# (C) 2012 Tenable Network Security # # This script is released under the Tenable Subscription License and # may not be used from within scripts released under another license # without authorization from Tenable Network Security Inc. # # See the following licenses for details: # # http://cgi.tenablesecurity.com/Nessus_4_SLA_and_Subscription_Agreement.pdf # http://cgi.tenablesecurity.com/Subscription_Agreement.pdf # # @PROFESSIONALFEED@ # # $Revision: 1.2 $ # $Date: 2012/03/28 19:56:05 $ # # Description : This .audit is designed against the CIS Security Configuration # Benchmark For DB2 8,9 & 9.5 for Linux, UNIX Version 1.2.0 December 31, 2011. # # NOTE : The audits contained in this document audit are for Level 1 items # of the CIS DB2 8, 9 & 9.5 for *NIX. # # # ## 6. Securing Database Objects type : SQL_POLICY description : "6.0.1 Restrict Access to SYSCAT.AUDITPOLICIES" info : "The SYSCAT.AUDITPOLICIES view contains all audit policies for a database." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUDITPOLICIES' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 53." type : SQL_POLICY description : "6.0.2 Restrict Access to SYSCAT.AUDITUSE" info : "The SYSCAT.AUDITUSE view contains database audit policy for all non-database objects, such as authority, groups, roles, and users." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'AUDITUSE' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 53." type : SQL_POLICY description : "6.0.3 Restrict Access to SYSCAT.DBAUTH" info : "The SYSCAT.DBAUTH view contains information on authorities granted to users or group of users." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'DBAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 54." type : SQL_POLICY description : "6.0.4 Restrict Access to SYSCAT.COLAUTH" info : "The SYSCAT.COLAUTH view contains the column privileges granted to the user or a group of users." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'COLAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 55." type : SQL_POLICY description : "6.0.5 Restrict Access to SYSCAT.EVENTS" info : "The SYSCAT.EVENTS view contains all events that the database is currently monitoring." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'EVENTS' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 55." type : SQL_POLICY description : "6.0.6 Restrict Access to SYSCAT.EVENTTABLES" info : "The SYSCAT.EVENTTABLES view contains the name of the destination table that will receive the monitoring events." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'EVENTTABLES' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 56." type : SQL_POLICY description : "6.0.7 Restrict Access to SYSCAT.ROUTINES" info : "The SYSCAT.ROUTINES view contains all user-defined routines, functions, and stored procedures in the database." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROUTINES' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 57." type : SQL_POLICY description : "6.0.8 Restrict Access to SYSCAT.INDEXAUTH" info : "The SYSCAT.INDEXAUTH view contains a list of user or group that has CONTROL access on an index." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'INDEXAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 57." type : SQL_POLICY description : "6.0.9 Restrict Access to SYSCAT.PACKAGEAUTH" info : "The SYSCAT.PACKAGEAUTH view contains a list of user or group that has EXECUTE privilege on a package." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PACKAGEAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 58." type : SQL_POLICY description : "6.0.10 Restrict Access to SYSCAT.PACKAGES" info : "The SYSCAT.PACKAGES view contains all packages created in the database instance." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PACKAGES' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 59." type : SQL_POLICY description : "6.0.11 Restrict Access to SYSCAT.PASSTHRUAUTH" info : "The SYSCAT.PASSTHRUAUTH view contains the names of user or group that has pass-through authorization to query the data source." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PASSTHRUAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 59." type : SQL_POLICY description : "6.0.12 Restrict Access to SYSCAT.SECURITYLABELACCESS" info : "The SYSCAT.SECURITYLABELACCESS view contains all accounts in the database that have a security label privilege." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYLABELACCESS' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 60." type : SQL_POLICY description : "6.0.13 Restrict Access to SYSCAT.SECURITYLABELCOMPONENTELEMENTS" info : "The SYSCAT.SECURITYLABELCOMPONENTELEMENTS view contains element value for a security label component." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYLABELCOMPONENTELEMENTS' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 61." type : SQL_POLICY description : "6.0.14 Restrict Access to SYSCAT.SECURITYLABELCOMPONENTS" info : "The SYSCAT.SECURITYLABELCOMPONENTS view contains the component for a security label." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYLABELCOMPONENTS' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 61." type : SQL_POLICY description : "6.0.15 Restrict Access to SYSCAT.SECURITYLABELS" info : "The SYSCAT.SECURITYLABELS view contains all security labels in the database." