STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019:

When supporting applications that require security labeling of data, DB2 must associate organization-defined types of security labels having organization-defined security label values with information in storage.

DISA Rule

SV-89235r1_rule

Vulnerability Number

V-74561

Group Title

SRG-APP-000311-DB-000308

Rule Version

DB2X-00-006600

Severity

CAT II

CCI(s)

• CCI-002262 - The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.

Weight

10

Fix Recommendation

Use Create security Label statement to create the security labels:

See the following example to create the components, policy and then security labels:

Create the components for Security labels:
DB2> CREATE SECURITY LABEL COMPONENT LEVEL ARRAY ['Top Secret', 'Secret', 'Confidential', 'Unclassified'];
DB2> CREATE SECURITY LABEL COMPONENT COMPARTMENTS SET {'Collection', 'Research', 'Analysis'};

Create the Policy:
DB2> CREATE SECURITY POLICY DATA_ACCESS COMPONENTS LEVEL, COMPARTMENTS WITH DB2LBACRULES;

Create Security Label:
DB2> CREATE SECURITY LABEL DATA_ACCESS.EMPLOYEESECLABEL COMPONENT LEVEL 'Top Secret', COMPONENT COMPARTMENTS 'Research', 'Analysis'

After creating the security labels, use one of the following statements to attach the labels to the table:
DB2> CREATE TABLE
Or
DB2> ALTER TABLE

For advice and examples, see the tutorial at:
https://www.ibm.com/developerworks/data/tutorials/dm0605wong/
https://www.ibm.com/developerworks/data/tutorials/dm0605wong/section2.html

Note: Select the following knowledgebase link for information regarding LBAC Details:
http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c0021114.html

Select the following knowledgebase link for information regarding Create Security Label:
http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.sql.ref.doc/doc/r0020026.html?cp=SSEPGG_10.5.0%2F2-12-7-94

Check Contents

If security labeling is not required, this is not a finding.

Query the system catalog to find out the existing security labels:
DB2> SELECT * FROM SYSCAT.SECURITYLABELS

If the required labels are not created in database this is a finding.

Query the following catalog views find details of existing security labels:
DB2> SELECT * FROM SYSCAT.SECURITYLABELACCESS
DB2> SELECT * FROM SYSCAT.SECURITYLABELCOMPONENTELEMENTS
DB2> SELECT * FROM SYSCAT.SECURITYLABELCOMPONENTS

If the security labels are not defined as per organization security policies, this is a finding.

Vulnerability Number

V-74561

Documentable

False

Rule Version

DB2X-00-006600

Severity Override Guidance

If security labeling is not required, this is not a finding.

Query the system catalog to find out the existing security labels:
DB2> SELECT * FROM SYSCAT.SECURITYLABELS

If the required labels are not created in database this is a finding.

Query the following catalog views find details of existing security labels:
DB2> SELECT * FROM SYSCAT.SECURITYLABELACCESS
DB2> SELECT * FROM SYSCAT.SECURITYLABELCOMPONENTELEMENTS
DB2> SELECT * FROM SYSCAT.SECURITYLABELCOMPONENTS

If the security labels are not defined as per organization security policies, this is a finding.

Check Content Reference

M

Target Key

3161

Comments