3.2.6 Secure permissions for the tertiary archive log location

Information

The failarchpath parameter specifies the location (and, through its prefix, the type of media) used as the tertiary, or failover, destination for archived logs: DB2 writes archived logs there when the primary or secondary archive destination is unavailable. The directory used for these archived logs should grant full access to DB2 administrator accounts and read and execute access only to all other accounts.
Rationale:
Restricting access to the contents of the tertiary archive log directory helps protect the confidentiality, integrity, and availability of the archived logs, which contain a record of database changes and are needed for recovery.
Although there are several ways to ensure that logs are archived, it is recommended that the failarchpath parameter point to DISK so that the failover archive destination is a local or mounted file system path under the DBA's control. A finding of OFF, or a null value (which leaves no failover destination configured), is not acceptable.

Solution

For Windows and Linux:
1. Attach to the DB2 instance.
2. Run the following command from the DB2 command window to set the tertiary archive log directory, if necessary (replace <database-alias> and <directory> with the database alias and the directory path to use):
db2 => update database configuration for <database-alias> using failarchpath <directory>
3. Confirm the new value by inspecting the database configuration:
db2 => get database configuration for <database-alias>

Additional steps for Windows (assuming that the failarchpath parameter includes DISK):
1. Connect to the DB2 host
2. Right-click on the tertiary archive log directory
3. Choose Properties
4. Select the Security tab
5. Grant all DB2 administrator accounts the Full Control authority
6. Grant all other accounts read and execute privileges only (revoke all other privileges)

Additional steps for Linux (assuming that the failarchpath parameter includes DISK):
1. Connect to the DB2 host
2. Change to the tertiary archive log directory
3. Change the permissions for the directory (replace <directory> with the tertiary archive log directory; note that -R also applies the mode to every archived log file already in it)
OS => chmod -R 755 <directory>
4. Verify the result with ls -ld <directory>: the owner should be the DB2 instance owner, and the mode should show no write bit for group or others (drwxr-xr-x).
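The following POSIX shell script is an added example that is not part of the CIS benchmark text or of DB2 itself. It audits the Linux side of the procedure above: it extracts the FAILARCHPATH value from the output of `db2 get db cfg`, then checks that the directory exists, is owned by the expected instance owner, and grants no write access to group or others. The db cfg output embedded in SAMPLE_CFG is a constructed sample so the script runs offline; the paths and the owner name passed to check_archive_dir are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not CIS or IBM code): audit the FAILARCHPATH directory on Linux.

# Constructed sample of the relevant "db2 get db cfg for <database-alias>" lines.
# Paths are assumptions, not values from the benchmark.
SAMPLE_CFG=' First log archive method                 (LOGARCHMETH1) = DISK:/db2/archlogs/primary/
 Second log archive method                (LOGARCHMETH2) = OFF
 Failover log archive path                (FAILARCHPATH) = /db2/archlogs/failover/'

# Read db cfg output on stdin and print the FAILARCHPATH value.
# Prints nothing when the parameter is null (the line ends in "= ").
failarchpath_from_cfg() {
    sed -n 's/^.*(FAILARCHPATH) *= *//p' | sed 's/[[:space:]]*$//'
}

# check_archive_dir <directory> <expected-owner>
# Returns 0 when the directory exists, is owned by the expected account, and
# its mode gives no write permission to group or others (0755 or stricter).
# Returns 1 and prints the reason otherwise.
check_archive_dir() {
    dir=$1
    owner=$2
    if [ -z "$dir" ]; then
        echo "FAIL: FAILARCHPATH is not set (null)"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist or is not a directory"
        return 1
    fi
    # GNU stat: %a = octal mode without leading zero, %U = owner name
    mode=$(stat -c '%a' "$dir")
    actual_owner=$(stat -c '%U' "$dir")
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $dir owned by $actual_owner, expected $owner"
        return 1
    fi
    # Last two octal digits are the group and other permission triplets;
    # bit 2 in each is the write bit.
    group=$(( (mode / 10) % 10 ))
    other=$(( mode % 10 ))
    if [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
        echo "FAIL: $dir mode $mode allows write for group or others"
        return 1
    fi
    echo "PASS: $dir mode $mode owner $actual_owner"
    return 0
}

# Stand-alone demonstration: show the value parsed from the constructed sample.
# On a real host, pipe "db2 get db cfg for <database-alias>" into
# failarchpath_from_cfg and pass the result to check_archive_dir.
printf '%s\n' "$SAMPLE_CFG" | failarchpath_from_cfg
```

On a real host, run it as the instance owner (the account that can issue `db2 get db cfg`) and pass that account's name as the expected owner; a directory that fails the write-bit test is the condition the `chmod -R 755` step above corrects.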
Default Value:
The default value for FAILARCHPATH is null, meaning no tertiary (failover) archive destination is configured.

See Also

https://workbench.cisecurity.org/files/1654

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(4)

Plugin: Windows

Control ID: 5933a64ef82154f8302477165b15d9334cacd84a0a6889fc2875cc26d07901f4