4.4.9 Restrict Access to SYSIBMADM.PRIVILEGES

Information

The view SYSIBMADM.PRIVILEGES lists all the privileges that have been explicitly granted to authorization IDs. In a non-restrictive database this view has SELECT granted to public. It is recommended that public should not be able to select from this view.

Rationale:

A malicious user may use this view to conduct information gathering regarding the privileges that users have.

Solution

Perform the following to revoke access from PUBLIC.

Connect to the Db2 database.

db2 => connect to <dbname>

Run the following command:

db2 => revoke SELECT on table SYSIBMADM.PRIVILEGES from public

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: IBM_DB2DB

Control ID: 9d152e3b6baa684ee98e5a2280143ea911b13ec5a2805157b47bb35e238bb236