6.1.7 Secure SQLADM Authority

Information

The SQLADM authority is required to monitor, tune, and alter SQL statements.

Rationale:

The SQLADM authority can CREATE, SET, FLUSH, and DROP EVENT MONITORS and perform RUNSTATS and REORG on INDEXES and TABLES. SQLADM can be granted to users, groups, roles, or PUBLIC. SQLADM authority is a subset of the DBADM authority and can be granted by the SECADM authority.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Revoke SQLADM authority from any unauthorized users.

db2 => REVOKE SQLADM ON DATABASE FROM USER <username>
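
To decide which grantees to revoke, the current holders can be listed from the catalog first. The query below is an added example, not part of the benchmark text; it assumes the standard SYSCAT.DBAUTH and SYSCAT.ROLEAUTH catalog views and expands only one level of role membership, so nested roles and operating-system group membership still need a separate review.

```sql
-- Added example: who holds SQLADM on the current database?
-- GRANTEETYPE is 'U' (user), 'G' (group, including PUBLIC) or 'R' (role).

-- 1. Grantees that hold SQLADM directly.
SELECT d.GRANTEE,
       d.GRANTEETYPE,
       'DIRECT'                   AS SOURCE,
       CAST(NULL AS VARCHAR(128)) AS VIA_ROLE
FROM   SYSCAT.DBAUTH d
WHERE  d.SQLADMAUTH = 'Y'

UNION ALL

-- 2. Users, groups and roles that inherit SQLADM because they were
--    granted a role that itself holds SQLADM.
SELECT r.GRANTEE,
       r.GRANTEETYPE,
       'ROLE'                     AS SOURCE,
       r.ROLENAME                 AS VIA_ROLE
FROM   SYSCAT.ROLEAUTH r
JOIN   SYSCAT.DBAUTH  d
       ON  d.GRANTEE     = r.ROLENAME
       AND d.GRANTEETYPE = 'R'
WHERE  d.SQLADMAUTH = 'Y'

ORDER BY 1, 2;
```

A row with GRANTEE = PUBLIC means every database user holds the authority. A grantee listed with SOURCE = ROLE keeps SQLADM until the role membership is removed or SQLADM is revoked from the role itself.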

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: IBM_DB2DB

Control ID: 8d669a083a78850df0905b209e52d4be289ecc437f5b59dc6c3d315bd3871c5f