cis ibm db2 10 benchmark v1.1.0 - itsecure€¦ · this document, security configuration benchmark...

CISIBMDB210Benchmark

v1.1.0-08-31-2016

1|P a g e

ThisworkislicensedunderaCreativeCommonsAttribution-NonCommercial-ShareAlike4.0InternationalPublicLicense.Thelinktothelicensetermscanbefoundathttps://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.

TofurtherclarifytheCreativeCommonslicenserelatedtoCISBenchmarkcontent,youareauthorizedtocopyandredistributethecontentforusebyyou,withinyourorganizationandoutsideyourorganizationfornon-commercialpurposesonly,providedthat(i)appropriatecreditisgiventoCIS,(ii)alinktothelicenseisprovided.Additionally,ifyouremix,transformorbuildupontheCISBenchmark(s),youmayonlydistributethemodifiedmaterialsiftheyaresubjecttothesamelicensetermsastheoriginalBenchmarklicenseandyourderivativewillnolongerbeaCISBenchmark.CommercialuseofCISBenchmarksissubjecttothepriorapprovaloftheCenterforInternetSecurity.

2|P a g e

TableofContents

Overview......................................................................................................................................................................7

IntendedAudience..............................................................................................................................................7

ConsensusGuidance...........................................................................................................................................7

TypographicalConventions............................................................................................................................8

ScoringInformation............................................................................................................................................8

ProfileDefinitions................................................................................................................................................9

Acknowledgements..........................................................................................................................................11

Recommendations.................................................................................................................................................12

1InstallationandPatches.............................................................................................................................12

1.1Installthelatestfixpacks(NotScored).................................................................................12

1.2UseIPaddressratherthanhostname(Scored).................................................................13

1.3Leveragetheleastprivilegeprinciple(NotScored).........................................................15

1.4Usenon-defaultaccountnames(Scored).............................................................................16

1.5ConfigureDB2tousenon-standardports(NotScored)................................................17

1.6CreatingthedatabasewiththeRESTERICTIVEclause(NotScored)........................19

2DB2DirectoryandFilePermissions.....................................................................................................22

2.1SecureDB2RuntimeLibrary(Scored)...................................................................................22

2.2Securethedatabasecontainerdirectory(Scored)...........................................................24

2.3SetumaskvalueforDB2adminuser.profilefile(Scored)............................................25

2.4VerifythegroupswithintheDB2_GRP_LOOKUPenvironmentvariableareappropriate(Windowsonly)(NotScored)..................................................................................26

2.5VerifythedomainswithintheDB2DOMAINLISTenvironmentvariableareappropriate(Windowsonly)(NotScored)..................................................................................27

3DB2Configurations......................................................................................................................................28

3.1.1Enableauditbuffer(Scored)...................................................................................................28

3.1.2Encryptuserdataacrossthenetwork(Scored).............................................................30

3.1.3Requireexplicitauthorizationforcataloging(Scored)...............................................32

3.1.4Disabledatalinkssupport(Scored).....................................................................................34

3.1.5Securepermissionsfordefaultdatabasefilepath(Scored).....................................36

3.1.6Setdiagnosticloggingtocaptureerrorsandwarnings(Scored)...........................39

3|P a g e

3.1.7Securepermissionsforalldiagnosticlogs(Scored).....................................................41

3.1.8Requireinstancenamefordiscoveryrequests(Scored)............................................43

3.1.9Disableinstancediscoverability(Scored).........................................................................45

3.1.10Authenticatefederatedusersattheinstancelevel(Scored).................................46

3.1.11Setmaximumconnectionlimits(Scored)......................................................................48

3.1.12Setadministrativenotificationlevel(Scored)..............................................................51

3.1.13Enableserver-basedauthentication(Scored)..............................................................53

3.1.14Setfailedarchiveretrydelay(Scored)............................................................................55

3.1.15Auto-restartafterabnormaltermination(Scored)....................................................57

3.1.16Disabledatabasediscovery(Scored)................................................................................58

3.1.17Securepermissionsfortheprimaryarchiveloglocation(Scored).....................60

3.1.18Securepermissionsforthesecondaryarchiveloglocation(Scored)................62

3.1.19Securepermissionsforthetertiaryarchiveloglocation(Scored)......................64

3.1.20Securepermissionsforthelogmirrorlocation(Scored)........................................66

3.1.21Establishretentionsetsizeforbackups(Scored).......................................................68

3.1.22Setarchivelogfailoverretrylimit(Scored)..................................................................70

3.2DatabaseManagerConfigurationparameters.........................................................................72

3.2.1TCP/IPservicename-svcename(Scored).......................................................................72

3.2.2SSLservicename-ssl_svcename(Scored).......................................................................73

3.2.3Authenticationtypeforincomingconnectionsattheserver-srvcon_auth(Scored).......................................................................................................................................................74

3.2.4DatabaseManagerConfigurationparameter:trust_allclnts(NotScored).........75

3.2.5DatabaseManagerConfigurationparameter:trust_clntauth(NotScored).......77

4RowandColumnAccessControl(RCAC)...........................................................................................79

4.1ReviewOrganization'sPoliciesagainstDB2RCACPolicies(NotScored)..............79

4.2SecureSECADMAuthority(NotScored)...............................................................................81

4.3ReviewUsers,Groups,andRoles(NotScored)..................................................................82

4.4ReviewRowPermissionlogicaccordingtopolicy(NotScored)................................85

4.5ReviewColumnMasklogicaccordingtopolicy(NotScored)......................................86

5DatabaseMaintenance................................................................................................................................87

5.1EnableBackupRedundancy(NotScored)............................................................................87

4|P a g e

5.2ProtectingBackups(NotScored).............................................................................................88

5.3EnableAutomaticDatabaseMaintenance(Scored).........................................................89

6SecuringDatabaseObjects........................................................................................................................91

6.1RestrictAccesstoSYSCAT.AUDITPOLICIES(Scored)......................................................91

6.2RestrictAccesstoSYSCAT.AUDITUSE(Scored).................................................................93

6.3RestrictAccesstoSYSCAT.DBAUTH(Scored).....................................................................94

6.4RestrictAccesstoSYSCAT.COLAUTH(Scored)..................................................................96

6.5RestrictAccesstoSYSCAT.EVENTS(Scored)......................................................................98

6.6RestrictAccesstoSYSCAT.EVENTTABLES(Scored).....................................................100

6.7RestrictAccesstoSYSCAT.ROUTINES(Scored)..............................................................102

6.8RestrictAccesstoSYSCAT.INDEXAUTH(Scored)..........................................................103

6.9RestrictAccesstoSYSCAT.PACKAGEAUTH(Scored)...................................................105

6.10RestrictAccesstoSYSCAT.PACKAGES(Scored)...........................................................106

6.11RestrictAccesstoSYSCAT.PASSTHRUAUTH(Scored)..............................................107

6.12RestrictAccesstoSYSCAT.SECURITYPOLICIES(Scored).........................................109

6.13RestrictAccesstoSYSCAT.SECURITYPOLICYEXEMPTIONS(Scored)................111

6.14RestrictAccesstoSYSCAT.SURROGATEAUTHIDS(Scored)...................................113

6.15RestrictAccesstoSYSCAT.ROLEAUTH(Scored)..........................................................115

6.16RestrictAccesstoSYSCAT.ROLES(Scored)....................................................................117

6.17RestrictAccesstoSYSCAT.ROUTINEAUTH(Scored).................................................119

6.18RestrictAccesstoSYSCAT.SCHEMAAUTH(Scored)...................................................121

6.19RestrictAccesstoSYSCAT.SCHEMATA(Scored).........................................................122

6.20RestrictAccesstoSYSCAT.SEQUENCEAUTH(Scored)..............................................124

6.21RestrictAccesstoSYSCAT.STATEMENTS(Scored)....................................................126

6.22RestrictAccesstoSYSCAT.TABAUTH(Scored)............................................................128

6.23RestrictAccesstoSYSCAT.TBSPACEAUTH(Scored)..................................................130

6.24RestrictAccesstoTablespaces(Scored).........................................................................132

6.25RestrictAccesstoSYSCAT.MODULEAUTH(Scored)..................................................134

6.26RestrictAccesstoSYSCAT.VARIABLEAUTH(Scored)...............................................136

6.27RestrictAccesstoSYSCAT.WORKLOADAUTH(Scored)...........................................138

5|P a g e

6.28RestrictAccesstoSYSCAT.XSROBJECTAUTH(Scored).............................................140

6.29RestrictAccesstoSYSCAT.AUTHORIZATIONIDS(Scored)......................................142

6.30RestrictAccesstoSYSIBMADM.OBJECTOWNERS(Scored)....................................144

6.31RestrictAccesstoSYSIBMADM.PRIVILEGES(Scored)..............................................146

7DB2Authorities..........................................................................................................................................148

7.1SecureSYSADMauthority(Scored)......................................................................................148

7.2SecureSYSCTRLauthority(Scored).....................................................................................150

7.3SecureSYSMAINTAuthority(Scored).................................................................................152

7.4SecureSYSMONAuthority(Scored).....................................................................................154

7.5SecureSECADMAuthority(Scored).....................................................................................156

7.6SecureDBADMAuthority(Scored).......................................................................................158

7.7SecureSQLADMAuthority(Scored).....................................................................................160

7.8SecureDATAACCESSAuthority(Scored)...........................................................................161

7.9SecureACCESSCTRLAuthority(Scored)............................................................................162

7.10SecureWLMADMauthority(Scored)................................................................................163

7.11SecureCREATABAuthority(Scored)................................................................................164

7.12SecureBINDADDAuthority(Scored)................................................................................166

7.13SecureCONNECTAuthority(Scored)...............................................................................168

7.14SecureLOADAuthority(Scored)........................................................................................170

7.15SecureEXTERNALROUTINEAuthority(Scored).........................................................172

7.16SecureQUIESCECONNECTAuthority(Scored).............................................................174

8DB2Roles......................................................................................................................................................176

8.1ReviewRoles(Scored)...............................................................................................................176

8.2ReviewRoleMembers(Scored).............................................................................................178

8.3NestedRoles(Scored)................................................................................................................180

8.4ReviewRolesgrantedtoPUBLIC(Scored)........................................................................181

8.5ReviewRoleGranteeswithWITHADMINOPTION(Scored)....................................183

9GeneralPolicyandProcedures............................................................................................................184

9.1StartandStopDB2Instance(NotScored).........................................................................184

9.2RemoveUnusedSchemas(NotScored)..............................................................................186

6|P a g e

9.3ReviewSystemTablespaces(Scored).................................................................................187

9.4RemoveDefaultDatabases(Scored)....................................................................................188

9.5EnableSSLcommunicationwithLDAPserver(Scored).............................................190

9.6SecurethepermissionoftheIBMLDAPSecurity.inifile(Scored)............................191

9.7SecurethepermissionoftheSSLconfig.inifile(Scored).............................................193

9.8EnsureTrustedContextsareenabled(NotScored)......................................................195

9.9Secureplug-inlibrarylocations(NotScored)..................................................................196

9.10Ensurethatsecurityplug-insupportfortwo-partuserIDsisenabled(NotScored)......................................................................................................................................................198

9.11Ensurepermissionsoncommunicationexitlibrarylocations(NotScored)...200

9.12Ensureauditpoliciesareenabledwithinthedatabase(NotScored).................202

Appendix:SummaryTable.............................................................................................................................203

Appendix:ChangeHistory..............................................................................................................................207

7|P a g e

OverviewThisdocument,SecurityConfigurationBenchmarkforIBMDB2,providesprescriptiveguidanceforestablishingasecureconfigurationpostureforDB2versions10.xrunningonLinuxandWindows.ThisguidewastestedagainstDB2version10.5installedonWindowsServer2008R2andCentOS6.Toobtainthelatestversionofthisguide,pleasevisithttp://cisecurity.org.Ifyouhavequestionsorcomments,orhaveidentifiedwaystoimprovethisguide,[email protected].

IntendedAudience

Thisdocumentisintendedforsystemandapplicationadministrators,securityspecialists,auditors,helpdesk,andplatformdeploymentpersonnel,whoplantodevelop,deploy,assess,orsecuresolutionsthatincorporateDB2onLinuxandWindowsplatforms.

ConsensusGuidance

Thisbenchmarkwascreatedusingaconsensusreviewprocesscomprisedofsubjectmatterexperts.Consensusparticipantsprovideperspectivefromadiversesetofbackgroundsincludingconsulting,softwaredevelopment,auditandcompliance,securityresearch,operations,government,andlegal.

EachCISbenchmarkundergoestwophasesofconsensusreview.Thefirstphaseoccursduringinitialbenchmarkdevelopment.Duringthisphase,subjectmatterexpertsconvenetodiscuss,create,andtestworkingdraftsofthebenchmark.Thisdiscussionoccursuntilconsensushasbeenreachedonbenchmarkrecommendations.Thesecondphasebeginsafterthebenchmarkhasbeenpublished.Duringthisphase,allfeedbackprovidedbytheInternetcommunityisreviewedbytheconsensusteamforincorporationinthebenchmark.Ifyouareinterestedinparticipatingintheconsensusprocess,pleasevisithttps://community.cisecurity.org.

8|P a g e

TypographicalConventions

Thefollowingtypographicalconventionsareusedthroughoutthisguide:

Convention Meaning

Stylized Monospace font Usedforblocksofcode,command,andscriptexamples.Textshouldbeinterpretedexactlyaspresented.

Monospacefont Usedforinlinecode,commands,orexamples.Textshouldbeinterpretedexactlyaspresented.

<italicfontinbrackets> Italictextssetinanglebracketsdenoteavariablerequiringsubstitutionforarealvalue.

Italicfont Usedtodenotethetitleofabook,article,orotherpublication.

Note Additionalinformationorcaveats

ScoringInformation

Ascoringstatusindicateswhethercompliancewiththegivenrecommendationimpactstheassessedtarget'sbenchmarkscore.Thefollowingscoringstatusesareusedinthisbenchmark:

Scored

Failuretocomplywith"Scored"recommendationswilldecreasethefinalbenchmarkscore.Compliancewith"Scored"recommendationswillincreasethefinalbenchmarkscore.

NotScored

Failuretocomplywith"NotScored"recommendationswillnotdecreasethefinalbenchmarkscore.Compliancewith"NotScored"recommendationswillnotincreasethefinalbenchmarkscore.

9|P a g e

ProfileDefinitions

ThefollowingconfigurationprofilesaredefinedbythisBenchmark:

• Level1-RDBMS

ItemsinthisprofileapplytotheRDBMSproperandintendto:

o Bepracticalandprudent;o Provideaclearsecuritybenefit;ando Notinhibittheutilityofthetechnologybeyondacceptablemeans.

• Level2-RDBMS

Thisprofileextendsthe"Level1"profile.Itemsinthisprofileexhibitoneormoreofthefollowingcharacteristics:

o Areintendedforenvironmentsorusecaseswheresecurityisparamounto Actsasdefenseindepthmeasureo Maynegativelyinhibittheutilityorperformanceofthetechnology

• Level1-WindowsHostOS

ItemsinthisprofileapplytotheWindowsHostOSproperandintendto:

o Bepracticalandprudent;o Provideaclearsecuritybenefit;ando Notinhibittheutilityofthetechnologybeyondacceptablemeans.

• Level2-WindowsHostOS

Thisprofileextends"Level1-WindowsHostOS".Itemsinthisprofileexhibitoneormoreofthefollowingcharacteristics:

o Areintendedforenvironmentsorusecaseswheresecurityisparamounto Actsasdefenseindepthmeasureo Maynegativelyinhibittheutilityorperformanceofthetechnology

• Level1-LinuxHostOS

ItemsinthisprofileapplytotheLinuxHostOSproperandintendto:

o Bepracticalandprudent;

10|P a g e

o Provideaclearsecuritybenefit;ando Notinhibittheutilityofthetechnologybeyondacceptablemeans.

• Level2-LinuxHostOS

Thisprofileextends"Level1-LinuxHostOS".Itemsinthisprofileexhibitoneormoreofthefollowingcharacteristics:

o areintendedforenvironmentsorusecaseswheresecurityisparamounto actsasdefenseindepthmeasureo maynegativelyinhibittheutilityorperformanceofthetechnology

11|P a g e

Acknowledgements

Thisbenchmarkexemplifiesthegreatthingsacommunityofusers,vendors,andsubjectmatterexpertscanaccomplishthroughconsensuscollaboration.TheCIScommunitythankstheentireconsensusteamwithspecialrecognitiontothefollowingindividualswhocontributedgreatlytothecreationofthisguide:

ContributorAdamMontvilleTimothyHarrisonEditorKarenScarfoneChrisBielinski

12|P a g e

Recommendations1InstallationandPatches

[Thisspaceintentionallyleftblank]

1.1Installthelatestfixpacks(NotScored)

ProfileApplicability:

•Level1-RDBMS

•Level2-RDBMS

Description:

Periodically,IBMreleasesfixpackstoenhancefeaturesandresolvedefects,includingsecuritydefects.ItisrecommendedthattheDB2instanceremaincurrentwithallfixpacks.

Rationale:

InstallingthelatestDB2fixpackwillhelpprotectthedatabasefromknownvulnerabilitiesaswellasreducedowntimethatmayotherwiseresultfromfunctionaldefects.

