Here is a list of all controls implemented in this Puppet module. Each entry links to the documentation of the class that implements that control.

1 Staying Current

1.1 General Considerations
1.1.1 Install Available Updates (Manual)

2 Securing the Server Environment

2.1 Prevent Database Users from Logging into the Operating System (Manual)

3 Securing the Server Instance

3.1 Database Manager Configuration Parameters
3.1.1 Require Explicit Authorization for Cataloging (CATALOG_NOAUTH) (Automated)
3.1.2 Secure Permissions for Default Database File Path (DFTDBPATH) (Automated)
3.1.3 Set Diagnostic Logging to Capture Errors and Warnings (DIAGLEVEL) (Automated)
3.1.4 Secure Permissions for All Diagnostic Logs (DIAGPATH) (Automated)
3.1.5 Secure Permissions for Alternate Diagnostic Log Path (ALT_DIAGPATH) (Automated)
3.1.6 Disable Client Discovery Requests (DISCOVER) (Automated)
3.1.7 Disable Instance Discoverability (DISCOVER_INST) (Automated)
3.1.8 Set Maximum Connection Limits (MAX_CONNECTIONS and MAX_COORDAGENTS) (Automated)
3.1.9 Set Administrative Notification Level (NOTIFYLEVEL) (Automated)
3.1.10 Secure the Java Development Kit Installation Path (JDK_PATH) (Automated)
3.1.11 Secure the Python Runtime Path (PYTHON_PATH) (Automated)
3.1.12 Secure the R Runtime Path (R_PATH) (Automated)
3.1.13 Secure the Communication Buffer Exit Library (COMM_EXIT_LIST) (Automated)
3.2 Db2 Registry Values
3.2.1 Specify Secure Remote Shell Command (DB2RSHCMD) (Automated)
3.2.2 Turn Off Remote Command Legacy Mode (DB2RCMD_LEGACY_MODE) (Automated)
3.2.3 Disable Grants During Restore (DB2_RESTORE_GRANT_ADMIN_AUTHORITIES) (Automated)
3.2.4 Enable Extended Security (DB2_EXTSECURITY) (Automated)
3.2.5 Limit OS Privileges of Fenced Mode Process (DB2_LIMIT_FENCED_GROUP) (Automated)
3.3 General Considerations
3.3.1 Secure Db2 Runtime Library (Manual)
3.3.2 Secure the Database Container Directory (Manual)
3.3.3 Set Umask Value in the Db2 Instance Owner’s .profile (Automated)

