Introducing Guardium Vulnerability Assessment

Guardium Vulnerability Assessment enables you to identify and correct security vulnerabilities in your database infrastructure.

Database Vulnerability Assessment is used to scan the database infrastructure for vulnerabilities and provide evaluation of database and data security health, with real time and historical measurements.

Vulnerability Assessment uses three types of artifacts:
  • Test: A test checks the database environment for vulnerabilities for a particular threat or area of concern.
  • Assessment: An assessment is a job that includes a set of tests that are run together.
  • Data source: The source of the data itself, such as a database or XML file, together with the connection information necessary for accessing the data.
The Guardium® Vulnerability Assessment application enables organizations to identify and address database vulnerabilities in a consistent and automated fashion. Guardium’s assessment process evaluates the health of your database environment and recommends improvement by:
  • Assessing system configuration against best practices and finding vulnerabilities or potential threats to database resources, including configuration and behavioral risks. For example, identifying all default accounts that haven’t been disabled; checking public privileges and authentication methods chosen, etc.
  • Finding any inherent vulnerabilities present in the IT environment, such as missing security patches.
  • Recommending and prioritizing an action plan based on the discovered areas of most critical risk and vulnerability. The generated reports and recommendations provide guidelines on how to meet compliance requirements and elevate the security of the evaluated database environment.
Guardium’s Database Vulnerability Assessment combines two essential testing methods to guarantee full depth and breadth of coverage. It leverages multiple sources of information to compile a full picture of the security health of the database and data environment.
  1. Agent-based: Using software installed on each endpoint (e.g. database server). Agents can determine aspects of the endpoint that cannot be determined remotely, such as an administrator’s access to sensitive data directly from the database console.
  2. Scanning: Interrogating an endpoint over the network through credentialed access.
Included in the Guardium Vulnerability and Threat Management solution are:
  • Database Auto-Discovery performs a network auto-discovery of the database environment and creates a graphical representation of interactions among database clients and servers.
  • Database Content Classifier automatically discovers and classifies sensitive data, such as 16-digit credit card numbers and 9-digit Social Security numbers—helping organizations quickly identify faulty business or IT processes that store confidential data.
  • Database Vulnerability Assessment scans the database infrastructure for vulnerabilities and provides evaluation of database and data security health, with real time and historical measurements.
  • CAS (Configuration Auditing System) tracks all changes to items such as database structures, security and access controls, critical data values, and database configuration files.
  • Compliance Workflow Automation automates the entire compliance process, from assessment and hardening, through activity monitoring and audit reporting, to report distribution and sign-off by key stakeholders.

CAS (Configuration Auditing System) plays an important role in the identification of vulnerabilities and threats. Guardium pre-configured and user-defined CAS templates can be used in assessment tests and bring a holistic view of the customer’s database environment. With CAS, Guardium can identify vulnerabilities to the database at the OS level, such as file permissions, ownership and environment variables. These tests can be seen through the CAS Template Set Definition panel and have the word Assessment in their name.

Note: Vulnerability Assessment (VA) and Configuration Auditing System (CAS) are only supported in English.

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating coverage: if a report incorporates CVE Identifiers, users may quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

Numerous organizations have made their information security products and services CVE compatible by incorporating CVE Identifiers. Guardium constantly monitors the common vulnerabilities and exposures (CVE) published by the MITRE Corporation and adds tests for the relevant database-related vulnerabilities.

To aid in finding individual vulnerabilities while viewing the CVE names for a specific database, when configuring tests through the Security Assessment Builder you can select the CVE radio button for the desired database and then select and add the appropriate CVE identifier. Additional information can always be found in the master copy of the CVE list maintained by the MITRE Corporation.

To keep CVEs current within the Guardium solution, Guardium downloads the most current CVE database and uses it to populate a database table with all current CVE entries and candidates. Guardium then programmatically compares the downloaded CVE data with the CVE data already in the Guardium Vulnerability Assessment repository, producing a list of new CVEs for review. The Guardium Database Security Team then manually reviews these candidates for the Guardium Vulnerability Knowledgebase, tests them and adds the relevant ones to the GA Guardium Vulnerability Assessment Knowledgebase. These tests are tagged with the appropriate CVE number, and once in the GA repository, they can be run automatically using the Guardium Vulnerability Assessment application.

Note:
  • For both Vulnerability Assessments and Entitlements Reporting, when looking for scripts to grant privileges for entitlement reporting, use scripts in the gdmmonitor_scripts directory. Do not use the entitlement_monitor_role folder, which is no longer updated.
  • When using an expiring product license key, or a license with a limited number of datasources, the following message may appear: Cannot add datasource. The maximum number of datasources allowed by license has been reached. The License valid until date and Number of datasources can be seen on the System Configuration panel of the Administrator Console. A Vulnerability or Classification process with N datasources is counted as N scans every time it runs.

  • Guardium Vulnerability Assessment requires access to the databases it evaluates. To provide this, Guardium supplies a set of SQL scripts (one script for each database type) that create the users and roles in the database to be used by Guardium.

    The template scripts are available on the Guardium system once it is built and can be found and downloaded via fileserver at the following path: /log/debug-logs/gdmmonitor_scripts/. More information is available in the README.txt file.

Guardium Vulnerability Assessment Test Exceptions

The Guardium vulnerability assessment test exception groups are pre-populated with the default members, schema, objects, or privileges created when a database is installed. Use these groups to avoid false-positives when running vulnerability assessments. If an assessment fails, link the appropriate exception group to the test to exclude the default members and run the test again: if the test now runs without violations, this indicates that the initial violations were due to the default members, schema, objects, or privileges created when the database was installed.

Table 1. VA groups to test mapping

Group ID | Group Name | Test Name | Test ID | Database Type
82 | Sybase Allowed Grants to Public | No Non-Exempt Public Privileges | 61 | SYBASE ASE
83 | MS-SQL Allowed Grants to Public | No Non-Exempt Public Privileges | 270 | MSSQL
115 | DB2 Allowed Grants to Public | No Public Object Privileges | 105 | DB2 LUW
144 | DB2 Allowed Grants to Public non-restrictive | No Public Object Privileges | 105 | DB2 LUW
116 | Teradata Allowed Grants to Public | Object privileges granted to public | 2029 | TERADATA
117 | PostgreSQL Allowed Grants to Public | Objects privileges granted to PUBLIC | 315 | POSTGRESQL
118 | Netezza Allowed Grants to Public | Object privileges granted to public (Netezza) | 2053 | NETEZZA
65 | MS-SQL Database Administrators | Only DBAs In Fixed Server Roles | 159 | MSSQL
165 | Oracle Only DBA Access To SYS.USER$ | Only DBA Access To SYS.USER$ | 222 | ORACLE
166 | MS-SQL DDL granted to user | DDL granted to user | 321 | MSSQL
167 | MS-SQL Procedures granted to users | Procedures granted to users | 322 | MSSQL
168 | MS-SQL No Individual User Privileges | No Individual User Privileges | 154 | MSSQL
170 | Sybase IQ Procedures and functions granted to PUBLIC | Procedures and functions granted to PUBLIC. | 2230 | SYBASE IQ
171 | Sybase IQ No individual procedures or functions privileges | No individual procedures or functions privileges. | 2227 | SYBASE IQ
172 | MS-SQL No Access to Registry Access Extended procedures | No Access to Registry Access Extended procedures | 215 | MSSQL
173 | MS-SQL Role granted to role | Role granted to role | 323 | MSSQL
185 | MS-SQL Access to server level permissions granted to non-Database Administrators | Access to server level permissions granted to non-Database Administrators | 2289 | MSSQL
186 | MS-SQL MSDB database Role Members Privilege | MSDB database Role Members Privilege | 2296 | MSSQL
48 | DB2 Database Version+Patches | Version: DB2 | 16 | DB2 LUW
48 | DB2 Database Version+Patches | DB2 Patch Level | 54 | DB2 LUW
49 | Informix Database Version+Patches | Version: Informix | 17 | INFORMIX
49 | Informix Database Version+Patches | Informix Patch Level | 55 | INFORMIX
50 | MS Sql Server Database Version+Patches | Version: Microsoft SQL Server | 18 | MSSQL
50 | MS Sql Server Database Version+Patches | Microsoft SQL Server Patch Level | 56 | MSSQL
51 | MySql Database Version+Patches | Version: MySql | 19 | MYSQL
51 | MySql Database Version+Patches | MySql Patch Level | 57 | MYSQL
52 | Oracle Database Version+Patches | Oracle Patch Level | 58 | ORACLE
52 | Oracle Database Version+Patches | Version: Oracle | 20 | ORACLE
53 | Sybase Database Version+Patches | Version: Sybase | 21 | SYBASE ASE
53 | Sybase Database Version+Patches | Sybase Patch Level | 59 | SYBASE ASE
109 | Teradata PDE Version+Patches | Version: Teradata PDE | 284 | TERADATA
109 | Teradata PDE Version+Patches | Teradata PDE Patch level | 286 | TERADATA
110 | Teradata TDBMS Version+Patches | Teradata TDBMS Patch level | 287 | TERADATA
110 | Teradata TDBMS Version+Patches | Version: Teradata TDBMS | 285 | TERADATA
111 | Teradata TDGSS Version+Patches | Version: Teradata TDGSS | 290 | TERADATA
111 | Teradata TDGSS Version+Patches | Teradata TDGSS Patch Level | 288 | TERADATA
112 | Teradata TGTW Version+Patches | Version: Teradata TGTW | 291 | TERADATA
112 | Teradata TGTW Version+Patches | Teradata TGTW Patch Level | 289 | TERADATA
113 | Netezza Version+Patches | Netezza version level | 306 | NETEZZA
113 | Netezza Version+Patches | Netezza patch level | 307 | NETEZZA
114 | Postgress Version+Patches | PostGreSQL version level | 308 | POSTGRESQL
114 | Postgress Version+Patches | PostGreSQL patch level | 309 | POSTGRESQL
169 | SybaseIQ Database Version+Patches | Version: Sybase IQ | 377 | SYBASE IQ
169 | SybaseIQ Database Version+Patches | Sybase IQ Patch Level | 378 | SYBASE IQ
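The following is an added illustration, not Guardium's own test SQL, of what a "PUBLIC object privileges" check such as the PostgreSQL test listed above looks like when run directly against a PostgreSQL 10 or later database, and of how an exception group narrows the result. The exempt schema list is a constructed stand-in for the default members that the "PostgreSQL Allowed Grants to Public" exception group carries.

```sql
-- Added example (not Guardium's own test SQL). Assumes PostgreSQL 10+ and a
-- connection with enough rights to read information_schema.
-- information_schema.table_privileges reports PUBLIC as a grantee named
-- 'PUBLIC', so the raw finding of the test is simply:

-- 1. Raw finding: every table/view privilege granted to PUBLIC.
--    On a fresh install this already lists the pg_catalog and
--    information_schema objects, which is the false-positive noise the
--    exception group exists to remove.
SELECT table_schema, table_name, privilege_type
FROM   information_schema.table_privileges
WHERE  grantee = 'PUBLIC'
ORDER  BY table_schema, table_name, privilege_type;

-- 2. Same check with the default members excluded. The CTE plays the role
--    of the exception group; the two schema names are a constructed sample
--    of what such a group would contain.
WITH exempt_schemas(nspname) AS (
    VALUES ('pg_catalog'), ('information_schema')
)
SELECT g.table_schema, g.table_name, g.privilege_type
FROM   information_schema.table_privileges AS g
WHERE  g.grantee = 'PUBLIC'
AND    g.table_schema NOT IN (SELECT nspname FROM exempt_schemas)
ORDER  BY 1, 2, 3;

-- 3. Routines need the same treatment: PostgreSQL grants EXECUTE on new
--    functions to PUBLIC by default, so only grants in user schemas are
--    worth a finding.
SELECT r.routine_schema, r.routine_name, r.privilege_type
FROM   information_schema.routine_privileges AS r
WHERE  r.grantee = 'PUBLIC'
AND    r.routine_schema NOT IN ('pg_catalog', 'information_schema')
ORDER  BY 1, 2, 3;
```

If query 1 reports violations and query 2 reports none, the violations came from default objects, which is exactly the conclusion the exception-group workflow above is meant to support.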

MongoDB

Developed in 2007, MongoDB is a NoSQL, document-oriented database. MongoDB uses JSON documents with dynamic schemas (stored in a binary format called BSON). In MongoDB, a collection is the equivalent of an RDBMS table, while documents are equivalent to records in an RDBMS table.

MongoDB is the largest and fastest-growing NoSQL database system. It tends to be used as an operational system and as a backend for web applications because of the ease of programming against non-relationally formatted data, such as the JSON documents often found in web applications.

  • First NoSQL database supported for Guardium Vulnerability Assessment (VA)

  • First non-JDBC database connection. Connection uses a Java driver.

  • MongoDB data sources support SSL server and client/server connections with SSL client certificates.

  • Guardium's VA solution for MongoDB Clusters can be run on mongos, a primary node and all secondary nodes for replica sets.

  • Entitlement reports and Query Based Builder are not supported for MongoDB.

MongoDB Datasource with SSL

You can import the server certificate; for self-signed certificates, Guardium does this behind the scenes. Customers can also import their own certificates. Certificates also work on the central manager and are pushed down to collectors.

CAS for MongoDB

The Mongo CAS Assessment template allows you to specify multiple paths in the datasource to scan various components of the file system.

Teradata Aster

Aster Data

Aster Data was acquired by Teradata in 2011 and is typically used for data warehousing and analytic applications (OLAP). Aster Data created a framework called SQL-MapReduce that allows the Structured Query Language (SQL) to be used with MapReduce. It is most often associated with clickstream kinds of applications.

A security assessment should be created to execute all tests on the queen node. All database connections for Aster Data go through the queen node only.

Testing on worker and loader nodes is only required when performing CAS tests (File permission and File ownership).

Privilege tests loop through all the databases in a given Aster instance.

SAP HANA

SAP HANA is an in-memory, column-oriented, relational database management system developed and marketed by SAP SE. HANA's architecture is designed to handle both high transaction rates and complex query processing on the same platform.