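# (C) 2016 Tenable Network Security, Inc.
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security Inc.
#
# See the following licenses for details:
#
# http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.2 $
# $Date: Tue May 31 18:29:39 2016 -0400 $
#
# Description : This .audit is designed against the CIS Security Configuration
#               Benchmark For DB2 10.x for Linux, UNIX, and Windows
#               Version 1.0.0 December 29, 2015.
#
# NOTE : The audits contained in this document audit are for Level 1 items
#        of the CIS DB2 10.x Linux OS.
#
# Review notes that apply to every CMD_EXEC item below:
#   - The db2 binary path /opt/ibm/DB2/V10.5/bin/db2 is tied to one install
#     location and version; adjust it for the audited host.
#   - db2 output is piped through egrep/awk, so a db2 failure (binary missing,
#     not attached to the instance, permission error) surfaces only as empty
#     filtered output, never as a non-zero pipeline status. For items whose
#     expect is a non-empty pattern an empty result is a failed item (safe);
#     for item 9.4, whose expect is "", an empty result presumably counts as a
#     pass, so that item is fail-open when db2 cannot run -- verify on a host
#     without DB2 before relying on it.
#
# Changes in this revision:
#   - 1.4: the account name "dausr1" in regex/expect was a typo for "dasusr1"
#     (the name the info text lists); all expect alternatives now share the
#     same "^[^#]*" anchor.
#   - 3.1.7 and 3.1.13: expect "^[3|4]$" is a character class that also accepts
#     a literal "|"; it is now "^[34]$".
#
#CIS v1.0.0 IBM DB2 v10 Linux OS Level 1

# 1.2 - intended to pass only when each catalogued node's Hostname field is a
# dotted IPv4 literal. An IPv6 literal fails the pattern as well as a hostname,
# and an instance with no catalogued nodes yields empty output.
type : CMD_EXEC
description : "1.2 Use IP address rather than hostname"
info : "Use an IP address rather than a hostname to connect to the host of the DB2 instance."
solution : "1. Drop all existing nodes 2. Recreate node directory using IP addresses and not hostnames"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|CM-6,800-171|3.4.2,CSF|PR.IP-1,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 list node directory show detail | /bin/egrep 'Hostname' | /bin/awk -F'= ' '{ print $2 }'"
expect : "^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$"

# 1.4 - FILE_CONTENT_CHECK_NOT: the item fails when one of the default DB2
# account names is present in /etc/passwd. The alternatives are substring
# matches (no field delimiter), so a name such as db2inst10 also trips the
# item; that is the conservative direction for a NOT check and is left as-is.
type : FILE_CONTENT_CHECK_NOT
description : "1.4 Use non-default account names"
info : "The DB2 service is installed with default accounts with well-known names such as db2admin, db2inst1, dasusr1, or db2fenc1. It is recommended that the use of these account names be avoided. The default accounts may be renamed and then used."
solution : "For each account with a default name, either change the name to a name that is not well-known or delete the account if it is not needed."
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-2,800-171|3.1.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,LEVEL|1S"
file : "/etc/passwd"
regex : "db2admin|db2inst1|dasusr1|db2fenc1"
expect : "^[^#]*db2admin|^[^#]*db2inst1|^[^#]*dasusr1|^[^#]*db2fenc1"

# 3.1.1 - expect accepts any value of four or more digits not starting with 0,
# i.e. 1000 and above.
type : CMD_EXEC
description : "3.1.1 Enable audit buffer"
info : "DB2 can be configured to use an audit buffer. It is recommended that the audit buffer size be set to at least 1000."
solution : "Perform the following to establish an audit buffer- 1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using audit_buf_sz 1000"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AU-4,CSF|PR.DS-4,CSF|PR.PT-1,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 get database manager configuration | /bin/egrep '\\(AUDIT_BUF_SZ\\)' | /bin/awk -F'= ' '{ print $2 }'"
expect : "^[1-9][0-9][0-9][0-9]+$"

# 3.1.2 - NOTE(review): if srvcon_auth is set (item 3.1.14 requires SERVER),
# it presumably governs incoming connections in place of authentication, so
# satisfying both items may leave DATA_ENCRYPT unused for incoming connections.
# Confirm against the DB2 documentation before remediating both.
type : CMD_EXEC
description : "3.1.2 Encrypt user data across the network"
info : "DB2 supports a number of authentication mechanisms. It is recommended that the DATA_ENCRYPT authentication mechanism be used."
solution : "Suggested value is DATA_ENCRYPT so that authentication occurs at the server. 1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using authentication data_encrypt"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 get database manager configuration | /bin/egrep '\\(AUTHENTICATION\\)' | /bin/awk -F'= ' '{ print $2 }'"
expect : "^DATA_ENCRYPT$"

# 3.1.3 - catalog_noauth must be NO so that cataloging requires SYSADM.
type : CMD_EXEC
description : "3.1.3 Require explicit authorization for cataloging"
info : "DB2 can be configured to allow users that do not possess the SYSADM authority to catalog and uncatalog databases and nodes. It is recommended that the catalog_noauth parameter be set to NO."
solution : "Perform the following to require explicit authorization to catalog and uncatalog databases and nodes. 1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using catalog_noauth no"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 get database manager configuration | /bin/egrep '\\(CATALOG_NOAUTH\\)' | /bin/awk -F'= ' '{ print $2 }'"
expect : "^NO$"

# 3.1.7 - "at least 3": diaglevel 3 or 4 passes. The earlier "^[3|4]$" also
# matched a bare "|" because "|" inside a character class is a literal.
type : CMD_EXEC
description : "3.1.7 Set diagnostic logging to capture errors and warnings"
info : "The diaglevel parameter specifies the type of diagnostic errors that will be recorded in the db2diag.log file. It is recommended that the diaglevel parameter be set to at least 3."
solution : "1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using diaglevel 3"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 get database manager configuration | /bin/egrep '\\(DIAGLEVEL\\)' | /bin/awk -F'= ' '{ print $2 }'"
expect : "^[34]$"

# 3.1.9 - the egrep pattern ends in "\)" so "(DISCOVER_INST)" is not picked up
# here; that parameter is checked separately in 3.1.10.
type : CMD_EXEC
description : "3.1.9 Require instance name for discovery requests"
info : "The discover parameter determines what kind of discovery requests, if any, the DB2 server will fulfill. It is recommended that the DB2 server only fulfill requests from clients that know the given instance name (discover parameter value of known)."
solution : "The recommended value is KNOWN. Note- this requires a DB2 restart. 1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using discover known 3. Restart the DB2 instance. db2 => db2stop db2 => db2start Impact- It is important to be aware that the implementation of this recommendation results in a brief downtime. It is advisable to ensure that the setting is implemented during an approved maintenance window."
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|CM-6,800-171|3.4.2,CSF|PR.IP-1,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 get database manager configuration | /bin/egrep '\\(DISCOVER\\)' | /bin/awk -F'= ' '{ print $2 }'"
expect : "^KNOWN$"

# 3.1.10 - instance must not be discoverable on the network.
type : CMD_EXEC
description : "3.1.10 Disable instance discoverability"
info : "The discover_inst parameter specifies whether the instance can be discovered in the network. It is recommended that instances not be discoverable."
solution : "1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using discover_inst disable"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|SC-30,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 get database manager configuration | /bin/egrep '\\(DISCOVER_INST\\)' | /bin/awk -F'= ' '{ print $2 }'"
expect : "^DISABLE$"

# 3.1.11 - fed_noauth must be NO so federated authentication is not bypassed.
type : CMD_EXEC
description : "3.1.11 Authenticate federated users at the instance level"
info : "The fed_noauth parameter determines whether federated authentication will be bypassed at the instance. It is recommended that this parameter be set to no."
solution : "1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using fed_noauth no"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AC-3,800-171|3.1.1,CSF|PR.AC-4,CSF|PR.PT-3,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 get database manager configuration | /bin/egrep '\\(FED_NOAUTH\\)' | /bin/awk -F'= ' '{ print $2 }'"
expect : "^NO$"

# 3.1.13 - "greater than or equal to 3": notifylevel 3 or 4 passes. Same
# character-class fix as 3.1.7 ("^[3|4]$" -> "^[34]$").
type : CMD_EXEC
description : "3.1.13 Set administrative notification level"
info : "The notifylevel parameter specifies the type of administration notification messages that are written to the administration notification log. It is recommended that this parameter be set greater than or equal to 3. A setting of 3, which includes settings 1 & 2, will log all fatal errors, failing services, system integrity, as well as system health."
solution : "1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using notifylevel 3 Default Value - The default value of notifylevel is 3."
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 get database manager configuration | /bin/egrep '\\(NOTIFYLEVEL\\) =' | /bin/awk -F'= ' '{ print $2 }'"
expect : "^[34]$"

# 3.1.14 - the expect is stricter than the info text: the info only rules out
# CLIENT, but only the exact value SERVER passes here (the solution's
# recommended value). Any other non-CLIENT setting is reported as a failure,
# which is the conservative direction and is left as-is.
type : CMD_EXEC
description : "3.1.14 Enable server-based authentication"
info : "The srvcon_auth parameter specifies how and where authentication is to take place for incoming connections to the server. It is recommended that this parameter is not set to CLIENT."
solution : "The recommended value is SERVER. Note- this will require a DB2 restart. 1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using srvcon_auth server 3. Restart the DB2 instance. db2 => db2stop db2 => db2start Impact - It is important to be aware that the implementation of this recommendation results in a brief downtime. It is advisable to ensure that the setting is implemented during an approved maintenance window."
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|IA-2,800-171|3.5.1,CSF|PR.AC-1,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 get database manager configuration | /bin/egrep '\\(SRVCON_AUTH\\) =' | /bin/awk -F'= ' '{ print $2 }'"
expect : "^SERVER$"

# 9.4 - passes when no "Database name" entry containing SAMPLE is listed. The
# egrep pattern is unanchored, so any database whose name contains SAMPLE
# (not only the SAMPLE database itself) fails the item. Because the expected
# output is empty, this item cannot distinguish "no SAMPLE database" from
# "db2 did not run"; see the header note on the fail-open behaviour.
type : CMD_EXEC
description : "9.4 Remove Default Databases"
info : "A DB2 instance may come installed with default databases. It is recommended that the SAMPLE database be removed."
solution : "Drop unused sample databases- 1. Connect to the DB2 instance. 2. Run the following command from the DB2 command window- db2 => drop database sample"
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf"
reference : "800-53|CM-7,800-171|3.4.6,800-171|3.4.7,CSF|PR.IP-1,CSF|PR.PT-3,LEVEL|1S"
cmd : "/opt/ibm/DB2/V10.5/bin/db2 list database directory | /bin/egrep 'Database name.*SAMPLE' | /bin/awk -F'= ' '{ print $2 }'"
expect : ""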