STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019:

If passwords are used for authentication, DB2 must transmit only encrypted representations of passwords.

DISA Rule

SV-89161r2_rule

Vulnerability Number

V-74487

Group Title

SRG-APP-000172-DB-000075

Rule Version

DB2X-00-004100

Severity

CAT II

CCI(s)

• CCI-000197 - The information system, for password-based authentication, transmits only cryptographically-protected passwords.

Weight

10

Fix Recommendation

Run the following command to set the value of the authentication encryption to SERVER_ENCRYPT:

$db2 update dbm cfg using authentication server_encrypt

Run the following db2set command to set the value of DB2AUTH to JCC_ENFORCE_SECMEC:

$db2 set DB2AUTH=JCC_ENFORCE_SECMEC
Notes: It is recommended to set the ALTERNATE_AUTH_ENC database manager configuration parameter to AES_ONLY to require that AES encryption be used.

Check Contents

Run the following command to find the value of the authentication parameter:

$db2 get dbm cfg

If the AUTHENTICATION parameter is not set to SERVER_ENCRYPT, this is a finding.

Run the following command to find the value of the registry variable DB2AUTH:

$db2set -all

If the value of DB2AUTH is not set to JCC_ENFORCE_SECMEC, or DB2AUTH is not set (i.e. a row is not returned for DB2AUTH from the above command), this is a finding.

Vulnerability Number

V-74487

Documentable

False

Rule Version

DB2X-00-004100

Severity Override Guidance

Run the following command to find the value of the authentication parameter:

$db2 get dbm cfg

If the AUTHENTICATION parameter is not set to SERVER_ENCRYPT, this is a finding.

Run the following command to find the value of the registry variable DB2AUTH:

$db2set -all

If the value of DB2AUTH is not set to JCC_ENFORCE_SECMEC, or DB2AUTH is not set (i.e. a row is not returned for DB2AUTH from the above command), this is a finding.

Check Content Reference

M

Target Key

3161

Comments