cis ibm db2 10 benchmark v1.1.0 - itsecure€¦ · this document, security configuration benchmark...
TRANSCRIPT
CISIBMDB210Benchmark
v1.1.0-08-31-2016
1|P a g e
ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.0InternationalPublicLicense.Thelinktothelicensetermscanbefoundathttps://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.
TofurtherclarifytheCreativeCommonslicenserelatedtoCISBenchmarkcontent,youareauthorizedtocopyandredistributethecontentforusebyyou,withinyourorganizationandoutsideyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuildupontheCISBenchmark(s),youmayonlydistributethemodifiedmaterialsiftheyaresubjecttothesamelicensetermsastheoriginalBenchmarklicenseandyourderivativewillnolongerbeaCISBenchmark.CommercialuseofCISBenchmarksissubjecttothepriorapprovaloftheCenterforInternetSecurity.
2|P a g e
TableofContents
Overview......................................................................................................................................................................7
IntendedAudience..............................................................................................................................................7
ConsensusGuidance...........................................................................................................................................7
TypographicalConventions............................................................................................................................8
ScoringInformation............................................................................................................................................8
ProfileDefinitions................................................................................................................................................9
Acknowledgements..........................................................................................................................................11
Recommendations.................................................................................................................................................12
1InstallationandPatches.............................................................................................................................12
1.1Installthelatestfixpacks(NotScored).................................................................................12
1.2UseIPaddressratherthanhostname(Scored).................................................................13
1.3Leveragetheleastprivilegeprinciple(NotScored).........................................................15
1.4Usenon-defaultaccountnames(Scored).............................................................................16
1.5ConfigureDB2tousenon-standardports(NotScored)................................................17
1.6CreatingthedatabasewiththeRESTERICTIVEclause(NotScored)........................19
2DB2DirectoryandFilePermissions.....................................................................................................22
2.1SecureDB2RuntimeLibrary(Scored)...................................................................................22
2.2Securethedatabasecontainerdirectory(Scored)...........................................................24
2.3SetumaskvalueforDB2adminuser.profilefile(Scored)............................................25
2.4VerifythegroupswithintheDB2_GRP_LOOKUPenvironmentvariableareappropriate(Windowsonly)(NotScored)..................................................................................26
2.5VerifythedomainswithintheDB2DOMAINLISTenvironmentvariableareappropriate(Windowsonly)(NotScored)..................................................................................27
3DB2Configurations......................................................................................................................................28
3.1.1Enableauditbuffer(Scored)...................................................................................................28
3.1.2Encryptuserdataacrossthenetwork(Scored).............................................................30
3.1.3Requireexplicitauthorizationforcataloging(Scored)...............................................32
3.1.4Disabledatalinkssupport(Scored).....................................................................................34
3.1.5Securepermissionsfordefaultdatabasefilepath(Scored).....................................36
3.1.6Setdiagnosticloggingtocaptureerrorsandwarnings(Scored)...........................39
3|P a g e
3.1.7Securepermissionsforalldiagnosticlogs(Scored).....................................................41
3.1.8Requireinstancenamefordiscoveryrequests(Scored)............................................43
3.1.9Disableinstancediscoverability(Scored).........................................................................45
3.1.10Authenticatefederatedusersattheinstancelevel(Scored).................................46
3.1.11Setmaximumconnectionlimits(Scored)......................................................................48
3.1.12Setadministrativenotificationlevel(Scored)..............................................................51
3.1.13Enableserver-basedauthentication(Scored)..............................................................53
3.1.14Setfailedarchiveretrydelay(Scored)............................................................................55
3.1.15Auto-restartafterabnormaltermination(Scored)....................................................57
3.1.16Disabledatabasediscovery(Scored)................................................................................58
3.1.17Securepermissionsfortheprimaryarchiveloglocation(Scored).....................60
3.1.18Securepermissionsforthesecondaryarchiveloglocation(Scored)................62
3.1.19Securepermissionsforthetertiaryarchiveloglocation(Scored)......................64
3.1.20Securepermissionsforthelogmirrorlocation(Scored)........................................66
3.1.21Establishretentionsetsizeforbackups(Scored).......................................................68
3.1.22Setarchivelogfailoverretrylimit(Scored)..................................................................70
3.2DatabaseManagerConfigurationparameters.........................................................................72
3.2.1TCP/IPservicename-svcename(Scored).......................................................................72
3.2.2SSLservicename-ssl_svcename(Scored).......................................................................73
3.2.3Authenticationtypeforincomingconnectionsattheserver-srvcon_auth(Scored).......................................................................................................................................................74
3.2.4DatabaseManagerConfigurationparameter:trust_allclnts(NotScored).........75
3.2.5DatabaseManagerConfigurationparameter:trust_clntauth(NotScored).......77
4RowandColumnAccessControl(RCAC)...........................................................................................79
4.1ReviewOrganization'sPoliciesagainstDB2RCACPolicies(NotScored)..............79
4.2SecureSECADMAuthority(NotScored)...............................................................................81
4.3ReviewUsers,Groups,andRoles(NotScored)..................................................................82
4.4ReviewRowPermissionlogicaccordingtopolicy(NotScored)................................85
4.5ReviewColumnMasklogicaccordingtopolicy(NotScored)......................................86
5DatabaseMaintenance................................................................................................................................87
5.1EnableBackupRedundancy(NotScored)............................................................................87
4|P a g e
5.2ProtectingBackups(NotScored).............................................................................................88
5.3EnableAutomaticDatabaseMaintenance(Scored).........................................................89
6SecuringDatabaseObjects........................................................................................................................91
6.1RestrictAccesstoSYSCAT.AUDITPOLICIES(Scored)......................................................91
6.2RestrictAccesstoSYSCAT.AUDITUSE(Scored).................................................................93
6.3RestrictAccesstoSYSCAT.DBAUTH(Scored).....................................................................94
6.4RestrictAccesstoSYSCAT.COLAUTH(Scored)..................................................................96
6.5RestrictAccesstoSYSCAT.EVENTS(Scored)......................................................................98
6.6RestrictAccesstoSYSCAT.EVENTTABLES(Scored).....................................................100
6.7RestrictAccesstoSYSCAT.ROUTINES(Scored)..............................................................102
6.8RestrictAccesstoSYSCAT.INDEXAUTH(Scored)..........................................................103
6.9RestrictAccesstoSYSCAT.PACKAGEAUTH(Scored)...................................................105
6.10RestrictAccesstoSYSCAT.PACKAGES(Scored)...........................................................106
6.11RestrictAccesstoSYSCAT.PASSTHRUAUTH(Scored)..............................................107
6.12RestrictAccesstoSYSCAT.SECURITYPOLICIES(Scored).........................................109
6.13RestrictAccesstoSYSCAT.SECURITYPOLICYEXEMPTIONS(Scored)................111
6.14RestrictAccesstoSYSCAT.SURROGATEAUTHIDS(Scored)...................................113
6.15RestrictAccesstoSYSCAT.ROLEAUTH(Scored)..........................................................115
6.16RestrictAccesstoSYSCAT.ROLES(Scored)....................................................................117
6.17RestrictAccesstoSYSCAT.ROUTINEAUTH(Scored).................................................119
6.18RestrictAccesstoSYSCAT.SCHEMAAUTH(Scored)...................................................121
6.19RestrictAccesstoSYSCAT.SCHEMATA(Scored).........................................................122
6.20RestrictAccesstoSYSCAT.SEQUENCEAUTH(Scored)..............................................124
6.21RestrictAccesstoSYSCAT.STATEMENTS(Scored)....................................................126
6.22RestrictAccesstoSYSCAT.TABAUTH(Scored)............................................................128
6.23RestrictAccesstoSYSCAT.TBSPACEAUTH(Scored)..................................................130
6.24RestrictAccesstoTablespaces(Scored).........................................................................132
6.25RestrictAccesstoSYSCAT.MODULEAUTH(Scored)..................................................134
6.26RestrictAccesstoSYSCAT.VARIABLEAUTH(Scored)...............................................136
6.27RestrictAccesstoSYSCAT.WORKLOADAUTH(Scored)...........................................138
5|P a g e
6.28RestrictAccesstoSYSCAT.XSROBJECTAUTH(Scored).............................................140
6.29RestrictAccesstoSYSCAT.AUTHORIZATIONIDS(Scored)......................................142
6.30RestrictAccesstoSYSIBMADM.OBJECTOWNERS(Scored)....................................144
6.31RestrictAccesstoSYSIBMADM.PRIVILEGES(Scored)..............................................146
7DB2Authorities..........................................................................................................................................148
7.1SecureSYSADMauthority(Scored)......................................................................................148
7.2SecureSYSCTRLauthority(Scored).....................................................................................150
7.3SecureSYSMAINTAuthority(Scored).................................................................................152
7.4SecureSYSMONAuthority(Scored).....................................................................................154
7.5SecureSECADMAuthority(Scored).....................................................................................156
7.6SecureDBADMAuthority(Scored).......................................................................................158
7.7SecureSQLADMAuthority(Scored).....................................................................................160
7.8SecureDATAACCESSAuthority(Scored)...........................................................................161
7.9SecureACCESSCTRLAuthority(Scored)............................................................................162
7.10SecureWLMADMauthority(Scored)................................................................................163
7.11SecureCREATABAuthority(Scored)................................................................................164
7.12SecureBINDADDAuthority(Scored)................................................................................166
7.13SecureCONNECTAuthority(Scored)...............................................................................168
7.14SecureLOADAuthority(Scored)........................................................................................170
7.15SecureEXTERNALROUTINEAuthority(Scored).........................................................172
7.16SecureQUIESCECONNECTAuthority(Scored).............................................................174
8DB2Roles......................................................................................................................................................176
8.1ReviewRoles(Scored)...............................................................................................................176
8.2ReviewRoleMembers(Scored).............................................................................................178
8.3NestedRoles(Scored)................................................................................................................180
8.4ReviewRolesgrantedtoPUBLIC(Scored)........................................................................181
8.5ReviewRoleGranteeswithWITHADMINOPTION(Scored)....................................183
9GeneralPolicyandProcedures............................................................................................................184
9.1StartandStopDB2Instance(NotScored).........................................................................184
9.2RemoveUnusedSchemas(NotScored)..............................................................................186
6|P a g e
9.3ReviewSystemTablespaces(Scored).................................................................................187
9.4RemoveDefaultDatabases(Scored)....................................................................................188
9.5EnableSSLcommunicationwithLDAPserver(Scored).............................................190
9.6SecurethepermissionoftheIBMLDAPSecurity.inifile(Scored)............................191
9.7SecurethepermissionoftheSSLconfig.inifile(Scored).............................................193
9.8EnsureTrustedContextsareenabled(NotScored)......................................................195
9.9Secureplug-inlibrarylocations(NotScored)..................................................................196
9.10Ensurethatsecurityplug-insupportfortwo-partuserIDsisenabled(NotScored)......................................................................................................................................................198
9.11Ensurepermissionsoncommunicationexitlibrarylocations(NotScored)...200
9.12Ensureauditpoliciesareenabledwithinthedatabase(NotScored).................202
Appendix:SummaryTable.............................................................................................................................203
Appendix:ChangeHistory..............................................................................................................................207
7|P a g e
OverviewThisdocument,SecurityConfigurationBenchmarkforIBMDB2,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforDB2versions10.xrunningonLinuxandWindows.ThisguidewastestedagainstDB2version10.5installedonWindowsServer2008R2andCentOS6.Toobtainthelatestversionofthisguide,pleasevisithttp://cisecurity.org.Ifyouhavequestionsorcomments,orhaveidentifiedwaystoimprovethisguide,[email protected].
IntendedAudience
Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnel,whoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateDB2onLinuxandWindowsplatforms.
ConsensusGuidance
Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.
EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://community.cisecurity.org.
8|P a g e
TypographicalConventions
Thefollowingtypographicalconventionsareusedthroughoutthisguide:
Convention Meaning
Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.
Monospacefont Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.
<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.
Italicfont Usedtodenotethetitleofabook,article,orotherpublication.
Note Additionalinformationorcaveats
ScoringInformation
Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:
Scored
Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.
NotScored
Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.
9|P a g e
ProfileDefinitions
ThefollowingconfigurationprofilesaredefinedbythisBenchmark:
• Level1-RDBMS
ItemsinthisprofileapplytotheRDBMSproperandintendto:
o Bepracticalandprudent;o Provideaclearsecuritybenefit;ando Notinhibittheutilityofthetechnologybeyondacceptablemeans.
• Level2-RDBMS
Thisprofileextendsthe"Level1"profile.Itemsinthisprofileexhibitoneormoreofthefollowingcharacteristics:
o Areintendedforenvironmentsorusecaseswheresecurityisparamounto Actsasdefenseindepthmeasureo Maynegativelyinhibittheutilityorperformanceofthetechnology
• Level1-WindowsHostOS
ItemsinthisprofileapplytotheWindowsHostOSproperandintendto:
o Bepracticalandprudent;o Provideaclearsecuritybenefit;ando Notinhibittheutilityofthetechnologybeyondacceptablemeans.
• Level2-WindowsHostOS
Thisprofileextends"Level1-WindowsHostOS".Itemsinthisprofileexhibitoneormoreofthefollowingcharacteristics:
o Areintendedforenvironmentsorusecaseswheresecurityisparamounto Actsasdefenseindepthmeasureo Maynegativelyinhibittheutilityorperformanceofthetechnology
• Level1-LinuxHostOS
ItemsinthisprofileapplytotheLinuxHostOSproperandintendto:
o Bepracticalandprudent;
10|P a g e
o Provideaclearsecuritybenefit;ando Notinhibittheutilityofthetechnologybeyondacceptablemeans.
• Level2-LinuxHostOS
Thisprofileextends"Level1-LinuxHostOS".Itemsinthisprofileexhibitoneormoreofthefollowingcharacteristics:
o areintendedforenvironmentsorusecaseswheresecurityisparamounto actsasdefenseindepthmeasureo maynegativelyinhibittheutilityorperformanceofthetechnology
11|P a g e
Acknowledgements
Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide:
ContributorAdamMontvilleTimothyHarrisonEditorKarenScarfoneChrisBielinski
12|P a g e
Recommendations1InstallationandPatches
[Thisspaceintentionallyleftblank]
1.1Installthelatestfixpacks(NotScored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Periodically,IBMreleasesfixpackstoenhancefeaturesandresolvedefects,includingsecuritydefects.ItisrecommendedthattheDB2instanceremaincurrentwithallfixpacks.
Rationale:
InstallingthelatestDB2fixpackwillhelpprotectthedatabasefromknownvulnerabilitiesaswellasreducedowntimethatmayotherwiseresultfromfunctionaldefects.
Audit:
PerformthefollowingDB2commandstoobtaintheversion:
1. OpentheDB2CommandWindowandtypeindb2level:
$ db2level DB21085I Instance "DB2" uses "32" bits and DB2 code release "SQL09050" with level identifier "03010107". Informational tokens are "DB2 v9.5.0.808", "s071001", "NT3295", and Fix Pack "3".
Remediation:
ApplythelatestfixpackasofferedfromIBM.
13|P a g e
1.2UseIPaddressratherthanhostname(Scored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
UseanIPaddressratherthanahostnametoconnecttothehostoftheDB2instance.
Rationale:
UsingahostnametoconnecttoaDB2instancecandisplayusefulinformationaboutthehosttoanattacker.Forexample,hostnamesforDB2instancesoftencontaintheDB2versionnumber,hosttype,oroperatingsystemtype.
Audit:
Windows:
1. RunDB2CommandPrompt-Administrator2. Type'db2listnodedirectoryshowdetail'3. Verifythatthe'HOSTNAME'valuesforallnodeslistedareinIPaddressformand
nothostnames
Linux:
1. LogintoDB2asDB2Instanceowner2. Type'db2listnodedirectoryshowdetail'3. Verifythatthe'HOSTNAME'valuesforallnodeslistedareinIPaddressformand
nothostnames
Sample:
Node Directory Number of entries in the directory = 2 Node 1 entry: Node name = SAMPLE Comment = Directory entry type = LDAP Protocol = TCPIP Hostname = 192.168.145.10 Service name = 50000
14|P a g e
Remediation:
1. Dropallexistingnodes2. RecreatenodedirectoryusingIPaddressesandnothostnames
DefaultValue:
IPaddress
15|P a g e
1.3Leveragetheleastprivilegeprinciple(NotScored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheDB2databaseinstancewillexecuteunderthecontextofagivensecurityprinciple.Itisrecommendedthatthisservicehavetheleastprivilegespossible.Furthermore,itisadvisabletohavetheDB2serviceexecutedusingtheDB2instanceownerandmonitorsuchaccountsforunauthorizedaccesstothesensitivedata.
Rationale:
LeveragingaleastprivilegeaccountfortheDB2servicewillreduceanattacker'sabilitytocompromisethehostoperatingsystemshouldtheDB2serviceprocessbecomecompromised.
Audit:
ReviewallaccountsthathaveaccesstotheDB2databaseservicetoensureleastprivilegeisapplied.