4 Securing the Database

4.1 Database Configuration Parameters
4.1.1 Creating the Database without PUBLIC Grants (RESTRICTIVE) (Automated)
4.1.2 Set Failed Archive Retry Delay (ARCHRETRYDELAY) (Automated)
4.1.3 Auto-restart After Abnormal Termination (AUTORESTART) (Automated)
4.1.4 Disable Database Discovery (DISCOVER_DB) (Automated)
4.1.5 Secure Permissions for the Primary Archive Log Location (LOGARCHMETH1) (Automated)
4.1.6 Secure Permissions for the Secondary Archive Log Location (LOGARCHMETH2) (Automated)
4.1.7 Secure Permissions for the Tertiary Archive Log Location (FAILARCHPATH) (Automated)
4.1.8 Secure Permissions for the Log Mirror Location (MIRRORLOGPATH) (Automated)
4.1.9 Secure Permissions for the Log Overflow Location (OVERFLOWLOGPATH) (Manual)
4.1.10 Establish Retention Set Size for Backups (NUM_DB_BACKUPS) (Manual)
4.1.11 Set Archive Log Failover Retry Limit (NUMARCHRETRY) (Automated)
4.1.12 Set Maximum Number of Applications (MAXAPPLS) (Automated)
4.1.13 Ensure a Secure Connect Procedure is Used (CONNECT_PROC) (Manual)
4.1.14 Specify a Secure Location for External Tables (EXTBL_LOCATION) (Manual)
4.1.15 Disable Database Discoverability (DISCOVER_DB) (Automated)
4.2 Secure the Database Catalog Views
4.2.1 Restrict Access to SYSCAT.AUDITPOLICIES (Automated)
4.2.2 Restrict Access to SYSCAT.AUDITUSE (Automated)
4.2.3 Restrict Access to SYSCAT.COLAUTH (Automated)
4.2.4 Restrict Access to SYSCAT.COLDIST (Automated)
4.2.5 Restrict Access to SYSCAT.COLGROUPDIST (Automated)
4.2.6 Restrict Access to SYSCAT.COLUMNS (Automated)
4.2.7 Restrict Access to SYSCAT.CONTEXTATTRIBUTES (Automated)
4.2.8 Restrict Access to SYSCAT.CONTEXTS (Automated)
4.2.9 Restrict Access to SYSCAT.CONTROLDEP (Automated)
4.2.10 Restrict Access to SYSCAT.CONTROLS (Automated)
4.2.11 Restrict Access to SYSCAT.DBAUTH (Automated)
4.2.12 Restrict Access to SYSCAT.EVENTS (Automated)
4.2.13 Restrict Access to SYSCAT.EVENTTABLES (Automated)
4.2.14 Restrict Access to SYSCAT.EXTERNALTABLEOPTIONS (Automated)
4.2.15 Restrict Access to SYSCAT.INDEXAUTH (Automated)
4.2.16 Restrict Access to SYSCAT.MODULEAUTH (Automated)
4.2.17 Restrict Access to SYSCAT.PACKAGEAUTH (Automated)
4.2.18 Restrict Access to SYSCAT.PACKAGES (Automated)
4.2.19 Restrict Access to SYSCAT.PASSTHRUAUTH (Automated)
4.2.20 Restrict Access to SYSCAT.ROLEAUTH (Automated)
4.2.21 Restrict Access to SYSCAT.ROLES (Automated)
4.2.22 Restrict Access to SYSCAT.ROUTINEAUTH (Automated)
4.2.23 Restrict Access to SYSCAT.ROUTINES (Automated)
4.2.24 Restrict Access to SYSCAT.SECURITYLABELACCESS (Automated)
4.2.26 Restrict Access to SYSCAT.SECURITYLABELCOMPONENTS (Automated)
4.2.27 Restrict Access to SYSCAT.SECURITYLABELS (Automated)
4.2.28 Restrict Access to SYSCAT.SECURITYPOLICIES (Automated)
4.2.30 Restrict Access to SYSCAT.SECURITYPOLICYEXEMPTIONS (Automated)
4.2.31 Restrict Access to SYSCAT.SERVEROPTIONS (Automated)
4.2.32 Restrict Access to SYSCAT.SCHEMAAUTH (Automated)
4.2.33 Restrict Access to SYSCAT.SCHEMATA (Automated)
4.2.34 Restrict Access to SYSCAT.SEQUENCEAUTH (Automated)
4.2.35 Restrict Access to SYSCAT.STATEMENTS (Automated)
4.2.36 Restrict Access to SYSCAT.STATEMENTTEXTS (Automated)
4.2.37 Restrict Access to SYSCAT.SURROGATEAUTHIDS (Automated)
4.2.38 Restrict Access to SYSCAT.TABAUTH (Automated)
4.2.39 Restrict Access to SYSCAT.TBSPACEAUTH (Automated)
4.2.40 Restrict Access to SYSCAT.USEROPTIONS (Automated)
4.2.41 Restrict Access to SYSCAT.VARIABLEAUTH (Automated)
4.2.42 Restrict Access to SYSCAT.VARIABLES (Automated)
4.2.43 Restrict Access to SYSCAT.WORKLOADAUTH (Automated)
4.2.44 Restrict Access to SYSCAT.WRAPOPTIONS (Automated)
4.2.45 Restrict Access to SYSCAT.XSROBJECTAUTH (Automated)
