6.28 Restrict Access to SYSCAT.TABAUTH

Information

The SYSCAT.TABAUTH contains users or groups that have been granted one or more privileges on a table or view. It is recommended that the PUBLIC role be restricted from accessing this view.

PUBLIC should not have access to the grants of views and tables in a database. This could lead to an exploit.

Solution

Perform the following to revoke access from PUBLIC.
1. Connect to the DB2 database.
db2 => connect to $DB2INSTANCE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window:
db2 => REVOKE SELECT ON SYSCAT.TABAUTH FROM PUBLIC

See Also

https://workbench.cisecurity.org/files/1654

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: IBM_DB2DB

Control ID: 8bd3031d7809f5325f65cab248696e3b038f7a670bbd03eff413ab0c6708edd4