Information
A DB2 software installation will place all executables under the default <DB2PATH>\sqllib directory. This directory needs to be secured so it grants only the necessary access to authorized users and administrators.
The DB2 runtime is comprised of files that are executed as part of the DB2 service. If these resources are not secured, an attacker may alter them to execute arbitrary code.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
For Windows:
1. Connect to the DB2 host
2. Right-click on the %DB2PATH%\sqllib directory
3. Choose Properties
4. Select the Security tab
5. Select all DB administrator accounts and grant them the Full Control authority
6. Select all non-administrator accounts and revoke all privileges other than Read and Execute
For Linux:
1. Connect to the DB2 host
2. Change to the $DB2PATH/sqllib directory
3. Change the permission level of the directory to this recommended value:
OS => chmod -R 750
Default Value:
Linux: $DB2PATH/sqllib is owned by the DB2 administrator with read, write, and execute access.
MS Windows: %DB2PATH%\sqllib owned by the DB2 administrator with read, write, and execute access.