# (C) 2016 Tenable Network Security, Inc. # # This script is released under the Tenable Subscription License and # may not be used from within scripts released under another license # without authorization from Tenable Network Security Inc. # # See the following licenses for details: # # http://static.tenable.com/prod_docs/Nessus_6_SLA_and_Subscription_Agreement.pdf # # @PROFESSIONALFEED@ # # $Revision: 1.2 $ # $Date: Tue May 31 18:29:39 2016 -0400 $ # # Description : This .audit is designed against the CIS Security Configuration # Benchmark For DB2 10.x for Linux, UNIX, and Windows # Version 1.0.0 December 29, 2015. # # NOTE : The audits contained in this document are for Level 1 items # of the CIS DB2 10.x Windows OS benchmark. # # # #CIS v1.0.0 IBM DB2 v10 Windows OS Level 1 # # CIS # IBM DB2 10 Windows OS Level 1 # 1.0.0 # https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf # #database,cis,ibm,db2 # # #DB2_DATABASE #SAMPLE #DB2 Database to be scanned #The DB2 database being scanned. # # #DB2_CONTAINER_DIR #C:\DB2\NODE0000\ #DB2 Container Directory #The container directory for the DB2 database being scanned. # # #DB2_SQLDB_DIR #C:\DB2\NODE0000\SQLDBDIR #DB2 SQLDB Directory #The SQLLIB directory for the DB2 database being scanned. # # #DB2_USER #db2admin #DB2 User #The unique DB2 account for the database. # # #DB2_DIAGPATH #C:\ProgramData\IBM\DB2\DB2COPY1\db2dump #DB2 diagnostic log directory #The full path for the DB2 diagnostic log directory. # # #DB2_LOGARCHMETH1 #C:\DB2\NODE0000\SQL00001\LOGSTREAM0000\ #DB2 Log Archive Method 1 #The full path for the DB2 primary log archive method 1. # # #DB2_LOGARCHMETH2 #C:\DB2\NODE0000\SQL00001\LOGSTREAM0000\ #DB2 Log Archive Method 2 #The full path for the DB2 secondary log archive method 2. # # #DB2_FAILARCHPATH #C:\PATH\TO\FAILARCHPATH #DB2 Log Archive Failure Method #The full path for the DB2 archive log failure method. 
# # #DB2_MIRRORLOGPATH #C:\PATH\TO\DB2MIRRORLOGS #DB2 Mirror Log Path #The full path for the DB2 mirror logs. # # #DB2_IBMLDAP_SECURITY_FILE #C:\Program Files\IBM\SQLLIB\cfg\IBMLDAPSecurity.ini #DB2 LDAP Security File #The full path to the DB2 LDAP security file. # # #DB2_SSLCONFIG_FILE #C:\Program Files\IBM\SQLLIB\cfg\SSLconfig.ini #DB2 SSL Config File #The full path to the DB2 SSL Config file. # # # type : AUDIT_POWERSHELL description : "1.2 Use IP address rather than hostname" info : "Use an IP address rather than a hostname to connect to the host of the DB2 instance." solution : "1. Drop all existing nodes 2. Recreate node directory using IP addresses and not hostnames" see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|CM-6,800-171|3.4.2,CSF|PR.IP-1,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 list node directory show detail} | Select-String 'Hostname'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : "^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$" check_type : CHECK_REGEX type : AUDIT_POWERSHELL description : "1.4 Use non-default account names" info : "The DB2 service is installed with default accounts with well-known names such as db2admin, db2inst1, dasusr1, or db2fenc1. It is recommended that the use of these account names be avoided. The default accounts may be renamed and then used." solution : "For each account with a default name, either change the name to a name that is not well-known or delete the account if it is not needed." 
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|AC-2,800-171|3.1.1,CSF|DE.CM-1,CSF|DE.CM-3,CSF|PR.AC-1,CSF|PR.AC-4,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "Get-WmiObject -Class Win32_UserAccount | Where-Object {$_.LocalAccount -match 'True'} | Select-Object Caption | Where {$_.caption -like '*db2admin' -or $_.caption -like '*db2inst1' -or $_.caption -like '*dasusr1' -or $_.caption -like '*db2fenc1'} | Format-List" value_data : "" type : AUDIT_POWERSHELL description : "3.1.1 Enable audit buffer" info : "DB2 can be configured to use an audit buffer. It is recommended that the audit buffer size be set to at least 1000." solution : "Perform the following to establish an audit buffer- 1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using audit_buf_sz 1000" see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|AU-4,CSF|PR.DS-4,CSF|PR.PT-1,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 get database manager configuration} | Select-String '\(AUDIT_BUF_SZ\)'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : "^[1-9][0-9][0-9][0-9]+$" check_type : CHECK_REGEX type : AUDIT_POWERSHELL description : "3.1.2 Encrypt user data across the network" info : "DB2 supports a number of authentication mechanisms. It is recommended that the DATA_ENCRYPT authentication mechanism be used." solution : "Suggested value is DATA_ENCRYPT so that authentication occurs at the server. 1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. 
