5.4 Database Manager Configuration Parameter: TRUST_ALLCLNTS

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

This database manager configuration parameter is only active when the authentication parameter is set to CLIENT, which is not a recommended setting, as discussed in the [authentication parameter section](#specify-a-secure-authentication-type-authentication). If the parameter is set to YES, the server assumes that the client side is handling authentication to the database. If the parameter is set to NO, the client must provide authentication to the server on behalf of the user.

The recommended value for this parameter is NO.

Rationale:

If the server trusts the client to authenticate the connecting user, a malicious user can connect to the database as any user, including a database administrator, by simply creating that user on the client system.

Impact:

It is important to be aware that the implementation of this recommendation results in a brief downtime. It is therefore advisable to ensure that the setting is implemented during an approved maintenance window.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command:

db2 => update database manager configuration using trust_allclnts no

Restart the Db2 instance.

db2 => db2stop
db2 => db2start
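
To confirm the value before the change and again after the restart, the following added example (not part of the benchmark or the Nessus audit) parses `db2 get dbm cfg` output and reports whether TRUST_ALLCLNTS is NO, and whether a non-compliant value is currently active because authentication is CLIENT. The function names and the sample text are constructed for illustration and assume the usual `(KEYWORD) = value` output layout.

```sh
#!/bin/sh
# Added example: audit TRUST_ALLCLNTS from `db2 get dbm cfg` output.
# Typical use (assumes a shell with the Db2 instance environment loaded):
#   db2 get dbm cfg | check_trust_allclnts

# Constructed sample in the "(KEYWORD) = value" layout; not from a real system.
SAMPLE_CFG=' Database manager authentication        (AUTHENTICATION) = CLIENT
 Trust all clients                      (TRUST_ALLCLNTS) = YES'

# Print the upper-cased value of one keyword. $1 = keyword, $2 = cfg text.
dbm_cfg_value() {
    printf '%s\n' "$2" | awk -v key="($1)" '
        index($0, key) {
            n = split($0, part, "=")
            v = part[n]
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)   # trim blanks and CR
            print toupper(v)
            exit
        }'
}

# Read cfg text on stdin. Returns 0 = compliant, 1 = finding, 2 = no data.
check_trust_allclnts() {
    cfg=$(cat)
    trust=$(dbm_cfg_value TRUST_ALLCLNTS "$cfg")
    auth=$(dbm_cfg_value AUTHENTICATION "$cfg")
    if [ -z "$trust" ]; then
        echo "UNKNOWN: TRUST_ALLCLNTS not found in input"
        return 2
    fi
    if [ "$trust" = "NO" ]; then
        echo "PASS: TRUST_ALLCLNTS=NO (AUTHENTICATION=${auth:-unknown})"
        return 0
    fi
    # Anything other than NO fails the recommendation on this page.
    if [ "$auth" = "CLIENT" ]; then
        echo "FAIL: TRUST_ALLCLNTS=$trust is active (AUTHENTICATION=CLIENT)"
    else
        echo "FAIL: TRUST_ALLCLNTS=$trust, dormant until AUTHENTICATION=CLIENT"
    fi
    return 1
}

# Demo on the constructed sample; "|| true" keeps the script exit status 0.
printf '%s\n' "$SAMPLE_CFG" | check_trust_allclnts || true
```
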

See Also

https://workbench.cisecurity.org/files/4033