Enable a group of users to run vulnerability assessments,
and configure and run the tests.
About this task
Deployment Steps
- Vulnerability Assessment is deployed from the Guardium system.
- The user runs a Guardium-supplied script against the target database to create a role with the
appropriate privileges, then creates a datasource connection to the database.
- Create a security assessment, then select your datasources and desired tests to execute.
- When execution completes, a report is created showing which tests passed or failed,
along with detailed hardening recommendations.
IBM for i version support:
- IBM for i 6.1, 7.1 and 7.2 partitions
- VA test coverage (115 tests in total):
  - Profiles with Special Authorities
  - Profiles with access to Database Function Usage
  - Password policies
  - Database Objects privilege granted to PUBLIC
  - Database Objects privilege granted to individual user
  - Database Objects privilege granted with grant option
  - Security APARs
- Entitlement Reports:
  - Profiles with Special Authorities
  - Group granted to user
  - Database Objects privilege granted to PUBLIC
  - Database Executable Objects privileges granted to PUBLIC
  - Database Objects privilege granted to individual user
  - Database Objects privilege granted with grant option
Procedure
- Use the Group Builder to create a group of the users that you want to be able to use VA.
Open the Group Builder by clicking .
The next step uses a script written for a group named gdmmonitor.
- Run the following script on your Db2 for i system to grant the group the privileges needed
to execute VA. This is done outside the Guardium system, using a native database client.
grant select on SYSIBMADM.FUNCTION_INFO to gdmmonitor;
grant select on SYSIBMADM.FUNCTION_USAGE to gdmmonitor;
grant select on SYSIBMADM.GROUP_PROFILE_ENTRIES to gdmmonitor;
grant select on SYSIBMADM.SYSTEM_VALUE_INFO to gdmmonitor;
grant select on SYSIBMADM.USER_STORAGE to gdmmonitor;
grant select on QSYS2.AUTHORIZATIONS to gdmmonitor;
grant select on SYSIBMADM.USER_INFO to gdmmonitor;
grant select on QSYS2.SYSSCHEMAAUTH to gdmmonitor;
grant select on QSYS2.SYSTABAUTH to gdmmonitor;
grant select on QSYS2.SYSPACKAGEAUTH to gdmmonitor;
grant select on QSYS2.SYSROUTINEAUTH to gdmmonitor;
grant select on QSYS2.SYSSEQUENCEAUTH to gdmmonitor;
grant select on QSYS2.SYSCOLAUTH to gdmmonitor;
For IBM Db2 for i v7.1 and higher, also run the following statements:
grant select on QSYS2.SYSVARIABLEAUTH to gdmmonitor;
grant select on QSYS2.SYSXSROBJECTAUTH to gdmmonitor;
- Create a JDBC connection to your Db2 for i system. To open the Select datasource
window, browse to . Click to create a new datasource, and select Security
Assessment as the application type. For more information, see Creating a datasource definition.
- Click New and enter the appropriate information. For Connection Property, enter:
property1=com.ibm.as400.access.AS400JDBCDriver;translate binary=true
- Create an assessment using the Assessment Builder.
Open the Assessment Builder by clicking .
- Enter a description for the assessment.
- To add the datasource created in the previous step, click Add Datasource,
select the datasource in the Select datasource window, and then click Save.
Note: You must click Apply to save the assessment before you can configure
tests.
- Add tests to the assessment by clicking Configure
Tests. Click the IBM for i tab,
select the tests that you want to add, and click Add Selections.
- Click Return to go back to the Security Assessment Finder. Run the test by clicking
Run Once Now, or schedule the test using the Audit Process Builder. Open the Audit Process
Builder by clicking .
- Click View Results to view the details
of all the executed tests, including recommendations for improving
your score.
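The grant script in step 2 creates a read-only footprint for the gdmmonitor group, and a failed assessment run is often just an incomplete or over-broad set of grants. The following verification queries are an added example, not part of the Guardium-supplied script; they assume the QSYS2.SYSTABAUTH catalog view exposes the columns GRANTEE, TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE and IS_GRANTABLE, and that the group name was created unquoted (so the catalog stores it as GDMMONITOR):

```sql
-- Added verification queries; not part of the Guardium-supplied script.
-- Assumes the QSYS2.SYSTABAUTH catalog view with the columns GRANTEE,
-- TABLE_SCHEMA, TABLE_NAME, PRIVILEGE_TYPE and IS_GRANTABLE.
-- The unquoted name gdmmonitor in the GRANT statements is folded to
-- upper case, so the catalog stores the grantee as GDMMONITOR.

-- 1. Missing grants: every view the script should have covered that the
--    group does not hold SELECT on. An empty result means the script
--    ran completely (the last two rows only apply to 7.1 and higher).
WITH expected (schema_name, view_name) AS (
  VALUES ('SYSIBMADM', 'FUNCTION_INFO'),
         ('SYSIBMADM', 'FUNCTION_USAGE'),
         ('SYSIBMADM', 'GROUP_PROFILE_ENTRIES'),
         ('SYSIBMADM', 'SYSTEM_VALUE_INFO'),
         ('SYSIBMADM', 'USER_STORAGE'),
         ('SYSIBMADM', 'USER_INFO'),
         ('QSYS2', 'AUTHORIZATIONS'),
         ('QSYS2', 'SYSSCHEMAAUTH'),
         ('QSYS2', 'SYSTABAUTH'),
         ('QSYS2', 'SYSPACKAGEAUTH'),
         ('QSYS2', 'SYSROUTINEAUTH'),
         ('QSYS2', 'SYSSEQUENCEAUTH'),
         ('QSYS2', 'SYSCOLAUTH'),
         ('QSYS2', 'SYSVARIABLEAUTH'),   -- 7.1 and higher
         ('QSYS2', 'SYSXSROBJECTAUTH')   -- 7.1 and higher
)
SELECT e.schema_name, e.view_name
  FROM expected e
  LEFT JOIN QSYS2.SYSTABAUTH a
         ON a.TABLE_SCHEMA   = e.schema_name
        AND a.TABLE_NAME     = e.view_name
        AND a.GRANTEE        = 'GDMMONITOR'
        AND a.PRIVILEGE_TYPE = 'SELECT'
 WHERE a.GRANTEE IS NULL
 ORDER BY e.schema_name, e.view_name;

-- 2. Excess privilege: anything beyond read-only access. The script grants
--    plain SELECT only, so a non-SELECT privilege or a grantable one means
--    the group holds more than VA needs and should be revoked.
SELECT a.TABLE_SCHEMA, a.TABLE_NAME, a.PRIVILEGE_TYPE, a.IS_GRANTABLE
  FROM QSYS2.SYSTABAUTH a
 WHERE a.GRANTEE = 'GDMMONITOR'
   AND (a.PRIVILEGE_TYPE <> 'SELECT' OR a.IS_GRANTABLE = 'YES')
 ORDER BY a.TABLE_SCHEMA, a.TABLE_NAME;
```

Run both queries with the same native database client used for the grant script; on a 6.1 partition the two 7.1-only rows are expected to appear in the first result.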
Results
What to do when a test fails?
- If the failure relates to patches, you can patch your database.
- You can reconfigure database parameters to the best-practice recommendation.
- You can revoke object or system privileges that are not required by your applications.
- You can revoke object privileges granted directly to a grantee, grant those privileges to a
role or group instead, and assign the grantee to that role or group.
- You can change password policy settings or change users' default passwords.
- If your application requires a specific grant, you can create an exception group, link it
to the failed test, and re-execute.