2.1 Prevent Database Users from Logging into the Operating System

Information

Db2's default authentication mechanism (SERVER) uses the operating system for authentication. This necessitates that users who require access to the database can be authenticated by the operating system. A by-product of this is that those users will be able to log into a shell in the OS of the database server, such as through ssh. The scope of the problem is greater if the OS has been configured to use an LDAP server for authentication, as that would likely contain more than just database users. Unless explicitly authorized, database users should not be able to log into the OS and action is required to prevent this.

For Windows, the recommendation is based on the CIS Benchmark for Windows Server 2016, section '2.2.21 Ensure 'Deny access to this computer from the network' to include 'Guests, Local account and member of Administrators group''.

Rationale:

Only authorized users should be able to log into the operating system that is running the Db2 database server. This will reduce the attack exposure of the system by preventing database users from accessing operating system resources or taking advantage of operating system flaws.

Impact:

The recommendation in this section affects who can log into the operating system of the server where Db2 is installed. Care must be taken to ensure that appropriate settings are made and system administrators continue to have the ability to login to the system.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

The steps to accomplish this differ per OS and even the level of OS.

RHEL 7
Run the following commands as root:

Modify the file /etc/security/access.conf
Add users who are allowed to log into the OS with a +

+ : <user1> <user2>

Add a deny all rule as the last rule to prevent other users not explicitly allowed to log in, which would apply to database users:

- : ALL : ALL

Modify the file /etc/sysconfig/authconfig
Ensure the following line is set to yes

USEPAMACCESS=yes

Run this command to update the auth configuration:

$ authconfig --updateall

Using these steps will ensure that account required pam_access.so is placed into the file /etc/pam.d/system-auth and the access list will be enforced for OS login.

RHEL 8
Run the following commands as root:

Modify the file /etc/security/access.conf
Add users who are allowed to log into the OS with a +

+ : <user1> <user2>

Add a deny all rule as the last rule to prevent other users not explicitly allowed to log in, which would apply to database users:

- : ALL : ALL

Run this command to update the auth configuration:

$ authselect enable-feature with-pamaccess

Using these steps will ensure that account required pam_access.so is placed into the file /etc/pam.d/system-auth and the access list will be enforced for OS login.

AIX

Ensure appropriate users are explicitly listed as being allowed to log into the system. It is important that you have users listed with privilege to rlogin so that you do not lock yourself out of the system. Modify the file /etc/security/user, and for each user allowed to log in, find their stanza and add the following line:

rlogin = true

Modify the default stanza to indicate the default value is that users are not able to login

rlogin = false

Ensure the DB2LOGINRESTRICTIONS registry variable is set to a value of LOCAL (the default if not specified) or NONE. Setting a value of NETWORK will return an error during Db2 authentication for any user with rlogin set to false. You can check this value as the instance owner by issuing the command:

$ db2set | grep DB2LOGINRESTRICTIONS

To change the value, use the command:

db2set DB2LOGINRESTRICTIONS=LOCAL

Windows
The remediation should only be followed for these scenarios:

You are using Db2 11.5 or later

You are using Db2 11.1 or prior and do not have local accounts that are members of the Administrator group. Following these changes will prevent local accounts that are members of the Administrator group from connecting to the database.

Follow these steps:

To establish the recommended configuration via Group Policy, configure the following UI path:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network

Ensure these two values are present in the setting, and if not follow the remediation:

Guests

Local account and member of Administrators group.

For Db2 11.5 and later, set the DB2_WINDOWS_LOGON_TYPE to DEFINITION. This setting controls how Db2 authenticates users when they connect. Local users must hold the right 'Allow log on locally' and not be part of the 'Deny log on locally'. Domain users must hold the right 'Access this computer from the network' and not be part of 'Deny access to this computer from the network'. This setting will ensure that local users are authenticated when connecting to Db2 according to their ability to log on locally, and not through the default value of accessing this computer from the network.
Issue the following command

db2set DB2_WINDOW_LOGON_TYPE=DEFINITION

See Also

https://workbench.cisecurity.org/files/4033