4.1.1 Creating the Database Without PUBLIC Grants (RESTRICTIVE)

Information

This parameter indicates whether the database was created with the RESTRICTIVE clause in the CREATE DATABASE statement. When creating a database, the use of the RESTRICTIVE clause will cause certain privileges to be revoked from PUBLIC.

Rationale:

Impact:

Allowing the default privileges granted to the group PUBLIC to remain in tack can have negative impacts on the database as well as undermine measures put in place to limit access to authorized users.

Solution

There is no remediation for this parameter due to the fact that the placement of the RESTRICTIVE clause happens within the CREATE DATABASE statement. Unless your backup strategies allow for a complete overhaul of your environment where you are able to recreate the database with the RESTRICTIVE clause, we do not recommend changing this parameter. However, if you would like to align your database configuration to that which the RESTRICTIVE clause would provide, please ensure the following:

SYSCAT.DBAUTH - Ensure PUBLIC is NOT granted the following authorities:

CREATETAB

BINDADD

CONNECT

IMPLICIT_SCHEMA

SYSCAT.TABAUTH - Ensure PUBLIC is NOT granted the following privileges:

SELECT on all SYSCAT and SYSIBM tables

SELECT and UPDATE on all SYSSTAT tables

SELECT on the following views in schema SYSIBMADM:

ALL_*

USER_*

ROLE_*

SESSION_*

DICTIONARY

TAB

SYSCAT.ROUTINEAUTH - Ensure PUBLIC is NOT granted the following privileges:

EXECUTE with GRANT on all procedures in schema SQLJ

EXECUTE with GRANT on all functions and procedures in schema SYSFUN

EXECUTE with GRANT on all functions and procedures in schema SYSPROC

EXECUTE on all table functions in schema SYSIBM

EXECUTE on all other procedures in schema SYSIBM

SYSCAT.MODULEAUTH - Ensure PUBLIC is NOT granted the following privileges:

EXECUTE on the following modules in schema SYSIBMADM:

DBMS_DDL

DBMS_JOB

DBMS_LOB

DBMS_OUTPUT

DBMS_SQL

DBMS_STANDARD

DBMS_UTILITY

SYSCAT.PACKAGEAUTH - Ensure PUBLIC is NOT granted the following privileges:

BIND on all packages created in the NULLID schema

EXECUTE on all packages created in the NULLID schema

SYSCAT.SCHEMAAUTH - Ensure PUBLIC' is NOT granted the following privileges:

CREATEIN on schema SQLJ

CREATEIN on schema NULLID

SYSCAT.TBSPACEAUTH - Ensure PUBLIC is NOT granted the USE privilege on table space USERSPACE1.

SYSCAT.WORKLOADAUTH - Ensure PUBLIC is NOT granted the USAGE privilege on SYSDEFAULTUSERWORKLOAD.

SYSCAT.VARIABLEAUTH - Ensure PUBLIC is NOT granted the READ privilege on schema global variables in the SYSIBM schema.

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: IBM_DB2DB

Control ID: f00d4e238322962f05f94e8604a4550da7b8fc7bd041fe069e8a9e92c794ec70