This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "OWASP Backend Security Project DB2 Hardening"
| Line 21: | Line 21: | ||
It is advisable to change the default user-ids installed at the moment of database installation or by 3rd party products. Default accounts/groups related with operating systems are listed below. | It is advisable to change the default user-ids installed at the moment of database installation or by 3rd party products. Default accounts/groups related with operating systems are listed below. | ||
| − | '''*nix Operating Systems''': | + | '''Configuring *nix Operating Systems''': |
| + | By default, the DB2 Setup wizard creates these user and group accounts automatically during a DB2 UDB server installation. | ||
Installed with the database there are some DB2 users (db2inst1, db2fenc1, and dasusr1): | Installed with the database there are some DB2 users (db2inst1, db2fenc1, and dasusr1): | ||
| Line 43: | Line 44: | ||
db2as/ibmdb2 | db2as/ibmdb2 | ||
dlfm/ibmdb2 | dlfm/ibmdb2 | ||
| + | db2admin/db2admin | ||
| − | + | It is advisable to change all the default password. | |
| − | + | '''Configuring Windows Operating Systems''': | |
| + | |||
| + | Beginning in DB2 UDB Version 8.2, additional security option was added as part of the DB2 UDB installation to create two additional groups in the operating system, DB2USERS and DB2ADMNS. Once these groups are created, only user accounts that are members of these groups will have access to the DB2 UDB files on the system (including commands as well as user data files created by DB2 UDB). | ||
DB2ADMNS this group and local managers have complete access to DB2 objects through the operating system | DB2ADMNS this group and local managers have complete access to DB2 objects through the operating system | ||
DB2USERS this group has read and execution access to the DB2 objects through the operating system | DB2USERS this group has read and execution access to the DB2 objects through the operating system | ||
| − | + | Ensure you have changed default password for db2admin account and you have enabled this option during the original DB2 UDB installation, you can always enable it at a later time by running the db2secv82.exe program. This program can be found in the DB2PATH\SQLLIB\BIN\ directory, where DB2PATH is the location where DB2 UDB was installed. You should enable this option in order to secure your server to the greatest extent. | |
| − | |||
| − | |||
=== Authentication parameters === | === Authentication parameters === | ||
Revision as of 20:01, 23 May 2008
Overview
Historically DB2 has lived on a mainframe and resided in a fairly secure network. More and more we see DB2 exposed to the large world and used as backend for web applications. With these changes in DB2 comes increased risk.
This paragraph has the objectives to define the minimum security requirements for configuring and managing DB2 databases, in terms of access to, configuration and management of the system, and to supply guidelines and operation instructions for system administrators, in order to guarantee the development of secure applications on DB2 platforms.
Description
Configuring Authentication and Authorization
Unlike Oracle and Microsoft SQL Server, which support database authentication and database accounts, DB2 exclusively uses the operating system for authentication purposes. What this means is that DB2 is immune to attackers gaining access via database accounts without a password, or accounts that have a default password. Indeed, when DB2 is installed some OS accounts are created and, in earlier versions of DB2, these OS accounts were given default passwords.
Configuring Accounts
DB2 accounts must be subject to the same control and administration rules as other accounts in operating systems. In particular, you must verify if accounts are redundant or have not been used at least once. Database administrators must periodically verify and possibly rectify privileges, groups and functions assigned to accounts, in order to guarantee that permissions assigned to users correspond to their real working needs.
Ensure you have enabled password management features with for example a password lockout to 10 and password expiration to 90 days. The account expiration date must be set for accounts for users whose period of work is defined and limited in time.
Default Account/Group
It is advisable to change the default user-ids installed at the moment of database installation or by 3rd party products. Default accounts/groups related with operating systems are listed below.
Configuring *nix Operating Systems:
By default, the DB2 Setup wizard creates these user and group accounts automatically during a DB2 UDB server installation. Installed with the database there are some DB2 users (db2inst1, db2fenc1, and dasusr1):
db2inst1:x:1001:1001::/home/db2inst1:/bin/sh db2fenc1:x:1002:1002::/home/db2fenc1:/bin/sh dasusr1:x:1003:1003::/home/dasusr1:/bin/sh
You need to modify the initial passwords (ibmdb2). To do this, run these three commands:
passwd db2inst1 passwd db2fenc1 passwd dasusr1
Some others accounts could be present after database or 3rd party products installation, they are:
db2inst[n]/ibmdb2 0 < n < 10 (db2inst2, db2inst3, ..., db2inst9) db2fenc[n]/ibmdb2 0 < n < 10 (db2fenc2, db2fenc3, ..., db2fenc9) db2ins[n]/ibmdb2 9 < n < 100 (db2ins10, db2ins11, ..., db2ins99) db2fen[n]/ibmdb2 9 < n < 100 (db2fen10, db2fen11, ..., db2fen99) db2as/ibmdb2 dlfm/ibmdb2 db2admin/db2admin
It is advisable to change all the default password.
Configuring Windows Operating Systems:
Beginning in DB2 UDB Version 8.2, additional security option was added as part of the DB2 UDB installation to create two additional groups in the operating system, DB2USERS and DB2ADMNS. Once these groups are created, only user accounts that are members of these groups will have access to the DB2 UDB files on the system (including commands as well as user data files created by DB2 UDB).
DB2ADMNS this group and local managers have complete access to DB2 objects through the operating system DB2USERS this group has read and execution access to the DB2 objects through the operating system
Ensure you have changed default password for db2admin account and you have enabled this option during the original DB2 UDB installation, you can always enable it at a later time by running the db2secv82.exe program. This program can be found in the DB2PATH\SQLLIB\BIN\ directory, where DB2PATH is the location where DB2 UDB was installed. You should enable this option in order to secure your server to the greatest extent.
Authentication parameters
Encryption during Authentication
Configuring Authorisations
Authorisations and privileges on DB groups
Roles, Views and Access controls
Database Management System Configuration
File Permission
Administration
Auditing & Monitoring
Triggers
DB2 Universal Database audit facility
Auditing Events
References
- DB2 Security and Compliance Solutions for Linux, UNIX, and Windows - Whei-Jen Chen, Ivo Rytir, Paul Read, Rafat Odeh - IBM Redbooks
- Hardening DB2 - Giuseppe Gottardi - Internal at Communication Valley S.p.A.
