4.1.2 Set Failed Archive Retry Delay (ARCHRETRYDELAY)

Information

The ARCHRETRYDELAY parameter specifies the number of seconds the Db2 service waits before it reattempts to archive log files after a failure. It is recommended that this parameter be set in the range of 10-30. The delay should not be so short that the database ends up in a denial of service scenario, but it should not be too long either, in case an outside attack happens at the same time.

Rationale:

Ensure that the value is non-zero; otherwise archive logging will not retry after the first failure. If this setting is not set, a denial of service attack can leave the database without an archive log. An archive log ensures that all transactions can safely be restored or logged for auditing.

Solution

Connect to the Db2 database:

db2 => connect to <dbname>

To successfully set the ARCHRETRYDELAY within the 10-30 range, run the following command:

db2 => update database configuration using archretrydelay nn

where nn is a value in the range 10-30.

Default Value:

The default value for ARCHRETRYDELAY is 20.
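
One way to verify the setting after applying the solution, as an added example that is not part of the benchmark or the audit plugin: a POSIX shell check that reads database configuration text and tests ARCHRETRYDELAY against the 10-30 range. The function names and the sample configuration lines are constructed for illustration; on a real system the input would come from db2 get db cfg for <dbname>.

```shell
#!/bin/sh
# Added example: audit ARCHRETRYDELAY from database configuration text.
# Real use (assumes an instance-owner shell): db2 get db cfg for <dbname> | audit_db_cfg

# Print the value on the line carrying the (ARCHRETRYDELAY) parameter name.
archretrydelay_value() {
    sed -n 's/.*(ARCHRETRYDELAY)[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Return 0 if the value is in 10-30, 1 if it is not, 2 if it cannot be read.
check_archretrydelay() {
    value=$1
    case $value in
        ''|*[!0-9]*)
            echo "ERROR: ARCHRETRYDELAY not found or not numeric"
            return 2 ;;
    esac
    if [ "$value" -eq 0 ]; then
        # Zero is called out separately: archiving is not retried at all.
        echo "FAIL: ARCHRETRYDELAY=0, archiving is not retried after the first failure"
        return 1
    elif [ "$value" -ge 10 ] && [ "$value" -le 30 ]; then
        echo "PASS: ARCHRETRYDELAY=$value"
        return 0
    fi
    echo "FAIL: ARCHRETRYDELAY=$value is outside the 10-30 range"
    return 1
}

# Read configuration text on stdin and report compliance.
audit_db_cfg() {
    check_archretrydelay "$(archretrydelay_value)"
}

# Constructed sample of configuration output (not captured from a real system).
sample_cfg() {
cat <<'EOF'
 First log archive method                 (LOGARCHMETH1) = DISK:/db2/archive/
 Number of log archive retries on error   (NUMARCHRETRY) = 5
 Log archive retry Delay (secs)         (ARCHRETRYDELAY) = 20
EOF
}

sample_cfg | audit_db_cfg
```

The exit status (0 pass, 1 fail, 2 unreadable) lets the check run from a scheduled job or a configuration-management task.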

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-11

Plugin: Unix

Control ID: 88c5de23c3af2ddeec4e50907ab9ef88841191710e10e12d9b23f6a07899161a