3.1.13 Secure the Communication Buffer Exit Library (COMM_EXIT_LIST)

Information

A communication exit library is a dynamically loaded library that vendor applications use to examine communication buffers. The COMM_EXIT_LIST parameter specifies the list of communication buffer exit libraries. The permissions on these libraries should be secured so that users other than the instance owner do not have write privileges.

Rationale:

If a malicious user has write access to a communication exit library, they can overwrite it with their own, thereby receiving all of the communication buffers that Db2 receives over the network. Securing the libraries will prevent a loss of confidentiality of data.

Solution

To change permissions of a file on Linux:

chmod 755 <file>

To change permissions of a file on Windows:

Right-click on the file

Choose properties

Select the Security tab

Grant the Full Control authority to all Db2 administrator accounts

Grant only read and execute privileges to all other accounts (revoke any other privileges)
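The following audit script is an added example for the Linux case and is not part of the benchmark or of Db2 itself. It checks each communication exit library for group or other write bits (the condition chmod 755 removes) and, optionally, that the file is owned by the expected instance owner. It assumes GNU coreutils stat and takes the library paths as arguments; on a real instance, take the library names from the COMM_EXIT_LIST value shown by db2 get dbm cfg and resolve them in the instance's plugin directory.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit Db2 communication exit
# libraries for write access held by anyone other than the file owner.
# Assumes GNU coreutils stat (Linux); adjust the stat calls on AIX/macOS.

# check_exit_lib PATH [EXPECTED_OWNER]
# Returns 0 when PATH is a regular file with no group/other write bit and,
# if EXPECTED_OWNER is given, is owned by that user; otherwise prints the
# reason and returns 1.
check_exit_lib() {
    lib=$1
    want_owner=$2
    if [ ! -f "$lib" ]; then
        echo "FAIL $lib: not a regular file"
        return 1
    fi
    mode=$(stat -c '%a' "$lib")     # octal mode as digits, e.g. 755 or 4755
    owner=$(stat -c '%U' "$lib")
    # The last two digits are the group and other classes; bit value 2 is write.
    group_bits=$(( (mode / 10) % 10 ))
    other_bits=$(( mode % 10 ))
    if [ $(( group_bits & 2 )) -ne 0 ] || [ $(( other_bits & 2 )) -ne 0 ]; then
        echo "FAIL $lib: mode $mode grants write to group or other"
        return 1
    fi
    if [ -n "$want_owner" ] && [ "$owner" != "$want_owner" ]; then
        echo "FAIL $lib: owned by $owner, expected $want_owner"
        return 1
    fi
    echo "OK   $lib: mode $mode owner $owner"
    return 0
}

# audit_exit_libs EXPECTED_OWNER PATH...
# Checks every path and returns the number of files that failed (0 = compliant).
audit_exit_libs() {
    want_owner=$1
    shift
    failures=0
    for path in "$@"; do
        check_exit_lib "$path" "$want_owner" || failures=$((failures + 1))
    done
    return "$failures"
}

# Stand-alone use:  sh audit_comm_exit.sh <instance_owner> <library>...
# (instance owner name and library paths are site-specific; none are assumed here)
if [ "$#" -gt 1 ]; then
    audit_exit_libs "$@"
fi
```

A failing library is remediated with the benchmark's chmod 755 (or chown to the instance owner when the owner check fails); re-run the audit afterwards to confirm the fix.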

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: da5a3609645d42059e41d883dd05b58304dfa5a1b1c70df07d3444ff4b796085