4.4.4 Restrict Access to SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID

Information

The table function SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID returns the instance and database authorities held by the specified authorization ID. In a non-restrictive database, EXECUTE on this table function is granted to PUBLIC. It is recommended that PUBLIC not be able to execute this routine.

Rationale:

A malicious user may use this function to gather information about which users hold high-level authorities.

Solution

Perform the following to revoke access from PUBLIC.

Connect to the Db2 database.

db2 => connect to <dbname>

Run the following command:

db2 => revoke EXECUTE on function SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID from public RESTRICT
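To confirm the revoke took effect (and to detect a later re-grant), the following catalog query is an added example and not part of the benchmark text; it assumes the Db2 catalog views SYSCAT.ROUTINES and SYSCAT.ROUTINEAUTH with the column names shown.

```sql
-- Added example (not from the benchmark): list every grantee that still
-- holds EXECUTE on SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID.
-- Assumes SYSCAT.ROUTINEAUTH / SYSCAT.ROUTINES with the columns used below.
-- The join on SPECIFICNAME is needed because ROUTINEAUTH records the
-- routine's specific name, which can differ from its routine name.
-- Expected state after the Solution: no row with GRANTEE = 'PUBLIC'.
-- EXECUTEAUTH is 'Y' (held) or 'G' (held with GRANT option); 'N' is not held.
SELECT a.grantee,
       a.granteetype,
       a.executeauth,
       a.grant_time
  FROM syscat.routineauth AS a
  JOIN syscat.routines    AS r
    ON r.routineschema = a.schema
   AND r.specificname  = a.specificname
 WHERE r.routineschema = 'SYSPROC'
   AND r.routinename   = 'AUTH_LIST_AUTHORITIES_FOR_AUTHID'
   AND a.executeauth IN ('Y', 'G')
 ORDER BY a.grantee;
```

Run it from the same CLP session after the revoke; any remaining PUBLIC row means the control is still open.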

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: IBM_DB2DB

Control ID: 20367b99985703748735b48b9c1c075b2ba286ab4fed03a27968946dbd34c99d