DB2 must provide the capability for authorized users to capture, record, and log all content related to a user session.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-74661	DB2X-00-001100	SV-89335r1_rule		Medium

Description
Without the capability to capture, record, and log all content related to a user session, investigations into suspicious user activity would be hampered. Typically, this DBMS capability would be used in conjunction with comparable monitoring of a user's online session, involving other software components such as operating systems, web servers and front-end user applications. The current requirement, however, deals specifically with the DBMS.

Description

Without the capability to capture, record, and log all content related to a user session, investigations into suspicious user activity would be hampered. Typically, this DBMS capability would be used in conjunction with comparable monitoring of a user's online session, involving other software components such as operating systems, web servers and front-end user applications. The current requirement, however, deals specifically with the DBMS.

STIG	Date
IBM DB2 V10.5 LUW Security Technical Implementation Guide	2018-09-13

Details

Check Text ( C-74547r2_chk )
Find out if the user under investigation is being audited. DB2> SELECT AUDITPOLICYNAME, OBJECTNAME, OBJECTTYPE FROM SYSCAT.AUDITUSE WHERE OBJECTTYPE IN ('i',' ') If no rows are returned, this is a finding. If a row with OBJECTTYPE of ' ' (Database; value is a blank) exists in the output, it is a database level policy. If a row with OBJECTTYPE of 'i' exists in the output, it is a user level policy. For each audit policy returned in the statement above, run the following SQL statement to confirm that all of the categories are part of that policy: DB2> SELECT * FROM SYSCAT.AUDITPOLICIES If there is an audit policy defined at database level with the values for the all the audit category columns set to 'B' (Both) and the value in the ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y', this is not a finding. If the database policy does not exist or does not cover all categories with ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y' then check if the appropriate policies are defined for all the required users. If the audit policy is defined on the users under investigation but does not have the values for the all the audit category columns set to 'B' (Both) and the value in the ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y', then this is finding.

Check Text ( C-74547r2_chk )

Find out if the user under investigation is being audited.
DB2> SELECT AUDITPOLICYNAME, OBJECTNAME, OBJECTTYPE
FROM SYSCAT.AUDITUSE
WHERE OBJECTTYPE IN ('i',' ')

If no rows are returned, this is a finding.

If a row with OBJECTTYPE of ' ' (Database; value is a blank) exists in the output, it is a database level policy.

If a row with OBJECTTYPE of 'i' exists in the output, it is a user level policy.

For each audit policy returned in the statement above, run the following SQL statement to confirm that all of the categories are part of that policy:

DB2> SELECT * FROM SYSCAT.AUDITPOLICIES

If there is an audit policy defined at database level with the values for the all the audit category columns set to 'B' (Both) and the value in the ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y', this is not a finding.

If the database policy does not exist or does not cover all categories with ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y' then check if the appropriate policies are defined for all the required users.

If the audit policy is defined on the users under investigation but does not have the values for the all the audit category columns set to 'B' (Both) and the value in the ERRORTYPE column set to 'A' (Audit), EXECUTEWITHDATA to 'Y', then this is finding.

Fix Text (F-81261r2_fix)
Define an audit policy using the CREATE AUDIT POLICY SQL statement: DB2> CREATE AUDIT POLICY CATEGORIES AUDIT STATUS BOTH, CHECKING STATUS BOTH, CONTEXT STATUS BOTH, EXECUTE WITH DATA STATUS BOTH, OBJMAINT STATUS BOTH, SECMAINT STATUS BOTH, SYSADMIN STATUS BOTH, VALIDATE STATUS BOTH ERROR TYPE AUDIT Apply the correct audit policy to either the database as a whole or to the specific user using one of these two statements: DB2> AUDIT DATABASE USING POLICY USERCOMPREHENSIVE Or DB2> AUDIT USER USING POLICY USERCOMPREHENSIVE Note: This is to audit suspicious user activity. For a targeted session activity use AUDIT USER command after the policy has been created. For a general database level use the AUDIT DATABASE command.

Fix Text (F-81261r2_fix)

Define an audit policy using the CREATE AUDIT POLICY SQL statement:

DB2> CREATE AUDIT POLICY
CATEGORIES AUDIT STATUS BOTH, CHECKING STATUS BOTH, CONTEXT STATUS BOTH, EXECUTE WITH DATA STATUS BOTH, OBJMAINT STATUS BOTH, SECMAINT STATUS BOTH, SYSADMIN STATUS BOTH, VALIDATE STATUS BOTH ERROR TYPE AUDIT

Apply the correct audit policy to either the database as a whole or to the specific user using one of these two statements:

DB2> AUDIT DATABASE USING POLICY USERCOMPREHENSIVE
Or
DB2> AUDIT USER USING POLICY USERCOMPREHENSIVE

Note: This is to audit suspicious user activity. For a targeted session activity use AUDIT USER command after the policy has been created. For a general database level use the AUDIT DATABASE command.