Audit:

PerformthefollowingDB2commandstoobtaintheversion:

1. OpentheDB2CommandWindowandtypeindb2level:

$ db2level DB21085I Instance "DB2" uses "32" bits and DB2 code release "SQL09050" with level identifier "03010107". Informational tokens are "DB2 v9.5.0.808", "s071001", "NT3295", and Fix Pack "3".

Remediation:

ApplythelatestfixpackasofferedfromIBM.

13|P a g e

1.2UseIPaddressratherthanhostname(Scored)


•Level1-WindowsHostOS

•Level1-LinuxHostOS

Description:

UseanIPaddressratherthanahostnametoconnecttothehostoftheDB2instance.

Rationale:

UsingahostnametoconnecttoaDB2instancecandisplayusefulinformationaboutthehosttoanattacker.Forexample,hostnamesforDB2instancesoftencontaintheDB2versionnumber,hosttype,oroperatingsystemtype.

Audit:

Windows:

1. RunDB2CommandPrompt-Administrator2. Type'db2listnodedirectoryshowdetail'3. Verifythatthe'HOSTNAME'valuesforallnodeslistedareinIPaddressformand

nothostnames

Linux:

1. LogintoDB2asDB2Instanceowner2. Type'db2listnodedirectoryshowdetail'3. Verifythatthe'HOSTNAME'valuesforallnodeslistedareinIPaddressformand

nothostnames

Sample:

Node Directory Number of entries in the directory = 2 Node 1 entry: Node name = SAMPLE Comment = Directory entry type = LDAP Protocol = TCPIP Hostname = 192.168.145.10 Service name = 50000

14|P a g e

Remediation:

1. Dropallexistingnodes2. RecreatenodedirectoryusingIPaddressesandnothostnames

DefaultValue:

IPaddress

15|P a g e

1.3Leveragetheleastprivilegeprinciple(NotScored)


•Level1-RDBMS

Description:

TheDB2databaseinstancewillexecuteunderthecontextofagivensecurityprinciple.Itisrecommendedthatthisservicehavetheleastprivilegespossible.Furthermore,itisadvisabletohavetheDB2serviceexecutedusingtheDB2instanceownerandmonitorsuchaccountsforunauthorizedaccesstothesensitivedata.

Rationale:

LeveragingaleastprivilegeaccountfortheDB2servicewillreduceanattacker'sabilitytocompromisethehostoperatingsystemshouldtheDB2serviceprocessbecomecompromised.

Audit:

ReviewallaccountsthathaveaccesstotheDB2databaseservicetoensureleastprivilegeisapplied.

Remediation:

Ensurethatallaccountshavetheabsoluteminimalprivilegegrantedtoperformtheirtasks.

16|P a g e

1.4Usenon-defaultaccountnames(Scored)




Description:

TheDB2serviceisinstalledwithdefaultaccountswithwell-knownnamessuchasdb2admin,db2inst1,dasusr1,ordb2fenc1.Itisrecommendedthattheuseoftheseaccountnamesbeavoided.Thedefaultaccountsmayberenamedandthenused.

Rationale:

TheuseofdefaultaccountnamesmayincreasetheDB2service'ssusceptibilitytounauthorizedaccessbyanattacker.

Audit:

ForWindows:

1. Reviewthelistofusersforthesystemandconfirmthatnoneoftheaccountnamesaredb2admin,db2inst1,dasusr1,ordb2fenc1.

ForLinux:

1. Review/etc/passwdandconfirmthatnoneoftheaccountnamesaredb2admin,db2inst1,dasusr1,ordb2fenc1.

Remediation:

Foreachaccountwithadefaultname,eitherchangethenametoanamethatisnotwell-knownordeletetheaccountifitisnotneeded.

17|P a g e

1.5ConfigureDB2tousenon-standardports(NotScored)






Description:

Ifenabled,thedefaultDB2instancewillbeassignedadefaultportofTCP:50000forTCP/IPcommunication.TCP:50000isawidelyknownDB2port,sothisportassignmentshouldbechanged.Thoughdeprecated,ifyoustillusetheDAS,itsdefaultportusesTCP:523andshouldbechanged.

Rationale:

Usinganon-defaultporthelpsreducethenumberofattacksdirectedatthedatabasethroughitsport.

Audit:

Usetheappropriatecommandbelowtoidentifytheassignedportandconfirmthatitdoesnotusethedefaultvalueof50000.

Linux:

cat etc/services | grep db2

Windows:

netstat -bao

Remediation:

Assignanon-defaultport(avalueotherthan50000)tothedefaultDB2instance.

Impact:

Changingtheportwillbreakconnectivityforanyservers,clients,etc.configuredtoaccesstheDBinstanceattheoriginalport.Anyportnumberchangesneedtobecoordinatedtopreventinadvertentoutages.

18|P a g e

References:

1. http://www.ibm.com/support/knowledgecenter/en/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/c0060794.html

19|P a g e

1.6CreatingthedatabasewiththeRESTERICTIVEclause(NotScored)


•Level1-RDBMS

•Level2-RDBMS

Description:

ThisparameterindicateswhetherthedatabasewascreatedwiththeRESTRICTIVEclauseintheCREATEDATABASEstatement.Whencreatingadatabase,theuseoftheRESTRICTIVEclausewillcausecertaincommandstoberevokedfromPUBLIC.

Rationale:

AllowingthedefaultprivilegesgrantedtothegroupPUBLICtoremainintackcanhavenegativeimpactsonthedatabaseaswellasunderminemeasuresputinplacetolimitaccesstoauthorizedusers.

Audit:

db2=> select case when value = '-1' then 'automatic' when value = '' then 'NULL' else value end as value from sysibmadm.dbcfg where name = 'restrict_access'

Remediation:

There is no remediation for this parameter due to the fact that the placement of the RESTRICTIVE clause happens within the CREATE DATABASE statement. Unless your backup strategies allow for a complete overhaul of your environment where you are able to recreate the database with the RESTRICTIVE clause, we do not recommend changing this parameter. However, if you would like to align your database configuration to that which the RESTRICTIVE clause would provide, please ensure the following:

1. SYSCAT.DBAUTH – Ensure PUBLIC is NOT granted the following authorities:

• CREATETAB• BINDADD• CONNECT• IMPLICIT_SCHEMA

20|P a g e

2. SYSCAT.TABAUTH – Ensure PUBLIC is NOT granted the following privileges:

• SELECTonallSYSCATandSYSIBMtables• SELECTandUPDATEonallSYSSTATtables• SELECTonthefollowingviewsinschemaSYSIBMADM:

o ALL_*o USER_*o ROLE_*o SESSION_*o DICTIONARYo TAB

3. SYSCAT.ROUTINEAUTH – Ensure PUBLIC is NOT granted the following privileges:

• EXECUTEwithGRANTonallproceduresinschemaSQLJ• EXECUTEwithGRANTonallfunctionsandproceduresinschemaSYSFUN• EXECUTEwithGRANTonallfunctionsandproceduresinschemaSYSPROC• EXECUTEonalltablefunctionsinschemaSYSIBM• EXECUTEonallotherproceduresinschemaSYSIBM

4. SYSCAT.MODULEAUTH – Ensure PUBLIC is NOT granted the following privileges:

• EXECUTEonthefollowingmodulesinschemaSYSIBMADM:o DBMS_DDLo DBMS_JOBo DBMS_LOBo DBMS_OUTPUTo DBMS_SQLo DBMS_STANDARDo DBMS_UTILITY

5. SYSCAT.PACKAGEAUTH – Ensure PUBLIC is NOT granted the following privileges:

• BINDonallpackagescreatedintheNULLIDschema• EXECUTEonallpackagescreatedintheNULLIDschema

6. SYSCAT.SCHEMAAUTH – Ensure PUBLIC is NOT granted the following privileges:

• CREATEINonschemaSQLJ• CREATEINonschemaNULLID

7. SYSCAT.TBSPACEAUTH – Ensure PUBLIC is NOT granted the USE privilege on table space USERSPACE1.

8. SYSCAT.WORKLOADAUTH – Ensure PUBLIC is NOT granted the USAGE privilege on SYSDEFAULTUSERWORKLOAD.

21|P a g e

9.SYSCAT.VARIABLEAUTH–EnsurePUBLICisNOTgrantedtheREADprivilegeonschemaglobalvariablesintheSYSIBMschema.

References:

1. https://www.ibm.com/support/knowledgecenter/en/SSEPGG_10.5.0/com.ibm.db2.luw.admin.cmd.doc/doc/r0001941.html

2. https://www.ibm.com/support/knowledgecenter/en/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0054269.html

22|P a g e

2DB2DirectoryandFilePermissions

ThissectionprovidesguidanceonsecuringalloperatingsystemspecificobjectsforDB2.

2.1SecureDB2RuntimeLibrary(Scored)




Description:

ADB2softwareinstallationwillplaceallexecutablesunderthedefault<DB2PATH>\sqllibdirectory.Thisdirectoryneedstobesecuredsoitgrantsonlythenecessaryaccesstoauthorizedusersandadministrators.

Rationale:

TheDB2runtimeiscomprisedoffilesthatareexecutedaspartoftheDB2service.Iftheseresourcesarenotsecured,anattackermayalterthemtoexecutearbitrarycode.

Audit:

Performthefollowingtoobtainthevalueforthissetting:ForWindows:

1. ConnecttotheDB2host2. Right-clickontheNODE000x/sqldbdirdirectory3. ChooseProperties4. SelecttheSecuritytab5. DeterminethepermissionsforDBadministratoraccountsandallotheraccounts

ForLinux:

1. ConnecttotheDB2host2. ChangetotheNODE000x/sqldbdirdirectory3. Determinethepermissionsforthedirectory

OS => ls -al

23|P a g e

Remediation:

ForWindows:

1. ConnecttotheDB2host2. Right-clickonthe\NODE000x\sqldbdirdirectory3. ChooseProperties4. SelecttheSecuritytab5. SelectallDBadministratoraccountsandgrantthemtheFullControlauthority6. SelectallotheraccountsandrevokeallprivilegesotherthanReadandExecute

ForLinux:

1. ConnecttotheDB2host2. Changetothe/NODE000x/sqldbdirdirectory3. Changethepermissionlevelofthedirectorytothisrecommendedvalue

OS => chmod -R 755

24|P a g e

2.2Securethedatabasecontainerdirectory(Scored)


•Level1-RDBMS

Description:

ADB2databasecontaineristhephysicalstorageofthedata.

Rationale:

Thecontainersareneededinorderforthedatabasetooperateproperly.Thelossofthecontainerscancausedowntime.Also,allowingexcessiveaccesstothecontainersmayhelpanattackertogainaccesstotheircontents.Therefore,securethelocation(s)ofthecontainersbyrestrictingtheaccessandownership.Allowonlytheinstanceownertohaveaccesstothetablespacecontainers.

Audit:

ReviewallusersthathaveaccesstothedirectoryofthecontainerstoensureonlyDB2administratorshavefullaccess.Allotherusersshouldhaveread-onlyaccess.

Remediation:

SettheprivilegesforthedirectoryofthecontainerssothatonlyDB2administratorshavefullaccess,andallotherusershaveread-onlyaccess.

25|P a g e

2.3SetumaskvalueforDB2adminuser.profilefile(Scored)



Description:

TheDB2Admin.profilefileinLinuxsetstheenvironmentvariablesandthesettingsfortheuser.

Rationale:

Theumask valueshouldbesetto022 fortheowneroftheDB2softwareatalltimes.

Audit:

Ensurethattheumask 022 settingexistsinthe.profile.

Remediation:

Addumask 022 tothe.profile file.

26|P a g e

2.4VerifythegroupswithintheDB2_GRP_LOOKUPenvironmentvariableareappropriate(Windowsonly)(NotScored)




Description:

TheDB2_GRP_LOOKUPenvironmentvariablemanageswhichgroupsareidentifiedonalocalmachine/domainlevel.

Rationale:

Periodicreviewofthesegroupsisrequiredtoensurethatnon-essentialgroupsdonothaveunnecessaryauthorization.

Audit:

VerifythattheDB2_GRP_LOOKUPenvironmentvariableincludesonlytheappropriategroupslistedwithinthelocalmachine/domain.

db2set -all

Remediation:

AlterthevalueoftheDB2_GRP_LOOKUPenvironmentvariablesothatitincludesonlytheappropriategroupslistedwithinthelocalmachine/domain.

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0005914.html

27|P a g e

2.5VerifythedomainswithintheDB2DOMAINLISTenvironmentvariableareappropriate(Windowsonly)(NotScored)




Description:

Itispossibletohaveauseridberepresentedacrossmultipledomains.Issuescouldarisewhentryingtoauthenticatesuchauserid.Topreventtheseissues,alistingofdomainsshouldbedefinedwithintheDB2DOMAINLISTenvironmentvariable.Note:theDB2DOMAINLISTisonlyeffectiveiftheauthenticationparameterissettoCLIENT.

Rationale:

PeriodicreviewofthedomainlistassignedtotheDB2DOMAINLISTenvironmentvariablehelpsensurethatnon-essentialdomainsdonothaveunnecessaryauthorizations.

Audit:

VerifythattheDB2DOMAINLISTenvironmentvariableincludesonlytheappropriatedomains.

db2set -all

Remediation:

AlterthevalueoftheDB2DOMAINLISTenvironmentvariablesothatitincludesonlytheappropriatedomains.

References:

1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0011962.html?lang=en

28|P a g e

3DB2Configurations


3.1DB2InstanceParameterSettings

ThissectionprovidesguidanceonhowDB2willcontrolthedatainthedatabasesandthesystemresourcesthatareallocatedtotheinstance.

3.1.1Enableauditbuffer(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

DB2canbeconfiguredtouseanauditbuffer.Itisrecommendedthattheauditbuffersizebesettoatleast1000.

Rationale:

Increasingtheauditbuffersizetogreaterthan0willallocatespacefortheauditrecordsgeneratedbytheauditfacility.Atscheduledintervals,orwhentheauditbufferisfull,thedb2auditdauditdaemonemptiestheauditbuffertodisk,writingtheauditrecordsasynchronously.

Audit:

Performthefollowingtodetermineiftheauditbufferissetasrecommended:

1. AttachtotheDB2instance.

db2 => attach to $DB2INSTANCE

2. RunthefollowingcommandfromtheDB2commandwindow:

db2 => get database manager configuration

29|P a g e

3. LocateAUDIT_BUF_SZ valueintheoutput:

db2 => get database manager configuration db2 => … Audit buffer size (4KB) (AUDIT_BUF_SZ) = 1000

EnsureAUDIT_BUF_SZisgreaterthanorequalto1000.

Remediation:

Performthefollowingtoestablishanauditbuffer:

1. AttachtotheDB2instance



db2 => update database manager configuration using audit_buf_sz 1000

30|P a g e

3.1.2Encryptuserdataacrossthenetwork(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

DB2supportsanumberofauthenticationmechanisms.ItisrecommendedthattheDATA_ENCRYPTauthenticationmechanismbeused.

Rationale:

TheDATA_ENCRYPT authenticationmechanismemployscryptographicalgorithmstoprotecttheconfidentialityofauthenticationcredentialsanduserdataastheytraversethenetworkbetweentheDB2clientandserver.

Audit:

Performthefollowingtodetermineiftheauthenticationmechanismissetasrecommended:





3. LocatetheAUTHENTICATION valueintheoutput:

db2 => get database manager configuration db2 => … Database manager authentication (AUTHENTICATION) = DATA_ENCRYPT

Note:AUTHENTICATION issettoDATA_ENCRYPT intheaboveoutput.

31|P a g e

Remediation:

SuggestedvalueisDATA_ENCRYPTsothatauthenticationoccursattheserver.




db2 => update database manager configuration using authentication data_encrypt

32|P a g e

3.1.3Requireexplicitauthorizationforcataloging(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

DB2canbeconfiguredtoallowusersthatdonotpossesstheSYSADM authoritytocataloganduncatalogdatabasesandnodes.Itisrecommendedthatthecatalog_noauth parameterbesettoNO.

Rationale:

Catalogingadatabaseistheprocessofregisteringadatabasefromaremoteclienttoallowremotecallandaccess.Settingcatalog-noauth toYES bypassesallpermissionschecksandallowsanyonetocataloganduncatalogdatabases.

Audit:

Performthefollowingtodetermineifauthorizationisexplicitlyrequiredtocataloganduncatalogdatabasesandnodes:





3. LocatethevalueofCATALOG_NOAUTHintheoutput:

db2 => get database manager configuration db2 => … Cataloging allowed without authority (CATALOG_NOAUTH) = NO

Note:CATALOG_NOAUTH issettoNO intheaboveoutput.

33|P a g e

Remediation:

Performthefollowingtorequireexplicitauthorizationtocataloganduncatalogdatabasesandnodes.




db2 => update database manager configuration using catalog_noauth no

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_9.1.0/com.ibm.db2.udb.admin.doc/doc/r0000143.htm?cp=SSEPGG_9.1.0%2F11-0-0-4-3

34|P a g e

3.1.4Disabledatalinkssupport(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Datalinks enablesthedatabasetosupporttheDataLinksManagertomanageunstructureddata,suchasimages,largefilesandotherunstructuredfilesonthehost.Itisrecommendedthatdatalinkssupportbedisabled.

