STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019:

DB2 must be configured to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments.

DISA Rule

SV-89159r2_rule

Vulnerability Number

V-74485

Group Title

SRG-APP-000142-DB-000094

Rule Version

DB2X-00-003800

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Run the following command to set the DB2COMM registry variable to the organization-approved communication protocol(s). The example enables both the plain TCP/IP listener and the SSL listener; if unencrypted TCP/IP is not approved, set DB2COMM=SSL only:

$db2set DB2COMM=TCPIP,SSL

DB2COMM is an instance registry variable (set with db2set, not through the database manager configuration); the change takes effect only after the instance is restarted with db2stop and db2start.

Set the SSL version:

$db2 update DBM CFG using SSL_VERSIONS TLSV12

The SVCENAME parameter can hold either a service name, which is resolved to a port through the services file, or an organization-approved port number given directly. The SSL listener port is configured the same way through the SSL_SVCENAME parameter.

Use one of the following commands to change the database manager configuration:

$db2 update dbm cfg using svcename <svcename>
Or
$db2 update dbm cfg using svcename <port number>

Notes: Configuring Secure Sockets Layer (SSL) support in a DB2 instance (the SSL listener also requires the server key database, stash file and certificate label to be set in the database manager configuration, as described on the following page):
http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0025241.html

Check Contents

Find out the communication protocols enabled by running the following command:

$db2set DB2COMM

If the DB2COMM value does not include SSL, this is a finding.

Run the following command to find the service names/port numbers used by the database manager:

$db2 get dbm cfg

Find the port numbers used by the TCP/IP and SSL listeners of the database manager (SVCENAME and SSL_SVCENAME). If a value is a service name rather than a number, match it in the services file to find the port number.

Default Location for services file

Windows Service File: %SystemRoot%\system32\drivers\etc\services
UNIX Services File: /etc/services

If ports used by the database manager are non-approved or deemed unsafe, this is a finding.
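The following script, added here as an example and not part of the STIG or of IBM's DB2 tooling, automates the fix-and-check procedure above: it parses the output of `db2set DB2COMM` and `db2 get dbm cfg`, resolves service names through text in services(5) format, and compares the resulting listener ports against an organization-approved list. The approved port list (APPROVED_PORTS) and the SAMPLE_* inputs are constructed for illustration; on a real instance, run it as the instance owner and feed it the live outputs of those two commands together with the contents of /etc/services.

```shell
#!/bin/sh
# Added example for DB2X-00-003800 (not part of the STIG or of IBM DB2 tooling).
# Audits DB2COMM, SVCENAME and SSL_SVCENAME against an approved port list.
# APPROVED_PORTS and the SAMPLE_* inputs below are constructed assumptions.

# Organization-approved listener ports (assumed values; take the real ones from the PPSM CAL).
APPROVED_PORTS="50001 50002"

# db2comm_has_ssl DB2COMM_OUTPUT -> exit 0 if the comma-separated value lists SSL.
# DB2COMM_OUTPUT is the text printed by `db2set DB2COMM`, e.g. "TCPIP,SSL".
db2comm_has_ssl() {
    printf '%s\n' "$1" | tr 'a-z' 'A-Z' | tr ',' '\n' | grep -qx 'SSL'
}

# dbm_cfg_value DBMCFG_OUTPUT PARAM -> prints the value of the `db2 get dbm cfg`
# line whose parenthesised keyword is PARAM, e.g.
#   TCP/IP Service name                          (SVCENAME) = db2c_db2inst1
dbm_cfg_value() {
    printf '%s\n' "$1" | sed -n "s/^.*($2) = *//p" | head -n 1
}

# resolve_port NAME_OR_PORT SERVICES_TEXT -> prints the TCP port: a numeric value
# is echoed unchanged, a service name is looked up in services(5)-format text.
resolve_port() {
    case "$1" in
        ''|*[!0-9]*)
            printf '%s\n' "$2" |
                awk -v n="$1" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }'
            ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# port_approved PORT -> exit 0 if PORT is in APPROVED_PORTS.
port_approved() {
    for p in $APPROVED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# audit DB2COMM_OUTPUT DBMCFG_OUTPUT SERVICES_TEXT -> prints one line per check
# and returns the number of findings (0 means compliant with this rule).
audit() {
    findings=0
    if db2comm_has_ssl "$1"; then
        echo "OK: DB2COMM='$1' includes SSL"
    else
        echo "FINDING: DB2COMM='$1' does not include SSL"
        findings=$((findings + 1))
    fi
    for param in SVCENAME SSL_SVCENAME; do
        name=$(dbm_cfg_value "$2" "$param")
        if [ -z "$name" ]; then
            echo "FINDING: $param is not set"
            findings=$((findings + 1))
            continue
        fi
        port=$(resolve_port "$name" "$3")
        if [ -z "$port" ]; then
            echo "FINDING: $param=$name does not resolve to a TCP port"
            findings=$((findings + 1))
        elif port_approved "$port"; then
            echo "OK: $param=$name -> port $port (approved)"
        else
            echo "FINDING: $param=$name -> port $port is not approved"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Constructed sample inputs (not captured from a real instance).
SAMPLE_SERVICES='db2c_db2inst1   50001/tcp
db2c_legacy     50000/tcp
db2c_db2inst1_i 50000/tcp'
SAMPLE_DB2COMM_OK='TCPIP,SSL'
SAMPLE_DBMCFG_OK=' TCP/IP Service name                          (SVCENAME) = db2c_db2inst1
 SSL service name                         (SSL_SVCENAME) = 50002
 SSL versions                             (SSL_VERSIONS) = TLSV12'
SAMPLE_DB2COMM_WEAK='TCPIP'
SAMPLE_DBMCFG_WEAK=' TCP/IP Service name                          (SVCENAME) = db2c_legacy
 SSL service name                         (SSL_SVCENAME) ='

# Demo: the hardened sample passes; the weak sample yields three findings
# (no SSL in DB2COMM, SVCENAME on a non-approved port, SSL_SVCENAME unset).
echo "== hardened sample =="
audit "$SAMPLE_DB2COMM_OK" "$SAMPLE_DBMCFG_OK" "$SAMPLE_SERVICES" && rc=0 || rc=$?
echo "result: $rc finding(s)"
echo "== weak sample =="
audit "$SAMPLE_DB2COMM_WEAK" "$SAMPLE_DBMCFG_WEAK" "$SAMPLE_SERVICES" && rc=0 || rc=$?
echo "result: $rc finding(s)"
```

The script only reads configuration and never changes it; a non-zero return from `audit` is the number of findings, which makes it easy to wire into a compliance job. Note that an SSL listener still depends on the key database parameters the fix text refers to, which this check does not inspect.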

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

3161

Comments