STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019

DB2 must protect the confidentiality and integrity of all information at rest.

DISA Rule

SV-89175r2_rule

Vulnerability Number

V-74501

Group Title

SRG-APP-000231-DB-000154

Rule Version

DB2X-00-005400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

To create the database using DB2 native encryption run the following command:

$db2 create db <database name> encrypt

Note: Select the following link for details on how to set up DB2 native encryption:
http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0061766.html?lang=en

If a third-party tool is used for database encryption (IBM highly recommends using IBM Guardium), use the third-party tool's specific check and fix.

Check Contents

If the application owner and Authorizing Official have determined that encryption of data at rest is NOT required, this is not a finding.

To protect the confidentiality and integrity of information at rest, the database must be encrypted. Either DB2 native encryption or a third-party tool such as IBM Guardium can provide encryption of data at rest.

To find if a database is encrypted with DB2 native encryption, run the following SQL Query:
DB2> SELECT SUBSTR(OBJECT_NAME,1,8) AS NAME, SUBSTR(ALGORITHM,1,8) ALGORITHM
FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO())
WHERE OBJECT_TYPE='DATABASE'

If the value of the ALGORITHM column is NULL for the database, this is a finding.

If the database is not encrypted with native encryption or any third-party tool, this is a finding.
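As an added example (not part of the STIG text or any IBM tool), the following POSIX shell script runs the check query above through the db2 command line processor and applies the rule's decision: a NULL ALGORITHM for the database row is a finding. It assumes db2 CLP -x output (column headings suppressed, NULL rendered as "-") and that the caller can connect to the database as the instance owner.

```shell
#!/bin/sh
# Added example for DB2X-00-005400: evaluate DB2 native encryption status.

# The check's query, unchanged from the STIG text.
ENCRYPTION_QUERY="SELECT SUBSTR(OBJECT_NAME,1,8) AS NAME, SUBSTR(ALGORITHM,1,8) ALGORITHM FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO()) WHERE OBJECT_TYPE='DATABASE'"

# evaluate_encryption_rows: reads query rows on stdin in db2 CLP -x format
# (assumption: no headings, NULL printed as "-"), prints one verdict per row.
# Returns 0 if every database row reports an algorithm, 1 if any row has a
# NULL algorithm (a CAT II finding), 2 if no database row was returned.
evaluate_encryption_rows() {
    finding=0
    rows=0
    while read -r name algorithm _; do
        [ -z "$name" ] && continue
        rows=$((rows + 1))
        if [ -z "$algorithm" ] || [ "$algorithm" = "-" ]; then
            echo "FINDING: database $name has no native encryption (ALGORITHM is NULL)"
            finding=1
        else
            echo "NOT A FINDING: database $name is encrypted with $algorithm"
        fi
    done
    [ "$rows" -eq 0 ] && return 2
    return "$finding"
}

# check_db2_encryption DBNAME: connect, run the check query, evaluate,
# and propagate the verdict as the exit status (0 pass, 1 finding, 2 error).
check_db2_encryption() {
    db=$1
    db2 connect to "$db" >/dev/null || return 2
    db2 -x "$ENCRYPTION_QUERY" | evaluate_encryption_rows
    rc=$?
    db2 connect reset >/dev/null
    return "$rc"
}
```

Databases encrypted by a third-party tool will still report a NULL algorithm here, so a status of 1 must be reconciled against that tool's own check before being recorded as a finding.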

Vulnerability Number

V-74501

Documentable

False

Rule Version

DB2X-00-005400

Severity Override Guidance

Check Content Reference

M

Target Key

3161

Comments