6.1.4 Secure SYSMON Authority

Information

The sysmon_group parameter defines the operating system groups with system monitor (SYSMON) authority. It is recommended that the sysmon_group group contain authorized users only.

Rationale:

If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the Db2 instance will be at increased risk.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Define a valid group name for the SYSMON group.

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command:

db2 => update database manager configuration
using sysmon_group <sys monitor group name>

Default Value:

The default value for sysmon_group is NULL.

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: c737c723d6096aef136f7206686906dd1842d173edd956260538483b1832b9ff