III - Administrative Sensitive

SRG-APP-000141-DB-000092

Unused database components which are integrated in DB2 and cannot be uninstalled must be disabled.

SRG-APP-000141-DB-000093

Access to external executables must be disabled or restricted.

SRG-APP-000142-DB-000094

DB2 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

SRG-APP-000172-DB-000075

If passwords are used for authentication, DB2 must transmit only encrypted representations of passwords.

SRG-APP-000178-DB-000083

Applications using the database must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

SRG-APP-000178-DB-000083

When using command-line tools such as db2, users must use a Connect method that does not expose the password.

SRG-APP-000179-DB-000114

DB2 must use NIST FIPS 140-2 validated cryptographic modules for cryptographic operations.

SRG-APP-000211-DB-000122

DB2 must separate user functionality (including user interface services) from database management functionality.

SRG-APP-000224-DB-000384

DB2 must maintain the authenticity of communications sessions by guarding against man-in-the-middle attacks that guess at Session ID values.

SRG-APP-000226-DB-000147

In the event of a system failure, DB2 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to mission processes.

SRG-APP-000231-DB-000154

DB2 must protect the confidentiality and integrity of all information at rest.

SRG-APP-000233-DB-000124

DB2 must isolate security functions from non-security functions.

SRG-APP-000243-DB-000128

Database contents must be protected from unauthorized and unintended information transfer by enforcement of a data-transfer policy.

SRG-APP-000243-DB-000374

Access to database files must be limited to relevant processes and to authorized, administrative users.

SRG-APP-000251-DB-000160

DB2 must check the validity of all data inputs except those specifically identified by the organization.

SRG-APP-000251-DB-000391

DB2 and associated applications must reserve the use of dynamic code execution for situations that require it.

SRG-APP-000251-DB-000392

DB2 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.

SRG-APP-000266-DB-000162

DB2 must provide non-privileged users with error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

SRG-APP-000267-DB-000163

DB2 must reveal detailed error messages only to the ISSO, ISSM, SA and DBA.

SRG-APP-000295-DB-000305

DB2 must automatically terminate a user session after organization-defined conditions or trigger events requiring session disconnect.

SRG-APP-000311-DB-000308

When supporting applications that require security labeling of data, DB2 must associate organization-defined types of security labels having organization-defined security label values with information in storage.

SRG-APP-000313-DB-000309

When supporting applications that require security labeling of data, DB2 must associate organization-defined types of security labels having organization-defined security label values with information in process.

SRG-APP-000340-DB-000304

DB2 must prevent non-privileged users from executing privileged functions, to include disabling, circumventing, or altering implemented security safeguards/countermeasures.

SRG-APP-000356-DB-000314

DB2 must utilize centralized management of the content captured in audit records generated by all components of DB2.

SRG-APP-000357-DB-000316

DB2 must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements.