CIS IBM DB2 v10 v1.1.0 Windows OS Level 2

Audit Details

Name: CIS IBM DB2 v10 v1.1.0 Windows OS Level 2

Updated: 6/17/2024

Authority: CIS

Plugin: Windows

Revision: 1.11

Estimated Item Count: 56

File Details

Filename: CIS_IBM_DB2_10_v1.1.0_Level_2_OS_Windows.audit

Size: 103 kB

MD5: 2019b2b082d326fbd48a4b06ab45c750
SHA256: 16bec50cac4d96b08504c2777aee319c6b4d45d3589efbbf8cba9f87b277c212

Audit Items

DescriptionCategories
1.2 Use IP address rather than hostname

CONFIGURATION MANAGEMENT

1.4 Use non-default account names

ACCESS CONTROL

1.5 Configure DB2 to use non-standard ports - Port 523

CONFIGURATION MANAGEMENT

1.5 Configure DB2 to use non-standard ports - Port 50000

CONFIGURATION MANAGEMENT

2.1 Secure DB2 Runtime Library
2.2 Secure the database container directory
2.4 Verify the groups within the DB2_GRP_LOOKUP environment variable are appropriate (Windows only)

ACCESS CONTROL

2.5 Verify the domains within the DB2DOMAINLIST environment variable are appropriate (Windows only)

ACCESS CONTROL

3.1.1 Enable audit buffer

AUDIT AND ACCOUNTABILITY

3.1.2 Encrypt user data across the network

SYSTEM AND COMMUNICATIONS PROTECTION

3.1.3 Require explicit authorization for cataloging

ACCESS CONTROL

3.1.4 Disable datalinks support
3.1.5 Secure permissions for default database file path
3.1.6 Set diagnostic logging to capture errors and warnings

AUDIT AND ACCOUNTABILITY

3.1.7 Secure permissions for all diagnostic logs
3.1.8 Require instance name for discovery requests

CONFIGURATION MANAGEMENT

3.1.9 Disable instance discoverability

CONFIGURATION MANAGEMENT

3.1.10 Authenticate federated users at the instance level

ACCESS CONTROL

3.1.11 Set maximum connection limits - MAX_CONNECTIONS

SYSTEM AND COMMUNICATIONS PROTECTION

3.1.11 Set maximum connection limits - MAX_COORDAGENTS

SYSTEM AND COMMUNICATIONS PROTECTION

3.1.11 Set maximum connection limits - MAXAPPLS

SYSTEM AND COMMUNICATIONS PROTECTION

3.1.12 Set administrative notification level

AUDIT AND ACCOUNTABILITY

3.1.13 Enable server-based authentication

IDENTIFICATION AND AUTHENTICATION

3.1.14 Set failed archive retry delay

CONFIGURATION MANAGEMENT

3.1.15 Auto-restart after abnormal termination

CONFIGURATION MANAGEMENT

3.1.16 Disable database discovery

CONFIGURATION MANAGEMENT

3.1.17 Secure permissions for the primary archive log location - LOGARCHMETH1 OS Permissions

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

3.1.17 Secure permissions for the primary archive log location - LOGARCHMETH1 Setting

AUDIT AND ACCOUNTABILITY

3.1.18 Secure permissions for the secondary archive log location - LOGARCHMETH2 OS Permissions

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

3.1.18 Secure permissions for the secondary archive log location - LOGARCHMETH2 Setting

AUDIT AND ACCOUNTABILITY

3.1.19 Secure permissions for the tertiary archive log location - FAILARCHPATH OS Permissions
3.1.19 Secure permissions for the tertiary archive log location - FAILARCHPATH Setting

AUDIT AND ACCOUNTABILITY

3.1.20 Secure permissions for the log mirror location - MIRRORLOGPATH OS Permissions

AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

3.1.20 Secure permissions for the log mirror location - MIRRORLOGPATH Setting

AUDIT AND ACCOUNTABILITY

3.1.21 Establish retention set size for backups

CONTINGENCY PLANNING

3.1.22 Set archive log failover retry limit

CONFIGURATION MANAGEMENT

4.1 Review Organization's Policies against DB2 RCAC Policies
4.3 Review Users, Groups, and Roles - Groups list

ACCESS CONTROL

4.3 Review Users, Groups, and Roles - Users list

ACCESS CONTROL

5.1 Enable Backup Redundancy
5.2 Protecting Backups
5.3 Enable Automatic Database Maintenance

CONFIGURATION MANAGEMENT

7.1 Secure SYSADM authority - SYSADM Group

ACCESS CONTROL

7.2 Secure SYSCTRL authority - SYSCTRL Group

ACCESS CONTROL

7.3 Secure SYSMAINT Authority

ACCESS CONTROL

7.4 Secure SYSMON Authority

ACCESS CONTROL

9.1 Start and Stop DB2 Instance

ACCESS CONTROL

9.4 Remove Default Databases

CONFIGURATION MANAGEMENT

9.5 Enable SSL communication with LDAP server

SYSTEM AND COMMUNICATIONS PROTECTION

9.6 Secure the permission of the IBMLDAPSecurity.ini file