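# (C) 2012 Tenable Network Security
#
# This script is released under the Tenable Subscription License and
# may not be used from within scripts released under another license
# without authorization from Tenable Network Security Inc.
#
# See the following licenses for details:
#
# http://cgi.tenablesecurity.com/Nessus_4_SLA_and_Subscription_Agreement.pdf
# http://cgi.tenablesecurity.com/Subscription_Agreement.pdf
#
# @PROFESSIONALFEED@
#
# $Revision: 1.2 $
# $Date: 2012/03/28 19:56:05 $
#
# Description : This .audit is designed against the CIS Security Configuration
# Benchmark For DB2 8,9 & 9.5 for Linux, UNIX Version 1.2.0 December 31, 2011.
#
# NOTE : The original header described every item here as Level 1, but the
# per-item "info" labels mark section 1 as "Level 1" and sections 3 and 8 as
# "Level 2". The labels are kept exactly as written; reconcile them against
# the benchmark PDF before relying on this file to assert a CIS level.
#
# NOTE(review) : Prerequisites that apply to every CMD_EXEC item below.
#   - The DB2 install path /opt/ibm/DB2/V9.5 is hard-coded in each "cmd" and
#     was edited by hand (see the "Changed '' to 9.5" note on each item). It
#     must match the scanned host's real installation or every item fails
#     with "command not found" rather than reporting the actual setting.
#   - The db2 CLP is invoked directly; nothing sources the instance's
#     sqllib/db2profile. The scan account therefore needs a working DB2
#     instance environment (for example, scanning as the instance owner), or
#     the "get ... configuration" commands will typically fail to initialize
#     and all items report as failed for the wrong reason.
#   - Every "expect" line uses explicit [Aa]-style classes and a trailing
#     " *$" so a value with trailing junk (e.g. "NO_SUCH", "31") cannot pass.
#   - The <check_type:"Unix"> / <custom_item> wrappers required by the .audit
#     format do not appear in this listing and must be present in the
#     deployed file.
#
#
# ## 1. Installation and Patches
#

# 1.0.2 - The original expect pattern spelled "Server" as "Sevrer"
# ([Ss][Ee][Vv][Rr][Ee][Rr]) and so could never match the CLP output line
# "Name of the DB2 Server System (DB2SYSTEM) = <value>": the item always
# failed. Corrected here. The whitespace group and the trailing " *$" anchor
# are brought in line with every other item in this file; without the anchor
# a value such as "10.1.1.1.corp.example" or "1.2.3.4567" passed on its IPv4
# prefix. Only dotted IPv4 literals pass; an IPv6 literal is reported as
# non-compliant exactly like a hostname would be.
type : CMD_EXEC
description : "1.0.2 Use IP address rather than hostname - 'db2system = IP'"
info : "Use an IP address rather than a hostname to connect to the host of the DB2 instance."
info : "Level 1, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get admin configuration | /bin/egrep -i '\\(db2system\\)'"
expect : "^ *[Nn][Aa][Mm][Ee] [Oo][Ff] [Tt][Hh][Ee] [Dd][Bb]2 [Ss][Ee][Rr][Vv][Ee][Rr] [Ss][Yy][Ss][Tt][Ee][Mm](([\s\t])*)\([Dd][Bb]2[Ss][Yy][Ss][Tt][Ee][Mm]\) *= *([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5]) *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 10."

# 1.0.4 - The four items below only test that nothing under the install tree
# is owned by the default account/group pair; they do not test whether the
# account exists. On an installation whose product tree is root-owned and
# whose instance lives under the instance owner's home directory, they pass
# even though db2inst1 etc. are in active use. A FILE_CONTENT_CHECK_NOT on
# /etc/passwd for "^db2admin:" (and the other three names) is the
# complementary account-existence test; it is not added here because it
# changes what the audit asserts - add it deliberately if that is wanted.
type : FILE_CHECK_NOT
description : "1.0.4 Use non-standard account names - '!= db2admin'"
info : "The DB2 service is installed with default, well-known accounts such as db2admin, db2inst1, dasusr1, or db2fenc1."
info : "It is recommended that the use of these accounts be avoided."
info : "Level 1, Scorable, 8,9,9.5"
file : "/opt/ibm/DB2/V9.5/*"
owner : "db2admin"
group : "db2admin"
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 12."

type : FILE_CHECK_NOT
description : "1.0.4 Use non-standard account names - '!= db2inst1'"
info : "The DB2 service is installed with default, well-known accounts such as db2admin, db2inst1, dasusr1, or db2fenc1."
info : "It is recommended that the use of these accounts be avoided."
info : "Level 1, Scorable, 8,9,9.5"
file : "/opt/ibm/DB2/V9.5/*"
owner : "db2inst1"
group : "db2inst1"
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 12."

type : FILE_CHECK_NOT
description : "1.0.4 Use non-standard account names - '!= dasusr1'"
info : "The DB2 service is installed with default, well-known accounts such as db2admin, db2inst1, dasusr1, or db2fenc1."
info : "It is recommended that the use of these accounts be avoided."
info : "Level 1, Scorable, 8,9,9.5"
file : "/opt/ibm/DB2/V9.5/*"
owner : "dasusr1"
group : "dasusr1"
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 12."

type : FILE_CHECK_NOT
description : "1.0.4 Use non-standard account names - '!= db2fenc1'"
info : "The DB2 service is installed with default, well-known accounts such as db2admin, db2inst1, dasusr1, or db2fenc1."
info : "It is recommended that the use of these accounts be avoided."
info : "Level 1, Scorable, 8,9,9.5"
file : "/opt/ibm/DB2/V9.5/*"
owner : "db2fenc1"
group : "db2fenc1"
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 12."

#
# ## 3. DB2 Configurations
#
#
# ## 3.1 DB2 Instance Parameter Settings

# 3.1.1 - The expect pattern accepts 1000..65535, i.e. "at least 1000" as the
# info text says; the original description read "<= 1000", which inverted the
# requirement in the report. A value of 0 (auditing disabled, the product
# default) correctly fails.
type : CMD_EXEC
description : "3.1.1 Enable audit buffer - 'audit_buf_sz >= 1000'"
info : "DB2 can be configured to use an audit buffer."
info : "It is recommended that the audit buffer size be set to at least 1000."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get database manager configuration | /bin/egrep -i '\\(audit_buf_sz\\)'"
expect : "^ *[Aa][Uu][Dd][Ii][Tt] [Bb][Uu][Ff][Ff][Ee][Rr] [Ss][Ii][Zz][Ee] \(4[Kk][Bb]\)(([\s\t])*)\([Aa][Uu][Dd][Ii][Tt]_[Bb][Uu][Ff]_[Ss][Zz]\) *= *([1-9][0-9]{3}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5]) *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 14."

# 3.1.2 - Only the exact value DATA_ENCRYPT passes. DATA_ENCRYPT_CMP (which
# lets older clients fall back to an unencrypted data stream) and the
# SERVER/SERVER_ENCRYPT modes are reported as non-compliant, which is what the
# benchmark asks for. NOTE(review): DB2's built-in DATA_ENCRYPT stream cipher
# on these releases is a legacy algorithm - confirm against IBM's notes for
# the release in use and prefer TLS (SSL_SVR_*) where the release supports it.
type : CMD_EXEC
description : "3.1.2 Encrypt user data across the network - 'authentication = Data_Encrypt'"
info : "DB2 supports a number of authentication mechanisms."
info : "It is recommended that the DATA_ENCRYPT authentication mechanism be used."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get database manager configuration | /bin/egrep -i '\\(authentication\\)'"
expect : "^ *[Dd][Aa][Tt][Aa][Bb][Aa][Ss][Ee] [Mm][Aa][Nn][Aa][Gg][Ee][Rr] [Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn](([\s\t])*)\([Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn]\) *= *[Dd][Aa][Tt][Aa]_[Ee][Nn][Cc][Rr][Yy][Pp][Tt] *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 15."

# 3.1.3 - CATALOG_NOAUTH = YES lets any local user catalog/uncatalog
# databases and nodes; only NO passes.
type : CMD_EXEC
description : "3.1.3 Require explicit authorization for cataloging - 'catalog_noauth = no'"
info : "DB2 can be configured to allow users that do not possess the SYSADM authority to catalog and uncatalog databases and nodes."
info : "It is recommended that the SYSADM authority be required to catalog and uncatalog databases and nodes."
info : "It is recommended that the catalog_noauth parameter be set to NO."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get database manager configuration | /bin/egrep -i '\\(catalog_noauth\\)'"
expect : "^ *[Cc][Aa][Tt][Aa][Ll][Oo][Gg][Ii][Nn][Gg] [Aa][Ll][Ll][Oo][Ww][Ee][Dd] [Ww][Ii][Tt][Hh][Oo][Uu][Tt] [Aa][Uu][Tt][Hh][Oo][Rr][Ii][Tt][Yy](([\s\t])*)\([Cc][Aa][Tt][Aa][Ll][Oo][Gg]_[Nn][Oo][Aa][Uu][Tt][Hh]\) *= *[Nn][Oo] *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 16."

# 3.1.7 - Accepts exactly 3 or 4 (the " *$" anchor rejects e.g. "31").
type : CMD_EXEC
description : "3.1.7 Set diagnostic logging to capture errors and warnings - 'diaglevel = 3 or 4'"
info : "The diaglevel parameter specifies the type of diagnostic errors that will be recorded in the db2diag.log file."
info : "It is recommended that the diaglevel parameter be set to at least 3."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get database manager configuration | /bin/egrep -i '\\(diaglevel\\)'"
expect : "^ *[Dd][Ii][Aa][Gg][Nn][Oo][Ss][Tt][Ii][Cc] [Ee][Rr][Rr][Oo][Rr] [Cc][Aa][Pp][Tt][Uu][Rr][Ee] [Ll][Ee][Vv][Ee][Ll](([\s\t])*)\([Dd][Ii][Aa][Gg][Ll][Ee][Vv][Ee][Ll]\) *= *(3|4) *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 20."

# 3.1.9 - The egrep filter "\(discover\)" matches only the literal
# "(DISCOVER)" token, so the DISCOVER_INST line is not picked up here (it has
# its own item, 3.1.10). Only KNOWN passes; SEARCH and DISABLE fail, the
# latter because the benchmark item asks for KNOWN specifically.
type : CMD_EXEC
description : "3.1.9 Require instance name for discovery requests - 'discover = known'"
info : "The discover parameter determines what kind of discovery requests, if any, the DB2 server will fulfill."
info : "It is recommended that the DB2 server only fulfill requests from clients that know the given instance name."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get database manager configuration | /bin/egrep -i '\\(discover\\)'"
expect : "^ *[Dd][Ii][Ss][Cc][Oo][Vv][Ee][Rr][Yy] [Mm][Oo][Dd][Ee](([\s\t])*)\([Dd][Ii][Ss][Cc][Oo][Vv][Ee][Rr]\) *= *[Kk][Nn][Oo][Ww][Nn] *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 22."

# 3.1.10 - Instance must not answer network discovery; only DISABLE passes.
type : CMD_EXEC
description : "3.1.10 Disable instance discoverability - 'discover_inst = disable'"
info : "The discover_inst parameter specifies whether the instance can be discovered in the network."
info : "It is recommended that instances be undiscoverable."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get database manager configuration | /bin/egrep -i '\\(discover_inst\\)'"
expect : "^ *[Dd][Ii][Ss][Cc][Oo][Vv][Ee][Rr] [Ss][Ee][Rr][Vv][Ee][Rr] [Ii][Nn][Ss][Tt][Aa][Nn][Cc][Ee](([\s\t])*)\([Dd][Ii][Ss][Cc][Oo][Vv][Ee][Rr]_[Ii][Nn][Ss][Tt]\) *= *[Dd][Ii][Ss][Aa][Bb][Ll][Ee] *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 23."

# 3.1.11 - FED_NOAUTH = YES would let federated connections skip
# authentication at this instance; only NO passes.
type : CMD_EXEC
description : "3.1.11 Authenticate federated users at the instance level - 'fed_noauth = no'"
info : "The fed_noauth parameter determines whether federated authentication will be bypassed at the instance."
info : "It is recommended that this parameter be set to no."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get database manager configuration | /bin/egrep -i '\\(fed_noauth\\)'"
expect : "^ *[Bb][Yy][Pp][Aa][Ss][Ss] [Ff][Ee][Dd][Ee][Rr][Aa][Tt][Ee][Dd] [Aa][Uu][Tt][Hh][Ee][Nn][Tt][Ii][Cc][Aa][Tt][Ii][Oo][Nn](([\s\t])*)\([Ff][Ee][Dd]_[Nn][Oo][Aa][Uu][Tt][Hh]\) *= *[Nn][Oo] *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 24."

# 3.1.12 - Health monitor must be ON.
type : CMD_EXEC
description : "3.1.12 Enable instance health monitoring - 'health_mon = on'"
info : "The health_mon parameter allows you to specify whether you want to monitor the instance, the databases, and"
info : " the corresponding database objects."
info : "It is recommended that health_mon be set to on."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get database manager configuration | /bin/egrep -i '\\(health_mon\\)'"
expect : "^ *[Mm][Oo][Nn][Ii][Tt][Oo][Rr] [Hh][Ee][Aa][Ll][Tt][Hh] [Oo][Ff] [Ii][Nn][Ss][Tt][Aa][Nn][Cc][Ee] [Aa][Nn][Dd] [Dd][Aa][Tt][Aa][Bb][Aa][Ss][Ee][Ss](([\s\t])*)\([Hh][Ee][Aa][Ll][Tt][Hh]_[Mm][Oo][Nn]\) *= *[Oo][Nn] *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 25."

# 3.1.13 - KEEPFENCED = YES keeps a fenced-mode process alive between calls
# so state can leak from one external routine invocation to the next; only
# NO passes.
type : CMD_EXEC
description : "3.1.13 Retain fenced model processes - 'keepfenced = no'"
info : "The keepfenced parameter indicates whether or not an external user-defined functions or stored procedures will reuse"
info : "DB2 process after each subsequent call."
info : "It is recommended that this parameter be set to NO."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get database manager configuration | /bin/egrep -i '\\(keepfenced\\)'"
expect : "^ *[Kk][Ee][Ee][Pp] [Ff][Ee][Nn][Cc][Ee][Dd] [Pp][Rr][Oo][Cc][Ee][Ss][Ss](([\s\t])*)\([Kk][Ee][Ee][Pp][Ff][Ee][Nn][Cc][Ee][Dd]\) *= *[Nn][Oo] *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 26."

# 3.1.15 - Accepts exactly 3 or 4, like 3.1.7.
type : CMD_EXEC
description : "3.1.15 Set administrative notification level - 'notifylevel = 3 or 4'"
info : "The notifylevel parameter specifies the type of administration notification messages that are written to the"
info : "administration notification log."
info : "It is recommended this parameter be set to 3."
info : "A setting of 3 will log all fatal errors, failing services, system integrity, as well as system health."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get database manager configuration | /bin/egrep -i '\\(notifylevel\\)'"
expect : "^ *[Nn][Oo][Tt][Ii][Ff][Yy] [Ll][Ee][Vv][Ee][Ll](([\s\t])*)\([Nn][Oo][Tt][Ii][Ff][Yy][Ll][Ee][Vv][Ee][Ll]\) *= *(3|4) *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 29."

#
# ## 3.3 Database Administration Server Settings

# 3.3.3 - DAS discovery; only DISABLE passes (contrast 3.1.9, where the
# instance-level parameter of the same name must be KNOWN).
type : CMD_EXEC
description : "3.3.3 Disable DAS discoverability - 'discover = disable'"
info : "The discover parameter specifies the discovery mode for the DB2 Administration Server."
info : "It is recommended that this parameter be set to DISABLE."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get admin configuration | /bin/egrep -i '\\(discover\\)'"
expect : "^ *[Dd][Aa][Ss] [Dd][Ii][Ss][Cc][Oo][Vv][Ee][Rr][Yy] [Mm][Oo][Dd][Ee](([\s\t])*)\([Dd][Ii][Ss][Cc][Oo][Vv][Ee][Rr]\) *= *[Dd][Ii][Ss][Aa][Bb][Ll][Ee] *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 44."

# 3.3.4 - Only NO passes. ("taks" in the original info text corrected.)
type : CMD_EXEC
description : "3.3.4 Do not execute expired tasks - 'exec_exp_task = no'"
info : "The exec_exp_task parameter controls whether the DB2 Scheduler will initialize past tasks that were scheduled but not yet executed."
info : "It is recommended that this parameter be set to NO."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get admin configuration | /bin/egrep -i '\\(exec_exp_task\\)'"
expect : "^ *[Ee][Xx][Ee][Cc][Uu][Tt][Ee] [Ee][Xx][Pp][Ii][Rr][Ee][Dd] [Tt][Aa][Ss][Kk][Ss](([\s\t])*)\([Ee][Xx][Ee][Cc]_[Ee][Xx][Pp]_[Tt][Aa][Ss][Kk]\) *= *[Nn][Oo] *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 45."

# 3.3.5 / 3.3.6 - Manual-review items: the empty "expect" is used here to
# surface the configured JDK path in the report rather than to assert a
# value. Nothing in this file verifies the JDK version or the ownership /
# permissions of that directory; a FILE_CHECK on the reported path is the
# natural follow-up once the path is known for the target.
type : CMD_EXEC
description : "3.3.5 Secure the JDK runtime library - 'jdk_path value'"
info : "The jdk_path parameter specifies the Software Developer's Kit (JDK) for Java directory for the DB2 administration server."
info : "It is recommended that the location pointed to by this parameter contain a current version of the JDK and be secure."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get admin configuration | /bin/egrep -i '\\(jdk_path\\)'"
expect : ""
dont_echo_cmd : YES
info : "NOTE: Verify the found jdk_path location is a current version and is in a secure location on the system."
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 46."

type : CMD_EXEC
description : "3.3.6 Secure the JDK 64-bit runtime library - 'jdk_64_path value'"
info : "The jdk_64_path parameter specifies the 64-Bit Software Developer's Kit (JDK) for Java directory for the DB2 administration server."
info : "It is recommended that the location pointed to by this parameter contain a current version of the JDK and be secure."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get admin configuration | /bin/egrep -i '\\(jdk_64_path\\)'"
expect : ""
dont_echo_cmd : YES
info : "NOTE: Verify the found jdk_64_path location is a current version and is in a secure location on the system."
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 47."

# 3.3.7 - The original expect pattern wrote the SCHED_ENABLE token as an
# unescaped group "([Ss][Cc]...)" where every other item uses "\(...\)", so
# it required the CLP output to contain "SCHED_ENABLE" WITHOUT the literal
# parentheses that the CLP prints ("Scheduler mode (SCHED_ENABLE) = OFF").
# The item could therefore never pass. Fixed to match the other items.
type : CMD_EXEC
description : "3.3.7 Disable unused task scheduler - 'sched_enable = off'"
info : "The sched_enable parameter specifies whether the DB2 Task Center utility is allowed to schedule and execute tasks"
info : "at the administration server."
info : "It is recommended that this parameter be set to OFF when the Task Scheduler is not in use."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 get admin configuration | /bin/egrep -i '\\(sched_enable\\)'"
expect : "^ *[Ss][Cc][Hh][Ee][Dd][Uu][Ll][Ee][Rr] [Mm][Oo][Dd][Ee](([\s\t])*)\([Ss][Cc][Hh][Ee][Dd]_[Ee][Nn][Aa][Bb][Ll][Ee]\) *= *[Oo][Ff][Ff] *$"
dont_echo_cmd : YES
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 48."

#
# ## 8. General Policy and Procedures

# 8.0.5 - NOTE(review): this item relies on the same empty "expect" as the
# manual-review items 3.3.5/3.3.6, but with the opposite intent: here the
# egrep output must be EMPTY (no SAMPLE database) for the host to be
# compliant. An empty pattern cannot serve both purposes - if it matches any
# output, this item can never fail and a present SAMPLE database is silently
# passed; if it matches only empty output, 3.3.5/3.3.6 always fail. Confirm
# the result of this item by hand (or by replacing the empty pattern with the
# scanner's negative-match keyword for the Nessus version in use) before
# trusting a PASS here. The egrep pattern is also a prefix match: any
# database whose name begins with SAMPLE (e.g. SAMPLE2) is treated as the
# default database, which errs on the safe side.
type : CMD_EXEC
description : "8.0.5 Remove Default Databases - 'Database name != SAMPLE'"
info : "A DB2 Instance may come installed with default databases."
info : "It is recommended that the SAMPLE database be removed."
info : "Level 2, Scorable, 8,9,9.5"
cmd : "/opt/ibm/DB2/V9.5/bin/db2 list database directory | /bin/egrep -i 'Database name *= *SAMPLE'"
expect : ""
dont_echo_cmd : YES
severity : HIGH
info : "NOTE: Changed '' to 9.5 - DB2 system."
info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 88."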