Remediation:
Ensurethatallaccountshavetheabsoluteminimalprivilegegrantedtoperformtheirtasks.
16|P a g e
1.4Usenon-defaultaccountnames(Scored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
TheDB2serviceisinstalledwithdefaultaccountswithwell-knownnamessuchasdb2admin,db2inst1,dasusr1,ordb2fenc1.Itisrecommendedthattheuseoftheseaccountnamesbeavoided.Thedefaultaccountsmayberenamedandthenused.
Rationale:
TheuseofdefaultaccountnamesmayincreasetheDB2service'ssusceptibilitytounauthorizedaccessbyanattacker.
Audit:
ForWindows:
1. Reviewthelistofusersforthesystemandconfirmthatnoneoftheaccountnamesaredb2admin,db2inst1,dasusr1,ordb2fenc1.
ForLinux:
1. Review/etc/passwdandconfirmthatnoneoftheaccountnamesaredb2admin,db2inst1,dasusr1,ordb2fenc1.
Remediation:
Foreachaccountwithadefaultname,eitherchangethenametoanamethatisnotwell-knownordeletetheaccountifitisnotneeded.
17|P a g e
1.5ConfigureDB2tousenon-standardports(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level2-WindowsHostOS
•Level1-LinuxHostOS
•Level2-LinuxHostOS
Description:
Ifenabled,thedefaultDB2instancewillbeassignedadefaultportofTCP:50000forTCP/IPcommunication.TCP:50000isawidelyknownDB2port,sothisportassignmentshouldbechanged.Thoughdeprecated,ifyoustillusetheDAS,itsdefaultportusesTCP:523andshouldbechanged.
Rationale:
Usinganon-defaultporthelpsreducethenumberofattacksdirectedatthedatabasethroughitsport.
Audit:
Usetheappropriatecommandbelowtoidentifytheassignedportandconfirmthatitdoesnotusethedefaultvalueof50000.
Linux:
cat etc/services | grep db2
Windows:
netstat -bao
Remediation:
Assignanon-defaultport(avalueotherthan50000)tothedefaultDB2instance.
Impact:
Changingtheportwillbreakconnectivityforanyservers,clients,etc.configuredtoaccesstheDBinstanceattheoriginalport.Anyportnumberchangesneedtobecoordinatedtopreventinadvertentoutages.
18|P a g e
References:
1. http://www.ibm.com/support/knowledgecenter/en/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/c0060794.html
19|P a g e
1.6CreatingthedatabasewiththeRESTERICTIVEclause(NotScored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
ThisparameterindicateswhetherthedatabasewascreatedwiththeRESTRICTIVEclauseintheCREATEDATABASEstatement.Whencreatingadatabase,theuseoftheRESTRICTIVEclausewillcausecertaincommandstoberevokedfromPUBLIC.
Rationale:
AllowingthedefaultprivilegesgrantedtothegroupPUBLICtoremainintackcanhavenegativeimpactsonthedatabaseaswellasunderminemeasuresputinplacetolimitaccesstoauthorizedusers.
Audit:
db2=> select case when value = '-1' then 'automatic' when value = '' then 'NULL' else value end as value from sysibmadm.dbcfg where name = 'restrict_access'
Remediation:
There is no remediation for this parameter due to the fact that the placement of the RESTRICTIVE clause happens within the CREATE DATABASE statement. Unless your backup strategies allow for a complete overhaul of your environment where you are able to recreate the database with the RESTRICTIVE clause, we do not recommend changing this parameter. However, if you would like to align your database configuration to that which the RESTRICTIVE clause would provide, please ensure the following:
1. SYSCAT.DBAUTH – Ensure PUBLIC is NOT granted the following authorities:
• CREATETAB• BINDADD• CONNECT• IMPLICIT_SCHEMA
20|P a g e
2. SYSCAT.TABAUTH – Ensure PUBLIC is NOT granted the following privileges:
• SELECTonallSYSCATandSYSIBMtables• SELECTandUPDATEonallSYSSTATtables• SELECTonthefollowingviewsinschemaSYSIBMADM:
o ALL_*o USER_*o ROLE_*o SESSION_*o DICTIONARYo TAB
3. SYSCAT.ROUTINEAUTH – Ensure PUBLIC is NOT granted the following privileges:
• EXECUTEwithGRANTonallproceduresinschemaSQLJ• EXECUTEwithGRANTonallfunctionsandproceduresinschemaSYSFUN• EXECUTEwithGRANTonallfunctionsandproceduresinschemaSYSPROC• EXECUTEonalltablefunctionsinschemaSYSIBM• EXECUTEonallotherproceduresinschemaSYSIBM
4. SYSCAT.MODULEAUTH – Ensure PUBLIC is NOT granted the following privileges:
• EXECUTEonthefollowingmodulesinschemaSYSIBMADM:o DBMS_DDLo DBMS_JOBo DBMS_LOBo DBMS_OUTPUTo DBMS_SQLo DBMS_STANDARDo DBMS_UTILITY
5. SYSCAT.PACKAGEAUTH – Ensure PUBLIC is NOT granted the following privileges:
• BINDonallpackagescreatedintheNULLIDschema• EXECUTEonallpackagescreatedintheNULLIDschema
6. SYSCAT.SCHEMAAUTH – Ensure PUBLIC is NOT granted the following privileges:
• CREATEINonschemaSQLJ• CREATEINonschemaNULLID
7. SYSCAT.TBSPACEAUTH – Ensure PUBLIC is NOT granted the USE privilege on table space USERSPACE1.
8. SYSCAT.WORKLOADAUTH – Ensure PUBLIC is NOT granted the USAGE privilege on SYSDEFAULTUSERWORKLOAD.
21|P a g e
9.SYSCAT.VARIABLEAUTH–EnsurePUBLICisNOTgrantedtheREADprivilegeonschemaglobalvariablesintheSYSIBMschema.
References:
1. https://www.ibm.com/support/knowledgecenter/en/SSEPGG_10.5.0/com.ibm.db2.luw.admin.cmd.doc/doc/r0001941.html
2. https://www.ibm.com/support/knowledgecenter/en/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0054269.html
22|P a g e
2DB2DirectoryandFilePermissions
ThissectionprovidesguidanceonsecuringalloperatingsystemspecificobjectsforDB2.
2.1SecureDB2RuntimeLibrary(Scored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
ADB2softwareinstallationwillplaceallexecutablesunderthedefault<DB2PATH>\sqllibdirectory.Thisdirectoryneedstobesecuredsoitgrantsonlythenecessaryaccesstoauthorizedusersandadministrators.
Rationale:
TheDB2runtimeiscomprisedoffilesthatareexecutedaspartoftheDB2service.Iftheseresourcesarenotsecured,anattackermayalterthemtoexecutearbitrarycode.
Audit:
Performthefollowingtoobtainthevalueforthissetting:ForWindows:
1. ConnecttotheDB2host2. Right-clickontheNODE000x/sqldbdirdirectory3. ChooseProperties4. SelecttheSecuritytab5. DeterminethepermissionsforDBadministratoraccountsandallotheraccounts
ForLinux:
1. ConnecttotheDB2host2. ChangetotheNODE000x/sqldbdirdirectory3. Determinethepermissionsforthedirectory
OS => ls -al
23|P a g e
Remediation:
ForWindows:
1. ConnecttotheDB2host2. Right-clickonthe\NODE000x\sqldbdirdirectory3. ChooseProperties4. SelecttheSecuritytab5. SelectallDBadministratoraccountsandgrantthemtheFullControlauthority6. SelectallotheraccountsandrevokeallprivilegesotherthanReadandExecute
ForLinux:
1. ConnecttotheDB2host2. Changetothe/NODE000x/sqldbdirdirectory3. Changethepermissionlevelofthedirectorytothisrecommendedvalue
OS => chmod -R 755
24|P a g e
2.2Securethedatabasecontainerdirectory(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
ADB2databasecontaineristhephysicalstorageofthedata.
Rationale:
Thecontainersareneededinorderforthedatabasetooperateproperly.Thelossofthecontainerscancausedowntime.Also,allowingexcessiveaccesstothecontainersmayhelpanattackertogainaccesstotheircontents.Therefore,securethelocation(s)ofthecontainersbyrestrictingtheaccessandownership.Allowonlytheinstanceownertohaveaccesstothetablespacecontainers.
Audit:
ReviewallusersthathaveaccesstothedirectoryofthecontainerstoensureonlyDB2administratorshavefullaccess.Allotherusersshouldhaveread-onlyaccess.
Remediation:
SettheprivilegesforthedirectoryofthecontainerssothatonlyDB2administratorshavefullaccess,andallotherusershaveread-onlyaccess.
25|P a g e
2.3SetumaskvalueforDB2adminuser.profilefile(Scored)
ProfileApplicability:
•Level1-LinuxHostOS
Description:
TheDB2Admin.profilefileinLinuxsetstheenvironmentvariablesandthesettingsfortheuser.
Rationale:
Theumask valueshouldbesetto022 fortheowneroftheDB2softwareatalltimes.
Audit:
Ensurethattheumask 022 settingexistsinthe.profile.
Remediation:
Addumask 022 tothe.profile file.
26|P a g e
2.4VerifythegroupswithintheDB2_GRP_LOOKUPenvironmentvariableareappropriate(Windowsonly)(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level2-WindowsHostOS
Description:
TheDB2_GRP_LOOKUPenvironmentvariablemanageswhichgroupsareidentifiedonalocalmachine/domainlevel.
Rationale:
Periodicreviewofthesegroupsisrequiredtoensurethatnon-essentialgroupsdonothaveunnecessaryauthorization.
Audit:
VerifythattheDB2_GRP_LOOKUPenvironmentvariableincludesonlytheappropriategroupslistedwithinthelocalmachine/domain.
db2set -all
Remediation:
AlterthevalueoftheDB2_GRP_LOOKUPenvironmentvariablesothatitincludesonlytheappropriategroupslistedwithinthelocalmachine/domain.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0005914.html
27|P a g e
2.5VerifythedomainswithintheDB2DOMAINLISTenvironmentvariableareappropriate(Windowsonly)(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level2-WindowsHostOS
Description:
Itispossibletohaveauseridberepresentedacrossmultipledomains.Issuescouldarisewhentryingtoauthenticatesuchauserid.Topreventtheseissues,alistingofdomainsshouldbedefinedwithintheDB2DOMAINLISTenvironmentvariable.Note:theDB2DOMAINLISTisonlyeffectiveiftheauthenticationparameterissettoCLIENT.
Rationale:
PeriodicreviewofthedomainlistassignedtotheDB2DOMAINLISTenvironmentvariablehelpsensurethatnon-essentialdomainsdonothaveunnecessaryauthorizations.
Audit:
VerifythattheDB2DOMAINLISTenvironmentvariableincludesonlytheappropriatedomains.
db2set -all
Remediation:
AlterthevalueoftheDB2DOMAINLISTenvironmentvariablesothatitincludesonlytheappropriatedomains.
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0011962.html?lang=en
28|P a g e
3DB2Configurations
[Thisspaceintentionallyleftblank]
3.1DB2InstanceParameterSettings
ThissectionprovidesguidanceonhowDB2willcontrolthedatainthedatabasesandthesystemresourcesthatareallocatedtotheinstance.
3.1.1Enableauditbuffer(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
DB2canbeconfiguredtouseanauditbuffer.Itisrecommendedthattheauditbuffersizebesettoatleast1000.
Rationale:
Increasingtheauditbuffersizetogreaterthan0willallocatespacefortheauditrecordsgeneratedbytheauditfacility.Atscheduledintervals,orwhentheauditbufferisfull,thedb2auditdauditdaemonemptiestheauditbuffertodisk,writingtheauditrecordsasynchronously.
Audit:
Performthefollowingtodetermineiftheauditbufferissetasrecommended:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
29|P a g e
3. LocateAUDIT_BUF_SZ valueintheoutput:
db2 => get database manager configuration db2 => … Audit buffer size (4KB) (AUDIT_BUF_SZ) = 1000
EnsureAUDIT_BUF_SZisgreaterthanorequalto1000.
Remediation:
Performthefollowingtoestablishanauditbuffer:
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using audit_buf_sz 1000
30|P a g e
3.1.2Encryptuserdataacrossthenetwork(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
DB2supportsanumberofauthenticationmechanisms.ItisrecommendedthattheDATA_ENCRYPTauthenticationmechanismbeused.
Rationale:
TheDATA_ENCRYPT authenticationmechanismemployscryptographicalgorithmstoprotecttheconfidentialityofauthenticationcredentialsanduserdataastheytraversethenetworkbetweentheDB2clientandserver.
Audit:
Performthefollowingtodetermineiftheauthenticationmechanismissetasrecommended:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3. LocatetheAUTHENTICATION valueintheoutput:
db2 => get database manager configuration db2 => … Database manager authentication (AUTHENTICATION) = DATA_ENCRYPT
Note:AUTHENTICATION issettoDATA_ENCRYPT intheaboveoutput.
31|P a g e
Remediation:
SuggestedvalueisDATA_ENCRYPTsothatauthenticationoccursattheserver.
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using authentication data_encrypt
32|P a g e
3.1.3Requireexplicitauthorizationforcataloging(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
DB2canbeconfiguredtoallowusersthatdonotpossesstheSYSADM authoritytocataloganduncatalogdatabasesandnodes.Itisrecommendedthatthecatalog_noauth parameterbesettoNO.
Rationale:
Catalogingadatabaseistheprocessofregisteringadatabasefromaremoteclienttoallowremotecallandaccess.Settingcatalog-noauth toYES bypassesallpermissionschecksandallowsanyonetocataloganduncatalogdatabases.
Audit:
Performthefollowingtodetermineifauthorizationisexplicitlyrequiredtocataloganduncatalogdatabasesandnodes:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3. LocatethevalueofCATALOG_NOAUTHintheoutput:
db2 => get database manager configuration db2 => … Cataloging allowed without authority (CATALOG_NOAUTH) = NO
Note:CATALOG_NOAUTH issettoNO intheaboveoutput.
33|P a g e
Remediation:
Performthefollowingtorequireexplicitauthorizationtocataloganduncatalogdatabasesandnodes.
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using catalog_noauth no
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_9.1.0/com.ibm.db2.udb.admin.doc/doc/r0000143.htm?cp=SSEPGG_9.1.0%2F11-0-0-4-3
34|P a g e
3.1.4Disabledatalinkssupport(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Datalinks enablesthedatabasetosupporttheDataLinksManagertomanageunstructureddata,suchasimages,largefilesandotherunstructuredfilesonthehost.Itisrecommendedthatdatalinkssupportbedisabled.
Rationale:
Disabledatalinks ifthereisnouseforthemasthiswillreducetheattacksurfaceoftheDB2service.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3. LocatethisvalueofDATALINKS intheoutput:
db2 => get database manager configuration db2 => … Data Links support (DATALINKS) = NO
Note:DATALINKSissettoNOintheaboveoutput.
35|P a g e
Remediation:
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using datalinks no
36|P a g e
3.1.5Securepermissionsfordefaultdatabasefilepath(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
Thedftdbpath parametercontainsthedefaultfilepathusedtocreateDB2databases.ItisrecommendedthatthepermissionsforthisdirectorybesettofullaccessforDB2administratorsandreadandexecuteaccessonlyforallotheraccounts.ItisalsorecommendedthatthisdirectorybeownedbytheDB2Administrator.
Rationale:
Restrictingaccesstothedirectoryusedasthedefaultfilepaththroughpermissionswillhelpensurethattheconfidentiality,integrity,andavailabilityofthefilesthereareprotected.
Audit:
ForWindowsandLinux:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3.Locatethisvalueintheoutputtofindthedefaultfilepath:
db2 => get database manager configuration db2 => … Default database path (DFTDBPATH) = <valid directory>
37|P a g e
AdditionalstepsforWindows:
1. ConnecttotheDB2host2. Right-clickoverthedirectoryusedforthedefaultfilepath3. ChooseProperties4. SelecttheSecuritytab5. Reviewandverifytheprivilegesforallaccounts.6. ReviewandverifythattheDB2Administratoristheownerofthedirectory.
AdditionalstepsforLinux:
1. ConnecttotheDB2host2. Changetothedirectoryusedasthedefaultfilepath3. Reviewandverifythepermissionsforthedirectoryforallusers;alsoensurethat
theDB2Administratoristheowner.
OS => ls -al
Remediation:
ForWindowsandLinux:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindowtochangethedefaultfilepath,ifnecessary:
db2 => update database manager configuration using dftdbpath <valid directory>
AdditionalstepsforWindows:
1. ConnecttotheDB2host2. Right-clickoverthedirectoryusedasthedefaultfilepath3. ChooseProperties4. SelecttheSecuritytab5. AssignownershipofthedirectorytotheDB2Administrator6. GrantallDBadministratoraccountstheFullControlauthority7. Grantonlyreadandexecuteprivilegestoallotherusers(revokeallotherprivileges)
38|P a g e
AdditionalstepsforLinux:
1. ConnecttotheDB2host2. Changetothedirectoryusedasthedefaultfilepath3. AssigntheDB2Administratortobetheownerofthedirectoryusingthechown
command4. Changethepermissionsforthedirectory
OS => chmod -R 755
39|P a g e
3.1.6Setdiagnosticloggingtocaptureerrorsandwarnings(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thediaglevel parameterspecifiesthetypeofdiagnosticerrorsthatwillberecordedinthedb2diag.log file.Itisrecommendedthatthediaglevel parameterbesettoatleast3.
