UCF STIG Viewer Logo

IBM DB2 V10.5 LUW Security Technical Implementation Guide


Overview

Date Finding Count (93)
2019-09-27 CAT I (High): 6 CAT II (Med): 87 CAT III (Low): 0
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Available Profiles



Findings (MAC III - Administrative Classified)

Finding ID Severity Title
V-74565 High DB2 must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
V-74597 High DB2 must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements.
V-74611 High Security-relevant software updates to DB2 must be installed within the time period directed by an authoritative source (e.g. IAVM, CTOs, DTMs, and STIGs).
V-74489 High Applications using the database must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.
V-74493 High DB2 must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations.
V-74491 High When using command-line tools such as db2, users must use a Connect method that does not expose the password.
V-74459 Medium DB2 must protect its audit features from unauthorized access.
V-74563 Medium When supporting applications that require security labeling of data, DB2 must associate organization-defined types of security labels having organization-defined security label values with information in process.
V-74561 Medium When supporting applications that require security labeling of data, DB2 must associate organization-defined types of security labels having organization-defined security label values with information in storage.
V-74567 Medium DB2 must utilize centralized management of the content captured in audit records generated by all components of DB2.
V-74569 Medium DB2 must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.
V-74479 Medium Unused database components, DBMS software, and database objects must be removed.
V-74475 Medium The role(s)/group(s) used to modify database structure (including but not necessarily limited to tables, indexes, storage, etc.) and logic modules (stored procedures, functions, triggers, links to software external to DB2, etc.) must be restricted to authorized users.
V-74477 Medium Default demonstration and sample databases, database objects, and applications must be removed.
V-74471 Medium Database software, including DBMS configuration files, must be stored in dedicated directories, separate from the host OS and other applications.
V-74619 Medium DB2 must generate audit records when unsuccessful attempts to access categorized information (e.g., classification levels/security levels) occur.
V-74599 Medium DB2 must only accept end entity certificates issued by DoD PKI or DoD-approved PKI Certification Authorities (CAs) for the establishment of all encrypted sessions.
V-74595 Medium DB2 must disable network functions, ports, protocols, and services deemed by the organization to be nonsecure, in accord with the Ports, Protocols, and Services Management (PPSM) guidance.
V-74593 Medium DB2 must produce audit records of its enforcement of access restrictions associated with changes to the configuration of DB2 or database(s).
V-74591 Medium DB2 and the operating system must enforce access restrictions associated with changes to the configuration of DB2 or database(s).
V-74449 Medium DB2 must include additional, more detailed, organization-defined information in the audit records for audit events identified by type, location, or subject.
V-74515 Medium DB2 must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.
V-74513 Medium DB2 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.
V-74511 Medium DB2 and associated applications must reserve the use of dynamic code execution for situations that require it.
V-74441 Medium DB2 must generate audit records when privileges/permissions are retrieved.
V-74443 Medium DB2 must generate audit records when unsuccessful attempts to retrieve privileges/permissions occur.
V-74445 Medium DB2 must initiate session auditing upon startup.
V-74601 Medium DB2 must implement cryptographic mechanisms to prevent unauthorized modification of organization-defined information at rest (to include, at a minimum, PII and classified information) on organization-defined information system components.
V-74457 Medium The audit information produced by DB2 must be protected from unauthorized deletion.
V-74455 Medium The audit information produced by DB2 must be protected from unauthorized modification.
V-74589 Medium DB2 must prohibit user installation of logic modules (stored procedures, functions, triggers, views, etc.) without explicit privileged status.
V-74451 Medium Unless it has been determined that availability is paramount, DB2 must, upon audit failure, cease all auditable activity.
V-74585 Medium DB2 must generate audit records showing starting and ending time for user access to the database(s).
V-74587 Medium DB2 must generate audit records when unsuccessful attempts to execute privileged activities or other system-level access occur.
V-74581 Medium DB2 must generate audit records when successful accesses to objects occur.
V-74583 Medium DB2 must generate audit records when concurrent logons/connections by the same user from different workstations occur.
V-74505 Medium Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.
V-74507 Medium Access to database files must be limited to relevant processes and to authorized, administrative users.
V-74501 Medium DB2 must protect the confidentiality and integrity of all information at rest.
V-74503 Medium DB2 must isolate security functions from non-security functions.
V-74615 Medium DB2 must generate audit records when unsuccessful attempts to access security objects occur.
V-74617 Medium DB2 must generate audit records when categorized information (e.g., classification levels/security levels) are accessed.
V-74509 Medium DB2 must check the validity of all data inputs except those specifically identified by the organization.
