STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019

DB2 must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.

DISA Rule

SV-89247r1_rule

Vulnerability Number

V-74573

Group Title

SRG-APP-000360-DB-000320

Rule Version

DB2X-00-007700

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Run the following command to alter each audit policy so that its error type is set to AUDIT (a failed write of an audit record then fails the user action instead of being silently skipped):
DB2> ALTER AUDIT POLICY <DB audit policy name> CATEGORIES AUDIT STATUS BOTH ERROR TYPE AUDIT

Monitor the diagnostic log file for audit failure errors using the following command:

$db2diag -g msg:="Write to audit log failed"

Check Contents

If an audit policy is created with ERRORTYPE=Audit and a write of an audit event record for that policy fails, the audit failure is logged in the diagnostic log file and the user action is not completed.

Run the following statement to find the error type for each policy:
DB2> SELECT AUDITPOLICYNAME, ERRORTYPE AS ERRORTYPE
FROM SYSCAT.AUDITPOLICIES

If the ERRORTYPE value for any policy is not 'A', this is a finding.

Run the following command to monitor the database diagnostic log file for audit failure errors:

$db2diag -g msg:="Write to audit log failed"

If the diagnostic log file is not being monitored for audit failure errors, this is a finding.
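The two checks above (the SYSCAT.AUDITPOLICIES query and the db2diag search), as an added example that is not part of the STIG or IBM's tooling: it evaluates constructed catalog rows and constructed db2diag-style log lines offline and produces the finding and alert text a monitoring job would hand to support staff. The log line layout and sample values are assumptions for illustration.

```python
import re

# Constructed rows in the shape of SELECT AUDITPOLICYNAME, ERRORTYPE FROM SYSCAT.AUDITPOLICIES.
# 'A' = ERROR TYPE AUDIT (a failed audit write fails the user action);
# 'N' = ERROR TYPE NORMAL (the failure is only logged, the user action proceeds).
SAMPLE_POLICIES = [
    ("DBAUDPOL", "A"),
    ("SYSADMINPOL", "N"),
]

# Constructed db2diag.log-style records (approximate layout, assumed for illustration).
SAMPLE_DIAG = """\
2019-10-25-10.01.02.123456-240 I1234E567 LEVEL: Info
PID : 1234 TID : 1 PROC : db2sysc 0
MESSAGE : Database started
2019-10-25-10.05.44.654321-240 E2345E678 LEVEL: Error
PID : 1234 TID : 2 PROC : db2sysc 0
MESSAGE : Write to audit log failed
"""

AUDIT_FAILURE = "Write to audit log failed"
# A db2diag record starts with a timestamp such as 2019-10-25-10.05.44.654321-240
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d+[+-]\d+)")

def noncompliant_policies(rows):
    """Return policy names whose ERRORTYPE is not 'A'; each one is a finding."""
    return [name for name, errtype in rows if errtype.strip().upper() != "A"]

def audit_failure_events(diag_text):
    """Return (timestamp, message) for each audit-write failure, the same match
    the STIG performs with: db2diag -g msg:="Write to audit log failed"."""
    events, current_ts = [], None
    for line in diag_text.splitlines():
        m = TS_RE.match(line)
        if m:
            current_ts = m.group(1)          # remember the record's timestamp
        elif line.startswith("MESSAGE") and AUDIT_FAILURE.lower() in line.lower():
            events.append((current_ts, line.split(":", 1)[1].strip()))
    return events

def alert_lines(rows, diag_text):
    """Build the text a monitoring job would send to support staff in real time."""
    out = [f"FINDING: policy {p} has ERRORTYPE != 'A'" for p in noncompliant_policies(rows)]
    out += [f"ALERT: audit failure at {ts}: {msg}" for ts, msg in audit_failure_events(diag_text)]
    return out

if __name__ == "__main__":
    for line in alert_lines(SAMPLE_POLICIES, SAMPLE_DIAG):
        print(line)
```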

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3161

Comments