Deploying VA for DB2 for i

Enable a group of users to run vulnerability assessments, and configure and run the tests.

About this task

Deployment Steps

  1. Vulnerability Assessment is deployed from the Guardium system.

  2. The user runs a Guardium-supplied script against the target database to create a role with the privileges the assessment needs, then creates a datasource connection to the database.

  3. Create a security assessment, then select your datasources and desired tests to execute.

  4. When execution finishes, a report is created showing which tests passed or failed, along with detailed hardening recommendations.

IBM for i version support:

IBM for i 6.1, 7.1 and 7.2 partitions

VA test coverage (115 tests in total):

Profiles with Special Authorities

Profiles with access to Database Function Usage

Password policies

Database Objects privilege granted to PUBLIC

Database Objects privilege granted to individual user

Database Objects privilege granted with grant option

Security APARs

Entitlement Reports:

Profiles with Special Authorities

Group granted to user

Database Objects privilege granted to PUBLIC

Database Executable Objects privileges granted to PUBLIC

Database Objects privilege granted to individual user

Database Objects privilege granted with grant option

Procedure

  1. Use the Group Builder to create a group of users that you want to use VA. Open the Group Builder by clicking Setup > Tools and Views > Group Builder. The script in the next step is written for a group named gdmmonitor; if you use a different name, substitute it in every statement.
  2. Run the following script on your DB2 for i system to grant the privileges needed to execute VA to the group. This is done outside the Guardium system, using a native database client such as Run SQL Scripts or STRSQL. The script grants only SELECT on catalog views, so the assessment profile does not need *ALLOBJ or any other special authority:
    grant select on SYSIBMADM.FUNCTION_INFO to gdmmonitor;
    grant select on SYSIBMADM.FUNCTION_USAGE to gdmmonitor;
    grant select on SYSIBMADM.GROUP_PROFILE_ENTRIES to gdmmonitor;
    grant select on SYSIBMADM.SYSTEM_VALUE_INFO to gdmmonitor;
    grant select on SYSIBMADM.USER_STORAGE to gdmmonitor;
    grant select on QSYS2.AUTHORIZATIONS to gdmmonitor;
    grant select on SYSIBMADM.USER_INFO to gdmmonitor;
    grant select on QSYS2.SYSSCHEMAAUTH to gdmmonitor;
    grant select on QSYS2.SYSTABAUTH to gdmmonitor;
    grant select on QSYS2.SYSPACKAGEAUTH to gdmmonitor;
    grant select on QSYS2.SYSROUTINEAUTH to gdmmonitor;
    grant select on QSYS2.SYSSEQUENCEAUTH to gdmmonitor;
    grant select on QSYS2.SYSCOLAUTH to gdmmonitor;

    For IBM DB2 for i 7.1 and higher, also run these statements:

    grant select on QSYS2.SYSVARIABLEAUTH to gdmmonitor;
    grant select on QSYS2.SYSXSROBJECTAUTH to gdmmonitor;
  3. Create a JDBC connection to your DB2 for i system. Open the Datasource Finder by clicking Setup > Tools and Views > Datasource Definitions, and then select Security Assessment from the Application Selection menu.
    1. Click New and enter the appropriate information. Use the credentials of a profile that belongs to the gdmmonitor group, so that the grants from the previous step apply to the connection. For Connection Property, enter property1=com.ibm.as400.access.AS400JDBCDriver;translate binary=true.
  4. Create an assessment using the Assessment Builder. Open the Assessment Builder by clicking Harden > Vulnerability Assessment > Assessment Builder.
    1. Enter a description for the assessment.
    2. Add the datasource created in the previous step by clicking Add Datasource, selecting the datasource from the Datasource Finder, and clicking Add.
      Note: You must click Apply to save the assessment before you can configure tests.
  5. Add tests to the assessment by clicking Configure Tests. Click the IBM for i tab, select the tests that you want to add, and click Add Selections.
  6. Click Return to go back to the Security Assessment Finder. Run the assessment by clicking Run Once Now, or schedule it using the Audit Process Builder. Open the Audit Process Builder by clicking Discover > Classifications > Audit Process Builder.
  7. Click View Results to view the details of all the executed tests, including recommendations for improving your score.
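The following queries are an added example, not the test definitions Guardium itself executes. They run as the gdmmonitor profile (or any profile holding the grants from step 2) to confirm the datasource can read the catalog views the assessment needs, and to preview the kind of findings behind each test category. The views are the ones granted above; the column names follow the IBM i SQL catalog as documented, so check them against your release's catalog if a query fails.

```sql
-- Added example: verify catalog access and preview VA findings.
-- Run as a member of the gdmmonitor group; every query is read-only.

-- Profiles with Special Authorities (e.g. *ALLOBJ, *SECADM)
SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES, STATUS
  FROM SYSIBMADM.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR SPECIAL_AUTHORITIES LIKE '%*SECADM%';

-- Profiles with access to Database Function Usage
-- (QIBM_DB_SECADM, QIBM_DB_SQLADM, QIBM_DB_SYSMON, ...)
SELECT FUNCTION_ID, USER_NAME, USER_TYPE, USAGE
  FROM SYSIBMADM.FUNCTION_USAGE
 WHERE FUNCTION_ID LIKE 'QIBM_DB_%'
   AND USAGE = 'ALLOWED';

-- Password policies: the system values the password tests examine
SELECT SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE, CURRENT_CHARACTER_VALUE
  FROM SYSIBMADM.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QPWDMINLEN', 'QPWDEXPITV', 'QPWDLVL',
                             'QMAXSIGN', 'QPWDRQDDIF');

-- Database Objects privilege granted to PUBLIC, and any table privilege
-- that is held WITH GRANT OPTION (IS_GRANTABLE = 'YES')
SELECT GRANTEE, TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM QSYS2.SYSTABAUTH
 WHERE GRANTEE = 'PUBLIC'
    OR IS_GRANTABLE = 'YES'
 ORDER BY TABLE_SCHEMA, TABLE_NAME, GRANTEE;

-- Database Executable Objects (procedures and functions) granted to PUBLIC
SELECT GRANTEE, SPECIFIC_SCHEMA, SPECIFIC_NAME, PRIVILEGE_TYPE
  FROM QSYS2.SYSROUTINEAUTH
 WHERE GRANTEE = 'PUBLIC'
 ORDER BY SPECIFIC_SCHEMA, SPECIFIC_NAME;
```

If any of these queries fails with an authorization error, the grant script from step 2 was not applied to the profile the datasource connects as; fix the group membership or re-run the grants before running the assessment, otherwise the corresponding tests cannot evaluate.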

Results

What to do when a test fails

  • If the failure concerns a missing patch, apply the patch (for DB2 for i, the relevant security APAR) to the database.
  • If the failure concerns a configuration parameter, change the parameter to the best-practice value given in the recommendation.
  • Revoke object or system privileges that your applications do not require.
  • Revoke object privileges granted directly to a grantee, grant them to a role or group instead, and assign the grantee to that role or group.
  • Change the password policy settings, or change users' default passwords.
  • If your application requires a specific grant, create an exception group, link it to the failed test, and re-run the assessment.
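The following statements are an added example of the "revoke direct grants, grant to a group" remediation from the list above; they are not Guardium-supplied code. They assume a hypothetical finding that the user profile APPUSER1 holds SELECT and UPDATE on the table SALES.ORDERS directly and WITH GRANT OPTION, and that PUBLIC also has privileges on it. The group profile APPGRP is assumed to exist already with APPUSER1 as a member (group membership is set on the IBM i profile, not through SQL).

```sql
-- Added example: move a direct, grantable table privilege onto a group.
-- APPUSER1, APPGRP and SALES.ORDERS are hypothetical names.

-- 1. Confirm the finding before changing anything
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM QSYS2.SYSTABAUTH
 WHERE TABLE_SCHEMA = 'SALES'
   AND TABLE_NAME   = 'ORDERS'
   AND (GRANTEE IN ('APPUSER1', 'PUBLIC') OR IS_GRANTABLE = 'YES');

-- 2. Grant the group only what the application needs, without GRANT OPTION.
--    Do this first so the application keeps working during the change.
GRANT SELECT, UPDATE ON SALES.ORDERS TO APPGRP;

-- 3. Remove the direct grant from the user and the over-broad grant from PUBLIC
REVOKE SELECT, UPDATE ON SALES.ORDERS FROM APPUSER1;
REVOKE ALL ON SALES.ORDERS FROM PUBLIC;

-- 4. Re-check: the direct and PUBLIC rows should be gone and nothing should be
--    grantable; only APPGRP should remain for this table
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM QSYS2.SYSTABAUTH
 WHERE TABLE_SCHEMA = 'SALES'
   AND TABLE_NAME   = 'ORDERS'
 ORDER BY GRANTEE, PRIVILEGE_TYPE;
```

Grant to the group before revoking from the user so that the application never loses access in between, and re-run the assessment afterwards rather than trusting the manual check alone: the tests for "granted to individual user", "granted to PUBLIC" and "granted with grant option" should all pass for this object once the catalog shows only the group entry.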