DB2 Security and Compliance Solutions for Linux, UNIX, and Windows

Front cover

Understand DB2 security concepts and technologies
Learn security implementation by examples
Protect your data with DB2 security features

Whei-Jen Chen
Ivo Rytir
Paul Read
Rafat Odeh

ibm.com/redbooks

International Technical Support Organization
March 2008
SG24-7555-00

Note: Before using this information and the product it supports, read the information in “Notices” on page vii.

First Edition (March 2008)
This edition applies to DB2 9.5 for Linux, UNIX, and Windows.

© Copyright International Business Machines Corporation 2008. All rights reserved.
Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Notices
  Trademarks
Preface
  The team that wrote this book
  Acknowledgements
  Become a published author
  Comments welcome

Chapter 1. DB2 security overview
  1.1 DB2 security compliance
  1.2 DB2 security model
    1.2.1 Authentication
    1.2.2 Authorization
    1.2.3 DB2 security plug-ins
    1.2.4 LBAC
    1.2.5 DB2 database roles
    1.2.6 Trusted contexts and trusted connections
    1.2.7 Data encryption
    1.2.8 Auditing
    1.2.9 DB2 security tools

Chapter 2. SYSADM, DBADM, SECADM, and OS authorities
  2.1 Primary DB2 security authorities
    2.1.1 SYSADM authority
    2.1.2 DBADM authority
    2.1.3 SECADM authority
  2.2 Operating system authorities and DB2

Chapter 3. Roles
  3.1 Definition of a role
  3.2 Scenario - basic setup
  3.3 Planning
  3.4 Setup and configuration of roles
    3.4.1 Create roles
    3.4.2 Assign privileges
    3.4.3 Granting membership to roles
    3.4.4 Maintenance and administration of roles
  3.5 Comparisons with roles and groups
  3.6 Considerations

Chapter 4. Trusted contexts and connections
  4.1 Definition of trusted contexts
  4.2 Setup and configuration
    4.2.1 Trusted context statement
    4.2.2 Using trusted contexts
    4.2.3 Administering
  4.3 User ID switching within trusted connections
  4.4 Role membership inheritance
  4.5 Switching user roles considerations
  4.6 Problem determination

Chapter 5. Label-based access control
  5.1 Overview
    5.1.1 LBAC enhancements in DB2 9.5
  5.2 Security label components
    5.2.1 SET
    5.2.2 ARRAY
    5.2.3 TREE
  5.3 Security policies
    5.3.1 Policies and rules
  5.4 Security labels
  5.5 Set up LBAC
    5.5.1 Creating a security label component
    5.5.2 Create a security policy
    5.5.3 Create a security label
    5.5.4 Secure table with LBAC
    5.5.5 Maintenance and administration

Chapter 6. Auditing
  6.1 db2audit
    6.1.1 Concept
    6.1.2 Changes for DB2 9.5
  6.2 Audit policies
    6.2.1 Audit categories
  6.3 Audit statement
    6.3.1 Auditable objects
  6.4 Setup and configuration
    6.4.1 db2audit files
    6.4.2 Instance
    6.4.3 Database
    6.4.4 Table
    6.4.5 User, role, and group
  6.5 Audit data
    6.5.1 Archive
    6.5.2 Extract
    6.5.3 Load
    ...

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    290 Page