Rationale:

Disabledatalinks ifthereisnouseforthemasthiswillreducetheattacksurfaceoftheDB2service.

Audit:

PerformthefollowingDB2commandstoobtainthevalueforthissetting:





3. LocatethisvalueofDATALINKS intheoutput:

db2 => get database manager configuration db2 => … Data Links support (DATALINKS) = NO

Note:DATALINKSissettoNOintheaboveoutput.

35|P a g e

Remediation:




db2 => update database manager configuration using datalinks no

36|P a g e

3.1.5Securepermissionsfordefaultdatabasefilepath(Scored)


•Level1-RDBMS

•Level2-RDBMS



Description:

Thedftdbpath parametercontainsthedefaultfilepathusedtocreateDB2databases.ItisrecommendedthatthepermissionsforthisdirectorybesettofullaccessforDB2administratorsandreadandexecuteaccessonlyforallotheraccounts.ItisalsorecommendedthatthisdirectorybeownedbytheDB2Administrator.

Rationale:

Restrictingaccesstothedirectoryusedasthedefaultfilepaththroughpermissionswillhelpensurethattheconfidentiality,integrity,andavailabilityofthefilesthereareprotected.

Audit:

ForWindowsandLinux:



2.RunthefollowingcommandfromtheDB2commandwindow:


3.Locatethisvalueintheoutputtofindthedefaultfilepath:

db2 => get database manager configuration db2 => … Default database path (DFTDBPATH) = <valid directory>

37|P a g e

AdditionalstepsforWindows:

1. ConnecttotheDB2host2. Right-clickoverthedirectoryusedforthedefaultfilepath3. ChooseProperties4. SelecttheSecuritytab5. Reviewandverifytheprivilegesforallaccounts.6. ReviewandverifythattheDB2Administratoristheownerofthedirectory.

AdditionalstepsforLinux:

1. ConnecttotheDB2host2. Changetothedirectoryusedasthedefaultfilepath3. Reviewandverifythepermissionsforthedirectoryforallusers;alsoensurethat

theDB2Administratoristheowner.

OS => ls -al

Remediation:

ForWindowsandLinux:



2.RunthefollowingcommandfromtheDB2commandwindowtochangethedefaultfilepath,ifnecessary:

db2 => update database manager configuration using dftdbpath <valid directory>


1. ConnecttotheDB2host2. Right-clickoverthedirectoryusedasthedefaultfilepath3. ChooseProperties4. SelecttheSecuritytab5. AssignownershipofthedirectorytotheDB2Administrator6. GrantallDBadministratoraccountstheFullControlauthority7. Grantonlyreadandexecuteprivilegestoallotherusers(revokeallotherprivileges)

38|P a g e


1. ConnecttotheDB2host2. Changetothedirectoryusedasthedefaultfilepath3. AssigntheDB2Administratortobetheownerofthedirectoryusingthechown

command4. Changethepermissionsforthedirectory

OS => chmod -R 755

39|P a g e

3.1.6Setdiagnosticloggingtocaptureerrorsandwarnings(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thediaglevel parameterspecifiesthetypeofdiagnosticerrorsthatwillberecordedinthedb2diag.log file.Itisrecommendedthatthediaglevel parameterbesettoatleast3.

Rationale:

Therecommendeddiaglevelsettingis3,butanyvaluegreaterthan3isalsoacceptable.Avalueofatleast3willallowtheDB2instancetocaptureallerrorsandwarningsthatoccuronthesystem.

Audit:






3. LocatetheDIAGLEVEL valueintheoutput:

db2 => get database manager configuration db2 => … Diagnostic error capture level (DIAGLEVEL) = 3

EnsureDIAGLEVELisgreaterthanorequalto3.

40|P a g e

Remediation:




db2 => update database manager configuration using diaglevel 3

41|P a g e

3.1.7Securepermissionsforalldiagnosticlogs(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thediagpath parameterspecifiesthelocationofthediagnosticfilesfortheDB2instance.Thedirectoryatthislocationshouldbesecuredsothatusershavereadandexecuteprivilegesonly(nowriteprivileges).AllDB2administratorsshouldhavefullaccesstothedirectory.

Rationale:

Securingthedirectorywillensurethattheconfidentiality,integrity,andavailabilityofthediagnosticfilescontainedinthedirectoryarepreserved.

Audit:

ForbothWindowsandLinux,performthefollowingDB2commandstoobtainthelocationofthedirectory:





3. LocatetheDIAGPATH valueintheoutput:

db2 => get database manager configuration db2 => … Diagnostic data directory path (DIAGPATH) = <valid directory>


1. ConnecttotheDB2host2. Right-clickoverthediagnosticlogdirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewtheaccessforallaccounts

42|P a g e


1. ConnecttotheDB2host2. Changetothediagnosticlogdirectory3. Reviewthepermissionsofthedirectory

OS => ls -al

Remediation:

ForWindowsandLinux,tochangethedirectoryforthediagnosticlogs:




db2 => update database manager configuration using diagpath <valid directory>


1. ConnecttotheDB2host2. Right-clickoverthediagnosticlogdirectory3. ChooseProperties4. SelecttheSecuritytab5. GranttheFullControlauthoritytoallDB2administratoraccounts6. Grantonlyreadandexecuteprivilegestoallotheraccounts(revokeanyother

privileges)


1. ConnecttotheDB2host2. Changetothediagnosticlogdirectory3. Changethepermissionsofthedirectory

OS => chmod -R 755

43|P a g e

3.1.8Requireinstancenamefordiscoveryrequests(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thediscover parameterdetermineswhatkindofdiscoveryrequests,ifany,theDB2serverwillfulfill.ItisrecommendedthattheDB2serveronlyfulfillrequestsfromclientsthatknowthegiveninstancename(discover parametervalueofknown).

Rationale:

DiscoverycapabilitiesmaybeusedbyamaliciousentitytoderivethenamesofandtargetDB2instances.Inthisconfiguration,theclienthastospecifyaknowninstancenametobeabletodetecttheinstance.

Audit:






3. LocatetheDISCOVER valueintheoutput:

db2 => get database manager configuration db2 => … Discovery mode (DISCOVER) = KNOWN

Note:DISCOVER issettoKNOWN intheaboveoutput.

44|P a g e

Remediation:

TherecommendedvalueisKNOWN.Note:thisrequiresaDB2restart.




db2 => update database manager configuration using discover known

3. RestarttheDB2instance.

db2 => db2stop db2 => db2start

Impact:

Itisimportanttobeawarethattheimplementationofthisrecommendationresultsinabriefdowntime.Itisadvisabletoensurethatthesettingisimplementedduringanapprovedmaintenancewindow.

45|P a g e

3.1.9Disableinstancediscoverability(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thediscover_inst parameterspecifieswhethertheinstancecanbediscoveredinthenetwork.Itisrecommendedthatinstancesnotbediscoverable.

Rationale:

DiscoverycapabilitiesmaybeusedbyamaliciousentitytoderivethenamesofandtargetDB2instances.

Audit:






3. LocatetheDISCOVER_INSTvalueintheoutput:

db2 => get database manager configuration db2 => … Discover server instance (DISCOVER_INST) = DISABLE

Note:DISCOVER_INSTissettoDISABLEintheaboveoutput.

Remediation:




db2 => update database manager configuration using discover_inst disable

46|P a g e

3.1.10Authenticatefederatedusersattheinstancelevel(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thefed_noauth parameterdetermineswhetherfederatedauthenticationwillbebypassedattheinstance.Itisrecommendedthatthisparameterbesettono.

Rationale:

Settingfed_noauth tono willensurethatauthenticationischeckedattheinstancelevel.Thiswillpreventanyfederatedauthenticationfrombypassingtheclientandtheserver.

Audit:






3. LocatetheFED_NOAUTHvalueintheoutput:

db2 => get database manager configuration db2 => … Bypass federated authentication (FED_NOAUTH) = NO

Note:FED_NOAUTH issettoNO intheaboveoutput.

47|P a g e

Remediation:




db2 => update database manager configuration using fed_noauth no

48|P a g e

3.1.11Setmaximumconnectionlimits(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Themax_connections parameterindicatesthemaximumnumberofclientconnectionsallowedperdatabasepartition.Itisrecommendedthatthisparameterbesetequaltothemax_coordagents parameter.Themax_coordagents parameterequalsthemaximumnumberofagentsneededtoperformconnectionstothedatabaseorattachmentstotheinstance.

NOTE:Ensurethatdependentparameters,suchasmaxappls,aresetlessthanthemax_coordagents parameter.Thiswouldensurethatthelocklimitisn'treached,whichwouldresultinlockescalationissues.

Rationale:

Bydefault,DB2allowsanunlimitednumberofuserstoaccesstheDB2instance.InadditiontogivingaccesstotheDB2instancetoauthorizedusersonly,itisrecommendedtosetalimittothenumberofusersallowedtoaccessaDB2instance.Thishelpspreventdenialofserviceconditionsshouldanauthorizedprocessmalfunctionandattemptalargenumberofsimultaneousconnections.

Audit:

PerformthefollowingDB2commandstoobtainthevalue(s)forthesesettings:





49|P a g e

3. LocatetheMAX_CONNECTIONS andMAX_COORDAGENTS valuesintheoutput:

db2 => get database manager configuration db2 => … Max number of client connections (MAX_CONNECTIONS) = 150 Max number of existing agents (MAX_COORDAGENTS) = 150

Note:MAX_CONNECTIONS issetto150 andtheMAX_COORDAGENTS issetto150 intheaboveoutput.

PerformthefollowingDB2commandstoobtainthevalueoftheMAXAPPLSparameter:

1. ConnecttotheDB2database.

db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD


db2 => get database configuration

3. LocatetheMAXAPPLS valueintheoutput:

db2 => get database configuration db2 => … Max Number of Active Applications (MAXAPPLS) = [99]

Note:MAXAPPLS issetto99 intheaboveoutput.

50|P a g e

Remediation:

Thedefaultvalueformax_coordagents issettoAUTOMATIC.Allowablerangeis1to64,000,or-1forunlimited.Therecommendedvalueis100.Thefollowingcommandwillsetthemax_coordagents to100,aswellassetthemax_connections toAUTOMATIC whichisalsorecommended.




db2 => update database manager configuration using max_coordagents 100 AUTOMATIC

Ifmaxappls isNOTlessthanthevalueformax_coordagents,thenadjustthevalueofmaxapplsaccordingly:

db2 => update database configuration using maxappls <a number less then max_coordagents>

DefaultValue:

Thedefaultvalueformax_connections isAUTOMATIC.

Thedefaultvalueformax_coordagents isAUTOMATIC.

ThedefaultvalueformaxapplsisAUTOMATIC.

51|P a g e

3.1.12Setadministrativenotificationlevel(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thenotifylevel parameterspecifiesthetypeofadministrationnotificationmessagesthatarewrittentotheadministrationnotificationlog.Itisrecommendedthatthisparameterbesetgreaterthanorequalto3.Asettingof3,whichincludessettings1&2,willlogallfatalerrors,failingservices,systemintegrity,aswellassystemhealth.

Rationale:

ThesystemshouldbemonitoringallHealthMonitoralarms,warnings,andattentions.ThismaygiveanindicationofanymalicioususageontheDB2instance.

Audit:






3. LocatetheNOTIFYLEVEL valueintheoutput:

db2 => get database manager configuration db2 => … Notify Level (NOTIFYLEVEL) = 3

Note:NOTIFYLEVEL issetto3 intheaboveoutput.

52|P a g e

Remediation:




db2 => update database manager configuration using notifylevel 3

DefaultValue:

Thedefaultvalueofnotifylevelis3.

53|P a g e

3.1.13Enableserver-basedauthentication(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thesrvcon_auth parameterspecifieshowandwhereauthenticationistotakeplaceforincomingconnectionstotheserver.ItisrecommendedthatthisparameterisnotsettoCLIENT.

Rationale:

Thisparameterwilltakeprecedenceoverandoverridetheauthenticationlevel.Authenticationshouldbesetontheserverside.

Audit:






3. LocatetheSRVCON_AUTH valueintheoutput:

db2 => get database manager configuration db2 => … Server Connection Authentication (SRVCON_AUTH) = SERVER

Note:SRVCON_AUTH issettoSERVER intheaboveoutput.

54|P a g e

Remediation:

TherecommendedvalueisSERVER.Note:thiswillrequireaDB2restart.




db2 => update database manager configuration using srvcon_auth server

3. RestarttheDB2instance.

db2 => db2stop db2 => db2start

Impact:

Itisimportanttobeawarethattheimplementationofthisrecommendationresultsinabriefdowntime.Itisadvisabletoensurethatthesettingisimplementedduringanapprovedmaintenancewindow.

55|P a g e

3.1.14Setfailedarchiveretrydelay(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thearchretrydelay parameterspecifiesthenumberofsecondstheDB2servicewillwaitbeforeitreattemptstoarchivelogfilesafterafailure.Itisrecommendedthatthisparameterbesetanywhereintherangeof10-30.Youdonotwantthedelaytobesoshortthatthedatabaseendsupinadenialofservicescenario,butyoudon'twantthedelaytobetoolongifanoutsideattackhappensatthesametime.

Rationale:

Ensurethatthevalueisnon-zero,otherwisearchiveloggingwillnotretryafterthefirstfailure.Adenialofserviceattackcanrenderthedatabasewithoutanarchivelogifthissettingisnotset.Anarchivelogwillensurethatalltransactionscansafelyberestoredorloggedforauditing.

Audit:






3. LocatetheARCHRETRYDELAY valueintheoutput:

db2 => get database configuration db2 => … Log archive retry Delay (secs) (ARCHRETRYDELAY) = 20

Note:ARCHRETRYDELAY issetto20 intheaboveoutput.

56|P a g e

Remediation:

1. ConnecttotheDB2database


2. Tosuccessfullysetthearchretrydelay withinthe10-30range,runthefollowingcommandfromtheDB2commandwindow:

db2 => update database configuration using archretrydelay nn (where nn is a range between 10-30)

DefaultValue:

Thedefaultvalueforarchretrydelayis20

57|P a g e

3.1.15Auto-restartafterabnormaltermination(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Theautorestart parameterspecifiesifthedatabaseinstanceshouldrestartafteranabnormaltermination.ItisrecommendedthatthisparameterbesettoON.

Rationale:

Settingthedatabasetoauto-restartwillreducethedowntimeofthedatabase.

Audit:






3. LocatetheAUTORESTART valueintheoutput:

db2 => get database configuration db2 => … Auto restart enabled (AUTORESTART) = ON

Note:AUTORESTART issettoON intheaboveoutput.

Remediation:




db2 => update database configuration using autorestart on

58|P a g e

3.1.16Disabledatabasediscovery(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thediscover_db parameterspecifiesifthedatabasewillrespondtoadiscoveryrequestfromaclient.ItisrecommendedthatthisparameterbesettoDISABLE.

Rationale:

Settingthedatabasediscoverytodisabledcanhideadatabasewithsensitivedata.

Audit:






3. LocatetheDISCOVER_DB valueintheoutput:

db2 => get database configuration db2 => … Discovery support for this database (DISCOVER_DB) = DISABLE

Note:DISCOVER_DB issettoDISABLE intheaboveoutput.

59|P a g e

Remediation:




db2 => update database configuration using discover_db disable

60|P a g e

3.1.17Securepermissionsfortheprimaryarchiveloglocation(Scored)


•Level1-RDBMS

•Level2-RDBMS



Description:

Thelogarchmeth1 parameterspecifiesthetypeofmediaandthelocationusedastheprimarydestinationofarchivedlogs.ItisrecommendedthatthedirectoryusedforthearchivedlogsbesettofullaccessforDB2administratoraccountsandreadandexecuteforallotheraccounts.

Rationale:

Restrictingaccesstothecontentsoftheprimaryarchivelogdirectorywillhelpensurethattheconfidentiality,integrity,andavailabilityofarchivelogsareprotected.Althoughtherearemanywaystoensurethatyourprimarylogswillbearchived,werecommendusingthevalueofDISKaspartofthelogarchmeth1 parameter.Thiswillproperlyensurethattheprimarylogsarearchived.AfindingofOFFisnotacceptable.

Audit:

ForWindowsandLinux:

1.AttachtotheDB2instance.




3.Locatethisvalueintheoutputtofindtheprimaryarchivelogdirectory:

db2 => get database manager configuration db2 => ... Default database path (LOGARCHMETH1) = <valid directory>

61|P a g e


1. ConnecttotheDB2host2. Right-clickontheprimaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewandverifytheprivilegesforallaccounts


1. ConnecttotheDB2host2. Changetotheprimaryarchivelogdirectory3. Reviewandverifythepermissionsforthedirectoryforallusers.

