This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

OWASP Backend Security Project DB2 Hardening

From OWASP
Revision as of 16:12, 23 May 2008 by Overet (talk | contribs)

Jump to: navigation, search

Overview

Historically DB2 has lived on a mainframe and resided in a fairly secure network. More and more we see DB2 exposed to the large world and used as backend for web applications. With these changes in DB2 comes increased risk.

This paragraph has the objectives to define the minimum security requirements for configuring and managing DB2 databases, in terms of access to, configuration and management of the system, and to supply guidelines and operation instructions for system administrators, in order to guarantee the development of secure applications on DB2 platforms.

Description

Configuring Authentication and Authorization

Unlike Oracle and Microsoft SQL Server, which support database authentication and database accounts, DB2 exclusively uses the operating system for authentication purposes. What this means is that DB2 is immune to attackers gaining access via database accounts without a password, or accounts that have a default password. Indeed, when DB2 is installed some OS accounts are created and, in earlier versions of DB2, these OS accounts were given default passwords.

Configuring Accounts

DB2 accounts must be subject to the same control and administration rules as other accounts in operating systems. In particular, you must verify if accounts are redundant or have not been used at least once. Database administrators must periodically verify and possibly rectify privileges, groups and functions assigned to accounts, in order to guarantee that permissions assigned to users correspond to their real working needs.

Ensure you have enabled password management features with for example a password lockout to 10 and password expiration to 90 days. The account expiration date must be set for accounts for users whose period of work is defined and limited in time.

Default Account/Group

It is advisable to change the default user-ids installed at the moment of database installation or by 3rd party products. Default accounts/groups are listed below:

Unix accounts: 

 db2inst1/ibmdb2     owner of the instance, belonging to group db2iadm1
 db2fenc1/ibmdb2     fenced external user, belonging to group db2iadm1
 dasusr1:            responsible for running the DAS, belonging to group db2iadm1
 dasus2:             for administrating DB2 servers, belonging to group db2iadm1
 db2as/ibmdb2
 db2admin/db2admin

Windows accounts: 

 DB2ADMNS:     this group and local managers have complete access to DB2 objects through the operating system
 DB2USERS:     this group has read and execution access to the DB2 objects through the operating system

Authentication parameters

Encryption during Authentication

Configuring Authorisations

Authorisations and privileges on DB groups

Roles, Views and Access controls

Database Management System Configuration

File Permission

Administration

Auditing & Monitoring

Triggers

DB2 Universal Database audit facility

Auditing Events

References

  • DB2 Security and Compliance Solutions for Linux, UNIX, and Windows - Whei-Jen Chen, Ivo Rytir, Paul Read, Rafat Odeh - IBM Redbooks
  • Hardening DB2 - Giuseppe Gottardi - Internal at Communication Valley S.p.A.
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Backend_Security_Project_DB2_Hardening&oldid=29750"