3.1.8 Secure all diagnostic logs

Information

The diagpath parameter specifies the location of the diagnostic files for the DB2 instance. The directory at this location should be secured so that users have read and execute privileges only (no write privileges). All DB2 administrators should have full access to the directory.

Securing the directory will ensure that the confidentiality, integrity, and availability of the diagnostic files contained in the directory are preserved.

Solution

For Windows and Linux, to change the directory for the diagnostic logs:
1. Attach to the DB2 instance:
   db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window, supplying the new diagnostic directory:
   db2 => update database manager configuration using diagpath <new_diagnostic_directory>

Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click over the diagnostic log directory
3. Choose Properties
4. Select the Security tab
5. Grant the Full Control authority to all DB2 administrator accounts
6. Grant only read and execute privileges to all other accounts (revoke any other privileges)

Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the diagnostic log directory
3. Change the permissions of the directory and its contents (the current directory after step 2):
   OS => chmod -R 755 .

Default Value:
The default value for diagpath is NULL.
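
A shell audit helper for this control, added here as an example; it is not part of the CIS benchmark, the Tenable plugin, or DB2 itself. It reads the diagpath value out of captured "db2 get dbm cfg" output (the sample line is constructed), reports anything under that directory that is writable by group or others or not owned by the instance owner, and applies the benchmark's chmod -R 755 remediation before re-checking. The path /home/db2inst1/sqllib/db2dump/, the owner argument and the throwaway directory are assumptions for the demo; the script relies only on a POSIX shell and find(1) with symbolic -perm tests.

```shell
#!/bin/sh
# Added audit helper for CIS DB2 3.1.8; not CIS, Tenable or IBM code.
# Assumes a POSIX shell and find(1) with symbolic -perm tests. The sample
# "db2 get dbm cfg" line and the demo directory below are constructed.

# Pull the DIAGPATH value out of captured "db2 get dbm cfg" output (stdin).
# Prints the path, or nothing when the parameter is unset (the NULL default).
diagpath_from_cfg() {
  sed -n 's/.*(DIAGPATH)[[:space:]]*=[[:space:]]*//p' \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# check_diag_dir DIR [OWNER]
# Returns 0 when nothing under DIR is writable by group or others and, if
# OWNER is given, every entry is owned by OWNER. Otherwise prints each
# offending path and returns 1. Returns 2 when DIR does not exist.
check_diag_dir() {
  dir=$1
  owner=${2:-}
  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }
  # World/group write access on the directory or any file inside it.
  offenders=$(find "$dir" \( -perm -g+w -o -perm -o+w \) -print)
  if [ -n "$owner" ]; then
    # Entries not owned by the expected instance owner (assumed argument).
    wrong_owner=$(find "$dir" ! -user "$owner" -print)
    offenders=$(printf '%s\n%s' "$offenders" "$wrong_owner")
  fi
  offenders=$(printf '%s\n' "$offenders" | sed '/^$/d')
  if [ -n "$offenders" ]; then
    printf '%s\n' "$offenders"
    return 1
  fi
  return 0
}

# Remediate exactly as the benchmark's Linux step does: 755 on the tree.
fix_diag_dir() {
  chmod -R 755 "$1"
}

# --- demo on a throwaway directory (constructed, not a real instance) ---
sample=' Diagnostic data directory path               (DIAGPATH) = /home/db2inst1/sqllib/db2dump/'
echo "diagpath from sample cfg: $(printf '%s\n' "$sample" | diagpath_from_cfg)"
demo=$(mktemp -d)
mkdir "$demo/db2dump"
printf 'constructed log line\n' > "$demo/db2dump/db2diag.log"
chmod 777 "$demo/db2dump"              # deliberately too open
chmod 666 "$demo/db2dump/db2diag.log"  # deliberately world-writable
if check_diag_dir "$demo" "$(id -un)"; then
  echo "unexpectedly clean"
else
  echo "finding(s) listed above"
fi
fix_diag_dir "$demo"
check_diag_dir "$demo" "$(id -un)" && echo "clean after chmod -R 755"
rm -rf "$demo"
```

On a real host, run it as the instance owner and pass the path that diagpath_from_cfg prints (or the instance's default location when the value is NULL) together with the instance owner's user name. Because the benchmark applies 755 recursively, files under the directory also receive the execute bit; the check tolerates that, since it only tests for write access by group or others, which is what the control forbids.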

See Also

https://workbench.cisecurity.org/files/1654

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(4)

Plugin: Unix

Control ID: e5c236c04a557179cbc117d90b688cb4189679a95d59f8a56cbf7f820f960e7e