4.2.46 Restrict Access to SYSSTAT.COLDIST (Automated)
4.2.47 Restrict Access to SYSSTAT.COLGROUPDIST (Automated)
4.2.48 Restrict Access to SYSSTAT.COLUMNS (Automated)
4.3 Secure the Database Catalog Tables
4.3.1 Restrict Access to SYSIBM.SYSAUDITPOLICIES (Automated)
4.3.2 Restrict Access to SYSIBM.SYSAUDITUSE (Automated)
4.3.3 Restrict Access to SYSIBM.SYSCOLAUTH (Automated)
4.3.4 Restrict Access to SYSIBM.SYSCOLDIST (Automated)
4.3.5 Restrict Access to SYSIBM.SYSCOLGROUPDIST (Automated)
4.3.6 Restrict Access to SYSIBM.SYSCOLUMNS (Automated)
4.3.7 Restrict Access to SYSIBM.SYSCONTEXTATTRIBUTES (Automated)
4.3.8 Restrict Access to SYSIBM.SYSCONTEXTS (Automated)
4.3.9 Restrict Access to SYSIBM.SYSCONTROLDEPENDENCIES (Automated)
4.3.10 Restrict Access to SYSIBM.SYSCONTROLS (Automated)
4.3.11 Restrict Access to SYSIBM.SYSDBAUTH (Automated)
4.3.12 Restrict Access to SYSIBM.SYSEVENTS (Automated)
4.3.13 Restrict Access to SYSIBM.SYSEVENTTABLES (Automated)
4.3.14 Restrict Access to SYSIBM.SYSEXTTAB (Automated)
4.3.15 Restrict Access to SYSIBM.SYSINDEXAUTH (Automated)
4.3.16 Restrict Access to SYSIBM.SYSMODULEAUTH (Automated)
4.3.17 Restrict Access to SYSIBM.SYSPASSTHRUAUTH (Automated)
4.3.18 Restrict Access to SYSIBM.SYSPLANAUTH (Automated)
4.3.19 Restrict Access to SYSIBM.SYSPLAN (Automated)
4.3.20 Restrict Access to SYSIBM.SYSROLEAUTH (Automated)
4.3.21 Restrict Access to SYSIBM.SYSROLES (Automated)
4.3.22 Restrict Access to SYSIBM.SYSROUTINEAUTH (Automated)
4.3.23 Restrict Access to SYSIBM.SYSROUTINES (Automated)
4.3.24 Restrict Access to SYSIBM.ROUTINES_S (Automated)
4.3.25 Restrict Access to SYSIBM.SYSSCHEMAAUTH (Automated)
4.3.26 Restrict Access to SYSIBM.SYSSCHEMATA (Automated)
4.3.27 Restrict Access to SYSIBM.SYSSECURITYLABELACCESS (Automated)
4.3.29 Restrict Access to SYSIBM.SYSSECURITYLABELCOMPONENTS (Automated)
4.3.30 Restrict Access to SYSIBM.SYSSECURITYLABELS (Automated)
4.3.31 Restrict Access to SYSIBM.SYSSECURITYPOLICIES (Automated)
4.3.33 Restrict Access to SYSIBM.SYSSECURITYPOLICYEXEMPTIONS (Automated)
4.3.34 Restrict Access to SYSIBM.SYSSERVEROPTIONS (Automated)
4.3.35 Restrict Access to SYSIBM.SYSSEQUENCEAUTH (Automated)
4.3.36 Restrict Access to SYSIBM.SYSSTATEMENTTEXTS (Automated)
4.3.37 Restrict Access to SYSIBM.SYSSTMT (Automated)
4.3.38 Restrict Access to SYSIBM.SYSSURROGATEAUTHIDS (Automated)
4.3.39 Restrict Access to SYSIBM.SYSTABAUTH (Automated)
4.3.40 Restrict Access to SYSIBM.SYSTBSPACEAUTH (Automated)
4.3.41 Restrict Access to SYSIBM.SYSUSEROPTIONS (Automated)
4.3.42 Restrict Access to SYSIBM.SYSVARIABLEAUTH (Automated)
4.3.43 Restrict Access to SYSIBM.SYSVARIABLES (Automated)
4.3.44 Restrict Access to SYSIBM.SYSWORKLOADAUTH (Automated)
4.3.45 Restrict Access to SYSIBM.SYSWRAPOPTIONS (Automated)
4.3.46 Restrict Access to SYSIBM.SYSXSROBJECTAUTH (Automated)
4.4 Secure the Database Administrative Views and Routines
4.4.1 Restrict Access to SYSIBMADM.AUTHORIZATIONIDS (Automated)
4.4.2 Restrict Access to SYSIBMADM.OBJECTOWNERS (Automated)
4.4.3 Restrict Access to SYSIBMADM.PRIVILEGES (Automated)
4.4.4 Restrict Access to SYSPROC.AUTH_LIST_AUTHORITIES_FOR_AUTHID (Automated)
4.4.5 Restrict Access to SYSPROC.AUTH_LIST_ROLES_FOR_AUTHID (Automated)
4.4.6 Restrict Access to SYSPROC.AUTH_LIST_GROUPS_FOR_AUTHID (Automated)
4.4.7 Restrict Access to SYSIBMADM.AUTHORIZATIONIDS (Automated)
4.4.8 Restrict Access to SYSIBMADM.OBJECTOWNERS (Automated)
4.4.9 Restrict Access to SYSIBMADM.PRIVILEGES (Automated)
4.5 General Database Considerations
4.5.1 Restrict Access to Tablespaces (Automated)
4.5.2 Remove Unused Schemas (Automated)
4.5.3 Review System Tablespaces (Automated)

