# (C) 2016 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.2 $
# $Date: Tue May 31 18:29:39 2016 -0400 $
#
# Description : This .audit is designed against the CIS Security Configuration
# Benchmark For DB2 10.x for Linux, UNIX, and Windows
# Version 1.0.0 December 29, 2015.
#
# NOTE : The audits contained in this document audit are for Level 1 items
# of the CIS DB2 10.x for Linux, UNIX, and Windows for the Database.
#
#
#
#CIS v1.0.0 IBM DB2 v10 Database Level 1
#
# CIS
# IBM DB2 10 Database Level 1
# 1.0.0
# https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf
#
#database,cis,ibm,db2
#
type : SQL_POLICY
description : "6.1 Restrict Access to SYSCAT.AUDITPOLICIES"
info : "The SYSCAT.AUDITPOLICIES view contains all audit policies for a database. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.AUDITPOLICIES FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUDITPOLICIES' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.2 Restrict Access to SYSCAT.AUDITUSE"
info : "The SYSCAT.AUDITUSE view contains database audit policy for all non-database objects, such as authority, groups, roles, and users. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.AUDITUSE FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUDITUSE' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.3 Restrict Access to SYSCAT.DBAUTH"
info : "The SYSCAT.DBAUTH view contains information on authorities granted to users or groups of users. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.DBAUTH FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'DBAUTH' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.4 Restrict Access to SYSCAT.COLAUTH"
info : "The SYSCAT.COLAUTH view contains the column privileges granted to the user, group, or role in the database."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.COLAUTH FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'COLAUTH' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.7 Restrict Access to SYSCAT.ROUTINES"
info : "The SYSCAT.ROUTINES view contains all user-defined routines, functions, and stored procedures in the database. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.ROUTINES FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROUTINES' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.9 Restrict Access to SYSCAT.PACKAGEAUTH"
info : "The SYSCAT.PACKAGEAUTH view contains a list of users or groups that has EXECUTE privilege on a package. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.PACKAGEAUTH FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PACKAGEAUTH' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.10 Restrict Access to SYSCAT.PACKAGES"
info : "The SYSCAT.PACKAGES view contains the names of all packages created in the database instance. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.PACKAGES FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PACKAGES' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.11 Restrict Access to SYSCAT.PASSTHRUAUTH"
info : "The SYSCAT.PASSTHRUAUTH view contains the names of user or group that have pass-through authorization to query the data source. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.PASSTHRUAUTH FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PASSTHRUAUTH' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.12 Restrict Access to SYSCAT.SECURITYPOLICIES"
info : "The SYSCAT.SECURITYPOLICIES view contains all database security policies. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT SYSCAT.SECURITYPOLICIES FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICIES' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.13 Restrict Access to SYSCAT.SECURITYPOLICYEXEMPTIONS"
info : "The SYSCAT.SECURITYPOLICYEXEMPTIONS contains the exemption to a security policy that was granted to a database account. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.SECURITYPOLICYEXEMPTIONS FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICYEXEMPTIONS' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.14 Restrict Access to SYSCAT.SURROGATEAUTHIDS"
info : "The SYSCAT.SURROGATEAUTHIDS contains the names of all accounts that have been granted SETSESSIONUSER privilege on a user or to PUBLIC. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.SURROGATEAUTHIDS FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SURROGATEAUTHIDS' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.15 Restrict Access to SYSCAT.ROLEAUTH"
info : "The SYSCAT.ROLEAUTH view contains information on all roles and their respective grantees. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.ROLEAUTH FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROLEAUTH' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.16 Restrict Access to SYSCAT.ROLES"
info : "The SYSCAT.ROLES view contains all roles available in the database. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.ROLES FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROLES' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.17 Restrict Access to SYSCAT.ROUTINEAUTH"
info : "The SYSCAT.ROUTINEAUTH view contains a list of all users that have EXECUTE privilege on a routine (function, method, or procedure). It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.ROUTINEAUTH FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROUTINEAUTH' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.18 Restrict Access to SYSCAT.SCHEMAAUTH"
