New Vulnerability and Configuration Check Highlights
IBM DB2 LUW
• Audit information must be protected from unauthorized read access
o Verify that only the instance owner has write access to the datapath directory.
o Risk: Medium
• Ensure DB2COMM value is set to SSL
o Verify that the db2set parameter DB2COMM is set to SSL.
o Risk: Medium
• Ensure SSL_VERSIONS is enabled and configured
o Verify that the Database Manager Configuration parameter SSL_VERSIONS is enabled and configured correctly.
o Risk: Medium
• Use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations
o Verify that the DB2 Database Manager Configuration parameters: SSL_VERSIONS, SSL_CIPHERSPECS, and SSL_SVR_LABEL are enabled and configured correctly.
o Risk: Medium
• Utilize centralized management of the content captured in audit records
o Report the permissions of the Audit Data Directory and the Audit Archive Directory.
o Risk: Medium
Oracle
• I/O Rate limits for PDBs
o Verify that MAX_IOPS and MAX_MBPS parameters for each PDB are configured to have a limit.
o Risk: Low
• Use of ORA_STIG_PROFILE profile
o Verify that users assigned ORA_STIG_PROFILE profile.
o Risk: Informational
Updated Checks
Sybase
• Latest patch not applied
o Check for Sybase ASE 15.0 ESD 4.5
o Risk: High
• Patch not applied on time
o Check for Sybase ASE 15.0 ESD 4.5
o Risk: High
New Policies
• CIS v3.0.1 for IBM DB2 LUW - Audit (Built-In)
o This document, Security Configuration Benchmark for IBM DB2, provides prescriptive guidance for establishing a secure configuration posture for DB2 versions 9.7 or 9.8 running on Linux, Unix and Windows.
• DISA-STIG IBM DB2 v10.5 V1R2 - Audit (Built-in)
o This policy has been created with the guidelines mapped out in the DOD Security Technical Implementation Guides "IBM DB2 V10.5 LUW Security Technical Implementation Guide Version 1 Release 2"
Updated Policies
• Authorization - Audit (Built-in)
o New Checks
o Oracle: Use of ORA_STIG_PROFILE profile: Informational
• Best Practices for Federal Gov. - Audit (Built-in)
o New Checks
o Oracle: Use of ORA_STIG_PROFILE profile: Informational
• DISA-STIG Oracle 12c V1R8 - Audit (Built-in)
o New Checks
o Oracle: Use of ORA_STIG_PROFILE profile: Informational
• Strict - Audit (Built-in)
• New Checks
o Oracle: I/O Rate Limits for PDBs: Low
o Oracle: Use of ORA_STIG_PROFILE profile: Informational
User Creation Scripts
• Microsoft SQL Server URR script has been updated to grant SQLAgentRole.
Availability
Available to all AppDetectivePRO and DbProtect customers with maintenance (subscription or perpetual) in good standing at no additional cost
• AppDetectivePRO customers can use the Updater within the product as well