STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019: STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019:SV-89103r1_rule
V-74429
SRG-APP-000001-DB-000031
DB2X-00-000200
CAT II
10
Create the stored procedure per organization guidelines to restrict the number of concurrent sessions using the CREATE or REPLACE procedure:
DB2> CREATE or REPLACE PROCEDURE <DBINST1.MY_CONNECT> (Example below.)
Update the database CONNECT_PROC parameter to set to the procedure created in previous step:
$db2 update db cfg using CONNECT_PROC db2inst1.my_connect
Grant execute to the public to connect the procedure.
DB2> GRANT EXECUTE ON procedure <schema>.MY_CONNECT_MAIN TO PUBLIC
Note: This is an example. Modify and test to comply with organization policy.
CREATE OR REPLACE PROCEDURE db2inst1.my_connect_main()
BEGIN
DECLARE vcount integer;
DECLARE vcount_admin integer;
SELECT COUNT(*) INTO vcount FROM table(mon_get_connection(NULL, NULL, 0)) WHERE session_auth_id = session_user and application_handle != mon_get_application_handle();
SELECT COUNT(*) INTO vcount_admin FROM table (sysproc.auth_list_authorities_for_authid(session_user,'U')) as t WHERE authority in ('SYSMON','SYSADM','DBADM','SECADM','SYSCTRL','SYSMAINT')and (d_user='Y' OR d_group='Y' OR d_public='Y' OR role_user='Y' or role_group='Y' or role_public='Y' or d_role='Y');
IF (vcount_admin > 0 AND vcount > 5)
THEN
SIGNAL SQLSTATE '42502' SET MESSAGE_TEXT='Connection refused. More than 5 connections not allowed for admin!';
ELSEIF (vcount > 3 AND vcount_admin = 0)
THEN
SIGNAL SQLSTATE '42502' SET MESSAGE_TEXT='Connection refused. More than 3 connections not allowed!';
END IF;
END
@
Note: @ sign in above statement is statement terminator, using db2 –t option, statement terminator can be changed
DB2> GRANT EXECUTE ON PROCEDURE db2inst1.my_connect_main TO PUBLIC
$db2 UPDATE DB CFG USING CONNECT_PROC db2inst1. my_connect_main
Determine whether the system documentation specifies limits on the number of concurrent DBMS sessions per account by type of user. If it does not, assume a limit of 10 for database administrators and 2 for all other users.
The DB2 CONNECT_PROC configuration parameter allows the input of a two-part connect procedure name that will implicitly be executed every time an application connects to the database.
Find the value of CONNECT_PROC by running the following command:
$db2 get db cfg
If the value of CONNECT_PROC is null (i.e., not set), this is a finding.
If the value of CONNECT_PROC is set, run the following command to review the DDL for the connect procedure:
DB2> SELECT text FROM SYSCAT.ROUTINES WHERE ROUTINENAME=<MY_CONNECT>
If the connect procedure does not restrict the user sessions as per organization guidelines, this is a finding.
V-74429
False
DB2X-00-000200
Determine whether the system documentation specifies limits on the number of concurrent DBMS sessions per account by type of user. If it does not, assume a limit of 10 for database administrators and 2 for all other users.
The DB2 CONNECT_PROC configuration parameter allows the input of a two-part connect procedure name that will implicitly be executed every time an application connects to the database.
Find the value of CONNECT_PROC by running the following command:
$db2 get db cfg
If the value of CONNECT_PROC is null (i.e., not set), this is a finding.
If the value of CONNECT_PROC is set, run the following command to review the DDL for the connect procedure:
DB2> SELECT text FROM SYSCAT.ROUTINES WHERE ROUTINENAME=<MY_CONNECT>
If the connect procedure does not restrict the user sessions as per organization guidelines, this is a finding.
M
3161