08 April, 2015 by Tom Collins
Fully protecting DB2 against an external attack requires solid design and regular audits. Exposing some surface area to external connections creates an attack opportunity. As a DBA, being aware of potential weaknesses and designing secure systems is a top priority.
These are some areas of focus when designing a DB2 security audit. The foundation of DB2 security is a solid DB2 security policy. Any audit should compare its results with the security policy.
1) Do not use standard ports for DB2. Protect the DB2 server against scans. On Linux, you will have to define a port/service before making remote connections via TCP/IP.
2) Change the default address of the DB2 instance port.
3) Review all accounts with OS and DB2 access. A DIY approach is OK. The key is to list the accounts and identify the privileges each one holds. Repeat on a regular basis.
4) Review permissions on directories and files.
5) DB2 uses the password policies as defined in Microsoft Active Directory and the local Red Hat Linux system. Familiarise yourself with the policies.
6) Consider setting the instance parameter AUTHENTICATION to DATA_ENCRYPT. If remote clients are connecting to the database server, IBM recommends SERVER_ENCRYPT as the suggested value to protect the user ID and password.
To identify the current value assigned to the AUTHENTICATION parameter, use db2pd -dbmcfg
7) Review cryptographic methods used by DB2. Are they strong enough?
8) Audit changes in privileges. Check out the DB2 Audit facility.
9) Implement a DB2 server-only installation. Maintaining a DB2 server-only policy decreases the surface area.
10) Make sure a service account (like the instance owner) can't log on directly through a terminal client (telnet, ssh, etc.). Set up a policy whereby users must log on as themselves and then su to the required user.
This is a brief list, but it is enough to complete a basic security review.
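Checks 1 and 6 lend themselves to scripting. The following is an added example, not part of the original post: it parses a constructed sample of db2pd -dbmcfg output and a constructed /etc/services fragment and reports findings. It assumes the "Description / Memory Value / Disk Value" column layout and 50000 as the default DB2 port; the function names and the instance name db2inst1 are hypothetical.

```shell
#!/bin/sh
# Added example: constructed sample of `db2pd -dbmcfg` output. Assumed layout:
# "Description / Memory Value / Disk Value" columns, one parameter per line.
SAMPLE_DBMCFG='Database Manager Configuration Settings:

Description                  Memory Value         Disk Value
AUTHENTICATION               SERVER               SERVER
SVCENAME                     db2c_db2inst1        db2c_db2inst1'

# Constructed /etc/services fragment for the same (hypothetical) instance.
SAMPLE_SERVICES='ssh              22/tcp
db2c_db2inst1    50000/tcp   # DB2 connection service'

# Print the in-memory value of one DBM parameter; db2pd text on stdin.
dbmcfg_value() {
    awk -v p="$1" '$1 == p { print $2; exit }'
}

# Resolve SVCENAME ($1) to a TCP port. A numeric value is already a port;
# a service name is looked up in the services text passed as $2.
svc_port() {
    case "$1" in
        ''|*[!0-9]*)
            printf '%s\n' "$2" | awk -v n="$1" \
                '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print one OK/FINDING line per check. $1 = db2pd text, $2 = services text.
audit_dbm() {
    cfg=$1; services=$2
    auth=$(printf '%s\n' "$cfg" | dbmcfg_value AUTHENTICATION)
    case "$auth" in
        # Allow-list taken from item 6 of the list above.
        SERVER_ENCRYPT|DATA_ENCRYPT) echo "OK AUTHENTICATION=$auth" ;;
        *) echo "FINDING AUTHENTICATION=${auth:-unknown} is not in the policy allow-list" ;;
    esac
    port=$(svc_port "$(printf '%s\n' "$cfg" | dbmcfg_value SVCENAME)" "$services")
    case "$port" in
        '')    echo "FINDING SVCENAME does not resolve to a TCP port" ;;
        50000) echo "FINDING port=50000 is the well-known DB2 default" ;;
        *)     echo "OK port=$port" ;;
    esac
}

audit_dbm "$SAMPLE_DBMCFG" "$SAMPLE_SERVICES"
```

On a live server, replace the samples with "$(db2pd -dbmcfg)" and "$(cat /etc/services)", run as the instance owner, and compare the output with the security policy.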