SV-89239r1_rule
V-74565
SRG-APP-000340-DB-000304
DB2X-00-007000
CAT I
10
Use the appropriate OS utility to remove non-authorized users from the privileged groups (SYSADM_GROUP, SYSCTRL_GROUP, SYSMAINT_GROUP, SYSMON_GROUP).
Use the REVOKE command to revoke database-level authorities or object privileges from non-authorized users.
Note: The following views and table functions list information about privileges held by users, identities of users granting privileges, and object ownership:
SYSCAT.COLAUTH: Lists the column privileges
SYSCAT.DBAUTH: Lists the database privileges
SYSCAT.INDEXAUTH: Lists the index privileges
SYSCAT.MODULEAUTH: Lists the module privileges
SYSCAT.PACKAGEAUTH: Lists the package privileges
SYSCAT.PASSTHRUAUTH: Lists the pass-through privileges on federated servers
SYSCAT.ROLEAUTH: Lists the role privileges
SYSCAT.ROUTINEAUTH: Lists the routine (functions, methods, and stored procedures) privileges
SYSCAT.SCHEMAAUTH: Lists the schema privileges
SYSCAT.SEQUENCEAUTH: Lists the sequence privileges
SYSCAT.SURROGATEAUTHIDS: Lists the authorization IDs for which another authorization ID can act as a surrogate.
SYSCAT.TABAUTH: Lists the table and view privileges
SYSCAT.TBSPACEAUTH: Lists the table space privileges
SYSCAT.VARIABLEAUTH: Lists the variable privileges
SYSCAT.WORKLOADAUTH: Lists the workload privileges
SYSCAT.XSROBJECTAUTH: Lists the XSR object privileges
Review the system documentation to obtain the definition of the DB2 functionality considered privileged in the context of the system in question.
Run the following command and note the values of SYSADM_GROUP, SYSCTRL_GROUP, SYSMAINT_GROUP, and SYSMON_GROUP; these are the instance-level privileged groups:
$ db2 get dbm cfg
On Linux/UNIX, list the members of each named group with "getent group <group name>"; a blank SYSADM_GROUP means the primary group of the instance owner holds SYSADM authority. On Windows, review the local or domain group membership.
If non-privileged users are members of any of these groups, this is a finding.
Run the following SQL command to find the database authorities:
DB2> SELECT * FROM SYSCAT.DBAUTH
If non-privileged users have any database authority, this is a finding.
Query the following system catalog views to find out the authorities on all database objects:
SYSCAT.COLAUTH: Lists the column privileges
SYSCAT.DBAUTH: Lists the database privileges
SYSCAT.INDEXAUTH: Lists the index privileges
SYSCAT.MODULEAUTH: Lists the module privileges
SYSCAT.PACKAGEAUTH: Lists the package privileges
SYSCAT.PASSTHRUAUTH: Lists the pass-through privileges on federated servers
SYSCAT.ROLEAUTH: Lists the role privileges
SYSCAT.ROUTINEAUTH: Lists the routine (functions, methods, and stored procedures) privileges
SYSCAT.SCHEMAAUTH: Lists the schema privileges
SYSCAT.SEQUENCEAUTH: Lists the sequence privileges
SYSCAT.SURROGATEAUTHIDS: Lists the authorization IDs for which another authorization ID can act as a surrogate.
SYSCAT.TABAUTH: Lists the table and view privileges
SYSCAT.TBSPACEAUTH: Lists the table space privileges
SYSCAT.VARIABLEAUTH: Lists the variable privileges
SYSCAT.WORKLOADAUTH: Lists the workload privileges
SYSCAT.XSROBJECTAUTH: Lists the XSR object privileges
If non-privileged users have any authority, this is a finding.
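The following SQL is an added worked example for the check and fix procedures above; it is not part of the STIG text. It turns the SELECT * FROM SYSCAT.DBAUTH step into a query that lists one row per held authority, consolidates the per-object SYSCAT.*AUTH views through the SYSIBMADM.PRIVILEGES administrative view, shows the effective authorities of one ID (including those inherited through OS groups, roles and PUBLIC, which SYSCAT.DBAUTH alone does not show), and ends with the REVOKE statements the fix calls for. The authorized IDs DB2ADMIN and SECADM01, the user APPUSER, the role HR_ADMIN and the table HR.SALARY are constructed placeholders to be replaced with the values from the system documentation.

```sql
-- Added example, not from the STIG. Run from the DB2 CLP after:
--   db2 connect to <dbname>
-- Placeholders (constructed): DB2ADMIN, SECADM01 = documented privileged IDs;
-- APPUSER, HR_ADMIN, HR.SALARY = an ID, role and table to clean up.

-- 1. Database-level authorities held directly (SYSCAT.DBAUTH).
--    Each *AUTH column is 'Y' (held), 'G' (held WITH GRANT OPTION) or 'N'.
--    Unpivot the columns so every held authority is one row, then drop the
--    allowlisted IDs. GRANTEETYPE: U = user, G = group, R = role.
--    Extend the UNION with the remaining *AUTH columns of SYSCAT.DBAUTH
--    (EXTERNALROUTINEAUTH, IMPLSCHEMAAUTH, NOFENCEAUTH, ...) as needed.
WITH allowed(authid) AS (VALUES ('DB2ADMIN'), ('SECADM01')),
     held(grantee, granteetype, authority, flag) AS (
       SELECT grantee, granteetype, 'DBADM',      dbadmauth       FROM syscat.dbauth
       UNION ALL
       SELECT grantee, granteetype, 'SECADM',     securityadmauth FROM syscat.dbauth
       UNION ALL
       SELECT grantee, granteetype, 'DATAACCESS', dataaccessauth  FROM syscat.dbauth
       UNION ALL
       SELECT grantee, granteetype, 'ACCESSCTRL', accessctrlauth  FROM syscat.dbauth
       UNION ALL
       SELECT grantee, granteetype, 'SQLADM',     sqladmauth      FROM syscat.dbauth
       UNION ALL
       SELECT grantee, granteetype, 'WLMADM',     wlmadmauth      FROM syscat.dbauth
       UNION ALL
       SELECT grantee, granteetype, 'LOAD',       loadauth        FROM syscat.dbauth
       UNION ALL
       SELECT grantee, granteetype, 'CREATETAB',  createtabauth   FROM syscat.dbauth
       UNION ALL
       SELECT grantee, granteetype, 'BINDADD',    bindaddauth     FROM syscat.dbauth
       UNION ALL
       SELECT grantee, granteetype, 'CONNECT',    connectauth     FROM syscat.dbauth
     )
SELECT grantee, granteetype, authority, flag
FROM   held
WHERE  flag IN ('Y', 'G')
AND    grantee NOT IN (SELECT authid FROM allowed)
ORDER  BY grantee, authority;

-- 2. Object privileges across the SYSCAT.*AUTH views in one pass.
--    SYSIBMADM.PRIVILEGES reports AUTHID, AUTHIDTYPE, OBJECTTYPE,
--    OBJECTSCHEMA, OBJECTNAME, PRIVILEGE and GRANTABLE. Catalog schemas
--    are excluded because SELECT on them is granted to PUBLIC by default;
--    rows for AUTHID = 'PUBLIC' on user objects still need review, since
--    every connected ID inherits them.
SELECT authid, authidtype, objecttype, objectschema, objectname,
       privilege, grantable
FROM   sysibmadm.privileges
WHERE  authid NOT IN ('DB2ADMIN', 'SECADM01')
AND    objectschema NOT IN ('SYSIBM', 'SYSCAT', 'SYSSTAT', 'SYSIBMADM',
                            'SYSPROC', 'SYSFUN', 'SYSTOOLS', 'SYSPUBLIC')
ORDER  BY authid, objecttype, objectschema, objectname, privilege;

-- 3. Effective authorities of one ID, including those obtained through an
--    OS group (D_GROUP), PUBLIC (D_PUBLIC) or a role (ROLE_*). This is the
--    check that catches a "non-privileged" user who is privileged only
--    because of group or role membership. 'U' = the ID is a user.
SELECT authority, d_user, d_group, d_public, role_user, role_group,
       role_public, d_role
FROM   TABLE(sysproc.auth_list_authorities_for_authid('APPUSER', 'U')) AS t
WHERE  d_user = 'Y' OR d_group = 'Y' OR d_public = 'Y'
OR     role_user = 'Y' OR role_group = 'Y' OR role_public = 'Y' OR d_role = 'Y';

-- 4. Fix: revoke what the review found (examples for the placeholders).
REVOKE DBADM ON DATABASE FROM USER appuser;
REVOKE SELECT, INSERT, UPDATE, DELETE ON TABLE hr.salary FROM USER appuser;
REVOKE ROLE hr_admin FROM USER appuser;
```

Query 3 is per ID; to cover the whole instance, iterate it over the IDs returned by SYSIBMADM.AUTHORIZATIONIDS (AUTHID, AUTHIDTYPE), or compare the result of query 1 with the OS group membership gathered from db2 get dbm cfg. Group membership itself is corrected with the OS tools (gpasswd or usermod on Linux, the local or domain group editor on Windows), not with REVOKE.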