Rationale:
Therecommendeddiaglevelsettingis3,butanyvaluegreaterthan3isalsoacceptable.Avalueofatleast3willallowtheDB2instancetocaptureallerrorsandwarningsthatoccuronthesystem.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3. LocatetheDIAGLEVEL valueintheoutput:
db2 => get database manager configuration db2 => … Diagnostic error capture level (DIAGLEVEL) = 3
EnsureDIAGLEVELisgreaterthanorequalto3.
40|P a g e
Remediation:
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using diaglevel 3
41|P a g e
3.1.7Securepermissionsforalldiagnosticlogs(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thediagpath parameterspecifiesthelocationofthediagnosticfilesfortheDB2instance.Thedirectoryatthislocationshouldbesecuredsothatusershavereadandexecuteprivilegesonly(nowriteprivileges).AllDB2administratorsshouldhavefullaccesstothedirectory.
Rationale:
Securingthedirectorywillensurethattheconfidentiality,integrity,andavailabilityofthediagnosticfilescontainedinthedirectoryarepreserved.
Audit:
ForbothWindowsandLinux,performthefollowingDB2commandstoobtainthelocationofthedirectory:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3. LocatetheDIAGPATH valueintheoutput:
db2 => get database manager configuration db2 => … Diagnostic data directory path (DIAGPATH) = <valid directory>
AdditionalstepsforWindows:
1. ConnecttotheDB2host2. Right-clickoverthediagnosticlogdirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewtheaccessforallaccounts
42|P a g e
AdditionalstepsforLinux:
1. ConnecttotheDB2host2. Changetothediagnosticlogdirectory3. Reviewthepermissionsofthedirectory
OS => ls -al
Remediation:
ForWindowsandLinux,tochangethedirectoryforthediagnosticlogs:
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using diagpath <valid directory>
AdditionalstepsforWindows:
1. ConnecttotheDB2host2. Right-clickoverthediagnosticlogdirectory3. ChooseProperties4. SelecttheSecuritytab5. GranttheFullControlauthoritytoallDB2administratoraccounts6. Grantonlyreadandexecuteprivilegestoallotheraccounts(revokeanyother
privileges)
AdditionalstepsforLinux:
1. ConnecttotheDB2host2. Changetothediagnosticlogdirectory3. Changethepermissionsofthedirectory
OS => chmod -R 755
43|P a g e
3.1.8Requireinstancenamefordiscoveryrequests(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thediscover parameterdetermineswhatkindofdiscoveryrequests,ifany,theDB2serverwillfulfill.ItisrecommendedthattheDB2serveronlyfulfillrequestsfromclientsthatknowthegiveninstancename(discover parametervalueofknown).
Rationale:
DiscoverycapabilitiesmaybeusedbyamaliciousentitytoderivethenamesofandtargetDB2instances.Inthisconfiguration,theclienthastospecifyaknowninstancenametobeabletodetecttheinstance.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3. LocatetheDISCOVER valueintheoutput:
db2 => get database manager configuration db2 => … Discovery mode (DISCOVER) = KNOWN
Note:DISCOVER issettoKNOWN intheaboveoutput.
44|P a g e
Remediation:
TherecommendedvalueisKNOWN.Note:thisrequiresaDB2restart.
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using discover known
3. RestarttheDB2instance.
db2 => db2stop db2 => db2start
Impact:
Itisimportanttobeawarethattheimplementationofthisrecommendationresultsinabriefdowntime.Itisadvisabletoensurethatthesettingisimplementedduringanapprovedmaintenancewindow.
45|P a g e
3.1.9Disableinstancediscoverability(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thediscover_inst parameterspecifieswhethertheinstancecanbediscoveredinthenetwork.Itisrecommendedthatinstancesnotbediscoverable.
Rationale:
DiscoverycapabilitiesmaybeusedbyamaliciousentitytoderivethenamesofandtargetDB2instances.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3. LocatetheDISCOVER_INSTvalueintheoutput:
db2 => get database manager configuration db2 => … Discover server instance (DISCOVER_INST) = DISABLE
Note:DISCOVER_INSTissettoDISABLEintheaboveoutput.
Remediation:
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using discover_inst disable
46|P a g e
3.1.10Authenticatefederatedusersattheinstancelevel(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thefed_noauth parameterdetermineswhetherfederatedauthenticationwillbebypassedattheinstance.Itisrecommendedthatthisparameterbesettono.
Rationale:
Settingfed_noauth tono willensurethatauthenticationischeckedattheinstancelevel.Thiswillpreventanyfederatedauthenticationfrombypassingtheclientandtheserver.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3. LocatetheFED_NOAUTHvalueintheoutput:
db2 => get database manager configuration db2 => … Bypass federated authentication (FED_NOAUTH) = NO
Note:FED_NOAUTH issettoNO intheaboveoutput.
47|P a g e
Remediation:
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using fed_noauth no
48|P a g e
3.1.11Setmaximumconnectionlimits(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Themax_connections parameterindicatesthemaximumnumberofclientconnectionsallowedperdatabasepartition.Itisrecommendedthatthisparameterbesetequaltothemax_coordagents parameter.Themax_coordagents parameterequalsthemaximumnumberofagentsneededtoperformconnectionstothedatabaseorattachmentstotheinstance.
NOTE:Ensurethatdependentparameters,suchasmaxappls,aresetlessthanthemax_coordagents parameter.Thiswouldensurethatthelocklimitisn'treached,whichwouldresultinlockescalationissues.
Rationale:
Bydefault,DB2allowsanunlimitednumberofuserstoaccesstheDB2instance.InadditiontogivingaccesstotheDB2instancetoauthorizedusersonly,itisrecommendedtosetalimittothenumberofusersallowedtoaccessaDB2instance.Thishelpspreventdenialofserviceconditionsshouldanauthorizedprocessmalfunctionandattemptalargenumberofsimultaneousconnections.
Audit:
PerformthefollowingDB2commandstoobtainthevalue(s)forthesesettings:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
49|P a g e
3. LocatetheMAX_CONNECTIONS andMAX_COORDAGENTS valuesintheoutput:
db2 => get database manager configuration db2 => … Max number of client connections (MAX_CONNECTIONS) = 150 Max number of existing agents (MAX_COORDAGENTS) = 150
Note:MAX_CONNECTIONS issetto150 andtheMAX_COORDAGENTS issetto150 intheaboveoutput.
PerformthefollowingDB2commandstoobtainthevalueoftheMAXAPPLSparameter:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database configuration
3. LocatetheMAXAPPLS valueintheoutput:
db2 => get database configuration db2 => … Max Number of Active Applications (MAXAPPLS) = [99]
Note:MAXAPPLS issetto99 intheaboveoutput.
50|P a g e
Remediation:
Thedefaultvalueformax_coordagents issettoAUTOMATIC.Allowablerangeis1to64,000,or-1forunlimited.Therecommendedvalueis100.Thefollowingcommandwillsetthemax_coordagents to100,aswellassetthemax_connections toAUTOMATIC whichisalsorecommended.
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using max_coordagents 100 AUTOMATIC
Ifmaxappls isNOTlessthanthevalueformax_coordagents,thenadjustthevalueofmaxapplsaccordingly:
db2 => update database configuration using maxappls <a number less then max_coordagents>
DefaultValue:
Thedefaultvalueformax_connections isAUTOMATIC.
Thedefaultvalueformax_coordagents isAUTOMATIC.
ThedefaultvalueformaxapplsisAUTOMATIC.
51|P a g e
3.1.12Setadministrativenotificationlevel(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thenotifylevel parameterspecifiesthetypeofadministrationnotificationmessagesthatarewrittentotheadministrationnotificationlog.Itisrecommendedthatthisparameterbesetgreaterthanorequalto3.Asettingof3,whichincludessettings1&2,willlogallfatalerrors,failingservices,systemintegrity,aswellassystemhealth.
Rationale:
ThesystemshouldbemonitoringallHealthMonitoralarms,warnings,andattentions.ThismaygiveanindicationofanymalicioususageontheDB2instance.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3. LocatetheNOTIFYLEVEL valueintheoutput:
db2 => get database manager configuration db2 => … Notify Level (NOTIFYLEVEL) = 3
Note:NOTIFYLEVEL issetto3 intheaboveoutput.
52|P a g e
Remediation:
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using notifylevel 3
DefaultValue:
Thedefaultvalueofnotifylevelis3.
53|P a g e
3.1.13Enableserver-basedauthentication(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thesrvcon_auth parameterspecifieshowandwhereauthenticationistotakeplaceforincomingconnectionstotheserver.ItisrecommendedthatthisparameterisnotsettoCLIENT.
Rationale:
Thisparameterwilltakeprecedenceoverandoverridetheauthenticationlevel.Authenticationshouldbesetontheserverside.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3. LocatetheSRVCON_AUTH valueintheoutput:
db2 => get database manager configuration db2 => … Server Connection Authentication (SRVCON_AUTH) = SERVER
Note:SRVCON_AUTH issettoSERVER intheaboveoutput.
54|P a g e
Remediation:
TherecommendedvalueisSERVER.Note:thiswillrequireaDB2restart.
1. AttachtotheDB2instance
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using srvcon_auth server
3. RestarttheDB2instance.
db2 => db2stop db2 => db2start
Impact:
Itisimportanttobeawarethattheimplementationofthisrecommendationresultsinabriefdowntime.Itisadvisabletoensurethatthesettingisimplementedduringanapprovedmaintenancewindow.
55|P a g e
3.1.14Setfailedarchiveretrydelay(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thearchretrydelay parameterspecifiesthenumberofsecondstheDB2servicewillwaitbeforeitreattemptstoarchivelogfilesafterafailure.Itisrecommendedthatthisparameterbesetanywhereintherangeof10-30.Youdonotwantthedelaytobesoshortthatthedatabaseendsupinadenialofservicescenario,butyoudon'twantthedelaytobetoolongifanoutsideattackhappensatthesametime.
Rationale:
Ensurethatthevalueisnon-zero,otherwisearchiveloggingwillnotretryafterthefirstfailure.Adenialofserviceattackcanrenderthedatabasewithoutanarchivelogifthissettingisnotset.Anarchivelogwillensurethatalltransactionscansafelyberestoredorloggedforauditing.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database configuration
3. LocatetheARCHRETRYDELAY valueintheoutput:
db2 => get database configuration db2 => … Log archive retry Delay (secs) (ARCHRETRYDELAY) = 20
Note:ARCHRETRYDELAY issetto20 intheaboveoutput.
56|P a g e
Remediation:
1. ConnecttotheDB2database
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Tosuccessfullysetthearchretrydelay withinthe10-30range,runthefollowingcommandfromtheDB2commandwindow:
db2 => update database configuration using archretrydelay nn (where nn is a range between 10-30)
DefaultValue:
Thedefaultvalueforarchretrydelayis20
57|P a g e
3.1.15Auto-restartafterabnormaltermination(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Theautorestart parameterspecifiesifthedatabaseinstanceshouldrestartafteranabnormaltermination.ItisrecommendedthatthisparameterbesettoON.
Rationale:
Settingthedatabasetoauto-restartwillreducethedowntimeofthedatabase.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database configuration
3. LocatetheAUTORESTART valueintheoutput:
db2 => get database configuration db2 => … Auto restart enabled (AUTORESTART) = ON
Note:AUTORESTART issettoON intheaboveoutput.
Remediation:
1. ConnecttotheDB2database
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database configuration using autorestart on
58|P a g e
3.1.16Disabledatabasediscovery(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thediscover_db parameterspecifiesifthedatabasewillrespondtoadiscoveryrequestfromaclient.ItisrecommendedthatthisparameterbesettoDISABLE.
Rationale:
Settingthedatabasediscoverytodisabledcanhideadatabasewithsensitivedata.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database configuration
3. LocatetheDISCOVER_DB valueintheoutput:
db2 => get database configuration db2 => … Discovery support for this database (DISCOVER_DB) = DISABLE
Note:DISCOVER_DB issettoDISABLE intheaboveoutput.
59|P a g e
Remediation:
1. ConnecttotheDB2database
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database configuration using discover_db disable
60|P a g e
3.1.17Securepermissionsfortheprimaryarchiveloglocation(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
Thelogarchmeth1 parameterspecifiesthetypeofmediaandthelocationusedastheprimarydestinationofarchivedlogs.ItisrecommendedthatthedirectoryusedforthearchivedlogsbesettofullaccessforDB2administratoraccountsandreadandexecuteforallotheraccounts.
Rationale:
Restrictingaccesstothecontentsoftheprimaryarchivelogdirectorywillhelpensurethattheconfidentiality,integrity,andavailabilityofarchivelogsareprotected.Althoughtherearemanywaystoensurethatyourprimarylogswillbearchived,werecommendusingthevalueofDISKaspartofthelogarchmeth1 parameter.Thiswillproperlyensurethattheprimarylogsarearchived.AfindingofOFFisnotacceptable.
Audit:
ForWindowsandLinux:
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3.Locatethisvalueintheoutputtofindtheprimaryarchivelogdirectory:
db2 => get database manager configuration db2 => ... Default database path (LOGARCHMETH1) = <valid directory>
61|P a g e
AdditionalstepsforWindows:
1. ConnecttotheDB2host2. Right-clickontheprimaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewandverifytheprivilegesforallaccounts
AdditionalstepsforLinux:
1. ConnecttotheDB2host2. Changetotheprimaryarchivelogdirectory3. Reviewandverifythepermissionsforthedirectoryforallusers.
OS => ls -al
Remediation:
ForWindowsandLinux:
1. AttachtotheDB2instance.2. RunthefollowingcommandfromtheDB2commandwindowtochangetheprimary
archivelogdirectory,ifnecessary:
db2 => update database configuration using logarchmeth1 <valid directory>
AdditionalstepsforWindows(assumingthatthelogarchmeth1parameterincludesDISK):
1. ConnecttotheDB2host2. Right-clickontheprimaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. GrantallDB2administratoraccountstheFullControlauthority6. Grantallotheraccountsreadandexecuteprivilegesonly(revokeallother
privileges)
AdditionalstepsforLinux(assumingthatthelogarchmeth1parameterincludesDISK):
1. ConnecttotheDB2host2. Changetotheprimaryarchivelogdirectory3. Changethepermissionsforthedirectory
OS => chmod -R 755
62|P a g e
3.1.18Securepermissionsforthesecondaryarchiveloglocation(Scored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
Thelogarchmeth2 parameterspecifiesthetypeofmediaandthelocationusedasthesecondarydestinationforarchivedlogs.ItisrecommendedthatthedirectoryusedforthearchivedlogsbesettofullaccessforDB2administratoraccountsandreadandexecuteonlyforallotheraccounts.
Rationale:
Restrictingaccesstothecontentsofthesecondaryarchivelogdirectorywillhelpensurethattheconfidentiality,integrity,andavailabilityofarchivelogsareprotected.Althoughtherearemanywaystoensurethatyourlogswillbearchived,werecommendusingthevalueofDISKaspartofthelogarchmeth2parameter.Thiswillproperlyensurethatthelogsarearchived.AfindingofOFFisnotacceptable.
Audit:
ForWindowsandLinux:
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3.Locatethisvalueintheoutputtofindthesecondaryarchivelogdirectory:
db2 => get database manager configuration db2 => ... Default database path (LOGARCHMETH2) = <valid directory>
AdditionalstepsforWindows:
1. ConnecttotheDB2host2. Right-clickonthesecondaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewandverifytheprivilegesforallaccounts
63|P a g e
AdditionalstepsforLinux:
1. ConnecttotheDB2host2. Changetothesecondaryarchivelogdirectory3. Reviewandverifythepermissionsforthedirectoryforallusers
OS => ls -al
Remediation:
ForWindowsandLinux:
1. AttachtotheDB2instance.2. RunthefollowingcommandfromtheDB2commandwindowtochangethe
secondaryarchivelogdirectory,ifnecessary:
db2 => update database configuration using logarchmeth2 <valid directory>
AdditionalstepsforWindows(assumingthatthelogarchmeth2parameterincludesDISK):
1. ConnecttotheDB2host2. Right-clickonthesecondaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. GrantallDB2administratoraccountstheFullControlauthority6. Grantallotheraccountsreadandexecuteprivilegesonly(revokeallother
privileges)
AdditionalstepsforLinux(assumingthatthelogarchmeth2parameterincludesDISK):
1. ConnecttotheDB2host2. Changetothesecondaryarchivelogdirectory3. Changethepermissionsforthedirectory
OS => chmod -R 755
64|P a g e
3.1.19Securepermissionsforthetertiaryarchiveloglocation(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
Thefailarchpath parameterspecifiesthetypeofmediaandthelocationusedasthetertiarydestinationofarchivedlogs.ItisrecommendedthatthedirectoryusedforthearchivedlogsbesettofullaccessforDB2administratoraccountsandreadandexecuteonlyforallotheraccounts.