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYLABELS' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 62." type : SQL_POLICY description : "6.0.16 Restrict Access to SYSCAT.SECURITYPOLICIES" info : "The SYSCAT.SECURITYPOLICIES view contains all database security policies." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICIES' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 63." type : SQL_POLICY description : "6.0.17 Restrict Access to SYSCAT.SECURITYPOLICYCOMPONENTRULES" info : "The SYSCAT.SECURITYPOLICYCOMPONENTRULES view contains accss rights for a security label component." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICYCOMPONENTRULES' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 63." type : SQL_POLICY description : "6.0.18 Restrict Access to SYSCAT.SECURITYPOLICYEXEMPTIONS" info : "The SYSCAT.SECURITYPOLICYEXEMPTIONS view contains the exemption on a security policy that was granted to a database account." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SECURITYPOLICYEXEMPTIONS' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 64." type : SQL_POLICY description : "6.0.19 Restrict Access to SYSCAT.SURROGATEAUTHIDS" info : "The SYSCAT.SURROGATEAUTHIDS contains all accounts that have been granted SETSESSIONUSER privilege on a user or the PUBLIC." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SURROGATEAUTHIDS' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 65." type : SQL_POLICY description : "6.0.20 Restrict Access to SYSCAT.ROLEAUTH" info : "The SYSCAT.ROLEAUTH contains information on all roles and their respective grantees." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROLEAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 66." type : SQL_POLICY description : "6.0.21 Restrict Access to SYSCAT.ROLES" info : "The SYSCAT.ROLES contains all roles available in the database." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROLES' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 66." type : SQL_POLICY description : "6.0.22 Restrict Access to SYSCAT.ROUTINEAUTH" info : "The SYSCAT.ROUTINEAUTH contains a list of all users that have EXECUTE privilege on a routine (function, method, or procedure)." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'ROUTINEAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 67." type : SQL_POLICY description : "6.0.23 Restrict Access to SYSCAT.SCHEMAAUTH" info : "The SYSCAT.SCHEMAAUTH contains a list of all users that have one or more privileges or access to a particular schema." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SCHEMAAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 68." type : SQL_POLICY description : "6.0.24 Restrict Access to SYSCAT.SCHEMATA" info : "The SYSCAT.SCHEMATA contains all schema names in the database." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SCHEMATA' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 68." type : SQL_POLICY description : "6.0.25 Restrict Access to SYSCAT.SEQUENCEAUTH" info : "The SYSCAT.SEQUENCEAUTH contains user and/or group that has access to one or more privileges on a sequence." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'SEQUENCEAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 69." type : SQL_POLICY description : "6.0.26 Restrict Access to SYSCAT.STATEMENTS" info : "The SYSCAT.STATEMENTS contains all SQL statements of a compiled package." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'STATEMENTS' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 70." type : SQL_POLICY description : "6.0.27 Restrict Access to SYSCAT.PROCEDURES" info : "The SYSCAT.PROCEDURES contains all stored procedures in the database." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'PROCEDURES' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 70." type : SQL_POLICY description : "6.0.28 Restrict Access to SYSCAT.TABAUTH" info : "The SYSCAT.TABAUTH contains user or group that has been granted one or more privileges on a table or view." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'TABAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 71." type : SQL_POLICY description : "6.0.29 Restrict Access to SYSCAT.TBSPACEAUTH" info : "The SYSCAT.TBSPACEAUTH contains user or group that has been granted the USE privilege on a particular table space in the database." info : "It is recommended that the PUBLIC role be restricted from accessing this view." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee FROM sysibm.systabauth where tcreator = 'SYSCAT' and ttname = 'TBSPACEAUTH' and grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR sql_expect : "" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 72." #The CIS benchmark audit query for item 6.0.30 generates an error when trying to run it. #The modified SQL query for this item reports the same information and does not generate an error. type : SQL_POLICY description : "6.0.30 Restrict Access to Tablespaces" info : "A Tablespace is where the data is physically stored." info : "It is recommended that usage of tablespaces be granted to authorize users only." info : "Level 2, Scorable, 8,9,9.5" sql_request : "SELECT grantee, tbspace FROM sysibm.systbspaceauth where grantee = 'PUBLIC'" sql_types : POLICY_VARCHAR,POLICY_VARCHAR sql_expect : "","" info : "ref. https://benchmarks.cisecurity.org/tools2/db2/CIS_IBM_DB2_Benchmark_v1.2.0.pdf, pg 72."