OS => ls -al

Remediation:

ForWindowsandLinux:

1. AttachtotheDB2instance.2. RunthefollowingcommandfromtheDB2commandwindowtochangetheprimary

archivelogdirectory,ifnecessary:

db2 => update database configuration using logarchmeth1 <valid directory>

AdditionalstepsforWindows(assumingthatthelogarchmeth1parameterincludesDISK):

1. ConnecttotheDB2host2. Right-clickontheprimaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. GrantallDB2administratoraccountstheFullControlauthority6. Grantallotheraccountsreadandexecuteprivilegesonly(revokeallother

privileges)

AdditionalstepsforLinux(assumingthatthelogarchmeth1parameterincludesDISK):

1. ConnecttotheDB2host2. Changetotheprimaryarchivelogdirectory3. Changethepermissionsforthedirectory

OS => chmod -R 755

62|P a g e

3.1.18Securepermissionsforthesecondaryarchiveloglocation(Scored)




Description:

Thelogarchmeth2 parameterspecifiesthetypeofmediaandthelocationusedasthesecondarydestinationforarchivedlogs.ItisrecommendedthatthedirectoryusedforthearchivedlogsbesettofullaccessforDB2administratoraccountsandreadandexecuteonlyforallotheraccounts.

Rationale:

Restrictingaccesstothecontentsofthesecondaryarchivelogdirectorywillhelpensurethattheconfidentiality,integrity,andavailabilityofarchivelogsareprotected.Althoughtherearemanywaystoensurethatyourlogswillbearchived,werecommendusingthevalueofDISKaspartofthelogarchmeth2parameter.Thiswillproperlyensurethatthelogsarearchived.AfindingofOFFisnotacceptable.

Audit:

ForWindowsandLinux:





3.Locatethisvalueintheoutputtofindthesecondaryarchivelogdirectory:

db2 => get database manager configuration db2 => ... Default database path (LOGARCHMETH2) = <valid directory>


1. ConnecttotheDB2host2. Right-clickonthesecondaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewandverifytheprivilegesforallaccounts

63|P a g e


1. ConnecttotheDB2host2. Changetothesecondaryarchivelogdirectory3. Reviewandverifythepermissionsforthedirectoryforallusers

OS => ls -al

Remediation:

ForWindowsandLinux:

1. AttachtotheDB2instance.2. RunthefollowingcommandfromtheDB2commandwindowtochangethe

secondaryarchivelogdirectory,ifnecessary:

db2 => update database configuration using logarchmeth2 <valid directory>

AdditionalstepsforWindows(assumingthatthelogarchmeth2parameterincludesDISK):

1. ConnecttotheDB2host2. Right-clickonthesecondaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. GrantallDB2administratoraccountstheFullControlauthority6. Grantallotheraccountsreadandexecuteprivilegesonly(revokeallother

privileges)

AdditionalstepsforLinux(assumingthatthelogarchmeth2parameterincludesDISK):

1. ConnecttotheDB2host2. Changetothesecondaryarchivelogdirectory3. Changethepermissionsforthedirectory

OS => chmod -R 755

64|P a g e

3.1.19Securepermissionsforthetertiaryarchiveloglocation(Scored)


•Level1-RDBMS



Description:

Thefailarchpath parameterspecifiesthetypeofmediaandthelocationusedasthetertiarydestinationofarchivedlogs.ItisrecommendedthatthedirectoryusedforthearchivedlogsbesettofullaccessforDB2administratoraccountsandreadandexecuteonlyforallotheraccounts.

Rationale:

Restrictingaccesstothecontentsofthetertiaryarchivelogdirectorywillhelpensurethattheconfidentiality,integrity,andavailabilityofarchivelogsareprotected.Althoughtherearemanywaystoensurethatyourlogswillbearchived,werecommendusingthevalueofDISKaspartofthefailarchpathparameter.Thiswillproperlyensurethatthelogsarearchived.AfindingofOFFisnotacceptable.

Audit:

ForWindowsandLinux:





3.Locatethisvalueintheoutputtofindthetertiaryarchivelogdirectory:

db2 => get database manager configuration db2 => ... Default database path (FAILARCHPATH) = <valid directory>

65|P a g e


1. ConnecttotheDB2host2. Right-clickonthetertiaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewandverifytheprivilegesforallaccounts


1. ConnecttotheDB2host2. Changetothetertiaryarchivelogdirectory3. Reviewandverifythepermissionsforthedirectoryforallusers.

OS => ls -al

Remediation:

ForWindowsandLinux:

1. AttachtotheDB2instance.2. RunthefollowingcommandfromtheDB2commandwindowtochangethetertiary

archivelogdirectory,ifnecessary:

db2 => update database configuration using failarchpath

AdditionalstepsforWindows(assumingthatthefailarchpathparameterincludesDISK):

1. ConnecttotheDB2host2. Right-clickonthetertiaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. GrantallDB2administratoraccountstheFullControlauthority6. Grantallotheraccountsreadandexecuteprivilegesonly(revokeallother

privileges)

ForLinux(assumingthatthefailarchpathparameterincludesDISK):

1. ConnecttotheDB2host2. Changetothetertiaryarchivelogdirectory3. Changethepermissionsforthedirectory

OS => chmod -R 755

66|P a g e

3.1.20Securepermissionsforthelogmirrorlocation(Scored)


•Level1-RDBMS

Description:

Themirrorlogpath parameterspecifiesthetypeofmediaandthelocationusedtostorethemirrorcopyofthelogs.ItisrecommendedthatthedirectoryusedforthemirrorcopyofthelogsbesettofullaccessforDB2administratoraccountsandreadandexecuteonlyforallotheraccounts.

Rationale:

Amirrorlogpathshouldnotbeemptyanditshouldbeavalidpath.Themirrorlogpathstoresasecondcopyoftheactivelogfiles.Accesstothedirectorypointedtobythatpathshouldberestrictedthroughpermissionstohelpensurethattheconfidentiality,integrity,andavailabilityofthemirrorlogsareprotected.

Audit:

ForWindowsandLinux,performthefollowingDB2commandstoobtainthedirectorylocation:





3. LocatetheMIRRORLOGPATH valueintheoutput:

db2 => get database configuration db2 => … Mirror log path (MIRRORLOGPATH) = C:\DB2MIRRORLOGS

Note:MIRRORLOGPATH issettoC:\DB2MIRRORLOGSintheaboveoutput.

67|P a g e


1. ConnecttotheDB2host2. Right-clickonthemirrorlogdirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewandverifytheprivilegesforallaccounts


1. ConnecttotheDB2host2. Changetothemirrorlogdirectory3. Reviewandverifythepermissionsforthedirectoryforallusers.

OS => ls -al

Remediation:

ForWindowsandLinux:



2. RunthefollowingcommandfromtheDB2commandwindowtochangethemirrorlogdirectory,ifnecessary:

db2 => update database configuration using mirrorlogpath <valid path>


1. ConnecttotheDB2host2. Right-clickontheprimaryarchivelogdirectory3. ChooseProperties4. SelecttheSecuritytab5. GrantallDB2administratoraccountstheFullControlauthority6. Grantallotheraccountsreadandexecuteprivilegesonly(revokeallother

privileges)


1. ConnecttotheDB2host2. Changetothemirrorlogdirectory3. Changethepermissionsforthedirectory

OS => chmod -R 755

68|P a g e

3.1.21Establishretentionsetsizeforbackups(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thenum_db_backups parameterspecifiesthenumberofbackupstoretainforadatabasebeforemarkingtheoldestbackupasdeleted.Itisrecommendedthatthisparameterbesettoatleast12.

Rationale:

Retainmultiplecopiesofthedatabasebackuptoensurethatthedatabasecanrecoverfromanunexpectedfailure.Thisparametershouldnotbesetto0.Multiplebackupsshouldbekepttoensurethatalllogsandtransactionscanbeusedforauditing.

Audit:






3. LocatetheNUM_DB_BACKUPS valueintheoutput:

db2 => get database configuration db2 => … Number of database backups to retain (NUM_DB_BACKUPS) = 12

Note:NUM_DB_BACKUPS issetto12 intheaboveoutput.

69|P a g e

Remediation:




db2 => update database configuration using num_db_backups 12

70|P a g e

3.1.22Setarchivelogfailoverretrylimit(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Thenumarchretry parameterdetermineshowmanytimesadatabasewilltrytoarchivethelogfiletotheprimaryorthesecondaryarchivedestinationbeforetryingthefailoverdirectory.Itisrecommendedthatthisparameterbesetto5.

Rationale:

Establishingafailoverretrytimelimitwillensurethatthedatabasewillalwayshaveameanstorecoverfromanabnormaltermination.Thisparametershouldnotbesetto0.

Audit:






3. LocatetheNUMARCHRETRY valueintheoutput:

db2 => get database configuration db2 => … Number of log archive retries on error (NUMARCHRETRY) = 5

Note:NUMARCHRETRY issetto5 intheaboveoutput.

71|P a g e

Remediation:




db2 => update database configuration using numarchretry 5

72|P a g e

3.2DatabaseManagerConfigurationparameters

DatabaseConfigurationParameterssetseveralresourcelimits[values]tobeallocatedtoadatabase.Manydatabaseconfigurationparameterscanbemodifiedtooptimizeperformanceandcapacity.

3.2.1TCP/IPservicename-svcename(Scored)


•Level2-RDBMS

Description:

Thesvcename parameterreservestheportnumber(orname,onLinuxhosts)forlisteningtoincomingcommunicationsfromaDataServerRuntimeClient.BoththedatabaseserverportnumberornameandtheTCP/IPservicenamemustbedefinedonthedatabaseclient.

Rationale:

Whenthedatabaseserverisstarted,aportnumberornameisrequiredtolistenforincomingconnectionrequests.Thesvcename parameterdefinestheportnumberornameforincomingconnectionrequests.OnLinuxsystems,theservicesfileisfoundat:/etc/services

Audit:

1.Runthefollowingcommandtodetermineifthesvcename parametervalueiscorrectlysetandisnotthedefaultport(50000).

select name, value from sysibmadm.dbmcfg where name = 'svcename'

Remediation:

1.Runthefollowingcommandtosetthesvcename parametervalue.

update dbm cfg using svcename <value> immediate or deferred

References:

1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0000273.html?lang=en

73|P a g e

3.2.2SSLservicename-ssl_svcename(Scored)


•Level2-RDBMS

Description:

Thessl_svcename configurationparameterdefinesthenameornumberoftheportthedatabaseserverlistensforcommunicationsfromremoteclientnodesusingSSLprotocol.Thessl_svcename andthesvcenameportnumberscannotbethesame.

OnLinuxoperatingsystems,thessl_svcenamefileislocatedin:/etc/services

Rationale:

ThedatabaserequiresadefinedporttolistenforincomingremoteclientsusingtheSSLprotocol.Thessl_svcename configurationparameterdefinestheportforcommunicatingwithremoteclients.

Considerusinganon-defaultporttohelpprotectthedatabasefromattacksdirectedtoadefaultport.

Audit:

1.Runthefollowingcommandtodetermineifthecurrentssl_svcename parametervalueiscorrectlysetandisnotadefaultport(50000).

select name, value from sysibmadm.dbmcfg where name = 'ssl_svcename'

Remediation:

1.Runthefollowingcommandtosetthessl_svcename parametervalue.

update dbm cfg using ssl_svcename <value> immediate or deferred

DefaultValue:

Null

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0053615.html

74|P a g e

3.2.3Authenticationtypeforincomingconnectionsattheserver-srvcon_auth(Scored)


•Level2-RDBMS

Description:

Thesrvcon_authparameterdefineswhereandhowuserauthenticationisdoneforincomingconnectionsattheserver.Ifnovalueisused,DB2usesthedatabasemanagerconfigurationparameterauthentication.

Rationale:

IncomingconnectionstotheDB2servermustfollowanauthenticationprotocol.Thesrvcon_authserverconfigurationparameterdefineshowandwhereuserauthenticationisdone.

Audit:

1.Runthefollowingcommandtoidentifythecurrentvalueofthesrvcon_authdatabaseconfigurationparameter:

select name, value from sysibmadm.dbmcfg where name = 'srvcon_auth'

Remediation:

1.Runthefollowingcommandtoupdatethecurrentvalueofthesrvcon_authdatabaseconfigurationparametertothecorrectvalue:

db2 => update dbm cfg using srvcon_auth <any supported authentication>

DefaultValue:

Notspecified

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0011454.html?lang=en

75|P a g e

3.2.4DatabaseManagerConfigurationparameter:trust_allclnts(NotScored)






Description:

Thisparameterisusedtodeterminewhereusersarevalidatedwithinthedatabaseenvironment(client-sideauthentication).Iftheparameterissetto'YES',theserverassumesthattheclientsideishandlingauthenticationtothedatabase.Iftheparameterissetto'NO',theclientmustprovideauthenticationtotheserveronbehalfoftheuser.ThisparameterisonlyactivewhentheauthenticationparameterissettoCLIENT.

Rationale:

Thisparameterisreliedupontodeterminewhethereachuser(client)needstobeauthenticatedbytheserveroriftheservershouldassumethateachuser(client)hasalreadybeensufficientlyauthenticated.

Audit:

Issuethefollowingcommandtocheckthevalueoftheparameter:

db2=> select name, value from sysibmadm.dbmcfg where name = 'trust_allclnts'

Thevalueshouldbe'YES'forclient-sideauthenticationand'NO'forserver-sideauthentication.

76|P a g e

Remediation:

Tospecifyclient-sideauthentication,issuethefollowingcommandtosettheparameterto'YES':

db2=> update dbm cfg using trust_allclnts YES

Tospecifyserver-sideauthentication,issuethefollowingcommandtosettheparameterto'NO':

db2=> update dbm cfg using trust_allclnts NO

References:

1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0000380.html

77|P a g e

3.2.5DatabaseManagerConfigurationparameter:trust_clntauth(NotScored)






Description:

Thisparameterspecifieswhereatrustedclientisauthenticated(attheserverortheclient)ifitprovidesauserIDandpassword.

Iftheparameterissetto'CLIENT',theuserIDandpasswordarenotneeded,butiftheyareprovided,authenticationwilloccurattheclient.

Iftheparameterissetto'SERVER',theuserIDandpasswordareneededandwillbeauthenticatedattheserver.

Thisparameterisonlyactiveiftheauthenticationparameterissetto'CLIENT'.

Rationale:

ThisparameterisreliedupontodeterminewhethereachtrustedclientneedstobeauthenticatedbytheserverortheclientafterprovidingauserIDandpassword.

Audit:

Issuethefollowingcommandtocheckthevalueoftheparameter:

db2=> select name, value from sysibmadm.dbmcfg where name = 'trust_clntauth'

Thevalueshouldbe'CLIENT'forclient-sideauthenticationand'SERVER'forserver-sideauthentication.

Remediation:

Issuethefollowingcommandtosettheparameterto'CLIENT'or'SERVER':

db2=> update dbm cfg using trust_clntauth <CLIENT/SERVER>

78|P a g e

References:

1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.config.doc/doc/r0000381.html

79|P a g e

4RowandColumnAccessControl(RCAC)

DB2RCACcontrolsaccesstoatableattherowandcolumnlevel.Rowandcolumnaccesscontrolissometimesreferredtoasfine-grainedaccesscontrolorFGAC.Identifyandgathertheorganization'ssecuritypolicies,managementandstaffroles,anduserandgroupliststocompareagainstexistingDB2RCACpoliciesforcompliance.

4.1ReviewOrganization'sPoliciesagainstDB2RCACPolicies(NotScored)


•Level2-RDBMS

Description:

DB2RowandColumnAccessControl(RCAC)PoliciescontrolaccesstoDB2tables.Theyshouldmatchtheorganization'ssecurityanddatabaseaccesspolicies,andtheyshouldberegularlyreviewedforgaps.

Rationale:

Missing,incomplete,orincorrectDB2RCACpolicieswillincreasetheriskstotheorganization'sprotecteddataandwillpreventeffortstomonitor,alert,andrespondtotheserisksinthefuture.

Audit:

ScheduleandcompletearegularreviewofallorganizationsecurityanddataaccessdatabasepoliciesagainstthecurrentDB2policiestodetermineifgapsexist.

1. Identifyeachwrittenorganizationpolicy.2. FindthematchingDB2RCACpolicy.3. DetermineiftheRCACpolicyappliesandcorrectlysupportsthewrittenpolicy.4. IfnomatchingDB2RCACpolicyisfound,recorda'gap'forfutureremediation.

Remediation:

1. CreateRCACpoliciesforeach'gap'listedfromtheAuditprocedure.2. ReviewthenewlycreatedDB2RCACpolicyagainsttheorganization'swritten

policies.

80|P a g e

DefaultValue:

Notinstalled

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0057423.html?lang=en

81|P a g e

4.2SecureSECADMAuthority(NotScored)


•Level1-RDBMS

Description:

TheSECADM (securityadministrator)rolegrantstheauthoritytocreate,alter(whereapplicable),anddroproles,trustedcontexts,auditpolicies,securitylabelcomponents,securitypoliciesandsecuritylabels.Itisalsotheauthorityrequiredtograntandrevokeroles,securitylabelsandexemptions,andtheSETSESSIONUSERprivilege.SECADM authorityhasnoinherentprivilegetoaccessdatastoredintables.ItisrecommendedthattheSECADM rolebegrantedtoauthorizedusersonly.

Rationale:

Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdataintheDB2instancewillbeatincreasedrisk.

Audit:

ItisimportanttoconsiderreviewingthemembersoftheSECADM authoritywhenimplementingthisrecommendation.SuchconsiderationofthisreviewisaddressedinSection7.5ofthisdocument.

Remediation:

ItisimportanttoconsiderreviewingthemembersoftheSECADM authoritywhenimplementingthisrecommendation.SuchconsiderationofthisreviewisaddressedinSection7.5ofthisdocument.

