Types of vulnerability assessments

Guardium® Vulnerability Assessment provides more than two thousand predefined tests to check database configuration parameters, privileges, and other vulnerabilities. Some tests can also be customized to meet specific requirements.

Vulnerability assessment test types

A vulnerability assessment can contain predefined tests, custom tests, or both.

Predefined tests are designed to illustrate common vulnerability issues that might be encountered in database environments. However, due to the highly variable nature of database applications, some of these tests might be suitable for certain databases but totally inappropriate for others, even if they are within the same organization.

With Guardium Vulnerability Assessment, you can customize some of the predefined tests to meet specific requirements of your organization. Additionally, to keep your assessments current with industry best practices and to protect against newly discovered vulnerabilities, new tests are distributed on a quarterly basis through the Guardium Database Protection Service (DPS). For more information, see Installing IBM Guardium Database Protection Service updates.

Predefined tests include Privilege, Authentication, Configuration, Version, CVE, Security APAR, Query-based, and CAS-based tests. Query-based and CAS-based tests can also be customized.

Categories of tests

The current test categories, with some high-level tests for security-related vulnerabilities in each, include:
  • Privilege
    • Object creation/usage rights
    • Privilege grants to DBA and individual users
    • System-level rights
  • Authentication
    • User account usage
    • Remote login usage
    • Password regulations
  • Configuration
    • Database-specific parameter settings
    • System-level parameter settings
  • Version
    • Database versions
    • Database patch levels
  • Other
    • Installed sample databases
    • File ownership
    • File permissions

CVE tests

Guardium constantly monitors the Common Vulnerabilities and Exposures (CVE) system from The MITRE Corporation and adds tests for the relevant database-related vulnerabilities.

Security APAR tests

Guardium adds predefined security Authorized Program Analysis Report (APAR) tests to monitor relevant database-related vulnerabilities.

Query-based tests

A query-based test is either a predefined test or a custom test, which can be quickly and easily created by defining your own test criteria. See Defining a query-based test for additional information on building a custom query-based test.

CAS-based tests

A CAS-based test is either a predefined or custom test that is based on a Configuration Auditing System (CAS) template item of type OS Script command and uses CAS-collected data.

Users can specify the template item and test it against the contents of the CAS results. See Create a New Template Set for assistance on creating an OS Script type CAS template.

Guardium is preconfigured with some CAS template items of type OS Script that can be used for creating a CAS-based test. These can be accessed through the CAS Template Set Definition panel, in template sets whose names contain the word Assessment. For instance, the UNIX®/Oracle set for assessments is named Guardium UNIX/Oracle Assessment. Additionally, any template added that involves file permissions will also be used for permission and ownership checking. To view these template sets and their items of type OS Script, see Modify a Template Set.

Both predefined and custom tests can be selected during the creation or modification of CAS-based tests. For more information, see Defining a CAS-based test.