM USER <username>
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053933.html?lang=en
7.10 Secure WLMADM authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
The WLMADM authority manages workload objects for a database. Holders of DBADM authority implicitly also hold WLMADM authority.
Rationale:
The WLMADM authority enables creating, altering, dropping, commenting on, granting, and revoking access to workload objects (service classes, workloads, thresholds and work action sets) for a database. Misuse can throttle or block legitimate sessions or remove the thresholds that protect the system.
Audit:
1. Run the following command from the DB2 command window:
select distinct grantee, granteetype from syscat.dbauth where wlmadmauth = 'Y'
2. Determine whether each grantee is correctly set. The query lists explicit WLMADM grants only; DBADM holders (7.6) have the authority implicitly and do not appear here.
Remediation:
1. Revoke the authority from any grantee who should NOT have WLMADM (use FROM GROUP, FROM ROLE or FROM PUBLIC as the granteetype requires):
REVOKE WLMADM ON DATABASE FROM USER <username>
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053932.html?lang=en
7.11 Secure CREATETAB Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The CREATETAB (create table) authority allows a user to create tables within a specific database. It is recommended that CREATETAB authority be granted to authorized users only.
Rationale:
Review all users that have this authority to avoid the addition of unnecessary and/or inappropriate users. A database created without the RESTRICTIVE option grants CREATETAB to PUBLIC, so every connected user can create tables and consume storage.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select distinct grantee, granteetype from syscat.dbauth where createtabauth = 'Y'
3. Review the list of grantees in the above output to ensure only approved users are assigned. A row for PUBLIC (granteetype G) is the default grant described above.
Remediation:
Revoke this authority from any unauthorized grantees.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE CREATETAB ON DATABASE FROM USER <username>
To remove the default grant use REVOKE CREATETAB ON DATABASE FROM PUBLIC; use FROM GROUP or FROM ROLE for group and role grantees.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0054269.html?lang=en
7.12 Secure BINDADD Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The BINDADD (bind application) authority allows a user to create new packages in a specific database by binding them. It is recommended that BINDADD authority be granted to authorized users only. A database created without the RESTRICTIVE option grants BINDADD to PUBLIC.
Rationale:
If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the database will be at increased risk.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select distinct grantee, granteetype from syscat.dbauth where bindaddauth = 'Y'
3. Review the list of grantees in the above output to ensure only approved users are assigned. A row for PUBLIC (granteetype G) is the default grant described above.
Remediation:
Revoke this authority from any unauthorized grantees.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE BINDADD ON DATABASE FROM USER <username>
To remove the default grant use REVOKE BINDADD ON DATABASE FROM PUBLIC; use FROM GROUP or FROM ROLE for group and role grantees.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005524.html?lang=en
7.13 Secure CONNECT Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The CONNECT authority allows an authorization ID to establish a connection to a specific database. It is the gate to every other privilege in that database: an ID that cannot connect cannot use anything else it holds. It is recommended that CONNECT authority be granted to authorized users only. A database created without the RESTRICTIVE option grants CONNECT to PUBLIC, which lets any ID the instance can authenticate connect.
Rationale:
All users that have this authority should be regularly reviewed.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select distinct grantee, granteetype from syscat.dbauth where connectauth = 'Y'
3. Review the list of grantees in the above output to ensure only approved users are assigned. A row for PUBLIC (granteetype G) is the default grant described above.
Remediation:
Revoke this authority from any unauthorized grantees.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE CONNECT ON DATABASE FROM USER <username>
To remove the default grant use REVOKE CONNECT ON DATABASE FROM PUBLIC, after first granting CONNECT explicitly to the users, groups or roles that must keep it (including the account performing the change).
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.qb.dbconn.doc/doc/r0059046.html?cp=SSEPGG_10.5.0%2F6&lang=en
7.14 Secure LOAD Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The LOAD authority allows a user to run the LOAD utility against tables in the database (together with INSERT privilege on the target table, and DELETE privilege for LOAD REPLACE). LOAD reads its input files on the database server and bypasses the triggers and per-row logging of ordinary INSERT, so it can change large amounts of data with little trace. It is recommended that LOAD authority be granted to authorized users only.
Rationale:
All users that have this authority should be regularly reviewed.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select distinct grantee, granteetype from syscat.dbauth where loadauth = 'Y'
3. Review the list of grantees in the above output to ensure only approved users are assigned.
Remediation:
Revoke this authority from any unauthorized grantees.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE LOAD ON DATABASE FROM USER <username>
Use FROM GROUP or FROM ROLE for group and role grantees.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005522.html?lang=en
7.15 Secure EXTERNAL ROUTINE Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The CREATE_EXTERNAL_ROUTINE authority allows a user to create external user-defined functions and procedures (routines implemented in a language such as C or Java and loaded from a library on the server) in a specific database. Because such routines run native code on the database server, this authority amounts to code execution on the host.
Rationale:
All users with this authority should be regularly reviewed and approved.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select distinct grantee, granteetype from syscat.dbauth where externalroutineauth = 'Y'
3. Review the list of grantees in the above output to ensure only approved users are assigned.
Remediation:
Revoke this authority from any unauthorized grantees.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE CREATE_EXTERNAL_ROUTINE ON DATABASE FROM USER <username>
Use FROM GROUP or FROM ROLE for group and role grantees.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.apdv.routines.doc/doc/c0009198.html?lang=en
7.16 Secure QUIESCE_CONNECT Authority (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
The QUIESCE_CONNECT authority allows a user to connect to a database even while it is in the quiesced state, when ordinary CONNECT holders are refused. Quiesce is used to keep users out during maintenance or incident handling, so this authority bypasses that control.
Rationale:
It is recommended that QUIESCE_CONNECT authority be granted to authorized users only.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select distinct grantee, granteetype from syscat.dbauth where quiesceconnectauth = 'Y'
3. Review the list of grantees in the above output to ensure only approved users are assigned.
Remediation:
Revoke this authority from any unauthorized grantees.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE QUIESCE_CONNECT ON DATABASE FROM USER <username>
Use FROM GROUP or FROM ROLE for group and role grantees.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.apdv.api.doc/doc/r0009331.html?lang=en
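Items 7.5 to 7.16 each run one query against SYSCAT.DBAUTH and give one REVOKE with the USER form only. The query below is an added example, not part of the CIS benchmark: it covers all twelve database authorities in a single pass, names the authority on each row, and builds the REVOKE with the correct USER, GROUP, ROLE or PUBLIC form from the granteetype, so that group and role grants and the PUBLIC defaults (CONNECT, CREATETAB, BINDADD on a non-restrictive database) cannot be missed. It assumes only a connection to the database under review.

```sql
-- Added example (not part of the CIS benchmark): every explicit database
-- authority in SYSCAT.DBAUTH with the REVOKE statement that removes it.
WITH HELD (GRANTEE, GRANTEETYPE, AUTHORITY) AS (
            SELECT GRANTEE, GRANTEETYPE, 'SECADM'                  FROM SYSCAT.DBAUTH WHERE SECURITYADMAUTH     = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'DBADM'                   FROM SYSCAT.DBAUTH WHERE DBADMAUTH           = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'ACCESSCTRL'              FROM SYSCAT.DBAUTH WHERE ACCESSCTRLAUTH      = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'DATAACCESS'              FROM SYSCAT.DBAUTH WHERE DATAACCESSAUTH      = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'SQLADM'                  FROM SYSCAT.DBAUTH WHERE SQLADMAUTH          = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'WLMADM'                  FROM SYSCAT.DBAUTH WHERE WLMADMAUTH          = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'CREATETAB'               FROM SYSCAT.DBAUTH WHERE CREATETABAUTH       = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'BINDADD'                 FROM SYSCAT.DBAUTH WHERE BINDADDAUTH         = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'CONNECT'                 FROM SYSCAT.DBAUTH WHERE CONNECTAUTH         = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'LOAD'                    FROM SYSCAT.DBAUTH WHERE LOADAUTH            = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'CREATE_EXTERNAL_ROUTINE' FROM SYSCAT.DBAUTH WHERE EXTERNALROUTINEAUTH = 'Y'
  UNION ALL SELECT GRANTEE, GRANTEETYPE, 'QUIESCE_CONNECT'         FROM SYSCAT.DBAUTH WHERE QUIESCECONNECTAUTH  = 'Y'
)
SELECT RTRIM(GRANTEE) AS GRANTEE,
       GRANTEETYPE,                       -- U = user, G = group (PUBLIC is recorded as a G), R = role
       AUTHORITY,
       'REVOKE ' || AUTHORITY || ' ON DATABASE FROM '
         || CASE WHEN GRANTEE = 'PUBLIC'  THEN 'PUBLIC'
                 WHEN GRANTEETYPE = 'U'   THEN 'USER '  || RTRIM(GRANTEE)
                 WHEN GRANTEETYPE = 'G'   THEN 'GROUP ' || RTRIM(GRANTEE)
                 ELSE                          'ROLE '  || RTRIM(GRANTEE)
            END || ';' AS REVOKE_STMT
FROM   HELD
ORDER  BY CASE WHEN GRANTEE = 'PUBLIC' THEN 0 ELSE 1 END,   -- PUBLIC rows first: those are the defaults
          GRANTEE, AUTHORITY;
```

Treat the REVOKE_STMT column as a worksheet, not a script: delete the rows for approved holders, keep the account that will run the statements (and its CONNECT) until last, and note that revoking SECADM, DBADM, ACCESSCTRL or DATAACCESS requires SECADM authority while the remaining authorities need ACCESSCTRL or SECADM. A DBADM holder appears on three rows (DBADM, DATAACCESS, ACCESSCTRL) because the three are stored independently, which is exactly why revoking DBADM alone is not enough.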
8 DB2 Roles
Roles simplify the administration and management of privileges by offering an equivalent capability as groups but without the same restrictions. A role is a database object that groups together one or more privileges and can be assigned to users, groups, PUBLIC, or other roles by using a GRANT statement. All the roles assigned to a user are enabled when that user establishes a connection, so all privileges and authorities granted to roles are taken into account when a user connects. Roles cannot be explicitly enabled or disabled.
8.1 Review Roles (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
Roles provide several advantages that make it easier to manage privileges in a database system. Security administrators can control access to their databases in a way that mirrors the structure of their organizations (they can create roles in the database that map directly to the job functions in their organizations). The assignment of privileges is simplified. Instead of granting the same set of privileges to each individual user in a particular job function, the administrator can grant this set of privileges to a role representing that job function and then grant that role to each user in that job function.
Rationale:
Reviewing the roles within a database helps minimize the possibility of unwanted access.
Audit:
1. Attach to a DB2 Instance:
db2 => attach to $DB2INSTANCE
2. Connect to the DB2 database:
db2 => connect to $DBNAME
3. Run the following and review the results to determine if each role name still has a business requirement to access the data:
db2 => select rolename from syscat.roleauth where grantortype <> 'S' group by rolename
This lists roles that have been granted to at least one user, group or role. Roles that exist but have never been granted do not appear; list them from SYSCAT.ROLES to find unused roles.
Remediation:
To remove a role from the database:
1. Attach to a DB2 Instance:
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database:
db2 => connect to $DBNAME
3. Run the following:
db2 => drop role <role name>
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0050531.html
8.2 Review Role Members (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
Having roles that have been granted specific privileges, then assigning users to the roles, is usually considered the best way to grant application access. Because granting privileges to individual users can be more difficult to track and maintain against unauthorized access, users should be assigned to organization-defined database roles according to the needs of the business. As users leave the organization or change responsibilities within the organization, the appropriate roles for them change as well, so role membership needs to be reviewed and verified periodically.
Rationale:
Users who have excessive privileges not needed to do their jobs pose an unnecessary risk to the organization as an insider threat.
Audit:
1. Attach to a DB2 Instance:
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database:
db2 => connect to $DBNAME
3. Run the following to review and verify that the role members are correct for each role:
db2 => select rolename, grantee from syscat.roleauth where grantortype <> 'S' group by rolename, grantee
Remediation:
To remove a role member from a particular role:
1. Attach to a DB2 Instance:
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database:
db2 => connect to $DBNAME
3. Run the following:
db2 => revoke role <role name> from <role member>
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0050531.html
8.3 Nested Roles (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
The user-defined roles in DB2 can be nested in the same fashion as Windows security groups: a nested group has both its directly assigned permissions as well as the assigned group permissions. By nesting roles, the database administrator is saving time by only having to assign a group of users versus assigning them individually. Nesting roles properly can often ease the application of the security model if it's kept fairly shallow, and if the roles are logically named. If these are all true, then nesting of roles is a good idea.
Rationale:
As tracking multiple levels of permissions can result in unauthorized access to data resources, this capability should be restricted according to the needs of the business.
Audit:
1. Attach to DB2 Instance:
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database:
db2 => connect to $DBNAME
3. Run the following to identify any nested roles:
db2 => select grantee, rolename from syscat.roleauth where grantee in (select rolename from syscat.roles)
NOTE: If the value is blank, this would be considered passing.
Remediation:
To remove a nested role, perform the following:
1. Attach to DB2 Instance:
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database:
db2 => connect to $DBNAME
3. Run the following:
db2 => revoke role <role name> from role <role>
8.4 Review Roles granted to PUBLIC (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
Granting to PUBLIC increases the risk of unauthorized entry into the database. Because PUBLIC is accessible by any database user, it is important to understand the exposure it has on all database objects. It would make sense to grant role membership to PUBLIC if all users required all the privileges granted through that role.
Rationale:
As any role granted to PUBLIC can potentially allow the compromise of database availability, confidentiality, or integrity, these roles should be restricted according to the needs of the business.
Audit:
1. Attach to a DB2 Instance:
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database:
db2 => connect to $DBNAME
3. Run the following:
db2 => select grantee, rolename from syscat.roleauth where grantee = 'PUBLIC'
NOTE: If the value returned is blank, that is considered a passable finding.
Remediation:
To remove a role member from a particular role:
1. Attach to a DB2 Instance:
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database:
db2 => connect to $DBNAME
3. Run the following:
db2 => revoke role <role name> from PUBLIC
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0050531.html
8.5 Review Role Grantees with WITH ADMIN OPTION (Scored)
Profile Applicability:
• Level 2 - RDBMS
Description:
Using the WITH ADMIN OPTION clause of the GRANT (Role) SQL statement, the security administrator can delegate the management and control of membership in a role to someone else.
Rationale:
The WITH ADMIN OPTION clause gives another user the authority to grant membership in the role to other users, to revoke membership in the role from other members of the role, and to comment on a role, but not to drop the role.
Audit:
1. Attach to DB2 Instance:
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database:
db2 => connect to $DBNAME
3. Perform the following query:
db2 => select rolename, grantee, admin from syscat.roleauth where grantortype <> 'S' and admin = 'Y'
NOTE: If the value returned is blank, that is considered a passable finding.
Remediation:
1. Attach to DB2 Instance:
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database:
db2 => connect to $DBNAME
3. Perform the following query:
db2 => revoke admin option for role <role name> from user <user name>
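The five role checks in 8.1 through 8.5 each look at one slice of SYSCAT.ROLEAUTH. The script below, an added example that is not part of the CIS benchmark or of DB2, runs the same checks together and adds the one a reviewer usually needs next: the effective set of roles a user ends up with once nested roles and grants to PUBLIC are followed, which the direct-membership query in 8.2 does not show. It runs offline against an in-memory SQLite emulation of SYSCAT.ROLES and SYSCAT.ROLEAUTH filled with constructed rows (the names SECADM1, ALICE, BOB, CAROL and the APP_* roles are invented); on a real instance the same statements would be issued through the db2 CLP against the catalog views. DB2 writes a recursive common table expression without the RECURSIVE keyword and with UNION ALL, which is the form used here apart from that keyword.

```python
"""Role-hierarchy audit modelled on recommendations 8.1-8.5 (added example;
the catalog is a constructed SQLite emulation, not a real DB2 catalog)."""
import sqlite3

# Constructed sample catalog rows; column order mirrors the SYSCAT.ROLEAUTH
# columns the benchmark's queries use.
SAMPLE_ROLES = ["APP_READ", "APP_WRITE", "APP_ADMIN", "REPORTING"]
SAMPLE_ROLEAUTH = [
    # (grantor, grantortype, grantee, granteetype, rolename, admin)
    ("SECADM1", "U", "ALICE", "U", "APP_READ", "N"),
    ("SECADM1", "U", "BOB", "U", "APP_WRITE", "Y"),        # BOB holds WITH ADMIN OPTION (8.5)
    ("SECADM1", "U", "APP_WRITE", "R", "APP_READ", "N"),   # role nested in a role (8.3)
    ("SECADM1", "U", "APP_ADMIN", "R", "APP_WRITE", "N"),  # second nesting level
    ("SECADM1", "U", "CAROL", "U", "APP_ADMIN", "N"),
    ("SECADM1", "U", "PUBLIC", "G", "REPORTING", "N"),     # role granted to PUBLIC (8.4)
    ("SYSIBM", "S", "SYSTEMUSER", "U", "REPORTING", "N"),  # system grant, excluded like the benchmark
]

MAX_DEPTH = 16  # stops the recursive walk if a grant cycle is ever present


def load_catalog():
    """Build the emulated catalog in memory and return the connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roles (rolename TEXT PRIMARY KEY)")
    conn.execute("""CREATE TABLE roleauth (
        grantor TEXT, grantortype TEXT, grantee TEXT, granteetype TEXT,
        rolename TEXT, admin TEXT)""")
    conn.executemany("INSERT INTO roles VALUES (?)", [(r,) for r in SAMPLE_ROLES])
    conn.executemany("INSERT INTO roleauth VALUES (?,?,?,?,?,?)", SAMPLE_ROLEAUTH)
    return conn


def nested_roles(conn):
    """8.3: direct role-to-role grants; a non-empty result means nesting is in use."""
    rows = conn.execute(
        "SELECT grantee, rolename FROM roleauth "
        "WHERE grantee IN (SELECT rolename FROM roles) ORDER BY grantee, rolename").fetchall()
    return [tuple(r) for r in rows]


def roles_granted_to_public(conn):
    """8.4: roles every connected authorization ID receives implicitly."""
    rows = conn.execute(
        "SELECT rolename FROM roleauth WHERE grantee = 'PUBLIC' ORDER BY rolename").fetchall()
    return [r[0] for r in rows]


def admin_grantees(conn):
    """8.5: grantees that can themselves grant or revoke membership in the role."""
    rows = conn.execute(
        "SELECT rolename, grantee FROM roleauth "
        "WHERE grantortype <> 'S' AND admin = 'Y' ORDER BY rolename, grantee").fetchall()
    return [tuple(r) for r in rows]


def effective_roles(conn, authid):
    """Every role the authorization ID holds, following nested roles and PUBLIC.
    The 8.2 query lists direct members only, so stopping there understates access."""
    sql = """
    WITH RECURSIVE reach(rolename, depth) AS (
        SELECT rolename, 1 FROM roleauth WHERE grantee IN (?, 'PUBLIC')
        UNION ALL
        SELECT ra.rolename, reach.depth + 1
        FROM roleauth ra JOIN reach ON ra.grantee = reach.rolename
        WHERE reach.depth < ?
    )
    SELECT DISTINCT rolename FROM reach"""
    return {r[0] for r in conn.execute(sql, (authid, MAX_DEPTH))}


def nesting_depth(conn):
    """Longest chain of role-in-role grants; the benchmark wants nesting kept shallow."""
    contains = {}
    for parent, child in nested_roles(conn):
        contains.setdefault(parent, []).append(child)

    def depth(role, seen):
        if role in seen:  # a cycle would otherwise recurse without end
            return 0
        seen = seen | {role}
        return max((1 + depth(c, seen) for c in contains.get(role, [])), default=0)

    return max((depth(r, frozenset()) for r in contains), default=0)


if __name__ == "__main__":
    c = load_catalog()
    print("nested roles:", nested_roles(c))
    print("granted to PUBLIC:", roles_granted_to_public(c))
    print("WITH ADMIN OPTION:", admin_grantees(c))
    print("nesting depth:", nesting_depth(c))
    for user in ("ALICE", "BOB", "CAROL"):
        print(user, "effectively holds", sorted(effective_roles(c, user)))
```

With the constructed rows, CAROL is a direct member of APP_ADMIN only, yet effectively holds APP_ADMIN, APP_WRITE, APP_READ and (through PUBLIC) REPORTING; that transitive view is what a periodic membership review should be comparing against the business need.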
9 General Policy and Procedures
[This space intentionally left blank]
9.1 Start and Stop DB2 Instance (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
The DB2 instance manages the database environment and sets the configuration parameters. It is recommended that only administrators are allowed to start and stop the DB2 instance.
Rationale:
Only privileged users should have access to start and stop the DB2 instance. This will ensure that the DB2 instance is controlled by authorized administrators.
Audit:
On Windows:
1. Go to Start, then to the Run option.
2. Type in services.msc in the command prompt.
3. Locate the DB2 service and identify the users/groups that can start and stop the service.
On Linux:
1. Identify the name of the local DB2 admin group.
2. Identify the members of that group.
3. Identify the members that have access to stop and start the DB2 instance.
Remediation:
Revoke access from any unnecessary users.
1. Connect to the host.
2. Review users and groups that have access to start and stop the DB2 instance.
3. Remove start and stop privileges from all users and groups that should not have them.
9.2 Remove Unused Schemas (Not Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
A schema is a logical grouping of database objects. It is recommended that unused schemas be removed from the database.
Rationale:
Unused schemas can be left unmonitored and may be subjected to abuse and therefore should be removed.
Audit:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select schemaname from syscat.schemata
3. Review the list of schemas.
Remediation:
Remove unnecessary schemas.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => drop schema <schema name> restrict
3. Review unused schemas and remove if necessary.
9.3 Review System Tablespaces (Scored)
Profile Applicability:
• Level 1 - RDBMS
Description:
System tablespaces store all system object data within that database. It is recommended that system tablespaces are used to store system data only and not user data.
Rationale:
Users should not have privileges to create user data objects within the system tablespaces. User data objects created within the system tablespaces should be removed.
Audit:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => select tabschema,tabname,tbspace from syscat.tables where tabschema not in ('ADMINISTRATOR','SYSIBM','SYSTOOLS') and tbspace in ('SYSCATSPACE','SYSTOOLSPACE','SYSTOOLSTMPSPACE','TEMPSPACE')
3. Review the list of system tablespaces. If the output is BLANK, that is considered a successful finding.
Remediation:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Review the system tablespaces to identify any user data objects within them.
3. Drop, migrate, or otherwise remove all user data objects (tables, schemas, etc.) from within the system tablespaces.
4. Revoke write access for the system tablespaces from all users.
9.4 Remove Default Databases (Scored)
Profile Applicability:
• Level 1 - RDBMS
• Level 2 - RDBMS
Description:
A DB2 instance may come installed with default databases. It is recommended that the SAMPLE database be removed.
Rationale:
Removing unused, well-known databases will reduce the attack surface of the system.
Audit:
Perform the following DB2 commands to obtain the list of databases:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window:
db2 => list database directory
3. Locate this value in the output:
Database 3 entry:
 Database alias                       = SAMPLE
 Database name                        = SAMPLE
 Local database directory             = C:
 Database release level               = c.00
 Comment                              =
 Directory entry type                 = Indirect
 Catalog database partition number    = 0
 Alternate server hostname            =
4. Review the output above and identify the SAMPLE database. If there is no SAMPLE database, then it is considered a successful finding.
Remediation:
Drop unused sample databases:
1. Connect to the DB2 instance.
2. Run the following command from the DB2 command window:
db2 => drop database sample
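Reading the `list database directory` output by eye works for one instance; across many it is easier to parse it. The parser below is an added example, not part of the CIS benchmark or of DB2: SAMPLE_OUTPUT is a constructed listing in the layout the audit step shows (two entries, PRODDB and SAMPLE, with invented paths), and the functions return the entries and the aliases that match a well-known default database name so that the result can be acted on or asserted in a script.

```python
"""Parser for `db2 list database directory` output (added example; the
listing below is constructed, not captured from a real instance)."""
import re

SAMPLE_OUTPUT = """\
 System Database Directory

 Number of entries in the directory = 2

Database 1 entry:

 Database alias                       = PRODDB
 Database name                        = PRODDB
 Local database directory             = /home/db2inst1
 Database release level               = c.00
 Comment                              =
 Directory entry type                 = Indirect
 Catalog database partition number    = 0
 Alternate server hostname            =

Database 2 entry:

 Database alias                       = SAMPLE
 Database name                        = SAMPLE
 Local database directory             = /home/db2inst1
 Database release level               = c.00
 Comment                              =
 Directory entry type                 = Indirect
 Catalog database partition number    = 0
 Alternate server hostname            =
"""

# Each entry starts with a "Database N entry:" line; the lines that follow are
# "label = value" pairs until the next entry header.
ENTRY_RE = re.compile(r"^\s*Database\s+\d+\s+entry:\s*$")

# Well-known databases the benchmark wants removed (9.4 names SAMPLE).
DEFAULT_DATABASES = {"SAMPLE"}


def parse_database_directory(text):
    """Return one dict per directory entry, keyed by the labels the CLP prints."""
    entries = []
    current = None
    for line in text.splitlines():
        if ENTRY_RE.match(line):
            current = {}
            entries.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return entries


def default_databases_present(text, names=DEFAULT_DATABASES):
    """Aliases of entries whose database name is a well-known default.
    Names are compared case-insensitively as a precaution; DB2 stores them in
    upper case, so the listing is normally upper case already."""
    wanted = {n.upper() for n in names}
    return [e["Database alias"] for e in parse_database_directory(text)
            if e.get("Database name", "").upper() in wanted]


if __name__ == "__main__":
    for alias in default_databases_present(SAMPLE_OUTPUT):
        print(f"default database present: {alias} (remediation: db2 drop database {alias})")
```

The alias rather than the database name is what `drop database` takes, which is why the function returns aliases; when a default database was catalogued under a different alias, the name check still finds it.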
9.5 Enable SSL communication with LDAP server (Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
The communication layer between a DB2 instance and the LDAP server should be encrypted. It is recommended that the ENABLE_SSL parameter in the IBMLDAPSecurity.ini file be set to TRUE.
Rationale:
Enabling SSL will help ensure the confidentiality of authentication credentials and other information that is sent between the DB2 instance and the LDAP server.
Note: The file is located under INSTANCE_HOME/sqllib/cfg/, for Linux; and %DB2PATH%\cfg\, for Windows.
Audit:
Perform the following commands to obtain the parameter setting:
1. Connect to the DB2 host.
2. Edit the IBMLDAPSecurity.ini file.
3. Verify the existence of this parameter:
ENABLE_SSL = TRUE
Remediation:
Verify the parameter:
1. Connect to the DB2 host.
2. Edit the IBMLDAPSecurity.ini file.
3. Add or modify the file to include the following parameter:
ENABLE_SSL = TRUE
Default Value:
The default value is the omission of this parameter.
9.6 Secure the permission of the IBMLDAPSecurity.ini file (Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
The IBMLDAPSecurity.ini file contains the IBM LDAP security plug-in configurations.
Rationale:
Recommended value is read and write access to DB2 administrators only and read-only to Everyone/Other/Users/Domain Users. This will ensure that the parameter file is protected.
Note: the file is located under INSTANCE_HOME/sqllib/cfg/, for Linux; and %DB2PATH%\cfg\, for Windows.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
For Windows:
1. Connect to the DB2 host.
2. Right-click over the file directory.
3. Choose Properties.
4. Select the Security tab.
5. Review access for all accounts.
For Linux:
1. Connect to the DB2 host.
2. Change to the file directory.
3. Check the permissions of the directory:
OS => ls -al
Remediation:
For Windows:
1. Connect to the DB2 host.
2. Right-click over the file directory.
3. Choose Properties.
4. Select the Security tab.
5. Select all administrator accounts and grant them Read and Write authority only (revoke all others).
6. Select all non-administrator accounts and grant them Read authority only (revoke all others).
For Linux:
1. Connect to the DB2 host.
2. Change to the file directory.
3. Change the permission level of the directory:
OS => chmod -R 664
9.7 Secure the permission of the SSLconfig.ini file (Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 1 - Linux Host OS
Description:
The SSLconfig.ini file contains the SSL configuration parameters for the DB2 instance, including the password for the KeyStore.
Rationale:
Recommended value is full access to DB2 administrators only, read and write access only to members of the SYSADM group, and no access to other users. This will ensure that the parameter file is protected.
Note: the file is located under INSTANCE_HOME/sqllib/cfg/, for Linux; and %INSTHOME%\, for Windows.
Audit:
Perform the following DB2 commands to obtain the value for this setting:
For Windows:
1. Connect to the DB2 host.
2. Right-click over the file directory.
3. Choose Properties.
4. Select the Security tab.
5. Review access for all accounts.
For Linux:
1. Connect to the DB2 host.
2. Change to the file directory.
3. Check the permissions of the directory:
OS => ls -al
Remediation:
For Windows:
1. Connect to the DB2 host.
2. Right-click over the file directory.
3. Choose Properties.
4. Select the Security tab.
5. Select all administrator accounts and grant them the Full Control authority.
6. Select the SYSADM group and grant it Read and Write authority only (revoke all others).
7. Select all other accounts and revoke all privileges to the directory.
For Unix:
1. Connect to the DB2 host.
2. Change to the file directory.
3. Change the permission level of the directory:
OS => chmod -R 760
9.8 Ensure Trusted Contexts are enabled (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 2 - Windows Host OS
• Level 1 - Linux Host OS
• Level 2 - Linux Host OS
Description:
A Trusted Context object provides a means of enforcing encryption, assigning privileges based on roles, and ensuring that the actions performed on behalf of a user are performed in the context of the user's ID and privileges.
Rationale:
Creating Trusted Context objects to enforce encryption and assign roles will protect data in transit and limit access to information on a per user/role basis. Additionally, it ensures actions can be traced back to the user.
Audit:
Issue the following command to verify that a Trusted Context object is enabled:
select contextname, enabled from syscat.contexts where enabled = 'Y'
Remediation:
If there is no enabled Trusted Context object, create a Trusted Context object if needed and enable it.
References:
1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0050514.html
9.9 Secure plug-in library locations (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 2 - Windows Host OS
• Level 1 - Linux Host OS
• Level 2 - Linux Host OS
Description:
Whether developing your own security plug-ins or migrating established plug-ins into your environment, it is important to ensure that the plug-in directories are secure.
Rationale:
If plug-in directories are not secure, the plug-ins could be misused, tampered with, or otherwise accessed in ways that could jeopardize the security of the server.
Audit:
Linux 32-bit:
Review the privileges assigned to the plug-in directories to ensure they are set to 755.
• For client-side plug-ins: $DB2PATH/security32/plugin/client
• For server-side plug-ins: $DB2PATH/security32/plugin/server
• For group plug-ins: $DB2PATH/security32/plugin/group
Linux 64-bit:
Review the privileges assigned to the plug-in directories to ensure they are set to 755.
• For client-side plug-ins: $DB2PATH/security64/plugin/client
• For server-side plug-ins: $DB2PATH/security64/plugin/server
• For group plug-ins: $DB2PATH/security64/plugin/group
Windows 32-bit and 64-bit:
Review the privileges assigned to the plug-in directories to ensure they are set to 755. Note: The sub-directories 'instance name' and 'client', 'server', and 'group' are not created automatically. The instance owner has to manually create them.
• For client-side plug-ins: $DB2PATH\security\plugin\instancename\client
• For server-side plug-ins: $DB2PATH\security\plugin\instancename\server
• For group plug-ins: $DB2PATH\security\plugin\instancename\group
Remediation:
Change the privileges for all plug-in directories so they are set to 755.
On a Linux system, perform the following for each directory needing its privileges changed:
[db2inst1@tgt-db2-101-abc123 IBM]$ chmod 755 <directory>
9.10 Ensure that security plug-in support for two-part user IDs is enabled (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 2 - Windows Host OS
• Level 1 - Linux Host OS
• Level 2 - Linux Host OS
Description:
The DB2 database manager on Windows supports the use of two-part user IDs and the mapping of two-part user IDs to two-part authorization IDs.
Rationale:
Having a two-part authorization scheme increases the security of user IDs by making them harder to compromise.
Audit:
Issue the following command and confirm that the clnt_pw_plugin, srvcon_gssplugin_list, and srvcon_pw_plugin parameters are all set to 'DISABLED'. The query evaluates each configuration row on its own, so a parameter reports ENABLED only when its own value is one of the two-part plug-ins:
db2 => select name, value, case when (name = 'srvcon_pw_plugin' and value in ('IBMOSauthserverTwoPart','IBMOSauthserverTwoPart64')) or (name = 'clnt_pw_plugin' and value in ('IBMOSauthclientTwoPart','IBMOSauthclientTwoPart64')) or (name = 'srvcon_gssplugin_list' and value in ('IBMOSkrb5TwoPart','IBMOSkrb5TwoPart64')) or (name = 'clnt_krb_plugin' and value in ('IBMkrb5TwoPart','IBMkrb5TwoPart64')) then 'ENABLED' else 'DISABLED' end as status from sysibmadm.dbmcfg where name in ('srvcon_pw_plugin', 'clnt_pw_plugin', 'srvcon_gssplugin_list', 'clnt_krb_plugin')
Remediation:
To enable server authentication that maps two-part user IDs to two-part authorization IDs, you must set:
• srvcon_pw_plugin to IBMOSauthserverTwoPart
• clnt_pw_plugin to IBMOSauthclientTwoPart
To enable client authentication that maps two-part user IDs to two-part authorization IDs, you must set:
• srvcon_pw_plugin to IBMOSauthserverTwoPart
• clnt_pw_plugin to IBMOSauthclientTwoPart
To enable Kerberos authentication that maps two-part user IDs to two-part authorization IDs, you must set:
• srvcon_gssplugin_list to IBMOSkrb5TwoPart
• clnt_krb_plugin to IBMkrb5TwoPart
For example:
db2 => update dbm cfg using srvcon_pw_plugin IBMOSauthserverTwoPart
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0012039.html
9.11 Ensure permissions on communication exit library locations (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 2 - Windows Host OS
• Level 1 - Linux Host OS
• Level 2 - Linux Host OS
Description:
DB2 communication exit libraries must exist in specific directories. There should be proper permissions on these directories.
Rationale:
If the permissions on the DB2 communication exit library directories are not set properly, the contents of those directories could be misused, tampered with, or otherwise accessed to negatively impact the security of the server.
Audit:
Linux 64-bit:
Issue the following command to check the permissions for the communication exit library:
[db2inst1@tgt-db2-101-abcd plugin]$ ll /opt/ibm/db2/V10.5/security64/plugin
total 12
drwxr-x--- 2 db2iadm1 db2inst1 4096 Aug 17 2013 commexit
Remediation:
The database manager looks for communication exit libraries in the following directories:
• Linux 32-bit: $DB2PATH/security32/plugin/commexit
• Linux 64-bit: $DB2PATH/security64/plugin/commexit
• Windows 32-bit and 64-bit: $DB2PATH\security\plugin\commexit\instance_name
After locating the directory, update its permissions. The following is an example for a Linux 64-bit system:
[db2inst1@tgt-db2-101-abcd plugin]$ pwd
/opt/ibm/db2/V10.5/security64/plugin
[db2inst1@tgt-db2-101-abcd IBM]$ chmod -R 750 commexit
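Recommendations 9.5, 9.6, 9.7, 9.9 and 9.11 all come down to "this file or directory must carry no more than these permission bits" plus, for 9.5, one setting inside IBMLDAPSecurity.ini. The script below, an added example that is not part of the CIS benchmark or of DB2, audits those objects in one pass on a Linux host. To run offline it builds a throwaway directory tree that imitates the relevant parts of the DB2 layout (sqllib/cfg and security64/plugin under an invented root; the file contents are constructed placeholders, and the real SSLconfig.ini is not reproduced); to audit an instance, set EXPECTED to the real INSTANCE_HOME and $DB2PATH locations. The check treats fewer bits than the benchmark's mode as acceptable and any extra bit as a finding, so it does not insist on the exact octal value the remediation commands set.

```python
"""Host-side permission and setting audit for 9.5, 9.6, 9.7, 9.9 and 9.11
(added example; the directory tree it audits is constructed, not a real
DB2 installation)."""
import os
import shutil
import stat
import tempfile

# Expected modes are the octal values the benchmark gives for each object;
# keys are paths relative to the instance/installation root (assumed layout).
EXPECTED = {
    "sqllib/cfg/IBMLDAPSecurity.ini": 0o664,  # 9.6: rw for admins, read for others
    "sqllib/cfg/SSLconfig.ini": 0o760,        # 9.7: no access for other users
    "security64/plugin/client": 0o755,        # 9.9
    "security64/plugin/server": 0o755,
    "security64/plugin/group": 0o755,
    "security64/plugin/commexit": 0o750,      # 9.11
}


def actual_mode(path):
    """Permission bits only (file-type bits stripped), e.g. 0o664."""
    return stat.S_IMODE(os.stat(path).st_mode)


def check_mode(path, expected):
    """None when the mode is acceptable, else a finding. Bits beyond the
    expected mode (world-write in particular) are what the benchmark guards against."""
    mode = actual_mode(path)
    extra = mode & ~expected
    if extra:
        return f"{path}: mode {mode:o} grants bits {extra:o} beyond {expected:o}"
    return None


def enable_ssl_set(ini_path):
    """9.5: True only if an uncommented ENABLE_SSL line is set to TRUE.
    An omitted parameter is the documented default and fails the check."""
    with open(ini_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith((";", "#")) or "=" not in line:
                continue
            key, value = (s.strip() for s in line.split("=", 1))
            if key.upper() == "ENABLE_SSL":
                return value.upper() == "TRUE"
    return False


def audit(root):
    """Run every check under root; an empty list means all checks pass."""
    findings = []
    for rel, expected in EXPECTED.items():
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            findings.append(f"{path}: missing")
            continue
        finding = check_mode(path, expected)
        if finding:
            findings.append(finding)
    ldap_ini = os.path.join(root, "sqllib/cfg/IBMLDAPSecurity.ini")
    if os.path.exists(ldap_ini) and not enable_ssl_set(ldap_ini):
        findings.append(f"{ldap_ini}: ENABLE_SSL is not TRUE")
    return findings


def build_sample_tree(ssl_ini_mode=0o760, enable_ssl="TRUE"):
    """Constructed layout for demonstration; returns the temporary root."""
    root = tempfile.mkdtemp(prefix="db2audit-")
    os.makedirs(os.path.join(root, "sqllib/cfg"))
    for d in ("client", "server", "group", "commexit"):
        os.makedirs(os.path.join(root, "security64/plugin", d))
    with open(os.path.join(root, "sqllib/cfg/IBMLDAPSecurity.ini"), "w", encoding="utf-8") as fh:
        fh.write(f"; constructed sample\nENABLE_SSL = {enable_ssl}\n")
    ssl_ini = os.path.join(root, "sqllib/cfg/SSLconfig.ini")
    with open(ssl_ini, "w", encoding="utf-8") as fh:
        fh.write("; constructed sample (the real file holds the keystore path and password)\n")
    for rel, mode in EXPECTED.items():
        os.chmod(os.path.join(root, rel), mode)
    os.chmod(ssl_ini, ssl_ini_mode)  # deliberately weak when the caller asks for it
    return root


def audit_sample(ssl_ini_mode=0o760, enable_ssl="TRUE"):
    """Build the constructed tree, audit it, remove it; returns the findings."""
    root = build_sample_tree(ssl_ini_mode, enable_ssl)
    try:
        return audit(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("compliant tree:", audit_sample() or "no findings")
    print("weak tree:", audit_sample(ssl_ini_mode=0o644, enable_ssl="FALSE"))
```

Note that the benchmark's `chmod -R 664` for 9.6 strips the execute bit from any directory it recurses into, which makes that directory untraversable; the check above is written against files and directories individually so that a reviewer can apply the file mode to the file and a directory mode to its parent.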
References:
1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0060264.html
9.12 Ensure audit policies are enabled within the database (Not Scored)
Profile Applicability:
• Level 1 - Windows Host OS
• Level 2 - Windows Host OS
• Level 1 - Linux Host OS
• Level 2 - Linux Host OS
Description:
Creating and applying audit policies is crucial for securing and discovering issues within your databases. Audit policies can help trigger events for changes to data objects, table DML, and user access.
Rationale:
If audit policies are not enabled, issues may go undiscovered, and compromises and other incidents may occur without being quickly detected. It may also not be possible to provide evidence of compliance with security laws, regulations, and other requirements.
Audit:
Issue the following command to ensure that at least one audit policy returns an audit status not equal to 'N'. The assumption is that if there is an active policy, then information is being captured to audit.
db2 => select auditpolicyname, auditstatus from syscat.auditpolicies
Remediation:
Issue the following command to create an audit policy:
db2 => create audit policy AUDIT_TEST CATEGORIES ALL STATUS BOTH
References:
1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050607.html
Appendix: Summary Table
Control | Set Correctly: Yes | No
1 Installation and Patches
1.1 Install the latest fix packs (Not Scored) o o
1.2 Use IP address rather than hostname (Scored) o o
1.3 Leverage the least privilege principle (Not Scored) o o
1.4 Use non-default account names (Scored) o o
1.5 Configure DB2 to use non-standard ports (Not Scored) o o
1.6 Creating the database with the RESTRICTIVE clause (Not Scored) o o
2 DB2 Directory and File Permissions
2.1 Secure DB2 Runtime Library (Scored) o o
2.2 Secure the database container directory (Scored) o o
2.3 Set umask value for DB2 admin user .profile file (Scored) o o
2.4 Verify the groups within the DB2_GRP_LOOKUP environment variable are appropriate (Windows only) (Not Scored) o o
2.5 Verify the domains within the DB2DOMAINLIST environment variable are appropriate (Windows only) (Not Scored) o o
3 DB2 Configurations
3.1 DB2 Instance Parameter Settings
3.1.1 Enable audit buffer (Scored) o o
3.1.2 Encrypt user data across the network (Scored) o o
3.1.3 Require explicit authorization for cataloging (Scored) o o
3.1.4 Disable data links support (Scored) o o
3.1.5 Secure permissions for default database file path (Scored) o o
3.1.6 Set diagnostic logging to capture errors and warnings (Scored) o o
3.1.7 Secure permissions for all diagnostic logs (Scored) o o
3.1.8 Require instance name for discovery requests (Scored) o o
3.1.9 Disable instance discoverability (Scored) o o
3.1.10 Authenticate federated users at the instance level (Scored) o o
3.1.11 Set maximum connection limits (Scored) o o
3.1.12 Set administrative notification level (Scored) o o
3.1.13 Enable server-based authentication (Scored) o o
3.1.14 Set failed archive retry delay (Scored) o o
3.1.15 Auto-restart after abnormal termination (Scored) o o
3.1.16 Disable database discovery (Scored) o o
3.1.17 Secure permissions for the primary archive log location (Scored) o o
3.1.18 Secure permissions for the secondary archive log location (Scored) o o
3.1.19 Secure permissions for the tertiary archive log location (Scored) o o
3.1.20 Secure permissions for the log mirror location (Scored) o o
3.1.21 Establish retention set size for backups (Scored) o o
3.1.22 Set archive log failover retry limit (Scored) o o
3.2 Database Manager Configuration parameters
3.2.1 TCP/IP service name - svcename (Scored) o o
3.2.2 SSL service name - ssl_svcename (Scored) o o
3.2.3 Authentication type for incoming connections at the server - srvcon_auth (Scored) o o
3.2.4 Database Manager Configuration parameter: trust_allclnts (Not Scored) o o
3.2.5 Database Manager Configuration parameter: trust_clntauth (Not Scored) o o
4 Row and Column Access Control (RCAC)
4.1 Review Organization's Policies against DB2 RCAC Policies (Not Scored) o o
4.2 Secure SECADM Authority (Not Scored) o o
4.3 Review Users, Groups, and Roles (Not Scored) o o
4.4 Review Row Permission logic according to policy (Not Scored) o o
4.5 Review Column Mask logic according to policy (Not Scored) o o
5 Database Maintenance
5.1 Enable Backup Redundancy (Not Scored) o o
5.2 Protecting Backups (Not Scored) o o
5.3 Enable Automatic Database Maintenance (Scored) o o
6 Securing Database Objects
6.1 Restrict Access to SYSCAT.AUDITPOLICIES (Scored) o o
6.2 Restrict Access to SYSCAT.AUDITUSE (Scored) o o
6.3 Restrict Access to SYSCAT.DBAUTH (Scored) o o
6.4 Restrict Access to SYSCAT.COLAUTH (Scored) o o
6.5 Restrict Access to SYSCAT.EVENTS (Scored) o o
6.6 Restrict Access to SYSCAT.EVENTTABLES (Scored) o o
6.7 Restrict Access to SYSCAT.ROUTINES (Scored) o o
6.8 Restrict Access to SYSCAT.INDEXAUTH (Scored) o o
6.9 Restrict Access to SYSCAT.PACKAGEAUTH (Scored) o o
6.10 Restrict Access to SYSCAT.PACKAGES (Scored) o o
6.11 Restrict Access to SYSCAT.PASSTHRUAUTH (Scored) o o
6.12 Restrict Access to SYSCAT.SECURITYPOLICIES (Scored) o o
6.13 Restrict Access to SYSCAT.SECURITYPOLICYEXEMPTIONS (Scored) o o
6.14 Restrict Access to SYSCAT.SURROGATEAUTHIDS (Scored) o o
6.15 Restrict Access to SYSCAT.ROLEAUTH (Scored) o o
6.16 Restrict Access to SYSCAT.ROLES (Scored) o o
6.17 Restrict Access to SYSCAT.ROUTINEAUTH (Scored) o o
6.18 Restrict Access to SYSCAT.SCHEMAAUTH (Scored) o o
6.19 Restrict Access to SYSCAT.SCHEMATA (Scored) o o
6.20 Restrict Access to SYSCAT.SEQUENCEAUTH (Scored) o o
6.21 Restrict Access to SYSCAT.STATEMENTS (Scored) o o
6.22 Restrict Access to SYSCAT.TABAUTH (Scored) o o
6.23 Restrict Access to SYSCAT.TBSPACEAUTH (Scored) o o
6.24 Restrict Access to Tablespaces (Scored) o o
6.25 Restrict Access to SYSCAT.MODULEAUTH (Scored) o o
6.26 Restrict Access to SYSCAT.VARIABLEAUTH (Scored) o o
6.27 Restrict Access to SYSCAT.WORKLOADAUTH (Scored) o o
6.28 Restrict Access to SYSCAT.XSROBJECTAUTH (Scored) o o
6.29 Restrict Access to SYSCAT.AUTHORIZATIONIDS (Scored) o o
6.30 Restrict Access to SYSIBMADM.OBJECTOWNERS (Scored) o o
6.31 Restrict Access to SYSIBMADM.PRIVILEGES (Scored) o o
7 DB2 Authorities
7.1 Secure SYSADM authority (Scored) o o
7.2 Secure SYSCTRL authority (Scored) o o
7.3 Secure SYSMAINT Authority (Scored) o o
7.4 Secure SYSMON Authority (Scored) o o
7.5 Secure SECADM Authority (Scored) o o
7.6 Secure DBADM Authority (Scored) o o
7.7 Secure SQLADM Authority (Scored) o o
7.8 Secure DATAACCESS Authority (Scored) o o
7.9 Secure ACCESSCTRL Authority (Scored) o o
7.10 Secure WLMADM authority (Scored) o o
7.11 Secure CREATAB Authority (Scored) o o
7.12 Secure BINDADD Authority (Scored) o o
7.13 Secure CONNECT Authority (Scored) o o
7.14 Secure LOAD Authority (Scored) o o
7.15 Secure EXTERNALROUTINE Authority (Scored) o o
7.16 Secure QUIESCECONNECT Authority (Scored) o o
8 DB2 Roles
8.1 Review Roles (Scored) o o
8.2 Review Role Members (Scored) o o
8.3 Nested Roles (Scored) o o
8.4 Review Roles granted to PUBLIC (Scored) o o
8.5 Review Role Grantees with WITH ADMIN OPTION (Scored) o o
9 General Policy and Procedures
9.1 Start and Stop DB2 Instance (Not Scored) o o
9.2 Remove Unused Schemas (Not Scored) o o
9.3 Review System Tablespaces (Scored) o o
9.4 Remove Default Databases (Scored) o o
9.5 Enable SSL communication with LDAP server (Scored) o o
9.6 Secure the permission of the IBMLDAPSecurity.ini file (Scored) o o
9.7 Secure the permission of the SSLconfig.ini file (Scored) o o
9.8 Ensure Trusted Contexts are enabled (Not Scored) o o
9.9 Secure plug-in library locations (Not Scored) o o
9.10 Ensure that security plug-in support for two-part user IDs is enabled (Not Scored) o o
9.11 Ensure permissions on communication exit library locations (Not Scored) o o
9.12 Ensure audit policies are enabled within the database (Not Scored) o o
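The section 6 items above each ask that SELECT on one catalog or administrative view be taken away from PUBLIC (DB2 grants it to PUBLIC by default unless the database was created with the RESTRICTIVE option mentioned in the change history). The following is an added example, not text or audit procedure from the benchmark itself, that checks all of the views named in items 6.1 through 6.31 in one query against SYSCAT.TABAUTH and shows the matching REVOKE. It assumes a DB2 10.x database and a session that can read SYSCAT.TABAUTH; the CTE name restricted_views is a label chosen here, and the view list is copied from the items above (6.24, which concerns tablespaces rather than a view, is not part of it).

```sql
-- Added example, not part of the CIS benchmark text.
-- Lists every catalog/administrative view from items 6.1-6.31 that
-- PUBLIC can still SELECT from, using SYSCAT.TABAUTH as the source of truth.
-- SELECTAUTH is 'N' (none), 'Y' (granted) or 'G' (granted WITH GRANT OPTION).
WITH restricted_views (tabschema, tabname) AS (
  VALUES
    ('SYSCAT', 'AUDITPOLICIES'),    ('SYSCAT', 'AUDITUSE'),
    ('SYSCAT', 'DBAUTH'),           ('SYSCAT', 'COLAUTH'),
    ('SYSCAT', 'EVENTS'),           ('SYSCAT', 'EVENTTABLES'),
    ('SYSCAT', 'ROUTINES'),         ('SYSCAT', 'INDEXAUTH'),
    ('SYSCAT', 'PACKAGEAUTH'),      ('SYSCAT', 'PACKAGES'),
    ('SYSCAT', 'PASSTHRUAUTH'),     ('SYSCAT', 'SECURITYPOLICIES'),
    ('SYSCAT', 'SECURITYPOLICYEXEMPTIONS'),
    ('SYSCAT', 'SURROGATEAUTHIDS'), ('SYSCAT', 'ROLEAUTH'),
    ('SYSCAT', 'ROLES'),            ('SYSCAT', 'ROUTINEAUTH'),
    ('SYSCAT', 'SCHEMAAUTH'),       ('SYSCAT', 'SCHEMATA'),
    ('SYSCAT', 'SEQUENCEAUTH'),     ('SYSCAT', 'STATEMENTS'),
    ('SYSCAT', 'TABAUTH'),          ('SYSCAT', 'TBSPACEAUTH'),
    ('SYSCAT', 'MODULEAUTH'),       ('SYSCAT', 'VARIABLEAUTH'),
    ('SYSCAT', 'WORKLOADAUTH'),     ('SYSCAT', 'XSROBJECTAUTH'),
    ('SYSCAT', 'AUTHORIZATIONIDS'),
    ('SYSIBMADM', 'OBJECTOWNERS'),  ('SYSIBMADM', 'PRIVILEGES')
)
SELECT r.tabschema,
       r.tabname,
       a.grantee,
       a.granteetype,
       a.selectauth
FROM restricted_views r
JOIN SYSCAT.TABAUTH a
  ON a.tabschema = r.tabschema
 AND a.tabname   = r.tabname
WHERE a.grantee = 'PUBLIC'
  AND a.selectauth IN ('Y', 'G')
ORDER BY r.tabschema, r.tabname;

-- Remediation, one statement per row the query returned (shown for 6.3):
REVOKE SELECT ON SYSCAT.DBAUTH FROM PUBLIC;
```

An empty result set means every listed view already satisfies its section 6 item. Run the query again after the REVOKEs, and note that it only covers grants made directly to PUBLIC; a grant to a role that is itself granted to PUBLIC (item 8.4) has the same effect and must be checked through SYSCAT.ROLEAUTH.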
Appendix: Change History

Date        Version  Changes for this version
12-19-2015  1.0.0    Initial Release
08-05-2016  1.1.0    Ticket #144: Added a recommendation for DB2 to use non-standard ports.
08-10-2016  1.1.0    Ticket #141: Added a recommendation for Trusted Contexts.
08-10-2016  1.1.0    Ticket #148: Added a recommendation for the trust_allclnts parameter.
08-10-2016  1.1.0    Ticket #152: Added a recommendation for secure plug-in library locations.
08-10-2016  1.1.0    Ticket #155: Added a recommendation for security plug-in support of two-part user IDs.
08-10-2016  1.1.0    Ticket #156: Added a recommendation for the communication exit library location.
08-10-2016  1.1.0    Ticket #157: Added a recommendation for enabling audit policies.
08-10-2016  1.1.0    Ticket #159: Added a recommendation for the DB2_GRP_LOOKUP environment variable.
08-10-2016  1.1.0    Ticket #160: Added a recommendation for the DB2DOMAINLIST environment variable.
08-17-2016  1.1.0    Ticket #146: Added a recommendation for the RESTRICTIVE parameter.