4.1.9 Secure Permissions for the Log Overflow Location (OVERFLOWLOGPATH)

Information

The OVERFLOWLOGPATH parameter specifies a location for Db2 databases to find log files needed for a rollforward operation, as well as where to store active log files retrieved from the archive. It also gives a location for finding and storing log files needed by the db2ReadLog API. It is recommended that the directory used be set to full access for Db2 administrator accounts and read and execute only for all other accounts.

Rationale:

The overflow log path can contain log files containing user data. Access to the directory pointed to by that path should be restricted through permissions to help ensure that the confidentiality, integrity, and availability of the logs are protected.

Solution

For Windows and Linux:

Connect to the Db2 database

db2 => connect to <dbname>

Run the following command to change the overflow log directory, if necessary:

db2 => update database configuration using overflowlogpath <valid directory>

Additional steps for Windows:

Connect to the Db2 host

Right-click on the overflow log directory

Choose Properties

Select the Security tab

Grant all Db2 administrator accounts the Full Control authority

Grant all other accounts read and execute privileges only (revoke all other privileges)

Additional steps for Linux:

Connect to the Db2 host

Change to the overflow log directory

Change the permissions for the directory

$ chmod -R 755 .
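The following script is an added example, not part of the benchmark or of Db2 itself. It shows the Linux remediation above as an audit-then-fix pair: a check that flags anything under the overflow log directory that group or other accounts could write to (the permissions the benchmark says to revoke), and the recursive chmod 755 from the solution. The directory it operates on is a constructed temporary tree standing in for the real OVERFLOWLOGPATH; the file names inside it are made up for the demo.

```shell
#!/bin/sh
# Added example: audit and remediate permissions on the Db2 overflow log
# directory. On a real host the path would come from the database
# configuration (the OVERFLOWLOGPATH line of `db2 get db cfg for <dbname>`);
# here a constructed temporary tree is used instead so the script runs offline.
set -u

# Return 0 when nothing under $1 is writable by group or others, i.e. only the
# owning (Db2 administrator) account can modify the directory and its logs.
# Returns 2 when $1 is not a directory, 1 when a writable entry is found.
overflow_perms_ok() {
    dir=$1
    [ -d "$dir" ] || return 2
    if find "$dir" \( -perm -g+w -o -perm -o+w \) -print | grep -q .; then
        return 1
    fi
    return 0
}

# The benchmark's remediation: rwx for the owner, r-x for everyone else,
# applied recursively to the directory and everything it contains.
overflow_perms_fix() {
    chmod -R 755 "$1"
}

# Constructed stand-in for the overflow log directory (not a real Db2 path).
demo=$(mktemp -d)
mkdir "$demo/NODE0000"
: > "$demo/NODE0000/S0000001.LOG"
chmod 777 "$demo/NODE0000"            # deliberately too permissive
chmod 666 "$demo/NODE0000/S0000001.LOG" # world-writable log file

if overflow_perms_ok "$demo"; then echo "before fix: compliant"; else echo "before fix: non-compliant"; fi
overflow_perms_fix "$demo"
if overflow_perms_ok "$demo"; then echo "after fix: compliant"; else echo "after fix: non-compliant"; fi
rm -rf "$demo"
```

The check deliberately mirrors the benchmark's wording (revoke everything beyond read and execute for non-administrator accounts), so it only flags group- or world-writable entries; it does not judge whether read access for all other accounts is appropriate for a given deployment.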

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 01efb0b00e6edce41e5c6492733554c62ac2774be05d30dc2cdbf3f0acdd7c56