| 3.1.1 Require Explicit Authorization for Cataloging (CATALOG_NOAUTH) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.2 Secure Permissions for Default Database File Path (DFTDBPATH) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.3 Set Diagnostic Logging to Capture Errors and Warnings (DIAGLEVEL) | AUDIT AND ACCOUNTABILITY |
| 3.1.4 Secure Permissions for All Diagnostic Logs (DIAGPATH) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.5 Secure Permissions for Alternate Diagnostic Log Path (ALT_DIAGPATH) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.6 Set Maximum Connection Limits (MAX_CONNECTIONS and MAX_COORDAGENTS) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.7 Set Administrative Notification Level (NOTIFYLEVEL) | AUDIT AND ACCOUNTABILITY |
| 3.1.8 Secure the Java Development Kit Installation Path (JDK_PATH) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.9 Secure the Python Runtime Path (PYTHON_PATH) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.10 Secure the R Runtime Path (R_PATH) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.1.11 Secure the Communication Buffer Exit Library (COMM_EXIT_LIST) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.1 Specify Secure Remote Shell Command (DB2RSHCMD) | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2.2 Turn Off Remote Command Legacy Mode (DB2RCMD_LEGACY_MODE) | CONFIGURATION MANAGEMENT |
| 3.2.3 Disable Grants During Restore (DB2_RESTORE_GRANT_ADMIN_AUTHORITIES) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.4 Enable Extended Security (DB2_EXTSECURITY) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2.5 Limit OS Privileges of Fenced Mode Process (DB2_LIMIT_FENCED_GROUP) | ACCESS CONTROL, MEDIA PROTECTION |
| 3.3.1 Secure Db2 Runtime Library | ACCESS CONTROL, MEDIA PROTECTION |
| 3.3.3 Set umask Value in the Db2 Instance Owner's .profile | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.2 Set Failed Archive Retry Delay (ARCHRETRYDELAY) | AUDIT AND ACCOUNTABILITY |
| 4.1.3 Auto-restart After Abnormal Termination (AUTORESTART) | CONFIGURATION MANAGEMENT |
| 4.1.4 Secure Permissions for the Primary Archive Log Location (LOGARCHMETH1) | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.5 Secure Permissions for the Secondary Archive Log Location (LOGARCHMETH2) | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.6 Secure Permissions for the Tertiary Archive Log Location (FAILARCHPATH) | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.7 Secure Permissions for the Log Mirror Location (MIRRORLOGPATH) | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.8 Secure Permissions for the Log Overflow Location (OVERFLOWLOGPATH) | ACCESS CONTROL, MEDIA PROTECTION |
| 4.1.9 Establish Retention Set Size for Backups (NUM_DB_BACKUPS) | CONTINGENCY PLANNING |
| 4.1.10 Set Archive Log Failover Retry Limit (NUMARCHRETRY) | AUDIT AND ACCOUNTABILITY |
| 4.1.11 Set Maximum Number of Applications (MAXAPPLS) | ACCESS CONTROL |
| 4.1.12 Ensure a Secure Connect Procedure is Used (CONNECT_PROC) | CONFIGURATION MANAGEMENT |
| 4.1.13 Specify a Secure Location for External Tables (EXTBL_LOCATION) | ACCESS CONTROL, MEDIA PROTECTION |
| 5.1 Specify a Secure Connection Authentication Type (SRVCON_AUTH) | ACCESS CONTROL |
| 5.2 Specify a Secure Authentication Type (AUTHENTICATION) | ACCESS CONTROL |
| 5.3 Database Manager Configuration Parameter: ALTERNATE_AUTH_ENC | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.4 Database Manager Configuration Parameter: TRUST_ALLCLNTS | ACCESS CONTROL |
| 5.5 Database Manager Configuration Parameter: TRUST_CLNTAUTH | ACCESS CONTROL |
| 5.6 Database Manager Configuration Parameter: FED_NOAUTH | ACCESS CONTROL |
| 5.9 DB2AUTH Registry Variable | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.10 DB2CHGPWD_EEE Registry Variable | ACCESS CONTROL |
| 6.1.1 Secure SYSADM Authority | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.2 Secure SYSCTRL Authority | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.3 Secure SYSMAINT Authority | ACCESS CONTROL, MEDIA PROTECTION |
| 6.1.4 Secure SYSMON Authority | ACCESS CONTROL, MEDIA PROTECTION |
| 7.1.1 Disable the Audit Buffer | AUDIT AND ACCOUNTABILITY |
| 7.1.2 Disable Limited Audit of Applications (DB2_LIMIT_AUDIT_APPS) | AUDIT AND ACCOUNTABILITY |
| 7.1.4 Ensure Audit is Enabled Within the Instance | AUDIT AND ACCOUNTABILITY |
| 8.1.1 Configure a Server-side Key Store for TLS (SSL_SVR_KEYDB) | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1.2 Configure a Server-side Stash File for TLS (SSL_SVR_STASH) | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1.3 Configure an Endpoint Certificate (SSL_SVR_LABEL) | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 8.1.4 Configure the Service Name for TLS (SSL_SVCENAME) | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 8.1.7 Unset the Service Name for Plaintext Communication (SVCENAME) | PLANNING, SYSTEM AND SERVICES ACQUISITION |
