Securing the Operating System

When securing any database server, the first step is to harden the operating system. Most vendors provide good documentation on how to harden their OS, and these guidelines should be followed. With DB2 it is especially important to consider user account security carefully, because the database server relies on operating system user accounts. Use a good password policy: a mix of alphanumeric characters with a minimum length of eight characters. Enable account lockout to stop attackers from brute-forcing accounts. Remember that when you attempt to authenticate against DB2, it indicates whether or not the user account is valid; once a valid account has been found and lockout is not enabled, an attacker can keep attacking that account, guessing its password. Also ensure that any account created for use by DB2 does not have a default password.

Once DB2 has been installed, set permissions on the database server's files so that normal users can't access them. This is especially important on *nix-based systems where setuid root binaries exist. I've removed the setuid bit on my test DB2 system and it appears to run fine. That said, it is a test system. Removing the setuid bit could lead to problems under certain conditions. I'd recommend testing it on your setup before changing this on a production system.

On *nix servers, consider removing the setuid bit on any DB2 executable that has it set.
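The setuid review described above can be made repeatable. The following script is an added example, not code from the book: it inventories setuid/setgid files under a DB2 installation directory, records the original bits before clearing them, and can restore them if the server misbehaves during testing. `DB2_HOME` is an assumed path; point it at your own install or instance `sqllib` directory.

```shell
#!/bin/sh
# Added example, not from the book: audit setuid/setgid bits under a DB2 install.
# DB2_HOME is an assumption; adjust it to your system. Clearing and restoring
# bits on a real install must be done as root.

DB2_HOME="${DB2_HOME:-/opt/IBM/db2}"   # assumed path, change as needed

# find_suid DIR: print every regular file under DIR with setuid or setgid set
find_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# count_suid DIR: number of such files (prints 0 when there are none)
count_suid() {
    find_suid "$1" | wc -l | tr -d ' '
}

# record_suid DIR RECORD: write "u+s PATH" / "g+s PATH" lines to RECORD so the
# original bits can be put back with restore_suid
record_suid() {
    {
        find "$1" -type f -perm -4000 -exec printf 'u+s %s\n' {} \;
        find "$1" -type f -perm -2000 -exec printf 'g+s %s\n' {} \;
    } > "$2"
}

# strip_suid DIR RECORD: record the current bits, then clear them
strip_suid() {
    record_suid "$1" "$2"
    find_suid "$1" | while IFS= read -r f; do chmod u-s,g-s "$f"; done
}

# restore_suid RECORD: re-apply the recorded bits (rollback after a failed test)
restore_suid() {
    while read -r mode path; do chmod "$mode" "$path"; done < "$1"
}

# Typical workflow on a test system:
#   record_suid  "$DB2_HOME" /root/db2-suid.txt   # inventory only
#   strip_suid   "$DB2_HOME" /root/db2-suid.txt   # clear bits, then test DB2
#   restore_suid /root/db2-suid.txt               # roll back if needed
```

Run the inventory step on its own first so you know which DB2 binaries carry the bit before changing anything.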



Database Hacker's Handbook. Defending Database Servers
ISBN: 0764578014
Year: 2003
Pages: 156
