STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019: STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019:SV-89119r1_rule
V-74445
SRG-APP-000092-DB-000208
DB2X-00-001000
CAT II
10
Define an audit policy using the CREATE AUDIT POLICY SQL statement:
DB2> CREATE AUDIT POLICY <user audit policy name>
CATEGORIES AUDIT STATUS BOTH, CHECKING STATUS BOTH, CONTEXT STATUS BOTH, EXECUTE WITH DATA STATUS BOTH, OBJMAINT STATUS BOTH, SECMAINT STATUS BOTH, SYSADMIN STATUS BOTH, VALIDATE STATUS BOTH ERROR TYPE AUDIT
To modify an existing audit policy, replace "CREATE" with "ALTER" in the preceding statement. Only the categories explicitly named in the statement will be affected. In this case, the changes take effect immediately.
If CREATE was used above, apply the correct audit policy to either the database as a whole or to the specific user using one of these two statements:
DB2> AUDIT DATABASE USING POLICY <user audit policy name>
Or
DB2> AUDIT USER <user name> USING POLICY <user audit policy name>
Note: This requirement is to audit suspicious user activity. For a targeted session activity use the AUDIT USER command after the policy has been created. For a general database level use the AUDIT DATABASE command.
Determine whether there are any individuals for whom the organization requires session auditing. If there are none, this is not a finding.
Type in the following command to check whether or not the user under investigation is being audited:
DB2> SELECT AUDITPOLICYNAME, OBJECTNAME, OBJECTTYPE
FROM SYSCAT.AUDITUSE
WHERE OBJECTTYPE IN ('i',' ')
If no rows are returned, this is a finding.
If a row with the OBJECTTYPE of ' ' (Database; value is a blank) exists in the output, it is a database level policy.
If a row with the OBJECTTYPE of 'i' exists in the output, it is a user level policy.
For each audit policy returned in the statement above, run the following SQL statement to confirm that all categories are part of that policy:
DB2> SELECT * FROM SYSCAT.AUDITPOLICIES
If there is an audit policy defined at the database level with the values for the all the audit category columns set to 'B' (Both) and the value in the ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y' this is not a finding.
If the database policy does not exist or does not cover all the categories with ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y' then check if the appropriate policies are defined for all the required users.
If the audit policy is defined on the users under investigation and does not have the values for all the audit category columns set to 'B' (Both) and the value in the ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y', this is a finding.
V-74445
False
DB2X-00-001000
Determine whether there are any individuals for whom the organization requires session auditing. If there are none, this is not a finding.
Type in the following command to check whether or not the user under investigation is being audited:
DB2> SELECT AUDITPOLICYNAME, OBJECTNAME, OBJECTTYPE
FROM SYSCAT.AUDITUSE
WHERE OBJECTTYPE IN ('i',' ')
If no rows are returned, this is a finding.
If a row with the OBJECTTYPE of ' ' (Database; value is a blank) exists in the output, it is a database level policy.
If a row with the OBJECTTYPE of 'i' exists in the output, it is a user level policy.
For each audit policy returned in the statement above, run the following SQL statement to confirm that all categories are part of that policy:
DB2> SELECT * FROM SYSCAT.AUDITPOLICIES
If there is an audit policy defined at the database level with the values for the all the audit category columns set to 'B' (Both) and the value in the ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y' this is not a finding.
If the database policy does not exist or does not cover all the categories with ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y' then check if the appropriate policies are defined for all the required users.
If the audit policy is defined on the users under investigation and does not have the values for all the audit category columns set to 'B' (Both) and the value in the ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y', this is a finding.
M
3161