3.2.7 Secure permissions for the log mirror location

Information

The mirrorlogpath parameter specifies the type of media and the location used to store the mirror copy of the logs. It is recommended that the directory used for the mirror copy of the logs be set to full access for DB2 administrator accounts and read and execute only for all other accounts.

A mirror log path should not be empty and it should be a valid path. The mirror log path stores a second copy of the active log files. Access to the directory pointed to by that path should be restricted through permissions to help ensure that the confidentiality, integrity, and availability of the mirror logs are protected.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance. If MIRROR_LOG_PATH variable was not set, to a file path, the permissions could be supplied.

Solution

For Windows and Linux:
1. Connect to the DB2 database.
db2 => connect to $DB2INSTANCE user $USERNAME using $PASSWORD
2. Run the following command from the DB2 command window to change the mirror log directory, if necessary:
db2 => update database configuration using mirrorlogpath

Additional steps for Windows:
1. Connect to the DB2 host
2. Right-click on the primary archive log directory
3. Choose Properties
4. Select the Security tab
5. Grant all DB2 administrator accounts the Full Control authority
6. Grant all other accounts read and execute privileges only (revoke all other privileges)

Additional steps for Linux:
1. Connect to the DB2 host
2. Change to the mirror log directory
3. Change the permissions for the directory
OS => chmod -R 755
Default Value:
The default value for mirrorlogpath is null.

See Also

https://workbench.cisecurity.org/files/1654

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(4)

Plugin: Windows

Control ID: 9ad3517527a894b4642822bdfde703192be8d726afdad6596c72a95ced59d277