3.1.4 Secure Permissions for All Diagnostic Logs (DIAGPATH)

Information

The DIAGPATH database manager configuration parameter specifies the directory that holds the diagnostic files for the Db2 instance (db2diag.log, FODC dump data, and related files). That directory should be secured so that all other users have read and execute privileges only (no write privileges), while the instance owner and all Db2 administrators retain full access. Note that the directory must remain writable by the account under which the instance runs, since that is the account that writes the diagnostic logs.

Rationale:

Securing the directory preserves the confidentiality, integrity, and availability of the diagnostic files it contains: a world-writable DIAGPATH lets any local user tamper with or delete evidence of errors and security events, or fill the file system so that Db2 can no longer write its logs.

Solution

For Windows and Linux
To change the directory for the diagnostic logs:

Attach to the Db2 instance

db2 => attach to <db2instance>

Run the following command:

db2 => update database manager configuration using diagpath <valid directory>

Additional steps for Windows:

Connect to the Db2 host

Right-click over the diagnostic log directory

Choose Properties

Select the Security tab

Grant the Full Control authority to all Db2 administrator accounts

Grant only Read and Read & execute to all other accounts, and revoke Write, Modify, and any other privileges they hold

Additional steps for Linux:

Connect to the Db2 host

Change to the diagnostic log directory

Change the permissions of the directory so that only the owner (the instance owner account) can write and all other users have read and execute only. Do not use a world-writable mode such as 3777, which is the opposite of what this control requires:

$ chmod -R 755 .
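The following is an added example, not part of the benchmark text, showing how a practitioner would audit a DIAGPATH tree for the weak permissions this control is about and then apply the corrected ones. The function names, the optional instance-owner argument, and the use of GNU/POSIX find and chmod are assumptions; resolve the real directory first with "db2 get dbm cfg" (an empty DIAGPATH means the default sqllib/db2dump under the instance home directory).

```shell
#!/bin/sh
# Audit and remediate permissions under a Db2 DIAGPATH directory.
# Added example for this control; hypothetical function names.
# Assumption: run as root or as the instance owner, and pass the
# instance owner account as the optional second argument of
# diagpath_fix if ownership of the tree also needs correcting.

# diagpath_audit DIR
# Prints every entry under DIR that is writable by group or others,
# i.e. the condition a mode such as 3777 would create.
# Returns 0 when the tree is clean, 1 when offenders were found,
# 2 when DIR is not a directory.
diagpath_audit() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    # -perm -020: group write bit set; -perm -002: other write bit set.
    # Octal masks are used rather than symbolic modes for portability.
    offenders=$(find "$dir" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# diagpath_fix DIR [OWNER]
# Directories become 755 (owner rwx, everyone else read + search) and
# files become 644 (owner rw, everyone else read), which is what the
# control asks for: read and execute only for non-administrators.
# If OWNER is given, the whole tree is handed to that account so the
# instance keeps write access through ownership rather than through
# group or world write bits.
diagpath_fix() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    find "$dir" -type d -exec chmod u=rwx,go=rx {} +
    find "$dir" -type f -exec chmod u=rw,go=r {} +
    if [ -n "$owner" ]; then
        chown -R "$owner" "$dir"
    fi
}

# Typical usage (uncomment on a real host):
#   diagpath_audit /home/db2inst1/sqllib/db2dump || \
#       diagpath_fix /home/db2inst1/sqllib/db2dump db2inst1
```

Run the audit function on its own as the compliance check: a non-empty listing means the control fails and shows exactly which entries are writable by non-owners. The fix deliberately sets modes explicitly per type instead of using chmod -R with a single mode, because chmod -R 755 also marks plain log files as executable, which the control does not require.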

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 4d0cf383fcf4b9d4ade7fce36a0d262ee07842bc07f6216a8b23e6134d7af90c