STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide, Version: 1, Release: 4, Benchmark Date: 25 Oct 2019

DB2 must separate user functionality (including user interface services) from database management functionality.

DISA Rule

SV-89169r1_rule

Vulnerability Number

V-74495

Group Title

SRG-APP-000211-DB-000122

Rule Version

DB2X-00-004800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove general users from the privileged groups (SYSADM_GROUP, SYSCTRL_GROUP, SYSMAINT_GROUP, SYSMON_GROUP) using OS utilities/interfaces.

On Windows systems, set the SYSADM_GROUP database manager configuration parameter to the appropriate value.

Check Contents

Run the following command to find the privileged groups, that is, the values of SYSADM_GROUP, SYSCTRL_GROUP, SYSMAINT_GROUP and SYSMON_GROUP:

$ db2 get dbm cfg

If general users are part of any of the above groups, this is a finding.

On Windows systems, if the SYSADM_GROUP database manager configuration parameter is not specified, this is a finding.

Note: On UNIX, find the members of a group from the following two files or from the system admin utilities provided by Linux/UNIX vendors:

/etc/passwd
/etc/group

For example, if the value of SYSADM_GROUP is DB2IADM1, use the operating system files to find out who is a member of DB2IADM1.

On Windows:
You can use lusrmgr.msc or any other OS utility to manage user group memberships.
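
One way to script the UNIX side of this check, as an added example that is not part of the STIG text: it parses saved `db2 get dbm cfg` output and resolves each privileged group's members from group and passwd files, including accounts whose primary GID is the group. The function names, the approved-accounts list and all sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not from a real system.

# Print PARAM=value for each privileged-group line of saved `db2 get dbm cfg` output.
priv_groups() {
    awk -F'=' '/\((SYSADM|SYSCTRL|SYSMAINT|SYSMON)_GROUP\)/ {
        match($0, /SYS[A-Z]+_GROUP/); val = $2; gsub(/[ \t\r]/, "", val)
        print substr($0, RSTART, RLENGTH) "=" val }' "$1"
}

# Members of group $1: names listed in the group file $2 plus accounts in the
# passwd file $3 whose primary GID is that group. Name match ignores case
# (assumption: DB2 may report the name in a different case than the OS).
group_members() {
    awk -F: -v g="$1" '
        FNR == NR { if (tolower($1) == tolower(g)) { gid = $3
                        n = split($4, m, ","); for (i = 1; i <= n; i++) seen[m[i]] = 1 }
                    next }
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }' "$2" "$3" | LC_ALL=C sort
}

# Report unset parameters and members not in the approved list $4 (space separated).
audit() {
    priv_groups "$1" | while IFS='=' read -r param grp; do
        [ -n "$grp" ] || { echo "UNSET $param"; continue; }
        for u in $(group_members "$grp" "$2" "$3"); do
            case " $4 " in *" $u "*) ;; *) echo "REVIEW $param $grp $u" ;; esac
        done
    done
}

# Constructed sample inputs written to a temp dir so the example runs offline.
d=$(mktemp -d)
cat > "$d/dbm.cfg" <<'EOF'
 SYSADM group name                        (SYSADM_GROUP) = DB2IADM1
 SYSCTRL group name                      (SYSCTRL_GROUP) = DB2CTRL
 SYSMAINT group name                    (SYSMAINT_GROUP) =
 SYSMON group name                        (SYSMON_GROUP) =
EOF
printf '%s\n' 'db2iadm1:x:1001:dbadmin' 'db2ctrl:x:1002:dbadmin,jsmith' > "$d/group"
printf '%s\n' 'db2inst1:x:2001:1001::/home/db2inst1:/bin/sh' \
              'jsmith:x:2002:100::/home/jsmith:/bin/sh' > "$d/passwd"

audit "$d/dbm.cfg" "$d/group" "$d/passwd" "db2inst1 dbadmin"
```

On a real host, pass saved `db2 get dbm cfg` output with /etc/group and /etc/passwd; each REVIEW line is an account to compare against the site's list of authorized DB2 administrators, and an UNSET line for SYSADM_GROUP matters for the Windows condition above.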

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3161

Comments