IBM Db2 Compliance Checks

Plugin ID: 149648

The IBM Db2 DB plugin connects to targets that host IBM Db2 databases. The plugin connects to the target, runs a query against the database, and evaluates the output for specific expressions. The plugin supports Db2 versions 9, 10, and 11.

Scan Requirements

Credentials

The plugin requires Database credentials with the “Database Type” of “IBM Db2” for scanning.

Permissions

Tenable recommends running a database compliance scan with a user account having the following permissions or privileges:

• IBM Db2:

  • Log in with an account that has SYSDBA access.

This ensures thorough scan results and reports because some system or hidden tables and parameters can only be accessed by an account with such high level privileges. These settings were obtained by testing Tenable’s published CIS and DISA STIG audits, which primarily target system databases and tables. Custom audits with user-created databases will require independent testing to achieve maximum results.

Checks

All IBM Db2 DB compliance checks must be bracketed with the check type encapsulation and the IBM_DB2DB designation. This is required to differentiate .audit files intended specifically for systems running IBM Db2 databases from other types of compliance audits.

See the following topics to learn more about the IBM Db2 DB plugin:

• IBM Db2 Audit Containers

• IBM Db2 Audit Items

• IBM Db2 Comments

• IBM Db2 SQL_POLICY Check

• IBM Db2 KB_VALUE Check

Notes

If scans that utilize this plugin are not producing any compliance results, the following items should be checked:

• Check that the credentials provided to the scan policy work from a remote host using a native SQL client.

• Check the audit trail for the plugin that test for database login. For IBM Db2, this would be plugin 91824 - IBM DB2 Login Possible.

• Check the audit trail to see if there is a result for the compliance plugin. For IBM Db2, this would be plugin 149648 - IBM DB2 DB Compliance Checks.