V-74613 Medium DB2 must generate audit records when security objects are accessed.
V-74609 Medium When invalid inputs are received, DB2 must behave in a predictable and documented manner that reflects organizational and system objectives.
V-74637 Medium DB2 must generate audit records when privileges/permissions are deleted.
V-74607 Medium DB2 must maintain the confidentiality and integrity of information during reception.
V-74635 Medium DB2 must generate audit records when unsuccessful attempts to modify categorized information (e.g., classification levels/security levels) occur.
V-74605 Medium DB2 must maintain the confidentiality and integrity of information during preparation for transmission.
V-74633 Medium DB2 must generate audit records when categorized information (e.g., classification levels/security levels) is modified.
V-74603 Medium DB2 must implement and/or support cryptographic mechanisms preventing the unauthorized disclosure of organization-defined information at rest on organization-defined information system components.
V-74429 Medium DB2 must limit the number of concurrent sessions to an organization-defined number per user for all accounts and/or account types.
V-74631 Medium DB2 must generate audit records when unsuccessful attempts to modify security objects occur.
V-74629 Medium DB2 must generate audit records when security objects are modified.
V-74447 Medium DB2 must produce audit records containing sufficient information to establish the outcome (success or failure) of the events.
V-74621 Medium DB2 must generate audit records when privileges/permissions are added.
V-74623 Medium DB2 must generate audit records when unsuccessful attempts to add privileges/permissions occur.
V-74625 Medium DB2 must generate audit records when privileges/permissions are modified.
V-74627 Medium DB2 must generate audit records when unsuccessful attempts to modify privileges/permissions occur.
V-74431 Medium DB2 must integrate with an organization-level authentication/access mechanism providing account management and automation for all users, groups, roles, and any other principals.
V-74433 Medium DB2 must enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
V-74435 Medium DB2 must protect against a user falsely repudiating having performed organization-defined actions.
V-74437 Medium DB2 must provide audit record generation capability for DoD-defined auditable events within all DBMS/database components.
V-74439 Medium DB2 must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited.
V-74639 Medium DB2 must generate audit records when unsuccessful attempts to delete privileges/permissions occur.
V-74643 Medium DB2 must generate audit records for all privileged activities or other system-level access.
V-74641 Medium DB2 must generate audit records when security objects are deleted.
V-74647 Medium DB2 must generate audit records when successful logons or connections occur.
V-74645 Medium DB2 must generate audit records when unsuccessful logons or connection attempts occur.
V-74649 Medium DB2 must generate audit records when unsuccessful attempts to delete security objects occur.
V-74485 Medium DB2 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.
V-74487 Medium If passwords are used for authentication, DB2 must transmit only encrypted representations of passwords.
V-74481 Medium Unused database components which are integrated in DB2 and cannot be uninstalled must be disabled.
V-74483 Medium Access to external executables must be disabled or restricted.
V-74473 Medium Database objects (including but not limited to tables, indexes, storage, stored procedures, functions, triggers, links to software external to DB2, etc.) must be owned by database/DBMS principals authorized for ownership.
V-74519 Medium DB2 must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.
V-74651 Medium DB2 must generate audit records when categorized information (e.g., classification levels/security levels) is deleted.
V-74653 Medium DB2 must generate audit records when unsuccessful attempts to delete categorized information (e.g., classification levels/security levels) occur.
V-74497 Medium DB2 must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.
V-74495 Medium DB2 must separate user functionality (including user interface services) from database management functionality.
V-74499 Medium In the event of a system failure, DB2 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.
V-74453 Medium The audit information produced by DB2 must be protected from unauthorized read access.
V-74575 Medium DB2 must off-load audit data to a separate log management facility; this must be continuous and in near real time for systems with a network connection to the storage facility and weekly or more often for stand-alone systems.
V-74577 Medium DB2 must generate audit records for all direct access to the database(s).
V-74571 Medium DB2 must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity.
V-74573 Medium DB2 must provide an immediate real-time alert to appropriate support staff of all audit failure events requiring real-time alerts.
V-74517 Medium DB2 must reveal detailed error messages only to the ISSO, ISSM, SA and DBA.
V-74579 Medium DB2 must generate audit records when unsuccessful accesses to objects occur.
V-74469 Medium The DB2 software installation account must be restricted to authorized users.
V-74467 Medium The OS must limit privileges to change the DB2 software resident within software libraries (including privileged programs).
V-74465 Medium DB2 must limit privileges to change software modules, to include stored procedures, functions and triggers, and links to software external to DB2.
V-74463 Medium DB2 must protect its audit features from unauthorized removal.
V-74461 Medium DB2 must protect its audit configuration from unauthorized modification.