3.1.7 Secure permissions for all diagnostic logs

Information

The diagpath database manager configuration parameter specifies the location of the diagnostic files for the DB2 instance. The directory at this location should be secured so that ordinary users have read and execute privileges only (no write privileges), while all DB2 administrators have full access to the directory.

Solution

For Windows and Linux, to change the directory for the diagnostic logs:
1. Attach to the DB2 instance
   db2 => attach to $DB2INSTANCE
2. Run the following command from the DB2 command window
   db2 => update database manager configuration using diagpath <valid directory>
Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click the diagnostic log directory
3. Choose Properties
4. Select the Security tab
5. Grant Full Control to all DB2 administrator accounts
6. Grant only Read and Execute permissions to all other accounts (revoke any other permissions)
Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the diagnostic log directory
3. Change the permissions of the directory and everything under it so that only the owner can write (owner read/write/execute, group and others read/execute)
   OS => chmod -R 755 <diagnostic log directory>
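To verify the Linux step before and after the chmod, the following added shell helper (example code, not part of the benchmark) audits a diagnostic-log tree for any entry that is writable by group or others and applies the same 755 mode as remediation. The DIAGPATH environment variable and the db2dump path in the comments are assumptions; the script does not query DB2 itself.

```shell
#!/bin/sh
# Audit/remediation helper for the DB2 diagnostic-log directory (CIS 3.1.7).
# Assumption: the path under test is the directory that `db2 get dbm cfg`
# reports as DIAGPATH (commonly <instance home>/sqllib/db2dump).

# Print every entry below $1 whose mode grants write permission to group (020)
# or others (002). Octal -perm tests are portable across GNU, BSD and BusyBox find.
find_writable_entries() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Return 0 when the tree under $1 matches the benchmark (no group/other write),
# 1 otherwise, listing the offending entries on stderr.
check_diag_perms() {
    dir=$1
    offenders=$(find_writable_entries "$dir")
    if [ -z "$offenders" ]; then
        return 0
    fi
    printf 'FAIL: group/other-writable entries under %s:\n%s\n' "$dir" "$offenders" >&2
    return 1
}

# Remediation equivalent to the benchmark's "chmod -R 755": the owner keeps
# read/write/execute, group and others are reduced to read and execute.
harden_diag_perms() {
    chmod -R 755 "$1"
}

# Run the audit when DIAGPATH is supplied in the environment, e.g.
#   DIAGPATH=/home/db2inst1/sqllib/db2dump sh diagperms.sh
if [ -n "${DIAGPATH:-}" ]; then
    if check_diag_perms "$DIAGPATH"; then
        echo "OK: $DIAGPATH has no group/other write permission"
    fi
fi
```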

See Also

https://workbench.cisecurity.org/files/162