5.2 Specify a Secure Authentication Type (AUTHENTICATION)

Information

The AUTHENTICATION database manager configuration parameter specifies how and where authentication takes place for incoming connections to the database as well as local authorization of commands run outside a connection or attachment, such as tools run from the command line. This parameter can be overridden by the SRVCON_AUTH parameter for incoming connections.

This parameter can take on any of the following values:

SERVER
SERVER_ENCRYPT
KERBEROS
KRB_SERVER_ENCRYPT
GSSPLUGIN
GSS_SERVER_ENCRYPT

Recommendations:

Do not use CLIENT authentication types.

Rationale:

When using CLIENT authentication type, the server trusts the client to authenticate the connecting user. A malicious user can connect to the database as any user including a database administrator by simply creating that user on the client system. Note that CLIENT authentication is deprecated and can only be set if the DB2AUTH registry variable contains ENABLE_CLIENT_AUTHN.

When using SERVER authentication type without SSL enabled, the user ID and password that are sent from the client to the server during a connect or an attach are in plaintext format. Therefore, these credentials are exposed when sent across an insecure network and can be intercepted by a malicious user.

The SERVER_ENCRYPT authentication type has been deprecated and may be removed in a future version of Db2. Its Diffie-Hellman key exchange size does not meet the NIST SP 800-131A recommendations. Use TLS instead to protect client-server communications.

Impact:

It is important to be aware that the implementation of this recommendation results in a brief downtime. It is therefore advisable to ensure that the setting is implemented during an approved maintenance window.


Solution

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command:

db2 => update database manager configuration using authentication <authentication type>

Restart the Db2 instance.

db2 => db2stop

db2 => db2start

Refer to the 'encryption of data in motion' section for more information about using SSL for client-server communication.
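As an added example (not part of the benchmark text or of Db2's own tooling), the following POSIX shell audit reads the text that "db2 get dbm cfg" prints, applies the SRVCON_AUTH override described above, and classifies the effective authentication type against the recommendations in this section. The configuration text is constructed to resemble that output; the helper names and the use of a non-empty SSL_SVCENAME as the sign that SSL is enabled are assumptions.

```shell
#!/bin/sh
# Constructed sample resembling "db2 get dbm cfg" output; in a real audit
# replace it with: SAMPLE_DBM_CFG=$(db2 get dbm cfg)
SAMPLE_DBM_CFG='
 Database manager authentication        (AUTHENTICATION) = SERVER
 Server connection authentication          (SRVCON_AUTH) = NOT_SPECIFIED
 SSL server keydb file                   (SSL_SVR_KEYDB) =
 SSL service name                         (SSL_SVCENAME) ='

# cfg_value NAME TEXT: print the value shown after "(NAME) =" in TEXT
cfg_value() {
    printf '%s\n' "$2" | sed -n "s/^.*(${1}) *= *//p" | sed 's/[[:space:]]*$//'
}

# effective_auth TEXT: SRVCON_AUTH overrides AUTHENTICATION for incoming
# connections unless it is NOT_SPECIFIED (or absent)
effective_auth() {
    srvcon=$(cfg_value SRVCON_AUTH "$1")
    if [ -n "$srvcon" ] && [ "$srvcon" != NOT_SPECIFIED ]; then
        printf '%s\n' "$srvcon"
    else
        cfg_value AUTHENTICATION "$1"
    fi
}

# assess TEXT: one PASS/WARN/FAIL line with the reason from the rationale.
# Assumption: a non-empty SSL_SVCENAME is taken as "SSL enabled".
assess() {
    eff=$(effective_auth "$1")
    ssl_svc=$(cfg_value SSL_SVCENAME "$1")
    case "$eff" in
        CLIENT)
            echo "FAIL: CLIENT trusts the client to authenticate users" ;;
        SERVER)
            if [ -n "$ssl_svc" ]; then
                echo "PASS: SERVER with SSL service name $ssl_svc"
            else
                echo "FAIL: SERVER without SSL sends credentials in plaintext"
            fi ;;
        SERVER_ENCRYPT)
            echo "WARN: SERVER_ENCRYPT is deprecated; use TLS instead" ;;
        KERBEROS|KRB_SERVER_ENCRYPT|GSSPLUGIN|GSS_SERVER_ENCRYPT)
            echo "PASS: $eff" ;;
        *)
            echo "FAIL: unrecognised or missing authentication type '$eff'" ;;
    esac
}

assess "$SAMPLE_DBM_CFG"
```

The sample above yields a FAIL because SERVER is in effect with no SSL service name configured; point the script at a live "db2 get dbm cfg" to check an instance.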

See Also

https://workbench.cisecurity.org/benchmarks/23492