4.2.39 Restrict Access to SYSCAT.TBSPACEAUTH

Information

The SYSCAT.TBSPACEAUTH view contains users or groups that have been granted the USE privilege on a particular tablespace in the database. It is recommended that the PUBLIC role be restricted from accessing this view.

Rationale:

PUBLIC should not have access to the grants of the tablespaces in a database. This could lead to an exploit.

Solution

Perform the following to revoke access from PUBLIC.

Connect to the Db2 database.

db2 => connect to <dbname>

Run the following command:

db2 => REVOKE SELECT ON SYSCAT.TBSPACEAUTH FROM PUBLIC

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: IBM_DB2DB

Control ID: 816d1003e612f52c31e72f86c304ffd6a7dde6318e3f7779866d54884f981f4d