Detections
Analytics

8.2.4 Secure the Stash File

Information

A stash file is an obfuscated file that contains the credentials that are needed to access the keystore. If a keystore password was not provided during db2start, the password will be retrieved from the stash file.

A stash file is created when -stash command is used during the creation of the keystore.

Rationale:

Set this file to be readable by only the Db2 instance owner. If this file is not secured, an attacker may delete it, causing potential interruption of operations.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Change the permissions for the file:

$ chmod 600 keystore.sth

See Also

https://workbench.cisecurity.org/benchmarks/23492

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: IBM_DB2DB

Control ID: 3a5769cd2264e69e19c170e7d6fcc02a55517276e0c810fcb0783708a8325f00