STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019:

DB2 must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.

DISA Rule

SV-89275r1_rule

Vulnerability Number

V-74601

Group Title

SRG-APP-000428-DB-000386

Rule Version

DB2X-00-008800

Severity

CAT II

CCI(s)

• CCI-002475 - The information system implements cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest on organization-defined information system components.

Weight

10

Fix Recommendation

To create the database using DB2 native encryption run the following command:

$db2 create db <database name> encrypt

See the detailed instructions in the link in the note section below to create the encrypted database.

Note: Select the following link for details on how to set up DB2 native encryption:
http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0061766.html?lang=en

If a third-party tool is used for database encryption (IBM highly recommends using IBM Guardium) use the third-party tool's specific check and fix.

Check Contents

Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure; which must include, at a minimum, PII and classified information.

If the documentation indicates no information requires such protections, this is not a finding.

DB2 native encryption can encrypt the data at rest; or third-party tools, like IBM Guardium, can provide encryption for data at rest.

To find if a database is encrypted with DB2 native encryption, run the following SQL Query:
DB2> SELECT * FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO())

If the value of Algorithm is NULL for the database, this is a finding.

If the database is not encrypted with native encryption or any third-party tool, this is a finding.

Vulnerability Number

V-74601

Documentable

False

Rule Version

DB2X-00-008800

Severity Override Guidance

Review the system documentation to determine whether the organization has defined the information at rest that is to be protected from disclosure; which must include, at a minimum, PII and classified information.

If the documentation indicates no information requires such protections, this is not a finding.

DB2 native encryption can encrypt the data at rest; or third-party tools, like IBM Guardium, can provide encryption for data at rest.

To find if a database is encrypted with DB2 native encryption, run the following SQL Query:
DB2> SELECT * FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO())

If the value of Algorithm is NULL for the database, this is a finding.

If the database is not encrypted with native encryption or any third-party tool, this is a finding.

Check Content Reference

M

Target Key

3161

Comments