3.1.2 Secure Permissions for Default Database File Path (DFTDBPATH)

Information

The DFTDBPATH parameter contains the default file path used to create Db2 databases. It is recommended that the permissions for this directory be set to full access for Db2 administrators and read and execute access only for all other accounts. It is also recommended that this directory be owned by the Db2 Administrator.

Rationale:

Restricting access to the directory used as the default file path through permissions will help ensure that the confidentiality, integrity, and availability of the files there are protected.

Solution

For Windows and Linux:

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command to change the default file path, if necessary:

db2 => update database manager configuration using dftdbpath <valid directory>

Additional steps for Windows:

Connect to the Db2 host

Right-click the directory used as the default file path

Choose Properties

Select the Security tab

Assign ownership of the directory to the Db2 Administrator

Grant all Db2 administrator accounts the Full Control authority

Grant only read and execute privileges to all other users (revoke all other privileges)

Additional steps for Linux:

Connect to the Db2 host

Change to the directory used as the default file path

Assign the Db2 Administrator to be the owner of the directory using the chown command

Change the permissions for the directory

$ chmod -R 755 <directory>
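To verify the Linux result, the following audit sketch reads DFTDBPATH from `db2 get dbm cfg` output and checks the directory's owner and write bits. It is an added example, not part of the benchmark text: the function names and the sample configuration line are constructed here, and it assumes GNU `stat` and `find`.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit the DFTDBPATH directory on Linux.
# Assumes GNU coreutils/findutils (stat -c, find -perm /mode).

# Constructed sample of the relevant `db2 get dbm cfg` line (not from a real host).
SAMPLE_CFG=' Default database path                       (DFTDBPATH) = /home/db2inst1'

# Read `db2 get dbm cfg` output on stdin and print the DFTDBPATH value.
dftdbpath_from_cfg() {
    sed -n 's/^.*(DFTDBPATH)[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# check_dftdbpath DIR OWNER
# Returns 0 when DIR is owned by OWNER and nothing in or below DIR is
# writable by group or other, i.e. no entry is looser than mode 755.
# Returns 1 on a finding, 2 when DIR is not a directory.
check_dftdbpath() {
    dir=$1
    owner=$2
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 2
    fi
    actual=$(stat -c '%U' "$dir")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: $dir is owned by $actual, expected $owner"
        rc=1
    fi
    # -perm /022 matches entries with group-write or other-write set.
    # Symlinks are skipped because their own mode bits are not meaningful.
    loose=$(find "$dir" ! -type l -perm /022 2>/dev/null | head -n 5)
    if [ -n "$loose" ]; then
        echo "FAIL: group- or other-writable entries (first 5):"
        echo "$loose"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "PASS: $dir is owned by $owner with no group/other write access"
    fi
    return "$rc"
}

# Usage on a Db2 host (db2inst1 is an assumed instance owner name):
#   check_dftdbpath "$(db2 get dbm cfg | dftdbpath_from_cfg)" db2inst1
```

The check flags write access only; it does not confirm that other accounts keep read and execute access.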

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 78fbcfcb2bde325b03fd78e4a94cc3f1f2a2703e69baeaaf7bbc6270f6fcbcfd