5 Authentication Considerations

5.1 Specify a Secure Connection Authentication Type (SRVCON_AUTH) (Manual)
5.2 Specify a Secure Authentication Type (AUTHENTICATION) (Manual)
5.3 Database Manager Configuration Parameter: ALTERNATE_AUTH_ENC (Manual)
5.4 Database Manager Configuration Parameter: TRUST_ALLCLNTS (Manual)
5.5 Database Manager Configuration Parameter: TRUST_CLNTAUTH (Manual)
5.6 Database Manager Configuration Parameter: FED_NOAUTH (Manual)
5.7 Secure Permissions for All Authentication Plugins (Manual)
5.8 DB2_GRP_LOOKUP Registry Variable (Windows only) (Manual)
5.9 DB2DOMAINLIST Registry Variable (Windows only) (Manual)
5.10 DB2AUTH Registry Variable (Manual)
5.11 DB2CHGPWD_EEE Registry Variable (Manual)

6 Authorization Considerations

6.1 Secure Database Authorities
6.1.1 Secure SYSADM Authority (Manual)
6.1.2 Secure SYSCTRL Authority (Manual)
6.1.3 Secure SYSMAINT Authority (Manual)
6.1.4 Secure SYSMON Authority (Manual)
6.1.5 Secure SECADM Authority (Manual)
6.1.6 Secure DBADM Authority (Manual)
6.1.7 Secure SQLADM Authority (Manual)
6.1.8 Secure DATAACCESS Authority (Manual)
6.1.9 Secure ACCESSCTRL Authority (Manual)
6.1.10 Secure WLMADM Authority (Manual)
6.1.11 Secure CREATAB Authority (Manual)
6.1.12 Secure BINDADD Authority (Manual)
6.1.13 Secure CONNECT Authority (Manual)
6.1.14 Secure LOAD Authority (Manual)
6.1.15 Secure EXTERNALROUTINE Authority (Manual)
6.1.16 Secure QUIESCECONNECT Authority (Manual)
6.1.17 Secure SETSESSIONUSER Privilege (Manual)
6.1.18 Secure SCHEMAADM Authority (Manual)
6.1.19 Secure Schema ACCESSCTRL Authority (Manual)
6.1.20 Secure Schema DATAACCESS Authority (Manual)
6.2 General Authorization
6.2.1 Review Users, Groups, and Roles (Manual)
6.2.2 Review Roles (Manual)
6.2.3 Review Role Members (Manual)
6.2.4 Nested Roles (Manual)
6.2.5 Review Roles Granted to PUBLIC (Manual)
6.2.6 Review Role Grantees with WITH ADMIN OPTION (Manual)
6.3 Row and Column Access Control
6.3.1 Review Organization’s Policies Against Db2 RCAC Policies (Manual)
6.3.2 Review Row Permission Logic According to Policy (Manual)
6.3.3 Review Column Mask Logic According to Policy (Manual)
6.4 Trusted Context Considerations
6.4.1 Ensure Trusted Contexts are Enabled (Manual)
6.4.2 Do Not Allow Trusted Context to Switch Users Without Authentication (Manual)

7 Audit Considerations

7.1 General Audit Considerations
7.1.1 Disable the Audit Buffer (Manual)
7.1.2 Disable Limited Audit of Applications (DB2_LIMIT_AUDIT_APPS) (Manual)
7.1.3 Ensure Audit Policies are Enabled Within the Database (Manual)
7.1.4 Ensure Audit is Enabled Within the Instance (Automated)

8 Encryption Considerations

8.1 Encryption of Data in Motion
8.1.1 Configure a Server-side Key Store for TLS (SSL_SVR_KEYDB) (Manual)
8.1.2 Configure a Server-side Stash File for TLS (SSL_SVR_STASH) (Manual)
8.1.3 Configure an Endpoint Certificate (SSL_SVR_LABEL) (Manual)
8.1.4 Configure the Service Name for TLS (SSL_SVCENAME) (Manual)
8.1.5 Configure a Secure TLS Version (SSL_VERSIONS) (Manual)
8.1.6 Configure Secure TLS Cipher Suites (SSL_CIPHERSPECS) (Manual)
8.1.7 Unset the Service Name for Plaintext Communication (SVCENAME) (Manual)
8.1.8 Configure a Client-side Key Store for TLS (SSL_CLNT_KEYDB) (Manual)
8.1.9 Configure a Client-side Stash File for TLS (SSL_CLNT_STASH) (Manual)
8.1.10 Enable TLS Communication Between HADR Primary and Standby Instances (HADR_SSL_LABEL) (Manual)
8.1.11 Enable Remote TLS Connections to Db2 (DB2COMM) (Manual)
8.2 Encryption of Data at Rest
8.2.1 Encrypt the Database (Manual)
8.2.2 Do Not Use Encryption Algorithms that are Not Secure (Manual)
8.2.3 Secure the Configuration File (Automated)
8.2.4 Secure the Stash File (Manual)
8.2.5 Backup the Stash File (Manual)
8.2.6 Create a Strong Password (Manual)
8.2.7 Backup Your Keystore (Manual)
8.2.8 Backup Your Password In Case Stash File is Inaccessible or Corrupted (Manual)
8.2.9 Rotate the Master Key (Manual)
8.2.11 Keep Master Key Labels Unique (Manual)
8.2.12 Retain All Master Keys (Manual)
8.2.13 Set CFG Values in a Single Command (Manual)
8.2.14 Key Rotation in HADR Environment (Manual)

9 Additional Considerations

9.1 Leverage the Least Privilege Principle (Manual)
9.2 Enable Backup Redundancy (Manual)
9.3 Protecting Backups (Manual)