Supported rules for CIS IBM Db2 13 for z/OS Benchmark v1.0.0


(SPE2510)
(SPE2507)

The CIS IBM® Db2 13 for z/OS Benchmark v1.0.0 provides prescriptive guidance for securing IBM Db2 for z/OS. This helps establish a strong configuration posture, ensuring compliance with security best practices. The benchmark references IBM RACF as the security manager, offering recommendations for access control and database security.

This benchmark is developed through a community consensus process, ensuring it reflects best practices.

As a security administrator, you can use the CIS benchmarks to reduce vulnerabilities and enhance the overall security of your mainframe environment.

BMC AMI Security Policy Manager supports compliance testing for the following CIS controls. The titles and descriptions are from the CIS IBM Db2 13 for z/OS Benchmark documentation. For more information, register and download the CIS IBM Db2 13 for z/OS Benchmark v1.0.0 PDF file from: https://www.cisecurity.org/cis-benchmarks

In SPM, the CIS Db2 reports for RACF are identified by the CD0nnn naming convention. For example, for compliance rule CD0245:

  • C = CIS
  • D = Db2
  • 0 = version 1.0.0
  • 245 = report 2.4.5

SPM supports compliance testing for the following rules:

1.1.2 Ensure that Db2 USS file system is protected

Description:

The USS file system that contains Db2 product code, such as the IBM Data Server Driver for JDBC and SQLJ, Db2 supplied Java classes, Db2 Java stored procedures support code, and native DLL libraries must be protected from unauthorized modifications or deletions.
The Db2 product code files are installed and stored under the default pathname, /usr/lpp/db2x10, where ‘x’ is the release indicator.

1.2.2 Ensure that authorization is enabled

Description:

The AUTH subsystem parameter controls authorization checking in Db2. It is recommended that this parameter is set to YES.

1.2.3 Ensure that the default authorization IDs are changed from the installation defined

Description:

The following subsystem parameters specify default authorization IDs. It is recommended to change the installation-specified default values and ensure the authorization IDs are defined in RACF.

  • SYSTEM ADMIN 1 - Specifies the first of two authorization IDs to which installation SYSADM authority is assigned.
  • SYSTEM ADMIN 2 - Specifies the second of two authorization IDs to which installation SYSADM authority is assigned.
  • SYSTEM OPERATOR 1 - Specifies the first of two authorization IDs to which installation SYSOPR authority is assigned.
  • SYSTEM OPERATOR 2 - Specifies the second of two authorization IDs to which installation SYSOPR authority is assigned.
  • SECURITY ADMIN 1 - Specifies the first of two authorization IDs or roles to which security administrator authority is assigned.
  • SECURITY ADMIN 2 - Specifies the second of two authorization IDs or roles to which security administrator authority is assigned.
  • UNKNOWN AUTHID - Specifies the authorization ID that is to be used if RACF is not available for batch access and USER= is not specified in the JOB statement.

1.2.4 Ensure that generic error codes are returned for remote security errors

Description:

The EXTSEC subsystem parameter specifies whether detailed reason codes are returned to a DRDA client when a DDF connection request fails due to security errors. It is recommended to set the value to NO to return generic error codes to the clients.

2.1.1 Ensure subsystem access is protected

Description:

The profiles specified in the DSNR RACF resource class control access to a Db2 for z/OS subsystem from another environment. It is recommended that you activate the DSNR class and define a profile with a name in the form of subsystem.environment for each subsystem and environment combination that you want to use. Permit profile access only to the users who are allowed to access Db2 from a specific environment.

2.1.2 Ensure secure authentication is enabled for remote access

Description:

The TCPALVER subsystem parameter specifies the type of security credentials to accept for TCP/IP connection requests. It is recommended that you set the parameter to SERVER_ENCRYPT and require encrypted security credentials. With the required permissions to use the RACF PassTicket service, you can use a RACF PassTicket to connect to Db2.

2.2.1 Ensure that access to the catalog tables in the communications database (CDB) is restricted

Description:

The communications database (CDB) is a set of Db2 catalog tables that can be configured to control aspects of outbound and inbound connection requests. The SYSIBM.LOCATIONS table and SYSIBM.USERNAMES table are configured for using TCP/IP or SNA protocol. The following tables are configured specifically to use TCP/IP protocol:

  • SYSIBM.IPLIST
  • SYSIBM.IPNAMES

The following tables are configured specifically to use SNA protocol:

  • SYSIBM.LULIST
  • SYSIBM.LUMODES
  • SYSIBM.LUNAMES
  • SYSIBM.MODESELECT

PUBLIC should be restricted from inserting, updating, deleting, or accessing these tables.

Note: VTAM (SNA connection) is deprecated. You can disable SNA connections by setting IPNAMES in the bootstrap data set (BSDS).

2.2.2 Ensure that access to SYSIBM.SYSAUDITPOLICIES is restricted

Description:

The SYSIBM.SYSAUDITPOLICIES table contains all audit policies. PUBLIC should be restricted from accessing this table.

2.2.3 Ensure that access to SYSIBM.SYSCOLAUTH is restricted

Description:

The SYSIBM.SYSCOLAUTH table records the UPDATE or REFERENCES privileges that are held by users on individual columns of a table or view. PUBLIC should be restricted from accessing this table.

2.2.4 Ensure that access to SYSIBM.SYSCOLUMNS is restricted

Description:

The SYSIBM.SYSCOLUMNS table contains one row for every column of each table and view. PUBLIC should be restricted from accessing this table.

2.2.5 Ensure that access to trusted context tables is restricted

Description:

The following tables are related to trusted context and contain details about trusted context, attributes for trusted context, and the authids that are allowed to use the trusted context.

  • SYSIBM.SYSCONTEXT
  • SYSIBM.SYSCONTEXTAUTHIDS
  • SYSIBM.SYSCTXTTRUSTATTRS

PUBLIC should be restricted from accessing these tables.

2.2.6 Ensure that access to SYSIBM.SYSCONTROLS is restricted

Description:

The SYSIBM.SYSCONTROLS table contains row permissions and column masks. PUBLIC should be restricted from accessing this table.

2.2.7 Ensure that access to SYSIBM.SYSDATABASE is restricted

Description:

The SYSIBM.SYSDATABASE table records database information. PUBLIC should be restricted from accessing this table.

2.2.8 Ensure that access to SYSIBM.SYSDBAUTH is restricted

Description:

The SYSIBM.SYSDBAUTH table records the privileges that are held by users over databases. PUBLIC should be restricted from accessing this table.

2.2.9 Ensure that access to dynamic query-related tables is restricted

Description:

The following tables contain information related to the stabilization of access paths for dynamic SQL statements and dependencies for dynamic query packages:

  • SYSIBM.SYSDYNQRY
  • SYSIBM.SYSDYNQRYDEP
  • SYSIBM.SYSDYNQRY_TXTL

PUBLIC should be restricted from accessing these tables.

2.2.10 Ensure that access to SYSIBM.SYSINDEXES is restricted

Description:

The SYSIBM.SYSINDEXES table records one row for every index. PUBLIC should be restricted from accessing this table.

2.2.11 Ensure that access to SYSIBM.SYSOBJROLEDEP is restricted

Description:

The SYSIBM.SYSOBJROLEDEP table lists the dependent objects for each role. PUBLIC should be restricted from accessing this table.

2.2.12 Ensure that access to package-related tables is restricted

Description:

The following tables contain information related to packages, dependencies of packages on objects, and statements in the packages:

  • SYSIBM.SYSPACKAGE
  • SYSIBM.SYSPACKCOPY
  • SYSIBM.SYSPACKDEP
  • SYSIBM.SYSPACKLIST
  • SYSIBM.SYSPACKSTMT
  • SYSIBM.SYSPACKSTMT_STMB
  • SYSIBM.SYSPACKSTMT_STMT

PUBLIC should be restricted from accessing these tables.

2.2.13 Ensure that access to SYSIBM.SYSPACKAUTH is restricted

Description:

The SYSIBM.SYSPACKAUTH table contains the package privileges that are granted to an authorization ID or a role. PUBLIC should be restricted from accessing this table.

2.2.14 Ensure that access to SYSIBM.SYSPARMS is restricted

Description:

The SYSIBM.SYSPARMS table contains a row for each parameter of a routine or multiple rows for table parameters (one for each column of the table). PUBLIC should be restricted from accessing this table.

2.2.15 Ensure that access to SYSIBM.SYSPLAN is restricted

Description:

The SYSIBM.SYSPLAN table contains each application plan. PUBLIC should be restricted from accessing this table.

2.2.16 Ensure that access to SYSIBM.SYSPLANAUTH is restricted

Description:

The SYSIBM.SYSPLANAUTH table records the privileges that are held by users over application plans. PUBLIC should be restricted from accessing this table.

2.2.17 Ensure that access to SYSIBM.SYSQUERY is restricted

Description:

The SYSIBM.SYSQUERY table identifies an SQL statement. PUBLIC should be restricted from accessing this table.

2.2.18 Ensure that access to SYSIBM.SYSRESAUTH is restricted

Description:

The SYSIBM.SYSRESAUTH table contains a list of all users that have various privileges on an object (collections, distinct types, etc.). PUBLIC should be restricted from accessing this table.

2.2.19 Ensure that access to SYSIBM.SYSROLES is restricted

Description:

The SYSIBM.SYSROLES table contains all available roles. PUBLIC should be restricted from accessing this table.

2.2.20 Ensure that access to SYSIBM.SYSROUTINEAUTH is restricted

Description:

The SYSIBM.SYSROUTINEAUTH table records the privileges that are held by users on routines (function or stored procedure). PUBLIC should be restricted from accessing this table.

2.2.21 Ensure that access to SYSIBM.SYSROUTINES is restricted

Description:

The SYSIBM.SYSROUTINES table contains routines (user-defined function, cast function, or stored procedure). PUBLIC should be restricted from accessing this table.

2.2.22 Ensure that access to SYSIBM.SYSROUTINESTEXT is restricted

Description:

The SYSIBM.SYSROUTINESTEXT table is an auxiliary table for the TEXT column of the SYSIBM.SYSROUTINES table and is required to hold the LOB data. PUBLIC should be restricted from accessing this table.

2.2.23 Ensure that access to SYSIBM.SYSSCHEMAAUTH is restricted

Description:

The SYSIBM.SYSSCHEMAAUTH table contains a list of all users who have one or more privileges or access to a particular schema. PUBLIC should be restricted from accessing this table.

2.2.24 Ensure that access to SYSIBM.SYSSEQUENCEAUTH is restricted

Description:

The SYSIBM.SYSSEQUENCEAUTH table contains users, groups, or roles that have been granted one or more privileges on a sequence. PUBLIC should be restricted from accessing this table.

2.2.25 Ensure that access to SYSIBM.SYSSEQUENCES is restricted

Description:

The SYSIBM.SYSSEQUENCES table contains sequence definition. PUBLIC should be restricted from accessing this table.

2.2.26 Ensure that access to SYSIBM.SYSSTMT is restricted

Description:

The SYSIBM.SYSSTMT table contains all SQL statements for each DBRM. PUBLIC should be restricted from accessing this table.

2.2.27 Ensure that access to SYSIBM.SYSSTOGROUP is restricted

Description:

The SYSIBM.SYSSTOGROUP table contains one row for each storage group. PUBLIC should be restricted from accessing this table.

2.2.28 Ensure that access to SYSIBM.SYSTABAUTH is restricted

Description:

The SYSIBM.SYSTABAUTH table contains users or groups that have been granted one or more privileges on a table or view. PUBLIC should be restricted from accessing this table.

2.2.29 Ensure that access to SYSIBM.SYSTABLES is restricted

Description:

The SYSIBM.SYSTABLES table contains definition for each table, view, or alias. PUBLIC should be restricted from accessing this table.

2.2.30 Ensure that access to SYSIBM.SYSTABLESPACE is restricted

Description:

The SYSIBM.SYSTABLESPACE table contains one row for each table space. PUBLIC should be restricted from accessing this table.

2.2.31 Ensure that access to SYSIBM.SYSTRIGGERS is restricted

Description:

The SYSIBM.SYSTRIGGERS table contains one row for each trigger. PUBLIC should be restricted from accessing this table.

2.2.32 Ensure that access to SYSIBM.SYSUSERAUTH is restricted

Description:

The SYSIBM.SYSUSERAUTH table records the system privileges that are held by users. PUBLIC should be restricted from accessing this table.

2.2.33 Ensure that access to variable-related tables is restricted

Description:

The following tables contain information related to global variables:

  • SYSIBM.SYSVARIABLES
  • SYSIBM.SYSVARIABLES_DESC
  • SYSIBM.SYSVARIABLES_TEXT

PUBLIC should be restricted from accessing these tables.

2.2.34 Ensure that access to SYSIBM.SYSVARIABLEAUTH is restricted

Description:

The SYSIBM.SYSVARIABLEAUTH table contains the granted privileges on a global variable for users, groups, or roles. PUBLIC should be restricted from accessing this table.

2.2.35 Ensure that access to SYSIBM.SYSVIEWS is restricted

Description:

The SYSIBM.SYSVIEWS table contains one or more rows for each view, materialized query table, or user-defined SQL function. PUBLIC should be restricted from accessing this table.

2.3.1 Ensure that access to the program authorization table is restricted

Description:

When program authorization is used, the SYSIBM.DSNPROGAUTH table controls whether a program can use a plan for execution.

PUBLIC should be restricted from accessing this table.

2.3.2 Ensure that access to the REST services definition table is restricted

Description:

When Db2 REST services are used, the SYSIBM.DSNSERVICE table is used to describe REST services and to associate them with corresponding packages.

PUBLIC should be restricted from accessing this table.

2.3.3 Ensure that access to the query accelerator tables is restricted

Description:

When a query accelerator is used, the following tables are used by Db2 to control the acceleration behavior:

  • SYSACCEL.SYSACCELERATORS
  • SYSACCEL.SYSACCELERATEDTABLES
  • SYSACCEL.SYSACCELERATEDPACKAGES
  • SYSACCEL.SYSACCELERATEDTABLESAUTH

PUBLIC should be restricted from accessing these tables.

2.3.4 Ensure that access to profile tables is restricted

Description:

When profiles are used for monitoring and controlling Db2 in specific application contexts, the following tables are used to define the profiles, provide the filtering criteria, and specify the action that Db2 takes for the processes that meet the filtering criteria:

  • SYSIBM.DSN_PROFILE_TABLE
  • SYSIBM.DSN_PROFILE_HISTORY
  • SYSIBM.DSN_PROFILE_ATTRIBUTES
  • SYSIBM.DSN_PROFILE_ATTRIBUTES_HISTORY

PUBLIC should be restricted from accessing these tables.

2.3.5 Ensure that access to SQL Data Insights tables is restricted

Description:

SQL Data Insights (DI) brings deep learning AI capabilities into Db2. When SQL Data Insights capability is used, the following tables are used to define and store the metadata for AI objects, object models, and tables:

  • SYSAIDB.SYSAIOBJECTS
  • SYSAIDB.SYSAICONFIGURATIONS
  • SYSAIDB.SYSAICOLUMNCONFIG
  • SYSAIDB.SYSAIMODELS
  • SYSAIDB.SYSAIDCOLUMNCENTERS
  • SYSAIDB.SYSAITRAININGJOBS

PUBLIC should be restricted from accessing these tables.
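Rules 2.2.1 through 2.3.5 all reduce to the same check: no explicit privilege on the named catalog and system tables may be held by PUBLIC. The query below is an added example written for this page, not code from the CIS benchmark or from BMC; it assumes the standard SYSIBM.SYSTABAUTH layout (GRANTEE, GRANTEETYPE, TCREATOR, TTNAME and the single-character privilege flag columns) and that the checked tables live in the SYSIBM, SYSACCEL and SYSAIDB schemas named in the rules above.

```sql
-- Added example: list every table privilege that PUBLIC holds on the catalog
-- and system tables named in CIS Db2 13 for z/OS rules 2.2.1 - 2.3.5.
-- Expected result on a compliant subsystem: no rows.
-- Privilege flag columns hold 'Y' (held), 'G' (held with GRANT option) or blank.
SELECT TCREATOR, TTNAME, GRANTEE, GRANTEETYPE,
       SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTEE = 'PUBLIC'
   AND (   TCREATOR IN ('SYSACCEL', 'SYSAIDB')                 -- 2.3.3, 2.3.5
        OR (TCREATOR = 'SYSIBM' AND TTNAME IN (
              'LOCATIONS', 'USERNAMES', 'IPLIST', 'IPNAMES',    -- 2.2.1 (CDB)
              'LULIST', 'LUMODES', 'LUNAMES', 'MODESELECT',
              'SYSAUDITPOLICIES', 'SYSCOLAUTH', 'SYSCOLUMNS',
              'SYSCONTEXT', 'SYSCONTEXTAUTHIDS', 'SYSCTXTTRUSTATTRS',
              'SYSCONTROLS', 'SYSDATABASE', 'SYSDBAUTH',
              'SYSDYNQRY', 'SYSDYNQRYDEP', 'SYSDYNQRY_TXTL',
              'SYSINDEXES', 'SYSOBJROLEDEP',
              'SYSPACKAGE', 'SYSPACKCOPY', 'SYSPACKDEP', 'SYSPACKLIST',
              'SYSPACKSTMT', 'SYSPACKSTMT_STMB', 'SYSPACKSTMT_STMT',
              'SYSPACKAUTH', 'SYSPARMS', 'SYSPLAN', 'SYSPLANAUTH',
              'SYSQUERY', 'SYSRESAUTH', 'SYSROLES', 'SYSROUTINEAUTH',
              'SYSROUTINES', 'SYSROUTINESTEXT', 'SYSSCHEMAAUTH',
              'SYSSEQUENCEAUTH', 'SYSSEQUENCES', 'SYSSTMT', 'SYSSTOGROUP',
              'SYSTABAUTH', 'SYSTABLES', 'SYSTABLESPACE', 'SYSTRIGGERS',
              'SYSUSERAUTH', 'SYSVARIABLES', 'SYSVARIABLES_DESC',
              'SYSVARIABLES_TEXT', 'SYSVARIABLEAUTH', 'SYSVIEWS',
              'DSNPROGAUTH', 'DSNSERVICE',                      -- 2.3.1, 2.3.2
              'DSN_PROFILE_TABLE', 'DSN_PROFILE_HISTORY',       -- 2.3.4
              'DSN_PROFILE_ATTRIBUTES', 'DSN_PROFILE_ATTRIBUTES_HISTORY')))
 ORDER BY TCREATOR, TTNAME;

-- Remediation pattern for each row returned (one statement per table), for
-- example for a finding on SYSIBM.SYSCOLUMNS:
-- REVOKE SELECT, INSERT, UPDATE, DELETE ON TABLE SYSIBM.SYSCOLUMNS FROM PUBLIC;
```

Run it from SPUFI or DSNTEP2 under an ID that can read SYSIBM.SYSTABAUTH. Note that SYSTABAUTH records only explicit grants: access obtained through an administrative authority such as SYSADM is not listed here and is covered separately by the 2.4.x rules, and column-level grants (rule 2.2.3) live in SYSIBM.SYSCOLAUTH rather than in this table.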

2.4.1 Secure SYSADM authority access

Description:

The SYSADM authority defines the system administrator authority. It is recommended that the SYSADM authority be granted to an authorization ID or a role.

2.4.2 Secure SYSCTRL authority access

Description:

The SYSCTRL authority defines the system control authority. It is recommended that the SYSCTRL authority be granted to an authorization ID or a role.

2.4.3 Secure SYSOPR authority access

Description:

The SYSOPR authority defines the system operator authority that allows its holder to issue most of the Db2 commands. It is recommended that the SYSOPR authority be granted to an authorization ID or a role.

2.4.4 Secure system DBADM authority access

Description:

The system DBADM authority defines privileges on databases in the Db2 system. It allows an administrator to manage databases across a Db2 subsystem. It is recommended that the system DBADM authority be granted to an authorized ID or a role.

2.4.5 Secure DATAACCESS authority access

Description:

The DATAACCESS authority defines the data access authority. It allows its holder to access and update data in user tables, views, and materialized query tables in a Db2 subsystem. It also allows its holder to execute plans, packages, functions, and procedures. It is recommended that the DATAACCESS authority be granted to an authorized ID or a role.

2.4.6 Secure ACCESSCTRL authority access

Description:

The ACCESSCTRL authority defines the access control authority. It allows its holder to grant explicit privileges to authorization IDs or roles by issuing SQL GRANT statements. It enables its holder to grant privileges on most objects and resources. It is recommended that the ACCESSCTRL authority be granted to an authorized ID or a role.

2.4.7 Secure PACKADM authority access

Description:

The PACKADM authority defines certain privileges on collections and packages. It has the package privileges on all packages in specific collections and the CREATE IN privilege on these collections. It is recommended that the PACKADM authority be granted to an authorized ID or a role.

2.4.8 Secure SQLADM authority access

Description:

The SQLADM authority includes certain system privileges that allow its holder to issue SQL EXPLAIN statements, execute the PROFILE commands, run the RUNSTATS and MODIFY STATISTICS utilities on all user databases, and execute stored procedures or functions and any packages that are executed within the routines. It is recommended that the SQLADM authority be granted to an authorized ID or a role.

2.4.9 Secure database DBADM authority access

Description:

The DBADM authority defines privileges on a database. Its holder can access any tables in a specific database by using SQL statements. It is recommended that the DBADM authority be granted to an authorized ID or a role.

2.4.10 Secure database DBCTRL authority access

Description:

The DBCTRL authority defines privileges on a database. It includes the DBMAINT privileges on a specific database. A user with the DBCTRL authority can run utilities that can change the data. It is recommended that the DBCTRL authority be granted to an authorized ID or a role.

2.4.11 Secure database DBMAINT authority access

Description:

The DBMAINT authority defines certain privileges on a database. Its holder can grant the privileges on a specific database to an ID and can perform actions such as creating objects within that database. It is recommended that the DBMAINT authority be granted to an authorized ID or a role.
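Each of rules 2.4.1 through 2.4.11 asks the same question: which authorization IDs or roles hold the authority, and is every holder on the approved list (with PUBLIC never among them). The following queries are an added example for this page, not code from the CIS benchmark or from BMC. They assume the SYSIBM.SYSUSERAUTH, SYSIBM.SYSRESAUTH and SYSIBM.SYSDBAUTH column names shown (in particular that system DBADM, DATAACCESS, ACCESSCTRL and SQLADM are recorded in SYSUSERAUTH as SDBADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH and SQLADMAUTH, and that PACKADM is recorded in SYSRESAUTH with OBTYPE 'C'); verify those names against the catalog reference for your Db2 level before relying on the output.

```sql
-- Added example: enumerate holders of the administrative authorities covered by
-- CIS Db2 13 for z/OS rules 2.4.1 - 2.4.11 so they can be reviewed against the
-- approved list of authorization IDs and roles.
-- GRANTEETYPE is blank for an authorization ID and 'L' for a role; the *AUTH
-- flags hold 'Y' (held), 'G' (held with GRANT option) or blank (not held).

-- System-level authorities (2.4.1 - 2.4.6, 2.4.8), assumed SYSUSERAUTH columns
SELECT GRANTEE, GRANTEETYPE, GRANTOR,
       SYSADMAUTH, SYSCTRLAUTH, SYSOPRAUTH,
       SDBADMAUTH, DATAACCESSAUTH, ACCESSCTRLAUTH, SQLADMAUTH
  FROM SYSIBM.SYSUSERAUTH
 WHERE SYSADMAUTH <> ' ' OR SYSCTRLAUTH    <> ' ' OR SYSOPRAUTH     <> ' '
    OR SDBADMAUTH <> ' ' OR DATAACCESSAUTH <> ' ' OR ACCESSCTRLAUTH <> ' '
    OR SQLADMAUTH <> ' '
 ORDER BY GRANTEE;

-- PACKADM (2.4.7): assumed to be recorded in SYSRESAUTH as a collection
-- privilege, OBTYPE 'C'; NAME '*' means PACKADM on all collections.
SELECT GRANTEE, GRANTEETYPE, NAME AS COLLID, USEAUTH
  FROM SYSIBM.SYSRESAUTH
 WHERE OBTYPE = 'C'
 ORDER BY GRANTEE, NAME;

-- Database-level authorities (2.4.9 - 2.4.11) from SYSDBAUTH
SELECT GRANTEE, GRANTEETYPE, NAME AS DBNAME,
       DBADMAUTH, DBCTRLAUTH, DBMAINTAUTH
  FROM SYSIBM.SYSDBAUTH
 WHERE DBADMAUTH <> ' ' OR DBCTRLAUTH <> ' ' OR DBMAINTAUTH <> ' '
 ORDER BY NAME, GRANTEE;

-- Any row whose GRANTEE is 'PUBLIC' is an immediate finding under every rule
-- above; any other row must match a documented, approved holder.
```

The two installation SYSADM and SYSOPR IDs from rule 1.2.3 do not appear in SYSUSERAUTH because their authority comes from the subsystem parameters rather than from a GRANT, so review them from the DSNTIJUZ output alongside these results.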

3.1.5 Enable auditing of system administrator access

Description:

System administrator authorities perform system administrator tasks and include administrative authorities such as SYSADM, SYSCTRL, and SYSOPR. The SYSADM authority has access to all data.

3.1.6 Enable auditing of database administrator access

Description:

Database administrators manage databases and objects in a database or all databases in the system. Security administrators manage security objects and access control.


BMC AMI Security Policy Manager 2.3