CIS IBM DB2 Benchmark v1.1.0
Table of Contents
Overview
  Consensus Guidance
  Intended Audience
  Acknowledgements
  Typographic Conventions
  Configuration Levels
    Level-I Benchmark settings/actions
    Level-II Benchmark settings/actions
  Scoring Status
    Scorable
    Not Scorable
  Database Version Affected
1. Installation and Patches
  1.0.1 Install the latest Fixpak (Level 2, Scorable, 8, 9, 9.5)
  1.0.2 Use IP address rather than hostname (Level 1, Scorable, 8, 9, 9.5)
  1.0.3 Leverage a least privilege principle (Level 1, Not Scorable, 8, 9, 9.5)
  1.0.4 Use non-standard account names (Level 1, Scorable, 8, 9, 9.5)
2. DB2 Directory and File Permissions
  2.0.1 Secure DB2 Runtime Library (Level 1, Scorable, 8, 9, 9.5)
  2.0.2 Secure all database containers (Level 1, Scorable, 8, 9, 9.5)
  2.0.3 Set umask value for DB2 admin user .profile file (Level 1, Scorable, 8, 9, 9.5)
3. DB2 Configurations
  3.1 DB2 Instance Parameter Settings
    3.1.1 Enable audit buffer (Level 2, Scorable, 8, 9, 9.5)
    3.1.2 Encrypt user data across the network (Level 2, Scorable, 8, 9, 9.5)
    3.1.3 Require explicit authorization for cataloging (Level 2, Scorable, 8, 9, 9.5)
    3.1.4 Disable data links support (Level 2, Scorable, 8)
    3.1.5 Secure default database location (Level 2, Scorable, 8, 9, 9.5)
    3.1.6 Secure permission of default database location (Level 1, Scorable, 8, 9, 9.5)
    3.1.7 Set diagnostic logging to capture errors and warnings (Level 2, Scorable, 8, 9, 9.5)
    3.1.8 Secure all diagnostic logs (Level 1, Scorable, 8, 9, 9.5)
    3.1.9 Require instance name for discovery requests (Level 2, Scorable, 8, 9, 9.5)
    3.1.10 Disable instance discoverability (Level 2, Scorable, 8, 9, 9.5)
    3.1.11 Authenticate federated users at the instance level (Level 2, Scorable, 8, 9, 9.5)
    3.1.12 Enable instance health monitoring (Level 2, Scorable, 8, 9, 9.5)
    3.1.13 Retain fenced model processes (Level 2, Scorable, 8, 9, 9.5)
    3.1.14 Set maximum connection limits (Level 2, Scorable, 8, 9, 9.5)
    3.1.15 Set administrative notification level (Level 2, Scorable, 8, 9, 9.5)
    3.1.16 Enable server-based authentication (Level 2, Scorable, 8, 9, 9.5)
    3.2.1 Set failed archive retry delay (Level 2, Scorable, 8, 9, 9.5)
    3.2.2 Auto-restart after abnormal termination (Level 2, Scorable, 8, 9, 9.5)
    3.2.3 Disable database discovery (Level 2, Scorable, 8, 9, 9.5)
    3.2.4 Establish secure archive log location (Level 1, Scorable, 8, 9, 9.5)
    3.2.5 Secure permission of the primary archive log location (Level 1, Scorable, 8, 9, 9.5)
    3.2.6 Establish secure secondary archive location (Level 1, Scorable, 8, 9, 9.5)
    3.2.7 Secure permission of the secondary archive location (Level 1, Scorable, 8, 9, 9.5)
    3.2.8 Establish secure tertiary archive log location (Level 1, Scorable, 8, 9, 9.5)
    3.2.9 Secure permission of the tertiary archive location (Level 1, Scorable, 8, 9, 9.5)
    3.2.10 Establish secure log mirror location (Level 1, Scorable, 8, 9)
    3.2.11 Establish retention set size for backups (Level 2, Scorable, 8, 9, 9.5)
    3.2.12 Set archive log failover retry limit (Level 2, Scorable, 8, 9, 9.5)
  3.3 Database Administration Server Settings
    3.3.1 Establish DAS administrative group (Level 1, Scorable, 8, 9, 9.5)
    3.3.2 Set a generic system name (Level 2, Scorable, 8, 9, 9.5)
    3.3.3 Disable DAS discoverability (Level 2, Scorable, 8, 9, 9.5)
    3.3.4 Do not execute expired tasks (Level 2, Scorable, 8, 9, 9.5)
    3.3.5 Secure the JDK runtime library (Level 2, Scorable, 8, 9, 9.5)
    3.3.6 Secure the JDK 64-bit runtime library (Level 2, Scorable, 8, 9, 9.5)
    3.3.7 Disable unused task scheduler (Level 2, Scorable, 8, 9, 9.5)
4. Label-Based Access Controls (LBAC)
  4.0.1 Enforce Label-Based Access Controls Implementation (Level 2, Not Scorable, 9, 9.5)
  4.0.2 Review Security Rule Exemptions (Level 1, Not Scorable, 9, 9.5)
  4.0.3 Review Security Label Component (Level 1, Not Scorable, 9, 9.5)
  4.0.4 Review Security Label Policies (Level 1, Not Scorable, 9, 9.5)
  4.0.5 Review Security Labels (Level 1, Not Scorable, 9, 9.5)
5. Database Maintenance
  5.0.1 Enable Redundancy (Level 2, Not Scorable, 8, 9, 9.5)
  5.0.2 Protecting Backups (Level 1, Not Scorable, 8, 9, 9.5)
  5.0.3 Enable Database Maintenance (Level 2, Scorable, 8, 9, 9.5)
  5.0.4 Schedule Runstat and Reorg (Level 1, Not Scorable, 8, 9, 9.5)
6. Securing Database Objects
  6.0.1 Restrict Access to SYSCAT.AUDITPOLICIES (Level 2, Scorable, 8, 9, 9.5)
  6.0.2 Restrict Access to SYSCAT.AUDITUSE (Level 2, Scorable, 8, 9, 9.5)
  6.0.3 Restrict Access to SYSCAT.DBAUTH (Level 2, Scorable, 8, 9, 9.5)
  6.0.4 Restrict Access to SYSCAT.COLAUTH (Level 2, Scorable, 8, 9, 9.5)
  6.0.5 Restrict Access to SYSCAT.EVENTS (Level 2, Scorable, 8, 9, 9.5)
  6.0.6 Restrict Access to SYSCAT.EVENTTABLES (Level 2, Scorable, 8, 9, 9.5)
  6.0.7 Restrict Access to SYSCAT.ROUTINES (Level 2, Scorable, 8, 9, 9.5)
  6.0.8 Restrict Access to SYSCAT.INDEXAUTH (Level 2, Scorable, 8, 9, 9.5)
  6.0.9 Restrict Access to SYSCAT.PACKAGEAUTH (Level 2, Scorable, 8, 9, 9.5)
  6.0.10 Restrict Access to SYSCAT.PACKAGES (Level 2, Scorable, 8, 9, 9.5)
  6.0.11 Restrict Access to SYSCAT.PASSTHRUAUTH (Level 2, Scorable, 8, 9, 9.5)
  6.0.12 Restrict Access to SYSCAT.SECURITYLABELACCESS (Level 2, Scorable, 8, 9, 9.5)
  6.0.13 Restrict Access to SYSCAT.SECURITYLABELCOMPONENTELEMENTS (Level 2, Scorable, 8, 9, 9.5)
  6.0.14 Restrict Access to SYSCAT.SECURITYLABELCOMPONENTS (Level 2, Scorable, 8, 9, 9.5)
  6.0.15 Restrict Access to SYSCAT.SECURITYLABELS (Level 2, Scorable, 8, 9, 9.5)
  6.0.16 Restrict Access to SYSCAT.SECURITYPOLICIES (Level 2, Scorable, 8, 9, 9.5)
  6.0.17 Restrict Access to SYSCAT.SECURITYPOLICYCOMPONENTRULES (Level 2, Scorable, 8, 9, 9.5)
  6.0.18 Restrict Access to SYSCAT.SECURITYPOLICYEXEMPTIONS (Level 2, Scorable, 8, 9, 9.5)
  6.0.19 Restrict Access to SYSCAT.SURROGATEAUTHIDS (Level 2, Scorable, 8, 9, 9.5)
  6.0.20 Restrict Access to SYSCAT.ROLEAUTH (Level 2, Scorable, 9.5)
  6.0.21 Restrict Access to SYSCAT.ROLES (Level 2, Scorable, 8, 9, 9.5)
  6.0.22 Restrict Access to SYSCAT.ROUTINEAUTH (Level 2, Scorable, 8, 9, 9.5)
  6.0.23 Restrict Access to SYSCAT.SCHEMAAUTH (Level 2, Scorable, 8, 9, 9.5)
  6.0.24 Restrict Access to SYSCAT.SCHEMATA (Level 2, Scorable, 8, 9, 9.5)
  6.0.25 Restrict Access to SYSCAT.SEQUENCEAUTH (Level 2, Scorable, 8, 9, 9.5)
  6.0.26 Restrict Access to SYSCAT.STATEMENTS (Level 2, Scorable, 8, 9, 9.5)
  6.0.27 Restrict Access to SYSCAT.PROCEDURES (Level 2, Scorable, 8, 9, 9.5)
  6.0.28 Restrict Access to SYSCAT.TABAUTH (Level 2, Scorable, 8, 9, 9.5)
  6.0.29 Restrict Access to SYSCAT.TBSPACEAUTH (Level 2, Scorable, 8, 9, 9.5)
  6.0.30 Restrict Access to Tablespaces (Level 2, Scorable, 8, 9, 9.5)
7. Entitlements
  7.0.1 Establish an administrator group (Level 2, Scorable, 8, 9, 9.5)
  7.0.2 Establish system control group (Level 2, Scorable, 8, 9, 9.5)
  7.0.3 Establish system maintenance group (Level 1, Scorable, 8, 9, 9.5)
  7.0.4 Establish system monitoring group (Level 1, Scorable, 8, 9, 9.5)
  7.0.5 Secure SECADM Authority (Level 1, Scorable, 9, 9.5)
  7.0.6 Secure DBADM Authority (Level 1, Scorable, 9, 9.5)
  7.0.7 Secure CREATETAB Authority (Level 1, Scorable, 9, 9.5)
  7.0.8 Secure BINDADD Authority (Level 1, Scorable, 9, 9.5)
  7.0.9 Secure CONNECT Authority (Level 1, Scorable, 9, 9.5)
  7.0.10 Secure NOFENCE Authority (Level 1, Scorable, 9, 9.5)
  7.0.11 Secure IMPLSCHEMA Authority (Level 1, Scorable, 9, 9.5)
  7.0.12 Secure LOAD Authority (Level 1, Scorable, 9, 9.5)
  7.0.13 Secure EXTERNALROUTINE Authority (Level 1, Scorable, 9, 9.5)
  7.0.14 Secure QUIESCECONNECT Authority (Level 1, Scorable, 9, 9.5)
8. General Policy and Procedures
  8.0.1 Start and Stop DB2 Instance (Level 1, Not Scorable, 8, 9, 9.5)
  8.0.2 Start and Stop DB2 Administrator Server (Level 2, Not Scorable, 8, 9, 9.5)
  8.0.3 Remove Unused Schemas (Level 1, Not Scorable, 8, 9, 9.5)
  8.0.4 Review System Tablespaces (Level 1, Not Scorable, 8, 9, 9.5)
  8.0.5 Remove Default Databases (Level 2, Scorable, 8, 9, 9.5)
  8.0.6 Enable SSL communication with LDAP server (Level 2, Scorable, 9.1, 9.5)
  8.0.7 Secure the permission of the IBMLDAPSecurity.ini file (Level 2, Scorable, 9.1, 9.5)
  8.0.8 Secure the permission of the SSLconfig.ini file (Level 2, Scorable, 9.1, 9.5)
Overview
This document, Security Configuration Benchmark for DB2, provides prescriptive guidance
for establishing a secure configuration posture for DB2 versions 8, 9 & 9.5 running on
Linux, UNIX, and Windows. This guide was tested against DB2 versions 9 and 9.5, as
installed by Fixpak 3a. To obtain the latest version of this guide, please visit
http://cisecurity.org. If you have questions, comments, or have identified ways to improve
this guide, please write us at [email protected].
Consensus Guidance
This guide was created using a consensus review process comprised of volunteer and
contract subject matter experts. Consensus participants provide perspective from a diverse
set of backgrounds including consulting, software development, audit and compliance,
security research, operations, government, and legal.
Each CIS benchmark undergoes two phases of consensus review. The first phase occurs
during initial benchmark development. During this phase, subject matter experts convene
to discuss, create, and test working drafts of the benchmark. This discussion occurs until
consensus has been reached on benchmark recommendations. The second phase begins
after the benchmark has been released to the public Internet. During this phase, all
feedback provided by the Internet community is reviewed by the consensus team for
incorporation in the CIS benchmark. If you are interested in participating in the consensus
review process, please send us a note to [email protected].
Intended Audience
This document is intended for system and application administrators, security specialists,
auditors, help desk, and platform deployment personnel, who plan to develop, deploy,
assess, or secure solutions that incorporate DB2 on Linux, UNIX, and Windows platforms.
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject
matter experts can accomplish through consensus collaboration. The CIS community
thanks the entire consensus team with special recognition to the following individuals who
contributed greatly to the creation of this guide:
Authors
Nam Wu, Qualys, Inc.
Contributors and Reviewers
Paul Griffiths, Goldman Sachs
David Futter, JPMorgan Chase
Blake Frantz, Center for Internet Security
Walid Rjaibi, IBM
Typographic Conventions
The following typographical conventions are used throughout this guide:
Convention / Meaning
Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>: Italic text set in angle brackets denotes a variable requiring substitution for a real value.
Italic font: Used to denote the title of a book, article, or other publication.
Note: Additional information or caveats.
Configuration Levels
This section defines the configuration levels that are associated with each benchmark
recommendation. Configuration levels represent increasing levels of security assurance.
Scoring Status
This section defines the scoring statuses used within this document. The scoring status
indicates whether compliance with the given recommendation is discernable in an
automated manner.
Scorable
The platform's compliance with the given recommendation can be determined via
automated means.
Not Scorable
The platform's compliance with the given recommendation cannot be determined via
automated means.
Database Version Affected
DB2 UDB v8
DB2 UDB v9
DB2 UDB v9.5
References:
1. http://www.ibm.com/products/finder/us/finders?Ne=5000000&finderN=1000188&pg=ddfinder&C1=5000002&C2=5000049
Remediation:
Reconfigure the connection string using the DB2 Configuration Assistant.
1. Launch the DB2 Configuration Assistant:
Default Value:
The default value in the hostname field is an IP address.
Audit:
1. For MS Windows: right-click the <$DB2 software directory>, select Properties from the
menu, go to the Security tab, and review all groups or user names that have access to
this directory.
For Unix: run ls -al <$DB2 software directory> and review all groups or user names
that have access to this directory.
1.
2.
3.
4.
5.
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Change the permission level of the directory to this recommended value
OS => chmod -R 740
Note: chmod -R also clears the group and other execute bits on every file and
subdirectory in the tree. Before applying it to sqllib, confirm that no other account
(for example the fenced user that runs fenced routines) needs to read or execute
anything under that directory.
Audit:
Perform the following DB2 command to obtain the value for this setting:
For MS Windows:
1.
2.
3.
4.
5.
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Review the permission level of the directory
OS => ls -al
Default Value:
Unix: <$DB2 Directory>/sqllib owned by the DB2 administrator with read, write, and
execute access.
MS Windows: <Drive:>\Program Files\IBM\SQLLIB owned by the DB2 administrator
with read, write, and execute access.
The containers are needed in order for the database to operate properly. The loss of the
containers can cause downtime and may allow an attacker to read sensitive data stored in
the containers. Therefore, secure the location(s) of the containers by restricting access
and ownership. Allow only the instance owner to have access to the tablespace containers.
Remediation:
Secure the directory of the containers. The recommended value is read-only for all
non-DB2-administrator accounts.
Audit:
Review all users that have access to the directory of the containers.
2.0.3 Set umask value for DB2 admin user .profile file (Level 1, Scorable, 8, 9,
9.5)
Description:
The DB2 Admin .profile file in UNIX sets the environment variables and the settings for the
user.
Rationale:
Ensure the umask value is 022 for the owner of the DB2 software before installing DB2.
Regardless of where the umask is set, umask must be set to 022 before installing DB2.
Remediation:
Add umask 022 to the .profile file.
Audit:
Ensure that the umask 022 setting exists in the .profile.
3. DB2 Configurations
3.1 DB2 Instance Parameter Settings
This section provides guidance on how DB2 will control the data in the databases and the
system resources that are allocated to the instance.
Audit:
Perform the following to determine if the audit buffer is set as recommended:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
(AUDIT_BUF_SZ) = 1000
3.1.2 Encrypt user data across the network (Level 2, Scorable, 8, 9, 9.5)
Description:
DB2 supports a number of authentication mechanisms. It is recommended that the
DATA_ENCRYPT authentication mechanism be used.
Rationale:
The DATA_ENCRYPT authentication mechanism employs cryptographic algorithms to protect
both the authentication credentials and user data as it traverses the network. Given this,
the confidentiality of authentication credentials and user data is ensured while in transit
between the DB2 client and server.
Remediation:
The recommended value is DATA_ENCRYPT: authentication occurs at the server, and both
the credentials and the user data are encrypted in transit.
Audit:
Perform the following to determine if the authentication mechanism is set as
recommended:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
Remediation:
Perform the following to require explicit authorization to catalog and uncatalog databases
and nodes.
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
Audit:
Perform the following to determine if explicit authorization is required to catalog and
uncatalog databases and nodes:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
(CATALOG_NOAUTH) = NO
Disable datalinks if there is no use for them. Datalinks can be a point of attack for an
adversary using corrupted or infected files.
Remediation:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Change the permission level of the directory
Audit:
Perform the following DB2 command to obtain the value for this setting:
For MS Windows:
1.
2.
3.
4.
5.
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Review the permission level of the directory
OS => ls -al
Default Value:
The default value for this directory is read-and-write access to non-administrator accounts.
3.1.7 Set diagnostic logging to capture errors and warnings (Level 2, Scorable,
8, 9, 9.5)
Description:
The diaglevel parameter specifies the type of diagnostic errors that will be recorded in
the db2diag.log file. It is recommended that the diaglevel parameter be set to at least 3.
Rationale:
The recommended diagnostic level setting is 3. This will allow the DB2 instance to capture
all errors and warnings that occur on the system.
Remediation:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
Audit:
Perform the following DB2 command to obtain the value for this setting:
(DIAGLEVEL) = 3
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
3.1.9 Require instance name for discovery requests (Level 2, Scorable, 8, 9, 9.5)
Description:
The discover parameter determines what kind of discovery requests, if any, the DB2
server will fulfill. It is recommended that the DB2 server only fulfill requests from clients
that know the given instance name.
Rationale:
Discovery capabilities may be used by a malicious entity to derive the names of and target
DB2 instances. In this configuration, the client has to specify a known instance name to be
able to detect the instance.
Remediation:
The recommended value is KNOWN. Note: this requires a db2 restart.
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
(DISCOVER) = KNOWN
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
(DISCOVER_INST) = DISABLE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
(FED_NOAUTH) = NO
Audit:
Perform the following DB2 command to obtain the value for this setting:
(HEALTH_MON) = ON
(KEEPFENCED) = NO
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
Note: MAX_CONNECTIONS is set to 150 and the MAXAGENTS is set to 150 in the above
output.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
(MAXAPPLS) = [99]
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
(NOTIFYLEVEL) = 3
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
(ARCHRETRYDELAY) = 20
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
(AUTORESTART) = ON
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
(DISCOVER_DB) = DISABLE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
(LOGARCHMETH1) = DISK:C:\DB2LOGS
3.2.5 Secure permission of the primary archive log location (Level 1, Scorable, 8,
9, 9.5)
Description:
The logarchmeth1 parameter specifies the type of media used as the primary destination
for archived logs. It is recommended that the permissions on the archive log location be
set to read-only for non-administrator accounts.
Rationale:
The recommended value is read-only (RO) for Everyone/Other/Users/Domain Users. This
ensures that the archive logs are protected.
Remediation:
For MS Windows:
1.
2.
3.
4.
5.
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Change the permission level of the directory
OS => chmod -R 744
Audit:
Perform the following DB2 command to obtain the value for this setting:
For MS Windows:
1.
2.
3.
4.
5.
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Review the permission level of the directory
OS => ls -al
Default Value:
The default value for a directory is read-and-write access.
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
(LOGARCHMETH2) = DISK:C:\DB2LOGS2
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Change the permission level of the directory
OS => chmod -R 744
Audit:
Perform the following DB2 command to obtain the value for this setting:
For MS Windows:
1.
2.
3.
4.
5.
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Review the permission level of the directory
OS => ls -al
Default Value:
The default value for a directory is read-and-write access.
3.2.8 Establish secure tertiary archive log location (Level 1, Scorable, 8, 9, 9.5)
Description:
The failarchpath parameter specifies the location for the archive logs if the primary or
the secondary archive destination is not available. It is recommended that this parameter
be set to point to a secure location.
Rationale:
Ensure that a valid path is specified for this setting so that archive logs can have an
alternate failover destination due to media problems. Access to the destination location
should only be granted to the DB2 system administrator; and give read-only privilege to
non-privileged users.
Remediation:
1. Connect to the DB2 database
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
3.2.9 Secure permission of the tertiary archive location (Level 1, Scorable, 8, 9, 9.5)
Description:
The failarchpath parameter specifies the tertiary destination for archived logs, used
when the primary and secondary destinations are unavailable. It is recommended that the
permissions on that location be set to read-only for non-administrator accounts.
Rationale:
The recommended value is read-only (RO) for Everyone/Other/Users/Domain Users. This
ensures that the archive logs are protected.
Remediation:
For MS Windows:
1.
2.
3.
4.
5.
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Change the permission level of the directory
OS => chmod -R 744
Audit:
Perform the following DB2 command to obtain the value for this setting:
For MS Windows:
1.
2.
3.
4.
5.
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Review the permission level of the directory
OS => ls -al
Default Value:
The default value for a directory is read-and-write access.
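The directory checks in 2.0.1, 2.0.2, 3.1.6, 3.1.8 and 3.2.5, 3.2.7 and 3.2.9 above all reduce to the same two questions: does any entry under the location carry a permission bit that the recommended mode (740 for sqllib, 744 for the log locations) does not allow, and is every entry owned by the expected account. The following shell script is an added example, not part of the CIS benchmark text, that turns the ls -al review and the chmod -R remediation into a repeatable check. It assumes GNU coreutils stat -c (Linux); the directory names and the db2inst1 account in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text: audit a directory tree
# against an octal mode ceiling and an expected owner, then remediate.
# Assumes GNU coreutils `stat -c` (Linux); adjust for AIX/Solaris/BSD stat.

# Print "mode path" for each entry under $1 whose mode sets any bit that the
# ceiling $2 (e.g. 740 for sqllib, 744 for archive log paths) does not allow.
audit_tree_mode() {
    find "$1" -print | while IFS= read -r p; do
        mode=$(stat -c '%a' "$p")
        # a leading 0 makes the shell read both strings as octal; ANDing the
        # mode with the complement of the ceiling leaves only the excess bits
        if [ $(( 0$mode & ~0$2 )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$p"
        fi
    done
}

# Print "owner path" for each entry under $1 not owned by account $2
# (the instance owner for sqllib and the tablespace containers).
audit_tree_owner() {
    find "$1" -print | while IFS= read -r p; do
        u=$(stat -c '%U' "$p")
        [ "$u" = "$2" ] || printf '%s %s\n' "$u" "$p"
    done
}

# Total findings for tree $1 with ceiling $2 and owner $3; 0 means compliant.
count_findings() {
    { audit_tree_mode "$1" "$2"; audit_tree_owner "$1" "$3"; } | wc -l | tr -d ' '
}

# The benchmark's remediation for tree $1 with mode $2, to be run only after
# the audit has shown what will change; ownership is left to chown by an
# administrator because it normally needs root.
remediate_tree() {
    chmod -R "$2" "$1"
}

# Typical use (paths and account are placeholders for a real instance):
#   count_findings /home/db2inst1/sqllib 740 db2inst1
#   audit_tree_mode /db2/archlogs 744; remediate_tree /db2/archlogs 744
```

Run the audit functions first and read their output before calling remediate_tree: chmod -R applies the same mode to files and directories, so on a directory tree the 740 or 744 ceiling removes group and other traversal as well as write access, which is the benchmark's intent but can surprise any non-owner process that still expects to open files there.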
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
(MIRRORLOGPATH) = C:\DB2MIRRORLOGS
3.2.11 Establish retention set size for backups (Level 2, Scorable, 8, 9, 9.5)
Description:
The num_db_backups parameter specifies the number of backups to retain for a database
before older backups are marked for deletion. It is recommended that this parameter be
set to at least 12.
Rationale:
Retain multiple copies of the database backup to ensure that the database can recover from
an unexpected failure. This parameter should not be set to 0. Multiple backups should be
kept to ensure that all logs and transactions can be used for auditing.
Remediation:
1. Connect to the DB2 database
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
(NUM_DB_BACKUPS) = 12
3.2.12 Set archive log failover retry limit (Level 2, Scorable, 8, 9, 9.5)
Description:
The numarchretry parameter determines how many times a database will try to archive
the log file to the primary or the secondary archive destination before trying the failover
directory. It is recommended that this parameter be set to 5.
Rationale:
Establishing a failover retry limit ensures that the database always has a means to
recover from an abnormal termination. This parameter should not be set to 0. The
recommended value is 5.
Remediation:
1. Connect to the DB2 database
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
(NUMARCHRETRY) = 5
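The audit steps for 3.2.11 and 3.2.12 read the `(PARAMETER) = value` lines that `db2 get db cfg` prints. The following is an added example, not part of the CIS benchmark, that parses such output and applies both checks; the configuration excerpt it uses is constructed sample output, not captured from a real instance.

```shell
#!/bin/sh
# Added example, not taken from the CIS benchmark: evaluate the 3.2.11 and
# 3.2.12 recommendations against the "(PARAMETER) = value" lines that
# "db2 get db cfg" prints.  The configuration excerpt below is constructed
# sample output, not captured from a real instance.

# cfg_value PARAM < db-cfg-output
#   Print the value of PARAM (case-insensitive), or nothing if it is absent.
cfg_value() {
    awk -v param="$1" '
        BEGIN { key = "(" toupper(param) ")" }
        index($0, key) {
            sub(/.*= ?/, "")              # keep only the text after "= "
            sub(/[[:space:]]+$/, "")      # drop trailing blanks
            print; exit
        }'
}

# is_number VALUE : true for a non-empty string of decimal digits.
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# check_num_db_backups CFGFILE : 3.2.11, at least 12 backups retained.
check_num_db_backups() {
    v=$(cfg_value NUM_DB_BACKUPS < "$1")
    is_number "$v" || { echo "FAIL: NUM_DB_BACKUPS missing or not numeric"; return 1; }
    if [ "$v" -ge 12 ]; then
        echo "PASS: NUM_DB_BACKUPS = $v"
    else
        echo "FAIL: NUM_DB_BACKUPS = $v (expected at least 12)"; return 1
    fi
}

# check_numarchretry CFGFILE : 3.2.12, recommended value 5, never 0.
check_numarchretry() {
    v=$(cfg_value NUMARCHRETRY < "$1")
    is_number "$v" || { echo "FAIL: NUMARCHRETRY missing or not numeric"; return 1; }
    if [ "$v" -eq 5 ]; then
        echo "PASS: NUMARCHRETRY = $v"
    elif [ "$v" -eq 0 ]; then
        echo "FAIL: NUMARCHRETRY = 0 (the benchmark says this must not be 0)"; return 1
    else
        echo "FAIL: NUMARCHRETRY = $v (expected 5)"; return 1
    fi
}

# sample_db_cfg : constructed excerpt in the layout of "db2 get db cfg".
sample_db_cfg() {
    printf '%s\n' \
      ' Number of database backups to retain   (NUM_DB_BACKUPS) = 12' \
      ' Number of log archive retries on error   (NUMARCHRETRY) = 5' \
      ' Failover log archive path                (FAILARCHPATH) = '
}

# Run both checks against the constructed sample.
tmp=$(mktemp -d)
sample_db_cfg > "$tmp/dbcfg.txt"
check_num_db_backups "$tmp/dbcfg.txt" || :
check_numarchretry "$tmp/dbcfg.txt" || :
rm -rf "$tmp"
```

On a live system, redirect the real output into the file instead of the sample: `db2 get db cfg for $DB2DATABASE > dbcfg.txt`.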
Rationale:
The DAS is a special administrative tool that enables remote administration of DB2 servers.
DASADM authority is the highest level of authority within the DAS. Restrict non-essential
users from this group since it may allow malicious users to tamper with the administration
of the DB2 servers.
Remediation:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
Remediation:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
(DB2SYSTEM) = QANODE1
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
(DISCOVER) = DISABLE
Audit:
Perform the following DB2 command to obtain the value for this setting:
(EXEC_EXP_TASK) = NO
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
(JDK_PATH) =
2.3.6 Secure the JDK 64-bit runtime library (Level 2, Scorable, 8, 9, 9.5)
Description:
The jdk_64_path parameter specifies the 64-Bit Software Developer's Kit (SDK) for Java
directory for the DB2 administration server. It is recommended that the location pointed
to by this parameter contain a current version of the JDK and be secured.
Rationale:
Maintaining JDK currency will ensure known exploitable conditions are mitigated. Ensuring
that the location of the JDK is secure will help prevent malicious entities from
compromising the integrity of Java runtime and therefore the administrative facilities of
the DB server.
Remediation:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
(JDK_64_PATH) =
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
(SCHED_ENABLE) = OFF
4.
This section provides guidance on a new feature in DB2 V9.1 that can control read and
write access of a user at the table column and row level. This feature is a separately
licensed component of DB2; therefore, apply these settings where appropriate.
5. Database Maintenance
This section provides guidance on protecting and maintaining the database instance.
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database:
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
(AUTO_MAINT) = ON
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
This view contains sensitive information about the types of objects being audited.
Access to audit usage information may aid a malicious user in avoiding detection.
Remediation:
Revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Description:
The SYSCAT.INDEXAUTH view lists the users and groups that have CONTROL access on an
index. It is recommended that the PUBLIC role be restricted from accessing this view.
Rationale:
The list of all users with access to an index shall not be exposed to the public.
Remediation:
Revoke access from PUBLIC.
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Rationale:
Public should not be able to view all the security components and the database security
policy.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Grant the USE of tablespace privilege to only authorized users. Restrict the privilege from
PUBLIC, where applicable, since a malicious user can cause a denial of service at the
tablespace level by overloading it with corrupted data.
Remediation:
Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
7. Entitlements
This section provides guidance on securing the entitlements that exist in the DB2 instance
and database.
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
(SYSADM_GROUP) = DB2SYS
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
(SYSCTRL_GROUP) = DB2CTRL
Remediation:
Define a valid group name to the SYSMAINT group. Note: this parameter does not apply on
MS Windows.
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
(SYSMAINT_GROUP) = DB2MAINT
Review all users belonging to the assigned group for the SYSMON authority since it has the
ability to perform system snapshots at both the database and instance level.
Remediation:
Define a valid group name to the SYSMON group.
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Attach to the DB2 instance.
db2 => attach to $DB2INSTANCE
(SYSMON_GROUP) = DB2MON
authority has no inherent privilege to access data stored in tables. It is recommended that
the secadm role be granted to authorized users only.
Rationale:
Review all users that have access to this authority.
Remediation:
Revoke this permission from any unauthorized users.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
References:
http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.admin.doc/doc/r0000103.htm?resultof=bindadd
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
Perform the following DB2 command to obtain the value for this setting:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Only privileged users should have access to start and stop the DB2 instance. This will
ensure that the DB2 instance is controlled by authorized administrators.
Remediation:
Revoke access from any unnecessary users.
1. Connect to the host
2. Review users and groups that have access to start and stop the DB2 instance
Audit:
On MS Windows: go to Start, then to the Run option. Type in services.msc in the
command prompt. Locate the DB2 service and identify the user/group that can start and
stop the service.
On Unix: Identify the members of the local DB2 admin group that has access to stop and
start the DB2 instance.
8.0.2 Start and Stop DB2 Administrator Server (Level 2, Not Scorable, 8, 9, 9.5)
Description:
The DB2 administration server responds to remote requests from administration tools and
client utilities. It is recommended that only administrators are allowed to start and stop
the DB2 administration server.
Rationale:
Only privileged users should have access to start and stop the DB2 administration server.
This will ensure that the DB2 administration server is controlled by authorized
administrators.
Remediation:
Revoke access from any unnecessary users.
1. Connect to the host
2. Review users and groups that have access to start and stop the DB2 instance
Audit:
On MS Windows: go to Start, then to the Run option. Type in services.msc in the
command prompt. Locate the DB2DAS service and identify the user/group that can start
and stop the service.
On Unix: Identify the members of the local DB2 admin group that has access to stop and
start the db2admin command.
Rationale:
Unused schemas can be left unmonitored and may be subjected to abuse and therefore
should be removed.
Remediation:
Revoke access from any unnecessary users.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
Audit:
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Review unused users and user objects that are stored in the system tablespaces
Audit:
1. Connect to the DB2 database.
Audit:
Perform the following DB2 command to obtain the list of databases:
1. Attach to the DB2 instance
db2 => attach to $DB2INSTANCE
 Database alias                       = SAMPLE
 Database name                        = SAMPLE
 Local database directory             = C:
 Database release level               = c.00
 Comment                              =
 Directory entry type                 = Indirect
 Catalog database partition number    = 0
8.0.6 Enable SSL communication with LDAP server (Level 2, Scorable, 9.1, 9.5)
Description:
The communication layer between a DB2 instance and the LDAP server should be
encrypted. It is recommended that the ENABLE_SSL parameter in the IBMLDAPSecurity.ini
file be set to TRUE.
Rationale:
SSL should be enabled between the DB2 instance and the LDAP server to prevent the user ID
and password from being sent in plain text.
Note: the file is located under INSTANCE_HOME/sqllib/cfg/, for Unix; and %DB2PATH%\cfg\,
for MS Windows.
Remediation:
Set the parameter:
1. Connect to the DB2 host
2. Edit the IBMLDAPSecurity.ini file
3. Add or modify the file to include the following parameter:
ENABLE_SSL = TRUE
Audit:
Perform the following command to obtain the parameter setting:
1. Connect to the DB2 host
2. Edit the IBMLDAPSecurity.ini file
3. Verify the existence of this parameter:
ENABLE_SSL = TRUE
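The audit step above is a manual inspection of IBMLDAPSecurity.ini. The following is an added example, not part of the CIS benchmark, that performs the same check from a script: it tolerates comments, spacing and case differences, and treats a commented-out or missing ENABLE_SSL as a failure. The sample files it writes are constructed for the demonstration, not real DB2 configuration.

```shell
#!/bin/sh
# Added example, not taken from the CIS benchmark: audit an
# IBMLDAPSecurity.ini file for the ENABLE_SSL = TRUE setting (8.0.6).

# check_enable_ssl FILE
#   Prints a PASS/FAIL line and returns 0 when ENABLE_SSL is TRUE,
#   1 when the file is unreadable or the parameter is missing or not TRUE.
check_enable_ssl() {
    ini="$1"
    [ -r "$ini" ] || { echo "FAIL: $ini is not readable"; return 1; }
    # Strip Windows line endings, skip ';' and '#' comment lines, and keep the
    # value of the last uncommented ENABLE_SSL assignment (later entries win).
    value=$(tr -d '\r' < "$ini" | awk -F= '
        /^[[:space:]]*[;#]/ { next }
        {
            key = $1; sub(/^[[:space:]]+/, "", key); sub(/[[:space:]]+$/, "", key)
            if (toupper(key) == "ENABLE_SSL") {
                v = $2; sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
                last = v
            }
        }
        END { print last }')
    case "$(printf '%s' "$value" | tr '[:lower:]' '[:upper:]')" in
        TRUE) echo "PASS: ENABLE_SSL = $value in $ini"; return 0 ;;
        "")   echo "FAIL: ENABLE_SSL is not set in $ini"; return 1 ;;
        *)    echo "FAIL: ENABLE_SSL = $value in $ini (expected TRUE)"; return 1 ;;
    esac
}

# Constructed sample files (not real DB2 configuration) exercising the check:
# one compliant file and one where the setting is only present as a comment.
tmpdir=$(mktemp -d)
printf 'LDAP_HOST = ldap.example.internal\nENABLE_SSL = TRUE\n' > "$tmpdir/good.ini"
printf '; ENABLE_SSL = TRUE\nLDAP_HOST = ldap.example.internal\n' > "$tmpdir/bad.ini"
check_enable_ssl "$tmpdir/good.ini" || :
check_enable_ssl "$tmpdir/bad.ini"  || :
rm -rf "$tmpdir"
```

On a live host, point the function at INSTANCE_HOME/sqllib/cfg/IBMLDAPSecurity.ini (Unix) or %DB2PATH%\cfg\IBMLDAPSecurity.ini (MS Windows) as noted above.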
Note: the file is located under INSTANCE_HOME/sqllib/cfg/, for Unix; and %DB2PATH%\cfg\,
for MS Windows.
Remediation:
For MS Windows:
1. Connect to the DB2 host
2. Right-click over the file directory
3. Choose Properties
4. Select the Security tab
5. Select all non-administrator accounts and revoke the Full Control authority
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Change the permission level of the directory
OS => chmod -R 740
Audit:
Perform the following DB2 command to obtain the value for this setting:
For MS Windows:
1. Connect to the DB2 host
2. Right-click over the file directory
3. Choose Properties
4. Select the Security tab
5. Review access from all non-administrator accounts
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Review the permission level of the directory
OS => ls -al
Default Value: The default value for this directory is read-and-write access to non-administrator accounts.
8.0.8 Secure the permission of the SSLconfig.ini file (Level 2, Scorable, 9.1, 9.5)
Description:
The SSLconfig.ini file contains the SSL configuration parameters for the DB2 instance,
including the password for KeyStore.
Rationale:
The recommended value is read-only (RO) for Everyone/Other/Users/Domain Users. This will
ensure that the parameter file is protected.
Note: the file is located under INSTANCE_HOME/cfg/, for Unix; and %INSTHOME%\, for MS
Windows. Only the instance owner should have access to this file.
Remediation:
For MS Windows:
1. Connect to the DB2 host
2. Right-click over the file directory
3. Choose Properties
4. Select the Security tab
5. Select all non-administrator accounts and revoke the Full Control authority
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Change the permission level of the directory
OS => chmod -R 740
Audit:
Perform the following DB2 command to obtain the value for this setting:
For MS Windows:
1. Connect to the DB2 host
2. Right-click over the file directory
3. Choose Properties
4. Select the Security tab
5. Review access from all non-administrator accounts
For Unix:
1. Connect to the DB2 host
2. Change to the file directory
3. Review the permission level of the directory
OS => ls -al
Default Value: The default value for this directory is read-and-write access to non-administrator accounts.
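The Unix audit steps for the archive log directory (3.2.9, recommended mode 744) and for SSLconfig.ini (8.0.8, recommended mode 740) both end at reading `ls -al` output by eye. The following is an added example, not part of the CIS benchmark, that turns that reading into a check: it decodes the permission string printed by `ls -l` and reports any bit set beyond the recommended mode. The temporary files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not taken from the CIS benchmark: audit the permission bits
# of the archive log directory (3.2.9, at most 744) and the SSLconfig.ini file
# (8.0.8, at most 740) from the same "ls -l" output the audit steps use.

# perms_within PERMSTRING MAXOCTAL
#   PERMSTRING is the first field of "ls -l", e.g. drwxr--r--; MAXOCTAL is the
#   most permissive acceptable mode, e.g. 744.  Returns 0 when no rwx bit is
#   set beyond the allowed ones, 1 otherwise.  Lowercase s/t mean the x bit is
#   also set; uppercase S/T mean it is clear.
perms_within() {
    p="$1"; max="$2"
    actual=0
    pos=2                                   # position 1 is the file type
    while [ "$pos" -le 10 ]; do
        c=$(printf '%s' "$p" | cut -c "$pos")
        case "$c" in
            r|w|x|s|t) bit=1 ;;
            *)         bit=0 ;;             # '-', 'S', 'T': bit clear
        esac
        actual=$(( actual * 2 + bit ))      # builds the 9-bit rwxrwxrwx value
        pos=$(( pos + 1 ))
    done
    allowed=0                               # octal digits -> decimal
    for d in $(printf '%s' "$max" | sed 's/./& /g'); do
        allowed=$(( allowed * 8 + d ))
    done
    # Any bit set in the actual mode but not in the allowed mode is a finding.
    [ $(( actual & ~allowed )) -eq 0 ]
}

# check_path PATH MAXOCTAL
#   Runs "ls -ld" as the audit step does, prints PASS/FAIL, returns 0 on PASS.
check_path() {
    target="$1"; max="$2"
    perms=$(ls -ld "$target" 2>/dev/null | awk '{ print $1 }')
    [ -n "$perms" ] || { echo "FAIL: $target does not exist"; return 1; }
    if perms_within "$perms" "$max"; then
        echo "PASS: $target is $perms (within $max)"
    else
        echo "FAIL: $target is $perms (exceeds $max)"; return 1
    fi
}

# Constructed sample paths (not a real instance) exercising both checks.
tmp=$(mktemp -d)
mkdir "$tmp/archlogs";        chmod 744 "$tmp/archlogs"
: > "$tmp/SSLconfig.ini";     chmod 640 "$tmp/SSLconfig.ini"
: > "$tmp/loose.ini";         chmod 666 "$tmp/loose.ini"
check_path "$tmp/archlogs" 744      || :
check_path "$tmp/SSLconfig.ini" 740 || :
check_path "$tmp/loose.ini" 740     || :
rm -rf "$tmp"
```

On a live host, call `check_path` with the real archive log directory and with INSTANCE_HOME/cfg/SSLconfig.ini; a trailing `.` or `+` that some `ls` builds append for ACLs is ignored, so ACL entries still need the manual review.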
9.0.2 Secure DB2 Configuration Assistant Utility (Level 1, Not Scorable, 8, 9, 9.5)
Description:
The DB2 Configuration Assistant is a management tool that manages all connectivity setup
to the DB2 instances and databases. It is recommended that the Configuration Assistant
utility be granted to authorized users only.
Rationale:
Secure this application where applicable, since it has access to the DB2 instance name, the
host it resides on, the database name, and the port number.
Remediation:
Revoke access from any unnecessary users.
1. Connect to the host
2. Review users and groups that have access to start the DB2 Configuration Assistant
Audit:
Locate the <DB2 install>\SQLLIB\BIN\db2ca executable and identify the users/groups
that have access to it.
9.0.3 Secure DB2 Health Monitor Utility (Level 1, Not Scorable, 8, 9, 9.5)
Description:
The DB2 Health Monitor is a management tool that manages information about the
database manager, database, tablespaces and tablespace containers. It is recommended
that the DB2 Health Monitor utility be granted to authorized users only.
Rationale:
Secure this application where applicable, since it has sensitive information about the health
of the database.
Remediation:
Revoke access from any unnecessary users.
1. Connect to the host
2. Review users and groups that have access to start the DB2 Health Center
Audit:
Locate the <DB2 install>\SQLLIB\BIN\db2hc executable and identify the users/groups
that have access to it.