| 1.2 Use IP address rather than hostname | CONFIGURATION MANAGEMENT |
| 1.4 Use non-default account names | ACCESS CONTROL |
| 1.5 Configure DB2 to use non-standard ports - Port 523 | CONFIGURATION MANAGEMENT |
| 1.5 Configure DB2 to use non-standard ports - Port 50000 | CONFIGURATION MANAGEMENT |
| 2.1 Secure DB2 Runtime Library | |
| 2.2 Secure the database container directory | |
| 2.4 Verify the groups within the DB2_GRP_LOOKUP environment variable are appropriate (Windows only) | ACCESS CONTROL |
| 2.5 Verify the domains within the DB2DOMAINLIST environment variable are appropriate (Windows only) | ACCESS CONTROL |
| 3.1.1 Enable audit buffer | AUDIT AND ACCOUNTABILITY |
| 3.1.2 Encrypt user data across the network | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.3 Require explicit authorization for cataloging | ACCESS CONTROL |
| 3.1.4 Disable datalinks support | |
| 3.1.5 Secure permissions for default database file path | |
| 3.1.6 Set diagnostic logging to capture errors and warnings | AUDIT AND ACCOUNTABILITY |
| 3.1.7 Secure permissions for all diagnostic logs | |
| 3.1.8 Require instance name for discovery requests | CONFIGURATION MANAGEMENT |
| 3.1.9 Disable instance discoverability | CONFIGURATION MANAGEMENT |
| 3.1.10 Authenticate federated users at the instance level | ACCESS CONTROL |
| 3.1.11 Set maximum connection limits - MAX_CONNECTIONS | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.11 Set maximum connection limits - MAX_COORDAGENTS | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.11 Set maximum connection limits - MAXAPPLS | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1.12 Set administrative notification level | AUDIT AND ACCOUNTABILITY |
| 3.1.13 Enable server-based authentication | IDENTIFICATION AND AUTHENTICATION |
| 3.1.14 Set failed archive retry delay | CONFIGURATION MANAGEMENT |
| 3.1.15 Auto-restart after abnormal termination | CONFIGURATION MANAGEMENT |
| 3.1.16 Disable database discovery | CONFIGURATION MANAGEMENT |
| 3.1.17 Secure permissions for the primary archive log location - LOGARCHMETH1 OS Permissions | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| 3.1.17 Secure permissions for the primary archive log location - LOGARCHMETH1 Setting | AUDIT AND ACCOUNTABILITY |
| 3.1.18 Secure permissions for the secondary archive log location - LOGARCHMETH2 OS Permissions | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| 3.1.18 Secure permissions for the secondary archive log location - LOGARCHMETH2 Setting | AUDIT AND ACCOUNTABILITY |
| 3.1.19 Secure permissions for the tertiary archive log location - FAILARCHPATH OS Permissions | |
| 3.1.19 Secure permissions for the tertiary archive log location - FAILARCHPATH Setting | AUDIT AND ACCOUNTABILITY |
| 3.1.20 Secure permissions for the log mirror location - MIRRORLOGPATH OS Permissions | AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| 3.1.20 Secure permissions for the log mirror location - MIRRORLOGPATH Setting | AUDIT AND ACCOUNTABILITY |
| 3.1.21 Establish retention set size for backups | CONTINGENCY PLANNING |
| 3.1.22 Set archive log failover retry limit | CONFIGURATION MANAGEMENT |
| 4.3 Review Users, Groups, and Roles - Groups list | ACCESS CONTROL |
| 4.3 Review Users, Groups, and Roles - Users list | ACCESS CONTROL |
| 5.1 Enable Backup Redundancy | |
| 5.2 Protecting Backups | |
| 5.3 Enable Automatic Database Maintenance | CONFIGURATION MANAGEMENT |
| 7.3 Secure SYSMAINT Authority | ACCESS CONTROL |
| 7.4 Secure SYSMON Authority | ACCESS CONTROL |
| 9.1 Start and Stop DB2 Instance | ACCESS CONTROL |
| 9.4 Remove Default Databases | CONFIGURATION MANAGEMENT |
| 9.5 Enable SSL communication with LDAP server | SYSTEM AND COMMUNICATIONS PROTECTION |
| 9.6 Secure the permission of the IBMLDAPSecurity.ini file | |
| 9.7 Secure the permission of the SSLconfig.ini file | |
| 9.9 Secure plug-in library locations - client | |
| 9.9 Secure plug-in library locations - group | |