Run the following command from the DB2 command window- db2 => update database manager configuration using authentication data_encrypt" see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|SC-8,800-171|3.13.8,CSF|PR.DS-2,CSF|PR.DS-5,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 get database manager configuration} | Select-String '\(AUTHENTICATION\)'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : "^DATA_ENCRYPT$" check_type : CHECK_REGEX type : AUDIT_POWERSHELL description : "3.1.3 Require explicit authorization for cataloging" info : "DB2 can be configured to allow users that do not possess the SYSADM authority to catalog and uncatalog databases and nodes. It is recommended that the catalog_noauth parameter be set to NO." solution : "Perform the following to require explicit authorization to catalog and uncatalog databases and nodes. 1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using catalog_noauth no" see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|AC-6,800-171|3.1.5,CSF|PR.AC-4,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 get database manager configuration} | Select-String '\(CATALOG_NOAUTH\)'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : "^NO$" check_type : CHECK_REGEX type : AUDIT_POWERSHELL description : "3.1.7 Set diagnostic logging to capture errors and warnings" info : "The diaglevel parameter specifies the type of diagnostic errors that will be recorded in the db2diag.log file. It is recommended that the diaglevel parameter be set to at least 3." solution : "1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. 
Run the following command from the DB2 command window- db2 => update database manager configuration using diaglevel 3" see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 get database manager configuration} | Select-String '\(DIAGLEVEL\)'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : "^[3|4]$" check_type : CHECK_REGEX type : AUDIT_POWERSHELL description : "3.1.9 Require instance name for discovery requests" info : "The discover parameter determines what kind of discovery requests, if any, the DB2 server will fulfill. It is recommended that the DB2 server only fulfill requests from clients that know the given instance name (discover parameter value of known)." solution : "The recommended value is KNOWN. Note- this requires a DB2 restart. 1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using discover known 3. Restart the DB2 instance. db2 => db2stop db2 => db2start Impact- It is important to be aware that the implementation of this recommendation results in a brief downtime. It is advisable to ensure that the setting is implemented during an approved maintenance window." 
see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|CM-6,800-171|3.4.2,CSF|PR.IP-1,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 get database manager configuration} | Select-String '\(DISCOVER\)'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : "^KNOWN$" check_type : CHECK_REGEX type : AUDIT_POWERSHELL description : "3.1.10 Disable instance discoverability" info : "The discover_inst parameter specifies whether the instance can be discovered in the network. It is recommended that instances not be discoverable." solution : "1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using discover_inst disable" see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|CM-7,800-171|3.4.6,800-171|3.4.7,CSF|PR.IP-1,CSF|PR.PT-3,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 get database manager configuration} | Select-String '\(DISCOVER_INST\)'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : "^DISABLE$" check_type : CHECK_REGEX type : AUDIT_POWERSHELL description : "3.1.11 Authenticate federated users at the instance level" info : "The fed_noauth parameter determines whether federated authentication will be bypassed at the instance. It is recommended that this parameter be set to no." solution : "1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. 
Run the following command from the DB2 command window- db2 => update database manager configuration using fed_noauth no" see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|AC-3,800-171|3.1.1,CSF|PR.AC-4,CSF|PR.PT-3,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 get database manager configuration} | Select-String '\(FED_NOAUTH\)'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : "^NO$" check_type : CHECK_REGEX type : AUDIT_POWERSHELL description : "3.1.13 Set administrative notification level" info : "The notifylevel parameter specifies the type of administration notification messages that are written to the administration notification log. It is recommended that this parameter be set greater than or equal to 3. A setting of 3, which includes settings 1 & 2, will log all fatal errors, failing services, system integrity, as well as system health." solution : "1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using notifylevel 3 Default Value - The default value of notifylevel is 3." see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|AU-12,800-171|3.3.1,800-171|3.3.2,CSF|DE.CM-1,CSF|DE.CM-3,CSF|DE.CM-7,CSF|PR.PT-1,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 get database manager configuration} | Select-String '\(NOTIFYLEVEL\)'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : "^[3|4]$" check_type : CHECK_REGEX type : AUDIT_POWERSHELL description : "3.1.14 Enable server-based authentication" info : "The srvcon_auth parameter specifies how and where authentication is to take place for incoming connections to the server. 
It is recommended that this parameter is not set to CLIENT." solution : "The recommended value is SERVER. Note- this will require a DB2 restart. 1. Attach to the DB2 instance db2 => attach to $DB2INSTANCE 2. Run the following command from the DB2 command window- db2 => update database manager configuration using srvcon_auth server 3. Restart the DB2 instance. db2 => db2stop db2 => db2start Impact - It is important to be aware that the implementation of this recommendation results in a brief downtime. It is advisable to ensure that the setting is implemented during an approved maintenance window." see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|IA-2,800-171|3.5.1,CSF|PR.AC-1,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 get database manager configuration} | Select-String '\(SRVCON_AUTH\)'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : "^SERVER$" check_type : CHECK_REGEX type : AUDIT_POWERSHELL description : "9.4 Remove Default Databases" info : "A DB2 instance may come installed with default databases. It is recommended that the SAMPLE database be removed." solution : "Drop unused sample databases- 1. Connect to the DB2 instance. 2. Run the following command from the DB2 command window- db2 => drop database sample" see_also : "https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_10_Benchmark_v1.0.0.pdf" reference : "800-53|CM-7,800-171|3.4.6,800-171|3.4.7,CSF|PR.IP-1,CSF|PR.PT-3,LEVEL|1S" value_type : POLICY_TEXT powershell_args : "set-item -path env:DB2CLP -value '**$$**' | Invoke-Command -ScriptBlock {db2 list database directory} | Select-String 'Database name.*SAMPLE'| %{$_ -split('= ')} | Select-Object -Last 1" value_data : ""