Rationale:
Restrictingaccesstothecontentsofthetertiaryarchivelogdirectorywillhelpensurethattheconfidentiality,integrity,andavailabilityofarchivelogsareprotected.Althoughtherearemanywaystoensurethatyourlogswillbearchived,werecommendusingthevalueofDISKaspartofthefailarchpathparameter.Thiswillproperlyensurethatthelogsarearchived.AfindingofOFFisnotacceptable.
Audit:
ForWindowsandLinux:
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3.Locatethisvalueintheoutputtofindthetertiaryarchivelogdirectory:
db2 => get database manager configuration db2 => ... Default database path (FAILARCHPATH) = <valid directory>
65|P a g e
AdditionalstepsforWindows:
1. ConnecttotheDB2host2. Right-clickonthetertiaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewandverifytheprivilegesforallaccounts
AdditionalstepsforLinux:
1. ConnecttotheDB2host2. Changetothetertiaryarchivelogdirectory3. Reviewandverifythepermissionsforthedirectoryforallusers.
OS => ls -al
Remediation:
ForWindowsandLinux:
1. AttachtotheDB2instance.2. RunthefollowingcommandfromtheDB2commandwindowtochangethetertiary
archivelogdirectory,ifnecessary:
db2 => update database configuration using failarchpath
AdditionalstepsforWindows(assumingthatthefailarchpathparameterincludesDISK):
1. ConnecttotheDB2host2. Right-clickonthetertiaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. GrantallDB2administratoraccountstheFullControlauthority6. Grantallotheraccountsreadandexecuteprivilegesonly(revokeallother
privileges)
ForLinux(assumingthatthefailarchpathparameterincludesDISK):
1. ConnecttotheDB2host2. Changetothetertiaryarchivelogdirectory3. Changethepermissionsforthedirectory
OS => chmod -R 755
66|P a g e
3.1.20Securepermissionsforthelogmirrorlocation(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
Themirrorlogpath parameterspecifiesthetypeofmediaandthelocationusedtostorethemirrorcopyofthelogs.ItisrecommendedthatthedirectoryusedforthemirrorcopyofthelogsbesettofullaccessforDB2administratoraccountsandreadandexecuteonlyforallotheraccounts.
Rationale:
Amirrorlogpathshouldnotbeemptyanditshouldbeavalidpath.Themirrorlogpathstoresasecondcopyoftheactivelogfiles.Accesstothedirectorypointedtobythatpathshouldberestrictedthroughpermissionstohelpensurethattheconfidentiality,integrity,andavailabilityofthemirrorlogsareprotected.
Audit:
ForWindowsandLinux,performthefollowingDB2commandstoobtainthedirectorylocation:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database configuration
3. LocatetheMIRRORLOGPATH valueintheoutput:
db2 => get database configuration db2 => … Mirror log path (MIRRORLOGPATH) = C:\DB2MIRRORLOGS
Note:MIRRORLOGPATH issettoC:\DB2MIRRORLOGSintheaboveoutput.
67|P a g e
AdditionalstepsforWindows:
1. ConnecttotheDB2host2. Right-clickonthemirrorlogdirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewandverifytheprivilegesforallaccounts
AdditionalstepsforLinux:
1. ConnecttotheDB2host2. Changetothemirrorlogdirectory3. Reviewandverifythepermissionsforthedirectoryforallusers.
OS => ls -al
Remediation:
ForWindowsandLinux:
1. ConnecttotheDB2database
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindowtochangethemirrorlogdirectory,ifnecessary:
db2 => update database configuration using mirrorlogpath <valid path>
AdditionalstepsforWindows:
1. ConnecttotheDB2host2. Right-clickontheprimaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. GrantallDB2administratoraccountstheFullControlauthority6. Grantallotheraccountsreadandexecuteprivilegesonly(revokeallother
privileges)
AdditionalstepsforLinux:
1. ConnecttotheDB2host2. Changetothemirrorlogdirectory3. Changethepermissionsforthedirectory
OS => chmod -R 755
68|P a g e
3.1.21Establishretentionsetsizeforbackups(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thenum_db_backups parameterspecifiesthenumberofbackupstoretainforadatabasebeforemarkingtheoldestbackupasdeleted.Itisrecommendedthatthisparameterbesettoatleast12.
Rationale:
Retainmultiplecopiesofthedatabasebackuptoensurethatthedatabasecanrecoverfromanunexpectedfailure.Thisparametershouldnotbesetto0.Multiplebackupsshouldbekepttoensurethatalllogsandtransactionscanbeusedforauditing.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database configuration
3. LocatetheNUM_DB_BACKUPS valueintheoutput:
db2 => get database configuration db2 => … Number of database backups to retain (NUM_DB_BACKUPS) = 12
Note:NUM_DB_BACKUPS issetto12 intheaboveoutput.
69|P a g e
Remediation:
1. ConnecttotheDB2database
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database configuration using num_db_backups 12
70|P a g e
3.1.22Setarchivelogfailoverretrylimit(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Thenumarchretry parameterdetermineshowmanytimesadatabasewilltrytoarchivethelogfiletotheprimaryorthesecondaryarchivedestinationbeforetryingthefailoverdirectory.Itisrecommendedthatthisparameterbesetto5.
Rationale:
Establishingafailoverretrytimelimitwillensurethatthedatabasewillalwayshaveameanstorecoverfromanabnormaltermination.Thisparametershouldnotbesetto0.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database configuration
3. LocatetheNUMARCHRETRY valueintheoutput:
db2 => get database configuration db2 => … Number of log archive retries on error (NUMARCHRETRY) = 5
Note:NUMARCHRETRY issetto5 intheaboveoutput.
71|P a g e
Remediation:
1. ConnecttotheDB2database
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database configuration using numarchretry 5
72|P a g e
3.2DatabaseManagerConfigurationparameters
DatabaseConfigurationParameterssetseveralresourcelimits[values]tobeallocatedtoadatabase.Manydatabaseconfigurationparameterscanbemodifiedtooptimizeperformanceandcapacity.
3.2.1TCP/IPservicename-svcename(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
Thesvcename parameterreservestheportnumber(orname,onLinuxhosts)forlisteningtoincomingcommunicationsfromaDataServerRuntimeClient.BoththedatabaseserverportnumberornameandtheTCP/IPservicenamemustbedefinedonthedatabaseclient.
Rationale:
Whenthedatabaseserverisstarted,aportnumberornameisrequiredtolistenforincomingconnectionrequests.Thesvcename parameterdefinestheportnumberornameforincomingconnectionrequests.OnLinuxsystems,theservicesfileisfoundat:/etc/services
Audit:
1.Runthefollowingcommandtodetermineifthesvcename parametervalueiscorrectlysetandisnotthedefaultport(50000).
select name, value from sysibmadm.dbmcfg where name = 'svcename'
Remediation:
1.Runthefollowingcommandtosetthesvcename parametervalue.
update dbm cfg using svcename <value> immediate or deferred
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0000273.html?lang=en
73|P a g e
3.2.2SSLservicename-ssl_svcename(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
Thessl_svcename configurationparameterdefinesthenameornumberoftheportthedatabaseserverlistensforcommunicationsfromremoteclientnodesusingSSLprotocol.Thessl_svcename andthesvcenameportnumberscannotbethesame.
OnLinuxoperatingsystems,thessl_svcenamefileislocatedin:/etc/services
Rationale:
ThedatabaserequiresadefinedporttolistenforincomingremoteclientsusingtheSSLprotocol.Thessl_svcename configurationparameterdefinestheportforcommunicatingwithremoteclients.
Considerusinganon-defaultporttohelpprotectthedatabasefromattacksdirectedtoadefaultport.
Audit:
1.Runthefollowingcommandtodetermineifthecurrentssl_svcename parametervalueiscorrectlysetandisnotadefaultport(50000).
select name, value from sysibmadm.dbmcfg where name = 'ssl_svcename'
Remediation:
1.Runthefollowingcommandtosetthessl_svcename parametervalue.
update dbm cfg using ssl_svcename <value> immediate or deferred
DefaultValue:
Null
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0053615.html
74|P a g e
3.2.3Authenticationtypeforincomingconnectionsattheserver-srvcon_auth(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
Thesrvcon_authparameterdefineswhereandhowuserauthenticationisdoneforincomingconnectionsattheserver.Ifnovalueisused,DB2usesthedatabasemanagerconfigurationparameterauthentication.
Rationale:
IncomingconnectionstotheDB2servermustfollowanauthenticationprotocol.Thesrvcon_authserverconfigurationparameterdefineshowandwhereuserauthenticationisdone.
Audit:
1.Runthefollowingcommandtoidentifythecurrentvalueofthesrvcon_authdatabaseconfigurationparameter:
select name, value from sysibmadm.dbmcfg where name = 'srvcon_auth'
Remediation:
1.Runthefollowingcommandtoupdatethecurrentvalueofthesrvcon_authdatabaseconfigurationparametertothecorrectvalue:
db2 => update dbm cfg using srvcon_auth <any supported authentication>
DefaultValue:
Notspecified
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0011454.html?lang=en
75|P a g e
3.2.4DatabaseManagerConfigurationparameter:trust_allclnts(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level2-WindowsHostOS
•Level1-LinuxHostOS
•Level2-LinuxHostOS
Description:
Thisparameterisusedtodeterminewhereusersarevalidatedwithinthedatabaseenvironment(client-sideauthentication).Iftheparameterissetto'YES',theserverassumesthattheclientsideishandlingauthenticationtothedatabase.Iftheparameterissetto'NO',theclientmustprovideauthenticationtotheserveronbehalfoftheuser.ThisparameterisonlyactivewhentheauthenticationparameterissettoCLIENT.
Rationale:
Thisparameterisreliedupontodeterminewhethereachuser(client)needstobeauthenticatedbytheserveroriftheservershouldassumethateachuser(client)hasalreadybeensufficientlyauthenticated.
Audit:
Issuethefollowingcommandtocheckthevalueoftheparameter:
db2=> select name, value from sysibmadm.dbmcfg where name = 'trust_allclnts'
Thevalueshouldbe'YES'forclient-sideauthenticationand'NO'forserver-sideauthentication.
76|P a g e
Remediation:
Tospecifyclient-sideauthentication,issuethefollowingcommandtosettheparameterto'YES':
db2=> update dbm cfg using trust_allclnts YES
Tospecifyserver-sideauthentication,issuethefollowingcommandtosettheparameterto'NO':
db2=> update dbm cfg using trust_allclnts NO
References:
1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0000380.html
77|P a g e
3.2.5DatabaseManagerConfigurationparameter:trust_clntauth(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level2-WindowsHostOS
•Level1-LinuxHostOS
•Level2-LinuxHostOS
Description:
Thisparameterspecifieswhereatrustedclientisauthenticated(attheserverortheclient)ifitprovidesauserIDandpassword.
Iftheparameterissetto'CLIENT',theuserIDandpasswordarenotneeded,butiftheyareprovided,authenticationwilloccurattheclient.
Iftheparameterissetto'SERVER',theuserIDandpasswordareneededandwillbeauthenticatedattheserver.
Thisparameterisonlyactiveiftheauthenticationparameterissetto'CLIENT'.
Rationale:
ThisparameterisreliedupontodeterminewhethereachtrustedclientneedstobeauthenticatedbytheserverortheclientafterprovidingauserIDandpassword.
Audit:
Issuethefollowingcommandtocheckthevalueoftheparameter:
db2=> select name, value from sysibmadm.dbmcfg where name = 'trust_clntauth'
Thevalueshouldbe'CLIENT'forclient-sideauthenticationand'SERVER'forserver-sideauthentication.
Remediation:
Issuethefollowingcommandtosettheparameterto'CLIENT'or'SERVER':
db2=> update dbm cfg using trust_clntauth <CLIENT/SERVER>
78|P a g e
References:
1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0000381.html
79|P a g e
4RowandColumnAccessControl(RCAC)
DB2RCACcontrolsaccesstoatableattherowandcolumnlevel.Rowandcolumnaccesscontrolissometimesreferredtoasfine-grainedaccesscontrolorFGAC.Identifyandgathertheorganization'ssecuritypolicies,managementandstaffroles,anduserandgroupliststocompareagainstexistingDB2RCACpoliciesforcompliance.
4.1ReviewOrganization'sPoliciesagainstDB2RCACPolicies(NotScored)
ProfileApplicability:
•Level2-RDBMS
Description:
DB2RowandColumnAccessControl(RCAC)PoliciescontrolaccesstoDB2tables.Theyshouldmatchtheorganization'ssecurityanddatabaseaccesspolicies,andtheyshouldberegularlyreviewedforgaps.
Rationale:
Missing,incomplete,orincorrectDB2RCACpolicieswillincreasetheriskstotheorganization'sprotecteddataandwillpreventeffortstomonitor,alert,andrespondtotheserisksinthefuture.
Audit:
ScheduleandcompletearegularreviewofallorganizationsecurityanddataaccessdatabasepoliciesagainstthecurrentDB2policiestodetermineifgapsexist.
1. Identifyeachwrittenorganizationpolicy.2. FindthematchingDB2RCACpolicy.3. DetermineiftheRCACpolicyappliesandcorrectlysupportsthewrittenpolicy.4. IfnomatchingDB2RCACpolicyisfound,recorda'gap'forfutureremediation.
Remediation:
1. CreateRCACpoliciesforeach'gap'listedfromtheAuditprocedure.2. ReviewthenewlycreatedDB2RCACpolicyagainsttheorganization'swritten
policies.
80|P a g e
DefaultValue:
Notinstalled
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0057423.html?lang=en
81|P a g e
4.2SecureSECADMAuthority(NotScored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheSECADM (securityadministrator)rolegrantstheauthoritytocreate,alter(whereapplicable),anddroproles,trustedcontexts,auditpolicies,securitylabelcomponents,securitypoliciesandsecuritylabels.Itisalsotheauthorityrequiredtograntandrevokeroles,securitylabelsandexemptions,andtheSETSESSIONUSERprivilege.SECADM authorityhasnoinherentprivilegetoaccessdatastoredintables.ItisrecommendedthattheSECADM rolebegrantedtoauthorizedusersonly.
Rationale:
Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdataintheDB2instancewillbeatincreasedrisk.
Audit:
ItisimportanttoconsiderreviewingthemembersoftheSECADM authoritywhenimplementingthisrecommendation.SuchconsiderationofthisreviewisaddressedinSection7.5ofthisdocument.
Remediation:
ItisimportanttoconsiderreviewingthemembersoftheSECADM authoritywhenimplementingthisrecommendation.SuchconsiderationofthisreviewisaddressedinSection7.5ofthisdocument.
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0021054.html?lang=en
82|P a g e
4.3ReviewUsers,Groups,andRoles(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
Withrowandcolumnaccesscontrol,individualsarepermittedaccesstoonlythesubsetofdatathatisrequiredtoperformtheirjobtasks.Periodicreviewoftheseindividualsiscrucialwhentryingtokeepdatasecure.Asbusinessneedsmoveforward,requirementsbehindaccessingthedatamaychange,leadingtoarevisioninsecuritypolicy.Byinspectingthelistofusers,groups,androles,youareidentifyingexcessiveprivilegesthatcouldposepossiblesecuritythreatswithinyourinfrastructure.
Rationale:
Ifauser(eitherbyhimselforpartofagrouporrole)isnolongerrequiredaccesstothedatathatisprotectedbyrowandcolumnaccesscontrols,allowingthatindividualtomaintainaccessallowsthatindividualtocompromisetheconfidentiality,integrity,and/oravailabilityofthedataintheDB2instance.
Audit:
1.Reviewtheuserswithinyourdatabaseenvironment:
Linux:
cat /etc/passwd
Windows:
1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Users'4. Reviewusers
83|P a g e
2.Reviewthegroupswithinyourdatabaseenvironment:
Linux:
cat /etc/group
Windows:
1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Reviewgroups
3.Reviewtherolesandrolememberswithinyourdatabaseenvironment:
a.AttachtoDB2Instance:
db2 => attach to $DB2INSTANCE
b.ConnecttoDB2database:
db2 => connect to $DBNAME
c.Runthecommand:
db2 => select rolename, grantee from syscat.roleauth where grantortype <> 'S'
Remediation:
1.Toremoveusersfromyourdatabaseenvironment:
Linux:
userdel -r <user name>
Windows:
1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Users'4. Right-clickon<username>5. Select'Delete'
84|P a g e
2.Toremovegroupsfromyourdatabaseenvironment:
Linux:
groupdel <group name>
Windows:
1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Right-clickon<groupname>5. Select'Delete'
3.Toremoverolesorrolemembersfromyourdatabaseenvironment
a.AttachtoDB2Instance:
db2 => attach to $DB2INSTANCE
b.ConnecttoDB2database:
db2 => connect to $DBNAME
c.Toremoverolemembersfromroles:
db2 => revoke role <role name> from <user/group/role member>
d.Toremoveroles:
db2 => drop role <role name>
85|P a g e
4.4ReviewRowPermissionlogicaccordingtopolicy(NotScored)
ProfileApplicability:
•Level2-RDBMS
Description:
Thelogicbehindinstitutingrowpermissionsiscrucialforasuccessfulsecuritypolicy.Inspectingthislogicandcomparingittothesecuritypolicywillassurethatallaspectsofthedataaccesscontrolsarebeingadheredto.