References:

1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0021054.html?lang=en

82|P a g e

4.3ReviewUsers,Groups,andRoles(NotScored)




Description:

Withrowandcolumnaccesscontrol,individualsarepermittedaccesstoonlythesubsetofdatathatisrequiredtoperformtheirjobtasks.Periodicreviewoftheseindividualsiscrucialwhentryingtokeepdatasecure.Asbusinessneedsmoveforward,requirementsbehindaccessingthedatamaychange,leadingtoarevisioninsecuritypolicy.Byinspectingthelistofusers,groups,androles,youareidentifyingexcessiveprivilegesthatcouldposepossiblesecuritythreatswithinyourinfrastructure.

Rationale:

Ifauser(eitherbyhimselforpartofagrouporrole)isnolongerrequiredaccesstothedatathatisprotectedbyrowandcolumnaccesscontrols,allowingthatindividualtomaintainaccessallowsthatindividualtocompromisetheconfidentiality,integrity,and/oravailabilityofthedataintheDB2instance.

Audit:

1.Reviewtheuserswithinyourdatabaseenvironment:

Linux:

cat /etc/passwd

Windows:

1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Users'4. Reviewusers

83|P a g e

2.Reviewthegroupswithinyourdatabaseenvironment:

Linux:

cat /etc/group

Windows:

1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Reviewgroups

3.Reviewtherolesandrolememberswithinyourdatabaseenvironment:

a.AttachtoDB2Instance:


b.ConnecttoDB2database:

db2 => connect to $DBNAME

c.Runthecommand:

db2 => select rolename, grantee from syscat.roleauth where grantortype <> 'S'

Remediation:

1.Toremoveusersfromyourdatabaseenvironment:

Linux:

userdel -r <user name>

Windows:

1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Users'4. Right-clickon<username>5. Select'Delete'

84|P a g e

2.Toremovegroupsfromyourdatabaseenvironment:

Linux:

groupdel <group name>

Windows:

1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Right-clickon<groupname>5. Select'Delete'

3.Toremoverolesorrolemembersfromyourdatabaseenvironment

a.AttachtoDB2Instance:


b.ConnecttoDB2database:


c.Toremoverolemembersfromroles:

db2 => revoke role <role name> from <user/group/role member>

d.Toremoveroles:

db2 => drop role <role name>

85|P a g e

4.4ReviewRowPermissionlogicaccordingtopolicy(NotScored)


•Level2-RDBMS

Description:

Thelogicbehindinstitutingrowpermissionsiscrucialforasuccessfulsecuritypolicy.Inspectingthislogicandcomparingittothesecuritypolicywillassurethatallaspectsofthedataaccesscontrolsarebeingadheredto.

Rationale:

MissingorincompleteDB2RCACSecurityPolicieswillincreasetheriskstotheorganization'sprotecteddataandwillpreventeffortstomonitor,alert,andrespondtotheserisksinthefuture.

Audit:

1.AttachtotheDB2Instance:


2.Connecttodatabaseenvironment:


3.Runthefollowingandreviewtheresultstoconfirmthattherowpermissionsarecorrectandthattheycomplywiththeexistingsecuritypolicy:

db2 => select role.rolename, control.ruletext from syscat.roles role inner join syscat.controls control on locate(role.rolename,control.ruletext) <> 0 where enable = 'Y' and enforced = 'A' and valid = 'Y' and controltype = 'R'

Remediation:

1.CreateRCACPoliciesforeach'gap'listedfromtheAuditprocedure.

2.ReviewthenewlycreatedDB2RCACpolicyagainsttheorganization'spolicy

References:


86|P a g e

4.5ReviewColumnMasklogicaccordingtopolicy(NotScored)


•Level2-RDBMS

Description:

Thelogicbehindinstitutingcolumnmasksiscrucialforasuccessfulsecuritypolicy.Inspectingthislogicandcomparingittothesecuritypolicywillassurethatallaspectsofthedataaccesscontrolsarebeingadheredto.

Rationale:

MissingorincompleteDB2RCACsecuritypolicieswillincreasetheriskstotheorganization'sprotecteddataandwillpreventeffortstomonitor,alert,andrespondtotheserisksinthefuture.

Audit:

1.AttachtotheDB2Instance:


2.Connecttodatabaseenvironment:


3.Runthefollowingandreviewtheresultstoverifythatthepermissionsarecorrectandthattheycomplywiththeorganization'sexistingsecuritypolicy:

db2 => select role.rolename, control.colname, control.ruletext from syscat.roles role inner join syscat.controls control on locate(role.rolename,control.ruletext) <> 0 where enable = 'Y' and enforced = 'A' and valid = 'Y' and controltype = 'C'

Remediation:

1.CreateRCACPoliciesforeach'gap'listedfromtheAuditprocedure.

2.ReviewthenewlycreatedDB2RCACpolicyagainsttheorganization'swrittenpolicy.

References:


87|P a g e

5DatabaseMaintenance

Thissectionprovidesguidanceonprotectingandmaintainingthedatabaseinstance.

5.1EnableBackupRedundancy(NotScored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Backupredundancyensuresthatmultipleinstancesofdatabasebackupsexist.

Rationale:

MaintainingredundantcopiesofdatabasebackupswillincreasebusinesscontinuitycapabilitiesshouldaDB2servicefailurecoincidewithacorruptbackup.

Audit:

Reviewthereplicationofyourbackupsbasedonorganizationpolicy.

Remediation:

Defineandimplementaprocesstoreplicateyourbackupsontomultiplelocations.

88|P a g e

5.2ProtectingBackups(NotScored)


•Level1-RDBMS

Description:

Backupsofyourdatabaseshouldbestoredsecurelyinalocationwithfullaccessforadministrators,readandexecuteaccessforgroup,andnoaccessforusers.

Rationale:

Backupsmaycontainsensitivedatathatattackerscanusetoretrievevaluableinformationabouttheorganization.

Audit:

Reviewtheprivilegesappliedtoyourbackups.

Remediation:

Defineasecuritypolicyforallbackupsthatspecifiestheprivilegestheyshouldbeassigned.

89|P a g e

5.3EnableAutomaticDatabaseMaintenance(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

EnableautomaticdatabasemaintenanceonyourDB2instance.ItisrecommendedthattheDB2AutomaticMaintenancetoolbeusedtoensurethattheinstanceisperformingoptimally.

Rationale:

Awell-maintainedDB2instancewillprovideaccesstothedataandreducedatabaseoutages.

Audit:


1. ConnecttotheDB2database:



db2 => update database configuration

3. Locatethisvalueintheoutput:

db2 => get database configuration db2 => … Automatic maintenance (AUTO_MAINT) = ON

Note:AUTO_MAINT issettoON intheaboveoutput.

90|P a g e

Remediation:

1. ConnecttotheDB2database:



db2 => update database configuration using auto_maint on

91|P a g e

6SecuringDatabaseObjects

Note:SYSCAT viewshaveunderlyingSYSIBM tablesthatarealsograntedaccessbythePUBLIC groupbydefault.Ensurethatpermissionsappliedtothesetablesrevokeaccessfromunnecessaryusers.IfthedatabasewascreatedusingtheRESTRICTIVE option,thengrantstoPUBLIC arevoided.

6.1RestrictAccesstoSYSCAT.AUDITPOLICIES(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.AUDITPOLICIES viewcontainsallauditpoliciesforadatabase.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

Thisviewcontainssensitiveinformationabouttheauditingsecurityforthisdatabase.Accesstotheauditpoliciesmayaidattackersinavoidingdetection.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUDITPOLICIES' and grantee = 'PUBLIC'

3. Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.

92|P a g e

Remediation:

PerformthefollowingtorevokeaccessfromPUBLIC.




db2 => REVOKE SELECT ON SYSCAT.AUDITPOLICIES FROM PUBLIC

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050610.html?cp=SSEPGG_10.5.0%2F2-12-8-2&lang=en

93|P a g e

6.2RestrictAccesstoSYSCAT.AUDITUSE(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.AUDITUSE viewcontainsdatabaseauditpolicyforallnon-databaseobjects,suchasauthority,groups,roles,andusers.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

Thisviewcontainssensitiveinformationaboutthetypesofobjectsbeingaudited.Accesstotheauditpolicymayaidattackersinavoidingdetection.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUDITUSE' and grantee = 'PUBLIC'


Remediation:

RevokeaccessfromPUBLIC.




db2 => REVOKE SELECT ON SYSCAT.AUDITUSE FROM PUBLIC

94|P a g e

6.3RestrictAccesstoSYSCAT.DBAUTH(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.DBAUTH viewcontainsinformationonauthoritiesgrantedtousersorgroupsofusers.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

Thisviewcontainsallthegrantsinthedatabaseandmaybeusedasanattackvector.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'DBAUTH' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.DBAUTH FROM PUBLIC

95|P a g e

References:


96|P a g e

6.4RestrictAccesstoSYSCAT.COLAUTH(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.COLAUTHviewcontainsthecolumnprivilegesgrantedtotheuser,group,orroleinthedatabase.

Rationale:

TheSYSCAT.COLAUTHviewcontainsthecolumnprivilegesgrantedtotheuseroragroupofusers.ItisrecommendedthatthePUBLICroleberestrictedfromaccessingthisview.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'COLAUTH' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.COLAUTH FROM PUBLIC

97|P a g e

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.dbobj.doc/doc/t0005379.html?lang=en

98|P a g e

6.5RestrictAccesstoSYSCAT.EVENTS(Scored)


•Level2-RDBMS

Description:

TheSYSCAT.EVENTS viewcontainsalltypesofeventsthatthedatabaseiscurrentlymonitoring.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

Thetypesofeventsthatthedatabaseismonitoringshouldnotbemadereadilyavailabletothepublic.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'EVENTS' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.EVENTS FROM PUBLIC

99|P a g e

References:


100|P a g e

6.6RestrictAccesstoSYSCAT.EVENTTABLES(Scored)


•Level2-RDBMS

Description:

TheSYSCAT.EVENTTABLES viewcontainsthenameofthedestinationtablethatwillreceivethemonitoringevents.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLICshouldnothaveaccesstoseethetargetnameoftheeventmonitoringtable.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'EVENTTABLES' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.EVENTTABLES FROM PUBLIC

101|P a g e

References:


102|P a g e

6.7RestrictAccesstoSYSCAT.ROUTINES(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.ROUTINES viewcontainsalluser-definedroutines,functions,andstoredproceduresinthedatabase.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

User-definedfunctionsandroutinesshouldnotbeexposedtothepublicforexploits.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROUTINES' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.ROUTINES FROM PUBLIC

103|P a g e

6.8RestrictAccesstoSYSCAT.INDEXAUTH(Scored)


•Level2-RDBMS

Description:

TheSYSCAT.INDEXAUTH viewcontainsalistofusersorgroupsthathaveCONTROL accessonanindex.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

Thelistofalluserswithaccesstoanindexshouldnotbeexposedtothepublic.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'INDEXAUTH' and grantee = 'PUBLIC'


Remediation:

RevokeaccessfromPUBLIC.




db2 => REVOKE SELECT ON SYSCAT.INDEXAUTH FROM PUBLIC

104|P a g e

References:


105|P a g e

6.9RestrictAccesstoSYSCAT.PACKAGEAUTH(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.PACKAGEAUTH viewcontainsalistofusersorgroupsthathasEXECUTE privilegeonapackage.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

Thelistofalluserswithaccesstoapackageshouldnotbeexposedtothepublic.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PACKAGEAUTH' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.PACKAGEAUTH FROM PUBLIC

106|P a g e

6.10RestrictAccesstoSYSCAT.PACKAGES(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.PACKAGES viewcontainsthenamesofallpackagescreatedinthedatabaseinstance.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

Thenamesofpackagescreatedinthedatabasecanbeusedasanentrypointifavulnerablepackageexists.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PACKAGES' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.PACKAGES FROM PUBLIC

107|P a g e

6.11RestrictAccesstoSYSCAT.PASSTHRUAUTH(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.PASSTHRUAUTH viewcontainsthenamesofuserorgroupthathavepass-throughauthorizationtoquerythedatasource.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

Theabilitytoseewhichaccountshavethepass-throughprivilegecouldallowanattackertoexploittheseaccountstoaccessanotherdatasource.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PASSTHRUAUTH' and grantee = 'PUBLIC'


108|P a g e

Remediation:





db2 => REVOKE SELECT ON SYSCAT.PASSTHRUAUTH FROM PUBLIC

References:


109|P a g e

6.12RestrictAccesstoSYSCAT.SECURITYPOLICIES(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.SECURITYPOLICIES viewcontainsalldatabasesecuritypolicies.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLIC shouldnotbeabletoviewallthedatabasesecuritypolicies.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICIES' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT SYSCAT.SECURITYPOLICIES FROM PUBLIC

110|P a g e

References:


111|P a g e

6.13RestrictAccesstoSYSCAT.SECURITYPOLICYEXEMPTIONS(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.SECURITYPOLICYEXEMPTIONS containstheexemptiontoasecuritypolicythatwasgrantedtoadatabaseaccount.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

Publicshouldnotbeabletoviewalltheexemptionstothedatabasesecuritypolicies.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICYEXEMPTIONS' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.SECURITYPOLICYEXEMPTIONS FROM PUBLIC

112|P a g e

References:


113|P a g e

6.14RestrictAccesstoSYSCAT.SURROGATEAUTHIDS(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.SURROGATEAUTHIDS containsthenamesofallaccountsthathavebeengrantedSETSESSIONUSER privilegeonauserortoPUBLIC.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PublicshouldnotbeabletoviewthenamesofallthesurrogateaccountswithSETSESSIONUSER privilege.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SURROGATEAUTHIDS' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.SURROGATEAUTHIDS FROM PUBLIC

114|P a g e

References:


115|P a g e

6.15RestrictAccesstoSYSCAT.ROLEAUTH(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.ROLEAUTH viewcontainsinformationonallrolesandtheirrespectivegrantees.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLICshouldnothaveaccesstoseethegrantsoftherolesbecausethiscouldbeusedasapointofexploit.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROLEAUTH' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.ROLEAUTH FROM PUBLIC

116|P a g e

References:


117|P a g e

6.16RestrictAccesstoSYSCAT.ROLES(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.ROLES viewcontainsallrolesavailableinthedatabase.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLICshouldnothaveaccesstoseealltherolesbecausethiscouldbeusedasapointofexploit.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROLES' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.ROLES FROM PUBLIC

118|P a g e

References:


119|P a g e

6.17RestrictAccesstoSYSCAT.ROUTINEAUTH(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.ROUTINEAUTH viewcontainsalistofallusersthathaveEXECUTE privilegeonaroutine(function,method,orprocedure).ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLICshouldnothaveaccesstoseealltheusersbecausethiscouldbeusedasapointofexploit.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROUTINEAUTH' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.ROUTINEAUTH FROM PUBLIC

120|P a g e

References:


121|P a g e

6.18RestrictAccesstoSYSCAT.SCHEMAAUTH(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.SCHEMAAUTH viewcontainsalistofallusersthathaveoneormoreprivilegesoraccesstoaparticularschema.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLICshouldnothaveaccesstoseealltheusersbecausethiscouldbeusedasapointofexploit.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SCHEMAAUTH' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.SCHEMAAUTH FROM PUBLIC

122|P a g e

6.19RestrictAccesstoSYSCAT.SCHEMATA(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.SCHEMATA viewcontainsallschemanamesinthedatabase.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLICshouldnothaveaccesstoseealltheschemanamesinthedatabasebecausethiscouldbeusedasapointofexploit.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SCHEMATA' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.SCHEMATA FROM PUBLIC

123|P a g e

References:


124|P a g e

6.20RestrictAccesstoSYSCAT.SEQUENCEAUTH(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.SEQUENCEAUTH viewcontainsusers,groups,orrolesgrantedprivilege(s)onasequence.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLICshouldnothaveaccesstoseeallthegrantedaccessofasequenceinthedatabasebecausethiscouldbeusedasapointofexploit.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SEQUENCEAUTH' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.SEQUENCEAUTH FROM PUBLIC

125|P a g e

References:


126|P a g e

6.21RestrictAccesstoSYSCAT.STATEMENTS(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.STATEMENTS viewcontainsallSQLstatementsofacompiledpackage.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLICshouldnothaveaccesstotheSQLstatementsofadatabasepackage.Thiscouldleadtoanexploit.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'STATEMENTS' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.STATEMENTS FROM PUBLIC

127|P a g e

References:


128|P a g e

6.22RestrictAccesstoSYSCAT.TABAUTH(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.TABAUTH viewcontainsusersorgroupsthathavebeengrantedoneormoreprivilegesonatableorview.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLICshouldnothaveaccesstothegrantsofviewsandtablesinadatabase.Thiscouldleadtoanexploit.

Audit:


1.ConnecttotheDB2database.



db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'TABAUTH' and grantee = 'PUBLIC'

3.Reviewprivilegesgrantedtousers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.

Remediation:





db2 => REVOKE SELECT ON SYSCAT.TABAUTH FROM PUBLIC

129|P a g e

References:


130|P a g e

6.23RestrictAccesstoSYSCAT.TBSPACEAUTH(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSYSCAT.TBSPACEAUTH containsusersorgroupsthathavebeengrantedtheUSEprivilegeonaparticulartablespaceinthedatabase.ItisrecommendedthatthePUBLIC roleberestrictedfromaccessingthisview.

