5.5 Database Manager Configuration Parameter: TRUST_CLNTAUTH

Information

This database manager configuration parameter is only active when the authentication parameter is set to CLIENT, which is not a recommended setting, as discussed in the [authentication parameter section](#specify-a-secure-authentication-type-authentication). If TRUST_CLNTAUTH is set to CLIENT, the user ID and password are not needed, but if they are provided, authentication will occur at the client. If TRUST_CLNTAUTH is set to SERVER, the user ID and password are needed and will be authenticated at the server.

The recommended value for this parameter is SERVER.

Rationale:

If the server trusts the client to authenticate the connecting user, a malicious user can connect to the database as any user including a database administrator by simply creating that user on the client system.

Impact:

Implementing this recommendation results in a brief downtime, so apply the setting during an approved maintenance window.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command:

db2 => update database manager configuration using trust_clntauth SERVER

Restart the Db2 instance.

db2 => db2stop
db2 => db2start
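
One way to verify the setting after the restart, as an added example that is not part of the benchmark or of Nessus: the script below parses the text printed by `db2 get dbm cfg` and reports whether TRUST_CLNTAUTH is SERVER, and whether AUTHENTICATION is CLIENT (the case in which the parameter is active). The sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed sample of `db2 get dbm cfg` output (not captured from a real system).
SAMPLE_DBM_CFG = """\
 Database manager authentication        (AUTHENTICATION) = CLIENT
 Trust all clients                      (TRUST_ALLCLNTS) = YES
 Trusted client authentication          (TRUST_CLNTAUTH) = CLIENT
 Bypass federated authentication            (FED_NOAUTH) = NO
"""

# Matches lines of the form "<description> (KEYWORD) = value".
_CFG_LINE = re.compile(r"\(([A-Z0-9_]+)\)\s*=\s*(.*?)\s*$")


def parse_dbm_cfg(text):
    """Return {KEYWORD: value} for every '(KEYWORD) = value' line."""
    params = {}
    for line in text.splitlines():
        m = _CFG_LINE.search(line)
        if m:
            params[m.group(1)] = m.group(2).upper()
    return params


def check_trust_clntauth(text):
    """Return (compliant, findings) for the TRUST_CLNTAUTH recommendation."""
    params = parse_dbm_cfg(text)
    findings = []
    value = params.get("TRUST_CLNTAUTH")
    if value is None:
        findings.append("TRUST_CLNTAUTH not found in output; cannot verify")
    elif value != "SERVER":
        findings.append(f"TRUST_CLNTAUTH is {value}, expected SERVER")
    # The parameter only takes effect when AUTHENTICATION is CLIENT,
    # so report that setting too: it is the case where the value matters.
    if params.get("AUTHENTICATION") == "CLIENT":
        findings.append("AUTHENTICATION is CLIENT, so TRUST_CLNTAUTH is active")
    return (value == "SERVER", findings)


if __name__ == "__main__":
    ok, notes = check_trust_clntauth(SAMPLE_DBM_CFG)
    print("PASS" if ok else "FAIL")
    for n in notes:
        print(" -", n)
```
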

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(1), 800-53|AC-3

Plugin: Windows

Control ID: e8e8ae62a5631fd2cb623c058439101a646c5f8bcd137cafc7320a012f5651ea