Rationale:
MissingorincompleteDB2RCACSecurityPolicieswillincreasetheriskstotheorganization'sprotecteddataandwillpreventeffortstomonitor,alert,andrespondtotheserisksinthefuture.
Audit:
1.AttachtotheDB2Instance:
db2 => attach to $DB2INSTANCE
2.Connecttodatabaseenvironment:
db2 => connect to $DBNAME
3.Runthefollowingandreviewtheresultstoconfirmthattherowpermissionsarecorrectandthattheycomplywiththeexistingsecuritypolicy:
db2 => select role.rolename, control.ruletext from syscat.roles role inner join syscat.controls control on locate(role.rolename,control.ruletext) <> 0 where enable = 'Y' and enforced = 'A' and valid = 'Y' and controltype = 'R'
Remediation:
1.CreateRCACPoliciesforeach'gap'listedfromtheAuditprocedure.
2.ReviewthenewlycreatedDB2RCACpolicyagainsttheorganization'spolicy
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0057423.html?lang=en
86|P a g e
4.5ReviewColumnMasklogicaccordingtopolicy(NotScored)
ProfileApplicability:
•Level2-RDBMS
Description:
Thelogicbehindinstitutingcolumnmasksiscrucialforasuccessfulsecuritypolicy.Inspectingthislogicandcomparingittothesecuritypolicywillassurethatallaspectsofthedataaccesscontrolsarebeingadheredto.
Rationale:
MissingorincompleteDB2RCACsecuritypolicieswillincreasetheriskstotheorganization'sprotecteddataandwillpreventeffortstomonitor,alert,andrespondtotheserisksinthefuture.
Audit:
1.AttachtotheDB2Instance:
db2 => attach to $DB2INSTANCE
2.Connecttodatabaseenvironment:
db2 => connect to $DBNAME
3.Runthefollowingandreviewtheresultstoverifythatthepermissionsarecorrectandthattheycomplywiththeorganization'sexistingsecuritypolicy:
db2 => select role.rolename, control.colname, control.ruletext from syscat.roles role inner join syscat.controls control on locate(role.rolename,control.ruletext) <> 0 where enable = 'Y' and enforced = 'A' and valid = 'Y' and controltype = 'C'
Remediation:
1.CreateRCACPoliciesforeach'gap'listedfromtheAuditprocedure.
2.ReviewthenewlycreatedDB2RCACpolicyagainsttheorganization'swrittenpolicy.
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0057423.html?lang=en
87|P a g e
5DatabaseMaintenance
Thissectionprovidesguidanceonprotectingandmaintainingthedatabaseinstance.
5.1EnableBackupRedundancy(NotScored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Backupredundancyensuresthatmultipleinstancesofdatabasebackupsexist.
Rationale:
MaintainingredundantcopiesofdatabasebackupswillincreasebusinesscontinuitycapabilitiesshouldaDB2servicefailurecoincidewithacorruptbackup.
Audit:
Reviewthereplicationofyourbackupsbasedonorganizationpolicy.
Remediation:
Defineandimplementaprocesstoreplicateyourbackupsontomultiplelocations.
88|P a g e
5.2ProtectingBackups(NotScored)
ProfileApplicability:
•Level1-RDBMS
Description:
Backupsofyourdatabaseshouldbestoredsecurelyinalocationwithfullaccessforadministrators,readandexecuteaccessforgroup,andnoaccessforusers.
Rationale:
Backupsmaycontainsensitivedatathatattackerscanusetoretrievevaluableinformationabouttheorganization.
Audit:
Reviewtheprivilegesappliedtoyourbackups.
Remediation:
Defineasecuritypolicyforallbackupsthatspecifiestheprivilegestheyshouldbeassigned.
89|P a g e
5.3EnableAutomaticDatabaseMaintenance(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
EnableautomaticdatabasemaintenanceonyourDB2instance.ItisrecommendedthattheDB2AutomaticMaintenancetoolbeusedtoensurethattheinstanceisperformingoptimally.
Rationale:
Awell-maintainedDB2instancewillprovideaccesstothedataandreducedatabaseoutages.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database:
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database configuration
3. Locatethisvalueintheoutput:
db2 => get database configuration db2 => … Automatic maintenance (AUTO_MAINT) = ON
Note:AUTO_MAINT issettoON intheaboveoutput.
90|P a g e
Remediation:
1. ConnecttotheDB2database:
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database configuration using auto_maint on
91|P a g e
6SecuringDatabaseObjects
Note:SYSCAT viewshaveunderlyingSYSIBM tablesthatarealsograntedaccessbythePUBLIC groupbydefault.Ensurethatpermissionsappliedtothesetablesrevokeaccessfromunnecessaryusers.IfthedatabasewascreatedusingtheRESTRICTIVE option,thengrantstoPUBLIC arevoided.
6.1RestrictAccesstoSYSCAT.AUDITPOLICIES(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.AUDITPOLICIES viewcontainsallauditpoliciesforadatabase.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
Thisviewcontainssensitiveinformationabouttheauditingsecurityforthisdatabase.Accesstotheauditpoliciesmayaidattackersinavoidingdetection.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUDITPOLICIES' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
92|P a g e
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.AUDITPOLICIES FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050610.html?cp=SSEPGG_10.5.0%2F2-12-8-2&lang=en
93|P a g e
6.2RestrictAccesstoSYSCAT.AUDITUSE(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.AUDITUSE viewcontainsdatabaseauditpolicyforallnon-databaseobjects,suchasauthority,groups,roles,andusers.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
Thisviewcontainssensitiveinformationaboutthetypesofobjectsbeingaudited.Accesstotheauditpolicymayaidattackersinavoidingdetection.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUDITUSE' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
RevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.AUDITUSE FROM PUBLIC
94|P a g e
6.3RestrictAccesstoSYSCAT.DBAUTH(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.DBAUTH viewcontainsinformationonauthoritiesgrantedtousersorgroupsofusers.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
Thisviewcontainsallthegrantsinthedatabaseandmaybeusedasanattackvector.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'DBAUTH' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.DBAUTH FROM PUBLIC
95|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001041.html?cp=SSEPGG_10.5.0%2F2-12-8-30&lang=en
96|P a g e
6.4RestrictAccesstoSYSCAT.COLAUTH(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.COLAUTHviewcontainsthecolumnprivilegesgrantedtotheuser,group,orroleinthedatabase.
Rationale:
TheSYSCAT.COLAUTHviewcontainsthecolumnprivilegesgrantedtotheuseroragroupofusers.ItisrecommendedthatthePUBLICroleberestrictedfromaccessingthisview.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'COLAUTH' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.COLAUTH FROM PUBLIC
97|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.dbobj.doc/doc/t0005379.html?lang=en
98|P a g e
6.5RestrictAccesstoSYSCAT.EVENTS(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
TheSYSCAT.EVENTS viewcontainsalltypesofeventsthatthedatabaseiscurrentlymonitoring.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
Thetypesofeventsthatthedatabaseismonitoringshouldnotbemadereadilyavailabletothepublic.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'EVENTS' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.EVENTS FROM PUBLIC
99|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001043.html?cp=SSEPGG_10.5.0%2F2-12-8-34&lang=en
100|P a g e
6.6RestrictAccesstoSYSCAT.EVENTTABLES(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
TheSYSCAT.EVENTTABLES viewcontainsthenameofthedestinationtablethatwillreceivethemonitoringevents.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLICshouldnothaveaccesstoseethetargetnameoftheeventmonitoringtable.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'EVENTTABLES' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.EVENTTABLES FROM PUBLIC
101|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0007483.html?cp=SSEPGG_10.5.0%2F2-12-8-35&lang=en
102|P a g e
6.7RestrictAccesstoSYSCAT.ROUTINES(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.ROUTINES viewcontainsalluser-definedroutines,functions,andstoredproceduresinthedatabase.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
User-definedfunctionsandroutinesshouldnotbeexposedtothepublicforexploits.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROUTINES' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.ROUTINES FROM PUBLIC
103|P a g e
6.8RestrictAccesstoSYSCAT.INDEXAUTH(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
TheSYSCAT.INDEXAUTH viewcontainsalistofusersorgroupsthathaveCONTROL accessonanindex.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
Thelistofalluserswithaccesstoanindexshouldnotbeexposedtothepublic.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'INDEXAUTH' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
RevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.INDEXAUTH FROM PUBLIC
104|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001046.html?cp=SSEPGG_10.5.0%2F2-12-8-44&lang=en
105|P a g e
6.9RestrictAccesstoSYSCAT.PACKAGEAUTH(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.PACKAGEAUTH viewcontainsalistofusersorgroupsthathasEXECUTE privilegeonapackage.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
Thelistofalluserswithaccesstoapackageshouldnotbeexposedtothepublic.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PACKAGEAUTH' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.PACKAGEAUTH FROM PUBLIC
106|P a g e
6.10RestrictAccesstoSYSCAT.PACKAGES(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.PACKAGES viewcontainsthenamesofallpackagescreatedinthedatabaseinstance.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
Thenamesofpackagescreatedinthedatabasecanbeusedasanentrypointifavulnerablepackageexists.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PACKAGES' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.PACKAGES FROM PUBLIC
107|P a g e
6.11RestrictAccesstoSYSCAT.PASSTHRUAUTH(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.PASSTHRUAUTH viewcontainsthenamesofuserorgroupthathavepass-throughauthorizationtoquerythedatasource.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
Theabilitytoseewhichaccountshavethepass-throughprivilegecouldallowanattackertoexploittheseaccountstoaccessanotherdatasource.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PASSTHRUAUTH' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
108|P a g e
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.PASSTHRUAUTH FROM PUBLIC
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0002184.html?cp=SSEPGG_10.5.0%2F2-12-8-70&lang=en
109|P a g e
6.12RestrictAccesstoSYSCAT.SECURITYPOLICIES(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.SECURITYPOLICIES viewcontainsalldatabasesecuritypolicies.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLIC shouldnotbeabletoviewallthedatabasesecuritypolicies.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICIES' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT SYSCAT.SECURITYPOLICIES FROM PUBLIC
110|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0020048.html?cp=SSEPGG_10.5.0%2F2-12-8-91&lang=en
111|P a g e
6.13RestrictAccesstoSYSCAT.SECURITYPOLICYEXEMPTIONS(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.SECURITYPOLICYEXEMPTIONS containstheexemptiontoasecuritypolicythatwasgrantedtoadatabaseaccount.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
Publicshouldnotbeabletoviewalltheexemptionstothedatabasesecuritypolicies.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICYEXEMPTIONS' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.SECURITYPOLICYEXEMPTIONS FROM PUBLIC
112|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0020042.html?cp=SSEPGG_10.5.0%2F2-12-8-93&lang=en
113|P a g e
6.14RestrictAccesstoSYSCAT.SURROGATEAUTHIDS(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.SURROGATEAUTHIDS containsthenamesofallaccountsthathavebeengrantedSETSESSIONUSER privilegeonauserortoPUBLIC.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PublicshouldnotbeabletoviewthenamesofallthesurrogateaccountswithSETSESSIONUSER privilege.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SURROGATEAUTHIDS' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.SURROGATEAUTHIDS FROM PUBLIC
114|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0020044.html?cp=SSEPGG_10.5.0%2F2-12-8-102&lang=en
115|P a g e
6.15RestrictAccesstoSYSCAT.ROLEAUTH(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.ROLEAUTH viewcontainsinformationonallrolesandtheirrespectivegrantees.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLICshouldnothaveaccesstoseethegrantsoftherolesbecausethiscouldbeusedasapointofexploit.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROLEAUTH' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.ROLEAUTH FROM PUBLIC
116|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050619.html?cp=SSEPGG_10.5.0%2F2-12-8-74&lang=en
117|P a g e
6.16RestrictAccesstoSYSCAT.ROLES(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.ROLES viewcontainsallrolesavailableinthedatabase.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLICshouldnothaveaccesstoseealltherolesbecausethiscouldbeusedasapointofexploit.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROLES' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.ROLES FROM PUBLIC
118|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050612.html?cp=SSEPGG_10.5.0%2F2-12-8-75&lang=en
119|P a g e
6.17RestrictAccesstoSYSCAT.ROUTINEAUTH(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.ROUTINEAUTH viewcontainsalistofallusersthathaveEXECUTE privilegeonaroutine(function,method,orprocedure).ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLICshouldnothaveaccesstoseealltheusersbecausethiscouldbeusedasapointofexploit.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROUTINEAUTH' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.ROUTINEAUTH FROM PUBLIC
120|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0007491.html?cp=SSEPGG_10.5.0%2F2-12-8-76&lang=en
121|P a g e
6.18RestrictAccesstoSYSCAT.SCHEMAAUTH(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.SCHEMAAUTH viewcontainsalistofallusersthathaveoneormoreprivilegesoraccesstoaparticularschema.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLICshouldnothaveaccesstoseealltheusersbecausethiscouldbeusedasapointofexploit.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SCHEMAAUTH' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.SCHEMAAUTH FROM PUBLIC
122|P a g e
6.19RestrictAccesstoSYSCAT.SCHEMATA(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.SCHEMATA viewcontainsallschemanamesinthedatabase.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLICshouldnothaveaccesstoseealltheschemanamesinthedatabasebecausethiscouldbeusedasapointofexploit.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SCHEMATA' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.SCHEMATA FROM PUBLIC
123|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001059.html?cp=SSEPGG_10.5.0%2F2-12-8-85&lang=en
124|P a g e
6.20RestrictAccesstoSYSCAT.SEQUENCEAUTH(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.SEQUENCEAUTH viewcontainsusers,groups,orrolesgrantedprivilege(s)onasequence.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLICshouldnothaveaccesstoseeallthegrantedaccessofasequenceinthedatabasebecausethiscouldbeusedasapointofexploit.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SEQUENCEAUTH' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.SEQUENCEAUTH FROM PUBLIC
125|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0008181.html?cp=SSEPGG_10.5.0%2F2-12-8-94&lang=en
126|P a g e
6.21RestrictAccesstoSYSCAT.STATEMENTS(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.STATEMENTS viewcontainsallSQLstatementsofacompiledpackage.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLICshouldnothaveaccesstotheSQLstatementsofadatabasepackage.Thiscouldleadtoanexploit.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'STATEMENTS' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.STATEMENTS FROM PUBLIC
127|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001060.html?cp=SSEPGG_10.5.0%2F2-12-8-99&lang=en
128|P a g e
6.22RestrictAccesstoSYSCAT.TABAUTH(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.TABAUTH viewcontainsusersorgroupsthathavebeengrantedoneormoreprivilegesonatableorview.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLICshouldnothaveaccesstothegrantsofviewsandtablesinadatabase.Thiscouldleadtoanexploit.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1.ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'TABAUTH' and grantee = 'PUBLIC'
3.Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.TABAUTH FROM PUBLIC
129|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001061.html?cp=SSEPGG_10.5.0%2F2-12-8-103&lang=en
130|P a g e
6.23RestrictAccesstoSYSCAT.TBSPACEAUTH(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSYSCAT.TBSPACEAUTH containsusersorgroupsthathavebeengrantedtheUSEprivilegeonaparticulartablespaceinthedatabase.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.
Rationale:
PUBLICshouldnothaveaccesstothegrantsofthetablespacesinadatabase.Thiscouldleadtoanexploit.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'TBSPACEAUTH' and grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SELECT ON SYSCAT.TBSPACEAUTH FROM PUBLIC
131|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0002201.html?cp=SSEPGG_10.5.0%2F2-12-8-110&lang=en
132|P a g e
6.24RestrictAccesstoTablespaces(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Atablespaceiswherethedataisphysicallystored.Itisrecommendedthattablespaceusageberestrictedtoauthorizedusers.
Rationale:
GranttheUSE oftablespaceprivilegetoonlyauthorizedusers.RestricttheprivilegefromPUBLIC,whereapplicable,asamalicioususercancauseadenialofserviceatthetablespacelevelbyoverloadingitwithcorrupteddata.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select grantee, tbspace from sysibm.systbspaceauth where grantee = 'PUBLIC'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE USE OF TABLESPACE [$tablespace_name] FROM PUBLIC
133|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0001064.html?cp=SSEPGG_10.5.0%2F2-12-8-108&lang=en
134|P a g e
6.25RestrictAccesstoSYSCAT.MODULEAUTH(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
TheSYSCAT.MODULEAUTHviewcontainsallgrantedprivilegesonamoduleforusers,groups,orrolesandisreadonly.
Rationale:
AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforSYSCATviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSCAT.MODULEAUTHviewfromPUBLICtoreducerisktotheorganization'sdata.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'MODULEAUTH'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => revoke select on syscat.moduleauth from public
135|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0054748.html?lang=en
136|P a g e
6.26RestrictAccesstoSYSCAT.VARIABLEAUTH(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
TheSYSCAT.VARIABLEAUTHviewcontainsthegrantedprivilegesonaglobalvariableforusers,groups,orrolesandisreadonly.