Rationale:

PUBLICshouldnothaveaccesstothegrantsofthetablespacesinadatabase.Thiscouldleadtoanexploit.

Audit:





db2 => select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'TBSPACEAUTH' and grantee = 'PUBLIC'


Remediation:





db2 => REVOKE SELECT ON SYSCAT.TBSPACEAUTH FROM PUBLIC

131|P a g e

References:


132|P a g e

6.24RestrictAccesstoTablespaces(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Atablespaceiswherethedataisphysicallystored.Itisrecommendedthattablespaceusageberestrictedtoauthorizedusers.

Rationale:

GranttheUSE oftablespaceprivilegetoonlyauthorizedusers.RestricttheprivilegefromPUBLIC,whereapplicable,asamalicioususercancauseadenialofserviceatthetablespacelevelbyoverloadingitwithcorrupteddata.

Audit:





db2 => select grantee, tbspace from sysibm.systbspaceauth where grantee = 'PUBLIC'


Remediation:





db2 => REVOKE USE OF TABLESPACE [$tablespace_name] FROM PUBLIC

133|P a g e

References:


134|P a g e

6.25RestrictAccesstoSYSCAT.MODULEAUTH(Scored)


•Level2-RDBMS

Description:

TheSYSCAT.MODULEAUTHviewcontainsallgrantedprivilegesonamoduleforusers,groups,orrolesandisreadonly.

Rationale:

AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforSYSCATviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSCAT.MODULEAUTHviewfromPUBLICtoreducerisktotheorganization'sdata.

Audit:





db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'MODULEAUTH'


Remediation:





db2 => revoke select on syscat.moduleauth from public

135|P a g e

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0054748.html?lang=en

136|P a g e

6.26RestrictAccesstoSYSCAT.VARIABLEAUTH(Scored)


•Level2-RDBMS

Description:

TheSYSCAT.VARIABLEAUTHviewcontainsthegrantedprivilegesonaglobalvariableforusers,groups,orrolesandisreadonly.

Rationale:

AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforSYSCATviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSCAT.VARIABLEAUTHviewfromPUBLICtoreducerisktotheorganization'sdata.

Audit:

DetermineifSYSCAT.VARIABLEAUTHprivilegesforusers,groups,androlesarecorrectlyset.





db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'VARIABLEAUTH'

3. Reviewprivilegesforusers,groups,androles.IftheoutputisBLANK,thenitisconsideredasuccessfulfinding.

137|P a g e

Remediation:





db2 => revoke select on syscat.variableauth from public

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050504.html?lang=en

138|P a g e

6.27RestrictAccesstoSYSCAT.WORKLOADAUTH(Scored)


•Level2-RDBMS

Description:

TheSYSCAT.WORKLOADAUTHcatalogrepresentstheusers,groups,orrolesthathavebeengrantedtheUSAGEprivilegeonaworkload.

Rationale:

AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforSYSCATviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSCAT.WORKLOADAUTHfromPUBLICtoreducerisktotheorganization'sdata.

Audit:





db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'WORKLOADAUTH'


Remediation:





db2 => db2 => revoke select on syscat.workloadauth from public

139|P a g e

References:


140|P a g e

6.28RestrictAccesstoSYSCAT.XSROBJECTAUTH(Scored)


•Level2-RDBMS

Description:

TheSYSCAT.XSROBJECTAUTHviewcontainsgrantedUSAGEprivilegesonaparticularXSRobjectforusers,groups,orrolesandisreadonly.

Rationale:

AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforSYSCATviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSCAT.XSROBJECTAUTHviewfromPUBLICtoreducerisktotheorganization'sdata.

Audit:





db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'XSROBJECTAUTH'


Remediation:





db2 => revoke select on syscat.xsrmoduleauth from public

141|P a g e

References:


142|P a g e

6.29RestrictAccesstoSYSCAT.AUTHORIZATIONIDS(Scored)


•Level1-RDBMS

Description:

SYSCAT.AUTHORIZATIONIDSisanadministrativeviewforthecurrentlyconnectedserver.

Rationale:

DatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforSYSCATviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSCAT.AUTHORIZATIONIDSviewfromPUBLICtoreducerisktotheorganization'sdata.

Audit:





db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUTHORIZATIONIDS'


Remediation:





db2 => revoke select on syscat.AUTHORIZATIONIDS from public

143|P a g e

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.rtn.doc/doc/r0021977.html?lang=en

144|P a g e

6.30RestrictAccesstoSYSIBMADM.OBJECTOWNERS(Scored)


•Level1-RDBMS

Description:

TheSYSIBMADM.OBJECTOWNERSadministrativeviewshowsthecompleteobjectownershipinformationforeachauthorizationIDforUSERowningasystemcatalogdefinedobjectfromtheconnecteddatabase.

Rationale:

AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeontheSYSIBMADM.OBJECTOWNERSviewfromPUBLICtoreducerisktotheorganization'sdata.

Audit:





db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSIBMADM' and ttname = 'OBJECTOWNERS'


145|P a g e

Remediation:





db2 => revoke select on SYSIBMADM.OBJECTOWNERS from public

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.rtn.doc/doc/r0021979.html?cp=SSEPGG_10.5.0%2F3-6-1-3-12-6&lang=en

146|P a g e

6.31RestrictAccesstoSYSIBMADM.PRIVILEGES(Scored)


•Level1-RDBMS

Description:

TheSYSIBMADM.PRIVILEGESadministrativeviewdisplaysallexplicitprivilegesforallauthorizationIDsinthecurrentlyconnecteddatabases'systemcatalogs.PRIVILEGESschemaisSYSIBMADM.

Rationale:

AnydatabasescreatedwithouttheRESTRICToptionautomaticallyGRANTtheSELECTprivilegetoPUBLICforcatalogviews.Therefore,itisstronglyrecommendedtoexplicitlyREVOKEtheSELECTprivilegeonSYSIBMADM.PRIVILEGESfromPUBLICtoreducerisktotheorganization'sdata.

Audit:





db2 => select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSIBMADM' and ttname = 'PRIVILEGES'


147|P a g e

Remediation:





db2 => revoke select on SYSIBMADM.PRIVILEGES from public

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.rtn.doc/doc/r0021978.html?cp=SSEPGG_10.5.0%2F3-6-1-3-12-7&lang=en

148|P a g e

7DB2Authorities

ThissectionprovidesguidanceonsecuringtheauthoritiesthatexistintheDB2instanceanddatabase.

7.1SecureSYSADMauthority(Scored)


•Level2-RDBMS



Description:

Thesysadm_group parameterdefinesthesystemadministratorgroup(SYSADM)authority.Itisrecommendedthatthesysadm_group groupcontainsauthorizedusersonly.

Rationale:


Audit:






3.Locatethesysadm_group valueintheoutputandensurethevalueisnotNULL:

db2 => get database manager configuration db2 => … SYSADM group name (SYSADM_GROUP) = DB2ADM

Note:sysadm_group issettoDB2ADMintheaboveoutput.

149|P a g e

4.Reviewthemembersofthesysadm_group ontheoperatingsystem.

Linux:

cat /etc/group | grep <sysadm group name>

Windows:

1. 1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Doubleclick5. Reviewgroupmembers

Remediation:

DefineavalidgroupnamefortheSYSADMgroup.




db2 => update database manager configuration using sysadm_group <sys adm group name>

DefaultValue:

Thedefaultvalueforsysadm_group isNULL.

150|P a g e

7.2SecureSYSCTRLauthority(Scored)


•Level2-RDBMS

Description:

Thesysctrl_group parameterdefinesthesystemadministratorgroupwithsystemcontrol(SYSCTRL)authority.Itisrecommendedthatthesysctrl_group groupcontainsauthorizedusersonly.

Rationale:


Audit:






3.Locatethesysctrl_group valueintheoutputandensurethevalueisnotNULL:

db2 => get database manager configuration db2 => … SYSCTRL group name (SYSCTRL_GROUP) = DB2CTRL

Note:sysctrl_group issettoDB2CTRLintheaboveoutput.

4.Reviewthemembersofthesysctrl_group ontheoperatingsystem.

Linux:

cat /etc/group | grep <sysctrl group name>

Windows:

1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Doubleclick<sysctrlgroupname>5. Reviewgroupmembers

151|P a g e

Remediation:

DefineavalidgroupnamefortheSYSCTRLgroup.




db2 => update database manager configuration using sysctrl_group <sys control group name>

DefaultValue:

Thedefaultvalueforsysctrl_group isNULL.

152|P a g e

7.3SecureSYSMAINTAuthority(Scored)


•Level1-RDBMS



Description:

Thesysmaint_groupparameterdefinesthesystemadministratorgroupthatpossessesthesystemmaintenance(SYSMAINT)authority.Itisrecommendedthatthesysmaint_group groupcontainsauthorizedusersonly.

Rationale:


Audit:






3.Locatethesysmaint_group valueintheoutputandensurethevalueisnotNULL:

db2 => get database manager configuration db2 => … SYSMAINT group name (SYSMAINT_GROUP) = DB2MAINT

Note:sysmaint_group issettoDB2MAINTintheaboveoutput.

4.Reviewthemembersofthesysmaint_group ontheoperatingsystem.

Linux:

cat /etc/group | grep <sysmaint group name>

153|P a g e

Windows:

1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Doubleclick<sysmaintgroupname>5. Reviewgroupmembers

Remediation:

DefineavalidgroupnamefortheSYSMAINTgroup.




db2 => update database manager configuration using sysmaint_group <sys maintenance group name>

DefaultValue:

Thedefaultvalueforsysmaint_group isNULL.

154|P a g e

7.4SecureSYSMONAuthority(Scored)


•Level1-RDBMS

Description:

Thesysmon_group parameterdefinestheoperatingsystemgroupswithsystemmonitor(SYSMON)authority.Itisrecommendedthatthesysmon_group groupcontainauthorizedusersonly.

Rationale:


Audit:






3.Locatethesysmon_group valueintheoutputandensurethevalueisnotNULL:

db2 => get database manager configuration db2 => … SYSMON group name (SYSMON_GROUP) = DB2MON

Note:sysmon_group issettoDB2MONintheaboveoutput.

4.Reviewthemembersofthesysmon_group ontheoperatingsystem.

Linux:

cat /etc/group | grep <sysmon group name>

Windows:

1. Runcompmgmt.msc2. Click'LocalUsersandGroups'3. Doubleclick'Groups'4. Doubleclick5. Reviewgroupmembers

155|P a g e

Remediation:

DefineavalidgroupnamefortheSYSMONgroup.




db2 => update database manager configuration using sysmon_group <sys monitor group name>

DefaultValue:

Thedefaultvalueforsysmon_groupisNULL.

156|P a g e

7.5SecureSECADMAuthority(Scored)


•Level1-RDBMS

Description:

TheSECADM (securityadministrator)rolegrantstheauthoritytocreate,alter(whereapplicable),anddroproles,trustedcontexts,auditpolicies,securitylabelcomponents,securitypoliciesandsecuritylabels.Itisalsotheauthorityrequiredtograntandrevokeroles,securitylabelsandexemptions,andtheSETSESSIONUSERprivilege.SECADM authorityhasnoinherentprivilegetoaccessdatastoredintables.ItisrecommendedthattheSECADM rolebegrantedtoauthorizedusersonly.

Rationale:


Audit:





db2 => select distinct grantee, granteetype from syscat.dbauth where securityadmauth = 'Y'

3. Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.

157|P a g e

Remediation:

Revokethispermissionfromanyunauthorizedusers.




db2 => REVOKE SECADM ON DATABASE FROM USER <username>

References:


158|P a g e

7.6SecureDBADMAuthority(Scored)


•Level1-RDBMS

Description:

TheDBADM (databaseadministration)rolegrantstheauthoritytoausertoperformadministrativetasksonaspecificdatabase.ItisrecommendedthattheDBADM rolebegrantedtoauthorizedusersonly.

Rationale:

Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdatainthedatabasewillbeatincreasedrisk.

Audit:





db2 => select distinct grantee, granteetype from syscat.dbauth where dbadmauth = 'Y'


Remediation:





db2 => REVOKE DBADM ON DATABASE FROM USER <username>

159|P a g e

References:


160|P a g e

7.7SecureSQLADMAuthority(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheSQLADMauthorityisrequiredtomonitor,tune,andalterSQLstatements.

Rationale:

TheSQLADMauthoritycanCREATE,SET,FLUSH,DROPEVENTMONITORSandperformRUNSTATSandREORGINDEXESandTABLES.SQLADMcanbegrantedtousers,groups,orrolesorPUBLIC.SQLADMauthorityisasubsetoftheDBADMauthorityandcanbegrantedbytheSECADMauthority.

Audit:


select distinct grantee, granteetype from syscat.dbauth where sqladmauth = 'Y'

2.Reviewthelistofusersintheaboveoutputtoensureonlyapprovedusersareassigned.

Remediation:

1.RevokeSQLADMauthorityfromanyunauthorizedusers.

REVOKE SQLADM ON DATABASE FROM USER <username>

References:


161|P a g e

7.8SecureDATAACCESSAuthority(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Grantstheauthoritytoaccessdata.TheDATAACCESSauthorityallowsthegranteetoleverageDMLlevelcommandsi.e.SELECT,INSERT,UPDATE,DELETE,LOAD,andEXECUTEanypackageorroutine.

TheDATAACCESSauthoritycannotbegrantedtoPUBLIC.

Rationale:

TheDATAACCESSauthoritygivesthegranteereadaccessandalsocontrolovermanipulatingthedata.DATAACCESScanbegrantedtousers,groups,orroles,butnotPUBLIC.DATAACCESSauthorityisasubsetoftheDBADMauthorityandcanbegrantedbytheSECADMauthority.

Audit:


select distinct grantee, granteetype from syscat.dbauth where dataaccessauth = 'Y'


Remediation:

1.RevokeDATAACCESSauthorityfromanyunauthorizedusers.

REVOKE DATAACCESS ON DATABASE FROM USER <username>

References:


162|P a g e

7.9SecureACCESSCTRLAuthority(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

ACCESSCTRLauthorityistheauthorityrequiredtograntandrevokeprivilegesonobjectswithinaspecificdatabase.SomeoftheseprivilegesincludeBINDADD,CONNECT,CREATETAB,CREATE_EXTERNAL_ROUTINE,LOAD,andQUIESCE_CONNECT.Ithasnoinherentprivilegetoaccessdatastoredintables,exceptthecatalogtablesandviews.

TheACCESSCTRLauthoritycannotbegrantedtoPUBLIC.

Rationale:

TheACCESSCTRLauthoritygivesthegranteeaccesscontroltoaspecifieddatabase.Withthisauthority,thegranteecangrant/revokeprivilegestootherusers.ACCESSCTRLcanbegrantedtousers,groups,orroles,butnotPUBLIC.ACCESSCTRLauthoritycanonlybegrantedbytheSECADMauthority.

Audit:


select distinct grantee, granteetype from syscat.dbauth where accessctrlauth = 'Y'


Remediation:

1.RevokeACCESSCTRLauthorityfromanyunauthorizedusers.

REVOKE ACCESSCTRL ON DATABASE FROM USER <username>

References:


163|P a g e

7.10SecureWLMADMauthority(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

TheWLMADMauthoritymanagesworkloadobjectsforadatabase.HoldersofDBADMauthorityimplicitlyalsoholdWLMADMauthority.

Rationale:

TheWLMADMauthorityenablescreating,altering,dropping,commenting,granting,andrevokingaccesstoworkloadobjectsforadatabase.

Audit:


select grantee, wlmadmauth from syscat.dbauth

2.Determineifthegrantee(s)arecorrectlyset.

Remediation:

1.RevokeanyuserwhoshouldNOThaveWLMADMauthority:

REVOKE WLMADM ON DATABASE FROM USER <username>

References:


164|P a g e

7.11SecureCREATABAuthority(Scored)


•Level1-RDBMS

Description:

TheCREATAB (createtable)rolegrantstheauthoritytoausertocreatetableswithinaspecificdatabase.ItisrecommendedthattheCREATAB rolebegrantedtoauthorizedusersonly.

Rationale:

Reviewallusersthathaveaccesstothisauthoritytoavoidtheadditionofunnecessaryand/orinappropriateusers.

Audit:





db2 => select distinct grantee, granteetype from syscat.dbauth where creatabauth = 'Y'


Remediation:





db2 => REVOKE CREATAB ON DATABASE FROM USER <username>

165|P a g e

References:


166|P a g e

7.12SecureBINDADDAuthority(Scored)


•Level1-RDBMS

Description:

TheBINDADD (bindapplication)rolegrantstheauthoritytoausertocreatepackagesonaspecificdatabase.ItisrecommendedthattheBINDADD rolebegrantedtoauthorizedusersonly.

Rationale:

Ifanaccountthatpossessesthisauthorityiscompromisedorusedinamaliciousmanner,theconfidentiality,integrity,andavailabilityofdatainthedatabasewillbeatincreasedrisk.

