Walker News

How To Secure ITMA Installation Files And Folders That Have 777 Permissions?

The ITMA (IBM Tivoli Monitoring Agent) that ships with DB2 9.5/9.7 installs its files and folders on Linux with 777 permissions by default (i.e. every user account can read, write and execute them).

For example:
ls -l /opt/ibm/db2/V9.7/itma | grep drwxrwxrwx

drwxrwxrwx  3 root root 4096 Jun  6 12:14 bin
drwxrwxrwx  4 root root 4096 Jun 11 15:58 config
drwxrwxrwx  3 root root 4096 Jun  6 12:14 InstallITM
drwxrwxrwx  3 root root 4096 Jun  6 12:14 LAP
drwxrwxrwx  3 root root 4096 Jun  6 12:14 licenses
drwxrwxrwx  3 root root 4096 Jun 11 15:58 logs
drwxrwxrwx  4 root root 4096 Jun  6 12:14 lx8266
drwxrwxrwx  2 root root 4096 Jun  6 12:14 META-INF
drwxrwxrwx  2 root root 4096 Jun  6 12:14 registry
drwxrwxrwx  2 root root 4096 Jun  6 12:13 tables
drwxrwxrwx  4 root root 4096 Jun  6 12:14 tmaitm6
drwxrwxrwx  2 root root 4096 Jun 11 15:58 tmp

To pass an IT audit or security review, the sysadmin has to either justify keeping the default file permissions or find a way to secure them. Most of the time, it’s easier to secure the files than to provide a justification. In fact, IBM offers an official guide to fix this (though the ITMA installer itself does not fix it):

1. Login as root

2. Change directory to DB2DIR/itma, where DB2DIR is your DB2 installation directory. On RHEL, the default DB2 9.x installation directory is /opt/ibm/db2/V9.x.

3. Execute bin/secureMain -g root lock. The secureMain shell script sets the Linux file permissions of all ITMA-related files and folders to mode 755.
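
To confirm the effect of step 3, the check below reports anything under the ITMA directory that is still world-writable; run it before and after secureMain. It is an added example, not part of IBM's guide or the original post. The function names and the ITMA_DIR variable are assumptions, and the default path is the one from the listing above.

```shell
#!/bin/sh
# Added example: audit a directory tree for world-writable entries.
# ITMA_DIR defaults to the path from the listing above (assumption: adjust
# it to your own DB2DIR/itma).
ITMA_DIR="${ITMA_DIR:-/opt/ibm/db2/V9.7/itma}"

# Print every regular file or directory under $1 that "other" may write to.
# Symlinks are skipped: their own mode bits always read 777 and mean nothing.
# -xdev keeps the scan on one filesystem.
list_world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
}

# Number of world-writable entries under $1, including $1 itself.
# (Counts lines, so a path containing a newline would be counted twice.)
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Exit status: 0 = clean, 1 = world-writable entries found, 2 = bad path.
audit_itma_perms() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "audit: $dir is not a directory" >&2
        return 2
    fi
    n=$(count_world_writable "$dir")
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n world-writable entries under $dir (first 20 shown)" >&2
        list_world_writable "$dir" | head -n 20 >&2
        return 1
    fi
    echo "OK: no world-writable files or directories under $dir"
    return 0
}

# Usage, as root:
#   audit_itma_perms "$ITMA_DIR"     # before: expect FAIL on a default install
#   (run step 3 from DB2DIR/itma)
#   audit_itma_perms "$ITMA_DIR"     # after: expect OK
```

The non-zero exit status on failure lets the same function serve as a recurring check, for example from cron, to catch permissions that revert after an ITMA reinstall or upgrade.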

After applying this solution recommended by IBM, you may hope that the IT auditor / security team will agree with this “hardening” effort. As for me, I choose to uninstall ITMA if there is no chance or no need of using it.
