DB2 relies upon the IT Environment to authenticate users before access to DB2 is allowed, provide a reliable time source, provide domain separation, and provide OS resource management (memory management, etc.). The IT Environment and its security requirements are not included in this evaluation.
\r\nDB2 is a software application, relational database management system (RDBMS) provided by IBM. DB2 supports the Standard Query Language (SQL) interface from a client that is connected to the database server. From the client, commands can be entered interactively or through an executing program to the database server to create databases, database tables, and to store and retrieve information from tables.
\r\nDB2 meets security functional requirements in the following areas: Access Control, Identification and Authentication, Audit, Security Management, and TOE Protection. DB2 supports Access Control by controlling access to the database and objects within the database (e.g. views) based upon user and object security attributes. DB2 requires all users to be identified and authenticated before allowing them access to DB2 resources. The IT Environment performs the actual authentication and association of users with groups and passes the result to DB2. DB2 audits security relevant events such as access to database resources, changing of security attributes, and modification of security attributes. Management of the DB2 TOE, including the ability to select and review audit records, is restricted to authorized administrators based on authorities. Management of DB2 objects is restricted to those users that are assigned the appropriate privileges to do so. DB2 is designed so that each of its interfaces performs the necessary access checks before allowing access to DB2 resources.
\r\nThere are several IBM DB2 product versions included in the evaluated configuration and the differences have no affect on the security functions claimed in the Security Target. The various DB2 editions differ primarily in the number of resources (e.g., users) they support and are identical in terms of their security architecture and behavior.","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The purpose of the evaluation was to demonstrate that the IBM DB2 Version 8.2 TOE meets the security requirements of the Security Target. The TOE was evaluated against Evaluation Assurance Level 4 (EAL4) augmented with Basic Flaw Remediation (ALC_FLR.1) requirements according to the Common Criteria for Information Technology Security Evaluation, Version 2.1 The evaluation methodology used by the evaluation team to conduct the evaluation is the Version 1.0 and Part 2: Evaluation Methodology, Supplement: ALC_FLR - Flaw Remediation, Version 1.1, February 2002, CEM-2001/0015R . A validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by Science Application International Corporation (SAIC). The evaluation was completed in September 2004. The results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, DB2 Version 8.2, dated September 17, 2004.
","environmental_strengths":"IBM DB2 is a commercial DBMS product that provides security functionality in the areas of identification and authentication, access control, audit, security management, and TOE protection. The TOE provides a level of protection that is appropriate for IT environments that require that access be controlled to the database and its contents, and where the TOE is appropriately protected from physical attacks.
\r\n
","features":[]}