Audit:





db2 => select distinct grantee, granteetype from syscat.dbauth where bindaddauth = 'Y'


Remediation:





db2 => REVOKE BINDADD ON DATABASE FROM USER <username>

167|P a g e

References:


168|P a g e

7.13SecureCONNECTAuthority(Scored)


•Level1-RDBMS

Description:

TheCONNECT rolegrantstheauthoritytoausertoconnecttomainframeandmidrangedatabasesfromWindows,Unix,andLinuxoperatingsystems.ItisrecommendedthattheCONNECT rolebegrantedtoauthorizedusersonly.

Rationale:

Allusersthathaveaccesstothisauthorityshouldberegularlyreviewed.

Audit:





db2 => select distinct grantee, granteetype from syscat.dbauth where connectauth = 'Y'


Remediation:





db2 => REVOKE CONNECT ON DATABASE FROM USER <username>

169|P a g e

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.qb.dbconn.doc/doc/r0059046.html?cp=SSEPGG_10.5.0%2F6&lang=en

170|P a g e

7.14SecureLOADAuthority(Scored)


•Level1-RDBMS

Description:

TheLOAD rolegrantstheauthoritytoausertoloaddataintotables.ItisrecommendedthattheLOAD rolebegrantedtoauthorizedusersonly.

Rationale:

Allusersthathaveaccesstothisauthorityshouldberegularlyreviewed.

Audit:





db2 => select distinct grantee, granteetype from syscat.dbauth where loadauth = 'Y'


Remediation:





db2 => REVOKE LOAD ON DATABASE FROM USER <username>

171|P a g e

References:


172|P a g e

7.15SecureEXTERNALROUTINEAuthority(Scored)


•Level1-RDBMS

Description:

TheEXTERNALROUTINE authoritygrantsausertheprivilegetocreateuser-definedfunctionsandproceduresinaspecificdatabase.

Rationale:

Alluserswiththisauthorityshouldberegularlyreviewedandapproved.

Audit:





db2 => select distinct grantee, granteetype from syscat.dbauth where externalroutineauth = 'Y'


Remediation:





db2 => REVOKE CREATE_EXTERNAL_ROUTINE ON DATABASE FROM USER <username>

173|P a g e

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.apdv.routines.doc/doc/c0009198.html?lang=en

174|P a g e

7.16SecureQUIESCECONNECTAuthority(Scored)


•Level1-RDBMS

Description:

TheQUIESCECONNECT rolegrantstheauthoritytoausertoaccessadatabaseeveninthequiescedstate.

Rationale:

ItisrecommendedthattheQUIESCECONNECT rolebegrantedtoauthorizedusersonly.

Audit:





db2 => select distinct grantee, granteetype from syscat.dbauth where quiesceconnectauth = 'Y'


Remediation:





db2 => REVOKE QUIESCE_CONNECT ON DATABASE FROM USER <username>

175|P a g e

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.apdv.api.doc/doc/r0009331.html?lang=en

176|P a g e

8DB2Roles

Roles simplify the administration and management of privileges by offering an equivalent capability as groups but without the same restrictions. A role is a database object that groups together one or more privileges and can be assigned to users, groups, PUBLIC, or other roles by using a GRANT statement. All the roles assigned to a user are enabled when that user establishes a connection, so all privileges and authorities granted to roles are taken into account when a user connects. Roles cannot be explicitly enabled or disabled.

8.1ReviewRoles(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Rolesprovideseveraladvantagesthatmakeiteasiertomanageprivilegesinadatabasesystem.Securityadministratorscancontrolaccesstotheirdatabasesinawaythatmirrorsthestructureoftheirorganizations(theycancreaterolesinthedatabasethatmapdirectlytothejobfunctionsintheirorganizations).Theassignmentofprivilegesissimplified.Insteadofgrantingthesamesetofprivilegestoeachindividualuserinaparticularjobfunction,theadministratorcangrantthissetofprivilegestoarolerepresentingthatjobfunctionandthengrantthatroletoeachuserinthatjobfunction.

Rationale:

Reviewingtheroleswithinadatabasehelpsminimizethepossibilityofunwantedaccess.

Audit:

1.AttachtoaDB2Instance:


2.ConnecttoDB2database:


3.Runthefollowingandreviewtheresultstodetermineifeachrolenamestillhasabusinessrequirementtoaccessthedata:

db2 => select rolename from syscat.roleauth where grantortype <> 'S' group by rolename

177|P a g e

Remediation:

Toremovearolefromthedatabase:



2ConnecttoDB2database:


3.Runthefollowing:

db2 => drop role <role name>

References:

1. https://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0050531.html

178|P a g e

8.2ReviewRoleMembers(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

Havingrolesthathavebeengrantedspecificprivileges,thenassigninguserstotheroles,isusuallyconsideredthebestwaytograntapplicationaccess.Becausegrantingprivilegestoindividualuserscanbemoredifficulttotrackandmaintainagainstunauthorizedaccess,usersshouldbeassignedtoorganization-defineddatabaserolesaccordingtotheneedsofthebusiness.Asusersleavetheorganizationorchangeresponsibilitieswithintheorganization,theappropriaterolesforthemchangeaswell,sorolemembershipneedstobereviewedandverifiedperiodically.

Rationale:

Userswhohaveexcessiveprivilegesnotneededtodotheirjobsposeanunnecessaryrisktotheorganizationasaninsiderthreat.

Audit:





3.Runthefollowingtoreviewandverifythattherolemembersarecorrectforeachrole:

db2 => select rolename,grantee from syscat.roleauth where grantortype <> 'S' group by rolename, grantee

179|P a g e

Remediation:

Toremovearolememberfromaparticularrole:





3.Runthefollowing:

db2 => revoke role <role name> from <role member>

References:


180|P a g e

8.3NestedRoles(Scored)


•Level2-RDBMS

Description:

Theuser-definedrolesinDB2canbenestedinthesamefashionasWindowssecuritygroups--anestedgrouphasbothitsdirectlyassignedpermissionsaswellastheassignedgrouppermissions.Bynestingroles,thedatabaseadministratorissavingtimebyonlyhavingtoassignagroupofusersversusassigningthemindividually.Nestingrolesproperlycanofteneasetheapplicationofthesecuritymodelifit'skeptfairlyshallow,andiftherolesarelogicallynamed.Ifthesearealltrue,thennestingofrolesisagoodidea.

Rationale:

Astrackingmultiplelevelsofpermissionscanresultinunauthorizedaccesstodataresources,thiscapabilityshouldberestrictedaccordingtotheneedsofthebusiness.

Audit:

1.AttachtoDB2Instance:




3.Runthefollowingtoidentifyanynestedroles:

db2 => select grantee, rolename from syscat.roleauth where grantee in (select rolename from syscat.roles)

NOTE:Ifvalueisblank,thiswouldbeconsideredpassing.

Remediation:

Toremoveanestedrole,performthefollowing:





3.Runthefollowing:

db2 => revoke role <role name> from role <role>

181|P a g e

8.4ReviewRolesgrantedtoPUBLIC(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

GrantingtoPUBLICincreasestheriskofunauthorizedentryintothedatabase.BecausePUBLICisaccessiblebyanydatabaseuser,itisimportanttounderstandtheexposureithasonalldatabaseobjects.ItwouldmakesensetograntrolemembershiptoPUBLICifallusersrequiredalltheprivilegesgrantedthroughthatrole.

Rationale:

AsanyrolegrantedtoPUBLICcanpotentiallyallowthecompromiseofdatabaseavailability,confidentiality,orintegrity,theserolesshouldberestrictedaccordingtotheneedsofthebusiness.

Audit:





3.Runthefollowing:

db2 => select grantee, rolename from syscat.roleauth where grantee = 'PUBLIC'

NOTE:Ifthevaluereturnedisblank,thatisconsideredapassablefinding.

182|P a g e

Remediation:

Toremovearolememberfromaparticularrole:





3.Runthefollowing:

db2 => revoke role <role name> from PUBLIC

References:


183|P a g e

8.5ReviewRoleGranteeswithWITHADMINOPTION(Scored)


•Level2-RDBMS

Description:

UsingtheWITHADMINOPTIONclauseoftheGRANT(Role)SQLstatement,thesecurityadministratorcandelegatethemanagementandcontrolofmembershipinaroletosomeoneelse.

Rationale:

TheWITHADMINOPTIONclausegivesanotherusertheauthoritytograntmembershipintheroletootherusers,torevokemembershipintherolefromothermembersoftherole,andtocommentonarole,butnottodroptherole.

Audit:





3.Performthefollowingquery:

db2 => select rolename, grantee, admin from syscat.roleauth where grantortype <> 'S' and admin = 'Y'

NOTE:Ifthevaluereturnedisblank,thatisconsideredapassablefinding.

Remediation:





3.Performthefollowingquery:

db2=> revoke admin option for role <role name> from user <user name>

184|P a g e

9GeneralPolicyandProcedures


9.1StartandStopDB2Instance(NotScored)




Description:

TheDB2instancemanagesthedatabaseenvironmentandsetstheconfigurationparameters.ItisrecommendedthatonlyadministratorsareallowedtostartandstoptheDB2instance.

Rationale:

OnlyprivilegedusersshouldhaveaccesstostartandstoptheDB2instance.ThiswillensurethattheDB2instanceiscontrolledbyauthorizedadministrators.

Audit:

OnWindows:

1. GotoStart,thentotheRunoption.2. Typeinservices.msc inthecommandprompt.3. LocatetheDB2serviceandidentifytheusers/groupsthatcanstartandstopthe

service.

OnLinux:

1. IdentifythenameofthelocalDB2admingroup.2. Identifythemembersofthatgroup.3. IdentifythemembersthathaveaccesstostopandstarttheDB2instance.

185|P a g e

Remediation:

Revokeaccessfromanyunnecessaryusers.

1. Connecttothehost2. ReviewusersandgroupsthathaveaccesstostartandstoptheDB2instance.3. Removestartandstopprivilegesfromallusersandgroupsthatshouldnothave

them.

186|P a g e

9.2RemoveUnusedSchemas(NotScored)


•Level1-RDBMS

Description:

Aschemaisalogicalgroupingofdatabaseobjects.Itisrecommendedthatunusedschemasberemovedfromthedatabase.

Rationale:

Unusedschemascanbeleftunmonitoredandmaybesubjectedtoabuseandthereforeshouldberemoved.

Audit:




db2 => select schemaname from syscat.schemata

3. Reviewthelistofschemas

Remediation:

Remoteunnecessaryschemas.




db2 => drop scheme <scheme name> restrict

3. Reviewunusedschemasandremoveifnecessary

187|P a g e

9.3ReviewSystemTablespaces(Scored)


•Level1-RDBMS

Description:

Systemtablespacesstoreallsystemobjectdatawithinthatdatabase.Itisrecommendedthatsystemtablespacesareusedtostoredsystemdataonlyandnotuserdata.

Rationale:

Usersshouldnothaveprivilegestocreateuserdataobjectswithinthesystemtablespaces.Userdataobjectscreatedwithinthesystemtablespacesshouldberemoved.

Audit:




db2 => select tabschema,tabname,tbspace from syscat.tables where tabschema not in ('ADMINISTRATOR','SYSIBM','SYSTOOLS') and tbspace in ('SYSCATSPACE','SYSTOOLSPACE','SYSTOOLSTMPSPACE','TEMPSPACE')

3. Reviewthelistofsystemtablespaces.IftheoutputisBLANK,thatisconsideredasuccessfulfinding.

Remediation:

1.ConnecttotheDB2database.


2.Reviewthesystemtablespacestoidentifyanyuserdataobjectswithinthem.

3.Drop,migrate,orotherwiseremovealluserdataobjects(tables,schemas,etc.)fromwithinthesystemtablespaces.

4.Revokewriteaccessforthesystemtablespacesfromallusers.

188|P a g e

9.4RemoveDefaultDatabases(Scored)


•Level1-RDBMS

•Level2-RDBMS

Description:

ADB2instancemaycomeinstalledwithdefaultdatabases.ItisrecommendedthattheSAMPLE databaseberemoved.

Rationale:

Removingunused,well-knowndatabaseswillreducetheattacksurfaceofthesystem.

Audit:

PerformthefollowingDB2commandstoobtainthelistofdatabases:




db2 => list database directory

3. Locatethisvalueintheoutput:

db2 => Database 3 entry: Database alias = SAMPLE Database name = SAMPLE Local database directory = C: Database release level = c.00 Comment = Directory entry type = Indirect Catalog database partition number = 0 Alternate server hostname =

4. ReviewtheoutputaboveandidentifytheSAMPLEdatabase.IfthereisnoSAMPLEdatabase,thenitisconsideredasuccessfulfinding.

189|P a g e

Remediation:

Dropunusedsampledatabases:

1. ConnecttotheDB2instance.2. RunthefollowingcommandfromtheDB2commandwindow:

db2 => drop database sample

190|P a g e

9.5EnableSSLcommunicationwithLDAPserver(Scored)




Description:

ThecommunicationlayerbetweenaDB2instanceandtheLDAPservershouldbeencrypted.ItisrecommendedthattheENABLE_SSL parameterintheIBMLDAPSecurity.ini filebesettoTRUE.

Rationale:

EnablingSSLwillhelpensuretheconfidentialityofauthenticationcredentialsandotherinformationthatissentbetweentheDB2instanceandtheLDAPserver.

Note:ThefileislocatedunderINSTANCE_HOME/sqllib/cfg/,forLinux;and%DB2PATH%\cfg\,forWindows.

Audit:

Performthefollowingcommandstoobtaintheparametersetting:

1. ConnecttotheDB2host2. EdittheIBMLDAPSecurity.ini file3. Verifytheexistenceofthisparameter:

ENABLE_SSL = TRUE

Remediation:

Verifytheparameter:

1. ConnecttotheDB2host2. EdittheIBMLDAPSecurity.ini file3. Addormodifythefiletoincludethefollowingparameter:

ENABLE_SSL = TRUE

DefaultValue:

Thedefaultvalueistheomissionofthisparameter.

191|P a g e

9.6SecurethepermissionoftheIBMLDAPSecurity.inifile(Scored)




Description:

TheIBMLDAPSecurity.inifilecontainstheIBMLDAPsecurityplug-inconfigurations.

Rationale:

RecommendedvalueisreadandwriteaccesstoDB2administratorsonlyandread-onlytoEveryone/Other/Users/DomainUsers.Thiswillensurethattheparameterfileisprotected.Note:thefileislocatedunderINSTANCE_HOME/sqllib/cfg/,forLinux;and%DB2PATH%\cfg\,forWindows.

Audit:

PerformthefollowingDB2commandstoobtainthevalueforthissetting:ForWindows:

1. ConnecttotheDB2host2. Right-clickoverthefiledirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewaccessforallaccounts

ForLinux:

1. ConnecttotheDB2host2. Changetothefiledirectory3. Checkthepermissionsofthedirectory

OS => ls -al

192|P a g e

Remediation:

ForWindows:

1. ConnecttotheDB2host2. Right-clickoverthefiledirectory3. ChooseProperties4. SelecttheSecuritytab5. SelectalladministratoraccountsandgrantthemReadandWriteauthorityonly

(revokeallothers).6. Selectallnon-administratoraccountsandgrantthemReadauthorityonly(revoke

allothers).

ForLinux:

1. ConnecttotheDB2host2. Changetothefiledirectory3. Changethepermissionlevelofthedirectory

OS => chmod -R 664

193|P a g e

9.7SecurethepermissionoftheSSLconfig.inifile(Scored)




Description:

TheSSLconfig.inifilecontainstheSSLconfigurationparametersfortheDB2instance,includingthepasswordforKeyStore.

Rationale:

RecommendedvalueisfullaccesstoDB2administratorsonly,readandwriteaccessonlytomembersoftheSYSADMgroup,andnoaccesstootherusers.Thiswillensurethattheparameterfileisprotected.

Note:thefileislocatedunderINSTANCE_HOME/sqllib/cfg/,forLinux;and%INSTHOME%\,forWindows.

Audit:

PerformthefollowingDB2commandstoobtainthevalueforthissetting:ForWindows:

1. ConnecttotheDB2host2. Right-clickoverthefiledirectory3. ChooseProperties4. SelecttheSecuritytab5. Reviewaccessforallaccounts

ForLinux:

1. ConnecttotheDB2host2. Changetothefiledirectory3. Checkthepermissionsofthedirectory

OS => ls -al

194|P a g e

Remediation:

ForWindows:

1. ConnecttotheDB2host2. Right-clickoverthefiledirectory3. ChooseProperties4. SelecttheSecuritytab5. SelectalladministratoraccountsandgrantthemtheFullControlauthority6. SelecttheSYSADMgroupandgrantitReadandWriteauthorityonly(revokeall

others)7. Selectallotheraccountsandrevokeallprivilegestothedirectory

ForUnix:

1. ConnecttotheDB2host2. Changetothefiledirectory3. Changethepermissionlevelofthedirectory

OS => chmod -R 760

195|P a g e

9.8EnsureTrustedContextsareenabled(NotScored)






Description:

ATrustedContextobjectprovidesameansofenforcingencryption,assigningprivilegesbasedonroles,andensuringthattheactionsperformedonbehalfofauserareperformedinthecontextoftheuser’sIDandprivileges.

Rationale:

CreatingTrustedContextobjectstoenforceencryptionandassignroleswillprotectdataintransitandlimitaccesstoinformationonaperuser/rolebasis.Additionally,itensuresactionscanbetracedbacktotheuser.