Rationale:
AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforSYSCATviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSCAT.VARIABLEAUTHviewfromPUBLICtoreducerisktotheorganization'sdata.
Audit:
DetermineifSYSCAT.VARIABLEAUTHprivilegesforusers,groups,androlesarecorrectlyset.
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'VARIABLEAUTH'
3. Reviewprivilegesforusers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
137|P a g e
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => revoke select on syscat.variableauth from public
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050504.html?lang=en
138|P a g e
6.27RestrictAccesstoSYSCAT.WORKLOADAUTH(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
TheSYSCAT.WORKLOADAUTHcatalogrepresentstheusers,groups,orrolesthathavebeengrantedtheUSAGEprivilegeonaworkload.
Rationale:
AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforSYSCATviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSCAT.WORKLOADAUTHfromPUBLICtoreducerisktotheorganization'sdata.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'WORKLOADAUTH'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => db2 => revoke select on syscat.workloadauth from public
139|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050558.html?cp=SSEPGG_10.5.0%2F2-12-8-127&lang=en
140|P a g e
6.28RestrictAccesstoSYSCAT.XSROBJECTAUTH(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
TheSYSCAT.XSROBJECTAUTHviewcontainsgrantedUSAGEprivilegesonaparticularXSRobjectforusers,groups,orrolesandisreadonly.
Rationale:
AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforSYSCATviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSCAT.XSROBJECTAUTHviewfromPUBLICtoreducerisktotheorganization'sdata.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'XSROBJECTAUTH'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => revoke select on syscat.xsrmoduleauth from public
141|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0021693.html?cp=SSEPGG_10.5.0%2F2-12-8-135&lang=en
142|P a g e
6.29RestrictAccesstoSYSCAT.AUTHORIZATIONIDS(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
SYSCAT.AUTHORIZATIONIDSisanadministrativeviewforthecurrentlyconnectedserver.
Rationale:
DatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforSYSCATviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSCAT.AUTHORIZATIONIDSviewfromPUBLICtoreducerisktotheorganization'sdata.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUTHORIZATIONIDS'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => revoke select on syscat.AUTHORIZATIONIDS from public
143|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.rtn.doc/doc/r0021977.html?lang=en
144|P a g e
6.30RestrictAccesstoSYSIBMADM.OBJECTOWNERS(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheSYSIBMADM.OBJECTOWNERSadministrativeviewshowsthecompleteobjectownershipinformationforeachauthorizationIDforUSERowningasystemcatalogdefinedobjectfromtheconnecteddatabase.
Rationale:
AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSIBMADM.OBJECTOWNERSviewfromPUBLICtoreducerisktotheorganization'sdata.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSIBMADM' and ttname = 'OBJECTOWNERS'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
145|P a g e
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => revoke select on SYSIBMADM.OBJECTOWNERS from public
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.rtn.doc/doc/r0021979.html?cp=SSEPGG_10.5.0%2F3-6-1-3-12-6&lang=en
146|P a g e
6.31RestrictAccesstoSYSIBMADM.PRIVILEGES(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheSYSIBMADM.PRIVILEGESadministrativeviewdisplaysallexplicitprivilegesforallauthorizationIDsinthecurrentlyconnecteddatabases'systemcatalogs.PRIVILEGESschemaisSYSIBMADM.
Rationale:
AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforcatalogviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeonSYSIBMADM.PRIVILEGESfromPUBLICtoreducerisktotheorganization'sdata.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSIBMADM' and ttname = 'PRIVILEGES'
3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.
147|P a g e
Remediation:
PerformthefollowingtorevokeaccessfromPUBLIC.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => revoke select on SYSIBMADM.PRIVILEGES from public
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.rtn.doc/doc/r0021978.html?cp=SSEPGG_10.5.0%2F3-6-1-3-12-7&lang=en
148|P a g e
7DB2Authorities
ThissectionprovidesguidanceonsecuringtheauthoritiesthatexistintheDB2instanceanddatabase.
7.1SecureSYSADMauthority(Scored)
ProfileApplicability:
•Level2-RDBMS
•Level2-WindowsHostOS
•Level2-LinuxHostOS
Description:
Thesysadm_group parameterdefinesthesystemadministratorgroup(SYSADM)authority.Itisrecommendedthatthesysadm_group groupcontainsauthorizedusersonly.
Rationale:
Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdataintheDB2instancewillbeatincreasedrisk.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3.Locatethesysadm_group valueintheoutputandensurethevalueisnotNULL:
db2 => get database manager configuration db2 => … SYSADM group name (SYSADM_GROUP) = DB2ADM
Note:sysadm_group issettoDB2ADMintheaboveoutput.
149|P a g e
4.Reviewthemembersofthesysadm_group ontheoperatingsystem.
Linux:
cat /etc/group | grep <sysadm group name>
Windows:
1. 1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Doubleclick5. Reviewgroupmembers
Remediation:
DefineavalidgroupnamefortheSYSADMgroup.
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using sysadm_group <sys adm group name>
DefaultValue:
Thedefaultvalueforsysadm_group isNULL.
150|P a g e
7.2SecureSYSCTRLauthority(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
Thesysctrl_group parameterdefinesthesystemadministratorgroupwithsystemcontrol(SYSCTRL)authority.Itisrecommendedthatthesysctrl_group groupcontainsauthorizedusersonly.
Rationale:
Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdataintheDB2instancewillbeatincreasedrisk.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3.Locatethesysctrl_group valueintheoutputandensurethevalueisnotNULL:
db2 => get database manager configuration db2 => … SYSCTRL group name (SYSCTRL_GROUP) = DB2CTRL
Note:sysctrl_group issettoDB2CTRLintheaboveoutput.
4.Reviewthemembersofthesysctrl_group ontheoperatingsystem.
Linux:
cat /etc/group | grep <sysctrl group name>
Windows:
1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Doubleclick<sysctrlgroupname>5. Reviewgroupmembers
151|P a g e
Remediation:
DefineavalidgroupnamefortheSYSCTRLgroup.
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using sysctrl_group <sys control group name>
DefaultValue:
Thedefaultvalueforsysctrl_group isNULL.
152|P a g e
7.3SecureSYSMAINTAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
Thesysmaint_groupparameterdefinesthesystemadministratorgroupthatpossessesthesystemmaintenance(SYSMAINT)authority.Itisrecommendedthatthesysmaint_group groupcontainsauthorizedusersonly.
Rationale:
Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdataintheDB2instancewillbeatincreasedrisk.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3.Locatethesysmaint_group valueintheoutputandensurethevalueisnotNULL:
db2 => get database manager configuration db2 => … SYSMAINT group name (SYSMAINT_GROUP) = DB2MAINT
Note:sysmaint_group issettoDB2MAINTintheaboveoutput.
4.Reviewthemembersofthesysmaint_group ontheoperatingsystem.
Linux:
cat /etc/group | grep <sysmaint group name>
153|P a g e
Windows:
1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Doubleclick<sysmaintgroupname>5. Reviewgroupmembers
Remediation:
DefineavalidgroupnamefortheSYSMAINTgroup.
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using sysmaint_group <sys maintenance group name>
DefaultValue:
Thedefaultvalueforsysmaint_group isNULL.
154|P a g e
7.4SecureSYSMONAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
Thesysmon_group parameterdefinestheoperatingsystemgroupswithsystemmonitor(SYSMON)authority.Itisrecommendedthatthesysmon_group groupcontainauthorizedusersonly.
Rationale:
Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdataintheDB2instancewillbeatincreasedrisk.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => get database manager configuration
3.Locatethesysmon_group valueintheoutputandensurethevalueisnotNULL:
db2 => get database manager configuration db2 => … SYSMON group name (SYSMON_GROUP) = DB2MON
Note:sysmon_group issettoDB2MONintheaboveoutput.
4.Reviewthemembersofthesysmon_group ontheoperatingsystem.
Linux:
cat /etc/group | grep <sysmon group name>
Windows:
1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Doubleclick5. Reviewgroupmembers
155|P a g e
Remediation:
DefineavalidgroupnamefortheSYSMONgroup.
1.AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2.RunthefollowingcommandfromtheDB2commandwindow:
db2 => update database manager configuration using sysmon_group <sys monitor group name>
DefaultValue:
Thedefaultvalueforsysmon_groupisNULL.
156|P a g e
7.5SecureSECADMAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheSECADM (securityadministrator)rolegrantstheauthoritytocreate,alter(whereapplicable),anddroproles,trustedcontexts,auditpolicies,securitylabelcomponents,securitypoliciesandsecuritylabels.Itisalsotheauthorityrequiredtograntandrevokeroles,securitylabelsandexemptions,andtheSETSESSIONUSERprivilege.SECADM authorityhasnoinherentprivilegetoaccessdatastoredintables.ItisrecommendedthattheSECADM rolebegrantedtoauthorizedusersonly.
Rationale:
Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdataintheDB2instancewillbeatincreasedrisk.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select distinct grantee, granteetype from syscat.dbauth where securityadmauth = 'Y'
3. Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
157|P a g e
Remediation:
Revokethispermissionfromanyunauthorizedusers.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE SECADM ON DATABASE FROM USER <username>
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0021054.html?lang=en
158|P a g e
7.6SecureDBADMAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheDBADM (databaseadministration)rolegrantstheauthoritytoausertoperformadministrativetasksonaspecificdatabase.ItisrecommendedthattheDBADM rolebegrantedtoauthorizedusersonly.
Rationale:
Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdatainthedatabasewillbeatincreasedrisk.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select distinct grantee, granteetype from syscat.dbauth where dbadmauth = 'Y'
3. Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
Remediation:
Revokethispermissionfromanyunauthorizedusers.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE DBADM ON DATABASE FROM USER <username>
159|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005521.html?lang=en
160|P a g e
7.7SecureSQLADMAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheSQLADMauthorityisrequiredtomonitor,tune,andalterSQLstatements.
Rationale:
TheSQLADMauthoritycanCREATE,SET,FLUSH,DROPEVENTMONITORSandperformRUNSTATSandREORGINDEXESandTABLES.SQLADMcanbegrantedtousers,groups,orrolesorPUBLIC.SQLADMauthorityisasubsetoftheDBADMauthorityandcanbegrantedbytheSECADMauthority.
Audit:
1.RunthefollowingcommandfromtheDB2commandwindow:
select distinct grantee, granteetype from syscat.dbauth where sqladmauth = 'Y'
2.Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
Remediation:
1.RevokeSQLADMauthorityfromanyunauthorizedusers.
REVOKE SQLADM ON DATABASE FROM USER <username>
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053931.html?lang=en
161|P a g e
7.8SecureDATAACCESSAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Grantstheauthoritytoaccessdata.TheDATAACCESSauthorityallowsthegranteetoleverageDMLlevelcommandsi.e.SELECT,INSERT,UPDATE,DELETE,LOAD,andEXECUTEanypackageorroutine.
TheDATAACCESSauthoritycannotbegrantedtoPUBLIC.
Rationale:
TheDATAACCESSauthoritygivesthegranteereadaccessandalsocontrolovermanipulatingthedata.DATAACCESScanbegrantedtousers,groups,orroles,butnotPUBLIC.DATAACCESSauthorityisasubsetoftheDBADMauthorityandcanbegrantedbytheSECADMauthority.
Audit:
1.RunthefollowingcommandfromtheDB2commandwindow:
select distinct grantee, granteetype from syscat.dbauth where dataaccessauth = 'Y'
2.Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
Remediation:
1.RevokeDATAACCESSauthorityfromanyunauthorizedusers.
REVOKE DATAACCESS ON DATABASE FROM USER <username>
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005524.html?lang=en
162|P a g e
7.9SecureACCESSCTRLAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
ACCESSCTRLauthorityistheauthorityrequiredtograntandrevokeprivilegesonobjectswithinaspecificdatabase.SomeoftheseprivilegesincludeBINDADD,CONNECT,CREATETAB,CREATE_EXTERNAL_ROUTINE,LOAD,andQUIESCE_CONNECT.Ithasnoinherentprivilegetoaccessdatastoredintables,exceptthecatalogtablesandviews.
TheACCESSCTRLauthoritycannotbegrantedtoPUBLIC.
Rationale:
TheACCESSCTRLauthoritygivesthegranteeaccesscontroltoaspecifieddatabase.Withthisauthority,thegranteecangrant/revokeprivilegestootherusers.ACCESSCTRLcanbegrantedtousers,groups,orroles,butnotPUBLIC.ACCESSCTRLauthoritycanonlybegrantedbytheSECADMauthority.
Audit:
1.RunthefollowingcommandfromtheDB2commandwindow:
select distinct grantee, granteetype from syscat.dbauth where accessctrlauth = 'Y'
2.Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
Remediation:
1.RevokeACCESSCTRLauthorityfromanyunauthorizedusers.
REVOKE ACCESSCTRL ON DATABASE FROM USER <username>
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053933.html?lang=en
163|P a g e
7.10SecureWLMADMauthority(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
TheWLMADMauthoritymanagesworkloadobjectsforadatabase.HoldersofDBADMauthorityimplicitlyalsoholdWLMADMauthority.
Rationale:
TheWLMADMauthorityenablescreating,altering,dropping,commenting,granting,andrevokingaccesstoworkloadobjectsforadatabase.
Audit:
1.RunthefollowingcommandfromtheDB2commandwindow:
select grantee, wlmadmauth from syscat.dbauth
2.Determineifthegrantee(s)arecorrectlyset.
Remediation:
1.RevokeanyuserwhoshouldNOThaveWLMADMauthority:
REVOKE WLMADM ON DATABASE FROM USER <username>
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053932.html?lang=en
164|P a g e
7.11SecureCREATABAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheCREATAB (createtable)rolegrantstheauthoritytoausertocreatetableswithinaspecificdatabase.ItisrecommendedthattheCREATAB rolebegrantedtoauthorizedusersonly.
Rationale:
Reviewallusersthathaveaccesstothisauthoritytoavoidtheadditionofunnecessaryand/orinappropriateusers.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select distinct grantee, granteetype from syscat.dbauth where creatabauth = 'Y'
3. Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
Remediation:
Revokethispermissionfromanyunauthorizedusers.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE CREATAB ON DATABASE FROM USER <username>
165|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0054269.html?lang=en
166|P a g e
7.12SecureBINDADDAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheBINDADD (bindapplication)rolegrantstheauthoritytoausertocreatepackagesonaspecificdatabase.ItisrecommendedthattheBINDADD rolebegrantedtoauthorizedusersonly.
Rationale:
Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdatainthedatabasewillbeatincreasedrisk.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select distinct grantee, granteetype from syscat.dbauth where bindaddauth = 'Y'
3. Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
Remediation:
Revokethispermissionfromanyunauthorizedusers.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE BINDADD ON DATABASE FROM USER <username>
167|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005524.html?lang=en
168|P a g e
7.13SecureCONNECTAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheCONNECT rolegrantstheauthoritytoausertoconnecttomainframeandmidrangedatabasesfromWindows,Unix,andLinuxoperatingsystems.ItisrecommendedthattheCONNECT rolebegrantedtoauthorizedusersonly.
Rationale:
Allusersthathaveaccesstothisauthorityshouldberegularlyreviewed.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select distinct grantee, granteetype from syscat.dbauth where connectauth = 'Y'
3. Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
Remediation:
Revokethispermissionfromanyunauthorizedusers.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE CONNECT ON DATABASE FROM USER <username>
169|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.qb.dbconn.doc/doc/r0059046.html?cp=SSEPGG_10.5.0%2F6&lang=en
170|P a g e
7.14SecureLOADAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheLOAD rolegrantstheauthoritytoausertoloaddataintotables.ItisrecommendedthattheLOAD rolebegrantedtoauthorizedusersonly.
Rationale:
Allusersthathaveaccesstothisauthorityshouldberegularlyreviewed.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select distinct grantee, granteetype from syscat.dbauth where loadauth = 'Y'
3. Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
Remediation:
Revokethispermissionfromanyunauthorizedusers.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE LOAD ON DATABASE FROM USER <username>
171|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0005522.html?lang=en
172|P a g e
7.15SecureEXTERNALROUTINEAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheEXTERNALROUTINE authoritygrantsausertheprivilegetocreateuser-definedfunctionsandproceduresinaspecificdatabase.
Rationale:
Alluserswiththisauthorityshouldberegularlyreviewedandapproved.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select distinct grantee, granteetype from syscat.dbauth where externalroutineauth = 'Y'
3. Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
Remediation:
Revokethispermissionfromanyunauthorizedusers.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE CREATE_EXTERNAL_ROUTINE ON DATABASE FROM USER <username>
173|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.apdv.routines.doc/doc/c0009198.html?lang=en
174|P a g e
7.16SecureQUIESCECONNECTAuthority(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
TheQUIESCECONNECT rolegrantstheauthoritytoausertoaccessadatabaseeveninthequiescedstate.
