4.3.17 Restrict Access to SYSIBM.SYSPASSTHRUAUTH

Information

The SYSIBM.SYSPASSTHRUAUTH table contains the names of user or group that have pass-through authorization to query the data source. It is recommended that the PUBLIC role be restricted from accessing this table.

Rationale:

The ability to see which accounts have the pass-through privilege could allow an attacker to exploit these accounts to access another data source.

Solution

Perform the following to revoke access from PUBLIC.

Connect to the Db2 database.

db2 => connect to <dbname>

Run the following command:

db2 => REVOKE SELECT ON SYSIBM.SYSPASSTHRUAUTH FROM PUBLIC

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: IBM_DB2DB

Control ID: 8c570ca3d6866949bcdf9423f975f616932e8cbf40d118d0fc989c7e21495af6