Date post: 29-Nov-2021
Symantec Enterprise Security Manager IBM DB2 Modules User Guide for Windows and UNIX Version 4.2

Symantec™ Enterprise Security Manager IBM DB2 Modules User Guide for Windows and UNIX

Version 4.2

Symantec™ Enterprise Security Manager IBM DB2 Modules User Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 4.2

Legal Notice

Copyright © 2012 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo, ActiveAdmin, BindView, BV-Control, and LiveUpdate are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043

http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s support offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ Telephone and/or Web-based support that provides rapid response and up-to-the-minute information

■ Upgrade assurance that delivers software upgrades

■ Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis

■ Premium service offerings that include Account Management Services

For information about Symantec’s support offerings, you can visit our website at the following URL:

www.symantec.com/business/support/

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Contacting Technical Support

Customers with a current support agreement may access Technical Support information at the following URL:

www.symantec.com/business/support/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information

■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/business/support/

Customer service

Customer service information is available at the following URL:

www.symantec.com/business/support/

Customer Service is available to assist with non-technical questions, such as the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates, such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade assurance and support contracts

■ Information about the Symantec Buying Programs

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs, DVDs, or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

[email protected] and Japan

[email protected], Middle-East, and Africa

[email protected] America and Latin America

Contents

Technical Support

Chapter 1 Introducing Symantec ESM Modules for IBM DB2 Databases
  About the Symantec ESM Modules for IBM DB2 Databases
  About creating a baseline snapshot
  What you can do with ESM DB2 modules
  Where you can get more information

Chapter 2 Understanding the ESM DB2 Modules
  About the ESM DB2 Audit Configuration module
    Auditing Enabled (Windows and UNIX)
    DB2 Copies (Windows)
    DB2 Instances (UNIX)
    Event Types (Windows and UNIX)
    Audit Failure Events (Windows and UNIX)
    Audit Success Events (Windows and UNIX)
    Audit Database Events (Windows and UNIX)
    Auditing Related Events (Windows and UNIX)
    Checking Events (Windows and UNIX)
    Object Maintenance Events (Windows and UNIX)
    Security Maintenance Events (Windows and UNIX)
    System Administrator Events (Windows and UNIX)
    Validate Events (Windows and UNIX)
    Context Events (Windows and UNIX)
    Error Handling Facility (Windows and UNIX)
    Audit Miscellaneous Events (Windows and UNIX)
    Instance Startup And Shutdown (Windows and UNIX)
    Changes To Configuration Parameters (Windows and UNIX)
    Database Activation And Deactivation (Windows and UNIX)
    Use Of SYSADM,DBADM,SYSCTRL,SYSMAINT (Windows and UNIX)

    Attempted Access To Restricted Objects (Windows and UNIX)
    Access To Sensitive Objects and/or Tables (Windows and UNIX)
    Unsuccessful Connection Attempts (Windows and UNIX)
    Administrative Functions Performed (Windows and UNIX)
    Other Audit Settings (Windows and UNIX)
    Audit Archive Path (Windows and UNIX)
    Audit Data Path (Windows and UNIX)
    Audit Configuration Settings (Windows and UNIX)
  About the ESM DB2 Discovery module
    Automatically Add New Database (UNIX)
    Automatically Add New Database (Windows)
    Automatically Add New Instance (UNIX)
    Automatically Remove Deleted Database (Windows and UNIX)
    Automatically Remove Deleted Instance (UNIX)
    Detect Deleted Database (Windows and UNIX)
    Detect Deleted Instance (UNIX)
    Detect New Database (Windows and UNIX)
    Detect New Instance (UNIX)
  About the ESM DB2 Fix Packs module
    DB2 Copies (Windows)
    DB2 Instances (UNIX)
    Installed Fix Packs (Windows and UNIX)
    Template files (Windows and UNIX)
  About the ESM DB2 Remote module
    DB2 Database Aliases (Windows and UNIX)
    Unauthorized Group Set in System Administrator Authority (Windows and UNIX)
    Unauthorized Group Set in System Control Authority (Windows and UNIX)
    Unauthorized Group Set in System Maintenance Authority (Windows and UNIX)
    Unauthorized Group/User in BINDADD Database Privilege (Windows and UNIX)
    Unauthorized Group/User in CONNECT Database Privilege (Windows and UNIX)
    Unauthorized Group/User in CREATETAB Database Privilege (Windows and UNIX)
    Unauthorized Group/User in CREATE_NOT_FENCED Database Privilege (Windows and UNIX)

    Unauthorized Group/User in Database Administrator Authority (Windows and UNIX)
    Unauthorized Group/User in IMPLICT_SCHEMA Database Privilege (Windows and UNIX)
    Unauthorized Group/User in LOAD Authority (Windows and UNIX)
    Unauthorized Group/User in CREATE_EXTERNAL_ROUTINE authority (Windows and UNIX)
    Authentication from the Server (Windows and UNIX)
    DB2 Version and OS (Windows and UNIX)
    Server Discovery Mode (Windows and UNIX)
    Instance Discovery Mode (Windows and UNIX)
    Database Discovery Mode (Windows and UNIX)
    New Group/User in Database Administrator Authority (Windows and UNIX)
    Deleted Group/User in Database Administrator Authority (Windows and UNIX)
    Modified Group/User in Database Administrator Authority (Windows and UNIX)
    New Group/User in CONNECT Database Privilege (Windows and UNIX)
    Deleted Group/User in CONNECT Database Privilege (Windows and UNIX)
    Modified Group/User in CONNECT Database Privilege (Windows and UNIX)
    New Group/User in BINDADD Database Privilege (Windows and UNIX)
    Deleted Group/User in BINDADD Database Privilege (Windows and UNIX)
    Modified Group/User in BINDADD Database Privilege (Windows and UNIX)
    New Group/User in CREATETAB Database Privilege (Windows and UNIX)
    Deleted Group/User in CREATETAB Database Privilege (Windows and UNIX)
    Modified Group/User in CREATETAB Database Privilege (Windows and UNIX)
    New Group/User in IMPLICIT_SCHEMA Database Privilege (Windows and UNIX)
    Deleted Group/User in IMPLICIT_SCHEMA Database Privilege (Windows and UNIX)
    Modified Group/User in IMPLICIT_SCHEMA Database Privilege (Windows and UNIX)

    New Group/User in LOAD Authority (Windows and UNIX)
    Deleted Group/User in LOAD Authority (Windows and UNIX)
    Modified Group/User in LOAD Authority (Windows and UNIX)
    New Group/User in CREATE_NOT_FENCED Database Privilege (Windows and UNIX)
    Deleted Group/User in CREATE_NOT_FENCED Database Privilege (Windows and UNIX)
    Modified Group/User in CREATE_NOT_FENCED Database Privilege (Windows and UNIX)
    New Group/User in the CREATE_EXTERNAL_ROUTINE Authority (Windows and UNIX)
    Deleted Group/User in CREATE_EXTERNAL_ROUTINE Authority (Windows and UNIX)
    Modified Group/User in CREATE_EXTERNAL_ROUTINE Authority (Windows and UNIX)
    Objects with nicknames (Windows and UNIX)
    Objects not owned by Orphan ID (Windows and UNIX)
  About the ESM DB2 System module
    DB2 Instances (Windows and UNIX)
    Database folder on system partition (Windows and UNIX)
    Instance folder on system partition (Windows and UNIX)
    Database log folder on system partition (Windows and UNIX)
    SSL is Disabled (Windows and UNIX)
    Node catalogued by using hostname Windows and UNIX
    DB2 directory and file permissions (Windows and UNIX)
    Database containers (Windows)
    Database containers (UNIX)
    Default database path (Windows)
    Default database path (UNIX)
    Permission on default database path (Windows)
    Permission on default database path (UNIX)
    Archive log path (Windows)
    Archive log path (UNIX)
    Permission on archive log path (Windows)
    Permission on archive log path (UNIX)
    Secondary archive log path (Windows)
    Secondary archive log path (UNIX)
    Permission on secondary archive log path (Windows)
    Permission on secondary archive log path (UNIX)
    Tertiary archive log path (Windows)

    Tertiary archive log path (UNIX)
    Permission on tertiary archive log path (Windows)
    Permission on tertiary archive log path (UNIX)
    Mirrored log path (Windows)
    Mirrored log path (UNIX)
    Permission on mirrored log path (Windows)
    Permission on diagnostic path (Windows)
    Permission on diagnostic path (UNIX)
    Minimum JDK version (Windows and UNIX)
    Permission on JDK runtime library path (Windows)
    Permission on JDK runtime library path (UNIX)
    Database Path Template files (UNIX)
    User ownership (UNIX)
    Group ownership (UNIX)
    Permissions (UNIX)
  About the ESM DB2 Privileges module
    DB2 Instances (Windows and UNIX)
    View Privileges (Windows and UNIX)
    Grantee with the WITH ADMIN or GRANT option (Windows and UNIX)
    Unauthorized Grantees in Database Authority (Windows and UNIX)
    Tablespace Privileges (Windows and UNIX)
    Table Privileges (Windows and UNIX)
    Role Members (Windows and UNIX)
    Routine Privileges (Windows and UNIX)
    Nickname Privileges (Windows and UNIX)
    Privileges of PUBLIC group (Windows and UNIX)
    Column Privileges (Windows and UNIX)
    Schema Privileges (Windows and UNIX)
    Maximum reported messages (Windows and UNIX)
  About the ESM DB2 Configuration module
    DB2 Instances (Windows and UNIX)
    Database Manager Configuration (Windows and UNIX)
    Database Configuration (Windows and UNIX)
    Admin Configuration (Windows and UNIX)
    Fenced user (UNIX)
    DB2 sysctrl or sysmaint group is set as sysadm group (Windows and UNIX)
    Default databases (Windows and UNIX)
    Unauthorized members in dasadm group (Windows and UNIX)

    Unauthorized members in DB2 system groups (Windows and UNIX)

Chapter 3 Working with the DB2 templates
  About the DB2 Authorities template
  Creating the DB2 Authorities template
  About using the DB2 Authorities template
  About the DB2 Database Manager Config Params template
  Creating the DB2 Database Manager Config Params template
  About using the DB2 Database Manager Config Params template
  About the DB2 Fix Packs template
  Creating the DB2 Fix Packs template
  About using the DB2 Fix Packs template
  About the DB2 Admin Config Params template
  Creating the DB2 Admin Config Params template
  About using the DB2 Admin Config Params template
  About the DB2 Database Config Params template
  Creating the DB2 Database Config Params template
  About using the DB2 Database Config Param template
  About the DB2 View Privileges template
  Creating the DB2 View Privileges template
  About using the DB2 View Privileges template
  About the DB2 Tablespace Privileges template
  Creating the DB2 Tablespace Privileges template
  About using the DB2 Tablespace Privileges template
  About the DB2 Table Privileges template
  Creating the DB2 Table Privileges template
  About using the DB2 Table Privileges template
  About the DB2 Role Members template
  Creating the DB2 Role Members template
  About using the DB2 Role Members template
  About the DB2 Routine Privileges template
  Creating the DB2 Routine Privileges template
  About using the DB2 Routine Privileges template
  About the DB2 Nickname Privileges template
  Creating the DB2 Nickname Privileges template
  About using the DB2 Nickname Privileges template
  About the DB2 System Authority Groups template
  Creating the DB2 System Authority Groups template
  About using the DB2 System Authority Groups template
  About the DB2 Column Privileges template

Creating the DB2 Column Privileges template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229About using the DB2 Column Privileges template ... . . . . . . . . . . . . . . . . . . . . . . . . . . 230About the DB2 Schema Privileges template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233Creating the DB2 Schema Privileges template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233About using the DB2 Schema Privileges template ... . . . . . . . . . . . . . . . . . . . . . . . . . . 233About the DB2 Audit Settings template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236Creating the DB2 Audit Settings template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236About using the DB2 Audit Settings template ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236About the DB2 Database File Permissions template ... . . . . . . . . . . . . . . . . . . . . . . . . 238Creating the DB2 Database File Permissions template ... . . . . . . . . . . . . . . . . . . . . 238About using the DB2 Database File Permissions template ... . . . . . . . . . . . . . . . 239

Chapter 4 Troubleshooting DB2 Modules on Windows . . . . . . . . . . . . . . . . 243

Encryption exception .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243ESM DB2 Remote module errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Chapter 5 Troubleshooting DB2 Modules on UNIX . . . . . . . . . . . . . . . . . . . . . . . 245

Encryption exception .... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245ESM DB2 Audit Configuration errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246ESM DB2 Remote module errors ... . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

13Contents

Contents14

Chapter 1 Introducing Symantec ESM Modules for IBM DB2 Databases

This chapter includes the following topics:

■ About the Symantec ESM Modules for IBM DB2 Databases

■ About creating a baseline snapshot

■ What you can do with ESM DB2 modules

■ Where you can get more information

About the Symantec ESM Modules for IBM DB2 Databases

Symantec Enterprise Security Manager (ESM) Modules for IBM DB2 Databases extends Symantec ESM beyond securing the operating system to securing mission-critical e-business components. These modules protect IBM DB2 Databases from known security vulnerabilities. The modules introduce new, database-specific executables and content, including modules to check audit configuration, fix packs, authentication methods, current DB2 version and Unauthorized Authorities or privileges.

Working within the framework of Symantec ESM, the industry's most comprehensive solution for discovering security vulnerabilities, Symantec ESM Modules for IBM DB2 Databases eases the administrative burden of measuring the effectiveness of enterprise security policies and enforcing compliance.

This product installs on Windows Server 2003, Windows 2008, Solaris SPARC, IBM AIX, and Red Hat Enterprise Linux servers. With these modules, Symantec ESM's centralized security scanning and integrated reporting capabilities can be used to automate security evaluations and policy enforcement for any IBM DB2 9.1, 9.5, and 9.7 database that runs on your network.

About creating a baseline snapshot

To establish a baseline for ESM DB2 module security checks, create a new ESM DB2 remote policy with snapshot-related checks enabled. Running this policy creates snapshots of the current account information that you can update when you run checks for new, deleted, or modified information.

Run the module one time to create the snapshots, then rerun the module to detect changes between policy runs.

After running a policy, to update the snapshots directly from messages in the Policy Run report, do one of the following:

■ Right-click on a modified message

■ Right-click on a deleted message

■ Right-click on a new report message

What you can do with ESM DB2 modules

You can use Symantec ESM modules to report on the compliance of your computer's security policies. You can use Symantec ESM Modules for IBM DB2 Databases in the same way that you use other Symantec ESM modules:

■ Configure the application module to report on the IBM DB2 instances and databases

■ Create a Symantec ESM policy using one or more DB2 modules

■ Configure the new policy

■ Configure applicable templates

■ Run the policy

■ Review the policy run results to compare the results with your Enterprise security policies.

The ESM DB2 Remote module uses the configuration information that is stored in the /esm/config/DB2Module.dat file on UNIX and <Installation_directory>\Program Files\Symantec\Enterprise Security Manager\ESM\config\DB2Module.dat on Windows.

Where you can get more information

See “Using policies, templates, snapshots, and modules” in the latest version of your Symantec Enterprise Security User’s Guide and “Reviewing policies, modules, and messages” in the latest version of your Symantec ESM Security Update User’s Guide for more information about Symantec ESM modules. For more information on Symantec ESM Security Updates see Symantec Enterprise Security User’s Guide.

For more information on Symantec ESM, Symantec ESM Security Updates, and Symantec ESM support for database products, see the Symantec Security Response Web site at http://securityresponse.symantec.com

Chapter 2 Understanding the ESM DB2 Modules

This chapter includes the following topics:

■ About the ESM DB2 Audit Configuration module

■ About the ESM DB2 Discovery module

■ About the ESM DB2 Fix Packs module

■ About the ESM DB2 Remote module

■ About the ESM DB2 System module

■ About the ESM DB2 Privileges module

■ About the ESM DB2 Configuration module

About the ESM DB2 Audit Configuration module

The ESM DB2 Audit Configuration module searches for the audit configuration for the IBM DB2 databases in the ESM agent computer.

Auditing Enabled (Windows and UNIX)

This check reports whether auditing is enabled on the IBM DB2 instances.

The following table lists the message for the check.

Table 2-1 Message for Auditing Enabled

String ID: ESM_AUDIT_ACTIVE
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236631), Windows 2003 (238031), Windows 2008 (238631)
Title: DB2 Audit Status
Description: Auditing is not active for the databases. The logs will not be generated for any events
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [DB2 Audit Configuration is not active. The events will not be audited]

DB2 Copies (Windows)

This check lets you include or exclude the DB2 copies that the module reports on. By default, the module examines all the database copies that were configured during the DB2 installation. Use the name list in this option to specify the copies that are to be included or excluded. Use the name list to specify DB2V8 to include or exclude DB2 version 8.

DB2 Instances (UNIX)

The module examines all the databases that were configured during the ESM DB2 installation, by default. Use the name list in this option to specify the instances that are to be included or excluded.

Event Types (Windows and UNIX)

The checks that are included in the Events Types group let you specify which types of events you want to audit. You can also specify whether only successful or failed events, or both, should be logged.

The following table lists the message for the check.

Table 2-2 Message for Event Types

String ID: ESM_NO_COMPARISON_SPECIFIED
Category: ESM Error
Platform and Message Numeric ID: UNIX (236651), Windows 2003 (238051), Windows 2008 (238651)
Title: Comparison type not specified
Description: Enable Audit checks
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

Audit Failure Events (Windows and UNIX)

This check reports whether the IBM DB2 databases audit error events. This check is not supported on IBM DB2 database versions 9.5 and 9.7.

The following table lists the messages for the check.

Table 2-3 Messages for Audit Failure Events

String ID: ESM_LOG_DB2ERROR
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236632), Windows 2003 (238032), Windows 2008 (238632)
Title: Audit Failure Events
Description: DB2 does not log error events
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [DB2 does not log error events]

String ID: ESM_LOG_ERROR_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236653), Windows 2003 (238053), Windows 2008 (238653)
Title: Audit Failure Events
Description: The setting for auditing failure events is enabled but Auditing is not active. Hence DB2 does not audit failure events.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Setting for auditing failure events is enabled but Auditing is not active. Hence DB2 does not audit failure events]

Audit Success Events (Windows and UNIX)

This check reports whether the IBM DB2 databases audit success events. This check is not supported on IBM DB2 database versions 9.5 and 9.7.

The following table lists the messages for the check.

Table 2-4 Messages for Audit Success Events

String ID: ESM_LOG_SUCCESS
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236633), Windows 2003 (238033), Windows 2008 (238633)
Title: Audit Success Events
Description: DB2 does not log success events
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [DB2 does not log success events]

String ID: ESM_LOG_SUCCESS_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236661), Windows 2003 (238061), Windows 2008 (238661)
Title: Audit Success Events
Description: The setting for auditing success events is enabled but Auditing is not active. Hence DB2 does not audit success events.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Setting for auditing success events is enabled but Auditing is not active. Hence DB2 does not audit success events.]

String ID: ESM_LOG_SUCCESS_ENABLED_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236662), Windows 2003 (238062), Windows 2008 (238662)
Title: Audit Success Events
Description: The setting for auditing success events is enabled. This will increase the audit log size significantly.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Setting for auditing success events is enabled. This will increase the audit log size significantly.]

Audit Database Events (Windows and UNIX)

The checks that are included in the Audit Database Events group verify which IBM DB2 database events are audited.

The following table lists the message for the check.

Table 2-5 Message for Audit Database Events

String ID: ESM_NO_COMPARISON_SPECIFIED
Category: ESM Error
Platform and Message Numeric ID: UNIX (236651), Windows 2003 (238051), Windows 2008 (238651)
Title: Comparison type not specified
Description: Enable Audit checks
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

Auditing Related Events (Windows and UNIX)

This check reports whether IBM DB2 databases log audit events.

The following table lists the messages for the check.

Table 2-6 Messages for Auditing Related Events

String ID: ESM_LOG_DB2AUDIT
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236634), Windows 2003 (238034), Windows 2008 (238634)
Title: Audit auditing related events
Description: DB2 does not log audit events
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [DB2 does not log audit events]

String ID: ESM_LOG_AUDIT_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236654), Windows 2003 (238054), Windows 2008 (238654)
Title: Audit Auditing Related Events
Description: The setting for auditing audit related events is enabled but Auditing is not active. Hence DB2 does not audit audit related events
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Setting for auditing audit related events is enabled but Auditing is not active. Hence DB2 does not audit audit related events]

String ID: ESM_SETTING_ENABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236673), Windows 2003 (238073), Windows 2008 (238673)
Title: Audit Enabled
Description: The setting is enabled.
Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236674), Windows 2003 (238074), Windows 2008 (238674)
Title: Auditing Disabled
Description: The setting is disabled.
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236675), Windows 2003 (238075), Windows 2008 (238675)
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]

Checking Events (Windows and UNIX)

This check reports whether IBM DB2 databases log checking events.

The following table lists the messages for the check.

Table 2-7 Messages for Checking Events

String ID: ESM_LOG_CHECKING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236635), Windows 2003 (238035), Windows 2008 (238635)
Title: Audit Checking events
Description: DB2 does not log checking events
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [DB2 does not log checking events]

String ID: ESM_LOG_CHECKING_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236655), Windows 2003 (238055), Windows 2008 (238655)
Title: Audit Checking Events
Description: The setting for auditing checking events is enabled but Auditing is not active. Hence DB2 does not audit checking events
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Setting for auditing checking events is enabled but Auditing is not active. Hence DB2 does not audit checking events]

String ID: ESM_SETTING_ENABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236673), Windows 2003 (238073), Windows 2008 (238673)
Title: Audit Enabled
Description: The setting is enabled.
Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236674), Windows 2003 (238074), Windows 2008 (238674)
Title: Auditing Disabled
Description: The setting is disabled.
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236675), Windows 2003 (238075), Windows 2008 (238675)
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]

Object Maintenance Events (Windows and UNIX)

This check reports whether the IBM DB2 databases log Object Maintenance events.

The following table lists the messages for the check.

Table 2-8 Messages for Object Maintenance Events

String ID: ESM_LOG_OBJMAINT
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236636), Windows 2003 (238036), Windows 2008 (238636)
Title: Audit Object Maintenance events
Description: DB2 does not log object maintenance events
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [DB2 does not log object maintenance events]

String ID: ESM_LOG_OBJMAINT_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236656), Windows 2003 (238056), Windows 2008 (238656)
Title: Audit Object Maintenance Events
Description: The setting for auditing object maintenance events is enabled but Auditing is not active. Hence DB2 does not audit object maintenance events
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Setting for auditing object maintenance events is enabled but Auditing is not active. Hence DB2 does not audit objmaint events]

String ID: ESM_SETTING_ENABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236673), Windows 2003 (238073), Windows 2008 (238673)
Title: Audit Enabled
Description: The setting is enabled.
Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236674), Windows 2003 (238074), Windows 2008 (238674)
Title: Auditing Disabled
Description: The setting is disabled.
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236675), Windows 2003 (238075), Windows 2008 (238675)
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]

Security Maintenance Events (Windows and UNIX)

This check reports whether the IBM DB2 databases log Security Maintenance events.

The following table lists the messages for the check.

Table 2-9 Messages for Security Maintenance Events

String ID: ESM_LOG_SECMAINT
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236637), Windows 2003 (238037), Windows 2008 (238637)
Title: Audit Security Maintenance events
Description: DB2 does not log security maintenance events
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [DB2 does not log security maintenance events]

String ID: ESM_LOG_SECMAINT_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236657), Windows 2003 (238057), Windows 2008 (238657)
Title: Audit Security Maintenance Events
Description: The setting for auditing security maintenance events is enabled but Auditing is not active. Hence DB2 does not audit security maintenance events
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Setting for auditing security maintenance event is enabled but Auditing is not active. Hence DB2 does not audit secmaint events]

String ID: ESM_SETTING_ENABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236673), Windows 2003 (238073), Windows 2008 (238673)
Title: Audit Enabled
Description: The setting is enabled.
Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236674), Windows 2003 (238074), Windows 2008 (238674)
Title: Auditing Disabled
Description: The setting is disabled.
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236675), Windows 2003 (238075), Windows 2008 (238675)
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]

System Administrator Events (Windows and UNIX)

This check reports whether IBM DB2 databases log System Administrator events.

The following table lists the messages for the check.

Table 2-10 Messages for System Administrator Events

String ID: ESM_LOG_SYSADM
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236638), Windows 2003 (238038), Windows 2008 (238638)
Title: Audit System Administrator events
Description: DB2 does not log system administrator events
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [DB2 does not log system administrator events]

String ID: ESM_LOG_SYSADM_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236658), Windows 2003 (238058), Windows 2008 (238658)
Title: Audit System Administrator Events
Description: The setting for auditing system administrator events is enabled but Auditing is not active. Hence DB2 does not audit system administrator events
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Setting for auditing system administrator event is enabled but Auditing is not active. Hence DB2 does not audit sysadmin events]

String ID: ESM_SETTING_ENABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236673), Windows 2003 (238073), Windows 2008 (238673)
Title: Audit Enabled
Description: The setting is enabled.
Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236674), Windows 2003 (238074), Windows 2008 (238674)
Title: Auditing Disabled
Description: The setting is disabled.
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236675), Windows 2003 (238075), Windows 2008 (238675)
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]

Validate Events (Windows and UNIX)

This check reports whether the IBM DB2 databases log Validate events.

The following table lists the messages for the check.

Table 2-11 Messages for Validate Events

String ID: ESM_LOG_VALIDATE
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236639), Windows 2003 (238039), Windows 2008 (238639)
Title: Audit Validate events
Description: DB2 does not log validate events
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [DB2 does not log validate events]

String ID: ESM_LOG_VALIDATE_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236659), Windows 2003 (238059), Windows 2008 (238659)
Title: Audit Validate Events
Description: The setting for auditing validate events is enabled but Auditing is not active. Hence DB2 does not audit validate events
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Setting for auditing validate events is enabled but Auditing is not active. Hence DB2 does not audit validate events]

String ID: ESM_SETTING_ENABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236673), Windows 2003 (238073), Windows 2008 (238673)
Title: Audit Enabled
Description: The setting is enabled.
Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236674), Windows 2003 (238074), Windows 2008 (238674)
Title: Auditing Disabled
Description: The setting is disabled.
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236675), Windows 2003 (238075), Windows 2008 (238675)
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]

Context Events (Windows and UNIX)

This check reports whether IBM DB2 databases log Context events.

The following table lists the messages for the check.

Table 2-12 Messages for Context Events

String ID: ESM_LOG_CONTEXT
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236640), Windows 2003 (238040), Windows 2008 (238640)
Title: Audit context events
Description: DB2 does not log context events
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [DB2 does not log context events]

String ID: ESM_LOG_CONTEXT_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236660), Windows 2003 (238060), Windows 2008 (238660)
Title: Audit Context Events
Description: The setting for auditing context events is enabled but Auditing is not active. Hence DB2 does not audit context events.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Setting for auditing context events is enabled but Auditing is not active. Hence DB2 does not audit context events]

String ID: ESM_SETTING_ENABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236673), Windows 2003 (238073), Windows 2008 (238673)
Title: Audit Enabled
Description: The setting is enabled.
Severity: green-0; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236674), Windows 2003 (238074), Windows 2008 (238674)
Title: Auditing Disabled
Description: The setting is disabled.
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s]

String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236675), Windows 2003 (238075), Windows 2008 (238675)
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]

Error Handling Facility (Windows and UNIX)

This check reports whether the IBM DB2 databases have the audit facility parameter set to Audit. You have the option to specify whether audit facility errors are returned to the user (AUDIT) or ignored (NORMAL).

The following table lists the message for the check.

Table 2-13 Message for Error Handling Facility

String ID: ESM_LOG_ERRORTYPE
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236641), Windows 2003 (238041), Windows 2008 (238641)
Title: Audit Facility For Error Handling
Description: The audit facility parameter (ERRORTYPE) is set to Normal
Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false
Information Field Format: [Audit facility parameter (ERRORTYPE) is set to normal]

Audit Miscellaneous Events (Windows and UNIX)

The checks that are included in the Audit Miscellaneous Events group verify which IBM DB2 database miscellaneous events are audited.

The following table lists the message for the check.

Table 2-14 Message for Audit Miscellaneous Events

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Comparison type not specified
Description: Enable Audit checks
■ UNIX (236651)
■ Windows 2003 (238051)
■ Windows 2008 (238651)
String ID: ESM_NO_COMPARISON_SPECIFIED
Category: ESM Error


Instance Startup And Shutdown (Windows and UNIX)

This check reports whether IBM DB2 databases log the startup and shutdown events of instances.

The following table lists the messages for the check.

Table 2-15 Messages for Instance Startup And Shutdown

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [Instance startup and shutdown will not be logged]
Title: Audit Instance startup and shutdown
Description: DB2 does not log instance startup and shutdown
■ UNIX (236642)
■ Windows 2003 (238042)
■ Windows 2008 (238642)
String ID: ESM_LOG_INSTANCE_UP_DOWN
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [This setting is enabled but Auditing is not active. Hence DB2 does not audit instance startup and shutdown events.]
Title: Audit Instance startup and shutdown
Description: The setting for auditing success events is enabled but Auditing is not active. Hence DB2 does not audit success events.
■ UNIX (236663)
■ Windows 2003 (238063)
■ Windows 2008 (238663)
String ID: ESM_LOG_INSTANCE_UP_DOWN_WARNING
Category: Policy Compliance


Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Audit Enabled
Description: The setting is enabled.
■ UNIX (236673)
■ Windows 2003 (238073)
■ Windows 2008 (238673)
String ID: ESM_SETTING_ENABLED
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Auditing Disabled
Description: The setting is disabled.
■ UNIX (236674)
■ Windows 2003 (238074)
■ Windows 2008 (238674)
String ID: ESM_SETTING_DISABLED
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
■ UNIX (236675)
■ Windows 2003 (238075)
■ Windows 2008 (238675)
String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance

Changes To Configuration Parameters (Windows and UNIX)

This check reports whether IBM DB2 databases log the changes made to the instance and the database configuration parameters.

The following table lists the messages for the check.


Table 2-16 Messages for Changes To Configuration Parameters

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [Changes made to instance and database configuration parameters will not be logged]
Title: Audit configuration parameter changes
Description: DB2 does not log changes made to instance and database configuration parameters
■ UNIX (236643)
■ Windows 2003 (238043)
■ Windows 2008 (238643)
String ID: ESM_LOG_DB_DBM_CFG
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [This setting is enabled but Auditing is not active. Hence DB2 does not audit instance and database configuration change events.]
Title: Audit configuration parameters changes
Description: The setting for auditing instance and database configuration change events is enabled but Auditing is not active. Hence DB2 does not audit instance and database configuration change events.
■ UNIX (236664)
■ Windows 2003 (238064)
■ Windows 2008 (238664)
String ID: ESM_LOG_DB_DBM_CFG_WARNING
Category: Policy Compliance

Database Activation And Deactivation (Windows and UNIX)

This check reports whether IBM DB2 databases log database activation and deactivation.

The following table lists the messages for the check.


Table 2-17 Messages for Database Activation And Deactivation

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [Database Activation and deactivation will not be logged]
Title: Audit database activation and deactivation
Description: DB2 does not log database activation and deactivation
■ UNIX (236644)
■ Windows 2003 (238044)
■ Windows 2008 (238644)
String ID: ESM_LOG_DB_ACT_DEACT
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [This setting is enabled but Auditing is not active. Hence DB2 does not audit database activation and deactivation events.]
Title: Audit database activation and deactivation
Description: The setting for auditing database activation and deactivation events is enabled but Auditing is not active. Hence DB2 does not audit database activation and deactivation events.
■ UNIX (236665)
■ Windows 2003 (238065)
■ Windows 2008 (238665)
String ID: ESM_LOG_DB_ACT_DEACT_WARNING
Category: Policy Compliance

Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Audit Enabled
Description: The setting is enabled.
■ UNIX (236673)
■ Windows 2003 (238073)
■ Windows 2008 (238673)
String ID: ESM_SETTING_ENABLED
Category: Policy Compliance


Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Auditing Disabled
Description: The setting is disabled.
■ UNIX (236674)
■ Windows 2003 (238074)
■ Windows 2008 (238674)
String ID: ESM_SETTING_DISABLED
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
■ UNIX (236675)
■ Windows 2003 (238075)
■ Windows 2008 (238675)
String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance

Use Of SYSADM, DBADM, SYSCTRL, SYSMAINT (Windows and UNIX)

This check reports whether IBM DB2 databases log the use of SYSADM, DBADM, SYSCTRL, SYSMAINT.

The following table lists the messages for the check.


Table 2-18 Messages for Use Of SYSADM, DBADM, SYSCTRL, SYSMAINT

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [Use of SYSADM, DBADM, SYSCTRL, SYSMAINT will not be logged]
Title: Audit Use of SYSADM, DBADM, SYSCTRL, SYSMAINT
Description: DB2 does not log use of SYSADM, DBADM, SYSCTRL, SYSMAINT
■ UNIX (236645)
■ Windows 2003 (238045)
■ Windows 2008 (238645)
String ID: ESM_LOG_ADMINS
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [This setting is enabled but Auditing is not active. Hence DB2 does not audit use of SYSADM, DBADM, SYSCTRL, SYSMAINT events.]
Title: Audit Use of SYSADM, DBADM, SYSCTRL, SYSMAINT
Description: The setting for auditing use of SYSADM, DBADM, SYSCTRL, SYSMAINT events is enabled but Auditing is not active. Hence DB2 does not audit use of SYSADM, DBADM, SYSCTRL, SYSMAINT events.
■ UNIX (236666)
■ Windows 2003 (238066)
■ Windows 2008 (238666)
String ID: ESM_LOG_ADMINS_WARNING
Category: Policy Compliance


Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Audit Enabled
Description: The setting is enabled.
■ UNIX (236673)
■ Windows 2003 (238073)
■ Windows 2008 (238673)
String ID: ESM_SETTING_ENABLED
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Auditing Disabled
Description: The setting is disabled.
■ UNIX (236674)
■ Windows 2003 (238074)
■ Windows 2008 (238674)
String ID: ESM_SETTING_DISABLED
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
■ UNIX (236675)
■ Windows 2003 (238075)
■ Windows 2008 (238675)
String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance

Attempted Access To Restricted Objects (Windows and UNIX)

This check reports whether IBM DB2 databases log the attempted access to restricted objects defined by the Information owner.


The following table lists the messages for the check.

Table 2-19 Messages for Attempted Access To Restricted Objects

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [Attempted access to restricted objects defined by Information owner will not be logged]
Title: Audit attempted access to restricted objects
Description: DB2 does not log attempted access to restricted objects defined
■ UNIX (236646)
■ Windows 2003 (238046)
■ Windows 2008 (238646)
String ID: ESM_LOG_RESTRICTED_OBJ
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [This setting is enabled but Auditing is not active. Hence DB2 does not audit attempted access to restricted objects events.]
Title: Audit attempted access to restricted objects
Description: The setting for auditing attempted access to restricted objects events is enabled but Auditing is not active. Hence DB2 does not audit attempted access to restricted objects events.
■ UNIX (236667)
■ Windows 2003 (238067)
■ Windows 2008 (238667)
String ID: ESM_LOG_RESTRICTED_OBJ
Category: Policy Compliance


Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Audit Enabled
Description: The setting is enabled.
■ UNIX (236673)
■ Windows 2003 (238073)
■ Windows 2008 (238673)
String ID: ESM_SETTING_ENABLED
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Auditing Disabled
Description: The setting is disabled.
■ UNIX (236674)
■ Windows 2003 (238074)
■ Windows 2008 (238674)
String ID: ESM_SETTING_DISABLED
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
■ UNIX (236675)
■ Windows 2003 (238075)
■ Windows 2008 (238675)
String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance

Access To Sensitive Objects and/or Tables (Windows and UNIX)

This check reports whether IBM DB2 databases log the access to sensitive Objects and/or Tables defined by the Information owner.

The following table lists the messages for the check.


Table 2-20 Messages for Access To Sensitive Objects and/or Tables

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [Access to sensitive Objects and/or Tables defined by Information owner will not be logged]
Title: Audit access to sensitive Objects and/or Tables
Description: DB2 does not log access to sensitive Objects and/or Tables defined
■ UNIX (236647)
■ Windows 2003 (238047)
■ Windows 2008 (238647)
String ID: ESM_LOG_SENSITIVE_OBJ
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [This setting is enabled but Auditing is not active. Hence DB2 does not audit access to sensitive Objects and/or Tables events.]
Title: Audit access to sensitive Objects and/or Tables
Description: The setting for auditing access to sensitive Objects and/or Tables events is enabled but Auditing is not active. Hence DB2 does not audit access to sensitive Objects and/or Tables events.
■ UNIX (236668)
■ Windows 2003 (238068)
■ Windows 2008 (238668)
String ID: ESM_LOG_SENSITIVE_OBJ_WARNING
Category: Policy Compliance


Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Audit Enabled
Description: The setting is enabled.
■ UNIX (236673)
■ Windows 2003 (238073)
■ Windows 2008 (238673)
String ID: ESM_SETTING_ENABLED
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Auditing Disabled
Description: The setting is disabled.
■ UNIX (236674)
■ Windows 2003 (238074)
■ Windows 2008 (238674)
String ID: ESM_SETTING_DISABLED
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
■ UNIX (236675)
■ Windows 2003 (238075)
■ Windows 2008 (238675)
String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance

Unsuccessful Connection Attempts (Windows and UNIX)

This check reports whether IBM DB2 databases log the non-successful connection attempts from all users.

The following table lists the messages for the check.


Table 2-21 Messages for Unsuccessful Connection Attempts

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [Unsuccessful connection attempts from all users will not be logged]
Title: Audit unsuccessful connection attempts
Description: DB2 does not log unsuccessful connection attempts from all users
■ UNIX (236648)
■ Windows 2003 (238048)
■ Windows 2008 (238648)
String ID: ESM_LOG_FAILED_CONN
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [This setting is enabled but Auditing is not active. Hence DB2 does not audit unsuccessful connection attempts from all users]
Title: Audit unsuccessful connection attempts
Description: The setting for auditing unsuccessful connection attempts from all users events is enabled but Auditing is not active. Hence DB2 does not audit unsuccessful connection attempts from all users events.
■ UNIX (236669)
■ Windows 2003 (238069)
■ Windows 2008 (238669)
String ID: ESM_LOG_FAILED_CONN_WARNING
Category: Policy Compliance


Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Audit Enabled
Description: The setting is enabled.
■ UNIX (236673)
■ Windows 2003 (238073)
■ Windows 2008 (238673)
String ID: ESM_SETTING_ENABLED
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Auditing Disabled
Description: The setting is disabled.
■ UNIX (236674)
■ Windows 2003 (238074)
■ Windows 2008 (238674)
String ID: ESM_SETTING_DISABLED
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
■ UNIX (236675)
■ Windows 2003 (238075)
■ Windows 2008 (238675)
String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance

Administrative Functions Performed (Windows and UNIX)

This check reports whether IBM DB2 databases log the administrative functions performed by all users against database permissions granted to accounts or groups.

The following table lists the messages for the check.


Table 2-22 Messages for Administrative Functions Performed

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [Administrative functions performed by all users against database permissions granted to accounts or groups will not be logged]
Title: Audit administrative functions performed
Description: DB2 does not log administrative functions performed by all users
■ UNIX (236649)
■ Windows 2003 (238049)
■ Windows 2008 (238649)
String ID: ESM_LOG_ADMIN_FNS
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [This setting is enabled but Auditing is not active. Hence DB2 does not audit administrative functions performed by all users]
Title: Audit administrative functions performed
Description: The setting for auditing administrative functions performed by all users events is enabled but Auditing is not active. Hence DB2 does not audit administrative functions performed by all users events.
■ UNIX (236670)
■ Windows 2003 (238070)
■ Windows 2008 (238670)
String ID: ESM_LOG_ADMIN_FNS_WARNING
Category: Policy Compliance


Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Audit Enabled
Description: The setting is enabled.
■ UNIX (236673)
■ Windows 2003 (238073)
■ Windows 2008 (238673)
String ID: ESM_SETTING_ENABLED
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Auditing Disabled
Description: The setting is disabled.
■ UNIX (236674)
■ Windows 2003 (238074)
■ Windows 2008 (238674)
String ID: ESM_SETTING_DISABLED
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s. This setting is enabled but Auditing is not active.]
Title: Auditing Disabled
Description: The setting for this event is enabled but Auditing is not active. Hence DB2 does not audit this event.
■ UNIX (236675)
■ Windows 2003 (238075)
■ Windows 2008 (238675)
String ID: ESM_SETTING_DISABLED_WARNING
Category: Policy Compliance

Other Audit Settings (Windows and UNIX)

The checks that are included in the Other Audit Settings group report on other audit settings.

The following table lists the message for the check.


Table 2-23 Message for Other Audit Settings

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Comparison type not specified
Description: Enable Audit checks
■ UNIX (236651)
■ Windows 2003 (238051)
■ Windows 2008 (238651)
String ID: ESM_NO_COMPARISON_SPECIFIED
Category: ESM Error

Audit Archive Path (Windows and UNIX)

This check reports the path that you set for the audit archive. This check is supported on IBM DB2 database version 9.5 and later.

The following table lists the message for the check.

Table 2-24 Message for Audit Archive Path

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Audit Archive Path
Description: Audit Archive Path
■ UNIX (236672)
■ Windows 2003 (238072)
■ Windows 2008 (238672)
String ID: ESM_AUDIT_ARCHIVE_PATH
Category: System Information

Audit Data Path (Windows and UNIX)

This check reports the path that you set for the audit data. This check is supported on IBM DB2 database version 9.5 and later.

The following table lists the message for the check.


Table 2-25 Message for Audit Data Path

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Audit Data Path
Description: Audit Data Path
■ UNIX (236671)
■ Windows 2003 (238071)
■ Windows 2008 (238671)
String ID: ESM_AUDIT_DATA_PATH
Category: System Information

Audit Configuration Settings (Windows and UNIX)

This check reports if the DB2 audit settings do not match the settings mentioned in the template. This check is supported on IBM DB2 database version 9.5 and later.

This check uses the DB2 Audit Settings template.

The following table lists the message for the check.

Table 2-26 Message for Audit Configuration Settings

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Different DB2 audit setting
Description: The audit setting for this event is different from the value specified in template.
■ UNIX (236676)
■ Windows 2003 (238076)
■ Windows 2008 (238676)
String ID: ESM_DB2_DIFF_AUDIT_SETTING
Category: Policy Compliance


About the ESM DB2 Discovery module

The ESM DB2 Discovery module includes four checks that let you automate the detection and configuration of new databases that are not yet configured on the local ESM agent computers. The checks also detect the deleted databases and let you remove the deleted databases from the <Installation_directory>:\Program Files\Symantec\ESM\config\DB2Module.dat configuration file on Windows and /esm/config/DB2Module.dat configuration file on UNIX.

The module reports the instance name and the node name in the information column. If the node name for the corresponding instance is different, the module reports the node name as: (Nodename) instance name. Else, the module displays the instance name.

Automatically Add New Database (UNIX)

This check works in collaboration with the Detect New Database check. This check uses the user name that is specified in the User Name text box to automatically configure the newly detected databases. The check takes the $INSTANCE_NAME keyword that is specified in the User Name text box as an instance owner to configure the databases.

The following table lists the messages for the check.

Table 2-27 Messages for Automatically Add New Database

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Added New Database
Description: The ESM DB2 Discovery module has detected a new database. The module by using the generic credentials has added the configuration record of the newly detected databases in the configuration file.
■ UNIX (236732)
String ID: ESM_DB2_NEW_DATABASE_ADDED
Category: ESM Administrative Information


Severity: yellow-1
Correctable: true
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Failed to Add New Database
Description: The ESM DB2 Discovery module by using the generic credentials has failed to add the configuration record of the newly detected databases in the configuration file. Either invalid logon credentials are used or the database is not running. Use the Correct option and enter the custom credentials to configure the newly detected database.
■ UNIX (236733)
String ID: ESM_DB2_ADD_DATABASE_FAILED
Category: ESM Administrative Information

Automatically Add New Database (Windows)

This check works in collaboration with the Detect New Database check. This check uses the generic credentials to automatically configure the newly detected databases.

The following table lists the messages for the check.


Table 2-28 Messages for Automatically Add New Database

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Added New Database
Description: The ESM DB2 Discovery module has detected a new database. The module by using the generic credentials has added the configuration record of the newly detected databases in the configuration file.
■ Windows 2003 (238932)
■ Windows 2008 (238732)
String ID: ESM_DB2_NEW_DATABASE_ADDED
Category: ESM Administrative Information

Severity: yellow-1
Correctable: true
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Failed to Add New Database
Description: The ESM DB2 Discovery module by using the generic credentials has failed to add the configuration record of the newly detected databases in the configuration file. Either invalid logon credentials are used or the database is not running. Use the Correct option and enter the custom credentials to configure the newly detected database.
■ Windows 2003 (238933)
■ Windows 2008 (238733)
String ID: ESM_DB2_ADD_DATABASE_FAILED
Category: ESM Administrative Information

Automatically Add New Instance (UNIX)

This check works in collaboration with the Detect New Instance. This check uses the user name as specified in the User Name text box to automatically configure the newly detected instance. If you specify the $INSTANCE_NAME keyword in the User Name text box then the module uses the instance owner to configure the DB2 instance.

The following table lists the messages for the check.

Table 2-29 Messages for Automatically Add New Instance

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Added New Instance
Description: The ESM DB2 module has detected a new Instance. The configuration record for the newly detected instance has been successfully added to the configuration file.
■ UNIX (236738)
String ID: ESM_DB2_NEW_INSTANCE_ADDED
Category: ESM Administrative Information

Severity: yellow-1
Correctable: true
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Failed to Add New Instance
Description: The ESM DB2 module has failed to add a new record in the configuration file for the new instance that was detected. To configure the newly detected instance use the Correct option and then enter the custom credentials.
■ UNIX (236740)
String ID: ESM_DB2_ADD_INSTANCE_FAILED
Category: ESM Administrative Information

Automatically Remove Deleted Database (Windows and UNIX)

This check works in collaboration with the Detect Deleted Database check. This check automatically removes the deleted database records from the configuration file.

The following table lists the message for the check.


Table 2-30 Message for Automatically Remove Deleted Database

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Removed Deleted Database
Description: The configuration record for the database has been deleted from the configuration file.
■ UNIX (236735)
■ Windows 2003 (238935)
■ Windows 2008 (238735)
String ID: ESM_DB2_DATABASE_DELETED
Category: ESM Administrative Information

Automatically Remove Deleted Instance (UNIX)

This check works in collaboration with the Detect Deleted Instance check. This check automatically removes the deleted instance records from the ESM configuration file.

The following table lists the message for the check.

Table 2-31 Message for Automatically Remove Deleted Instance

Message String ID and Category:
String ID: ESM_DB2_INSTANCE_DELETED
Category: ESM Administrative Information

Platform and Message Numeric ID:
■ UNIX (236739)

Message Title and Description:
Title: Removed Deleted Instance
Description: The ESM DB2 module has deleted the configuration record for the instance.

Additional Information:
Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Detect Deleted Database (Windows and UNIX)

This check reports the databases that are deleted from the ESM agent computers but are still configured in the configuration file.


The following table lists the message for the check.

Table 2-32 Message for Detect Deleted Database

Message String ID and Category:
String ID: ESM_DB2_DEL_DATABASE_DETECTED
Category: ESM Administrative Information

Platform and Message Numeric ID:
■ UNIX (236734)
■ Windows 2003 (238934)
■ Windows 2008 (238734)

Message Title and Description:
Title: Deleted Database
Description: The ESM DB2 module has detected a deleted database on the local ESM agent computer. Use the Update option to delete the configuration information from the configuration file.

Additional Information:
Severity: yellow-1
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]

Detect Deleted Instance (UNIX)

This check reports the instances that were deleted from the ESM agent computers but are still configured in the configuration file.

The following table lists the message for the check.

Table 2-33 Message for Detect Deleted Instance

Message String ID and Category:
String ID: ESM_DB2_DELETED_INSTANCE_DETECTED
Category: ESM Administrative Information

Platform and Message Numeric ID:
■ UNIX (236737)

Message Title and Description:
Title: Deleted Instance
Description: The ESM DB2 module has detected a deleted Instance. Use the Update option to delete the detected instance.

Additional Information:
Severity: yellow-1
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]


Detect New Database (Windows and UNIX)

This check reports the databases that are newly detected on the ESM agent computers and that were not configured earlier.

The following table lists the message for the check.

Table 2-34 Message for Detect New Database

Message String ID and Category:
String ID: ESM_DB2_NEW_DATABASE_DETECTED
Category: ESM Administrative Information

Platform and Message Numeric ID:
■ UNIX (236731)
■ Windows 2003 (238931)
■ Windows 2008 (238731)

Message Title and Description:
Title: New Database
Description: The ESM DB2 Discovery module has detected a new database on the local ESM agent computer. To configure the newly detected database, use the Correct option to provide the appropriate logon credentials.

Additional Information:
Severity: yellow-1
Correctable: true
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Detect New Instance (UNIX)

This check reports the IBM DB2 instances that are newly detected on the ESM agent computers and that were not configured earlier in the configuration file.

The following table lists the message for the check.


Table 2-35 Message for Detect New Instance

Message String ID and Category:
String ID: ESM_DB2_NEW_INSTANCE_DETECTED
Category: ESM Administrative Information

Platform and Message Numeric ID:
■ UNIX (236736)

Message Title and Description:
Title: New Instance
Description: The ESM DB2 module has detected new Instance. Use the Correct option to configure newly detected Instance.

Additional Information:
Severity: yellow-1
Correctable: true
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

About the ESM DB2 Fix Packs module

This module reports if the current ESM DB2 level on the IBM DB2 server needs to be upgraded to the latest ESM DB2 fix pack.

The ESM DB2 Fix Packs module reports on the IBM DB2 Copies.

Note: If the ESM agent has only the IBM DB2 client installed, the module reports on the client computer.

DB2 Copies (Windows)

This check lets you include or exclude the DB2 copies that the module reports on. By default, the module examines all the database copies that were configured during the DB2 installation. Use the name list in this option to specify the copies that are to be included or excluded.

DB2 Instances (UNIX)

This check lets you include or exclude the DB2 instances that the module reports on. By default, the module examines all the DB2 instances that were configured. Use the name list to specify the instances that are to be included or excluded.

Installed Fix Packs (Windows and UNIX)

This check reports the fix packs that are installed on the IBM DB2 server. This check also reports the details of the IBM DB2 level on the IBM DB2 server.


The following table lists the messages for the check.

Table 2-36 Messages for Installed fix packs

Message String ID and Category:
String ID: DB2_INSTALLED_FIXPACK
Category: System Information

Platform and Message Numeric ID:
■ UNIX (236305)
■ Windows 2003 (237605)
■ Windows 2008 (238305)

Message Title and Description:
Title: Installed DB2 Fix Pack on your computer
Description: Symantec ESM has detected that the required DB2 fix pack is not installed on your computer.

Additional Information:
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Message String ID and Category:
String ID: DB2_CONFIG_ERR
Category: ESM Error

Platform and Message Numeric ID:
■ UNIX (236309)
■ Windows 2003 (237609)
■ Windows 2008 (238309)

Message Title and Description:
Title: Configuration Error
Description: The IBM Utility db2level.exe is not available.

Additional Information:
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Template files (Windows and UNIX)

This check reports the information on the specific template files that are to be included for the checks. This check compares the existing IBM DB2 level on the IBM DB2 server with the latest fix pack available in the template file and reports the difference.

This check uses the DB2 Fix Packs template.

The following table lists the messages for the check.


Table 2-37 Messages for Template files

Message String ID and Category:
String ID: DB2_TEMPLATEFILE_MISSING
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236308)
■ Windows 2003 (237608)
■ Windows 2008 (238308)

Message Title and Description:
Title: Template file(s) not specified
Description: The DB2 Fix Pack module was run without any template files. No template related checks were performed. Check your policy to ensure that at least one template file is enabled for the agent's operating system.

Additional Information:
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Message String ID and Category:
String ID: DB2_REQUIRED_FIXPACK
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236307)
■ Windows 2003 (237607)
■ Windows 2008 (238307)

Message Title and Description:
Title: Required DB2 Fix Pack for your computer
Description: Symantec ESM has detected that DB2 fix Pack is required to be installed on your computer.

Additional Information:
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Message String ID and Category:
String ID: DB2_CONFIG_ERR
Category: ESM Error

Platform and Message Numeric ID:
■ UNIX (236309)
■ Windows 2003 (237609)
■ Windows 2008 (238309)

Message Title and Description:
Title: Configuration Error
Description: The IBM Utility db2level.exe is not available.

Additional Information:
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Message String ID and Category:
String ID: DB2_TEMPLATE_ERR
Category: ESM Error

Platform and Message Numeric ID:
■ UNIX (236310)
■ Windows 2003 (237610)
■ Windows 2008 (238310)

Message Title and Description:
Title: Template Error
Description: Please check if the entry in the template for Version (DB2 Version) is in expected format, for example DB2 v9.1.0.2.

Additional Information:
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
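The comparison that the Template files check describes, with the messages from Tables 2-36 and 2-37, as an added Python example (not Symantec's code). The db2level text is a constructed sample; the four-part numeric level, the template passed as a list of strings and the same-release matching rule are assumptions. Only the String IDs and the example level DB2 v9.1.0.2 come from this guide.

```python
import re

# Assumed level format, taken from the guide's single example "DB2 v9.1.0.2":
# the literal "DB2 v" followed by four dot-separated integers.
LEVEL = re.compile(r"DB2 v(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed sample of db2level output (not captured from a real server).
SAMPLE_DB2LEVEL = '''DB21085I  Instance "db2inst1" uses "64" bits and DB2 code release "SQL09012"
with level identifier "01030107".
Informational tokens are "DB2 v9.1.0.2", "s070210", "MI00183", and Fix Pack "2".
Product is installed at "/opt/ibm/db2/V9.1".'''


def parse_template_entry(entry):
    """Return the level as a tuple of ints, or None if the entry is malformed."""
    match = LEVEL.fullmatch(entry.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def installed_level(db2level_output):
    """Extract the first 'DB2 vN.N.N.N' token from db2level output."""
    match = LEVEL.search(db2level_output)
    if match is None:
        raise ValueError("no 'DB2 vN.N.N.N' token found in db2level output")
    return tuple(int(part) for part in match.groups())


def format_level(level):
    return "DB2 v" + ".".join(str(number) for number in level)


def check_fix_pack(db2level_output, template_entries):
    """Return a list of (String ID, information) findings.

    db2level_output is None when the utility could not be run.
    """
    if not template_entries:
        # No template enabled: no template-related checks are performed.
        return [("DB2_TEMPLATEFILE_MISSING", "")]
    if db2level_output is None:
        return [("DB2_CONFIG_ERR", "db2level")]

    installed = installed_level(db2level_output)
    findings = [("DB2_INSTALLED_FIXPACK", format_level(installed))]

    same_release = []
    for entry in template_entries:
        level = parse_template_entry(entry)
        if level is None:
            findings.append(("DB2_TEMPLATE_ERR", entry))
        elif level[:2] == installed[:2]:
            # Assumption: only entries of the installed release (major.minor)
            # are candidates for "latest fix pack".
            same_release.append(level)

    # Compare as integer tuples. Comparing the raw strings would rank
    # "DB2 v9.1.0.10" below "DB2 v9.1.0.9".
    if same_release and max(same_release) > installed:
        findings.append(("DB2_REQUIRED_FIXPACK", format_level(max(same_release))))
    return findings


if __name__ == "__main__":
    template = ["DB2 v9.1.0.9", "DB2 v9.1.0.10", "DB2 v9.5.0.4", "DB2v9.1"]
    for string_id, info in check_fix_pack(SAMPLE_DB2LEVEL, template):
        print(f"{string_id}: [{info}]")
```
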

About the ESM DB2 Remote module

The ESM DB2 Remote module includes checks that specify database aliases to be checked, examine authentication methods, and list the current DB2 version and operating system.

Note: The ESM DB2 Remote module can report on the remotely configured database instances on Windows computers.

DB2 Database Aliases (Windows and UNIX)

By default, ESM examines every IBM DB2 database alias for which there exists a configuration record. Use the IBM DB2 Database Aliases option to specify included or excluded database aliases that you want to check. If the name list is empty, all databases are checked.

Unauthorized Group Set in System Administrator Authority (Windows and UNIX)

This check reports groups that are granted the System Administrator Authority but that are not authorized to have it. Use the Authorized Groups name list to exclude all groups that are authorized to have the System Administrator Authority.

The following table lists the message for the check.


Table 2-38 Message for Unauthorized Group Set in System Administrator Authority

Message String ID and Category:
String ID: ESM_UNAUTH_SYSADM_GROUP
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236150)
■ Windows 2003 (237350)
■ Windows 2008 (238150)

Message Title and Description:
Title: Unauthorized group set for System Administrator Authority
Description: Unauthorized group set for the System Administrator Authority.

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Unauthorized Group Set in System Control Authority (Windows and UNIX)

This check reports groups that have been granted the System Control Authority but that are not authorized to have it. Use the Authorized Groups name list to exclude all groups that are authorized to have the System Control Authority.

The following table lists the message for the check.

Table 2-39 Message for Unauthorized Group Set in System Control Authority

Message String ID and Category:
String ID: ESM_UNAUTH_SYSCTRL_GROUP
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236152)
■ Windows 2003 (237352)
■ Windows 2008 (238152)

Message Title and Description:
Title: Unauthorized group set for System Control Authority
Description: Unauthorized group set for System Control Authority

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]


Unauthorized Group Set in System Maintenance Authority (Windows and UNIX)

This check reports groups that have been granted the System Maintenance Authority but that are not authorized to have it. Use the Authorized Groups name list to exclude all groups that are authorized to have the System Maintenance Authority.

The following table lists the message for the check.

Table 2-40 Message for Unauthorized Group Set in System Maintenance Authority

Message String ID and Category:
String ID: ESM_UNAUTH_SYSMAINT_GROUP
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236151)
■ Windows 2003 (237351)
■ Windows 2008 (238151)

Message Title and Description:
Title: Unauthorized group set for System Maintenance Authority
Description: Unauthorized group set for System Maintenance Authority.

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Unauthorized Group/User in BINDADD Database Privilege (Windows and UNIX)

This check reports groups and users that have been granted the BINDADD Database Privilege but that are not authorized to have it. Use the Authorized Groups/Users name list to exclude all groups and users that are authorized to have the BINDADD Database Privilege.

The following table lists the message for the check.


Table 2-41 Message for Unauthorized Group/User in BINDADD Database Privilege

Message String ID and Category:
String ID: ESM_UNAUTH_GROUPUSER_BINDADDAUTH
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236154)
■ Windows 2003 (237354)
■ Windows 2008 (238154)

Message Title and Description:
Title: Unauthorized group/user set for the BINDADD Database privilege
Description: Unauthorized group/user set for the BINDADD Database privilege.

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Unauthorized Group/User in CONNECT Database Privilege (Windows and UNIX)

This check reports groups and users that have been granted the CONNECT Database Privilege but that are not authorized to have it. Use the Authorized Groups/Users name list to exclude all groups and users that are authorized to have the CONNECT Database Privilege.

The following table lists the message for the check.

Table 2-42 Message for Unauthorized Group/User in CONNECT Database Privilege

Message String ID and Category:
String ID: ESM_UNAUTH_GROUPUSER_CONNECTAUTH
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236155)
■ Windows 2003 (237355)
■ Windows 2008 (238155)

Message Title and Description:
Title: Unauthorized group/user set for the CONNECT Database privilege
Description: Unauthorized group/user set for the CONNECT Database privilege.

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]


Unauthorized Group/User in CREATETAB Database Privilege (Windows and UNIX)

This check reports groups and users that have been granted the CREATETAB Database Privilege but that are not authorized to have it. Use the Authorized Groups/Users name list to exclude all groups and users that are authorized to have the CREATETAB Database Privilege.

The following table lists the message for the check.

Table 2-43 Message for Unauthorized Group/User in CREATETAB Database Privilege

Message String ID and Category:
String ID: ESM_UNAUTH_GROUPUSER_CREATETABAUTH
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236156)
■ Windows 2003 (237356)
■ Windows 2008 (238156)

Message Title and Description:
Title: Unauthorized group/user set for the CREATETAB Database privilege
Description: Unauthorized group/user set for the CREATETAB Database privilege.

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Unauthorized Group/User in CREATE_NOT_FENCED Database Privilege (Windows and UNIX)

This check reports groups and users that have been granted the CREATE_NOT_FENCED Database Privilege but that are not authorized to have it. Use the Authorized Groups/Users name list to exclude all groups and users that are authorized to have the CREATE_NOT_FENCED Database Privilege.

The following table lists the message for the check.


Table 2-44 Message for Unauthorized Group/User in CREATE_NOT_FENCED Database Privilege

Message String ID and Category:
String ID: ESM_UNAUTH_GROUPUSER_NOFENCEAUTH
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236157)
■ Windows 2003 (237357)
■ Windows 2008 (238157)

Message Title and Description:
Title: Unauthorized group/user set for the CREATE_NOT_FENCED Database privilege
Description: Unauthorized group/user set for the CREATE_NOT_FENCED Database privilege.

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Unauthorized Group/User in Database Administrator Authority (Windows and UNIX)

This check reports groups and users that have been granted the Database Administrator Authority but that are not authorized to have it. Use the Authorized Groups/Users name list to exclude all groups and users that are authorized to have the Database Administrator Authority.

The following table lists the message for the check.


Table 2-45 Message for Unauthorized Group/User in Database Administrator Authority

Message String ID and Category:
String ID: ESM_UNAUTH_GROUPUSER_DBADMAUTH
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236153)
■ Windows 2003 (237353)
■ Windows 2008 (238153)

Message Title and Description:
Title: Unauthorized group/user set for Database Administrator Authority
Description: Unauthorized group/user set for Database Administrator Authority.

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Unauthorized Group/User in IMPLICT_SCHEMA Database Privilege (Windows and UNIX)

This check reports the groups and the users that have been granted the IMPLICIT_SCHEMA Database Privilege but are not authorized to have it. Use the Authorized Groups/Users name list to exclude all the groups and the users that are authorized to have the IMPLICIT_SCHEMA Database Privilege.

The following table lists the message for the check.


Table 2-46 Message for Unauthorized Group/User in IMPLICT_SCHEMA Database Privilege

Message String ID and Category:
String ID: ESM_UNAUTH_GROUPUSER_IMPLSCHEMAAUTH
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236158)
■ Windows 2003 (237358)
■ Windows 2008 (238158)

Message Title and Description:
Title: Unauthorized group/user set for the IMPLICT_SCHEMA Database privilege
Description: Unauthorized group/user set for the IMPLICT_SCHEMA Database privilege.

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Unauthorized Group/User in LOAD Authority (Windows and UNIX)

This check reports groups and users that were granted the LOAD Authority but that are not authorized to have it. Use the Authorized Groups/Users name list to exclude all groups and users that are authorized to have the LOAD Authority.

The following table lists the message for the check.

Table 2-47 Message for Unauthorized Group/User in LOAD Authority

Message String ID and Category:
String ID: ESM_UNAUTH_GROUPUSER_LOADAUTH
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236159)
■ Windows 2003 (237359)
■ Windows 2008 (238159)

Message Title and Description:
Title: Unauthorized group/user set for the LOAD Authority
Description: Unauthorized group/user set for the LOAD Authority.

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]


Unauthorized Group/User in CREATE_EXTERNAL_ROUTINE authority (Windows and UNIX)

This check reports the groups and users that were granted the CREATE_EXTERNAL_ROUTINE authority, but are not authorized to have it. Use the name list to exclude all the groups and users that are authorized to have the CREATE_EXTERNAL_ROUTINE authority.

The following table lists the message for the check.

Table 2-48 Message for Unauthorized Group/User in CREATE_EXTERNAL_ROUTINE authority

Message String ID and Category:
String ID: ESM_UNAUTH_GROUPUSR_EXTROUTINE_AUTH
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236195)
■ Windows 2003 (237395)
■ Windows 2008 (238195)

Message Title and Description:
Title: Unauthorized group/user set for the CREATE_EXTERNAL_ROUTINE Authority
Description: Unauthorized group/user set for the CREATE_EXTERNAL_ROUTINE Authority.

Additional Information:
Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Authentication from the Server (Windows and UNIX)

This check examines the way users are authenticated. Your database is most secure if users are authenticated from the server side rather than the client side. Use the Authorized Setting name list to specify the authorized authentication methods.

The following table lists the message for the check.


Table 2-49 Message for Authentication from the Server

Message String ID and Category:
String ID: ESM_INVALID_AUTHENTICATION_SETTING
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236160)
■ Windows 2003 (237360)
■ Windows 2008 (238160)

Message Title and Description:
Title: Invalid DB2 Authentication setting
Description: Invalid authentication setting for Database Manager Configuration.

Additional Information:
Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

DB2 Version and OS (Windows and UNIX)

This check reports the DB2 database version and operating system.

The following table lists the message for the check.

Table 2-50 Message for DB2 Version and OS

Message String ID and Category:
String ID: ESM_DB2_VERSION_OS
Category: System Information

Platform and Message Numeric ID:
■ UNIX (236181)
■ Windows 2003 (237381)
■ Windows 2008 (238181)

Message Title and Description:
Title: DB2 Version and OS
Description: DB2 Version and OS.

Additional Information:
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Server Discovery Mode (Windows and UNIX)

This check examines the discovery mode setting for the IBM DB2 server. Use the Server Discovery Mode name list to specify the allowed discovery mode action parameters.

The following table lists the message for the check.


Table 2-51 Message for Server Discovery Mode

Message String ID and Category:
String ID: ESM_SERVER_DIS_MODE
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236182)
■ Windows 2003 (237382)
■ Windows 2008 (238182)

Message Title and Description:
Title: DB2 Server Discovery Mode
Description: DB2 server discovery mode is not allowed.

Additional Information:
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Instance Discovery Mode (Windows and UNIX)

This check examines the discovery mode setting for IBM DB2 instances. Use the Instance Discovery Mode name list to specify the allowed discovery mode action parameters.

The following table lists the message for the check.

Table 2-52 Message for Instance Discovery Mode

Message String ID and Category:
String ID: ESM_INSTANCE_DIS_MODE
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236183)
■ Windows 2003 (237383)
■ Windows 2008 (238183)

Message Title and Description:
Title: DB2 Instance Discovery Mode
Description: DB2 instance discovery mode is not allowed.

Additional Information:
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

Database Discovery Mode (Windows and UNIX)

This check examines the discovery mode setting for IBM DB2 databases. Use the Database Discovery Mode name list to specify the allowed discovery mode action parameters.


The following table lists the message for the check.

Table 2-53 Message for Database Discovery Mode

Message String ID and Category:
String ID: ESM_DATABASE_DIS_MODE
Category: Policy Compliance

Platform and Message Numeric ID:
■ UNIX (236184)
■ Windows 2003 (237384)
■ Windows 2008 (238184)

Message Title and Description:
Title: DB2 Database Discovery Mode
Description: DB2 database discovery mode is not allowed.

Additional Information:
Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]

New Group/User in Database Administrator Authority (Windows and UNIX)

This check reports groups and users that were granted the Database Administrator Authority since the last snapshot updates.

The following table lists the message for the check.

Table 2-54 Message for New Group/User in Database Administrator Authority

Message String ID and Category:
String ID: ESM_NEW_GROUPUSER_DBADMAUTH
Category: Change Notification

Platform and Message Numeric ID:
■ UNIX (236161)
■ Windows 2003 (237361)
■ Windows 2008 (238161)

Message Title and Description:
Title: New group/user set for the Database Administrator Authority
Description: New group/user set for the Database Administrator Authority.

Additional Information:
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]


Deleted Group/User in Database Administrator Authority (Windows and UNIX)

This check reports groups and users that had the Database Administrator Authority and had it revoked or that were deleted since the last snapshot updates.

The following table lists the message for the check.

Table 2-55 Message for Deleted Group/User in Database Administrator Authority

Message String ID and Category:
String ID: ESM_DEL_GROUPUSER_DBADMAUTH
Category: Change Notification

Platform and Message Numeric ID:
■ UNIX (236162)
■ Windows 2003 (237362)
■ Windows 2008 (238162)

Message Title and Description:
Title: Deleted group/user set for Database Administrator Authority
Description: Deleted group/user set for the Database Administrator Authority.

Additional Information:
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]

Modified Group/User in Database Administrator Authority (Windows and UNIX)

This check reports groups and users with Database Administrator Authority grantor or granteetype changes since the last snapshot updates.

The following table lists the message for the check.


Table 2-56 Message for Modified Group/User in Database Administrator Authority

Message String ID and Category:
String ID: ESM_MOD_GROUPUSER_DBADMAUTH
Category: Change Notification

Platform and Message Numeric ID:
■ UNIX (236163)
■ Windows 2003 (237363)
■ Windows 2008 (238163)

Message Title and Description:
Title: Modified group/user set for Database Administrator Authority
Description: Modified group/user set for Database Administrator Authority.

Additional Information:
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]
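An added Python example (not part of this guide or of ESM) of the logic behind the Unauthorized, New, Deleted and Modified Group/User checks, shown for Database Administrator Authority and parameterized so the same functions cover CONNECT and the other database authorities. It assumes the grants come from the DB2 catalog view SYSCAT.DBAUTH; the rows, account names and the case-insensitive name-list match are constructed for illustration.

```python
from collections import defaultdict


def row(grantor, grantee, granteetype, dbadm, connect):
    """Build one constructed row in the shape of SYSCAT.DBAUTH.

    GRANTEETYPE is 'U' for a user and 'G' for a group; each authority
    column holds 'Y' or 'N'.
    """
    return {"GRANTOR": grantor, "GRANTEE": grantee, "GRANTEETYPE": granteetype,
            "DBADMAUTH": dbadm, "CONNECTAUTH": connect}


# Constructed data: the state stored at the last snapshot update ...
PREVIOUS_SNAPSHOT = [
    row("SYSIBM", "DB2INST1", "U", "Y", "Y"),
    row("DB2INST1", "DBAGRP", "G", "Y", "Y"),
    row("DB2INST1", "APPSVC", "U", "Y", "Y"),
    row("SYSIBM", "PUBLIC", "G", "N", "Y"),
]
# ... and the state found by the current policy run.
CURRENT_STATE = [
    row("SYSIBM", "DB2INST1", "U", "Y", "Y"),
    row("DB2INST1", "DBAGRP", "G", "N", "Y"),       # DBADM revoked
    row("CONTRACTOR1", "APPSVC", "U", "Y", "Y"),    # same grantee, different grantor
    row("DB2INST1", "CONTRACTOR1", "U", "Y", "Y"),  # new holder
]                                                   # PUBLIC row is gone


def holders(rows, authority):
    """Map each grantee holding `authority` to its set of (granteetype, grantor)."""
    held = defaultdict(set)
    for entry in rows:
        if entry.get(authority, "N").strip().upper() == "Y":
            grantee = entry["GRANTEE"].strip().upper()
            held[grantee].add((entry["GRANTEETYPE"].strip().upper(),
                               entry["GRANTOR"].strip().upper()))
    return dict(held)


def unauthorized(rows, authority, authorized_names):
    """Grantees that hold `authority` but are absent from the authorized name list."""
    allowed = {name.strip().upper() for name in authorized_names}
    return sorted(g for g in holders(rows, authority) if g not in allowed)


def snapshot_changes(previous_rows, current_rows, authority):
    """Classify grantees as new, deleted or modified since the snapshot.

    'modified' means the grantee still holds the authority but the grantor
    or granteetype recorded for it has changed.
    """
    before = holders(previous_rows, authority)
    after = holders(current_rows, authority)
    return {
        "new": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(g for g in before.keys() & after.keys()
                           if before[g] != after[g]),
    }


if __name__ == "__main__":
    print(unauthorized(CURRENT_STATE, "DBADMAUTH", ["db2inst1", "dbagrp"]))
    print(snapshot_changes(PREVIOUS_SNAPSHOT, CURRENT_STATE, "DBADMAUTH"))
    print(snapshot_changes(PREVIOUS_SNAPSHOT, CURRENT_STATE, "CONNECTAUTH"))
```
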

New Group/User in CONNECT Database Privilege (Windows and UNIX)

This check reports groups and users that were granted the CONNECT Database Privilege since the last snapshot updates.

The following table lists the message for the check.

Table 2-57 Message for New Group/User in CONNECT Database Privilege

Message String ID and Category:
String ID: ESM_NEW_GROUPUSER_CONNECTAUTH
Category: Change Notification

Platform and Message Numeric ID:
■ UNIX (236164)
■ Windows 2003 (237364)
■ Windows 2008 (238164)

Message Title and Description:
Title: New group/user set for CONNECT Database Privilege
Description: New group/user set for CONNECT Database Privilege.

Additional Information:
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]


Deleted Group/User in CONNECT Database Privilege (Windows and UNIX)

This check reports groups and users that had the CONNECT Database Privilege and had it revoked or that were deleted since the last snapshot updates.

The following table lists the message for the check.

Table 2-58 Message for Deleted Group/User in CONNECT Database Privilege

Message String ID and Category:
String ID: ESM_DEL_GROUPUSER_CONNECTAUTH
Category: Change Notification

Platform and Message Numeric ID:
■ UNIX (236185)
■ Windows 2003 (237385)
■ Windows 2008 (238185)

Message Title and Description:
Title: Deleted group/user set for CONNECT Database Privilege
Description: Deleted group/user set for CONNECT Database Privilege.

Additional Information:
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]

Modified Group/User in CONNECT Database Privilege (Windows and UNIX)

This check reports groups and users with CONNECT Database Privilege grantor or granteetype changes since the last snapshot updates.

The following table lists the message for the check.


Table 2-59 Message for Modified Group/User in CONNECT Database Privilege

Message String ID and Category:
String ID: ESM_MOD_GROUPUSER_CONNECTAUTH
Category: Change Notification

Platform and Message Numeric ID:
■ UNIX (236165)
■ Windows 2003 (237365)
■ Windows 2008 (238165)

Message Title and Description:
Title: Modified group/user set for CONNECT Database Privilege
Description: Modified group/user set for CONNECT Database Privilege.

Additional Information:
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]

New Group/User in BINDADD Database Privilege (Windows and UNIX)

This check reports groups and users that were granted the BINDADD Database Privilege since the last snapshot updates.

The following table lists the message for the check.

Table 2-60 Message for New Group/User in BINDADD Database Privilege

Message String ID and Category:
String ID: ESM_NEW_GROUPUSER_BINDADDAUTH
Category: Change Notification

Platform and Message Numeric ID:
■ UNIX (236166)
■ Windows 2003 (237366)
■ Windows 2008 (238166)

Message Title and Description:
Title: New group/user set for the BINDADD Database Privilege
Description: New group/user set for the BINDADD Database Privilege.

Additional Information:
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]

Deleted Group/User in BINDADD Database Privilege (Windows and UNIX)

This check reports groups and users that had the BINDADD Privilege and had it revoked or that were deleted since the last snapshot updates.


The following table lists the message for the check.

Table 2-61 Message for Deleted Group/User in BINDADD Database Privilege

Message String ID and Category:
String ID: ESM_DEL_GROUPUSER_BINDADDAUTH
Category: Change Notification

Platform and Message Numeric ID:
■ UNIX (236167)
■ Windows 2003 (237367)
■ Windows 2008 (238167)

Message Title and Description:
Title: Deleted group/user set for the BINDADD Database Privilege.
Description: Deleted group/user set for the BINDADD Database Privilege.

Additional Information:
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]

Modified Group/User in BINDADD Database Privilege (Windows and UNIX)

This check reports groups and users with BINDADD Database Privilege grantor or granteetype changes since the last snapshot updates.

The following table lists the message for the check.

Table 2-62 Message for Modified Group/User in BINDADD Database Privilege

Message String ID and Category:
String ID: ESM_MOD_GROUPUSER_BINDADDAUTH
Category: Change Notification

Platform and Message Numeric ID:
■ UNIX (236168)
■ Windows 2003 (237368)
■ Windows 2008 (238168)

Message Title and Description:
Title: Modified group/user set for the BINDADD Database Privilege
Description: Modified group/user set for the BINDADD Database Privilege.

Additional Information:
Severity: yellow-2
Correctable: false
Snapshot Updatable: true
Template Updatable: false
Information Field Format: [%s]


New Group/User in CREATETAB Database Privilege (Windows and UNIX)

This check reports groups and users that were granted the CREATETAB Database Privilege since the last snapshot updates.

The following table lists the message for the check.

Table 2-63 Message for New Group/User in CREATETAB Database Privilege

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_NEW_GROUPUSER_CREATETABAUTH; Category: Change Notification | UNIX (236169); Windows 2003 (237369); Windows 2008 (238169) | Title: New group/user set for the CREATETAB Database Privilege; Description: New group/user set for the CREATETAB Database Privilege. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Deleted Group/User in CREATETAB Database Privilege (Windows and UNIX)

This check reports groups and users that had the CREATETAB Database Privilege and had it revoked or that were deleted since the last snapshot updates.

The following table lists the message for the check.

Table 2-64 Message for Deleted Group/User in CREATETAB Database Privilege

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DEL_GROUPUSER_CREATETABAUTH; Category: Change Notification | UNIX (236170); Windows 2003 (237370); Windows 2008 (238170) | Title: Deleted group/user set for the CREATETAB Database Privilege; Description: Deleted group/user set for the CREATETAB Database Privilege. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |


Modified Group/User in CREATETAB Database Privilege (Windows and UNIX)

This check reports groups and users with CREATETAB Database Privilege grantor or granteetype changes since the last snapshot updates.

The following table lists the message for the check.

Table 2-65 Message for Modified Group/User in CREATETAB Database Privilege

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_MOD_GROUPUSER_CREATETABAUTH; Category: Change Notification | UNIX (236171); Windows 2003 (237371); Windows 2008 (238171) | Title: Modified group/user set for the CREATETAB Database Privilege; Description: Modified group/user set for the CREATETAB Database Privilege. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

New Group/User in IMPLICIT_SCHEMA Database Privilege (Windows and UNIX)

This check reports groups and users that were granted the IMPLICIT_SCHEMA Database Privilege since the last snapshot updates.

The following table lists the message for the check.


Table 2-66 Message for New Group/User in IMPLICIT_SCHEMA Database Privilege

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_NEW_GROUPUSER_IMPLSCHEMAAUTH; Category: Change Notification | UNIX (236172); Windows 2003 (237372); Windows 2008 (238172) | Title: New group/user set for the IMPLICIT_SCHEMA Database Privilege; Description: New group/user set for the IMPLICIT_SCHEMA Database Privilege. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Deleted Group/User in IMPLICIT_SCHEMA Database Privilege (Windows and UNIX)

This check reports groups and users that had the IMPLICIT_SCHEMA Database Privilege and had it revoked or that were deleted since the last snapshot updates.

The following table lists the message for the check.

Table 2-67 Message for Deleted Group/User in IMPLICIT_SCHEMA Database Privilege

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DEL_GROUPUSER_IMPLSCHEMAAUTH; Category: Change Notification | UNIX (236173); Windows 2003 (237373); Windows 2008 (238173) | Title: Deleted group/user set for the IMPLICIT_SCHEMA Database Privilege; Description: Deleted group/user set for the IMPLICIT_SCHEMA Database Privilege. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |


Modified Group/User in IMPLICIT_SCHEMA Database Privilege (Windows and UNIX)

This check reports groups and users with IMPLICIT_SCHEMA Database Privilege grantor or granteetype changes since the last snapshot updates.

The following table lists the message for the check.

Table 2-68 Message for Modified Group/User in IMPLICIT_SCHEMA Database Privilege

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_MOD_GROUPUSER_IMPLSCHEMAAUTH; Category: Change Notification | UNIX (236174); Windows 2003 (237374); Windows 2008 (238174) | Title: Modified group/user set for the IMPLICIT_SCHEMA Database Privilege; Description: Modified group/user set for the IMPLICIT_SCHEMA Database Privilege. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

New Group/User in LOAD Authority (Windows and UNIX)

This check reports groups and users that were granted the LOAD Authority since the last snapshot updates.

The following table lists the message for the check.


Table 2-69 Message for New Group/User in LOAD Authority

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_NEW_GROUPUSER_LOADAUTH; Category: Change Notification | UNIX (236175); Windows 2003 (237375); Windows 2008 (238175) | Title: New group/user set for the LOAD Authority; Description: New group/user set for the LOAD Authority. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Deleted Group/User in LOAD Authority (Windows and UNIX)

This check reports groups and users that had the LOAD Authority and had it revoked or that were deleted since the last snapshot updates.

The following table lists the message for the check.

Table 2-70 Message for Deleted Group/User in LOAD Authority

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DEL_GROUPUSER_LOADAUTH; Category: Change Notification | UNIX (236176); Windows 2003 (237376); Windows 2008 (238176) | Title: Deleted group/user set for the LOAD Authority; Description: Deleted group/user set for the LOAD Authority. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Modified Group/User in LOAD Authority (Windows and UNIX)

This check reports groups and users with LOAD Authority grantor or granteetype changes since the last snapshot updates.

The following table lists the message for the check.


Table 2-71 Message for Modified Group/User in LOAD Authority

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_MOD_GROUPUSER_LOADAUTH; Category: Change Notification | UNIX (236177); Windows 2003 (237377); Windows 2008 (238177) | Title: Modified group/user set for the LOAD Authority; Description: Modified group/user set for the LOAD Authority. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

New Group/User in CREATE_NOT_FENCED Database Privilege (Windows and UNIX)

This check reports groups and users that were granted the CREATE_NOT_FENCED Database Privilege since the last snapshot updates.

The following table lists the message for the check.

Table 2-72 Message for New Group/User in CREATE_NOT_FENCED Database Privilege

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_NEW_GROUPUSER_NOFENCEAUTH; Category: Change Notification | UNIX (236178); Windows 2003 (237378); Windows 2008 (238178) | Title: New group/user set for the CREATE_NOT_FENCED Database Privilege; Description: New group/user set for the CREATE_NOT_FENCED Database Privilege. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |


Deleted Group/User in CREATE_NOT_FENCED Database Privilege (Windows and UNIX)

This check reports groups and users that had the CREATE_NOT_FENCED Database Privilege and had it revoked or that were deleted since the last snapshot updates.

The following table lists the message for the check.

Table 2-73 Message for Deleted Group/User in CREATE_NOT_FENCED Database Privilege

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DEL_GROUPUSER_NOFENCEAUTH; Category: Change Notification | UNIX (236179); Windows 2003 (237379); Windows 2008 (238179) | Title: Deleted group/user set for the CREATE_NOT_FENCED Database Privilege; Description: Deleted group/user set for the CREATE_NOT_FENCED Database Privilege. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

Modified Group/User in CREATE_NOT_FENCED Database Privilege (Windows and UNIX)

This check reports groups and users with CREATE_NOT_FENCED Database Privilege grantor or granteetype changes since the last snapshot updates.

The following table lists the message for the check.


Table 2-74 Message for Modified Group/User in CREATE_NOT_FENCED Database Privilege

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_MOD_GROUPUSER_NOFENCEAUTH; Category: Change Notification | UNIX (236180); Windows 2003 (237380); Windows 2008 (238180) | Title: Modified group/user set for the CREATE_NOT_FENCED Database Privilege; Description: Modified group/user set for the CREATE_NOT_FENCED Database Privilege. | Severity: yellow-2; Correctable: false; Snapshot Updatable: true; Template Updatable: false; Information Field Format: [%s] |

New Group/User in the CREATE_EXTERNAL_ROUTINE Authority (Windows and UNIX)

This check reports the groups and the users that were granted the CREATE_EXTERNAL_ROUTINE authority since the last snapshot update.

The following table lists the message for the check.

Table 2-75 Message for New Group/User in the CREATE_EXTERNAL_ROUTINE Authority

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_NEW_GROUPUSER_EXTROUTINEAUTH; Category: Change Notification | UNIX (236196); Windows 2003 (237396); Windows 2008 (238196) | Title: New group/user set for the CREATE_EXTERNAL_ROUTINE Authority; Description: New group/user set for the CREATE_EXTERNAL_ROUTINE Authority | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |


Deleted Group/User in CREATE_EXTERNAL_ROUTINE Authority (Windows and UNIX)

This check reports the groups and the users that had the CREATE_EXTERNAL_ROUTINE Authority, but the authority is either revoked or is deleted since the last snapshot update.

The following table lists the message for the check.

Table 2-76 Message for Deleted Group/User in CREATE_EXTERNAL_ROUTINE Authority

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DEL_GROUPUSER_EXTROUTINEAUTH; Category: Change Notification | UNIX (236197); Windows 2003 (237397); Windows 2008 (238197) | Title: Deleted group/user set for the CREATE_EXTERNAL_ROUTINE Authority; Description: Deleted group/user set for the CREATE_EXTERNAL_ROUTINE Authority. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Modified Group/User in CREATE_EXTERNAL_ROUTINE Authority (Windows and UNIX)

This check reports the groups and the users with CREATE_EXTERNAL_ROUTINE 'grantor' or 'granteetype' changes since the last snapshot update.

The following table lists the message for the check.


Table 2-77 Message for Modified Group/User in CREATE_EXTERNAL_ROUTINE Authority

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_MOD_GROUPUSER_EXTROUTINEAUTH; Category: Change Notification | UNIX (236198); Windows 2003 (237398); Windows 2008 (238198) | Title: Modified group/user set for the CREATE_EXTERNAL_ROUTINE Authority; Description: Modified group/user set for the CREATE_EXTERNAL_ROUTINE Authority. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
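The New, Deleted and Modified checks above share one pattern: the current grantees of an authority are compared with the last snapshot, and a grantor or granteetype difference counts as a modification. The following is an added example, not ESM's own code; it assumes the grants come from DB2's SYSCAT.DBAUTH catalog view (GRANTOR, GRANTEE, GRANTEETYPE and one Y/N column per authority), and every sample row is constructed.

```python
"""Classify DB2 database-authority changes between two snapshots.

Added illustration, not ESM code. Rows mimic SYSCAT.DBAUTH (assumed
source); all sample rows below are constructed.
"""
from typing import Dict, FrozenSet, List, Tuple

# SYSCAT.DBAUTH flag columns that correspond to the checks in this section.
AUTH_COLUMNS = (
    "BINDADDAUTH", "CREATETABAUTH", "IMPLSCHEMAAUTH",
    "LOADAUTH", "NOFENCEAUTH", "EXTERNALROUTINEAUTH",
)

GrantSet = FrozenSet[Tuple[str, str]]          # {(grantor, granteetype), ...}
Snapshot = Dict[str, Dict[str, GrantSet]]      # authority -> grantee -> grants


def build_snapshot(rows: List[dict]) -> Snapshot:
    """Index catalog rows by authority and grantee.

    One grantee can hold the same authority from several grantors, so the
    value is a set of (grantor, granteetype) pairs rather than a single pair.
    """
    collected = {col: {} for col in AUTH_COLUMNS}
    for row in rows:
        grantee = row["GRANTEE"].strip().upper()
        detail = (row["GRANTOR"].strip().upper(),
                  row["GRANTEETYPE"].strip().upper())
        for col in AUTH_COLUMNS:
            if row.get(col, "N") == "Y":
                collected[col].setdefault(grantee, set()).add(detail)
    return {col: {g: frozenset(d) for g, d in grantees.items()}
            for col, grantees in collected.items()}


def diff_snapshots(old: Snapshot, new: Snapshot) -> List[Tuple[str, str, str]]:
    """Return (change, authority, grantee) tuples in a stable order."""
    findings = []
    for col in AUTH_COLUMNS:
        before, after = old[col], new[col]
        for grantee in sorted(after.keys() - before.keys()):
            findings.append(("NEW", col, grantee))
        for grantee in sorted(before.keys() - after.keys()):
            findings.append(("DELETED", col, grantee))
        for grantee in sorted(before.keys() & after.keys()):
            # Same grantee, different grantor or granteetype.
            if before[grantee] != after[grantee]:
                findings.append(("MODIFIED", col, grantee))
    return findings


# Constructed snapshot taken at the last "snapshot update".
OLD_ROWS = [
    {"GRANTOR": "SYSIBM", "GRANTEE": "PUBLIC", "GRANTEETYPE": "G",
     "BINDADDAUTH": "Y", "CREATETABAUTH": "Y", "IMPLSCHEMAAUTH": "Y"},
    {"GRANTOR": "DB2INST1", "GRANTEE": "ETL_SVC", "GRANTEETYPE": "U",
     "LOADAUTH": "Y"},
    {"GRANTOR": "DB2INST1", "GRANTEE": "APPDEV", "GRANTEETYPE": "G",
     "CREATETABAUTH": "Y"},
]

# Constructed current state: BINDADD revoked from PUBLIC, LOAD re-granted to
# ETL_SVC by a different grantor, and a new CREATE_NOT_FENCED grantee.
NEW_ROWS = [
    {"GRANTOR": "SYSIBM", "GRANTEE": "PUBLIC", "GRANTEETYPE": "G",
     "BINDADDAUTH": "N", "CREATETABAUTH": "Y", "IMPLSCHEMAAUTH": "Y"},
    {"GRANTOR": "SECADM1", "GRANTEE": "ETL_SVC", "GRANTEETYPE": "U",
     "LOADAUTH": "Y"},
    {"GRANTOR": "DB2INST1", "GRANTEE": "APPDEV", "GRANTEETYPE": "G",
     "CREATETABAUTH": "Y"},
    {"GRANTOR": "DB2INST1", "GRANTEE": "CONTRACTOR1", "GRANTEETYPE": "U",
     "NOFENCEAUTH": "Y"},
]

if __name__ == "__main__":
    for change, authority, grantee in diff_snapshots(
            build_snapshot(OLD_ROWS), build_snapshot(NEW_ROWS)):
        print(f"{change:8} {authority:20} [{grantee}]")
```

Because unchanged grants produce no finding, a review only has to decide whether each reported change was authorized before the snapshot is updated.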

Objects with nicknames (Windows and UNIX)

This check lists the objects that are accessible by using nicknames in the local databases. Use the name list to exclude the trusted objects. This check is only supported on IBM DB2 9.1 or later versions.

The following table lists the message for the check.

Table 2-78 Message for Objects with nicknames

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB_NICKNAMES; Category: Change Notification | UNIX (236199); Windows 2003 (237399); Windows 2008 (238199) | Title: Objects with nicknames; Description: Accessing as object with a nickname is a potential security risk as a nickname is not a fully qualified identifier for the object. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |


Objects not owned by Orphan ID (Windows and UNIX)

This check reports the objects for which the owner is not an Orphan ID. If the text box value is 0, then the check reports the owners that are neither disabled nor locked. If the text box value is 1, then the check first verifies the disabled or the locked status of the owner and then reports whether the owner has CONNECT privileges. Use the Keys list to specify the object types that the check must report on. This check is supported on IBM DB2 9 or later versions. This check works only in the Host-based mode.

The following table lists the messages for the check.

Table 2-79 Messages for Objects not owned by Orphan ID

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_OWNER_IS_NOT_INVALID; Category: Policy Compliance | UNIX (236191); Windows 2003 (237391); Windows 2008 (238191) | Title: Object is not owned by an Orphan ID; Description: The reported object has an owner which is not an Orphan ID. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB2_OWNER_HAS_CONNECTAUTH; Category: Policy Compliance | UNIX (236192); Windows 2003 (237392); Windows 2008 (238192) | Title: The object owner has access to the connect privilege; Description: The object owners is an orphan ID but it is directly or indirectly inheriting the Connection privilege. | Severity: yellow-2; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

About the ESM DB2 System module

The ESM DB2 System module detects the DB2 system files and folders on the computer and reports if they are valid and secured.


DB2 Instances (Windows and UNIX)

Use this option to specify the DB2 instances that are to be checked. By default, the module checks for all the instances that are specified when you configure the Symantec ESM Modules for DB2 Databases. The configuration information is stored in the /esm/config/DB2Module.dat file on UNIX and <Installation_directory>:\Program Files\Symantec\Enterprise Security Manager\ESM\config\DB2Module.dat file on Windows.

Database folder on system partition (Windows and UNIX)

This check reports if the DB2 database folder is found on the system partition.

The following table lists the message output for the Database folder on system partition check.

Table 2-80 Message for Database folder on system partition

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_DB_FOLDER_ON_SYSTEM; Category: ESM Administrative Information | UNIX (236921); Windows 2003 (237071); Windows 2008 (237221) | Title: Database folder on system partition; Description: The ESM DB2 System module has detected that a DB2 database has been created on system drive. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Instance folder on system partition (Windows and UNIX)

This check reports if the DB2 instance folder is found on the system partition.

The following lists the message output for the Instance folder on system partition check.


Table 2-81 Message for Database folder on system partition

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_INST_FOLDER_ON_SYSTEM; Category: ESM Administrative Information | UNIX (236922); Windows 2003 (237072); Windows 2008 (237222) | Title: Instance folder on system partition; Description: The ESM DB2 System module has detected a DB2 instance folder on the system partition. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Database log folder on system partition (Windows and UNIX)

This check reports if the DB2 database log folder is found on the system partition.

This table lists the message output for the Database log folder on system partition check.

Table 2-82 Message for Database log folder on system partition

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_LOG_FOLDER_ON_SYSTEM; Category: ESM Administrative Information | UNIX (236923); Windows 2003 (237073); Windows 2008 (237223) | Title: Log folder on system partition; Description: The ESM DB2 System module has detected that a DB2 database log folder has been created on the system partition. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

SSL is Disabled (Windows and UNIX)

This check reports if the SSL is disabled for an instance.

The following table lists the message for the check.


Table 2-83 Message for SSL is Disabled

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_SSL_DISABLED; Category: ESM Administrative Information | UNIX (236924); Windows 2003 (237074); Windows 2008 (237224) | Title: SSL is disabled; Description: The SSL is disabled for an instance. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Node catalogued by using hostname (Windows and UNIX)

This check reports if the host name is used instead of an IP address to connect to an instance.

The following table lists the message for the check.

Table 2-84 Message for Node catalogued by using hostname

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_HOST_IP; Category: ESM Administrative Information | UNIX (236925); Windows 2003 (237075); Windows 2008 (237225) | Title: Host name instead of IP; Description: A DB2 node has been catalogued according to the host name. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

DB2 directory and file permissions (Windows and UNIX)

This check group reports if the DB2 database directories and files are accessed by unauthorized users or groups.


Database containers (Windows)

This check reports if the DB2 database container is accessed by unauthorized users or groups having a less restrictive permission than the maximum permission granted. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

The following table lists the messages for the check.

Table 2-85 Messages for Database containers

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_UNAUTHORIZED; Category: Policy Compliance | Windows 2003 (237077); Windows 2008 (237227) | Title: DB2 folder unauthorized access; Description: The user or group is unauthorized to access the DB2 folder. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB2_PERM_ERR; Category: ESM Error | Windows 2003 (237078); Windows 2008 (237228) | Title: Permission validity error; Description: The maximum permission entered by the user is invalid. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB2_ACCESS_ERR; Category: ESM Error | Windows 2003 (237079); Windows 2008 (237229) | Title: Folder accessibility error; Description: The DB2 folder is inaccessible. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |


Database containers (UNIX)

This check reports if the DB2 database directory has a less restrictive permission than the value that is specified in your policy. Permissions are specified as a three-digit octal number.

The following table lists the messages for the check.

Table 2-86 Messages for Database containers

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_DIFF_PERM; Category: Policy Compliance | UNIX (236927) | Title: Database container directory permissions; Description: The permission on the database container directory is excessive. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB2_ACCESS_ERR; Category: ESM Error | UNIX (236929) | Title: Folder accessibility error; Description: The DB2 folder is inaccessible. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
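A three-digit octal policy value has to be compared bit by bit rather than numerically: 705 is a smaller number than 750, yet it grants read and execute to every local account. The following added example is not ESM's own code; the bitwise reading of "less restrictive" and all function names are assumptions, and the directories are constructed in a temporary folder. It reports which rights exceed the policy maximum and handles an unreadable path separately, matching the two messages in the table above.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Permission classes and rights with their bit positions in a POSIX mode.
CLASSES = (("owner", 6), ("group", 3), ("other", 0))
RIGHTS = (("r", 4), ("w", 2), ("x", 1))


def excess_rights(actual: int, policy_max: int) -> List[str]:
    """Return the rights set in `actual` that `policy_max` does not allow."""
    extra = actual & ~policy_max & 0o777
    found = []
    for cls, shift in CLASSES:
        for name, bit in RIGHTS:
            if extra & (bit << shift):
                found.append(f"{cls}:{name}")
    return found


def check_directory(path: str, policy_max: int) -> Tuple[str, List[str]]:
    """Classify one directory as OK, EXCESSIVE or INACCESSIBLE."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        # Corresponds to the "Folder accessibility error" case.
        return ("INACCESSIBLE", [])
    extra = excess_rights(mode, policy_max)
    return ("EXCESSIVE", extra) if extra else ("OK", [])


def demo(policy_max: int = 0o750) -> Dict[str, Tuple[str, List[str]]]:
    """Audit constructed directories against a policy maximum."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("tight", 0o700), ("loose", 0o705), ("world", 0o777)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)   # chmod is not affected by the umask
            results[name] = check_directory(path, policy_max)
        results["missing"] = check_directory(os.path.join(root, "absent"),
                                             policy_max)
    return results


if __name__ == "__main__":
    for name, (status, extra) in demo().items():
        print(f"{name:8} {status:13} {', '.join(extra)}")
```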

Default database path (Windows)

This check reports if the default path of the database is invalid. This check also reports if the path is not owned by the DB2 administrator and is accessed by unauthorized users or groups. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

The following table lists the messages for the check.


Table 2-87 Messages for Database containers

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_DEFPATHUNAUTH; Category: Policy Compliance | Windows 2003 (237081); Windows 2008 (237231) | Title: Unauthorized accounts on default database path; Description: The user or group is unauthorized to access the default database path. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB2_DFTDBPATH; Category: Policy Compliance | Windows 2003 (237080); Windows 2008 (237230) | Title: Default database path; Description: The DB2 folder does not exist on the computer or the default database path parameter DFTDBPATH is not set. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB2_ACCESS_ERR; Category: ESM Error | Windows 2003 (237079); Windows 2008 (237229) | Title: Folder accessibility error; Description: The DB2 folder is inaccessible. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Default database path (UNIX)

This check reports if the default path of the database is invalid.

The following table lists the message for the check.


Table 2-88 Message for Database database path

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_DFTDBPATH; Category: Policy Compliance | UNIX (236930) | Title: Default database path; Description: The DB2 folder does not exist on the computer or the default database path parameter DFTDBPATH is not set. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Permission on default database path (Windows)

This check reports if the default path of the database is accessed by unauthorized users or groups having a less restrictive permission than the maximum permission granted. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions. Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X: FILE_EXECUTE

■ R: FILE_READ_DATA

■ Q: FILE_READ_ATTRIBUTES

■ N: FILE_READ_EA

■ W: FILE_WRITE_DATA

■ T: FILE_WRITE_ATTRIBUTES

■ A: FILE_APPEND_DATA

■ B: FILE_WRITE_EA

■ U: FILE_DELETE_CHILD

■ D: DELETE

■ E: READ_CONTROL

■ P: WRITE_DAC

■ O: WRITE_OWNER

The following table lists the messages for the check.

Table 2-89 Messages for Permission on default database path

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_DEFPATHPERMS; Category: Policy Compliance | Windows 2003 (237082); Windows 2008 (237232) | Title: Unauthorized permission on default database path; Description: The user or group has an unauthorized permission on the default database path. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB2_PERM_ERR; Category: ESM Error | Windows 2003 (237078); Windows 2008 (237228) | Title: Permission validity error; Description: The maximum permission entered by the user is invalid. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB2_ACCESS_ERR; Category: ESM Error | Windows 2003 (237079); Windows 2008 (237229) | Title: Folder accessibility error; Description: The DB2 folder is inaccessible. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Permission on default database path (UNIX)

This check reports if the default path of the database as mentioned in DFTDBPATH parameter has a higher permission than the value that is specified in your policy. Permissions are specified as a three-digit octal number.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions. Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X: FILE_EXECUTE

■ R: FILE_READ_DATA

■ Q: FILE_READ_ATTRIBUTES

■ N: FILE_READ_EA

■ W: FILE_WRITE_DATA

■ T: FILE_WRITE_ATTRIBUTES

■ A: FILE_APPEND_DATA

■ B: FILE_WRITE_EA

■ U: FILE_DELETE_CHILD

■ D: DELETE

■ E: READ_CONTROL

■ P: WRITE_DAC

■ O: WRITE_OWNER

The following table lists the message for the check.


Table 2-90 Message for Permission on default database path

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_DEFPATHPERMS; Category: Policy Compliance | UNIX (236932) | Title: Default database path permission; Description: The permission on the default database path is excessive. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Archive log path (Windows)

This check reports if the primary log archive path of the database is invalid. This check also reports if the path is accessed by unauthorized users or groups. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

The following table lists the messages for the check.

Table 2-91 Messages for Archive log path

| Message String ID and Category | Platform and Message Numeric ID | Message Title and Description | Additional Information |
| --- | --- | --- | --- |
| String ID: ESM_DB2_ARCHLOGUNAUTH; Category: Policy Compliance | Windows 2003 (237083); Windows 2008 (237233) | Title: Unauthorized accounts on archive log path; Description: The user or group is unauthorized to access the archive log path. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB2_PARAM_NOT_SET; Category: Policy Compliance | Windows 2003 (237085); Windows 2008 (237235) | Title: Configuration parameter not set; Description: The configuration parameter is not set. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB_PARAM_NOT_VALID; Category: Policy Compliance | Windows 2003 (237088); Windows 2008 (237238) | Title: Configuration parameter value is invalid; Description: The configuration parameter value is invalid. | Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |
| String ID: ESM_DB2_ACCESS_ERR; Category: ESM Error | Windows 2003 (237079); Windows 2008 (237229) | Title: Folder accessibility error; Description: The DB2 folder is inaccessible. | Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s] |

Archive log path (UNIX)

This check reports if the primary log archive path of the database is invalid.

The following table lists the messages for the check.

Table 2-92 Messages for Archive log path

String ID: ESM_DB2_PARAM_NOT_SET
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236935)
Title: Configuration parameter not set
Description: The configuration parameter is not set.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB_PARAM_NOT_VALID
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236938)
Title: Configuration parameter value is invalid
Description: The configuration parameter value is invalid.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: UNIX (236929)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Permission on archive log path (Windows)

This check reports if the primary log archive path of the database is accessed by unauthorized users or groups having a less restrictive permission than the maximum permission granted. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions.

Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER
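The letter string in the Information column can be expanded mechanically when triaging findings. The following is an added example, not code from the guide or from ESM: the function names are hypothetical, the access-mask values are the standard Windows access-right constants, and the grouping of "modifying" rights is an assumption made for triage.

```python
import re

# Letter codes exactly as in the guide's list, in the guide's order.
# The mask values are the standard Windows access-right bits (winnt.h);
# they are added for this example and do not appear in the guide.
SPECIAL_PERMISSIONS = {
    "X": ("FILE_EXECUTE", 0x00000020),
    "R": ("FILE_READ_DATA", 0x00000001),
    "Q": ("FILE_READ_ATTRIBUTES", 0x00000080),
    "N": ("FILE_READ_EA", 0x00000008),
    "W": ("FILE_WRITE_DATA", 0x00000002),
    "T": ("FILE_WRITE_ATTRIBUTES", 0x00000100),
    "A": ("FILE_APPEND_DATA", 0x00000004),
    "B": ("FILE_WRITE_EA", 0x00000010),
    "U": ("FILE_DELETE_CHILD", 0x00000040),
    "D": ("DELETE", 0x00010000),
    "E": ("READ_CONTROL", 0x00020000),
    "P": ("WRITE_DAC", 0x00040000),
    "O": ("WRITE_OWNER", 0x00080000),
}

# Assumption for triage: rights that alter, delete or re-own content or its ACL.
MODIFYING = frozenset("WTABUDPO")

# Format of the Information field as shown in the guide.
_INFO_RE = re.compile(r"Actual Permissions:\s*'([A-Z]+) \(Special Permissions\)'")


def extract_code(information):
    """Return the letter string from an Information field, or None when the
    field does not report special permissions."""
    match = _INFO_RE.search(information)
    return match.group(1) if match else None


def decode(code):
    """Expand a letter string into (list of right names, combined access mask)."""
    names, mask = [], 0
    for letter in code:
        if letter not in SPECIAL_PERMISSIONS:
            raise ValueError("unknown special-permission letter: %r" % letter)
        name, bit = SPECIAL_PERMISSIONS[letter]
        if name not in names:  # tolerate a repeated letter
            names.append(name)
        mask |= bit
    return names, mask


def modifying_rights(code):
    """Names of the rights in `code` that allow changing the path or its ACL."""
    decode(code)  # validates every letter first
    return [SPECIAL_PERMISSIONS[l][0] for l in dict.fromkeys(code) if l in MODIFYING]


def encode(mask):
    """Inverse of decode: (letters in the guide's order, bits with no letter).
    Useful for comparing an access mask read from an ACL with an ESM finding."""
    letters, leftover = "", mask
    for letter, (_, bit) in SPECIAL_PERMISSIONS.items():
        if mask & bit:
            letters += letter
            leftover &= ~bit
    return letters, leftover


if __name__ == "__main__":
    field = "Actual Permissions: 'XRQNAE (Special Permissions)'"  # from the guide
    code = extract_code(field)
    names, mask = decode(code)
    print(code, names, hex(mask), modifying_rights(code))
```

For the guide's sample value, the only modifying right is FILE_APPEND_DATA; the rest are read, execute and READ_CONTROL rights.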

The following table lists the messages for the check.

Table 2-93 Messages for Permission on archive log path

String ID: ESM_DB2_ARCHLOGPERMS
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237084), Windows 2008 (237234)
Title: Unauthorized permission on archive log path
Description: The user or group has unauthorized permission on the archive log path.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PERM_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237078), Windows 2008 (237228)
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237079), Windows 2008 (237229)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Permission on archive log path (UNIX)

This check reports if the primary log archive path of the database as mentioned in the LOGARCHMETH1 parameter has a higher permission than the value that is specified in your policy. Permissions are specified as a three-digit octal number.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions.

Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER

The following table lists the messages for the check.

Table 2-94 Messages for Permission on archive log path

String ID: ESM_DB2_ARCHLOGPERMS
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236934)
Title: Unauthorized permission on archive log path
Description: The permission on the primary archive log path is excessive.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PERM_ERR
Category: ESM Error
Platform and Message Numeric ID: UNIX (236928)
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: UNIX (236929)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]
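The UNIX permission check above can be reproduced by hand to confirm a finding. The following is an added example, not ESM's implementation: the function names are hypothetical, the configuration text is assumed to follow the `db2 get db cfg` layout, and "higher permission" is interpreted as any mode bit set beyond the three-digit octal maximum (an assumption; a plain numeric comparison would miss a mode such as 705 against a maximum of 750).

```python
import os
import re
import stat
import tempfile

# String IDs from the message table for this check.
MSG_PERMS = "ESM_DB2_ARCHLOGPERMS"
MSG_PERM_ERR = "ESM_DB2_PERM_ERR"
MSG_ACCESS_ERR = "ESM_DB2_ACCESS_ERR"


def configured_path(cfg_text, param="LOGARCHMETH1"):
    """Return the directory configured for `param` in `db2 get db cfg` style
    text, or None when the parameter is absent, empty, OFF or not a disk path."""
    match = re.search(r"\(%s\)[ \t]*=[ \t]*(.*)$" % re.escape(param), cfg_text, re.M)
    if not match:
        return None
    value = match.group(1).strip()
    if value.upper().startswith("DISK:"):
        value = value[5:]
    return value if value.startswith("/") else None


def parse_max_permission(text):
    """Parse the policy value; only a three-digit octal number is accepted."""
    text = text.strip()
    if not re.fullmatch(r"[0-7]{3}", text):
        return None
    return int(text, 8)


def check_archive_log_permission(cfg_text, max_permission, param="LOGARCHMETH1"):
    """Return (string_id, information) for a finding, or None when compliant."""
    limit = parse_max_permission(max_permission)
    if limit is None:
        return (MSG_PERM_ERR, max_permission)
    path = configured_path(cfg_text, param)
    if path is None:
        # Unset or invalid values are reported by the separate
        # "Archive log path" check, not by the permission check.
        return None
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode) & 0o777
    except OSError:
        return (MSG_ACCESS_ERR, path)
    excess = mode & ~limit  # bits granted on disk but not allowed by policy
    if excess:
        info = "%s: actual %03o, allowed %03o, excess %03o" % (path, mode, limit, excess)
        return (MSG_PERMS, info)
    return None


if __name__ == "__main__":
    # Constructed sample: a temporary directory stands in for the archive path.
    archive_dir = tempfile.mkdtemp()
    os.chmod(archive_dir, 0o705)
    sample_cfg = (
        " First log archive method                 (LOGARCHMETH1) = DISK:%s\n"
        " Second log archive method                (LOGARCHMETH2) = OFF\n"
        " Failover log archive path                (FAILARCHPATH) = \n" % archive_dir
    )
    print(check_archive_log_permission(sample_cfg, "750"))  # excess 005
    print(check_archive_log_permission(sample_cfg, "75"))   # invalid policy value
    os.rmdir(archive_dir)
    print(check_archive_log_permission(sample_cfg, "750"))  # path now inaccessible
```

Pass `param="LOGARCHMETH2"` or `param="FAILARCHPATH"` to run the same comparison for the secondary and tertiary paths; the string ID constant would then need to be the one from the corresponding table.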

Secondary archive log path (Windows)

This check reports if the secondary archive log path of the database is invalid. This check also reports if the path is accessed by unauthorized users or groups. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

The following table lists the messages for the check.

Table 2-95 Messages for Secondary archive log path

String ID: ESM_DB2_SECLOGUNAUTH
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237086), Windows 2008 (237236)
Title: Unauthorized accounts on secondary archive log path
Description: The user or group is unauthorized to access the secondary archive log path.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PARAM_NOT_VALID
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237088), Windows 2008 (237238)
Title: Configuration parameter value is invalid
Description: The configuration parameter value is not valid.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PARAM_NOT_SET
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237085), Windows 2008 (237235)
Title: Configuration parameter not set
Description: The configuration parameter is not set.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237079), Windows 2008 (237229)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Secondary archive log path (UNIX)

This check reports if the secondary archive log path of the database is invalid.

The following table lists the messages for the check.

Table 2-96 Messages for Secondary archive log path

String ID: ESM_DB2_PARAM_NOT_VALID
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236938)
Title: Configuration parameter value is invalid
Description: The configuration parameter value is not valid.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PARAM_NOT_SET
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236935)
Title: Configuration parameter not set
Description: The configuration parameter is not set.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: UNIX (236929)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Permission on secondary archive log path (Windows)

This check reports if the secondary archive log path of the database is accessed by unauthorized users or groups having a less restrictive permission than the maximum permission granted. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions.

Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER

The following table lists the messages for the check.

Table 2-97 Messages for Permission on secondary archive log path

String ID: ESM_DB2_SECLOGPERMS
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237087), Windows 2008 (237237)
Title: Unauthorized permission on secondary archive log path
Description: The user or group has an unauthorized permission on the secondary archive log path.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PERM_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237078), Windows 2008 (237228)
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237079), Windows 2008 (237229)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Permission on secondary archive log path (UNIX)

This check reports if the secondary log archive path of the database as mentioned in the LOGARCHMETH2 parameter has a higher permission than the value that is specified in your policy. Permissions are specified as a three-digit octal number.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions.

Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER

The following table lists the messages for the check.

Table 2-98 Messages for Permission on secondary archive log path

String ID: ESM_DB2_SECLOGPERMS
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236937)
Title: Unauthorized permission on secondary archive log path
Description: The permission on the secondary archive log path is excessive.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PERM_ERR
Category: ESM Error
Platform and Message Numeric ID: UNIX (236928)
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: UNIX (236929)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Tertiary archive log path (Windows)

This check reports if the tertiary archive log path of the database is invalid. This check also reports if the path is accessed by unauthorized users or groups. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

The following table lists the messages for the check.

Table 2-99 Messages for Tertiary archive log path

String ID: ESM_DB2_TERLOGUNAUTH
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237089), Windows 2008 (237239)
Title: Unauthorized accounts on tertiary archive log path
Description: The user or group is unauthorized to access the tertiary archive log path.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PARAM_NOT_VALID
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237088), Windows 2008 (237238)
Title: Configuration parameter value is invalid
Description: The configuration parameter value is not valid.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PARAM_NOT_SET
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237085), Windows 2008 (237235)
Title: Configuration parameter not set
Description: The configuration parameter is not set.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237079), Windows 2008 (237229)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Tertiary archive log path (UNIX)

This check reports if the tertiary archive log path of the database is invalid.

The following table lists the messages for the check.

Table 2-100 Messages for Tertiary archive log path

String ID: ESM_DB2_PARAM_NOT_VALID
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236938)
Title: Configuration parameter value is invalid
Description: The configuration parameter value is not valid.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PARAM_NOT_SET
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236935)
Title: Configuration parameter not set
Description: The configuration parameter is not set.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: UNIX (236929)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Permission on tertiary archive log path (Windows)

This check reports if the tertiary archive log path of the database is accessed by unauthorized users or groups having a less restrictive permission than the maximum permission granted. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions.

Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER

The following table lists the messages for the check.

Table 2-101 Messages for Permission on tertiary archive log path

String ID: ESM_DB2_TERLOGPERMS
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237090), Windows 2008 (237240)
Title: Unauthorized permission on tertiary archive log path
Description: The user or group has an unauthorized permission on the tertiary archive log path.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PERM_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237078), Windows 2008 (237228)
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237079), Windows 2008 (237229)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Permission on tertiary archive log path (UNIX)

This check reports if the tertiary log archive path of the database as mentioned in the FAILARCHPATH parameter has a higher permission than the value that is specified in your policy. Permissions are specified as a three-digit octal number.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions.

Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER

The following table lists the messages for the check.

Table 2-102 Messages for Permission on tertiary archive log path

String ID: ESM_DB2_TERLOGPERMS
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236940)
Title: Unauthorized permission on tertiary archive log path
Description: The permission on the tertiary archive log path is excessive.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PERM_ERR
Category: ESM Error
Platform and Message Numeric ID: UNIX (236928)
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: UNIX (236929)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Mirrored log path (Windows)

This check reports if the mirrored log path of the database is invalid. This check also reports if the path is accessed by unauthorized users or groups. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

The following table lists the messages for the check.

Table 2-103 Messages for Mirrored log path

String ID: ESM_DB2_MIRRORLOGUNAUTH
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237098), Windows 2008 (237248)
Title: Unauthorized accounts on mirrored log path
Description: The user or group is unauthorized to access the mirrored log path.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PARAM_NOT_VALID
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237088), Windows 2008 (237238)
Title: Configuration parameter value is invalid
Description: The configuration parameter value is not valid.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PARAM_NOT_SET
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237085), Windows 2008 (237235)
Title: Configuration parameter not set
Description: The configuration parameter is not set.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237079), Windows 2008 (237229)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Mirrored log path (UNIX)

This check reports if the mirrored log path of the database is invalid.

The following table lists the messages for the check.

Table 2-104 Messages for Mirrored log path

String ID: ESM_DB2_PARAM_NOT_VALID
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236938)
Title: Configuration parameter value is invalid
Description: The configuration parameter value is not valid.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PARAM_NOT_SET
Category: Policy Compliance
Platform and Message Numeric ID: UNIX (236935)
Title: Configuration parameter not set
Description: The configuration parameter is not set.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: UNIX (236929)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Permission on mirrored log path (Windows)

This check reports if the mirrored log path of the database is accessed by unauthorized users or groups having a higher permission than the maximum permission granted. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions.

Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER

The following table lists the messages for the check.

Table 2-105 Messages for Permission on mirrored log path

String ID: ESM_DB2_MIRRORLOGPERMS
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237092), Windows 2008 (237242)
Title: Unauthorized permission on mirrored log path
Description: The user or group has an unauthorized permission on the mirrored log path.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PERM_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237078), Windows 2008 (237228)
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237079), Windows 2008 (237229)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Permission on diagnostic path (Windows)

This check reports if the diagnostic log path of the database is accessed by unauthorized users or groups having a less restrictive permission than the maximum permission granted. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions.

Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER

The following table lists the messages for the check.

Table 2-106 Messages for Permission on diagnostic path

String ID: ESM_DB2_DIAGLOGPERMS
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237094), Windows 2008 (237244)
Title: Unauthorized permission on diagnostic log path
Description: The user or group has an unauthorized permission on the diagnostic log path.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PARAM_NOT_VALID
Category: Policy Compliance
Platform and Message Numeric ID: Windows 2003 (237088), Windows 2008 (237238)
Title: Configuration parameter value is invalid
Description: The configuration parameter value is not valid.
Additional Information: Severity: yellow-1; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_PERM_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237078), Windows 2008 (237228)
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
Platform and Message Numeric ID: Windows 2003 (237079), Windows 2008 (237229)
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
Additional Information: Severity: red-4; Correctable: false; Snapshot Updatable: false; Template Updatable: false; Information Field Format: [%s]

Permission on diagnostic path (UNIX)

This check reports if the diagnostic log path of the instance as mentioned in the DIAGPATH parameter has a higher permission than the value that is specified in your policy. Permissions are specified as a three-digit octal number.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions.

Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER

The following table lists the messages for the check.

Table 2-107 Messages for Permission on diagnostic path

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized permission on diagnostic log path
Description: The user or group has an unauthorized permission on the diagnostic log path.
■ UNIX (236944)
String ID: ESM_DB2_DIAGLOGPERMS
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Configuration parameter value is invalid
Description: The configuration parameter value is not valid.
■ UNIX (236938)
String ID: ESM_DB2_PARAM_NOT_VALID
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
■ UNIX (236928)
String ID: ESM_DB2_PERM_ERR
Category: ESM Error

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
■ UNIX (236929)
String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error
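A stand-alone way to reproduce the UNIX comparison described above, as an added example that is not Symantec ESM code. It assumes "higher permission" means any permission bit set beyond the policy maximum (a bitwise test, which catches a mode such as 707 against a maximum of 750 where a numeric comparison would not); the function names and the sample directory are hypothetical, and the three outcomes reuse the String IDs from Table 2-107.

```python
import os
import re
import stat
import tempfile

# Message String IDs as listed in Table 2-107 of this guide.
MSG_EXCESS = "ESM_DB2_DIAGLOGPERMS"
MSG_BAD_POLICY = "ESM_DB2_PERM_ERR"
MSG_NO_ACCESS = "ESM_DB2_ACCESS_ERR"


def parse_octal_policy(text):
    """Return the policy value as an int, or None unless it is exactly three octal digits."""
    if not re.fullmatch(r"[0-7]{3}", text):
        return None
    return int(text, 8)


def rwx(bits):
    """Render the nine permission bits as an rwxrwxrwx string."""
    return stat.filemode(bits)[1:]


def check_diagpath(path, max_perm_text):
    """Compare a directory's mode with the maximum permission from policy.

    Returns (message_id, detail); message_id is None when the path complies.
    Assumption: a path is non-compliant when it grants any bit the maximum
    does not. Setuid, setgid and sticky bits are outside a three-digit policy
    value and are ignored here.
    """
    max_perm = parse_octal_policy(max_perm_text)
    if max_perm is None:
        return MSG_BAD_POLICY, f"invalid maximum permission {max_perm_text!r}"
    try:
        actual = stat.S_IMODE(os.stat(path).st_mode) & 0o777
    except OSError as exc:
        return MSG_NO_ACCESS, f"{path}: {exc.strerror}"
    excess = actual & ~max_perm
    if excess:
        return MSG_EXCESS, (
            f"{path}: actual {actual:03o} ({rwx(actual)}) exceeds maximum "
            f"{max_perm:03o}; extra bits {excess:03o} ({rwx(excess)})"
        )
    return None, f"{path}: actual {actual:03o} is within maximum {max_perm:03o}"


def demo():
    """Run the check against a constructed directory standing in for DIAGPATH."""
    results = []
    with tempfile.TemporaryDirectory() as root:
        diag = os.path.join(root, "db2dump")  # constructed sample path
        os.mkdir(diag)
        os.chmod(diag, 0o707)  # numerically below 750, yet world-writable
        results.append(check_diagpath(diag, "750"))
        os.chmod(diag, 0o750)
        results.append(check_diagpath(diag, "750"))
        results.append(check_diagpath(diag, "75"))  # malformed policy value
        results.append(check_diagpath(os.path.join(root, "missing"), "750"))
        os.chmod(diag, 0o700)
    return results


if __name__ == "__main__":
    for message_id, detail in demo():
        print(message_id or "OK", "-", detail)
```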

Minimum JDK version (Windows and UNIX)

This check reports if the Java Development Kit (JDK) version installed on the DB2 administration server is less than the minimum version specified in the value text box.

The following table lists the message for the check.

Table 2-108 Message for Minimum JDK version

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Earlier version of JDK
Description: An earlier version of JDK is installed on the DB2 administration server.
■ UNIX (236946)
■ Windows 2003 (237096)
■ Windows 2008 (237246)
String ID: ESM_DB2_MIN_JDKVERSION
Category: Policy Compliance

Permission on JDK runtime library path (Windows)

This check reports if the 32-bit or 64-bit JDK runtime library path of the DB2 administration server is accessed by unauthorized users or groups having a less restrictive permission than the maximum permission granted. Use the name list to exclude the authorized user or group names or include the unauthorized user or group names.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions. Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER

The following table lists the messages for the check.

Table 2-109 Messages for Permission on JDK runtime library path

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized permission on JDK runtime library path
Description: The user or group has unauthorized permission on the JDK runtime library path.
■ Windows 2003 (237097)
■ Windows 2008 (237247)
String ID: ESM_DB2_JDKPERMS
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
■ Windows 2003 (237078)
■ Windows 2008 (237228)
String ID: ESM_DB2_PERM_ERR
Category: ESM Error

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
■ Windows 2003 (237079)
■ Windows 2008 (237229)
String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error

Permission on JDK runtime library path (UNIX)

This check reports if the 32-bit or 64-bit JDK runtime library path of the DB2 administration server has a higher permission than the value that is specified in your policy. Permissions are specified as a three-digit octal number.

If the actual permissions are other than Full Control, Modify, Read & Execute, List Folder Contents, and Read and Write, then that is a case of special permissions. Special permissions are displayed in the corresponding Information column as follows:

Actual Permissions: 'XRQNAE (Special Permissions)'

Following is the list of special permissions:

■ X FILE_EXECUTE
■ R FILE_READ_DATA
■ Q FILE_READ_ATTRIBUTES
■ N FILE_READ_EA
■ W FILE_WRITE_DATA
■ T FILE_WRITE_ATTRIBUTES
■ A FILE_APPEND_DATA
■ B FILE_WRITE_EA
■ U FILE_DELETE_CHILD
■ D DELETE
■ E READ_CONTROL
■ P WRITE_DAC
■ O WRITE_OWNER

The following table lists the messages for the check.

Table 2-110 Messages for Permission on JDK runtime library path

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized permission on JDK runtime library path
Description: The permission on the JDK runtime library path is excessive.
■ UNIX (236947)
String ID: ESM_DB2_JDKPERMS
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Permission validity error
Description: The maximum permission entered by the user is invalid.
■ UNIX (236928)
String ID: ESM_DB2_PERM_ERR
Category: ESM Error

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Folder accessibility error
Description: The DB2 folder is inaccessible.
■ UNIX (236929)
String ID: ESM_DB2_ACCESS_ERR
Category: ESM Error

Database Path Template files (UNIX)

This option lets you enable or disable the template files that the module uses to check the selected file attributes.

User ownership (UNIX)

This check verifies the proper user ownership of files that use the values that are specified in the templates.

The following table lists the messages for the check.

Table 2-111 Messages for User ownership

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Different file ownership
Description: The file owner does not match the owner specified in the file template. If the changes are authorized, update the file template. If the changes are not authorized, correct the file owner and run CRC and/or MD5 checksum checks to ensure file integrity.
■ UNIX (236965)
String ID: ESM_DB2_DIFFOWN
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Different directory ownership
Description: The directory owner does not match the owner specified in the file template. If the changes are authorized, update the file template. If the changes are not authorized, correct the directory owner.
■ UNIX (236966)
String ID: ESM_DB2_DIFFOWN_DIR
Category: Policy Compliance

Group ownership (UNIX)

This check verifies the proper group ownership of the files that use the values that are specified in the templates.

The following table lists the messages for the check.

Table 2-112 Messages for Group ownership

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Different file ownership
Description: The file owner does not match the owner specified in the file template. If the changes are authorized, update the file template. If the changes are not authorized, correct the file owner and run CRC and/or MD5 checksum checks to ensure file integrity.
■ UNIX (236965)
String ID: ESM_DB2_DIFFOWN
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Different directory ownership
Description: The directory owner does not match the owner specified in the file template. If the changes are authorized, update the file template. If the changes are not authorized, correct the directory owner.
■ UNIX (236966)
String ID: ESM_DB2_DIFFOWN_DIR
Category: Policy Compliance

Permissions (UNIX)

This check verifies the proper file permissions that use the values that are specified in the templates.

The following table lists the messages for the check.

Table 2-113 Messages for Permissions

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Different file permissions
Description: The file permissions do not match the permissions specified in the file template. If the changes are authorized, update the file template. If the changes are not authorized, correct the file permissions and run CRC and/or MD5 checksum checks to ensure file integrity.
■ UNIX (236967)
String ID: ESM_DB2_DIFFPERM
Category: Policy Compliance

Severity: yellow-1
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Different directory permissions
Description: The directory permissions do not match the permissions specified in the file template. If the changes are authorized, update the file template. If the changes are not authorized, correct the directory permissions.
■ UNIX (236968)
String ID: ESM_DB2_DIFFPERM_DIR
Category: Policy Compliance

About the ESM DB2 Privileges module

The ESM DB2 Privileges module reports the privileges of the DB2 database objects.

While working with IBM DB2 Version 9.1, if you check the With Schema Owner and With <Object> Owner check box, the check uses the owner name to exclude the record from the output result.

While working with IBM DB2 version 9.5 and later, if you check the With Schema Owner and With <Object> Owner check box, the check uses both the owner name and the owner type to exclude the record from the output result.

DB2 Instances (Windows and UNIX)

Use this option to specify the DB2 instances that are to be checked. By default, the module checks for all the instances that are specified when you configure the Symantec ESM Modules for DB2 Databases. The configuration information is stored in the /esm/config/DB2Module.dat file on UNIX and <Installation_directory>:\Program Files\Symantec\Enterprise Security Manager\ESM\config\DB2Module.dat file on Windows.

View Privileges (Windows and UNIX)

This check reports if the privileges granted to the grantees on the view do not match the required privileges mentioned in the template.

This check uses the DB2 View Privileges template.

The following table lists the messages for the check.

Table 2-114 Messages for View Privileges

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized View Privilege
Description: There is a mismatch in the actual view privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264151)
■ Windows 2003 (264351)
■ Windows 2008 (264551)
String ID: ESM_DB2_VIEW_PRIVILEGE_G
Category: Policy Compliance

Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized View Privilege
Description: There is a mismatch in the actual view privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264152)
■ Windows 2003 (264352)
■ Windows 2008 (264552)
String ID: ESM_DB2_VIEW_PRIVILEGE_Y
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized View Privilege
Description: There is a mismatch in the actual view privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264153)
■ Windows 2003 (264353)
■ Windows 2008 (264553)
String ID: ESM_DB2_VIEW_PRIVILEGE_R
Category: Policy Compliance

Grantee with the WITH ADMIN or GRANT option (Windows and UNIX)

This check lists all users/groups/roles having a privilege on any database object with the WITH ADMIN or WITH GRANT option. Use the include/exclude list to specify grantees you want to report on.

The following table lists the message for the check.

Table 2-115 Message for Grantee with the WITH ADMIN or GRANT option

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Grantee with the WITH ADMIN or GRANT option
Description: The users/groups/roles having a privilege with the WITH ADMIN or WITH GRANT option have been detected. Ensure that the grantee is authorized to have this option.
■ UNIX (264157)
■ Windows 2003 (264357)
■ Windows 2008 (264557)
String ID: ESM_DB2_WITH_ADMIN_GRANT
Category: Policy Compliance

Unauthorized Grantees in Database Authority (Windows and UNIX)

This check reports the users/groups/roles that were granted a certain authority when not authorized. Use the DB2 Authority template to select the authority and specify the authorized users/groups/roles for exclusion.

This check uses the DB2 Authorities template.

The following table lists the message for the check.

Table 2-116 Message for Unauthorized Grantees in Database Authority

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-3
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized grantee having database authority
Description: The users/groups/roles having DB2 authority have been detected. Ensure that the grantee is authorized to have this authority.
■ UNIX (264158)
■ Windows 2003 (264358)
■ Windows 2008 (264558)
String ID: ESM_UNAUTH_GRANTEE_DBAUTH
Category: Policy Compliance

Tablespace Privileges (Windows and UNIX)

This check reports if the access privileges granted to the grantees on the tablespace do not match the required privileges mentioned in the template.

This check uses the DB2 Tablespace Privileges template.

The following table lists the messages for the check.

Table 2-117 Messages for Tablespace Privileges

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Tablespace Privilege
Description: There is a mismatch in the actual tablespace privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264154)
■ Windows 2003 (264354)
■ Windows 2008 (264554)
String ID: ESM_DB2_TABLESPACE_PRIVILEGE_G
Category: Policy Compliance

Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Tablespace Privilege
Description: There is a mismatch in the actual tablespace privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264155)
■ Windows 2003 (264355)
■ Windows 2008 (264555)
String ID: ESM_DB2_TABLESPACE_PRIVILEGE_Y
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Tablespace Privilege
Description: There is a mismatch in the actual tablespace privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264156)
■ Windows 2003 (264356)
■ Windows 2008 (264556)
String ID: ESM_DB2_TABLESPACE_PRIVILEGE_R
Category: Policy Compliance

Table Privileges (Windows and UNIX)

This check reports if the privileges granted to the grantees on the table do not match the required privileges mentioned in the template.

This check uses the DB2 Table Privileges template.

The following table lists the messages for the check.

Table 2-118 Messages for Table Privileges

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Table Privilege
Description: There is a mismatch in the actual table privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264159)
■ Windows 2003 (264359)
■ Windows 2008 (264559)
String ID: ESM_DB2_TABLE_PRIVILEGE_G
Category: Policy Compliance

Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Table Privilege
Description: There is a mismatch in the actual table privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264160)
■ Windows 2003 (264360)
■ Windows 2008 (264560)
String ID: ESM_DB2_TABLE_PRIVILEGE_Y
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Table Privilege
Description: There is a mismatch in the actual table privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264161)
■ Windows 2003 (264361)
■ Windows 2008 (264561)
String ID: ESM_DB2_TABLE_PRIVILEGE_R
Category: Policy Compliance

Role Members (Windows and UNIX)

This check reports the members of the DB2 role specified in the template. This check uses the DB2 Role Members template.

The following table lists the message for the check.

Table 2-119 Messages for Role Members

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Role Member
Description: This member belongs to the DB2 role specified in the template.
■ UNIX (264162)
■ Windows 2003 (264362)
■ Windows 2008 (264562)
String ID: ESM_DB2_ROLE_MEMBER_G
Category: Policy Compliance

Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Role Member
Description: This member belongs to the DB2 role specified in the template.
■ UNIX (264163)
■ Windows 2003 (264363)
■ Windows 2008 (264563)
String ID: ESM_DB2_ROLE_MEMBER_Y
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Role Member
Description: This member belongs to the DB2 role specified in the template.
■ UNIX (264164)
■ Windows 2003 (264364)
■ Windows 2008 (264564)
String ID: ESM_DB2_ROLE_MEMBER_R
Category: Policy Compliance

Routine Privileges (Windows and UNIX)

This check reports if privileges granted to the grantees on the routines like function, method, and procedure do not match the required privileges mentioned in the template.

This check uses the DB2 Routine Privileges template.

The following table lists the messages for the check.

Table 2-120 Messages for Routine Privileges

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Routine Privilege
Description: There is a mismatch in the actual routine privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264165)
■ Windows 2003 (264365)
■ Windows 2008 (264565)
String ID: ESM_DB2_ROUTINE_PRIVILEGE_G
Category: Policy Compliance

Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Routine Privilege
Description: There is a mismatch in the actual routine privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264166)
■ Windows 2003 (264366)
■ Windows 2008 (264566)
String ID: ESM_DB2_ROUTINE_PRIVILEGE_Y
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Routine Privilege
Description: There is a mismatch in the actual routine privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264167)
■ Windows 2003 (264367)
■ Windows 2008 (264567)
String ID: ESM_DB2_ROUTINE_PRIVILEGE_R
Category: Policy Compliance

Nickname Privileges (Windows and UNIX)

This check reports if the privileges granted to the grantees on the nickname do not match the required privileges mentioned in the template.

This check uses the DB2 Nickname Privileges template.

The following table lists the messages for the check.

Table 2-121 Messages for Nickname Privileges

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: green-0
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Nickname Privilege
Description: There is a mismatch in the actual nickname privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264168)
■ Windows 2003 (264368)
■ Windows 2008 (264568)
String ID: ESM_DB2_NICKNAME_PRIVILEGE_G
Category: Policy Compliance

Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Nickname Privilege
Description: There is a mismatch in the actual nickname privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264169)
■ Windows 2003 (264369)
■ Windows 2008 (264569)
String ID: ESM_DB2_NICKNAME_PRIVILEGE_Y
Category: Policy Compliance

Severity: red-4
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Unauthorized Nickname Privilege
Description: There is a mismatch in the actual nickname privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.
■ UNIX (264170)
■ Windows 2003 (264370)
■ Windows 2008 (264570)
String ID: ESM_DB2_NICKNAME_PRIVILEGE_R
Category: Policy Compliance

Privileges of PUBLIC group (Windows and UNIX)

This check lists all the privileges the PUBLIC group has on any database object. Use the keys list to specify the object types that the check must report on.

The following table lists the message for the check.

Table 2-122 Message for Privileges of PUBLIC group

Additional Information
Message Title and Description
Platform and Message Numeric ID
Message String ID and Category

Severity: yellow-2
Correctable: false
Snapshot Updatable: false
Template Updatable: false
Information Field Format: [%s]
Title: Privilege of PUBLIC group
Description: PUBLIC group has a privilege on a database object. Ensure that the privilege is assigned to a specific user directly or by using roles and not through PUBLIC group.
■ UNIX (264171)
■ Windows 2003 (264371)
■ Windows 2008 (264571)
String ID: ESM_DB2_PUBLIC_PRIV
Category: Policy Compliance
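The two-way template comparison described for the View Privileges and Table Privileges checks, together with the WITH GRANT option and PUBLIC group checks, shown as an added example that is not Symantec ESM code. It assumes grants are read from the DB2 catalog view SYSCAT.TABAUTH (privilege columns hold 'Y', 'G' or 'N'); the template record layout, finding labels, and sample rows are hypothetical and constructed for illustration.

```python
from collections import namedtuple

# Privilege columns of the DB2 catalog view SYSCAT.TABAUTH (tables and views).
# Values: 'Y' held, 'G' held WITH GRANT OPTION, 'N' not held.
PRIV_COLUMNS = {
    "CONTROL": "CONTROLAUTH", "ALTER": "ALTERAUTH", "DELETE": "DELETEAUTH",
    "INDEX": "INDEXAUTH", "INSERT": "INSERTAUTH", "REFERENCES": "REFAUTH",
    "SELECT": "SELECTAUTH", "UPDATE": "UPDATEAUTH",
}

# Hypothetical template record: the guide only states that a grantee privilege
# is either marked Restricted or not; the real ESM template layout is not shown.
TemplateEntry = namedtuple("TemplateEntry", "schema name grantee privilege restricted")


def held_privileges(rows):
    """Map (schema, object, grantee) to {privilege: 'Y' or 'G'} from catalog rows."""
    held = {}
    for row in rows:
        key = (row["TABSCHEMA"].strip(), row["TABNAME"].strip(), row["GRANTEE"].strip())
        for privilege, column in PRIV_COLUMNS.items():
            flag = row.get(column, "N")
            if flag in ("Y", "G"):
                held.setdefault(key, {})[privilege] = flag
    return held


def audit(rows, template):
    """Return findings as (kind, grantee, privilege, object) tuples."""
    held = held_privileges(rows)
    findings = []
    # Mismatch in either direction: a Restricted privilege that is present, or
    # a privilege not marked Restricted that is absent.
    for entry in template:
        obj = f"{entry.schema}.{entry.name}"
        present = entry.privilege in held.get((entry.schema, entry.name, entry.grantee), {})
        if entry.restricted and present:
            findings.append(("RESTRICTED_PRESENT", entry.grantee, entry.privilege, obj))
        elif not entry.restricted and not present:
            findings.append(("REQUIRED_MISSING", entry.grantee, entry.privilege, obj))
    # Independent of the template: grantable privileges and anything held by PUBLIC.
    for (schema, name, grantee), privileges in sorted(held.items()):
        for privilege, flag in sorted(privileges.items()):
            if flag == "G":
                findings.append(("WITH_GRANT_OPTION", grantee, privilege, f"{schema}.{name}"))
            if grantee == "PUBLIC":
                findings.append(("PUBLIC_PRIVILEGE", grantee, privilege, f"{schema}.{name}"))
    return findings


# Constructed sample rows shaped like SYSCAT.TABAUTH output (not real data).
SAMPLE_ROWS = [
    {"GRANTEE": "APPUSER", "GRANTEETYPE": "U", "TABSCHEMA": "SALES",
     "TABNAME": "V_ORDERS", "SELECTAUTH": "Y", "UPDATEAUTH": "N"},
    {"GRANTEE": "REPORTER", "GRANTEETYPE": "U", "TABSCHEMA": "SALES",
     "TABNAME": "V_ORDERS", "SELECTAUTH": "G", "UPDATEAUTH": "N"},
    {"GRANTEE": "PUBLIC", "GRANTEETYPE": "G", "TABSCHEMA": "SALES",
     "TABNAME": "V_ORDERS", "SELECTAUTH": "Y", "UPDATEAUTH": "N"},
]

# Constructed template entries for the same view.
SAMPLE_TEMPLATE = [
    TemplateEntry("SALES", "V_ORDERS", "APPUSER", "SELECT", restricted=False),
    TemplateEntry("SALES", "V_ORDERS", "APPUSER", "UPDATE", restricted=True),
    TemplateEntry("SALES", "V_ORDERS", "PUBLIC", "SELECT", restricted=True),
    TemplateEntry("SALES", "V_ORDERS", "AUDITOR", "SELECT", restricted=False),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROWS, SAMPLE_TEMPLATE):
        print(*finding)
```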

Column Privileges (Windows and UNIX)

This check reports if the privileges granted to the grantees on the column do not match the required privileges mentioned in the template.

This check uses the DB2 Column Privileges template.

The following table lists the messages for the check.

Table 2-123 Messages for Table Privileges

Additional Information

Message Title and Description

Platform and Message Numeric ID

Message String ID and Category

Severity: green-0

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Unauthorized Column Privilege

Description: There is a mismatch in the actual column privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.

■ UNIX (264172)

■ Windows 2003 (264372)

■ Windows 2008 (264572)

String ID: ESM_DB2_COLUMN_PRIVILEGE_G

Category: Policy Compliance

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Unauthorized Column Privilege

Description: There is a mismatch in the actual column privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.

■ UNIX (264173)

■ Windows 2003 (264373)

■ Windows 2008 (264573)

String ID: ESM_DB2_COLUMN_PRIVILEGE_Y

Category: Policy Compliance

Severity: red-4

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Unauthorized Column Privilege

Description: There is a mismatch in the actual column privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.

■ UNIX (264174)

■ Windows 2003 (264374)

■ Windows 2008 (264574)

String ID: ESM_DB2_COLUMN_PRIVILEGE_R

Category: Policy Compliance

Schema Privileges (Windows and UNIX)

This check reports if the privileges granted to the grantees on the schema do not match the required privileges mentioned in the template.

This check uses the DB2 Schema Privileges template.

The following table lists the messages for the check.

Table 2-124 Messages for Table Privileges

Additional Information

Message Title and Description

Platform and Message Numeric ID

Message String ID and Category

Severity: green-0

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Unauthorized Schema Privilege

Description: There is a mismatch in the actual schema privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.

■ UNIX (264175)

■ Windows 2003 (264375)

■ Windows 2008 (264575)

String ID: ESM_DB2_SCHEMA_PRIVILEGE_G

Category: Policy Compliance

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Unauthorized Schema Privilege

Description: There is a mismatch in the actual schema privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.

■ UNIX (264176)

■ Windows 2003 (264376)

■ Windows 2008 (264576)

String ID: ESM_DB2_SCHEMA_PRIVILEGE_Y

Category: Policy Compliance

Severity: red-4

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Unauthorized Schema Privilege

Description: There is a mismatch in the actual schema privilege present in the database and the privilege that is mentioned in the template. Check if the Grantee privilege marked as Restricted in the template is available in the database, or if the Grantee privilege not marked as Restricted in the template is not available in the database. For more information, see the corresponding Information column.

■ UNIX (264177)

■ Windows 2003 (264377)

■ Windows 2008 (264577)

String ID: ESM_DB2_SCHEMA_PRIVILEGE_R

Category: Policy Compliance

Maximum reported messages (Windows and UNIX)

Enable this option to limit the number of messages that are reported for each database. Use the Maximum Messages text box to specify the maximum number of times a message should be displayed. When the maximum number for a message is reached, the message is displayed again with the count of the repeat instances of the message that are not reported.

About the ESM DB2 Configuration module

The ESM DB2 Configuration module reports the configuration of the DB2 database objects.

DB2 Instances (Windows and UNIX)

Use this option to specify the DB2 instances that are to be checked. By default, the module checks for all the instances that are specified when you configure the Symantec ESM Modules for DB2 Databases. The configuration information is stored in the /esm/config/DB2Module.dat file on UNIX and <Installation_directory>:\Program Files\Symantec\Enterprise Security Manager\ESM\config\DB2Module.dat file on Windows.

Database Manager Configuration (Windows and UNIX)

This check reports the database configuration parameters selected in the template for configured instances of the database.

This check uses the DB2 Database Manager Configuration Parameters template.

The following table lists the messages for the check.

Table 2-125 Messages for Database Manager Configuration

Additional Information

Message Title and Description

Platform and Message Numeric ID

Message String ID and Category

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Recommended database manager configuration value does not exist

Description: The recommended database manager configuration value does not exist.

■ UNIX (265355)

■ Windows 2003 (265655)

■ Windows 2008 (265955)

String ID: ESM_DB2_DBM_CONFIG_Y

Category: Policy Compliance

Severity: red-4

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Recommended database manager configuration value does not exist

Description: The recommended database manager configuration value does not exist.

■ UNIX (265354)

■ Windows 2003 (265654)

■ Windows 2008 (265954)

String ID: ESM_DB2_DBM_CONFIG_R

Category: Policy Compliance

Severity: green-0

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Recommended database manager configuration value does not exist

Description: The recommended database manager configuration value does not exist.

■ UNIX (265353)

■ Windows 2003 (265653)

■ Windows 2008 (265953)

String ID: ESM_DB2_DBM_CONFIG_G

Category: Policy Compliance

Database Configuration (Windows and UNIX)

This check reports the database configuration parameters selected in the template for configured instances of the database.

This check uses the DB2 Database Configuration Parameters template.

The following table lists the messages for the check.

Table 2-126 Messages for Database Configuration

Additional Information

Message Title and Description

Platform and Message Numeric ID

Message String ID and Category

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Recommended database configuration value does not exist

Description: The recommended database configuration value does not exist.

■ UNIX (265358)

■ Windows 2003 (265658)

■ Windows 2008 (265958)

String ID: ESM_DB2_DB_CONFIG_Y

Category: Policy Compliance

Severity: red-4

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Recommended database configuration value does not exist

Description: The recommended database configuration value does not exist.

■ UNIX (265357)

■ Windows 2003 (265657)

■ Windows 2008 (265957)

String ID: ESM_DB2_DB_CONFIG_R

Category: Policy Compliance

Severity: green-0

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Recommended database configuration value does not exist

Description: The recommended database configuration value does not exist.

■ UNIX (265356)

■ Windows 2003 (265656)

■ Windows 2008 (265956)

String ID: ESM_DB2_DB_CONFIG_G

Category: Policy Compliance

Admin Configuration (Windows and UNIX)

This check reports the admin configuration parameters selected in the template for configured instances of the database.

Note: This check reports the database admin configuration only for the configured instances and not with respect to nodes. Therefore, the same admin configuration information will be reported multiple times for all the instances under the same node.

This check uses the DB2 Admin Configuration Parameters template.

The following table lists the messages for the check.

Table 2-127 Messages for Admin Configuration

Additional Information

Message Title and Description

Platform and Message Numeric ID

Message String ID and Category

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Recommended admin configuration value does not exist

Description: The recommended admin configuration value does not exist.

■ UNIX (265361)

■ Windows 2003 (265661)

■ Windows 2008 (265961)

String ID: ESM_DB2_ADMIN_CONFIG_Y

Category: Policy Compliance

Severity: red-4

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Recommended admin configuration value does not exist

Description: The recommended admin configuration value does not exist.

■ UNIX (265360)

■ Windows 2003 (265660)

■ Windows 2008 (265960)

String ID: ESM_DB2_ADMIN_CONFIG_R

Category: Policy Compliance

Severity: green-0

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Recommended admin configuration value does not exist

Description: The recommended admin configuration value does not exist.

■ UNIX (265359)

■ Windows 2003 (265659)

■ Windows 2008 (265959)

String ID: ESM_DB2_ADMIN_CONFIG_G

Category: Policy Compliance

Fenced user (UNIX)

This check reports if the fenced user is a member of any of the privileged groups provided in the name list, if the fenced user is one of the users provided in the name list, or if the fenced user name is the same as the instance owner name. Use the name list to add keywords such as %SYSADM_GROUP%, %SYSCTRL_GROUP%, %SYSMAINT_GROUP%, %SYSMON_GROUP%, and %DB2INSTANCE_OWNER%.

The following table lists the messages for the check.

Table 2-128 Messages for Fenced user

Additional Information

Message Title and Description

Platform and Message Numeric ID

Message String ID and Category

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Privileged Fenced user

Description: The fenced user is a privileged user.

■ UNIX (265362)

String ID: ESM_DB2_FENCED

Category: Policy Compliance

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Prohibited Fenced user

Description: The fenced user is a prohibited user.

■ UNIX (265363)

String ID: ESM_DB2_PROHIBIT_FENCED

Category: Policy Compliance

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Fenced user does not exist

Description: The fenced user does not exist on the computer.

■ UNIX (265364)

String ID: ESM_DB2_NO_FENCED

Category: Policy Compliance

DB2 sysctrl or sysmaint group is set as sysadm group (Windows and UNIX)

This check reports if the same group is set for System Control or System Maintenance Authority as is set for System Administrator Authority.

The following table lists the messages for the check.

Table 2-129 Messages for DB2 sysctrl or sysmaint group is set as sysadm group

Additional Information

Message Title and Description

Platform and Message Numeric ID

Message String ID and Category

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Sysctrl group is set as sysadm group

Description: The group that is set for the System Control group is the same as is set for the System Administrator Authority group.

■ UNIX (265365)

■ Windows 2003 (265665)

■ Windows 2008 (265965)

String ID: ESM_DB2_SYSCTRL_GRP

Category: Policy Compliance

Severity: yellow-1

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Sysmaint group is set as sysadm group

Description: The group that is set for System Maintenance group is the same as is set for the System Administrator Authority group.

■ UNIX (265366)

■ Windows 2003 (265666)

■ Windows 2008 (265966)

String ID: ESM_DB2_SYSMAINT_GRP

Category: Policy Compliance
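The comparisons described for the Fenced user check and the sysctrl/sysmaint check can be reproduced by hand from `db2 get dbm cfg` output. The following is an added example, not Symantec ESM code: the sample output, group names, user names, and all function names are constructed for illustration, and the case-insensitive comparison is an assumption.

```python
import re

# Constructed sample of `db2 get dbm cfg` output; the group names are made up.
SAMPLE_DBM_CFG = """\
 Database manager configuration release level            = 0x0d00
 SYSADM group name                        (SYSADM_GROUP) = DB2ADMIN
 SYSCTRL group name                      (SYSCTRL_GROUP) = DB2ADMIN
 SYSMAINT group name                    (SYSMAINT_GROUP) = DB2MAINT
 SYSMON group name                        (SYSMON_GROUP) =
"""

_CFG_LINE = re.compile(r"\(([A-Z0-9_]+)\)\s*=\s*(.*)$")
_KEYWORD = re.compile(r"^%([A-Z0-9_]+)%$")  # keywords are case-sensitive


def parse_dbm_cfg(text):
    """Map short parameter names to values, e.g. {'SYSADM_GROUP': 'DB2ADMIN'}."""
    params = {}
    for line in text.splitlines():
        match = _CFG_LINE.search(line)
        if match:
            params[match.group(1)] = match.group(2).strip()
    return params


def groups_shared_with_sysadm(params):
    """Return (parameter, group) pairs whose group is the same as SYSADM_GROUP."""
    sysadm = params.get("SYSADM_GROUP", "")
    if not sysadm:
        return []  # no explicit SYSADM group to compare against
    shared = []
    for name in ("SYSCTRL_GROUP", "SYSMAINT_GROUP"):
        value = params.get(name, "")
        # An unset parameter names no group, so it cannot be a duplicate.
        if value and value.casefold() == sysadm.casefold():
            shared.append((name, value))
    return shared


def expand_name_list(entries, params, instance_owner):
    """Replace %KEYWORD% entries with their values; drop keywords that are unset."""
    expanded = []
    for entry in entries:
        match = _KEYWORD.match(entry)
        if not match:
            expanded.append(entry)  # a literal user or group name
            continue
        key = match.group(1)
        value = instance_owner if key == "DB2INSTANCE_OWNER" else params.get(key, "")
        if value:
            expanded.append(value)
    return expanded


def fenced_user_reasons(fenced_user, fenced_groups, name_list, instance_owner):
    """Return the reasons, if any, for reporting the fenced user."""
    listed = {name.casefold() for name in name_list}
    reasons = []
    if fenced_user.casefold() == instance_owner.casefold():
        reasons.append(("instance-owner", fenced_user))
    if fenced_user.casefold() in listed:
        reasons.append(("listed-user", fenced_user))
    for group in fenced_groups:
        if group.casefold() in listed:
            reasons.append(("listed-group", group))
    return reasons


if __name__ == "__main__":
    cfg = parse_dbm_cfg(SAMPLE_DBM_CFG)
    print(groups_shared_with_sysadm(cfg))
    names = expand_name_list(["%SYSADM_GROUP%", "%DB2INSTANCE_OWNER%"], cfg, "db2inst1")
    print(fenced_user_reasons("db2fenc1", ["db2admin"], names, "db2inst1"))
```
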

Default databases (Windows and UNIX)

This check lists the default databases that are mentioned in the name list and are present on the computer.

The following table lists the message for the check.

Table 2-130 Message for Default databases

Additional Information

Message Title and Description

Platform and Message Numeric ID

Message String ID and Category

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Default database

Description: The default database is present on the computer.

■ UNIX (265367)

■ Windows 2003 (265667)

■ Windows 2008 (265967)

String ID: ESM_DB2_DEFAULTDB

Category: Policy Compliance

Unauthorized members in dasadm group (Windows and UNIX)

This check reports the unauthorized users and groups that are members of the DAS administration authority group. Use the name list to exclude the users or groups that are authorized to have the DAS administration authority group membership.

The following table lists the messages for the check.

Table 2-131 Messages for Unauthorized members in dasadm group

Additional Information

Message Title and Description

Platform and Message Numeric ID

Message String ID and Category

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Unauthorized member of DAS administration authority group

Description: An unauthorized member of the DAS administration authority group has been detected. Ensure that the member is authorized.

■ UNIX (263568)

■ Windows 2003 (265668)

■ Windows 2008 (265968)

String ID: ESM_DB2_UNAUTH_DAS

Category: Policy Compliance

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Configuration parameter value is invalid

Description: The configuration parameter is invalid.

■ UNIX (263572)

■ Windows 2003 (265672)

■ Windows 2008 (265972)

String ID: ESM_DB2_PARAMVAL_INVALID

Category: Policy Compliance

Unauthorized members in DB2 system groups (Windows and UNIX)

This check reports the unauthorized users and groups that are members of the DB2 System authority groups. Use the name list to enable or disable the template.

This check uses the DB2 System Authority Groups template.

The following table lists the messages for the check.

Table 2-132 Messages for Unauthorized members in DB2 system groups

Additional Information

Message Title and Description

Platform and Message Numeric ID

Message String ID and Category

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Unauthorized member of DB2 system group

Description: An unauthorized member of the DB2 system authority group has been detected. Ensure that the member is authorized.

■ UNIX (263569)

■ Windows 2003 (265669)

■ Windows 2008 (265969)

String ID: ESM_DB2_UNAUTH_SYSGRP

Category: Policy Compliance

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Configuration parameter not found

Description: The configuration parameter is not found.

■ UNIX (263570)

■ Windows 2003 (265670)

■ Windows 2008 (265970)

String ID: ESM_DB2_PARAM_NOT_FND

Category: Policy Compliance

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Configuration parameter not set

Description: The configuration parameter is not set.

■ UNIX (263571)

■ Windows 2003 (265671)

■ Windows 2008 (265971)

String ID: ESM_DB2_PARAM_NOT_SET

Category: Policy Compliance

Severity: yellow-2

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

Title: Configuration parameter value is invalid

Description: The configuration parameter value is not valid.

■ UNIX (263572)

■ Windows 2003 (265672)

■ Windows 2008 (265972)

String ID: ESM_DB2_PARAM_NOT_VALID

Category: Policy Compliance

Chapter 3: Working with the DB2 templates

This chapter includes the following topics:

■ About the DB2 Authorities template

■ Creating the DB2 Authorities template

■ About using the DB2 Authorities template

■ About the DB2 Database Manager Config Params template

■ Creating the DB2 Database Manager Config Params template

■ About using the DB2 Database Manager Config Params template

■ About the DB2 Fix Packs template

■ Creating the DB2 Fix Packs template

■ About using the DB2 Fix Packs template

■ About the DB2 Admin Config Params template

■ Creating the DB2 Admin Config Params template

■ About using the DB2 Admin Config Params template

■ About the DB2 Database Config Params template

■ Creating the DB2 Database Config Params template

■ About using the DB2 Database Config Param template

■ About the DB2 View Privileges template

■ Creating the DB2 View Privileges template

■ About using the DB2 View Privileges template

■ About the DB2 Tablespace Privileges template

■ Creating the DB2 Tablespace Privileges template

■ About using the DB2 Tablespace Privileges template

■ About the DB2 Table Privileges template

■ Creating the DB2 Table Privileges template

■ About using the DB2 Table Privileges template

■ About the DB2 Role Members template

■ Creating the DB2 Role Members template

■ About using the DB2 Role Members template

■ About the DB2 Routine Privileges template

■ Creating the DB2 Routine Privileges template

■ About using the DB2 Routine Privileges template

■ About the DB2 Nickname Privileges template

■ Creating the DB2 Nickname Privileges template

■ About using the DB2 Nickname Privileges template

■ About the DB2 System Authority Groups template

■ Creating the DB2 System Authority Groups template

■ About using the DB2 System Authority Groups template

■ About the DB2 Column Privileges template

■ Creating the DB2 Column Privileges template

■ About using the DB2 Column Privileges template

■ About the DB2 Schema Privileges template

■ Creating the DB2 Schema Privileges template

■ About using the DB2 Schema Privileges template

■ About the DB2 Audit Settings template

■ Creating the DB2 Audit Settings template

■ About using the DB2 Audit Settings template

■ About the DB2 Database File Permissions template

■ Creating the DB2 Database File Permissions template

■ About using the DB2 Database File Permissions template

About the DB2 Authorities template

The Unauthorized Grantees in Database Authority check of the DB2 Privileges module uses the DB2 Authorities template. By using this template, the check lets you report users/groups/roles having certain database authorities. All the authorities so far available in DB2 v9.7 are provided in the default template. Use the DB2 Authority template to select the authority and specify the authorized users/groups/roles for exclusion.

Note: The authorities SQLADMAUTH, WLMADMAUTH, EXPLAINAUTH, DATAACCESSAUTH, and ACCESSCTRLAUTH are not available in DB2 database version 9.5 and earlier.

Creating the DB2 Authorities template

To run the Unauthorized Grantees in Database Authority check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.

■ Edit the default template.

■ Create a new template.

To create a DB2 Authorities template

1 In the tree view, right-click Templates, and then click New.

2 In the Create New Template dialog box, select DB2 Authorities - all.

3 In the Template file name (no extension) text box, type the new template file name.

4 After Symantec ESM adds the .aut extension to the template file name, click OK.

About using the DB2 Authorities template

The DB2 Authorities template contains the following fields:

Table 3-1 Field and Values/Options descriptions

Field: Enabled

Description: Lets you enable a specific DB2 authority.

Values/Options: Check the Enabled check box to enable a DB2 authority.

Field: DB2 Authority

Description: Lets you select the name of the DB2 authority.

Values/Options: Select any one of the following:

■ ACCESSCTRL: Access Control Authority

■ BINDADD: Bind Add Authority

■ CONNECT: Connect Authority

■ DBADM: Database Administration Authority

■ CREATE_EXTERNAL_ROUTINE: External Routine Authority

■ DATAACCESS: Data Access Authority

■ IMPLICIT_SCHEMA: Implicit Schema Authority

■ LOAD: Load Authority

■ CREATE_NOT_FENCED: Create Not Fenced Authority

■ QUIESCE_CONNECT: QUIESCE CONNECT Authority

■ SQLADM: SQL Administration Authority

■ SECADM: Security Administration Authority

■ CREATETAB: Create Table Authority

■ WLMADM: Workload Administration Authority

■ EXPLAIN: Explain Authority

■ LIBRARYADM: Library Administration Authority

Field: Exclude Grantee

Description: Lets you exclude a grantee.

Values/Options: Check the Exclude Grantee check box to exclude a grantee.

Field: Grantee

Description: Lets you display the Template Sublist Editor window to specify a grantee.

Values/Options:

■ Grantee: Enter the name of the grantee.

■ Grantee Type: Select the grantee type as User, Group, or Role.

Note: Use the keywords %SYSADM_GROUP%, %SYSCTRL_GROUP%, %SYSMAINT_GROUP%, and %SYSMON_GROUP% to specify the grantee for the grantee type Group. These keywords expand to display the corresponding parameter values and report if the group has the selected authority. The keywords are case-sensitive.

Field: DB2 Version

Description: Lets you display the Template Sublist Editor window to specify the DB2 version.

Values/Options:

■ Exclude: Check to exclude a DB2 database version.

■ Version: Enter the DB2 database version.

  ■ ALL: All releases (default if no release specified)

  ■ 9.0: Release 9.0.x

  ■ 9.5: Release 9.5.x

  ■ 9.5.3: Release 9.5.3.x

  ■ -9.5: Release 9.5.x and earlier

  ■ +10: Release 10.x and later

About the DB2 Database Manager Config Params template

The Database Manager Configuration check of the DB2 Configuration module uses the DB2 Database Manager Config Params template. The default template contains a pre-defined list of all database manager configuration parameters available in DB2 v9.7. By using this template, the check lets you report if the setting on the machine is different from the recommended value in the template.

This template provides sublists that let you do the following:

■ Specify the conditional database manager configuration parameters.

■ Specify OS specific database manager configuration parameters.

■ Specify DB2 version specific database manager configuration parameters.

Creating the DB2 Database Manager Config Params template

To run the Database Manager Configuration check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.

■ Edit the default template.

■ Create a new template.

To create a DB2 Database Manager Config Params template

1 In the tree view, right-click Templates, and then click New.

2 In the Create New Template dialog box, select DB2 Database Manager Config Params - all.

3 In the Template file name (no extension) text box, type the new template file name.

4 After Symantec ESM adds the .dcp extension to the template file name, click OK.

About using the DB2 Database Manager Config Params template

The DB2 Database Manager Config Params template contains the following fields:

Table 3-2 Field and Values/Options descriptions

Field: Enabled

Description: Lets you enable a specific DB2 database manager configuration parameter.

Values/Options: Check the Enabled check box to enable a DB2 database manager configuration parameter.

Field: Description

Description: Lets you specify the description of the DB2 database manager configuration parameter.

Values/Options: NA

Field: Configuration Parameter

Description: Lets you specify the DB2 database manager configuration parameter.

Values/Options: Enter the DB2 database manager configuration parameter.

Field: Recommended Value

Description: Lets you specify the recommended value for the DB2 database manager configuration parameter.

Values/Options: Enter the recommended value for the DB2 database manager configuration parameter.

Field: Conditional Parameters

Description: Lets you display the Template Sublist Editor to specify the conditional parameters.

Values/Options:

■ Description: Enter a description for the conditional parameter.

■ Conditional Parameter: Enter a conditional parameter.

■ Recommended Value: Enter a recommended value.

Field: OS/Rev

Description: Lets you display the Template Sublist Editor to specify the OS and the revision.

Values/Options:

■ Exclude: Check to exclude an OS and revision.

■ OS

  ■ ALL: All platforms

  ■ UNIX: All UNIX platforms

  ■ NT: All NT platforms

  ■ WIN2K: All Windows 2000 platforms

  ■ WINXP: All Windows XP platforms

  ■ WIN2K3: All Windows 2003 platforms

  ■ WIN2K3-ix64: Windows 2003 x64 platforms

  ■ WIN2K3-ix86: Windows 2003 x86 platforms

  ■ WIN2K3-ia64: Windows 2003 ia64 platforms

  ■ WIN2K8: All Windows 2008 platforms

  ■ WIN2K8-ix64: Windows 2008 x64 platforms

  ■ WIN2K8-ix86: Windows 2008 x86 platforms

  ■ WIN2K8-ia64: Windows 2008 ia64 platforms

  ■ WIN7: All Windows 7 platforms

  ■ WIN7-ix64: Windows 7 x64 platforms

  ■ WIN7-ix86: Windows 7 x86 platforms

  ■ WINVISTA: All Windows Vista platforms

  ■ WINVISTA-ix64: Windows Vista x64 platforms

  ■ WINVISTA-ix86: Windows Vista x86 platforms

  ■ aix-rs6k

  ■ aix-ppc64

  ■ hpux-hppa

  ■ hpux-ia64

  ■ solaris-sparc

  ■ solaris-x86

  ■ redhat-x86

  ■ redhat-s390x

  ■ suse-s390x

  ■ redhat-ia64

  ■ suse-x86

  ■ suse-ia64

  ■ nt-ix86

  ■ suse-ppc64

  ■ redhat-ppc64

  ■ solaris-local-zone

■ Revision: Enter a revision number for the OS.

Field: DB2 Version

Description: Lets you specify the DB2 version of the target server that you want the check to report on.

Values/Options:

■ Exclude: Check to exclude a DB2 database version.

■ Version: Enter the DB2 database version.

  ■ ALL: All releases (default if no release specified)

  ■ 9.0: Release 9.0.x

  ■ 9.5: Release 9.5.x

  ■ 9.5.3: Release 9.5.3.x

  ■ -9.5: Release 9.5.x and earlier

  ■ +10: Release 10.x and later

Field: Severity

Description: Lets you specify the severity level for the audit type that you select.

Values/Options:

■ Green: Select Green for an Information message.

■ Yellow: Select Yellow for a Warning message.

■ Red: Select Red for an Error message.

Note: Enter the short name of the parameter, if available, as long names for these parameters are considered invalid.
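The DB2 Version sublist values listed in Table 3-1 and Table 3-2 (ALL, 9.0, 9.5, 9.5.3, -9.5, +10) can be read as prefix and range matches on the release number. The following is an added example, not Symantec ESM code: the function names and sample rows are constructed, and the way several sublist rows combine (an Exclude match wins, and an empty sublist means all releases) is an assumption that the guide does not spell out.

```python
def _numbers(version):
    """'9.5.3' -> (9, 5, 3)"""
    return tuple(int(part) for part in version.strip().split("."))


def spec_matches(spec, version):
    """Test one Version value from the sublist against a DB2 release string."""
    spec = spec.strip()
    if not spec or spec.upper() == "ALL":
        return True  # "ALL" is the default if no release is specified
    bound = ""
    if spec[0] in "+-":
        bound, spec = spec[0], spec[1:]
    want = _numbers(spec)
    have = _numbers(version)
    # Compare only as many components as the specifier names, so that
    # "9.5" covers every 9.5.x release and "9.5.3" covers every 9.5.3.x.
    head = (have + (0,) * len(want))[:len(want)]
    if bound == "-":
        return head <= want  # "-9.5": release 9.5.x and earlier
    if bound == "+":
        return head >= want  # "+10": release 10.x and later
    return head == want


def row_applies(version_rows, version):
    """version_rows is a list of (exclude, spec) pairs from one template row."""
    includes = [spec for excluded, spec in version_rows if not excluded]
    excludes = [spec for excluded, spec in version_rows if excluded]
    if any(spec_matches(spec, version) for spec in excludes):
        return False  # assumption: an Exclude match always wins
    return not includes or any(spec_matches(spec, version) for spec in includes)


# Constructed template rows (authority, DB2 Version sublist); not recommended settings.
SAMPLE_ROWS = [
    ("DBADM", []),
    ("SQLADM", [(True, "-9.5")]),
    ("WLMADM", [(True, "-9.5")]),
    ("CONNECT", [(False, "9.5.3")]),
]


def authorities_checked(rows, version):
    """Return the authorities whose template row applies to this DB2 release."""
    return [name for name, sublist in rows if row_applies(sublist, version)]


if __name__ == "__main__":
    for release in ("9.5.3.1", "9.7.0.4", "10.1.0"):
        print(release, authorities_checked(SAMPLE_ROWS, release))
```
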

About the DB2 Fix Packs template

The Template files check uses the DB2 Fix Packs template. By using this template, the check lets you report the information on the specific template files that are to be included for the checks.

Creating the DB2 Fix Packs template

To run the Template files check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.

■ Edit the default template.

■ Create a new template.

To create a DB2 Fix Packs template

1 In the tree view, right-click Templates, and then click New.

2 In the Create New Template dialog box, select DB2 Fix Packs - all.

3 In the Template file name (no extension) text box, type new template filename.

4 After Symantec ESM adds the .wdb extension to the template file name, clickOK.

About using the DB2 Fix Packs templateThe DB2 Fix Packs template contains the following fields:

Table 3-3 Field and Values/Options descriptions

Field: Product
Description: Lets you specify the product name that is installed on the server. Note: The check does not consider the product name for the verification report.
Values/Options: Enter the name of the product that is installed on the server. For example, IBM DB2 Version 9.5.

Field: Version
Description: Lets you specify the DB2 database version of the target server that you want the check to report on.
Values/Options: Enter the patch version number that you want the check to report on.

Field: Platform
Description: Lets you specify the platform of the target server that you want the check to report on.
Values/Options:
■ All: Select this value for the check to report on all platforms.
■ aix: Select this value for the check to report on Aix platforms.
■ hpux-hppa: Select this value for the check to report on Hpux-hppa platforms.
■ linux: Select this value for the check to report on Linux platforms.
■ solaris-sparc: Select this value for the check to report on Solaris-sparc platforms.
■ hpux-ia64: Select this value for the check to report on Hpux-ia64 platforms.
■ hpux-hppa/HP-UX 10.20: Select this value for the check to report on HP-UX 10.20 platforms.
■ redhat-x86: Select this value for the check to report on RedHat platforms.
■ WIN3S: Select this value for the check to report on all Windows 2003 platforms.
■ WIN8S: Select this value for the check to report on all Windows 2008 platforms.

Field: Fix Pack ID
Description: Lets you specify the Fix Pack identifier.
Values/Options: Enter the Fix Pack ID.

Field: Release Date
Description: Lets you specify the release date of the fix pack.
Values/Options: Enter the date in the following format: YYYY/MM/DD.

Field: Architecture
Description: Lets you specify the architecture of the server that you want the check to report on.
Values/Options:
■ All: Select this value for the check to report on all processors.
■ 32 bits: Select this value for the check to report on 32-bit processor.
■ 64 bits: Select this value for the check to report on 64-bit processor.

Field: Description
Description: Lets you enter a description for the patch.
Values/Options: NA

Field: Build Level
Description: Lets you specify the build number of the DB2 database.
Values/Options: Enter the build number for the DB2 database.

Field: PTF No.
Description: Lets you specify the platform number of the operating system on which the DB2 database is installed.
Values/Options: Enter the platform number.

About the DB2 Admin Config Params template

The Admin Configuration check of the DB2 Configuration module uses the DB2 Admin Config Params template. By using this template, the check reports the admin configuration parameters selected in the template for configured instances of the database.

This template provides sublists that let you do the following:

■ Specify the conditional admin configuration parameters.
■ Specify OS specific admin configuration parameters.
■ Specify DB2 version specific admin configuration parameters.

Creating the DB2 Admin Config Params template

To run the Admin Configuration check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.
■ Edit the default template.
■ Create a new template.

To create a DB2 Admin Config Params template

1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select DB2 Admin Config Params - all.
3 In the Template file name (no extension) text box, type the new template file name.
4 After Symantec ESM adds the .dap extension to the template file name, click OK.

About using the DB2 Admin Config Params template

The DB2 Admin Config Params template contains the following fields:

Table 3-4 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific admin configuration parameter.
Values/Options: Check the Enabled check box to enable a DB2 admin configuration parameter.

Field: Description
Description: Lets you specify the description of the DB2 admin configuration parameter.
Values/Options: NA

Field: Configuration Parameter
Description: Lets you specify the DB2 admin configuration parameter.
Values/Options: Enter a DB2 admin configuration parameter.

Field: Recommended Value
Description: Lets you specify the recommended value for the DB2 admin configuration parameter.
Values/Options: Enter a recommended value for the DB2 admin configuration parameter.

Field: Conditional Parameters
Description: Lets you display the Template Sublist Editor to specify the conditional parameters.
Values/Options:
■ Description: Enter a description for the conditional parameter.
■ Conditional Parameter: Enter a conditional parameter.
■ Recommended Value: Enter a recommended value.

Field: OS/Rev
Description: Lets you display the Template Sublist Editor to specify the OS and the revision.
Values/Options:
■ Exclude: Check to exclude an OS and revision.
■ OS
    ■ ALL: All platforms
    ■ UNIX: All UNIX platforms
    ■ NT: All NT platforms
    ■ WIN2K: All Windows 2000 platforms
    ■ WINXP: All Windows XP platforms
    ■ WIN2K3: All Windows 2003 platforms
    ■ WIN2K3-ix64: Windows 2003 x64 platforms
    ■ WIN2K3-ix86: Windows 2003 x86 platforms
    ■ WIN2K3-ia64: Windows 2003 ia64 platforms
    ■ WIN2K8: All Windows 2008 platforms
    ■ WIN2K8-ix64: Windows 2008 x64 platforms
    ■ WIN2K8-ix86: Windows 2008 x86 platforms
    ■ WIN2K8-ia64: Windows 2008 ia64 platforms
    ■ WIN7: All Windows 7 platforms
    ■ WIN7-ix64: Windows 7 x64 platforms
    ■ WIN7-ix86: Windows 7 x86 platforms
    ■ WINVISTA: All Windows Vista platforms
    ■ WINVISTA-ix64: Windows Vista x64 platforms
    ■ WINVISTA-ix86: Windows Vista x86 platforms
    ■ aix-rs6k
    ■ aix-ppc64
    ■ hpux-hppa
    ■ hpux-ia64
    ■ solaris-sparc
    ■ solaris-x86
    ■ redhat-x86
    ■ redhat-s390x
    ■ suse-s390x
    ■ redhat-ia64
    ■ suse-x86
    ■ suse-ia64
    ■ nt-ix86
    ■ suse-ppc64
    ■ redhat-ppc64
    ■ solaris-local-zone
■ Revision: Enter a revision number for the OS.

Field: DB2 Version
Description: Lets you specify the DB2 version of the target server that you want the check to report on.
Values/Options:
■ Exclude: Check to exclude a DB2 version.
■ Version: Enter the DB2 database version.
    ■ ALL: All releases (default if no release specified)
    ■ 9.0: Release 9.0.x
    ■ 9.5: Release 9.5.x
    ■ 9.5.3: Release 9.5.3.x
    ■ -9.5: Release 9.5.x and earlier
    ■ +10: Release 10.x and later

Field: Severity
Description: Lets you specify the severity level for the audit type that you select.
Values/Options:
■ Green: Select Green for an Information message.
■ Yellow: Select Yellow for a Warning message.
■ Red: Select Red for an Error message.

Note: Enter the short name of the parameter, if available, as long names for these parameters are considered invalid.
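The DB2 Version values listed above mix prefix matching (9.5 means 9.5.x) with signed ranges (-9.5, +10). The following sketch shows one way to evaluate them; it is an added example, not Symantec ESM code, and the function names and the rule that a matching Exclude row overrides the other rows are assumptions.

```python
import re


def parse_version(text):
    """Split a dotted DB2 version such as '9.5.3.1' into a tuple of ints."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def selector_matches(selector, installed):
    """Return True if one Version value from the template covers `installed`.

    ALL (or empty) -> every release
    9.5            -> release 9.5.x
    -9.5           -> release 9.5.x and earlier
    +10            -> release 10.x and later
    """
    selector = selector.strip()
    if selector == "" or selector.upper() == "ALL":
        return True
    sign = selector[0] if selector[0] in "+-" else ""
    wanted = parse_version(selector[len(sign):])
    # Compare only as many components as the selector names, so that
    # '9.5' covers 9.5.3.1 but not 9.50.1 (a string prefix test would
    # wrongly accept the latter).
    have = parse_version(installed)[:len(wanted)]
    have = have + (0,) * (len(wanted) - len(have))
    if sign == "-":
        return have <= wanted
    if sign == "+":
        return have >= wanted
    return have == wanted


def check_applies(rows, installed):
    """Decide whether a template entry applies to an installed release.

    `rows` is a list of (exclude, selector) pairs standing in for the
    DB2 Version sublist. Assumptions of this sketch: a matching Exclude
    row always wins, and with no non-excluded rows the default is ALL.
    """
    includes = [sel for exclude, sel in rows if not exclude]
    excludes = [sel for exclude, sel in rows if exclude]
    if any(selector_matches(sel, installed) for sel in excludes):
        return False
    if not includes:
        return True
    return any(selector_matches(sel, installed) for sel in includes)


if __name__ == "__main__":
    # Constructed sublist: everything up to 9.5.x except the 9.5.3.x line.
    sublist = [(False, "-9.5"), (True, "9.5.3")]
    for release in ("9.1.0.0", "9.5.2.0", "9.5.3.2", "9.7.0.4", "10.1.0.0"):
        print(release, check_applies(sublist, release))
```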

About the DB2 Database Config Params template

The Database Configuration check of the DB2 Configuration module uses the DB2 Database Config Params template. By using this template, the check lets you report the database configuration parameters selected in the template for configured instances of the database.

This template provides sublists that let you do the following:

■ Specify the conditional database configuration parameters.
■ Specify OS specific database configuration parameters.
■ Specify DB2 version specific database configuration parameters.

Creating the DB2 Database Config Params template

To run the Database Configuration check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.
■ Edit the default template.
■ Create a new template.

To create a DB2 Database Config Params template

1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select DB2 Database Config Params - all.
3 In the Template file name (no extension) text box, type the new template file name.
4 After Symantec ESM adds the .dbc extension to the template file name, click OK.

About using the DB2 Database Config Param template

The DB2 Database Config Params template contains the following fields:

Table 3-5 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific DB2 database configuration parameter.
Values/Options: Check the Enabled check box to enable a DB2 database configuration parameter.

Field: Description
Description: Lets you specify the description of the DB2 database configuration parameter.
Values/Options: NA

Field: Configuration Parameter
Description: Lets you specify the DB2 database configuration parameter.
Values/Options: Enter a DB2 database configuration parameter.

Field: Recommended Value
Description: Lets you specify the recommended value for the DB2 database configuration parameter.
Values/Options: Enter a recommended value for the DB2 database configuration parameter.

Field: Conditional Parameters
Description: Lets you display the Template Sublist Editor to specify the conditional parameters.
Values/Options:
■ Description: Enter a description for the conditional parameter.
■ Conditional Parameter: Enter a conditional parameter.
■ Recommended Value: Enter a recommended value.

Field: OS/Rev
Description: Lets you display the Template Sublist Editor to specify the OS and the revision.
Values/Options:
■ Exclude: Check the Exclude check box to exclude an OS and revision.
■ OS
    ■ ALL: All platforms
    ■ UNIX: All UNIX platforms
    ■ NT: All NT platforms
    ■ WIN2K: All Windows 2000 platforms
    ■ WINXP: All Windows XP platforms
    ■ WIN2K3: All Windows 2003 platforms
    ■ WIN2K3-ix64: Windows 2003 x64 platforms
    ■ WIN2K3-ix86: Windows 2003 x86 platforms
    ■ WIN2K3-ia64: Windows 2003 ia64 platforms
    ■ WIN2K8: All Windows 2008 platforms
    ■ WIN2K8-ix64: Windows 2008 x64 platforms
    ■ WIN2K8-ix86: Windows 2008 x86 platforms
    ■ WIN2K8-ia64: Windows 2008 ia64 platforms
    ■ WIN7: All Windows 7 platforms
    ■ WIN7-ix64: Windows 7 x64 platforms
    ■ WIN7-ix86: Windows 7 x86 platforms
    ■ WINVISTA: All Windows Vista platforms
    ■ WINVISTA-ix64: Windows Vista x64 platforms
    ■ WINVISTA-ix86: Windows Vista x86 platforms
    ■ aix-rs6k
    ■ aix-ppc64
    ■ hpux-hppa
    ■ hpux-ia64
    ■ solaris-sparc
    ■ solaris-x86
    ■ redhat-x86
    ■ redhat-s390x
    ■ suse-s390x
    ■ redhat-ia64
    ■ suse-x86
    ■ suse-ia64
    ■ nt-ix86
    ■ suse-ppc64
    ■ redhat-ppc64
    ■ solaris-local-zone
■ Revision: Enter a revision number for the OS.

Field: DB2 Version
Description: Lets you specify the DB2 version of the target server that you want the check to report on.
Values/Options:
■ Exclude: Check to exclude a DB2 version.
■ Version: Enter a DB2 database version.
    ■ ALL: All releases (default if no release specified)
    ■ 9.0: Release 9.0.x
    ■ 9.5: Release 9.5.x
    ■ 9.5.3: Release 9.5.3.x
    ■ -9.5: Release 9.5.x and earlier
    ■ +10: Release 10.x and later

Field: Severity
Description: Lets you specify the severity level for the audit type that you select.
Values/Options:
■ Green: Select Green for an Information message.
■ Yellow: Select Yellow for a Warning message.
■ Red: Select Red for an Error message.

Note: Enter the short name of the parameter, if available, as long names for these parameters are considered invalid.

About the DB2 View Privileges template

The View Privileges check of the DB2 Privileges module uses the DB2 View Privileges template. This template takes the recommended information of DB2 view privileges. By using this template, the check reports if access to the views does not match the required privileges mentioned in the template.

This template provides sublists that let you do the following:

■ Exclude grantees.
■ Exclude grantor.
■ Specify the DB2 database version.
■ Specify the grantee privilege recommended information.

Note: Make sure that the DB2 user used to configure the IBM DB2 database on the ESM agent computer has select privileges on the views SYSCAT.TABAUTH and SYSCAT.SCHEMATA.

Creating the DB2 View Privileges template

To run the View Privileges check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.
■ Edit the default template.
■ Create a new template.

To create a DB2 View Privileges template

1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select DB2 View Privileges - all.
3 In the Template file name (no extension) text box, type the new template file name.
4 After Symantec ESM adds the .vpr extension to the template file name, click OK.

About using the DB2 View Privileges template

The DB2 View Privileges template contains the following fields:

Table 3-6 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific view privilege.
Values/Options: Check the Enabled check box to enable a view privilege.

Field: Database
Description: Lets you specify the name of the database for the check to report on.
Values/Options: Enter the name of the database.

Field: Schema
Description: Lets you specify the name of the schema.
Values/Options: Enter the name of the schema.

Field: View
Description: Lets you specify the name of the view.
Values/Options: Enter the name of the view.

Field: Grantee Exclude
Description: Lets you display a Template Sublist Editor to specify the grantee that you want to exclude from the output.
Values/Options:
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as Any, User, Group, or Role.

Field: Grantee Privileges
Description: Lets you display a Template Sublist Editor to enter the grantee privilege recommended information.
Values/Options:
■ Restrict: Check the Restrict check box to restrict the grantee privilege.
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as Any, User, Group, or Role.
■ Privilege: Select the privilege as ANY, SELECT, UPDATE, DELETE, INSERT, CONTROL, or ALL.
■ Grant Option: Select the grant options as Any, With Grant, or Without Grant.

Field: Grantor Exclude
Description: Lets you display a Template Sublist Editor to specify the grantor that you want to exclude from the output.
Values/Options: Enter the name of the grantor.

Field: With Schema Owner
Description: Lets you include or exclude the grantees who are the owners of the view's schema.
Values/Options: Check the With Schema Owner check box to include the grantees who are the owners of the view's schema.

Field: With View Owner
Description: Lets you include or exclude the view owner in the output.
Values/Options: Check the With View Owner check box to include a view owner in the output.

Field: DB2 Version
Description: Lets you display a Template Sublist Editor to specify the DB2 version of the target server that you want the check to report on.
Values/Options:
■ Exclude: Check to exclude a version of the DB2 database.
■ DB2 Version: Enter the DB2 database version.
    ■ ALL: All releases (default if no release specified)
    ■ 9.0: Release 9.0.x
    ■ 9.5: Release 9.5.x
    ■ 9.5.3: Release 9.5.3.x
    ■ -9.5: Release 9.5.x and earlier
    ■ +10: Release 10.x and later

Field: Severity
Description: Lets you specify the severity level for the view privilege that you select.
Values/Options:
■ Green: Select Green for an Information message.
■ Yellow: Select Yellow for a Warning message.
■ Red: Select Red for an Error message.

Field: Comment
Description: Lets you enter any additional comments.
Values/Options: NA

Note: You can use the wildcard character '*' while specifying the database under the Database field, schema under the Schema field, view under the View field, and the grantee under the Grantee Privileges sublist. Wildcard support is available only for the restricted grantee privileges.

About the DB2 Tablespace Privileges template

The Tablespace Privileges check of the DB2 Privileges module uses the DB2 Tablespace Privileges template. This template takes the recommended information of DB2 tablespace privileges. By using this template, the check reports if access to the tablespace does not match the required privileges mentioned in the template.

This template provides sublists that let you do the following:

■ Exclude grantees.
■ Exclude grantor.
■ Specify the DB2 database version.
■ Specify the grantee privilege recommended information.

Note: Make sure that the DB2 user used to configure the IBM DB2 database on the ESM agent computer has select privileges on the view SYSCAT.TBSPACEAUTH.

Creating the DB2 Tablespace Privileges template

To run the Tablespace Privileges check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.
■ Edit the default template.
■ Create a new template.

To create a DB2 Tablespace Privileges template

1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select DB2 Tablespace Privileges - all.
3 In the Template file name (no extension) text box, type the new template file name.
4 After Symantec ESM adds the .tpr extension to the template file name, click OK.

About using the DB2 Tablespace Privileges template

The DB2 Tablespace Privileges template contains the following fields:

Table 3-7 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific tablespace privilege.
Values/Options: Check the Enabled check box to enable a tablespace privilege.

Field: Database
Description: Lets you specify the name of the database for the check to report on.
Values/Options: Enter the name of the database.

Field: Tablespace
Description: Lets you specify the name of the tablespace.
Values/Options: Enter the name of the tablespace.

Field: Grantee Exclude
Description: Lets you display a Template Sublist Editor to specify the grantee that you want to exclude from the output.
Values/Options:
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as Any, User, Group, or Role.

Field: Grantee Privileges
Description: Lets you display a Template Sublist Editor to enter the grantee privilege recommended information.
Values/Options:
■ Restrict: Check the Restrict check box to restrict the grantee privilege.
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Enter the grantee type as User or Group or Role.
■ Privilege: Select the privilege as USE.
■ Grant Option: Select the grant options as Any, With Grant, or Without Grant.

Field: Grantor Exclude
Description: Lets you display a Template Sublist Editor to specify the grantor that you want to exclude from the output.
Values/Options: Enter the name of the grantor.

Field: With Tablespace Owner
Description: Lets you include or exclude the tablespace owner in the output.
Values/Options: Check the With Tablespace Owner check box to include the tablespace owner in the output.

Field: DB2 Version
Description: Lets you display a Template Sublist Editor to specify the DB2 version of the target server that you want the check to report on.
Values/Options:
■ Exclude: Check to exclude a version of the DB2 database.
■ DB2 Version: Enter the DB2 database version.
    ■ ALL: All releases (default if no release specified)
    ■ 9.0: Release 9.0.x
    ■ 9.5: Release 9.5.x
    ■ 9.5.3: Release 9.5.3.x
    ■ -9.5: Release 9.5.x and earlier
    ■ +10: Release 10.x and later

Field: Severity
Description: Lets you specify the severity level for the tablespace privilege that you select.
Values/Options:
■ Green: Select Green for an Information message.
■ Yellow: Select Yellow for a Warning message.
■ Red: Select Red for an Error message.

Field: Comment
Description: Lets you enter any additional comments.
Values/Options: NA

Note: You can use the wildcard character '*' while specifying the database under the Database field, tablespace under the Tablespace field, and the grantee under the Grantee Privileges sublist. Wildcard support is available only for the restricted grantee privileges.

About the DB2 Table Privileges template

The Table Privileges check of the DB2 Privileges module uses the DB2 Table Privileges template. This template takes the recommended information of DB2 table privileges. By using this template, the check reports if access to the table does not match the required privileges mentioned in the template.

This template provides sublists that let you do the following:

■ Exclude grantees.
■ Exclude grantor.
■ Specify the DB2 database version.
■ Specify the grantee privilege recommended information.

Note: Make sure that the DB2 user used to configure the IBM DB2 database on the ESM agent computer has select privileges on the views SYSCAT.TABAUTH and SYSCAT.SCHEMATA.

Creating the DB2 Table Privileges template

To run the Table Privileges check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.
■ Edit the default template.
■ Create a new template.

To create a DB2 Table Privileges template

1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select DB2 Table Privileges - all.
3 In the Template file name (no extension) text box, type the new template file name.
4 After Symantec ESM adds the .tbl extension to the template file name, click OK.

About using the DB2 Table Privileges template

The DB2 Table Privileges template contains the following fields:

Table 3-8 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific table privilege.
Values/Options: Check the Enabled check box to enable a table privilege.

Field: Database
Description: Lets you specify the name of the database for the check to report on.
Values/Options: Enter the name of the database.

Field: Schema
Description: Lets you specify the name of the schema.
Values/Options: Enter the name of the schema.

Field: Table
Description: Lets you specify the name of the table.
Values/Options: Enter the name of the table.

Field: Grantee Exclude
Description: Lets you display a Template Sublist Editor to specify the grantee that you want to exclude from the output.
Values/Options:
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as Any, User, Group, or Role.

Field: Grantee Privileges
Description: Lets you display a Template Sublist Editor to enter the grantee privilege recommended information.
Values/Options:
■ Restrict: Check the Restrict check box to restrict the grantee privilege.
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as User, Group, or Role.
■ Privilege: Select the privilege as All, SELECT, UPDATE, DELETE, INSERT, CONTROL, ALTER, INDEX, REFERENCES, ANY.
■ Grant Option: Select the grant option as Without Grant, With Grant, or Any.

Field: Grantor Exclude
Description: Lets you display a Template Sublist Editor to specify the grantor that you want to exclude from the output.
Values/Options: Enter the name of the grantor.

Field: With Schema Owner
Description: Lets you include or exclude the grantees who are the owners of the table's schema in the output.
Values/Options: Check the With Schema Owner check box to include the grantees who are the owners of the table's schema.

Field: With Table Owner
Description: Lets you include or exclude the table owner in the output.
Values/Options: Check the With Table Owner check box to include the table owner in the output.

Field: DB2 Version
Description: Lets you display a Template Sublist Editor to specify the DB2 version of the target server that you want the check to report on.
Values/Options:
■ Exclude: Check to exclude a version of the DB2 database.
■ DB2 Version: Enter the DB2 database version.
    ■ ALL: All releases (default if no release specified)
    ■ 9.0: Release 9.0.x
    ■ 9.5: Release 9.5.x
    ■ 9.5.3: Release 9.5.3.x
    ■ -9.5: Release 9.5.x and earlier
    ■ +10: Release 10.x and later

Field: Severity
Description: Lets you specify the severity level for the table privilege that you select.
Values/Options:
■ Green: Select Green for an Information message.
■ Yellow: Select Yellow for a Warning message.
■ Red: Select Red for an Error message.

Field: Comment
Description: Lets you enter any additional comments.
Values/Options: NA

Note: You can use the wildcard character '*' while specifying the database under the Database field, schema under the Schema field, table under the Table field, and the grantee under the Grantee Privileges sublist. Wildcard support is available only for the restricted grantee privileges.
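The View Privileges and Table Privileges templates both describe grants that DB2 records in SYSCAT.TABAUTH, and this added example (not Symantec ESM code) evaluates constructed catalog rows against a template-like structure. The guide does not state how restricted and unrestricted entries combine, so the sketch assumes that a Restrict entry names a grant that should not exist and an unrestricted entry names an accepted one; every function and dictionary name here is hypothetical.

```python
import re

# SYSCAT.TABAUTH column that carries each table or view privilege.
PRIV_COLUMNS = {
    "SELECT": "SELECTAUTH", "UPDATE": "UPDATEAUTH", "DELETE": "DELETEAUTH",
    "INSERT": "INSERTAUTH", "CONTROL": "CONTROLAUTH", "ALTER": "ALTERAUTH",
    "INDEX": "INDEXAUTH", "REFERENCES": "REFAUTH",
}
GRANTEE_TYPES = {"U": "User", "G": "Group", "R": "Role"}


def wild(pattern, value):
    """Match a template value in which '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def held_privileges(row):
    """Yield (privilege, grant option) pairs from one catalog row.

    Catalog flags: 'Y' = held, 'G' = held and grantable, 'N' = not held.
    """
    for privilege, column in PRIV_COLUMNS.items():
        flag = row.get(column, "N")
        if flag in ("Y", "G"):
            yield privilege, ("With Grant" if flag == "G" else "Without Grant")


def entry_covers(entry, row, privilege, option):
    """True if one Grantee Privileges entry describes this grant."""
    if entry["restrict"]:
        # The guide allows '*' only in restricted entries.
        name_ok = wild(entry["grantee"], row["GRANTEE"])
    else:
        name_ok = entry["grantee"] == row["GRANTEE"]
    return (name_ok
            and entry["grantee_type"] in ("Any", GRANTEE_TYPES[row["GRANTEETYPE"]])
            and entry["privilege"] in ("ANY", privilege)
            and entry["grant_option"] in ("Any", option))


def audit(template, rows):
    """Return (grantee, privilege, grant option, object) per unexpected grant.

    Assumption: a grant is reported when a Restrict entry covers it and
    no unrestricted entry accepts it. Grantee Type in Grantee Exclude is
    not modelled; exclusion is by name only.
    """
    findings = []
    for row in rows:
        if not (wild(template["schema"], row["TABSCHEMA"])
                and wild(template["table"], row["TABNAME"])):
            continue
        if row["GRANTEE"] in template["grantee_exclude"]:
            continue
        if row["GRANTOR"] in template["grantor_exclude"]:
            continue
        for privilege, option in held_privileges(row):
            hits = [e for e in template["grantee_privileges"]
                    if entry_covers(e, row, privilege, option)]
            restricted = any(e["restrict"] for e in hits)
            accepted = any(not e["restrict"] for e in hits)
            if restricted and not accepted:
                findings.append((row["GRANTEE"], privilege, option,
                                 row["TABSCHEMA"] + "." + row["TABNAME"]))
    return findings


# Constructed template: nobody should hold anything on HR.* except
# APPUSER, who may hold SELECT without the grant option.
TEMPLATE = {
    "schema": "HR", "table": "*",
    "grantee_exclude": {"DBADMIN"}, "grantor_exclude": set(),
    "grantee_privileges": [
        {"restrict": True, "grantee": "*", "grantee_type": "Any",
         "privilege": "ANY", "grant_option": "Any"},
        {"restrict": False, "grantee": "APPUSER", "grantee_type": "User",
         "privilege": "SELECT", "grant_option": "Without Grant"},
    ],
}

# Constructed rows shaped like SYSCAT.TABAUTH (absent columns mean 'N').
SAMPLE_ROWS = [
    {"GRANTOR": "DB2INST1", "GRANTEE": "PUBLIC", "GRANTEETYPE": "G",
     "TABSCHEMA": "HR", "TABNAME": "PAYROLL", "SELECTAUTH": "Y"},
    {"GRANTOR": "DB2INST1", "GRANTEE": "APPUSER", "GRANTEETYPE": "U",
     "TABSCHEMA": "HR", "TABNAME": "PAYROLL", "SELECTAUTH": "Y", "UPDATEAUTH": "G"},
    {"GRANTOR": "DB2INST1", "GRANTEE": "DBADMIN", "GRANTEETYPE": "U",
     "TABSCHEMA": "HR", "TABNAME": "PAYROLL", "CONTROLAUTH": "Y"},
    {"GRANTOR": "DB2INST1", "GRANTEE": "REPORTS", "GRANTEETYPE": "R",
     "TABSCHEMA": "SALES", "TABNAME": "ORDERS", "SELECTAUTH": "Y"},
]

if __name__ == "__main__":
    for finding in audit(TEMPLATE, SAMPLE_ROWS):
        print(finding)
```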

About the DB2 Role Members template

The Role Members check of the DB2 Privileges module uses the DB2 Role Members template. This template takes the information of DB2 role members. By using this template, the check reports the members of the DB2 role specified in the template.

This template provides sublists that let you do the following:

■ Exclude grantees.
■ Specify the role members information.

Creating the DB2 Role Members template

To run the Role Members check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.
■ Edit the default template.
■ Create a new template.

To create a DB2 Role Members template

1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select DB2 Role Members - all.
3 In the Template file name (no extension) text box, type the new template file name.
4 After Symantec ESM adds the .drm extension to the template file name, click OK.

About using the DB2 Role Members template

The DB2 Role Members template contains the following fields:

Table 3-9 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific role.
Values/Options: Check the Enabled check box to enable a role.

Field: Database
Description: Lets you specify the name of the database for the check to report on.
Values/Options: Enter the name of the database.

Field: Role
Description: Lets you specify the name of the role.
Values/Options: Enter the name of the role.

Field: Grantee Exclude
Description: Lets you display a Template Sublist Editor to specify the grantee that you want to exclude from the output.
Values/Options:
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as All, User, Group, or Role.

Field: Role Members
Description: Lets you display a Template Sublist Editor to specify the role members information.
Values/Options:
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as User, Group, or Role.
■ Admin Option: Select the admin option as Any, With Admin, or Without Admin.

Field: Severity
Description: Lets you specify the severity level for the role that you select.
Values/Options:
■ Green: Select Green for an Information message.
■ Yellow: Select Yellow for a Warning message.
■ Red: Select Red for an Error message.

Field: Comment
Description: Lets you enter any additional comments.
Values/Options: NA

Note: You can use the wildcard character '*' while specifying the database under the Database field, role under the Role field, and the grantee under the Grantee Privileges sublist.

About the DB2 Routine Privileges template

The Routine Privileges check of the DB2 Privileges module uses the DB2 Routine Privileges template. This template outlines the privileges for DB2 routines such as functions, methods, and procedures. By using this template, the check reports if access to routines such as functions, methods, and procedures does not match the required privileges mentioned in the template.

Creating the DB2 Routine Privileges template

To run the Routine Privileges check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.
■ Edit the default template.
■ Create a new template.

To create a DB2 Routine Privileges template

1 In the tree view, right-click Templates, and then click New.
2 In the Create New Template dialog box, select DB2 Routine Privileges - all.
3 In the Template file name (no extension) text box, type the new template file name.
4 After Symantec ESM adds the .drp extension to the template file name, click OK.

About using the DB2 Routine Privileges template

The DB2 Routine Privileges template contains the following fields:

Table 3-10 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific routine privilege.
Values/Options: Check the Enabled check box to enable a routine privilege.

Field: Database
Description: Lets you specify the name of the database for the check to report on.
Values/Options: Enter the name of the database.

Field: Schema
Description: Lets you specify the name of the schema.
Values/Options: Enter the name of the role.

Field: Routine
Description: Lets you specify the name of the routine.
Values/Options: Enter the name of the routine.

Field: Routine Type
Description: Lets you specify the routine type.
Values/Options: Select the routine type as Function, Method, or Procedure.

Field: Grantee Exclude
Description: Lets you display a Template Sublist Editor to specify the grantee that you want to exclude from the output.
Values/Options:
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as Any, User, Group, or Role.

Field: Grantee Privileges
Description: Lets you display a Template Sublist Editor to enter the grantee privilege recommended information.
Values/Options:
■ Restrict: Check the Restrict check box to restrict the grantee privilege.
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as Any, User, Group, or Role.
■ Privilege: Select the privilege as EXECUTE.
■ Grant Option: Select the grant option as Without Grant, With Grant, or Any.

Field: Grantor Exclude
Description: Lets you display a Template Sublist Editor to specify the grantor that you want to exclude from the output.
Values/Options: Enter the name of the grantor.

Field: With Schema Owner
Description: Lets you include or exclude the grantees who are the owners of the table's schema in the output.
Values/Options: Check the With Schema Owner check box to include the grantees who are the owners of the table's schema.

Field: With Routine Owner
Description: Lets you include or exclude the routine owner in the output.
Values/Options: Check the With Routine Owner check box to include the routine owner in the output.

Field: Fenced
Description: Lets you filter the results according to the fenced settings.
Values/Options: Select Yes, No, or Any.

Field: DB2 Version
Description: Lets you display a Template Sublist Editor to specify the DB2 version of the target server that you want the check to report on.
Values/Options:
■ Exclude: Check to exclude a version of the DB2 database.
■ DB2 Version: Enter the DB2 database version.
    ■ ALL: All releases (default if no release specified)
    ■ 9.0: Release 9.0.x
    ■ 9.5: Release 9.5.x
    ■ 9.5.3: Release 9.5.3.x
    ■ -9.5: Release 9.5.x and earlier
    ■ +10: Release 10.x and later

Field: Severity
Description: Lets you specify the severity level for the role that you select.
Values/Options:
■ Green: Select Green for an Information message.
■ Yellow: Select Yellow for a Warning message.
■ Red: Select Red for an Error message.

Field: Comment
Description: Lets you enter any additional comments.
Values/Options: NA

Note: You can use the wildcard character '*' while specifying the database under the Database field, schema under the Schema field, routine under the Routine field, and the grantee under the Grantee Privileges sublist. Wildcard support is available only for the restricted grantee privileges.


About the DB2 Nickname Privileges template

The Nickname Privileges check of the DB2 Privileges module uses the DB2 Nickname Privileges template. This template outlines the DB2 nickname privileges. By using this template, the check reports if access to the nickname does not match the required privileges mentioned in the template.

Creating the DB2 Nickname Privileges template

To run the Nickname Privileges check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.

■ Edit the default template.

■ Create a new template.

To create a DB2 Nickname Privileges template

1 In the tree view, right-click Templates, and then click New.

2 In the Create New Template dialog box, select DB2 Nickname Privileges - all.

3 In the Template file name (no extension) text box, type the new template file name.

4 After Symantec ESM adds the .dnp extension to the template file name, click OK.

About using the DB2 Nickname Privileges template

The DB2 Nickname Privileges template contains the following fields:

Table 3-11 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific nickname privilege.
Values/Options: Check the Enabled check box to enable a nickname privilege.

Field: Database
Description: Lets you specify the name of the database for the check to report on.
Values/Options: Enter the name of the database.

Field: Schema
Description: Lets you specify the name of the schema.
Values/Options: Enter the name of the schema.

Field: Nickname
Description: Lets you specify the DB2 nickname.
Values/Options: Enter the DB2 nickname.

Field: Grantee Exclude
Description: Lets you display a Template Sublist Editor to specify the grantee that you want to exclude from the output.
Values/Options:
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as Any, User, Group, or Role.

Field: Grantee Privileges
Description: Lets you display a Template Sublist Editor to enter the grantee privilege recommended information.
Values/Options:
■ Restrict: Check the Restrict check box to restrict the grantee privilege.
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as User, Group, or Role.
■ Privilege: Select the privilege as All, SELECT, UPDATE, DELETE, INSERT, CONTROL, ALTER, INDEX, REFERENCES, ANY.
■ Grant Option: Select the grant option as Without Grant, With Grant, or Any.

Field: Grantor Exclude
Description: Lets you display a Template Sublist Editor to specify the grantor that you want to exclude from the output.
Values/Options: Enter the name of the grantor.

Field: With Schema Owner
Description: Lets you include or exclude the grantees who are the owners of the table's schema in the output.
Values/Options: Check the With Schema Owner check box to include the grantees who are the owners of the table's schema.

Field: With Nickname Owner
Description: Lets you include or exclude the nickname owner in the output.
Values/Options: Check the With Nickname Owner check box to include the nickname owner in the output.

Field: DB2 Version
Description: Lets you display a Template Sublist Editor to specify the DB2 version of the target server that you want the check to report on.
Values/Options:
■ Exclude: Check to exclude a version of the DB2 database.
■ DB2 Version: Enter the DB2 database version.
    ■ ALL: All releases (default if no release specified)
    ■ 9.0: Release 9.0.x
    ■ 9.5: Release 9.5.x
    ■ 9.5.3: Release 9.5.3.x
    ■ -9.5: Release 9.5.x and earlier
    ■ +10: Release 10.x and later

Field: Severity
Description: Lets you specify the severity level for the table privilege that you select.
Values/Options:
■ Green: Select Green for an Information message.
■ Yellow: Select Yellow for a Warning message.
■ Red: Select Red for an Error message.

Field: Comment
Description: Lets you enter any additional comments.
Values/Options: NA

Note: You can use the wildcard character '*' while specifying the database under the Database field, schema under the Schema field, nickname under the Nickname field, and the grantee under the Grantee Privileges sublist. Wildcard support is available only for the restricted grantee privileges.

About the DB2 System Authority Groups template

The Unauthorized members in DB2 system groups check of the DB2 Configuration module uses the DB2 System Authority Groups template. This template outlines the acceptable DB2 system authority groups membership. By using this template, the check compares and reports the unauthorized users and groups that are members of the following DB2 system authority groups:

■ SYSADM_GROUP

■ SYSCTRL_GROUP

■ SYSMAINT_GROUP

■ SYSMON_GROUP

Creating the DB2 System Authority Groups template

To run the Unauthorized members in DB2 system groups check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.

■ Edit the default template.

■ Create a new template.

To create a DB2 System Authority Groups template

1 In the tree view, right-click Templates, and then click New.

2 In the Create New Template dialog box, select DB2 System Authority Groups - all.

3 In the Template file name (no extension) text box, type the new template file name.

4 After Symantec ESM adds the .ddp extension to the template file name, click OK.

About using the DB2 System Authority Groups template

The DB2 System Authority Groups template contains the following fields:

Table 3-12 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific DB2 system authority group.
Values/Options: Check the Enabled check box to enable a system authority group.

Field: DB2 Authority Groups
Description: Lets you select the DB2 system authority group for the check to report on.
Values/Options:
■ SYSADM_GROUP: System Administrator Group
■ SYSCTRL_GROUP: System Control Group
■ SYSMAINT_GROUP: System Maintenance Group
■ SYSMON_GROUP: System Monitor Group

Field: Prohibited
Description: Lets you report authorized or unauthorized members of the group.
Values/Options: Check the Prohibited check box if the unauthorized members are listed in the Members sublist. Uncheck the Prohibited check box if the authorized members are listed in the Members sublist.

Field: Members
Description: Lets you display a Template Sublist Editor to enter the member details.
Values/Options:
■ Member Name: Enter the name of the member. You can use the wildcard character '*' while specifying the database.
■ Member Type: Select the member type as User or Group.
    Note: The member type Group is not applicable in the case of UNIX operating systems. Only users are allowed to be members of the DB2 system authority groups.
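The Prohibited check box decides whether the Members sublist is read as a denylist or as an allowlist. The following is an added example, not Symantec ESM code, that evaluates group membership both ways; the row layout, the function names, and the sample data are assumptions made for illustration.

```python
import re

AUTHORITY_GROUPS = ("SYSADM_GROUP", "SYSCTRL_GROUP",
                    "SYSMAINT_GROUP", "SYSMON_GROUP")

def wildcard_match(pattern, name):
    """Match with '*' as the only wildcard, as the Member Name field allows."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def is_listed(member, entries):
    """True if (name, type) matches any entry of the Members sublist."""
    name, mtype = member
    return any(mtype == etype and wildcard_match(pattern, name)
               for pattern, etype in entries)

def unauthorized_members(template, actual):
    """Return (group, name, type) for each member the template does not permit."""
    findings = []
    for row in template:
        if not row["enabled"]:
            continue
        if row["group"] not in AUTHORITY_GROUPS:
            raise ValueError("unknown authority group: " + row["group"])
        for member in actual.get(row["group"], []):
            listed = is_listed(member, row["members"])
            # Prohibited checked: the sublist is a denylist, so a listed member
            # is a finding. Unchecked: it is an allowlist, so an unlisted one is.
            if listed == row["prohibited"]:
                findings.append((row["group"],) + tuple(member))
    return findings

def unix_template_warnings(template):
    """Entries of type Group, which the table says do not apply on UNIX."""
    return [(row["group"], pattern) for row in template
            for pattern, etype in row["members"] if etype == "Group"]

# Constructed template rows (hypothetical layout mirroring Table 3-12).
TEMPLATE = [
    {"enabled": True, "group": "SYSADM_GROUP", "prohibited": False,
     "members": [("db2inst1", "User"), ("dba_*", "User"), ("DBADMINS", "Group")]},
    {"enabled": True, "group": "SYSMON_GROUP", "prohibited": True,
     "members": [("guest", "User"), ("tmp*", "User")]},
    {"enabled": False, "group": "SYSCTRL_GROUP", "prohibited": False,
     "members": []},
]

# Constructed membership as it might be collected from the operating system.
ACTUAL = {
    "SYSADM_GROUP": [("db2inst1", "User"), ("dba_alice", "User"),
                     ("mallory", "User"), ("DBADMINS", "Group")],
    "SYSMON_GROUP": [("monitor", "User"), ("tmpsvc", "User")],
    "SYSCTRL_GROUP": [("anyone", "User")],
}

if __name__ == "__main__":
    for finding in unauthorized_members(TEMPLATE, ACTUAL):
        print("unauthorized:", finding)
    for warning in unix_template_warnings(TEMPLATE):
        print("not applicable on UNIX:", warning)
```

In an allowlist row a broad pattern such as `dba_*` authorizes every account that matches it, so wildcard entries deserve the same review as explicit names.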

About the DB2 Column Privileges template

The Column Privileges check of the DB2 Privileges module uses the DB2 Column Privileges template. This template outlines the DB2 column privileges. By using this template, the check reports if privileges granted to the grantees on the column do not match the required privileges mentioned in the template.

Creating the DB2 Column Privileges template

To run the Column Privileges check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.

■ Edit the default template.

■ Create a new template.

To create a DB2 Column Privileges template

1 In the tree view, right-click Templates, and then click New.

2 In the Create New Template dialog box, select DB2 Column Privileges - all.

3 In the Template file name (no extension) text box, type the new template file name.

4 After Symantec ESM adds the .dcl extension to the template file name, click OK.

About using the DB2 Column Privileges template

The DB2 Column Privileges template contains the following fields:

Table 3-13 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific column privilege.
Values/Options: Check the Enabled check box to enable a column privilege.

Field: Database
Description: Lets you specify the name of the database for the check to report on.
Values/Options: Enter the name of the database.

Field: Schema
Description: Lets you specify the name of the schema.
Values/Options: Enter the name of the schema.

Field: Table/View
Description: Lets you specify the name of the table or view.
Values/Options: Enter the name of the table or view.

Field: Column
Description: Lets you specify the name of the column.
Values/Options: Enter the name of the column.

Field: Grantee Exclude
Description: Lets you display a Template Sublist Editor to specify the grantee that you want to exclude from the output.
Values/Options:
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as Any, User, Group, or Role.

Field: Grantee Privileges
Description: Lets you display a Template Sublist Editor to enter the grantee privilege recommended information.
Values/Options:
■ Restrict: Check the Restrict check box to restrict the grantee privilege.
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as User, Group, or Role.
■ Privilege: Select the privilege as UPDATE, REFERENCES, or ANY.
■ Grant Option: Select the grant option as Without Grant, With Grant, or Any.

Field: Grantor Exclude
Description: Lets you display a Template Sublist Editor to specify the grantor that you want to exclude from the output.
Values/Options: Enter the name of the grantor.

Field: With Schema Owner
Description: Lets you include or exclude the grantees who are the owners of the table's schema in the output.
Values/Options: Check the With Schema Owner check box to include the grantees who are the owners of the table's schema.

Field: With Column Owner
Description: Lets you include or exclude the column owner in the output.
Values/Options: Check the With Column Owner check box to include the column owner in the output.

Field: DB2 Version
Description: Lets you display a Template Sublist Editor to specify the DB2 version of the target server that you want the check to report on.
Values/Options:
■ Exclude: Check to exclude a version of the DB2 database.
■ DB2 Version: Enter the DB2 database version.
    ■ ALL: All releases (default if no release specified)
    ■ 9.0: Release 9.0.x
    ■ 9.5: Release 9.5.x
    ■ 9.5.3: Release 9.5.3.x
    ■ -9.5: Release 9.5.x and earlier
    ■ +10: Release 10.x and later

Field: Severity
Description: Lets you specify the severity level for the table privilege that you select.
Values/Options:
■ Green: Select Green for an Information message.
■ Yellow: Select Yellow for a Warning message.
■ Red: Select Red for an Error message.

Field: Comment
Description: Lets you enter any additional comments.
Values/Options: NA

Note: You can use the wildcard character '*' while specifying the database under the Database column, schema under the Schema column, table or view under the Table/View column, column name under the Column column, and the grantee under the Grantee Privileges sublist. Wildcard support is available only for the restricted grantee privileges.


About the DB2 Schema Privileges template

The Schema Privileges check of the DB2 Privileges module uses the DB2 Schema Privileges template. This template outlines the DB2 schema privileges. By using this template, the check reports if privileges granted to the grantees on the schema do not match the required privileges mentioned in the template.

Creating the DB2 Schema Privileges template

To run the Schema Privileges check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.

■ Edit the default template.

■ Create a new template.

To create a DB2 Schema Privileges template

1 In the tree view, right-click Templates, and then click New.

2 In the Create New Template dialog box, select DB2 Schema Privileges - all.

3 In the Template file name (no extension) text box, type the new template file name.

4 After Symantec ESM adds the .dsc extension to the template file name, click OK.

About using the DB2 Schema Privileges template

The DB2 Schema Privileges template contains the following fields:

Table 3-14 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific schema privilege.
Values/Options: Check the Enabled check box to enable a schema privilege.

Field: Database
Description: Lets you specify the name of the database for the check to report on.
Values/Options: Enter the name of the database.

Field: Schema
Description: Lets you specify the name of the schema.
Values/Options: Enter the name of the schema.

Field: Grantee Exclude
Description: Lets you display a Template Sublist Editor to specify the grantee that you want to exclude from the output.
Values/Options:
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as Any, User, Group, or Role.

Field: Grantee Privileges
Description: Lets you display a Template Sublist Editor to enter the grantee privilege recommended information.
Values/Options:
■ Restrict: Check the Restrict check box to restrict the grantee privilege.
■ Grantee: Enter the name of the grantee.
■ Grantee Type: Select the grantee type as User, Group, or Role.
■ Privilege: Select the privilege as All, ALTER, CREATE, DROP, or ANY.
■ Grant Option: Select the grant option as Without Grant, With Grant, or Any.

Field: Grantor Exclude
Description: Lets you display a Template Sublist Editor to specify the grantor that you want to exclude from the output.
Values/Options: Enter the name of the grantor.

Field: With Schema Owner
Description: Lets you include or exclude the grantees who are the owners of the table's schema in the output.
Values/Options: Check the With Schema Owner check box to include the grantees who are the owners of the table's schema.

Field: DB2 Version
Description: Lets you display a Template Sublist Editor to specify the DB2 version of the target server that you want the check to report on.
Values/Options:
■ Exclude: Check to exclude a version of the DB2 database.
■ DB2 Version: Enter the DB2 database version.
    ■ ALL: All releases (default if no release specified)
    ■ 9.0: Release 9.0.x
    ■ 9.5: Release 9.5.x
    ■ 9.5.3: Release 9.5.3.x
    ■ -9.5: Release 9.5.x and earlier
    ■ +10: Release 10.x and later

Field: Severity
Description: Lets you specify the severity level for the table privilege that you select.
Values/Options:
■ Green: Select Green for an Information message.
■ Yellow: Select Yellow for a Warning message.
■ Red: Select Red for an Error message.

Field: Comment
Description: Lets you enter any additional comments.
Values/Options: NA

Note: You can use the wildcard character '*' while specifying the database under the Database field, schema under the Schema field, and the grantee under the Grantee Privileges sublist. Wildcard support is available only for the restricted grantee privileges.


About the DB2 Audit Settings template

The Audit Configuration Settings check of the DB2 Audit Configuration module uses the DB2 Audit Settings template. This template outlines the acceptable DB2 audit settings. By using this template, the check reports if the DB2 audit settings do not match the settings mentioned in the template.

Creating the DB2 Audit Settings template

To run the Audit Configuration Settings check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.

■ Edit the default template.

■ Create a new template.

To create a DB2 Audit Settings template

1 In the tree view, right-click Templates, and then click New.

2 In the Create New Template dialog box, select DB2 Audit Settings - all.

3 In the Template file name (no extension) text box, type the new template file name.

4 After Symantec ESM adds the .das extension to the template file name, click OK.

About using the DB2 Audit Settings template

The DB2 Audit Settings template contains the following fields:

Table 3-15 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific audit setting.
Values/Options: Check the Enabled check box to enable an audit setting.

Field: Audit Setting
Description: Lets you select the audit settings that you want to log.
Values/Options: Select any of the following events to log:
■ Audit Events
■ Checking Events
■ Object Maintenance Events
■ Security Maintenance Events
■ System Administrator Events
■ Validate Events
■ Context Events

Field: Expected Value
Description: Lets you select the expected value.
Values/Options:
■ Success
■ Failure
■ Both
■ Any: This option reports the values Success, Failure, or Both.
■ None

Field: DB2 Version
Description: Lets you display a Template Sublist Editor to specify the DB2 version of the target server that you want the check to report on.
Values/Options:
■ Exclude: Check to exclude a version of the DB2 database.
■ DB2 Version: Enter the DB2 database version.
    ■ ALL: All releases (default if no release specified)
    ■ 9.0: Release 9.0.x
    ■ 9.5: Release 9.5.x
    ■ 9.5.3: Release 9.5.3.x
    ■ -9.5: Release 9.5.x and earlier
    ■ +10: Release 10.x and later
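The DB2 Version entries that this and the preceding privilege tables list (ALL, 9.0, 9.5, 9.5.3, -9.5, +10) can be read as prefix and range matches on the server release. The following is an added example, not Symantec ESM code; the function names, the dotted numeric server version format, and the rule that an Exclude entry overrides an include entry are assumptions.

```python
import re

# Accepted entry forms, taken from the DB2 Version value list in the tables.
_SPEC = re.compile(r"^(ALL|[+-]?\d+(\.\d+)*)$", re.IGNORECASE)

def _parts(text):
    """Split a dotted release such as '9.5.3' into a tuple of integers."""
    return tuple(int(p) for p in text.split("."))

def spec_matches(spec, server_version):
    """True if one DB2 Version entry covers the given server release."""
    spec = spec.strip() or "ALL"          # ALL is the default if none is given
    if not _SPEC.match(spec):
        raise ValueError("unsupported DB2 Version entry: %r" % spec)
    if spec.upper() == "ALL":
        return True
    bound = _parts(spec.lstrip("+-"))
    server = _parts(server_version)
    # Compare only as many components as the entry names, so 9.5 covers 9.5.x
    # and 9.5.3 covers 9.5.3.x. Integer comparison keeps 9.10 above 9.9.
    head = (server + (0,) * len(bound))[:len(bound)]
    if spec[0] == "-":
        return head <= bound              # "-9.5": release 9.5.x and earlier
    if spec[0] == "+":
        return head >= bound              # "+10": release 10.x and later
    return head == bound

def in_scope(entries, server_version):
    """Evaluate a sublist of (exclude, spec) pairs for one server.

    Assumption: a matching Exclude entry always wins, and a sublist with no
    include entries behaves like ALL.
    """
    includes = [spec for exclude, spec in entries if not exclude]
    excludes = [spec for exclude, spec in entries if exclude]
    if any(spec_matches(spec, server_version) for spec in excludes):
        return False
    if not includes:
        return True
    return any(spec_matches(spec, server_version) for spec in includes)

if __name__ == "__main__":
    # Constructed sublist: report on 10.x and later, but skip 10.1.x servers.
    sublist = [(False, "+10"), (True, "10.1")]
    for version in ("9.7.0.4", "10.1.0.3", "10.5.0.8"):
        print(version, in_scope(sublist, version))
```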

About the DB2 Database File Permissions template

The Permissions check of the DB2 System module uses the DB2 Database File Permissions template. This template outlines the acceptable DB2 Database file permissions. By using this template, the check verifies the file permissions against the values that are specified in the template.

Creating the DB2 Database File Permissions template

To run the Permissions check, do one of the following:

■ Use the default template that is installed with the Symantec ESM modules for DB2.

■ Edit the default template.

■ Create a new template.

To create a DB2 Database File Permissions template

1 In the tree view, right-click Templates, and then click New.

2 In the Create New Template dialog box, select DB2 Database File Permissions template - all.

3 In the Template file name (no extension) text box, type the new template file name.

4 After Symantec ESM adds the .dfp extension to the template file name, click OK.

About using the DB2 Database File Permissions template

The DB2 Database File Permissions template contains the following fields:

Table 3-16 Field and Values/Options descriptions

Field: Enabled
Description: Lets you enable a specific audit setting.
Values/Options: Check the Enabled check box to enable an audit setting.

Field: Keyword
Description: Lets you select the keyword.
Values/Options: Select any of the following keywords:
■ TBSP_CONTAINER: DMS Tablespace File Container
■ TBSP_DIRECTORY: SMS Tablespace Directory
■ LOGPATH: Primary Log Path
■ MIRRORLOGPATH: Database Configuration Mirror Log Path
■ DB_STORAGE_PATH: Automatic Storage Path
■ DBPATH: Database Directory Path
■ LOCAL_DB_DIRECTORY: Local Database Directory Path

Field: User
Description: Lets you specify the name of the user.
Values/Options: Enter the name of the user.

Field: Group
Description: Lets you specify the name of the group.
Values/Options: Enter the name of the group.

Field: Permission
Description: Lets you specify the permissions.
Values/Options: Specify the permissions of the file in the following format:
rwx-rwx-rwx
ESM reports an error if the permissions on the file system are different than what is defined in the template. If you add a file to the template by clicking the Add File icon, this field auto-populates based on the existing file information.

Field: Depth
Description: Lets you specify the level till which ESM can traverse a folder.
Values/Options: Select any of the following values:
■ All: Traverse all levels
■ 0: Current level only
■ 1: Traverse 1 level deep
■ 2: Traverse 2 levels deep
■ 3: Traverse 3 levels deep
■ 4: Traverse 4 levels deep
■ 5: Traverse 5 levels deep
■ 6: Traverse 6 levels deep
■ 7: Traverse 7 levels deep
■ 8: Traverse 8 levels deep
■ 9: Traverse 9 levels deep

Note: The User and Group columns support the keywords %DB2_USER% and %DB2_GROUP%, respectively. The keywords are expanded to the DB2 instance owner user and the DB2 instance group of the DB2 instance configured in the DB2Module.dat file.
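The User, Group, Permission, and Depth fields together describe a bounded walk that compares each path's owner and mode with one template row. The following is an added example for UNIX hosts, not Symantec ESM code; the row layout, the function names, the reading of the rwx-rwx-rwx format as three triads joined by '-', and the reading of Depth are assumptions.

```python
import grp
import os
import pwd
import stat
import tempfile

def triads(mode):
    """Render permission bits in the template's rwx-rwx-rwx layout (assumed:
    owner-group-other triads joined by '-', unset bits shown as '-')."""
    return "-".join(
        "".join(c if (mode >> shift) & bit else "-"
                for c, bit in (("r", 4), ("w", 2), ("x", 1)))
        for shift in (6, 3, 0))

def owner_names(st):
    """Resolve uid and gid to names, falling back to the number if unmapped."""
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        user = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return user, group

def iter_paths(root, depth):
    """Yield root and the entries below it. Assumed reading of Depth: 0 stops
    at root's direct entries, N descends N levels, 'All' is unlimited."""
    limit = None if str(depth).lower() == "all" else int(depth)
    yield root
    pending = [(root, 0)] if os.path.isdir(root) else []
    while pending:
        directory, level = pending.pop()
        with os.scandir(directory) as entries:
            for entry in sorted(entries, key=lambda e: e.name):
                yield entry.path
                descend = limit is None or level < limit
                if descend and entry.is_dir(follow_symlinks=False):
                    pending.append((entry.path, level + 1))

def check_row(row, root, instance_owner, instance_group):
    """Compare every traversed path with one template row; return findings."""
    want_user = row["user"].replace("%DB2_USER%", instance_owner)
    want_group = row["group"].replace("%DB2_GROUP%", instance_group)
    findings = []
    for path in iter_paths(root, row["depth"]):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # link modes carry no meaning and targets are not followed
        user, group = owner_names(st)
        problems = []
        if triads(st.st_mode) != row["permission"]:
            problems.append("permission " + triads(st.st_mode))
        if user != want_user:
            problems.append("user " + user)
        if group != want_group:
            problems.append("group " + group)
        if problems:
            findings.append((os.path.relpath(path, root), problems))
    return findings

def build_demo_tree():
    """Constructed sample: a log directory with one world-writable file."""
    root = tempfile.mkdtemp(prefix="db2logpath_")
    os.mkdir(os.path.join(root, "archive"))
    for rel in ("S0000001.LOG", os.path.join("archive", "S0000000.LOG")):
        open(os.path.join(root, rel), "w").close()
    for rel in (".", "archive", "S0000001.LOG"):
        os.chmod(os.path.join(root, rel), 0o750)
    os.chmod(os.path.join(root, "archive", "S0000000.LOG"), 0o777)
    owner, group = owner_names(os.lstat(root))
    return root, owner, group

if __name__ == "__main__":
    root, owner, group = build_demo_tree()
    row = {"keyword": "LOGPATH", "user": "%DB2_USER%", "group": "%DB2_GROUP%",
           "permission": "rwx-r-x----", "depth": "All"}
    for rel, problems in check_row(row, root, owner, group):
        print(rel, problems)
```

With Depth set to 0 the world-writable file under archive is never visited, so a shallow depth can hide a finding that All would report.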


Chapter 4

Troubleshooting DB2 Modules on Windows

This chapter includes the following topics:

■ Encryption exception

■ ESM DB2 Remote module errors

Encryption exception

An error may display when you run a policy asking you to reconfigure the module.

Table 4-1 lists the error message that is displayed and the solution for the error.

Table 4-1 Encryption exception

Error: Encryption error
Solution: This error may occur if you have set SSLConfigure =0 after configuring the ESM DB2 module. Or, if you have renamed or deleted the AESConfigure.dat file.
To solve this problem, you need to reconfigure the ESM DB2 module.
If you want to generate logs for encryption, add Debugon=1 in the AESConfigure.dat file from esm\config folder. This generates DB2AESDebuglog.log in the \esm\system\<platform> folder.

ESM DB2 Remote module errors

You may encounter errors while running policies that may cause the user account to get locked or the connection to the DB2 database to fail.

Table 4-2 lists the errors pertaining to ESM DB2 Remote module and their solutions.

Table 4-2 ESM DB2 Remote module errors

Error: User account gets locked after running a Policy run on DB2 Remote module on Windows
Solution: This happens because for every check, the ESM DB2 module connects to the database and the user account gets locked based on the Windows Password policy.
To solve this problem, make sure the credentials supplied for each database are correct.

Error: Connection to the DB2 database by using the node name may fail
Solution: This happens when the local DB2 instance is registered to a different control center and uses a different node name on the same computer. Likewise, the install path detection may also fail.
To solve this problem, use the instance name to configure the databases.


Chapter 5

Troubleshooting DB2 Modules on UNIX

This chapter includes the following topics:

■ Encryption exception

■ ESM DB2 Audit Configuration errors

■ ESM DB2 Remote module errors

Encryption exception

An error may display when you run a policy asking you to reconfigure the module.

Table 5-1 lists the error message pertaining to all ESM DB2 modules and the solution for the error.

Table 5-1 Encryption exception

Error: Encryption error
Solution: This error may occur if you have set SSLConfigure =0 after configuring the ESM DB2 module. Or, if you have renamed or deleted the AESConfigure.dat file.
To solve this problem, you need to reconfigure the ESM DB2 module.
If you want to generate logs for encryption, add Debugon=1 in the AESConfigure.dat file from esm\config folder. This generates DB2AESDebuglog.log in the esm/system/<platform> folder.

ESM DB2 Audit Configuration errors

You may encounter errors while running policies that may cause the module to report incorrect results for the IBM DB2 database instance configuration settings.

Table 5-2 lists the error pertaining to ESM DB2 Audit Configuration module and the solution.

Table 5-2 ESM DB2 Audit Configuration module errors

Error: Module reports audit settings as disabled
Solution: This behavior is observed while you configure the DB2 Audit configuration module by using the db2setup utility. If you use a user name other than the user name that exists on the ESM agent computers, then during the policy run the module reports audit settings as disabled for the IBM DB2 database instance configuration.
To solve this problem, you need to ensure that you use a valid user for configuration.

ESM DB2 Remote module errors

You may encounter errors while running policies that may cause the policy to terminate unexpectedly.

Table 5-3 lists the error pertaining to ESM DB2 Remote module and the solution.

Table 5-3 ESM DB2 Remote module errors

Error: Policy terminates unexpectedly
Solution: This behavior is observed only on the 6.5.0 Linux agent.
To solve this problem, you need to upgrade ESM agent to 6.5.2 or later.
