1.6 Creating the database with the RESTRICTIVE clause

Information

Allowing the default privileges granted to the group PUBLIC to remain intact can have negative impacts on the database and can undermine the measures put in place to limit access to authorized users.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

There is no remediation for this parameter, because the RESTRICTIVE clause can only be specified in the CREATE DATABASE statement. Unless your backup strategy allows for a complete overhaul of your environment in which the database can be recreated with the RESTRICTIVE clause, we do not recommend changing this parameter. However, if you would like to align your database configuration with what the RESTRICTIVE clause would provide, ensure the following:
1. SYSCAT.DBAUTH - Ensure PUBLIC is NOT granted the following authorities:
   - CREATETAB
   - BINDADD
   - CONNECT
   - IMPLICIT_SCHEMA

2. SYSCAT.TABAUTH - Ensure PUBLIC is NOT granted the following privileges:
   - SELECT on all SYSCAT and SYSIBM tables
   - SELECT and UPDATE on all SYSSTAT tables
   - SELECT on the following views in schema SYSIBMADM:
     - ALL_*
     - USER_*
     - ROLE_*
     - SESSION_*
     - DICTIONARY
     - TAB

3. SYSCAT.ROUTINEAUTH - Ensure PUBLIC is NOT granted the following privileges:
   - EXECUTE with GRANT on all procedures in schema SQLJ
   - EXECUTE with GRANT on all functions and procedures in schema SYSFUN
   - EXECUTE with GRANT on all functions and procedures in schema SYSPROC
   - EXECUTE on all table functions in schema SYSIBM
   - EXECUTE on all other procedures in schema SYSIBM

4. SYSCAT.MODULEAUTH - Ensure PUBLIC is NOT granted the following privileges:
   - EXECUTE on the following modules in schema SYSIBMADM:
     - DBMS_DDL
     - DBMS_JOB
     - DBMS_LOB
     - DBMS_OUTPUT
     - DBMS_SQL
     - DBMS_STANDARD
     - DBMS_UTILITY

5. SYSCAT.PACKAGEAUTH - Ensure PUBLIC is NOT granted the following privileges:
   - BIND on all packages created in the NULLID schema
   - EXECUTE on all packages created in the NULLID schema

6. SYSCAT.SCHEMAAUTH - Ensure PUBLIC is NOT granted the following privileges:
   - CREATEIN on schema SQLJ
   - CREATEIN on schema NULLID

7. SYSCAT.TBSPACEAUTH - Ensure PUBLIC is NOT granted the USE privilege on table space USERSPACE1.

8. SYSCAT.WORKLOADAUTH - Ensure PUBLIC is NOT granted the USAGE privilege on SYSDEFAULTUSERWORKLOAD.

9. SYSCAT.VARIABLEAUTH - Ensure PUBLIC is NOT granted the READ privilege on schema global variables in the SYSIBM schema.
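
The following Db2 queries are an added example, not part of the CIS benchmark or the Nessus audit: one query per step above, each of which should return no rows when the database already matches what the RESTRICTIVE clause would have produced. The column names follow the Db2 LUW SYSCAT catalog views as I know them and should be verified against your own release.

```sql
-- Added example, not from the CIS benchmark or the Nessus audit: one query per
-- step above, each of which should return no rows when the database matches
-- what RESTRICTIVE would have produced. Column names follow the Db2 LUW SYSCAT
-- views as I know them ('N' = not held, 'Y' = held, 'G' = held WITH GRANT
-- OPTION); confirm them against your own release before relying on them.
-- 1. Database authorities held by the PUBLIC group
SELECT createtabauth, bindaddauth, connectauth, implschemaauth FROM syscat.dbauth
 WHERE grantee = 'PUBLIC' AND granteetype = 'G'
   AND (createtabauth <> 'N' OR bindaddauth <> 'N'
        OR connectauth <> 'N' OR implschemaauth <> 'N');
-- 2. Catalog tables, SYSSTAT views and the listed SYSIBMADM views
SELECT tabschema, tabname, selectauth, updateauth FROM syscat.tabauth
 WHERE grantee = 'PUBLIC' AND granteetype = 'G'
   AND ((tabschema IN ('SYSCAT', 'SYSIBM') AND selectauth <> 'N')
     OR (tabschema = 'SYSSTAT' AND (selectauth <> 'N' OR updateauth <> 'N'))
     OR (tabschema = 'SYSIBMADM' AND selectauth <> 'N'
         AND (tabname LIKE 'ALL\_%' ESCAPE '\' OR tabname LIKE 'USER\_%' ESCAPE '\'
           OR tabname LIKE 'ROLE\_%' ESCAPE '\' OR tabname LIKE 'SESSION\_%' ESCAPE '\'
           OR tabname IN ('DICTIONARY', 'TAB'))));
-- 3. Routines ('P' = procedure). SYSIBM is flagged for any EXECUTE; join
--    SYSCAT.ROUTINES if you need to separate table functions from the rest.
SELECT schema, specificname, routinetype, executeauth FROM syscat.routineauth
 WHERE grantee = 'PUBLIC' AND granteetype = 'G'
   AND ((schema = 'SQLJ' AND routinetype = 'P' AND executeauth = 'G')
     OR (schema IN ('SYSFUN', 'SYSPROC') AND executeauth = 'G')
     OR (schema = 'SYSIBM' AND executeauth <> 'N'));
-- 4. Modules in SYSIBMADM
SELECT moduleschema, modulename, executeauth FROM syscat.moduleauth
 WHERE grantee = 'PUBLIC' AND granteetype = 'G' AND moduleschema = 'SYSIBMADM'
   AND modulename IN ('DBMS_DDL', 'DBMS_JOB', 'DBMS_LOB', 'DBMS_OUTPUT',
                      'DBMS_SQL', 'DBMS_STANDARD', 'DBMS_UTILITY')
   AND executeauth <> 'N';
-- 5. Packages in NULLID
SELECT pkgschema, pkgname, bindauth, executeauth FROM syscat.packageauth
 WHERE grantee = 'PUBLIC' AND granteetype = 'G' AND pkgschema = 'NULLID'
   AND (bindauth <> 'N' OR executeauth <> 'N');
-- 6. CREATEIN on SQLJ and NULLID
SELECT schemaname, createinauth FROM syscat.schemaauth
 WHERE grantee = 'PUBLIC' AND granteetype = 'G'
   AND schemaname IN ('SQLJ', 'NULLID') AND createinauth <> 'N';
-- 7. USE on USERSPACE1
SELECT tbspace, useauth FROM syscat.tbspaceauth
 WHERE grantee = 'PUBLIC' AND tbspace = 'USERSPACE1' AND useauth <> 'N';
-- 8. USAGE on the default user workload
SELECT workloadname, usageauth FROM syscat.workloadauth
 WHERE grantee = 'PUBLIC' AND workloadname = 'SYSDEFAULTUSERWORKLOAD' AND usageauth <> 'N';
-- 9. READ on global variables in SYSIBM
SELECT varschema, varname, readauth FROM syscat.variableauth
 WHERE grantee = 'PUBLIC' AND varschema = 'SYSIBM' AND readauth <> 'N';
```

Any row returned identifies a privilege to revoke from PUBLIC; review the effect on existing applications before revoking, since CONNECT and IMPLICIT_SCHEMA in particular are often relied upon by default.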

See Also

https://workbench.cisecurity.org/files/162