6.1.3 Secure SYSMAINT Authority

Information

The sysmaint_group parameter defines the system administrator group that possesses the system maintenance (SYSMAINT) authority. It is recommended that the sysmaint_group group contains authorized users only.

Rationale:

If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the Db2 instance will be at increased risk.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Define a valid group name for the SYSMAINT group.

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command:

db2 => update database manager configuration using sysmaint_group <sys maintenance group name>

Default Value:

The default value for sysmaint_group is NULL.
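
One way to verify the setting after remediation, as an added example that is not part of the benchmark or of Nessus: the script parses captured "db2 get dbm cfg" output for SYSMAINT_GROUP and compares the group's members against an allow-list. The function names, the sample configuration text, the group line and the user names are all constructed for illustration.

```shell
# Added example: audit sysmaint_group from captured command output.
# On a live host, capture the inputs with:
#   db2 get dbm cfg        (database manager configuration)
#   getent group <group>   (member list of the configured group)
# Constructed samples (layout assumed to match "db2 get dbm cfg" output):
SAMPLE_CFG_UNSET=' SYSADM group name                        (SYSADM_GROUP) = DB2IADM1
 SYSMAINT group name                    (SYSMAINT_GROUP) = '
SAMPLE_CFG_SET=' SYSADM group name                        (SYSADM_GROUP) = DB2IADM1
 SYSMAINT group name                    (SYSMAINT_GROUP) = DB2MAINT'
SAMPLE_GROUP_LINE='db2maint:x:1001:dbmaint1,dbmaint2,tempuser'

# Read dbm cfg text on stdin; print the SYSMAINT group (empty when unset).
sysmaint_group() {
  awk -F'=' '/\(SYSMAINT_GROUP\)/ {
    gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# $1 = group(5) line, $2 = space-separated allow-list.
# Prints the members that are not on the allow-list. Runs in a subshell
# so the IFS change does not leak into the caller.
unapproved_members() (
  members=${1##*:}
  out=""
  IFS=','
  for m in $members; do
    case " $2 " in
      *" $m "*) ;;
      *) out="${out:+$out }$m" ;;
    esac
  done
  printf '%s' "$out"
)

# $1 = dbm cfg text, $2 = group(5) line, $3 = allow-list.
# Returns 0 on pass, 1 on fail, with a one-line finding on stdout.
check_sysmaint() {
  grp=$(printf '%s\n' "$1" | sysmaint_group)
  if [ -z "$grp" ] || [ "$grp" = "NULL" ]; then
    echo "FAIL: sysmaint_group is not defined"; return 1
  fi
  extra=$(unapproved_members "$2" "$3")
  if [ -n "$extra" ]; then
    echo "FAIL: $grp has unapproved members: $extra"; return 1
  fi
  echo "PASS: $grp contains authorized users only"
}
```

The member field of a group line does not list users whose primary group is that group, so also check the passwd database for accounts with the same GID.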

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: d5e6f2f9ed06dac6010f50b9360a91ddc406faf29d0a62e79b7e4f86cede7568