info : "The SYSCAT.SCHEMAAUTH view contains a list of all users that have one or more privileges or access to a particular schema. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.SCHEMAAUTH FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SCHEMAAUTH' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.19 Restrict Access to SYSCAT.SCHEMATA"
info : "The SYSCAT.SCHEMATA view contains all schema names in the database. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.SCHEMATA FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SCHEMATA' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.20 Restrict Access to SYSCAT.SEQUENCEAUTH"
info : "The SYSCAT.SEQUENCEAUTH view contains users, groups, or roles granted privilege(s) on a sequence. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.SEQUENCEAUTH FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SEQUENCEAUTH' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.21 Restrict Access to SYSCAT.STATEMENTS"
info : "The SYSCAT.STATEMENTS view contains all SQL statements of a compiled package. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.STATEMENTS FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'STATEMENTS' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.22 Restrict Access to SYSCAT.TABAUTH"
info : "The SYSCAT.TABAUTH view contains users or groups that have been granted one or more privileges on a table or view. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.TABAUTH FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'TABAUTH' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.23 Restrict Access to SYSCAT.TBSPACEAUTH"
info : "The SYSCAT.TBSPACEAUTH contains users or groups that have been granted the USE privilege on a particular tablespace in the database. It is recommended that the PUBLIC role be restricted from accessing this view."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE SELECT ON SYSCAT.TBSPACEAUTH FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'TBSPACEAUTH' and grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR
sql_expect : NULL
type : SQL_POLICY
description : "6.24 Restrict Access to Tablespaces"
info : "A tablespace is where the data is physically stored. It is recommended that tablespace usage be restricted to authorized users."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => REVOKE USE OF TABLESPACE [$tablespace_name] FROM PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,CSF|PR.DS-5,LEVEL|1S"
sql_request : "select grantee, tbspace from sysibm.systbspaceauth where grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "6.29 Restrict Access to SYSCAT.AUTHORIZATIONIDS"
info : "SYSCAT.AUTHORIZATIONIDS is an administrative view for the currently connected server."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => revoke select on syscat.AUTHORIZATIONIDS from public"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,LEVEL|1S"
sql_request : "select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUTHORIZATIONIDS'"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
type : SQL_POLICY
description : "6.30 Restrict Access to SYSIBMADM.OBJECTOWNERS"
info : "The SYSIBMADM.OBJECTOWNERS administrative view shows the complete object ownership information for each authorization ID for USER owning a system catalog defined object from the connected database."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => revoke select on SYSIBMADM.OBJECTOWNERS from public"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,LEVEL|1S"
sql_request : "select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSIBMADM' and ttname = 'OBJECTOWNERS' "
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
type : SQL_POLICY
description : "6.31 Restrict Access to SYSIBMADM.PRIVILEGES"
info : "The SYSIBMADM.PRIVILEGES administrative view displays all explicit privileges for all authorization IDs in the currently connected databases' system catalogs. PRIVILEGES schema is SYSIBMADM."
solution : "Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => revoke select on SYSIBMADM.PRIVILEGES from public"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,LEVEL|1S"
sql_request : "select rtrim(grantee) as grantee, controlauth, alterauth, deleteauth, indexauth, insertauth, selectauth, updateauth, refauth from sysibm.systabauth where tcreator = 'SYSIBMADM' and ttname = 'PRIVILEGES'"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
type : SQL_POLICY
description : "8.1 Review Roles"
info : "Roles provide several advantages that make it easier to manage privileges in a database system. Security administrators can control access to their databases in a way that mirrors the structure of their organizations (they can create roles in the database that map directly to the job functions in their organizations). The assignment of privileges is simplified. Instead of granting the same set of privileges to each individual user in a particular job function, the administrator can grant this set of privileges to a role representing that job function and then grant that role to each user in that job function.