Audit:

IssuethefollowingcommandtoverifythataTrustedContextobjectisenabled:

select contextname, enabled from syscat.contexts where enabled = 'Y'

Remediation:

IfthereisnoenabledTrustedContextobject,createaTrustedContextobjectifneededandenableit.

References:

1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0050514.html

196|P a g e

9.9Secureplug-inlibrarylocations(NotScored)






Description:

Whetherdevelopingyourownsecurityplug-insormigratingestablishedplug-insintoyourenvironment,itisimportanttoensurethattheplug-indirectoriesaresecure.

Rationale:

Ifplug-indirectoriesarenotsecure,theplug-inscouldbemisused,tamperedwith,orotherwiseaccessedinwaysthatcouldjeopardizethesecurityoftheserver.

Audit:

Linux32-bit:

Reviewtheprivilegesassignedtotheplug-indirectoriestoensuretheyaresetto755.

• Forclient-sideplug-ins:$DB2PATH/security32/plugin/client• Forserver-sideplug-ins:$DB2PATH/security32/plugin/server• Forgroupplug-ins:$DB2PATH/security32/plugin/group

Linux64-bit:

Reviewtheprivilegesassignedtotheplug-indirectoriestoensuretheyaresetto755.

• Forclient-sideplug-ins:$DB2PATH/security64/plugin/client• Forserver-sideplug-ins:$DB2PATH/security64/plugin/server• Forgroupplug-ins:$DB2PATH/security64/plugin/group

197|P a g e

Windows32-bitand64-bit:

Reviewtheprivilegesassignedtotheplug-indirectoriestoensuretheyaresetto755.Note:Thesub-directories'instancename'and'client','server',and'group'arenotcreatedautomatically.Theinstanceownerhastomanuallycreatethem.

• Forclient-sideplug-ins:$DB2PATH\security\plugin\instancename\client• Forserver-sideplug-ins:$DB2PATH\security\plugin\instancename\server• Forgroupplug-ins:$DB2PATH\security\plugin\instancename\group

Remediation:

Changetheprivilegesforallplug-indirectoriessotheyaresetto755.

OnaLinuxsystem,performthefollowingforeachdirectoryneedingitsprivilegeschanged:

[db2inst1@tgt-db2-101-abc123 IBM]$ chmod 755 <directory>

198|P a g e

9.10Ensurethatsecurityplug-insupportfortwo-partuserIDsisenabled(NotScored)






Description:

TheDB2databasemanageronWindowssupportstheuseoftwo-partuserIDsandthemappingoftwo-partuserIDstotwo-partauthorizationIDs.

Rationale:

Havingatwo-partauthorizationschemeincreasesthesecurityofuserIDsbymakingthemhardertocompromise.

Audit:

Issuethefollowingcommandandconfirmthattheclnt_pw_plugin,srvcon_gssplugin_list,andsrvcon_pw_pluginparametersareallsetto'DISABLED':

db2=> select name, case when ((name = 'srvcon_pw_plugin' AND value in ('IBMOSauthserverTwoPart','IBMOSauthserverTwoPart64')) AND (name = 'clnt_pw_plugin' and value in ('IBMOSauthclientTwoPart','IBMOSauthclientTwoPart64'))) OR ((name = 'srvcon_gssplugin_list' AND value in ('IBMOSkrb5TwoPart','IBMOSkrb5TwoPart64')) AND (name = 'clnt_krb_plugin' and value in ('IBMkrb5TwoPart','IBMkrb5TwoPart64')))then 'ENABLED' else 'DISABLED' end as Status from sysibmadm.dbmcfg where (name = 'srvcon_pw_plugin' OR name = 'srvcon_gssplugin_list' OR name = 'clnt_pw_plugin')

199|P a g e

Remediation:

Toenableserverauthenticationthatmapstwo-partuserIDstotwo-partauthorizationIDs,youmustset:

• srvcon_pw_plugintoIBMOSauthserverTwoPart• clnt_pw_plugintoIBMOSauthclientTwoPart

Toenableclientauthenticationthatmapstwo-partuserIDstotwo-partauthorizationIDs,youmustset:

• srvcon_pw_plugintoIBMOSauthserverTwoPart• clnt_pw_plugintoIBMOSauthclientTwoPart

ToenableKerberosauthenticationthatmapstwo-partuserIDstotwo-partauthorizationIDs,youmustset:

• srvcon_gssplugin_listtoIBMOSkrb5TwoPart• clnt_krb_plugintoIBMkrb5TwoPart

Forexample:

db2=> update dbm cfg using srvcon_pw_plugin IBMOSauthserverTwoPart

References:

1. http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0012039.html

200|P a g e

9.11Ensurepermissionsoncommunicationexitlibrarylocations(NotScored)






Description:

DB2communicationexitlibrariesmustexistinspecificdirectories.Thereshouldbeproperpermissionsonthesedirectories.

Rationale:

IfthepermissionsontheDB2communicationexitlibrarydirectoriesarenotsetproperly,thecontentsofthosedirectoriescouldbemisused,tamperedwith,orotherwiseaccessedtonegativelyimpactthesecurityoftheserver.

Audit:

Linux64-bit:

Issuethefollowingcommandtocheckthepermissionsforthecommunicationexitlibrary:

[db2inst1@tgt-db2-101-abcd plugin]$ ll /opt/ibm/db2/V10.5/security64/plugin total 12 drwxr-x--- 2 db2iadm1 db2inst1 4096 Aug 17 2013 commexit

201|P a g e

Remediation:

Thedatabasemanagerlooksforcommunicationexitlibrariesinthefollowingdirectories:

• Linux32-bit:$DB2PATH/security32/plugin/commexit• Linux64-bit:$DB2PATH/security64/plugin/commexit• Windows32-bitand64-bit:$DB2PATH\security\plugin\commexit\instance_name

Afterlocatingthedirectory,updateitspermissions.ThefollowingisanexampleforaLinux64-bitsystem:

[db2inst1@tgt-db2-101-abcd plugin]$ pwd /opt/ibm/db2/V10.5/security64/plugin [db2inst1@tgt-db2-101-abcd IBM]$ chmod -R 750 commexit

References:

1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0060264.html

202|P a g e

9.12Ensureauditpoliciesareenabledwithinthedatabase(NotScored)






Description:

Creatingandapplyingauditpoliciesiscrucialforsecuringanddiscoveringissueswithinyourdatabases.Auditpoliciescanhelptriggereventsforchangestodataobjects,tableDML,anduseraccess.

Rationale:

Ifauditpoliciesarenotenabled,issuesmaygoundiscovered,andcompromisesandotherincidentsmayoccurwithoutbeingquicklydetected.Itmayalsonotbepossibletoprovideevidenceofcompliancewithsecuritylaws,regulations,andotherrequirements.

Audit:

Issuethefollowingcommandtoensurethatatleastoneauditpolicyreturnsanauditstatusnotequalto'N'.Theassumptionisthatifthereisanactivepolicy,theninformationisbeingcapturedtoaudit.

db2=> select auditpolicyname, auditstatus from syscat.auditpolicies

Remediation:

Issuethefollowingcommandtocreateanauditpolicy:

db2=> create audit policy AUDIT_TEST CATEGORIES ALL STATUS BOTH

References:

1. http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0050607.html

203|P a g e

Appendix:SummaryTableControl Set

CorrectlyYes No

1 InstallationandPatches1.1 Installthelatestfixpacks(NotScored) o o1.2 UseIPaddressratherthanhostname(Scored) o o1.3 Leveragetheleastprivilegeprinciple(NotScored) o o1.4 Usenon-defaultaccountnames(Scored) o o1.5 ConfigureDB2tousenon-standardports(NotScored) o o1.6 CreatingthedatabasewiththeRESTERICTIVEclause(Not

Scored) o o

2 DB2DirectoryandFilePermissions2.1 SecureDB2RuntimeLibrary(Scored) o o2.2 Securethedatabasecontainerdirectory(Scored) o o2.3 SetumaskvalueforDB2adminuser.profilefile(Scored) o o2.4 VerifythegroupswithintheDB2_GRP_LOOKUPenvironment

variableareappropriate(Windowsonly)(NotScored) o o

2.5 VerifythedomainswithintheDB2DOMAINLISTenvironmentvariableareappropriate(Windowsonly)(NotScored) o o

3 DB2Configurations3.1 DB2InstanceParameterSettings3.1.1 Enableauditbuffer(Scored) o o3.1.2 Encryptuserdataacrossthenetwork(Scored) o o3.1.3 Requireexplicitauthorizationforcataloging(Scored) o o3.1.4 Disabledatalinkssupport(Scored) o o3.1.5 Securepermissionsfordefaultdatabasefilepath(Scored) o o3.1.6 Setdiagnosticloggingtocaptureerrorsandwarnings

(Scored) o o

3.1.7 Securepermissionsforalldiagnosticlogs(Scored) o o3.1.8 Requireinstancenamefordiscoveryrequests(Scored) o o3.1.9 Disableinstancediscoverability(Scored) o o3.1.10 Authenticatefederatedusersattheinstancelevel(Scored) o o3.1.11 Setmaximumconnectionlimits(Scored) o o3.1.12 Setadministrativenotificationlevel(Scored) o o3.1.13 Enableserver-basedauthentication(Scored) o o3.1.14 Setfailedarchiveretrydelay(Scored) o o3.1.15 Auto-restartafterabnormaltermination(Scored) o o3.1.16 Disabledatabasediscovery(Scored) o o3.1.17 Securepermissionsfortheprimaryarchiveloglocation

(Scored) o o

204|P a g e

3.1.18 Securepermissionsforthesecondaryarchiveloglocation(Scored) o o

3.1.19 Securepermissionsforthetertiaryarchiveloglocation(Scored) o o

3.1.20 Securepermissionsforthelogmirrorlocation(Scored) o o3.1.21 Establishretentionsetsizeforbackups(Scored) o o3.1.22 Setarchivelogfailoverretrylimit(Scored) o o3.2 DatabaseManagerConfigurationparameters3.2.1 TCP/IPservicename-svcename(Scored) o o3.2.2 SSLservicename-ssl_svcename(Scored) o o3.2.3 Authenticationtypeforincomingconnectionsattheserver-

srvcon_auth(Scored) o o

3.2.4 DatabaseManagerConfigurationparameter:trust_allclnts(NotScored) o o

3.2.5 DatabaseManagerConfigurationparameter:trust_clntauth(NotScored) o o

4 RowandColumnAccessControl(RCAC)4.1 ReviewOrganization'sPoliciesagainstDB2RCACPolicies

(NotScored) o o

4.2 SecureSECADMAuthority(NotScored) o o4.3 ReviewUsers,Groups,andRoles(NotScored) o o4.4 ReviewRowPermissionlogicaccordingtopolicy(Not

Scored) o o

4.5 ReviewColumnMasklogicaccordingtopolicy(NotScored) o o5 DatabaseMaintenance5.1 EnableBackupRedundancy(NotScored) o o5.2 ProtectingBackups(NotScored) o o5.3 EnableAutomaticDatabaseMaintenance(Scored) o o6 SecuringDatabaseObjects6.1 RestrictAccesstoSYSCAT.AUDITPOLICIES(Scored) o o6.2 RestrictAccesstoSYSCAT.AUDITUSE(Scored) o o6.3 RestrictAccesstoSYSCAT.DBAUTH(Scored) o o6.4 RestrictAccesstoSYSCAT.COLAUTH(Scored) o o6.5 RestrictAccesstoSYSCAT.EVENTS(Scored) o o6.6 RestrictAccesstoSYSCAT.EVENTTABLES(Scored) o o6.7 RestrictAccesstoSYSCAT.ROUTINES(Scored) o o6.8 RestrictAccesstoSYSCAT.INDEXAUTH(Scored) o o6.9 RestrictAccesstoSYSCAT.PACKAGEAUTH(Scored) o o6.10 RestrictAccesstoSYSCAT.PACKAGES(Scored) o o6.11 RestrictAccesstoSYSCAT.PASSTHRUAUTH(Scored) o o6.12 RestrictAccesstoSYSCAT.SECURITYPOLICIES(Scored) o o6.13 RestrictAccesstoSYSCAT.SECURITYPOLICYEXEMPTIONS

(Scored) o o

205|P a g e

6.14 RestrictAccesstoSYSCAT.SURROGATEAUTHIDS(Scored) o o6.15 RestrictAccesstoSYSCAT.ROLEAUTH(Scored) o o6.16 RestrictAccesstoSYSCAT.ROLES(Scored) o o6.17 RestrictAccesstoSYSCAT.ROUTINEAUTH(Scored) o o6.18 RestrictAccesstoSYSCAT.SCHEMAAUTH(Scored) o o6.19 RestrictAccesstoSYSCAT.SCHEMATA(Scored) o o6.20 RestrictAccesstoSYSCAT.SEQUENCEAUTH(Scored) o o6.21 RestrictAccesstoSYSCAT.STATEMENTS(Scored) o o6.22 RestrictAccesstoSYSCAT.TABAUTH(Scored) o o6.23 RestrictAccesstoSYSCAT.TBSPACEAUTH(Scored) o o6.24 RestrictAccesstoTablespaces(Scored) o o6.25 RestrictAccesstoSYSCAT.MODULEAUTH(Scored) o o6.26 RestrictAccesstoSYSCAT.VARIABLEAUTH(Scored) o o6.27 RestrictAccesstoSYSCAT.WORKLOADAUTH(Scored) o o6.28 RestrictAccesstoSYSCAT.XSROBJECTAUTH(Scored) o o6.29 RestrictAccesstoSYSCAT.AUTHORIZATIONIDS(Scored) o o6.30 RestrictAccesstoSYSIBMADM.OBJECTOWNERS(Scored) o o6.31 RestrictAccesstoSYSIBMADM.PRIVILEGES(Scored) o o7 DB2Authorities7.1 SecureSYSADMauthority(Scored) o o7.2 SecureSYSCTRLauthority(Scored) o o7.3 SecureSYSMAINTAuthority(Scored) o o7.4 SecureSYSMONAuthority(Scored) o o7.5 SecureSECADMAuthority(Scored) o o7.6 SecureDBADMAuthority(Scored) o o7.7 SecureSQLADMAuthority(Scored) o o7.8 SecureDATAACCESSAuthority(Scored) o o7.9 SecureACCESSCTRLAuthority(Scored) o o7.10 SecureWLMADMauthority(Scored) o o7.11 SecureCREATABAuthority(Scored) o o7.12 SecureBINDADDAuthority(Scored) o o7.13 SecureCONNECTAuthority(Scored) o o7.14 SecureLOADAuthority(Scored) o o7.15 SecureEXTERNALROUTINEAuthority(Scored) o o7.16 SecureQUIESCECONNECTAuthority(Scored) o o8 DB2Roles8.1 ReviewRoles(Scored) o o8.2 ReviewRoleMembers(Scored) o o8.3 NestedRoles(Scored) o o8.4 ReviewRolesgrantedtoPUBLIC(Scored) o o8.5 ReviewRoleGranteeswithWITHADMINOPTION(Scored) o o9 GeneralPolicyandProcedures

206|P a g e

9.1 StartandStopDB2Instance(NotScored) o o9.2 RemoveUnusedSchemas(NotScored) o o9.3 ReviewSystemTablespaces(Scored) o o9.4 RemoveDefaultDatabases(Scored) o o9.5 EnableSSLcommunicationwithLDAPserver(Scored) o o9.6 SecurethepermissionoftheIBMLDAPSecurity.inifile

(Scored) o o

9.7 SecurethepermissionoftheSSLconfig.inifile(Scored) o o9.8 EnsureTrustedContextsareenabled(NotScored) o o9.9 Secureplug-inlibrarylocations(NotScored) o o9.10 Ensurethatsecurityplug-insupportfortwo-partuserIDsis

enabled(NotScored) o o

9.11 Ensurepermissionsoncommunicationexitlibrarylocations(NotScored) o o

9.12 Ensureauditpoliciesareenabledwithinthedatabase(NotScored) o o

207|P a g e

Appendix:ChangeHistoryDate Version Changesforthisversion

12-19-2015 1.0.0 InitialRelease

08-05-2016 1.1.0 Ticket#144:AddedarecommendationforDB2tousenon-standardports.

08-10-2016 1.1.0 Ticket#141:AddedarecommendationforTrustedContexts.

08-10-2016 1.1.0 Ticket#148:Addedarecommendationforthetrust_allclntsparameter.

08-10-2016 1.1.0 Ticket#152:Addedarecommendationforsecureplug-inlibrarylocations.

08-10-2016 1.1.0 Ticket#155:Addedarecommendationforsecurityplug-insupportoftwo-partuserIDs.

08-10-2016 1.1.0 Ticket#156:Addedarecommendationforthecommunicationexitlibrarylocation.

08-10-2016 1.1.0 Ticket#157:Addedarecommendationforenablingauditpolicies.

08-10-2016 1.1.0 Ticket#159:AddedarecommendationfortheDB2_GRP_LOOKUPenvironmentalvariable.

08-10-2016 1.1.0 Ticket#160:AddedarecommendationfortheDB2DOMAINLISTenvironmentalvariable.

08-17-2016 1.1.0 Ticket#146:AddedarecommendationfortheRESTRICTIVEparameter.

208|P a g e

cis ibm db2 10 benchmark v1.1.0 - itsecure€¦ · this document, security configuration benchmark...

Documents