5.10 DB2AUTH Registry Variable

Information

The DB2AUTH registry variable controls several authentication-related behaviors of a Db2 instance. Its value is a comma-separated list of keywords, so more than one of the settings below can be active at once.

The following settings are recommended for this registry variable:

Use DISABLE_CHGPASS, which disables the ability to change a user's password from the client through Db2.

Use JCC_ENFORCE_SECMEC, which makes the Db2 server reject the clear-text password security mechanism when the SERVER_ENCRYPT authentication type is in use. Without it, a server configured for SERVER_ENCRYPT still accepts a JCC (Java) client that negotiates clear-text passwords.

If CLIENT authentication is in use (not recommended; see section 6.2), also set TRUSTEDCLIENT_SRVENC, and not TRUSTEDCLIENT_DATAENC. TRUSTEDCLIENT_SRVENC forces untrusted clients to use the SERVER_ENCRYPT authentication type, whereas TRUSTEDCLIENT_DATAENC forces them to use DATA_ENCRYPT.

If DB2AUTH does not include DISABLE_CHGPASS, refer to the DB2CHGPWD_EEE registry variable section, which specifies whether users can change passwords through Db2 in a partitioned database environment.

Rationale:

Allowing a client to change a user's password through Db2 commands is not recommended, since Db2 may not enforce the password-change rules expected of the underlying operating system or security plug-in. In addition, password changes routed through Db2 may not be audited as expected.

Plain-text passwords sent across an unsecured network are exposed and can be intercepted by an attacker on the path.

DATA_ENCRYPT is deprecated because it relies on the DES encryption algorithm, which is cryptographically weak. Enforcing SERVER_ENCRYPT ensures that the user ID and password are encrypted in transit from the client to the server. Note that SERVER_ENCRYPT protects only the credentials, and by default also with DES; set the alternate_auth_enc database manager configuration parameter to AES_ONLY (or AES_CMP where older clients must still connect) to require AES for the credentials, and use TLS for the session if the query data itself must be protected.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

As the instance owner, run the following command to set the DB2AUTH registry variable to the required comma-separated values (for example DISABLE_CHGPASS,JCC_ENFORCE_SECMEC, adding TRUSTEDCLIENT_SRVENC when CLIENT authentication is in use), then restart the instance (db2stop/db2start) for the change to take effect:

db2set DB2AUTH=DISABLE_CHGPASS,JCC_ENFORCE_SECMEC
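The following script is an added example and is not part of the CIS benchmark, the Nessus audit or IBM's Db2 tooling. It applies the recommendations from the Information section above to a DB2AUTH value as printed by `db2set DB2AUTH`: it reports which recommended keywords are missing, treats a lingering TRUSTEDCLIENT_DATAENC as a finding to be replaced by TRUSTEDCLIENT_SRVENC, and prints the exact db2set command that remediates the value while keeping any other keywords already set. The sample values are constructed, and the function names and the optional CLIENT argument are the example's own conventions.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark, Nessus or IBM. Audits a DB2AUTH value
# against the recommended keywords and prints the remediating db2set command.
# Assumes DB2AUTH is a comma-separated list of keywords, as `db2set DB2AUTH` prints it.

# Keywords this benchmark item recommends for every server.
REQUIRED="DISABLE_CHGPASS JCC_ENFORCE_SECMEC"

# Constructed sample values (not captured from a real instance).
SAMPLE_UNSET=""
SAMPLE_DATAENC="DISABLE_CHGPASS, TRUSTEDCLIENT_DATAENC"
SAMPLE_GOOD="DISABLE_CHGPASS,JCC_ENFORCE_SECMEC,TRUSTEDCLIENT_SRVENC"

# normalize VALUE : strip blanks and map the deprecated DATA_ENCRYPT keyword to
# its SERVER_ENCRYPT counterpart, which is what this item recommends instead.
normalize() {
    printf '%s' "$1" | tr -d ' ' | sed 's/TRUSTEDCLIENT_DATAENC/TRUSTEDCLIENT_SRVENC/g'
}

# has_value KEYWORD LIST : succeeds when KEYWORD is one item of comma-separated LIST.
has_value() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_values VALUE [CLIENT] : prints the recommended keywords absent from VALUE,
# space separated. Pass CLIENT when the instance runs AUTHENTICATION=CLIENT, which
# adds TRUSTEDCLIENT_SRVENC to the requirement.
missing_values() {
    list=$(printf '%s' "$1" | tr -d ' ')
    want=$REQUIRED
    [ "${2:-}" = "CLIENT" ] && want="$want TRUSTEDCLIENT_SRVENC"
    out=""
    for kw in $want; do
        has_value "$kw" "$list" || out="$out $kw"
    done
    printf '%s' "${out# }"
}

# remediation VALUE [CLIENT] : prints the db2set command that keeps the existing
# keywords, replaces TRUSTEDCLIENT_DATAENC and appends whatever is missing; prints
# nothing when VALUE is already compliant.
remediation() {
    fixed=$(normalize "$1")
    for kw in $(missing_values "$fixed" "${2:-}"); do
        fixed="${fixed:+$fixed,}$kw"
    done
    [ "$fixed" = "$(printf '%s' "$1" | tr -d ' ')" ] && return 0
    printf 'db2set DB2AUTH=%s' "$fixed"
}

# Demonstration on the constructed samples. On a live instance, run as the instance
# owner:  remediation "$(db2set DB2AUTH)" CLIENT   (drop CLIENT unless AUTHENTICATION=CLIENT)
for sample in "$SAMPLE_UNSET" "$SAMPLE_DATAENC" "$SAMPLE_GOOD"; do
    printf 'DB2AUTH=%-55s missing: %s\n' "\"$sample\"" "$(missing_values "$sample" CLIENT)"
    cmd=$(remediation "$sample" CLIENT)
    printf '  %s\n' "${cmd:-compliant, no change needed}"
done
```

The generated command must still be followed by db2stop/db2start on the instance, and the check only covers DB2AUTH itself; the alternate_auth_enc parameter discussed in the Rationale is a separate dbm cfg setting.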

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 9776d6e1473f115b512bc1cadba8bd5d53dca3da7ed60c8d6a762098d3dda4d7