4.1.5 Secure Permissions for the Primary Archive Log Location (LOGARCHMETH1)

Information

The LOGARCHMETH1 parameter specifies the type of media and the location used as the primary destination of archived logs. It is recommended that the directory used for the archived logs be set to full access for Db2 administrator accounts and read and execute for all other accounts.

Rationale:

Restricting access to the contents of the primary archive log directory will help ensure that the confidentiality, integrity, and availability of archive logs are protected. Although there are many ways to ensure that your primary logs will be archived, we recommend using the value of DISK as part of the LOGARCHMETH1 parameter. This will properly ensure that the primary logs are archived. A finding of OFF is not acceptable.

Solution

For Windows and Linux:

Attach to the Db2 instance.

Run the following command to change the primary archive log directory, if necessary:

db2 => update database configuration using logarchmeth1 DISK:<valid directory>

Additional steps for Windows (assuming that the logarchmeth1 parameter includes DISK):

Connect to the Db2 host

Right-click on the primary archive log directory

Choose Properties

Select the Security tab

Grant all Db2 administrator accounts the Full Control authority

Grant all other accounts read and execute privileges only (revoke all other privileges)

Additional steps for Linux (assuming that the logarchmeth1 parameter includes DISK):

Connect to the Db2 host

Change to the primary archive log directory

Change the permissions for the directory

$ chmod -R 755 .
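A check that a practitioner can run on the Linux host to verify this control, added here as an example that is not part of the CIS benchmark or the Tenable audit text: it parses the LOGARCHMETH1 value from `db2 get db cfg` output, treats OFF or any non-DISK method as a failure, and reports every entry under the DISK directory that group or others can write to (the condition `chmod -R 755` removes). The config lines and temporary directory it runs on are constructed; a live `db2 get db cfg` call with an open database connection is assumed, not performed here.

```shell
#!/bin/sh
# Added compliance check for this control; not part of the CIS benchmark or Tenable audit text.
# Live use on the Linux host (assumed): db2 connect to <dbname>; then check_archive_dir "$(db2 get db cfg)".

# Print the LOGARCHMETH1 value (e.g. "DISK:/db2/archlogs/" or "OFF") from `db2 get db cfg` text on stdin.
logarchmeth1_value() {
    sed -n 's/.*(LOGARCHMETH1) *= *//p' | head -n 1 | tr -d '[:space:]'
}

# Print the archive directory when the method is DISK:<path>; fail (status 1) for OFF or any other method.
logarchmeth1_disk_path() {
    case "$1" in
        DISK:*) printf '%s\n' "${1#DISK:}" ;;
        *)      return 1 ;;
    esac
}

# Succeed when an octal mode (as printed by GNU `stat -c %a`) grants no write bit to group or others,
# which is what the recommended 755 (full control for the owner, read/execute for everyone else) gives.
mode_is_restricted() {
    m=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')   # keep the rwx digits, drop setuid/setgid/sticky
    g=$(printf '%s' "$m" | cut -c2)
    o=$(printf '%s' "$m" | cut -c3)
    [ $((g & 2)) -eq 0 ] && [ $((o & 2)) -eq 0 ]
}

# List every entry under the archive directory that group or others can write to (POSIX find syntax).
writable_entries() {
    find "$1" \( -perm -g+w -o -perm -o+w \) 2>/dev/null
}

# Evaluate cfg text: FAIL when LOGARCHMETH1 is OFF or not DISK, FAIL on lax permissions, PASS otherwise.
check_archive_dir() {
    value=$(printf '%s\n' "$1" | logarchmeth1_value)
    dir=$(logarchmeth1_disk_path "$value") || { echo "FAIL: LOGARCHMETH1 is '$value', expected DISK:<directory>"; return 1; }
    [ -d "$dir" ] || { echo "FAIL: archive directory $dir does not exist"; return 1; }
    lax=$(writable_entries "$dir")
    [ -z "$lax" ] || { echo "FAIL: group/other-writable entries under $dir:"; echo "$lax"; return 1; }
    echo "PASS: $dir and its contents are not writable by group or others"
}

# Stand-alone demonstration on a constructed temporary directory (no Db2 needed).
demo_dir=$(mktemp -d) && chmod 777 "$demo_dir"
check_archive_dir "First log archive method (LOGARCHMETH1) = DISK:$demo_dir" || true  # lax mode: FAIL
chmod -R 755 "$demo_dir"                                                              # remediation from the Solution
check_archive_dir "First log archive method (LOGARCHMETH1) = DISK:$demo_dir"          # PASS
rmdir "$demo_dir"
```

The check only covers the mode bits; ownership of the directory (which must be the Db2 instance owner for "full control" to mean the right account) is still confirmed separately with `ls -ld`.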

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Windows

Control ID: 76e31662a576641d94338d9e975408e96ff1688f6a8158a2f1a1159869c6c322