NOTE - Nessus has not performed this scan. Please review the output to ensure it matches with your company policy."
solution : "To remove a role from the database-
1. Attach to a DB2 Instance-
db2 => attach to $DB2INSTANCE
2 Connect to DB2 database-
db2 => connect to $DBNAME
3. Run the following-
db2 => drop role "
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,CSF|PR.AC-4,LEVEL|1S"
sql_request : "select rolename from syscat.roleauth where grantortype <> 'S' group by rolename"
sql_types : POLICY_VARCHAR
sql_expect : regex:".+"
severity : MEDIUM
type : SQL_POLICY
description : "8.2 Review Role Members"
info : "Having roles that have been granted specific privileges, then assigning users to the roles, is usually considered the best way to grant application access. Because granting privileges to individual users can be more difficult to track and maintain against unauthorized access, users should be assigned to organization-defined database roles according to the needs of the business. As users leave the organization or change responsibilities within the organization, the appropriate roles for them change as well, so role membership needs to be reviewed and verified periodically."
solution : "To remove a role member from a particular role-
1. Attach to a DB2 Instance-
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database-
db2 => connect to $DBNAME
3. Run the following-
db2 => revoke role from "
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,CSF|PR.AC-4,LEVEL|1S"
sql_request : "select rolename,grantee from syscat.roleauth where grantortype <> 'S' group by rolename, grantee"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "8.4 Review Roles granted to PUBLIC"
info : "Granting to PUBLIC increases the risk of unauthorized entry into the database. Because PUBLIC is accessible by any database user, it is important to understand the exposure it has on all database objects. It would make sense to grant role membership to PUBLIC if all users required all the privileges granted through that role."
solution : "To remove a role member from a particular role-
1. Attach to a DB2 Instance-
db2 => attach to $DB2INSTANCE
2. Connect to DB2 database-
db2 => connect to $DBNAME
3. Run the following-
db2 => revoke role from PUBLIC"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,CSF|PR.AC-4,LEVEL|1S"
sql_request : "select grantee, rolename from syscat.roleauth where grantee = 'PUBLIC'"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL
type : SQL_POLICY
description : "9.2 Remove Unused Schemas"
info : "A schema is a logical grouping of database objects. It is recommended that unused schemas be removed from the database.
NOTE - Nessus has not performed this scan. Please review the output to ensure it matches with your company policy."
solution : "Remote unnecessary schemas.
1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window-
db2 => drop scheme restrict
3. Review unused schemas and remove if necessary"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|CM-7,800-171|3.4.6,800-171|3.4.7,CSF|PR.IP-1,CSF|PR.PT-3,LEVEL|1NS"
sql_request : "select schemaname from syscat.schemata"
sql_types : POLICY_VARCHAR
sql_expect : regex:".+"
severity : MEDIUM
type : SQL_POLICY
description : "9.3 Review System Tablespaces"
info : "System tablespaces store all system object data within that database. It is recommended that system tablespaces are used to stored system data only and not user data."
solution : "1. Connect to the DB2 database.
db2 => connect to $DB2DATABASE user $USERNAME using $PASSWORD
2. Review the system tablespaces to identify any user data objects within them.
3. Drop, migrate, or otherwise remove all user data objects (tables, schemas, etc.) from within the system tablespaces.
4. Revoke write access for the system tablespaces from all users."
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,CSF|PR.AC-4,LEVEL|1S"
sql_request : "select tabschema,tabname,tbspace from syscat.tables where tabschema not in ('ADMINISTRATOR','SYSIBM','SYSTOOLS') and tbspace in ('SYSCATSPACE','SYSTOOLSPACE','SYSTOOLSTMPSPACE','TEMPSPACE')"
sql_types : POLICY_VARCHAR, POLICY_VARCHAR, POLICY_VARCHAR
sql_expect : NULL, NULL, NULL