Securing the Operating System
When securing any database server, the first thing to do is harden the operating system. Most vendors provide good documentation on how to harden their OS, and those guidelines should be followed. With DB2 it is especially important to consider user account security carefully, because the database server relies on operating system user accounts for authentication. A good password policy should be used: a mix of alphanumeric characters with a minimum length of eight characters. Account lockout should be enabled to prevent attackers from brute-forcing accounts. Remember that DB2 indicates, during an authentication attempt, whether or not the user account is valid. Once a valid account has been found, if account lockout is not enabled, an attacker can keep attacking that account, guessing its password indefinitely. Also ensure that any account created for use by DB2 does not have a default password.
Once DB2 has been installed, set permissions on the database server's files so that normal users can't access them. This is especially important on *nix-based systems where setuid root binaries exist. I've removed the setuid bit on my test DB2 system and it appears to run fine. That said, it is a test system. Removing the setuid bit could lead to problems under certain conditions. I'd recommend testing it on your setup before changing this on a production system.
On *nix servers, consider removing the setuid bit on any DB2 executable that has it set.
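Because stripping the setuid bit can break things under some conditions, the change is worth making in a way that can be reverted. The following POSIX shell helper is an added example, not code from the book: it inventories setuid files under an assumed DB2 install path (DB2_HOME), records each file's original mode before clearing the bit, and can restore those modes from the log.

```shell
#!/bin/sh
# Added hardening helper (not from the book): inventory setuid binaries under
# a DB2 install tree and, only when asked, strip the bit while recording the
# original mode so the change can be reverted if DB2 misbehaves afterwards.
# DB2_HOME is an assumed location; set it to your instance's install path.
DB2_HOME="${DB2_HOME:-/opt/ibm/db2/V11.5}"

# list_setuid DIR: print each regular file under DIR that has the setuid bit.
# -xdev keeps the scan on one filesystem so a mounted share is not walked.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# strip_setuid DIR LOG: for each setuid file, append "mode path" to LOG and
# then clear the bit. The log is the rollback record for restore_setuid.
strip_setuid() {
    dir=$1
    log=$2
    list_setuid "$dir" | while IFS= read -r f; do
        # GNU stat first, BSD/macOS stat as the fallback.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        printf '%s %s\n' "$mode" "$f" >> "$log"
        chmod u-s "$f"
    done
}

# restore_setuid LOG: undo strip_setuid by re-applying the recorded modes.
restore_setuid() {
    log=$1
    while read -r mode f; do
        chmod "$mode" "$f"
    done < "$log"
}

# Hardening is opt-in: with no arguments this only reports what it would change.
if [ "${1:-}" = "--strip" ]; then
    strip_setuid "$DB2_HOME" "${2:-./db2-setuid-rollback.log}"
else
    list_setuid "$DB2_HOME"
fi
```

Review the inventory output first, then run with `--strip` during a maintenance window and exercise the instance; if anything fails, `restore_setuid` with the log puts the modes back.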
Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.