Rationale:
ItisrecommendedthattheQUIESCECONNECT rolebegrantedtoauthorizedusersonly.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select distinct grantee, granteetype from syscat.dbauth where quiesceconnectauth = 'Y'
3. Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.
Remediation:
Revokethispermissionfromanyunauthorizedusers.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => REVOKE QUIESCE_CONNECT ON DATABASE FROM USER <username>
175|P a g e
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.apdv.api.doc/doc/r0009331.html?lang=en
176|P a g e
8DB2Roles
Roles simplify the administration and management of privileges by offering an equivalent capability as groups but without the same restrictions. A role is a database object that groups together one or more privileges and can be assigned to users, groups, PUBLIC, or other roles by using a GRANT statement. All the roles assigned to a user are enabled when that user establishes a connection, so all privileges and authorities granted to roles are taken into account when a user connects. Roles cannot be explicitly enabled or disabled.
8.1ReviewRoles(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Rolesprovideseveraladvantagesthatmakeiteasiertomanageprivilegesinadatabasesystem.Securityadministratorscancontrolaccesstotheirdatabasesinawaythatmirrorsthestructureoftheirorganizations(theycancreaterolesinthedatabasethatmapdirectlytothejobfunctionsintheirorganizations).Theassignmentofprivilegesissimplified.Insteadofgrantingthesamesetofprivilegestoeachindividualuserinaparticularjobfunction,theadministratorcangrantthissetofprivilegestoarolerepresentingthatjobfunctionandthengrantthatroletoeachuserinthatjobfunction.
Rationale:
Reviewingtheroleswithinadatabasehelpsminimizethepossibilityofunwantedaccess.
Audit:
1.AttachtoaDB2Instance:
db2 => attach to $DB2INSTANCE
2.ConnecttoDB2database:
db2 => connect to $DBNAME
3.Runthefollowingandreviewtheresultstodetermineifeachrolenamestillhasabusinessrequirementtoaccessthedata:
db2 => select rolename from syscat.roleauth where grantortype <> 'S' group by rolename
177|P a g e
Remediation:
Toremovearolefromthedatabase:
1.AttachtoaDB2Instance:
db2 => attach to $DB2INSTANCE
2ConnecttoDB2database:
db2 => connect to $DBNAME
3.Runthefollowing:
db2 => drop role <role name>
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0050531.html
178|P a g e
8.2ReviewRoleMembers(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
Havingrolesthathavebeengrantedspecificprivileges,thenassigninguserstotheroles,isusuallyconsideredthebestwaytograntapplicationaccess.Becausegrantingprivilegestoindividualuserscanbemoredifficulttotrackandmaintainagainstunauthorizedaccess,usersshouldbeassignedtoorganization-defineddatabaserolesaccordingtotheneedsofthebusiness.Asusersleavetheorganizationorchangeresponsibilitieswithintheorganization,theappropriaterolesforthemchangeaswell,sorolemembershipneedstobereviewedandverifiedperiodically.
Rationale:
Userswhohaveexcessiveprivilegesnotneededtodotheirjobsposeanunnecessaryrisktotheorganizationasaninsiderthreat.
Audit:
1.AttachtoaDB2Instance:
db2 => attach to $DB2INSTANCE
2.ConnecttoDB2database:
db2 => connect to $DBNAME
3.Runthefollowingtoreviewandverifythattherolemembersarecorrectforeachrole:
db2 => select rolename,grantee from syscat.roleauth where grantortype <> 'S' group by rolename, grantee
179|P a g e
Remediation:
Toremovearolememberfromaparticularrole:
1.AttachtoaDB2Instance:
db2 => attach to $DB2INSTANCE
2.ConnecttoDB2database:
db2 => connect to $DBNAME
3.Runthefollowing:
db2 => revoke role <role name> from <role member>
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0050531.html
180|P a g e
8.3NestedRoles(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
Theuser-definedrolesinDB2canbenestedinthesamefashionasWindowssecuritygroups--anestedgrouphasbothitsdirectlyassignedpermissionsaswellastheassignedgrouppermissions.Bynestingroles,thedatabaseadministratorissavingtimebyonlyhavingtoassignagroupofusersversusassigningthemindividually.Nestingrolesproperlycanofteneasetheapplicationofthesecuritymodelifit'skeptfairlyshallow,andiftherolesarelogicallynamed.Ifthesearealltrue,thennestingofrolesisagoodidea.
Rationale:
Astrackingmultiplelevelsofpermissionscanresultinunauthorizedaccesstodataresources,thiscapabilityshouldberestrictedaccordingtotheneedsofthebusiness.
Audit:
1.AttachtoDB2Instance:
db2 => attach to $DB2INSTANCE
2.ConnecttoDB2database:
db2 => connect to $DBNAME
3.Runthefollowingtoidentifyanynestedroles:
db2 => select grantee, rolename from syscat.roleauth where grantee in (select rolename from syscat.roles)
NOTE:Ifvalueisblank,thiswouldbeconsideredpassing.
Remediation:
Toremoveanestedrole,performthefollowing:
1.AttachtoDB2Instance:
db2 => attach to $DB2INSTANCE
2.ConnecttoDB2database:
db2 => connect to $DBNAME
3.Runthefollowing:
db2 => revoke role <role name> from role <role>
181|P a g e
8.4ReviewRolesgrantedtoPUBLIC(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
GrantingtoPUBLICincreasestheriskofunauthorizedentryintothedatabase.BecausePUBLICisaccessiblebyanydatabaseuser,itisimportanttounderstandtheexposureithasonalldatabaseobjects.ItwouldmakesensetograntrolemembershiptoPUBLICifallusersrequiredalltheprivilegesgrantedthroughthatrole.
Rationale:
AsanyrolegrantedtoPUBLICcanpotentiallyallowthecompromiseofdatabaseavailability,confidentiality,orintegrity,theserolesshouldberestrictedaccordingtotheneedsofthebusiness.
Audit:
1.AttachtoaDB2Instance:
db2 => attach to $DB2INSTANCE
2.ConnecttoDB2database:
db2 => connect to $DBNAME
3.Runthefollowing:
db2 => select grantee, rolename from syscat.roleauth where grantee = 'PUBLIC'
NOTE:Ifthevaluereturnedisblank,thatisconsideredapassablefinding.
182|P a g e
Remediation:
Toremovearolememberfromaparticularrole:
1.AttachtoaDB2Instance:
db2 => attach to $DB2INSTANCE
2.ConnecttoDB2database:
db2 => connect to $DBNAME
3.Runthefollowing:
db2 => revoke role <role name> from PUBLIC
References:
1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0050531.html
183|P a g e
8.5ReviewRoleGranteeswithWITHADMINOPTION(Scored)
ProfileApplicability:
•Level2-RDBMS
Description:
UsingtheWITHADMINOPTIONclauseoftheGRANT(Role)SQLstatement,thesecurityadministratorcandelegatethemanagementandcontrolofmembershipinaroletosomeoneelse.
Rationale:
TheWITHADMINOPTIONclausegivesanotherusertheauthoritytograntmembershipintheroletootherusers,torevokemembershipintherolefromothermembersoftherole,andtocommentonarole,butnottodroptherole.
Audit:
1.AttachtoDB2Instance:
db2 => attach to $DB2INSTANCE
2.ConnecttoDB2database:
db2 => connect to $DBNAME
3.Performthefollowingquery:
db2 => select rolename, grantee, admin from syscat.roleauth where grantortype <> 'S' and admin = 'Y'
NOTE:Ifthevaluereturnedisblank,thatisconsideredapassablefinding.
Remediation:
1.AttachtoDB2Instance:
db2 => attach to $DB2INSTANCE
2.ConnecttoDB2database:
db2 => connect to $DBNAME
3.Performthefollowingquery:
db2=> revoke admin option for role <role name> from user <user name>
184|P a g e
9GeneralPolicyandProcedures
[Thisspaceintentionallyleftblank]
9.1StartandStopDB2Instance(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
TheDB2instancemanagesthedatabaseenvironmentandsetstheconfigurationparameters.ItisrecommendedthatonlyadministratorsareallowedtostartandstoptheDB2instance.
Rationale:
OnlyprivilegedusersshouldhaveaccesstostartandstoptheDB2instance.ThiswillensurethattheDB2instanceiscontrolledbyauthorizedadministrators.
Audit:
OnWindows:
1. GotoStart,thentotheRunoption.2. Typeinservices.msc inthecommandprompt.3. LocatetheDB2serviceandidentifytheusers/groupsthatcanstartandstopthe
service.
OnLinux:
1. IdentifythenameofthelocalDB2admingroup.2. Identifythemembersofthatgroup.3. IdentifythemembersthathaveaccesstostopandstarttheDB2instance.
185|P a g e
Remediation:
Revokeaccessfromanyunnecessaryusers.
1. Connecttothehost2. ReviewusersandgroupsthathaveaccesstostartandstoptheDB2instance.3. Removestartandstopprivilegesfromallusersandgroupsthatshouldnothave
them.
186|P a g e
9.2RemoveUnusedSchemas(NotScored)
ProfileApplicability:
•Level1-RDBMS
Description:
Aschemaisalogicalgroupingofdatabaseobjects.Itisrecommendedthatunusedschemasberemovedfromthedatabase.
Rationale:
Unusedschemascanbeleftunmonitoredandmaybesubjectedtoabuseandthereforeshouldberemoved.
Audit:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select schemaname from syscat.schemata
3. Reviewthelistofschemas
Remediation:
Remoteunnecessaryschemas.
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => drop scheme <scheme name> restrict
3. Reviewunusedschemasandremoveifnecessary
187|P a g e
9.3ReviewSystemTablespaces(Scored)
ProfileApplicability:
•Level1-RDBMS
Description:
Systemtablespacesstoreallsystemobjectdatawithinthatdatabase.Itisrecommendedthatsystemtablespacesareusedtostoredsystemdataonlyandnotuserdata.
Rationale:
Usersshouldnothaveprivilegestocreateuserdataobjectswithinthesystemtablespaces.Userdataobjectscreatedwithinthesystemtablespacesshouldberemoved.
Audit:
1. ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => select tabschema,tabname,tbspace from syscat.tables where tabschema not in ('ADMINISTRATOR','SYSIBM','SYSTOOLS') and tbspace in ('SYSCATSPACE','SYSTOOLSPACE','SYSTOOLSTMPSPACE','TEMPSPACE')
3. Reviewthelistofsystemtablespaces.IftheoutputisBLANK,thatisconsideredasuccessfulfinding.
Remediation:
1.ConnecttotheDB2database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2.Reviewthesystemtablespacestoidentifyanyuserdataobjectswithinthem.
3.Drop,migrate,orotherwiseremovealluserdataobjects(tables,schemas,etc.)fromwithinthesystemtablespaces.
4.Revokewriteaccessforthesystemtablespacesfromallusers.
188|P a g e
9.4RemoveDefaultDatabases(Scored)
ProfileApplicability:
•Level1-RDBMS
•Level2-RDBMS
Description:
ADB2instancemaycomeinstalledwithdefaultdatabases.ItisrecommendedthattheSAMPLE databaseberemoved.
Rationale:
Removingunused,well-knowndatabaseswillreducetheattacksurfaceofthesystem.
Audit:
PerformthefollowingDB2commandstoobtainthelistofdatabases:
1. AttachtotheDB2instance.
db2 => attach to $DB2INSTANCE
2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => list database directory
3. Locatethisvalueintheoutput:
db2 => Database 3 entry: Database alias = SAMPLE Database name = SAMPLE Local database directory = C: Database release level = c.00 Comment = Directory entry type = Indirect Catalog database partition number = 0 Alternate server hostname =
4. ReviewtheoutputaboveandidentifytheSAMPLEdatabase.IfthereisnoSAMPLEdatabase,thenitisconsideredasuccessfulfinding.
189|P a g e
Remediation:
Dropunusedsampledatabases:
1. ConnecttotheDB2instance.2. RunthefollowingcommandfromtheDB2commandwindow:
db2 => drop database sample
190|P a g e
9.5EnableSSLcommunicationwithLDAPserver(Scored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
ThecommunicationlayerbetweenaDB2instanceandtheLDAPservershouldbeencrypted.ItisrecommendedthattheENABLE_SSL parameterintheIBMLDAPSecurity.ini filebesettoTRUE.
Rationale:
EnablingSSLwillhelpensuretheconfidentialityofauthenticationcredentialsandotherinformationthatissentbetweentheDB2instanceandtheLDAPserver.
Note:ThefileislocatedunderINSTANCE_HOME/sqllib/cfg/,forLinux;and%DB2PATH%\cfg\,forWindows.
Audit:
Performthefollowingcommandstoobtaintheparametersetting:
1. ConnecttotheDB2host2. EdittheIBMLDAPSecurity.ini file3. Verifytheexistenceofthisparameter:
ENABLE_SSL = TRUE
Remediation:
Verifytheparameter:
1. ConnecttotheDB2host2. EdittheIBMLDAPSecurity.ini file3. Addormodifythefiletoincludethefollowingparameter:
ENABLE_SSL = TRUE
DefaultValue:
Thedefaultvalueistheomissionofthisparameter.
191|P a g e
9.6SecurethepermissionoftheIBMLDAPSecurity.inifile(Scored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
TheIBMLDAPSecurity.inifilecontainstheIBMLDAPsecurityplug-inconfigurations.
Rationale:
RecommendedvalueisreadandwriteaccesstoDB2administratorsonlyandread-onlytoEveryone/Other/Users/DomainUsers.Thiswillensurethattheparameterfileisprotected.Note:thefileislocatedunderINSTANCE_HOME/sqllib/cfg/,forLinux;and%DB2PATH%\cfg\,forWindows.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:ForWindows:
1. ConnecttotheDB2host2. Right-clickoverthefiledirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewaccessforallaccounts
ForLinux:
1. ConnecttotheDB2host2. Changetothefiledirectory3. Checkthepermissionsofthedirectory
OS => ls -al
192|P a g e
Remediation:
ForWindows:
1. ConnecttotheDB2host2. Right-clickoverthefiledirectory3. ChooseProperties4. SelecttheSecuritytab5. SelectalladministratoraccountsandgrantthemReadandWriteauthorityonly
(revokeallothers).6. Selectallnon-administratoraccountsandgrantthemReadauthorityonly(revoke
allothers).
ForLinux:
1. ConnecttotheDB2host2. Changetothefiledirectory3. Changethepermissionlevelofthedirectory
OS => chmod -R 664
193|P a g e
9.7SecurethepermissionoftheSSLconfig.inifile(Scored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level1-LinuxHostOS
Description:
TheSSLconfig.inifilecontainstheSSLconfigurationparametersfortheDB2instance,includingthepasswordforKeyStore.
Rationale:
RecommendedvalueisfullaccesstoDB2administratorsonly,readandwriteaccessonlytomembersoftheSYSADMgroup,andnoaccesstootherusers.Thiswillensurethattheparameterfileisprotected.
Note:thefileislocatedunderINSTANCE_HOME/sqllib/cfg/,forLinux;and%INSTHOME%\,forWindows.
Audit:
PerformthefollowingDB2commandstoobtainthevalueforthissetting:ForWindows:
1. ConnecttotheDB2host2. Right-clickoverthefiledirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewaccessforallaccounts
ForLinux:
1. ConnecttotheDB2host2. Changetothefiledirectory3. Checkthepermissionsofthedirectory
OS => ls -al
194|P a g e
Remediation:
ForWindows:
1. ConnecttotheDB2host2. Right-clickoverthefiledirectory3. ChooseProperties4. SelecttheSecuritytab5. SelectalladministratoraccountsandgrantthemtheFullControlauthority6. SelecttheSYSADMgroupandgrantitReadandWriteauthorityonly(revokeall
others)7. Selectallotheraccountsandrevokeallprivilegestothedirectory
ForUnix:
1. ConnecttotheDB2host2. Changetothefiledirectory3. Changethepermissionlevelofthedirectory
OS => chmod -R 760
195|P a g e
9.8EnsureTrustedContextsareenabled(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level2-WindowsHostOS
•Level1-LinuxHostOS
•Level2-LinuxHostOS
Description:
ATrustedContextobjectprovidesameansofenforcingencryption,assigningprivilegesbasedonroles,andensuringthattheactionsperformedonbehalfofauserareperformedinthecontextoftheuser’sIDandprivileges.
Rationale:
CreatingTrustedContextobjectstoenforceencryptionandassignroleswillprotectdataintransitandlimitaccesstoinformationonaperuser/rolebasis.Additionally,itensuresactionscanbetracedbacktotheuser.
Audit:
IssuethefollowingcommandtoverifythataTrustedContextobjectisenabled:
select contextname, enabled from syscat.contexts where enabled = 'Y'
Remediation:
IfthereisnoenabledTrustedContextobject,createaTrustedContextobjectifneededandenableit.
References:
1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0050514.html
196|P a g e
9.9Secureplug-inlibrarylocations(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level2-WindowsHostOS
•Level1-LinuxHostOS
•Level2-LinuxHostOS
Description:
Whetherdevelopingyourownsecurityplug-insormigratingestablishedplug-insintoyourenvironment,itisimportanttoensurethattheplug-indirectoriesaresecure.
Rationale:
Ifplug-indirectoriesarenotsecure,theplug-inscouldbemisused,tamperedwith,orotherwiseaccessedinwaysthatcouldjeopardizethesecurityoftheserver.
Audit:
Linux32-bit:
Reviewtheprivilegesassignedtotheplug-indirectoriestoensuretheyaresetto755.
• Forclient-sideplug-ins:$DB2PATH/security32/plugin/client• Forserver-sideplug-ins:$DB2PATH/security32/plugin/server• Forgroupplug-ins:$DB2PATH/security32/plugin/group
Linux64-bit:
Reviewtheprivilegesassignedtotheplug-indirectoriestoensuretheyaresetto755.
• Forclient-sideplug-ins:$DB2PATH/security64/plugin/client• Forserver-sideplug-ins:$DB2PATH/security64/plugin/server• Forgroupplug-ins:$DB2PATH/security64/plugin/group
197|P a g e
Windows32-bitand64-bit:
Reviewtheprivilegesassignedtotheplug-indirectoriestoensuretheyaresetto755.Note:Thesub-directories'instancename'and'client','server',and'group'arenotcreatedautomatically.Theinstanceownerhastomanuallycreatethem.
• Forclient-sideplug-ins:$DB2PATH\security\plugin\instancename\client• Forserver-sideplug-ins:$DB2PATH\security\plugin\instancename\server• Forgroupplug-ins:$DB2PATH\security\plugin\instancename\group
Remediation:
Changetheprivilegesforallplug-indirectoriessotheyaresetto755.
OnaLinuxsystem,performthefollowingforeachdirectoryneedingitsprivilegeschanged:
[db2inst1@tgt-db2-101-abc123 IBM]$ chmod 755 <directory>
198|P a g e
9.10Ensurethatsecurityplug-insupportfortwo-partuserIDsisenabled(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level2-WindowsHostOS
•Level1-LinuxHostOS
•Level2-LinuxHostOS
Description:
TheDB2databasemanageronWindowssupportstheuseoftwo-partuserIDsandthemappingoftwo-partuserIDstotwo-partauthorizationIDs.
Rationale:
Havingatwo-partauthorizationschemeincreasesthesecurityofuserIDsbymakingthemhardertocompromise.
Audit:
Issuethefollowingcommandandconfirmthattheclnt_pw_plugin,srvcon_gssplugin_list,andsrvcon_pw_pluginparametersareallsetto'DISABLED':
db2=> select name, case when ((name = 'srvcon_pw_plugin' AND value in ('IBMOSauthserverTwoPart','IBMOSauthserverTwoPart64')) AND (name = 'clnt_pw_plugin' and value in ('IBMOSauthclientTwoPart','IBMOSauthclientTwoPart64'))) OR ((name = 'srvcon_gssplugin_list' AND value in ('IBMOSkrb5TwoPart','IBMOSkrb5TwoPart64')) AND (name = 'clnt_krb_plugin' and value in ('IBMkrb5TwoPart','IBMkrb5TwoPart64')))then 'ENABLED' else 'DISABLED' end as Status from sysibmadm.dbmcfg where (name = 'srvcon_pw_plugin' OR name = 'srvcon_gssplugin_list' OR name = 'clnt_pw_plugin')
199|P a g e
Remediation:
Toenableserverauthenticationthatmapstwo-partuserIDstotwo-partauthorizationIDs,youmustset:
• srvcon_pw_plugintoIBMOSauthserverTwoPart• clnt_pw_plugintoIBMOSauthclientTwoPart
Toenableclientauthenticationthatmapstwo-partuserIDstotwo-partauthorizationIDs,youmustset:
• srvcon_pw_plugintoIBMOSauthserverTwoPart• clnt_pw_plugintoIBMOSauthclientTwoPart
ToenableKerberosauthenticationthatmapstwo-partuserIDstotwo-partauthorizationIDs,youmustset:
• srvcon_gssplugin_listtoIBMOSkrb5TwoPart• clnt_krb_plugintoIBMkrb5TwoPart
Forexample:
db2=> update dbm cfg using srvcon_pw_plugin IBMOSauthserverTwoPart
References:
1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0012039.html
200|P a g e
9.11Ensurepermissionsoncommunicationexitlibrarylocations(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level2-WindowsHostOS
•Level1-LinuxHostOS
•Level2-LinuxHostOS
Description:
DB2communicationexitlibrariesmustexistinspecificdirectories.Thereshouldbeproperpermissionsonthesedirectories.
Rationale:
IfthepermissionsontheDB2communicationexitlibrarydirectoriesarenotsetproperly,thecontentsofthosedirectoriescouldbemisused,tamperedwith,orotherwiseaccessedtonegativelyimpactthesecurityoftheserver.
Audit:
Linux64-bit:
Issuethefollowingcommandtocheckthepermissionsforthecommunicationexitlibrary:
[db2inst1@tgt-db2-101-abcd plugin]$ ll /opt/ibm/db2/V10.5/security64/plugin total 12 drwxr-x--- 2 db2iadm1 db2inst1 4096 Aug 17 2013 commexit
201|P a g e
Remediation:
Thedatabasemanagerlooksforcommunicationexitlibrariesinthefollowingdirectories:
• Linux32-bit:$DB2PATH/security32/plugin/commexit• Linux64-bit:$DB2PATH/security64/plugin/commexit• Windows32-bitand64-bit:$DB2PATH\security\plugin\commexit\instance_name
Afterlocatingthedirectory,updateitspermissions.ThefollowingisanexampleforaLinux64-bitsystem:
[db2inst1@tgt-db2-101-abcd plugin]$ pwd /opt/ibm/db2/V10.5/security64/plugin [db2inst1@tgt-db2-101-abcd IBM]$ chmod -R 750 commexit
References:
1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0060264.html
202|P a g e
9.12Ensureauditpoliciesareenabledwithinthedatabase(NotScored)
ProfileApplicability:
•Level1-WindowsHostOS
•Level2-WindowsHostOS
•Level1-LinuxHostOS
•Level2-LinuxHostOS
Description:
Creatingandapplyingauditpoliciesiscrucialforsecuringanddiscoveringissueswithinyourdatabases.Auditpoliciescanhelptriggereventsforchangestodataobjects,tableDML,anduseraccess.
Rationale:
Ifauditpoliciesarenotenabled,issuesmaygoundiscovered,andcompromisesandotherincidentsmayoccurwithoutbeingquicklydetected.Itmayalsonotbepossibletoprovideevidenceofcompliancewithsecuritylaws,regulations,andotherrequirements.
Audit:
Issuethefollowingcommandtoensurethatatleastoneauditpolicyreturnsanauditstatusnotequalto'N'.Theassumptionisthatifthereisanactivepolicy,theninformationisbeingcapturedtoaudit.
db2=> select auditpolicyname, auditstatus from syscat.auditpolicies
Remediation:
Issuethefollowingcommandtocreateanauditpolicy:
db2=> create audit policy AUDIT_TEST CATEGORIES ALL STATUS BOTH
References:
1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050607.html
203|P a g e
Appendix:SummaryTableControl Set
CorrectlyYes No
1 InstallationandPatches1.1 Installthelatestfixpacks(NotScored) o o1.2 UseIPaddressratherthanhostname(Scored) o o1.3 Leveragetheleastprivilegeprinciple(NotScored) o o1.4 Usenon-defaultaccountnames(Scored) o o1.5 ConfigureDB2tousenon-standardports(NotScored) o o1.6 CreatingthedatabasewiththeRESTERICTIVEclause(Not
Scored) o o
2 DB2DirectoryandFilePermissions2.1 SecureDB2RuntimeLibrary(Scored) o o2.2 Securethedatabasecontainerdirectory(Scored) o o2.3 SetumaskvalueforDB2adminuser.profilefile(Scored) o o2.4 VerifythegroupswithintheDB2_GRP_LOOKUPenvironment
variableareappropriate(Windowsonly)(NotScored) o o
2.5 VerifythedomainswithintheDB2DOMAINLISTenvironmentvariableareappropriate(Windowsonly)(NotScored) o o
3 DB2Configurations3.1 DB2InstanceParameterSettings3.1.1 Enableauditbuffer(Scored) o o3.1.2 Encryptuserdataacrossthenetwork(Scored) o o3.1.3 Requireexplicitauthorizationforcataloging(Scored) o o3.1.4 Disabledatalinkssupport(Scored) o o3.1.5 Securepermissionsfordefaultdatabasefilepath(Scored) o o3.1.6 Setdiagnosticloggingtocaptureerrorsandwarnings
(Scored) o o
3.1.7 Securepermissionsforalldiagnosticlogs(Scored) o o3.1.8 Requireinstancenamefordiscoveryrequests(Scored) o o3.1.9 Disableinstancediscoverability(Scored) o o3.1.10 Authenticatefederatedusersattheinstancelevel(Scored) o o3.1.11 Setmaximumconnectionlimits(Scored) o o3.1.12 Setadministrativenotificationlevel(Scored) o o3.1.13 Enableserver-basedauthentication(Scored) o o3.1.14 Setfailedarchiveretrydelay(Scored) o o3.1.15 Auto-restartafterabnormaltermination(Scored) o o3.1.16 Disabledatabasediscovery(Scored) o o3.1.17 Securepermissionsfortheprimaryarchiveloglocation
(Scored) o o
204|P a g e
3.1.18 Securepermissionsforthesecondaryarchiveloglocation(Scored) o o
3.1.19 Securepermissionsforthetertiaryarchiveloglocation(Scored) o o
3.1.20 Securepermissionsforthelogmirrorlocation(Scored) o o3.1.21 Establishretentionsetsizeforbackups(Scored) o o3.1.22 Setarchivelogfailoverretrylimit(Scored) o o3.2 DatabaseManagerConfigurationparameters3.2.1 TCP/IPservicename-svcename(Scored) o o3.2.2 SSLservicename-ssl_svcename(Scored) o o3.2.3 Authenticationtypeforincomingconnectionsattheserver-
srvcon_auth(Scored) o o
3.2.4 DatabaseManagerConfigurationparameter:trust_allclnts(NotScored) o o
3.2.5 DatabaseManagerConfigurationparameter:trust_clntauth(NotScored) o o
4 RowandColumnAccessControl(RCAC)4.1 ReviewOrganization'sPoliciesagainstDB2RCACPolicies
(NotScored) o o
4.2 SecureSECADMAuthority(NotScored) o o4.3 ReviewUsers,Groups,andRoles(NotScored) o o4.4 ReviewRowPermissionlogicaccordingtopolicy(Not
Scored) o o
4.5 ReviewColumnMasklogicaccordingtopolicy(NotScored) o o5 DatabaseMaintenance5.1 EnableBackupRedundancy(NotScored) o o5.2 ProtectingBackups(NotScored) o o5.3 EnableAutomaticDatabaseMaintenance(Scored) o o6 SecuringDatabaseObjects6.1 RestrictAccesstoSYSCAT.AUDITPOLICIES(Scored) o o6.2 RestrictAccesstoSYSCAT.AUDITUSE(Scored) o o6.3 RestrictAccesstoSYSCAT.DBAUTH(Scored) o o6.4 RestrictAccesstoSYSCAT.COLAUTH(Scored) o o6.5 RestrictAccesstoSYSCAT.EVENTS(Scored) o o6.6 RestrictAccesstoSYSCAT.EVENTTABLES(Scored) o o6.7 RestrictAccesstoSYSCAT.ROUTINES(Scored) o o6.8 RestrictAccesstoSYSCAT.INDEXAUTH(Scored) o o6.9 RestrictAccesstoSYSCAT.PACKAGEAUTH(Scored) o o6.10 RestrictAccesstoSYSCAT.PACKAGES(Scored) o o6.11 RestrictAccesstoSYSCAT.PASSTHRUAUTH(Scored) o o6.12 RestrictAccesstoSYSCAT.SECURITYPOLICIES(Scored) o o6.13 RestrictAccesstoSYSCAT.SECURITYPOLICYEXEMPTIONS
(Scored) o o
205|P a g e
6.14 RestrictAccesstoSYSCAT.SURROGATEAUTHIDS(Scored) o o6.15 RestrictAccesstoSYSCAT.ROLEAUTH(Scored) o o6.16 RestrictAccesstoSYSCAT.ROLES(Scored) o o6.17 RestrictAccesstoSYSCAT.ROUTINEAUTH(Scored) o o6.18 RestrictAccesstoSYSCAT.SCHEMAAUTH(Scored) o o6.19 RestrictAccesstoSYSCAT.SCHEMATA(Scored) o o6.20 RestrictAccesstoSYSCAT.SEQUENCEAUTH(Scored) o o6.21 RestrictAccesstoSYSCAT.STATEMENTS(Scored) o o6.22 RestrictAccesstoSYSCAT.TABAUTH(Scored) o o6.23 RestrictAccesstoSYSCAT.TBSPACEAUTH(Scored) o o6.24 RestrictAccesstoTablespaces(Scored) o o6.25 RestrictAccesstoSYSCAT.MODULEAUTH(Scored) o o6.26 RestrictAccesstoSYSCAT.VARIABLEAUTH(Scored) o o6.27 RestrictAccesstoSYSCAT.WORKLOADAUTH(Scored) o o6.28 RestrictAccesstoSYSCAT.XSROBJECTAUTH(Scored) o o6.29 RestrictAccesstoSYSCAT.AUTHORIZATIONIDS(Scored) o o6.30 RestrictAccesstoSYSIBMADM.OBJECTOWNERS(Scored) o o6.31 RestrictAccesstoSYSIBMADM.PRIVILEGES(Scored) o o7 DB2Authorities7.1 SecureSYSADMauthority(Scored) o o7.2 SecureSYSCTRLauthority(Scored) o o7.3 SecureSYSMAINTAuthority(Scored) o o7.4 SecureSYSMONAuthority(Scored) o o7.5 SecureSECADMAuthority(Scored) o o7.6 SecureDBADMAuthority(Scored) o o7.7 SecureSQLADMAuthority(Scored) o o7.8 SecureDATAACCESSAuthority(Scored) o o7.9 SecureACCESSCTRLAuthority(Scored) o o7.10 SecureWLMADMauthority(Scored) o o7.11 SecureCREATABAuthority(Scored) o o7.12 SecureBINDADDAuthority(Scored) o o7.13 SecureCONNECTAuthority(Scored) o o7.14 SecureLOADAuthority(Scored) o o7.15 SecureEXTERNALROUTINEAuthority(Scored) o o7.16 SecureQUIESCECONNECTAuthority(Scored) o o8 DB2Roles8.1 ReviewRoles(Scored) o o8.2 ReviewRoleMembers(Scored) o o8.3 NestedRoles(Scored) o o8.4 ReviewRolesgrantedtoPUBLIC(Scored) o o8.5 ReviewRoleGranteeswithWITHADMINOPTION(Scored) o o9 GeneralPolicyandProcedures
206|P a g e
9.1 StartandStopDB2Instance(NotScored) o o9.2 RemoveUnusedSchemas(NotScored) o o9.3 ReviewSystemTablespaces(Scored) o o9.4 RemoveDefaultDatabases(Scored) o o9.5 EnableSSLcommunicationwithLDAPserver(Scored) o o9.6 SecurethepermissionoftheIBMLDAPSecurity.inifile
(Scored) o o
9.7 SecurethepermissionoftheSSLconfig.inifile(Scored) o o9.8 EnsureTrustedContextsareenabled(NotScored) o o9.9 Secureplug-inlibrarylocations(NotScored) o o9.10 Ensurethatsecurityplug-insupportfortwo-partuserIDsis
enabled(NotScored) o o
9.11 Ensurepermissionsoncommunicationexitlibrarylocations(NotScored) o o
9.12 Ensureauditpoliciesareenabledwithinthedatabase(NotScored) o o
207|P a g e
Appendix:ChangeHistoryDate Version Changesforthisversion
12-19-2015 1.0.0 InitialRelease
08-05-2016 1.1.0 Ticket#144:AddedarecommendationforDB2tousenon-standardports.
08-10-2016 1.1.0 Ticket#141:AddedarecommendationforTrustedContexts.
08-10-2016 1.1.0 Ticket#148:Addedarecommendationforthetrust_allclntsparameter.
08-10-2016 1.1.0 Ticket#152:Addedarecommendationforsecureplug-inlibrarylocations.
08-10-2016 1.1.0 Ticket#155:Addedarecommendationforsecurityplug-insupportoftwo-partuserIDs.
08-10-2016 1.1.0 Ticket#156:Addedarecommendationforthecommunicationexitlibrarylocation.
08-10-2016 1.1.0 Ticket#157:Addedarecommendationforenablingauditpolicies.
08-10-2016 1.1.0 Ticket#159:AddedarecommendationfortheDB2_GRP_LOOKUPenvironmentalvariable.
08-10-2016 1.1.0 Ticket#160:AddedarecommendationfortheDB2DOMAINLISTenvironmentalvariable.
08-17-2016 1.1.0 Ticket#146:AddedarecommendationfortheRESTRICTIVEparameter.
208|P a g e