3.1.17 Secure permissions for the primary archive log location - LOGARCHMETH1 Setting

Information

The logarchmeth1 parameter specifies the type of media and the location used as the primary destination of archived logs. It is recommended that the directory used for the archived logs be set to full access for DB2 administrator accounts and read and execute for all other accounts.

Solution

For Windows and Linux-
1. Attach to the DB2 instance.
2. Run the following command from the DB2 command window to change the primary archive log directory, if necessary-
db2 => update database configuration using logarchmeth1 <valid directory>
Additional steps for Windows (assuming that the logarchmeth1 parameter includes DISK)-
1. Connect to the DB2 host
2. Right-click on the primary archive log directory
3. Choose Properties
4. Select the Security tab
5. Grant all DB2 administrator accounts the Full Control authority
6. Grant all other accounts read and execute privileges only (revoke all other privileges)
Additional steps for Linux (assuming that the logarchmeth1 parameter includes DISK)-
1. Connect to the DB2 host
2. Change to the primary archive log directory
3. Change the permissions for the directory
OS => chmod -R 755

See Also

https://workbench.cisecurity.org/files/162

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(4)

Plugin: Windows

Control ID: 0700c58bae0d6217e25113260555d48fe14b9168d7a64095dd67786f78713d5e