CIS IBM DB2 11 v1.1.0 Linux OS Level 1

Audit Details

Name: CIS IBM DB2 11 v1.1.0 Linux OS Level 1

Updated: 6/17/2024

Authority: CIS

Plugin: Unix

Revision: 1.1

Estimated Item Count: 61

File Details

Filename: CIS_IBM_DB2_11_v1.1.0_Level_1_OS_Linux.audit

Size: 154 kB

MD5: bb018948af43143a8894f21298a52359
SHA256: 0165dc2ea6b20af54cf7f3a41cda2daea5146e324662a2c710e86eb5a5649112

Audit Items

Description / Categories
3.1.1 Require Explicit Authorization for Cataloging (CATALOG_NOAUTH)

ACCESS CONTROL, MEDIA PROTECTION

3.1.2 Secure Permissions for Default Database File Path (DFTDBPATH)

ACCESS CONTROL, MEDIA PROTECTION

3.1.3 Set Diagnostic Logging to Capture Errors and Warnings (DIAGLEVEL)

AUDIT AND ACCOUNTABILITY

3.1.4 Secure Permissions for All Diagnostic Logs (DIAGPATH)

ACCESS CONTROL, MEDIA PROTECTION

3.1.5 Secure Permissions for Alternate Diagnostic Log Path (ALT_DIAGPATH)

ACCESS CONTROL, MEDIA PROTECTION

3.1.6 Disable Client Discovery Requests (DISCOVER)

CONFIGURATION MANAGEMENT

3.1.7 Disable Instance Discoverability (DISCOVER_INST)

CONFIGURATION MANAGEMENT

3.1.8 Set Maximum Connection Limits (MAX_CONNECTIONS and MAX_COORDAGENTS)

ACCESS CONTROL, MEDIA PROTECTION

3.1.9 Set Administrative Notification Level (NOTIFYLEVEL)

AUDIT AND ACCOUNTABILITY

3.1.10 Secure the Java Development Kit Installation Path (JDK_PATH)

ACCESS CONTROL, MEDIA PROTECTION

3.1.11 Secure the Python Runtime Path (PYTHON_PATH)

ACCESS CONTROL, MEDIA PROTECTION

3.1.12 Secure the R Runtime Path (R_PATH)

ACCESS CONTROL, MEDIA PROTECTION

3.1.13 Secure the Communication Buffer Exit Library (COMM_EXIT_LIST)

ACCESS CONTROL, MEDIA PROTECTION

3.2.1 Specify Secure Remote Shell Command (DB2RSHCMD)

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

3.2.2 Turn Off Remote Command Legacy Mode (DB2RCMD_LEGACY_MODE)

CONFIGURATION MANAGEMENT

3.2.3 Disable Grants During Restore (DB2_RESTORE_GRANT_ADMIN_AUTHORITIES)

ACCESS CONTROL, MEDIA PROTECTION

3.2.4 Enable Extended Security (DB2_EXTSECURITY)

ACCESS CONTROL, MEDIA PROTECTION

3.2.5 Limit OS Privileges of Fenced Mode Process (DB2_LIMIT_FENCED_GROUP)

ACCESS CONTROL, MEDIA PROTECTION

3.3.1 Secure Db2 Runtime Library

ACCESS CONTROL, MEDIA PROTECTION

3.3.3 Set umask Value in the Db2 Instance Owner's .profile

ACCESS CONTROL, MEDIA PROTECTION

4.1.2 Set Failed Archive Retry Delay (ARCHRETRYDELAY)

AUDIT AND ACCOUNTABILITY

4.1.3 Auto-restart After Abnormal Termination (AUTORESTART)

CONFIGURATION MANAGEMENT

4.1.4 Disable Database Discovery (DISCOVER_DB)

CONFIGURATION MANAGEMENT

4.1.5 Secure Permissions for the Primary Archive Log Location (LOGARCHMETH1)

ACCESS CONTROL, MEDIA PROTECTION

4.1.6 Secure Permissions for the Secondary Archive Log Location (LOGARCHMETH2)

ACCESS CONTROL, MEDIA PROTECTION

4.1.7 Secure Permissions for the Tertiary Archive Log Location (FAILARCHPATH)

ACCESS CONTROL, MEDIA PROTECTION

4.1.8 Secure Permissions for the Log Mirror Location (MIRRORLOGPATH)

ACCESS CONTROL, MEDIA PROTECTION

4.1.9 Secure Permissions for the Log Overflow Location (OVERFLOWLOGPATH)

ACCESS CONTROL, MEDIA PROTECTION

4.1.10 Establish Retention Set Size for Backups (NUM_DB_BACKUPS)

CONTINGENCY PLANNING

4.1.11 Set Archive Log Failover Retry Limit (NUMARCHRETRY)

AUDIT AND ACCOUNTABILITY

4.1.12 Set Maximum Number of Applications (MAXAPPLS)

ACCESS CONTROL

4.1.13 Ensure a Secure Connect Procedure is Used (CONNECT_PROC)

CONFIGURATION MANAGEMENT

4.1.14 Specify a Secure Location for External Tables (EXTBL_LOCATION)

ACCESS CONTROL, MEDIA PROTECTION

4.1.15 Disable Database Discoverability (DISCOVER_DB)

CONFIGURATION MANAGEMENT

5.1 Specify a Secure Connection Authentication Type (SRVCON_AUTH)

ACCESS CONTROL

5.2 Specify a Secure Authentication Type (AUTHENTICATION)

ACCESS CONTROL

5.3 Database Manager Configuration Parameter: ALTERNATE_AUTH_ENC

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.4 Database Manager Configuration Parameter: TRUST_ALLCLNTS

ACCESS CONTROL

5.5 Database Manager Configuration Parameter: TRUST_CLNTAUTH

ACCESS CONTROL

5.6 Database Manager Configuration Parameter: FED_NOAUTH

ACCESS CONTROL

5.10 DB2AUTH Registry Variable

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.11 DB2CHGPWD_EEE Registry Variable

ACCESS CONTROL

6.1.1 Secure SYSADM Authority

ACCESS CONTROL, MEDIA PROTECTION

6.1.2 Secure SYSCTRL Authority

ACCESS CONTROL, MEDIA PROTECTION

6.1.3 Secure SYSMAINT Authority

ACCESS CONTROL, MEDIA PROTECTION

6.1.4 Secure SYSMON Authority

ACCESS CONTROL, MEDIA PROTECTION

7.1.1 Disable the Audit Buffer

AUDIT AND ACCOUNTABILITY

7.1.2 Disable Limited Audit of Applications (DB2_LIMIT_AUDIT_APPS)

AUDIT AND ACCOUNTABILITY

7.1.4 Ensure Audit is Enabled Within the Instance

AUDIT AND ACCOUNTABILITY

8.1.1 Configure a Server-side Key Store for TLS (SSL_SVR_KEYDB)

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION