Introducing Guardium Vulnerability Assessment

Guardium Vulnerability Assessment enables you to identify and correct security vulnerabilities in your database infrastructure.

Database Vulnerability Assessment is used to scan the database infrastructure for vulnerabilities and provide evaluation of database and data security health, with real time and historical measurements.

Vulnerability Assessment uses three types of artifacts:
Test
A test checks the database environment for vulnerabilities for a particular threat or area of concern.
Assessment
An assessment is a job that includes a set of tests that are run together.
Data source
The source of data itself, such as a database or XML file, and the connection information necessary for accessing the data.
The Guardium® Vulnerability Assessment application enables organizations to identify and address database vulnerabilities in a consistent and automated fashion. Guardium’s assessment process evaluates the health of your database environment and recommends improvements by:
  • Assessing system configuration against best practices and finding vulnerabilities or potential threats to database resources, including configuration and behavioral risks; for example, identifying all default accounts that have not been disabled, and checking public privileges and the authentication methods chosen.
  • Finding any inherent vulnerabilities present in the IT environment, such as missing security patches.
  • Recommending and prioritizing an action plan based on the discovered areas of most critical risk and vulnerability. The generated reports and recommendations provide guidelines on how to meet compliance changes and elevate the security of the evaluated database environment.
Guardium’s Database Vulnerability Assessment combines two essential testing methods to guarantee full depth and breadth of coverage. It leverages multiple sources of information to compile a full picture of the security health of the database and data environment.
  1. Agent-based: uses software installed on each endpoint (for example, a database server). Agents can determine aspects of the endpoint that cannot be determined remotely, such as an administrator’s access to sensitive data directly from the database console.
  2. Scanning: interrogates an endpoint over the network through credentialed access.
Included in the Guardium Vulnerability and Threat Management solution are:
  • Database Auto-Discovery performs a network auto-discovery of the database environment and creates a graphical representation of the interactions among database clients and servers.
  • Database Content Classifier automatically discovers and classifies sensitive data, such as 16-digit credit card numbers and 9-digit Social Security numbers—helping organizations quickly identify faulty business or IT processes that store confidential data.
  • Database Vulnerability Assessment scans the database infrastructure for vulnerabilities and provides evaluation of database and data security health, with real time and historical measurements.
  • CAS (Configuration Auditing System) tracks all changes to items such as database structures, security and access controls, critical data values, and database configuration files.
  • Compliance Workflow Automation automates the entire compliance process, from assessment and hardening through activity monitoring to audit reporting, report distribution, and sign-off by key stakeholders.

CAS (Configuration Auditing System) plays an important role in the identification of vulnerabilities and threats. Guardium pre-configured and user-defined CAS templates can be used in assessment tests and bring a holistic view of the customer’s database environment. With CAS, Guardium can identify vulnerabilities to the database at the OS level, such as file permissions, ownership, and environment variables. These tests can be seen through the CAS Template Set Definition panel and have the word Assessment in their name.

Note: Configuration Auditing System (CAS) is only supported in English.

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (that is, CVE Identifiers) for publicly known information security vulnerabilities. CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating coverage: if a report incorporates CVE Identifiers, users can quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

Numerous organizations have made their information security products and services CVE compatible by incorporating CVE Identifiers. Guardium constantly monitors the common vulnerabilities and exposures (CVE) published by the MITRE Corporation and adds tests for the relevant database-related vulnerabilities.

To help find individual vulnerabilities while viewing the CVE names for specific databases, the user, when configuring tests through the Security Assessment Builder, can select the CVE radio button for the desired database and then select and add the appropriate CVE identifier. Additional information can always be found in the master copy of the CVE list maintained by the MITRE Corporation.

To keep CVEs current within the Guardium solution, Guardium downloads the most current CVE database and uses it to populate a database table with all current CVE entries and candidates. Guardium then programmatically compares the downloaded CVE data with the CVE data already in the Guardium Vulnerability Assessment repository, producing a list of new CVEs for review. The Guardium Database Security Team then manually reviews these candidates for the Guardium Vulnerability Knowledgebase, tests them, and adds the relevant ones to the GA Guardium Vulnerability Assessment Knowledgebase. These tests are tagged with the appropriate CVE number, and once they are in the GA repository, they can be run automatically by the Guardium Vulnerability Assessment application.
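The reconciliation step described above (new feed entries minus what the repository already holds, narrowed to database-related items for review), as an added example that is not Guardium code: the feed layout, the placeholder CVE identifiers and the keyword filter are all constructed assumptions.

```python
"""Added example: reconcile a downloaded CVE feed against an existing VA
knowledgebase and list new, database-related candidates for manual review.
Not Guardium code; feed format, IDs and keywords are constructed."""
import json
import re

# Constructed sample of a downloaded feed (placeholder IDs, not real CVEs).
CVE_FEED_JSON = json.dumps([
    {"id": "CVE-0000-0001", "description": "Privilege escalation in ExampleDB SQL engine."},
    {"id": "CVE-0000-0002", "description": "Buffer overflow in ExampleWebServer HTTP parser."},
    {"id": "CVE-0000-0003", "description": "Authentication bypass in a MongoDB-style database."},
    {"id": "CVE-0000-0004", "description": "Improper access control in ExampleDB JDBC driver."},
    {"id": "not-a-cve", "description": "Malformed record that must be rejected."},
])

# IDs already present in the (constructed) VA knowledgebase repository.
EXISTING_REPOSITORY = {"CVE-0000-0001"}

# Keywords used to keep only database-related entries (an assumption of this example).
DATABASE_KEYWORDS = ("database", "sql", "jdbc", "mongodb", "oracle", "db2")

def load_feed(feed_json):
    """Parse the feed into {id: description}, skipping malformed identifiers."""
    entries = {}
    for item in json.loads(feed_json):
        cve_id = item.get("id", "")
        if not re.fullmatch(r"CVE-\d{4}-\d{4,}", cve_id):
            continue  # never import records whose identifier is not a CVE ID
        entries[cve_id] = item.get("description", "")
    return entries

def is_database_related(description):
    """Crude relevance filter: keep entries whose text mentions a database keyword."""
    text = description.lower()
    return any(keyword in text for keyword in DATABASE_KEYWORDS)

def new_candidates(feed_entries, repository_ids):
    """Return sorted (id, description) pairs that are not yet in the repository
    and look database-related; this is the list handed to the review step."""
    return sorted(
        (cve_id, desc) for cve_id, desc in feed_entries.items()
        if cve_id not in repository_ids and is_database_related(desc)
    )
```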

Note:
  • For both Vulnerability Assessments and Entitlements Reporting, when looking for scripts to grant privileges for entitlement reporting, use scripts in the gdmmonitor_scripts directory. Do not use the entitlement_monitor_role folder, which is no longer updated.
  • When using an expiring product license key, or a license with a limited number of datasources, the following message may appear: Cannot add datasource. The maximum number of datasources allowed by license has been reached. The License valid until date and Number of datasources can be seen on the System Configuration panel of the Administrator Console. A Vulnerability or Classification process with N datasources is counted as N scans every time it runs.

  • Guardium Vulnerability Assessment requires access to the databases it evaluates. To provide this access, Guardium supplies a set of SQL scripts (one script for each database type) that create the users and roles in the database to be used by Guardium.

    The template scripts are available on the Guardium system once it is built and can be found and downloaded via fileserver at the following path: /log/debug-logs/gdmmonitor_scripts/. More information is available in the README.txt file.

Guardium Vulnerability Assessment Test Exceptions

The Guardium vulnerability assessment test exception groups are prepopulated with the default members, schema, objects, or privileges created when a database is installed. Use these groups to avoid false positives when running vulnerability assessments. If an assessment fails, link the appropriate exception group to the test to exclude the default members and run the test again: if the test now runs without violations, the initial violations were due to the default members, schema, objects, or privileges created when the database was installed.
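The procedure above (run the test, link an exception group of install-time defaults, run again and compare), as an added example that is not Guardium code: the public-privilege test, the grant rows and the exception group members are constructed for illustration.

```python
"""Added example: a privilege test run with and without an exception group of
default objects, mirroring the false-positive triage described above.
Not Guardium code; grants and group members are constructed samples."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    grantee: str
    privilege: str
    obj: str

# Constructed snapshot of grants to PUBLIC, as a privilege test might read them.
GRANTS = [
    Grant("PUBLIC", "SELECT", "SYS.DUAL"),           # created at install
    Grant("PUBLIC", "EXECUTE", "SYS.DBMS_OUTPUT"),   # created at install
    Grant("PUBLIC", "SELECT", "HR.EMPLOYEES"),       # granted later by a DBA
]

# Constructed exception group: default objects created when the database was installed.
DEFAULT_PUBLIC_OBJECTS = frozenset({"SYS.DUAL", "SYS.DBMS_OUTPUT"})

def public_privilege_test(grants, exception_group=frozenset()):
    """Return (passed, violations). A violation is any grant to PUBLIC on an
    object that is not a member of the linked exception group."""
    violations = [g for g in grants
                  if g.grantee == "PUBLIC" and g.obj not in exception_group]
    return (len(violations) == 0, violations)

def triage(grants, exception_group):
    """Run the test without the group, then with it linked, and report whether
    the original violations are fully explained by install-time defaults."""
    passed_plain, initial = public_privilege_test(grants)
    passed_with_group, remaining = public_privilege_test(grants, exception_group)
    return {
        "initial_violations": len(initial),
        # Anything still flagged was not created at install and needs a real look.
        "remaining_violations": [g.obj for g in remaining],
        "explained_by_defaults": (not passed_plain) and passed_with_group,
    }
```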

For more information, see Test Exceptions.

MongoDB

Developed in 2007, MongoDB is a NoSQL, document-oriented database. MongoDB uses JSON-style documents with dynamic schemas, stored in a binary format called BSON. In MongoDB, a collection is the equivalent of an RDBMS table, and documents are the equivalent of records in an RDBMS table.

MongoDB is the largest and fastest growing NoSQL database system. It tends to be used as an operational system and as a backend for web applications because of the ease of programming with non-relational data, such as the JSON documents that are often found in web applications.

  • First NoSQL database supported for Guardium Vulnerability Assessment (VA)

  • First non-JDBC database connection. Connection uses a Java driver.

  • MongoDB data sources support SSL server and client/server connections with SSL client certificates.

  • Guardium's VA solution for MongoDB Clusters can be run on mongos, a primary node and all secondary nodes for replica sets.

  • Entitlement reports and Query Based Builder are not supported for MongoDB.

MongoDB Datasource with SSL

The server certificate can be imported; for self-signed certificates, Guardium does this behind the scenes. Customers can also import their own certificates. Certificates also work on a central manager and are pushed down to the collectors.

CAS for MongoDB

The Mongo CAS Assessment template allows you to specify multiple paths in the datasource to scan various components of the file system.

Teradata Aster

Aster Data

Aster Data was acquired by Teradata in 2011 and is typically used for data warehousing and analytic applications (OLAP). Aster Data created a framework called SQL-MapReduce that allows the Structured Query Language (SQL) to be used with MapReduce. It is most often associated with clickstream kinds of applications.

A security assessment should be created to execute all tests on the queen node. All database connections for Aster Data go through the queen node only.

Testing on worker and loader nodes is only required when performing CAS tests (File permission and File ownership).
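The OS-level CAS checks mentioned here and in the CAS overview (file permission and file ownership across several configured paths, as the multi-path CAS template allows), as an added example that is not Guardium code: the template layout, the sample files and the allowed modes are constructed for illustration.

```python
"""Added example: a CAS-style OS-level test that checks file permission and
ownership for each path in a multi-path template. Not Guardium code; the
template format and the sample files are constructed."""
import os
import stat
import tempfile

def check_path(path, max_mode, expected_uid):
    """Findings for one path: permission bits beyond max_mode, or wrong owner."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~max_mode:
        findings.append(f"{path}: mode {mode:04o} exceeds allowed {max_mode:04o}")
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {expected_uid}")
    return findings

def run_template(template):
    """template: list of {path, max_mode, owner_uid}; returns (passed, findings).
    A missing path is reported rather than silently skipped."""
    findings = []
    for entry in template:
        if not os.path.exists(entry["path"]):
            findings.append(f"{entry['path']}: missing")
            continue
        findings.extend(check_path(entry["path"], entry["max_mode"], entry["owner_uid"]))
    return (len(findings) == 0, findings)

def demo():
    """Create constructed sample files in a temp dir and run a three-path template."""
    d = tempfile.mkdtemp()
    conf = os.path.join(d, "mongod.conf")
    keyfile = os.path.join(d, "keyfile")
    with open(conf, "w") as f:
        f.write("# constructed sample config\n")
    with open(keyfile, "w") as f:
        f.write("constructed sample key material\n")
    os.chmod(conf, 0o640)     # within the allowed mode below
    os.chmod(keyfile, 0o644)  # world-readable: must be flagged
    me = os.getuid()
    template = [
        {"path": conf, "max_mode": 0o640, "owner_uid": me},
        {"path": keyfile, "max_mode": 0o600, "owner_uid": me},
        {"path": os.path.join(d, "absent.conf"), "max_mode": 0o600, "owner_uid": me},
    ]
    return run_template(template)
```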

Privilege tests loop through all the databases in a given Aster’s instance.

SAP HANA

SAP HANA is an in-memory, column-oriented, relational database management system developed and marketed by SAP SE. HANA's architecture is designed to handle both high transaction rates and complex query processing on the same platform.