STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019: STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019:SV-89107r2_rule
V-74433
SRG-APP-000033-DB-000084
DB2X-00-000400
CAT II
10
If a privilege is granted directly to PUBLIC, revoke it using the appropriate variation of the REVOKE statement specific to the object on which the privilege is granted. For example, if PUBLIC has EXECUTE privileges are on a package X.Y, revoke them using the REVOKE (package privileges).
DB2> REVOKE EXECUTE ON PACKAGE X.Y FROM PUBLIC
If a privilege has been granted indirectly to PUBLIC through membership in a database role, revoke membership in that database role from PUBLIC using the REVOKE (role) statement.
DB2> REVOKE ROLE <role name> FROM PUBLIC
If an authority is granted directly to PUBLIC, revoke it using the appropriate variation of the REVOKE (database authorities) statement. For example, if the CONNECT row shows a ‘Y’ value in the D_PUBLIC column, revoke CONNECT authority using this statement:
DB2> REVOKE CONNECT ON DATABASE FROM PUBLIC
If an authority is granted indirectly to PUBLIC through a database role, revoke membership in that database role from PUBLIC using the REVOKE (role) statement.
DB2> REVOKE ROLE <role name> FROM PUBLIC
To determine what database roles PUBLIC belongs, issue this query:
DB2> SELECT ROLENAME FROM TABLE (SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID ('PUBLIC', 'G') )
Notes: To prevent the default assignment of authorities and privileges to PUBLIC when a database is created, one should use the restrictive option on the create database statement as demonstrated below:
DB2> CREATE DATABASE <dbname> RESTRICTIVE
One can determine if a database was created with restrictive by looking at the value of restrict_access database configuration parameter using the following command at the command prompt:
$db2 get db cfg
http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0000981.html?cp=SSEPGG_10.5.0%2F2-12-7-181&lang=en
As authorities and privileges can be granted to PUBLIC after the database is created, it is recommended to run the above checks on a regular basis.
Use the following query to determine if PUBLIC has been directly granted any privileges on objects in the database:
DB2> SELECT PRIVILEGE, OBJECTNAME, OBJECTSCHEMA, OBJECTTYPE FROM SYSIBMADM.PRIVILEGES WHERE AUTHID = 'PUBLIC'
If any rows are returned, this is a finding.
Use the following query to determine if PUBLIC has been granted membership in any database roles:
DB2> SELECT ROLENAME FROM TABLE (SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID ('PUBLIC', 'G') )
For each role returned by this query, determine if any privileges have been granted to it with the following query:
DB2> SELECT PRIVILEGE, OBJECTNAME, OBJECTSCHEMA, OBJECTTYPE FROM SYSIBMADM.PRIVILEGES WHERE AUTHID = '<rolename>' AND AUTHIDTYPE = 'R'
If any rows are returned, this is a finding.
Use the following query to determine if PUBLIC has been granted any database authorities directly or indirectly through a database role:
DB2> SELECT AUTHORITY, D_PUBLIC, ROLE_PUBLIC FROM TABLE(SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID ('PUBLIC', 'G') )
If any of the rows have a ‘Y’ value in the D_PUBLIC column, this is a finding. If any of the rows have a ‘Y’ value in the ROLE_PUBLIC column, this is a finding.
V-74433
False
DB2X-00-000400
Use the following query to determine if PUBLIC has been directly granted any privileges on objects in the database:
DB2> SELECT PRIVILEGE, OBJECTNAME, OBJECTSCHEMA, OBJECTTYPE FROM SYSIBMADM.PRIVILEGES WHERE AUTHID = 'PUBLIC'
If any rows are returned, this is a finding.
Use the following query to determine if PUBLIC has been granted membership in any database roles:
DB2> SELECT ROLENAME FROM TABLE (SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID ('PUBLIC', 'G') )
For each role returned by this query, determine if any privileges have been granted to it with the following query:
DB2> SELECT PRIVILEGE, OBJECTNAME, OBJECTSCHEMA, OBJECTTYPE FROM SYSIBMADM.PRIVILEGES WHERE AUTHID = '<rolename>' AND AUTHIDTYPE = 'R'
If any rows are returned, this is a finding.
Use the following query to determine if PUBLIC has been granted any database authorities directly or indirectly through a database role:
DB2> SELECT AUTHORITY, D_PUBLIC, ROLE_PUBLIC FROM TABLE(SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID ('PUBLIC', 'G') )
If any of the rows have a ‘Y’ value in the D_PUBLIC column, this is a finding. If any of the rows have a ‘Y’ value in the ROLE_PUBLIC column, this is a finding.
M
3161