STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide, Version 1, Release 4, Benchmark Date: 25 Oct 2019

DB2 must isolate security functions from non-security functions.

DISA Rule

SV-89177r1_rule

Vulnerability Number

V-74503

Group Title

SRG-APP-000233-DB-000124

Rule Version

DB2X-00-005500

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Where possible, locate security-related database objects and code in a separate database, schema, or other separate security domain from database objects and code implementing application logic.

In all cases, use GRANT, REVOKE, ALTER ROLE, and DROP ROLE statements to add and remove permissions on security-related objects so that only the intended authorization IDs can reach them; this is what provides the isolation.

Check Contents

Determine the application-specific security objects (lists of permissions, additional authentication information, stored procedures, application-specific auditing, etc.) that are housed inside the DB2 database in addition to the built-in security objects.

Review permissions, both direct and indirect (via roles, groups, and PUBLIC), on the security objects, both built-in and application-specific. The following catalog and administrative views can help with this:
DB2> SELECT LIBNAME, OWNER, LIBSCHEMA FROM SYSCAT.LIBRARIES
DB2> SELECT MODULENAME, OWNER, MODULESCHEMA FROM SYSCAT.MODULES
DB2> SELECT PKGNAME, OWNER, PKGSCHEMA FROM SYSCAT.PACKAGES
DB2> SELECT ROUTINENAME, OWNER, ROUTINESCHEMA FROM SYSCAT.ROUTINES
DB2> SELECT TRIGNAME, OWNER, TRIGSCHEMA FROM SYSCAT.TRIGGERS
DB2> SELECT * FROM SYSIBMADM.PRIVILEGES

If the database(s), schema(s), and permissions on security objects are not organized to provide effective isolation of security functions from non-security functions, this is a finding.
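As an added worked example (not part of the STIG text or of any IBM-supplied script), the following DB2 SQL applies the Fix Recommendation and the Check Contents above to a hypothetical application whose security objects live in a dedicated schema. The schema, role, user and object names (APPSEC, APPDATA, APP_SEC_ROLE, APP_RUNTIME_ROLE, SECADM1, appuser1, APP_PERMISSIONS, CHECK_ACCESS) are assumptions chosen for the illustration; the catalog views and columns are the real DB2 V10.5 ones.

```sql
-- Added example, not from the STIG. Assumptions: application security objects
-- (table APP_PERMISSIONS, procedure CHECK_ACCESS) live in schema APPSEC,
-- owned by user SECADM1; APP_SEC_ROLE is the only role meant to reach them;
-- ordinary application objects live in schema APPDATA.

---------------------------------------------------------------------------
-- Check 1: every direct privilege on objects in the security schema.
-- AUTHIDTYPE is 'U' (user), 'G' (group) or 'R' (role). Anything granted to
-- an AUTHID other than the owning role is a candidate finding; GRANTABLE = 'Y'
-- means the grantee can hand the privilege on to others.
---------------------------------------------------------------------------
SELECT AUTHID, AUTHIDTYPE, OBJECTTYPE, OBJECTNAME, PRIVILEGE, GRANTABLE
  FROM SYSIBMADM.PRIVILEGES
 WHERE OBJECTSCHEMA = 'APPSEC'
   AND NOT (AUTHIDTYPE = 'R' AND AUTHID = 'APP_SEC_ROLE')
 ORDER BY AUTHID, OBJECTNAME, PRIVILEGE;

---------------------------------------------------------------------------
-- Check 2: indirect access through PUBLIC. A PUBLIC grant defeats any amount
-- of role design, so list it separately. SPECIFICNAME is NULL when EXECUTE
-- was granted on every routine in the schema at once.
---------------------------------------------------------------------------
SELECT 'TABLE' AS OBJTYPE, TABNAME AS OBJNAME, 'SELECT' AS PRIV
  FROM SYSCAT.TABAUTH
 WHERE TABSCHEMA = 'APPSEC' AND GRANTEE = 'PUBLIC' AND SELECTAUTH <> 'N'
UNION ALL
SELECT 'ROUTINE', COALESCE(SPECIFICNAME, '<all routines in schema>'), 'EXECUTE'
  FROM SYSCAT.ROUTINEAUTH
 WHERE SCHEMA = 'APPSEC' AND GRANTEE = 'PUBLIC' AND EXECUTEAUTH <> 'N';

---------------------------------------------------------------------------
-- Check 3: who holds the security role (the other indirect path). ADMIN = 'Y'
-- lets the grantee grant the role onward.
---------------------------------------------------------------------------
SELECT GRANTEE, GRANTEETYPE, ADMIN
  FROM SYSCAT.ROLEAUTH
 WHERE ROLENAME = 'APP_SEC_ROLE'
 ORDER BY GRANTEE;

---------------------------------------------------------------------------
-- Check 4: mixed ownership inside the security schema. Objects owned by
-- anyone but the security owner mean the schema is not a clean domain.
---------------------------------------------------------------------------
SELECT 'ROUTINE' AS OBJTYPE, ROUTINENAME AS OBJNAME, OWNER
  FROM SYSCAT.ROUTINES WHERE ROUTINESCHEMA = 'APPSEC' AND OWNER <> 'SECADM1'
UNION ALL
SELECT 'TRIGGER', TRIGNAME, OWNER
  FROM SYSCAT.TRIGGERS WHERE TRIGSCHEMA = 'APPSEC' AND OWNER <> 'SECADM1'
UNION ALL
SELECT 'TABLE', TABNAME, OWNER
  FROM SYSCAT.TABLES WHERE TABSCHEMA = 'APPSEC' AND OWNER <> 'SECADM1';

---------------------------------------------------------------------------
-- Check 5: security-looking objects that ended up in the application schema
-- instead of APPSEC. Name heuristic only; adjust to local naming conventions.
---------------------------------------------------------------------------
SELECT TABSCHEMA, TABNAME
  FROM SYSCAT.TABLES
 WHERE TABSCHEMA = 'APPDATA'
   AND (TABNAME LIKE '%PERM%' OR TABNAME LIKE '%ROLE%'
        OR TABNAME LIKE '%AUTH%' OR TABNAME LIKE '%AUDIT%');

---------------------------------------------------------------------------
-- Fix: strip PUBLIC and direct user grants, then route all access through
-- the role. REVOKE of routine privileges requires the RESTRICT keyword.
---------------------------------------------------------------------------
REVOKE SELECT ON APPSEC.APP_PERMISSIONS FROM PUBLIC;
REVOKE EXECUTE ON PROCEDURE APPSEC.CHECK_ACCESS FROM PUBLIC RESTRICT;
REVOKE SELECT, INSERT, UPDATE, DELETE ON APPSEC.APP_PERMISSIONS FROM USER appuser1;

GRANT SELECT, INSERT, UPDATE, DELETE ON APPSEC.APP_PERMISSIONS TO ROLE APP_SEC_ROLE;
GRANT EXECUTE ON PROCEDURE APPSEC.CHECK_ACCESS TO ROLE APP_SEC_ROLE;
GRANT ROLE APP_SEC_ROLE TO USER secadm1;

-- Application code that needs a decision from the security logic gets EXECUTE
-- on the procedure only, never SELECT on the underlying table: static SQL in
-- a DB2 SQL procedure runs under the privileges of the package owner, so the
-- caller never needs (and should not hold) table access in APPSEC.
GRANT EXECUTE ON PROCEDURE APPSEC.CHECK_ACCESS TO ROLE APP_RUNTIME_ROLE;
```

Run the check queries from the CLP as an ID that can read the catalog views; an empty result from Checks 1, 2, 4 and 5 and an expected membership list from Check 3 is the "not a finding" state. The GRANT and REVOKE statements need SECADM or ACCESSCTRL authority (or CONTROL on the object). Re-run Check 1 after the fix to confirm that the only AUTHID left on the APPSEC objects is APP_SEC_ROLE.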

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3161

Comments