6.1.1 Secure SYSADM Authority

Information

The sysadm_group parameter defines the system administrator group (SYSADM) authority. It is recommended that the sysadm_group group contains authorized users only.

Rationale:

If an account that possesses this authority is compromised or used in a malicious manner, the confidentiality, integrity, and availability of data in the Db2 instance will be at increased risk.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Define a valid group name for the SYSADM group.

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command:

db2 => update database manager configuration
using sysadm_group <sys adm group name>

Default Value:

The default value for sysadm_group is NULL.

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Windows

Control ID: eb7bf5a7e31884d1f333167b28ae3ba9ee20b19f1a7550ef4581d21e3d17b19f