Unless it has been determined that availability is paramount, DB2 must, upon audit failure, cease all auditable activity.

From IBM DB2 V10.5 LUW Security Technical Implementation Guide

Part of SRG-APP-000109-DB-000049

Associated with: CCI-000140

SV-89125r1_rule Unless it has been determined that availability is paramount, DB2 must, upon audit failure, cease all auditable activity.

Vulnerability discussion

It is critical that when the DBMS is at risk of failing to process audit logs as required, it take action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode. When the need for system availability does not outweigh the need for a complete audit trail, the DBMS should cease production of audit records immediately, rolling back all in-flight transactions. DB2 does this when configured to track audit errors.Systems where audit trail completeness is paramount will most likely be at a lower MAC level than MAC I; the final determination is the prerogative of the application owner, subject to Authorizing Official concurrence. In any case, sufficient auditing resources must be allocated to avoid a shutdown in all but the most extreme situations.

Check content

Ask the ISSO whether the system should stay available or stop processing the auditable events. If the system needs to stay available and the Error Type is set to 'A' for the policies then this is not applicable (NA). Run the following SQL statement to find the Error type value for all audit policies: DB2> SELECT * FROM SYSCAT.AUDITPOLICIES If the system needs to stop processing the auditable events and Error Type is not set to 'A' then this is a finding.

Fix text

Drop and recreate the policy with ERROR TYPE as required by the ISSO or run the ALTER AUDIT POLICY command to set the ERROR TYPE as per ISSO requirement. Run the following command to drop and recreate the policy: DB2> DROP AUDIT POLICY DB2> CREATE AUDIT POLICY CATEGORIES EXECUTE WITH DATA STATUS BOTH ERROR TYPE AUDIT To alter the audit policy: DB2> ALTER AUDIT POLICY CATEGORIES EXECUTE WITH DATA STATUS BOTH ERROR TYPE AUDIT

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer