Product Guide
McAfee Vulnerability Manager for
Databases 5.1.0
For use with ePolicy Orchestrator 4.6.0-5.1.0 Software
COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.
TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy
Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource,
VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other
names and brands may be claimed as the property of others.
Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents
1 Introduction
   Key features
   How McAfee Vulnerability Manager for Databases works
   Supported databases
   Deployment
2 Installation
   Install the extension
   Install the license
   Features added to the ePolicy Orchestrator environment
   Uninstall the extension
3 Database configuration
   Overview
   Add a DBMS to the System Tree
   Import a DBMS into the System Tree
   Edit DBMS name and description
   Edit the DBMS advanced properties
   Remove a DBMS from the System Tree
   Scan engine
   Manage credentials
      Edit DBMS credentials
      Edit operating system credentials
      Edit tunnel properties
   Manage credential sets
      Overview
      Add a credential set
      Edit credential set metadata
      Add credentials to a credential set
      Edit the credentials in a credential set
      Delete credentials from a credential set
      Delete a credential set
      Edit the DBMS credential set
   Enable or disable operating system checks
   Password check exclusions
      Exclude users from password checks
      Include users in password checks
4 Database vulnerability checks
   Overview
   View the database vulnerability checks list
   View database vulnerability check details
   Add a custom database vulnerability check
   Delete a custom database vulnerability check
   Edit database vulnerability checks
   Edit database vulnerability check metadata
   Export database vulnerability checks
   Import database vulnerability checks
   Reset predefined database vulnerability checks
   Custom check syntax examples
5 Database vulnerability scans
   Define a database vulnerability scan
   Assign DBMS groups and DBMSs to DVM scans
   Schedule a database vulnerability scan
   Remove a database vulnerability scan from the schedule
   Run a database vulnerability scan manually
   Delete a database vulnerability scan
   View DVM scan results
   View the DVM Events list
   View DVM event details
   Dashboards and monitors for Vulnerability Manager for Databases
   Queries and reports for McAfee Vulnerability Manager for Databases
      Custom queries and reports
Index
1
Introduction
McAfee® Vulnerability Manager for Databases is an enterprise-level security scanner for database
management systems (DBMSs). This product evaluates risk from all known threats and classifies them
into distinct priority levels, provides fix scripts, and includes recommendations.
With McAfee Vulnerability Manager for Databases, you can run scheduled and on-demand scans that
use credentialed database-security checks based on the knowledge of industry leading experts. The
software contains several predefined reports on the database security configuration to meet the
requirements of internal and external auditors. You can also create custom checks and reports to tailor
the product to your own environment.
McAfee Vulnerability Manager for Databases is an extension for use with McAfee® ePolicy Orchestrator
(McAfee ePO™) software 4.6 or later. After installing the extension, McAfee Vulnerability Manager for
Databases is available from the McAfee ePO console.
Contents
Key features
How McAfee Vulnerability Manager for Databases works
Supported databases
Deployment
Key features
McAfee Vulnerability Manager for Databases scans multiple databases to identify and evaluate
potential risks to the enterprise's sensitive data.
McAfee Vulnerability Manager for Databases discovers databases on your network and determines if
the latest patches have been applied. It also tests for common weaknesses such as weak passwords,
default accounts, and other common threats. McAfee Vulnerability Manager for Databases conducts
more than 4,000 vulnerability checks against leading database systems, including Oracle, SQL Server,
IBM DB2, PostgreSQL, Azure SQL, and MySQL. It provides:
• Visibility into database vulnerabilities — By improving visibility into database vulnerabilities and
providing expert recommendations for remediation, McAfee Vulnerability Manager for Databases
reduces the likelihood of a damaging breach, and saves money through better preparation for audits
and compliance with regulatory mandates.
• Risk evaluation — McAfee Vulnerability Manager for Databases evaluates risk from all known threat
vectors. It clearly classifies threats into distinct priority levels, provides fix scripts, and includes
recommendations.
• High-speed, high-efficiency password checking — McAfee Vulnerability Manager for Databases
offers the fastest weak password detection methods available, flagging accounts with simple
passwords, default passwords, and shared passwords.
How McAfee Vulnerability Manager for Databases works
As soon as the extension for McAfee Vulnerability Manager for Databases is installed, the McAfee ePO
server can connect directly to the databases using JDBC, and to the underlying operating systems
using DCOM or SSH.
Using the appropriate credentials, the product runs checks against the databases (using SQL queries)
and their underlying operating systems (using shell scripts). All results are transferred back to the
McAfee ePO back-end database where they can be queried and added to reports.
Database vulnerability checks and scans
A database vulnerability scan comprises a set of checks that are run against specific databases to
identify specific conditions or vulnerabilities.
Checks are organized in categories, groups, and severity levels so that you can tailor the scans to
meet your security needs. In addition to using predefined checks, you can also define custom checks.
You define the checks that are included in a scan, and which databases or database groups to run the
scans on. Scans can be scheduled to run at set intervals or they can be run on demand anytime.
The credentials required to connect to the database for scanning are configured in the McAfee ePO
console, either per database or using credential sets (if credentials are shared among DBMSs).
Use of the terms DBMS (database management system) and database varies according to platform
vendor. In general, DBMS refers to the overall database system, including the data and the
infrastructure around it, whereas database can refer to the data tables only. In this document, the
terms are used interchangeably.
Supported databases
McAfee Vulnerability Manager for Databases can be used to perform vulnerability scans on several
types of databases.
The supported databases include:
• IBM DB2 8.1 or later for Linux, UNIX and Windows
• Microsoft SQL Azure
• Microsoft SQL Server 2000 or later
• MySQL 4.0 or later
• Oracle 8i or later
• PostgreSQL 8.3 or later
• Sybase ASE 12.5 or later
• Teradata v12, v13, v14 — Database discovery, sensitive data discovery, custom checks, and
password cracking
• Informix v10.0, v11.1, v11.5, v11.7 — Database discovery, sensitive data discovery and custom
checks
• SAP HANA v1 — Database discovery, data discovery and custom checks
Deployment
Before the software can access and scan databases, you must install the McAfee Vulnerability Manager
for Databases extension on McAfee ePO and add databases to the System Tree.
Required components
• McAfee ePolicy Orchestrator 4.6 or later
• McAfee Vulnerability Manager for Databases extension
2
Installation
For McAfee Vulnerability Manager for Databases to be used within ePolicy Orchestrator, you must first
download and install the product extension.
Contents
Install the extension
Install the license
Features added to the ePolicy Orchestrator environment
Uninstall the extension
Install the extension
The McAfee Vulnerability Manager for Databases extension installs the Database Security, Advanced
Management, and Help Content extensions.
Before you begin
Back up the McAfee ePO back-end database.
If you previously installed and uninstalled the product extension, you must remove some
files manually. Contact McAfee technical support for details.
Task
For option definitions, click ? in the interface.
1 From the McAfee website, download the McAfee Vulnerability Manager for Databases DBSecurity‑<version><build>.zip file to a temporary location.
2 From the McAfee ePO console, click Menu | Software | Extensions.
3 In the Extensions pane, select Database Security, then click Install Extension.
4 Select DBSecurity‑<version><build>.zip, then click OK.
   The file is automatically extracted.
5 Select the Database Security package for installation, then click OK.
   The installation begins. It might take several minutes to complete.
When the installation is complete, Database Security, Advanced Management, and Help Content appear in the
Extensions list.
We recommend that you add the DVM Checks and DVM Scans shortcut icons to McAfee ePO for easier
navigation during the scan configuration process.
By default, the extension is installed with a 30-day evaluation license. EVAL appears on the shortcut
icons and at the top of the DVM Scans and DVM Checks pages. The evaluation version has several
limitations, including a limit of five check results per DBMS. If you already have a license, we
recommend that you install it now.
Install the license
By default, the extension is installed using an evaluation license. EVAL appears on the shortcut icons
and on the DBMS Scans and DBMS Checks pages. You must install a full license to view the full list of scan
results.
Task
For option definitions, click ? in the interface.
1 Click Menu | Configuration | Server Settings.
2 From the Setting Categories list, select DBMS Vulnerability Manager.
3 Click Browse to locate and select the license key file, then click Open.
4 Click Upload.
The license is installed and the term EVAL is removed from the shortcut icons and the respective
pages. All product functionality is now available.
Features added to the ePolicy Orchestrator environment
The extension adds or uses these features in the ePolicy Orchestrator environment.
Feature: Server tasks
Details: Enables users of the extension to create and schedule DVM scan tasks.

Feature: System Tree
Details: Adds two submenus to the Actions menu in the Systems tab:
• Database Vulnerability — Includes options for adding, importing, and exporting DBMSs,
assigning DBMSs to servers, viewing and updating connection properties, and more.

Feature: Systems submenu
Details: Adds one new option to the Systems submenu:
• Credential Catalog — Manage predefined sets of credentials that can be assigned to
multiple databases.

Feature: Policy submenu
Details: Adds two new options to the Policy submenu:
• DVM Checks — View, add, and edit DVM checks.
• DVM Scans — Define, edit, schedule, and run DVM scans to identify risks and
problems on your DBMSs.

Feature: Reporting submenu
Details: Adds one new option to the Reporting submenu:
• Database Security Events — View events detected by DVM checks and scans.

Feature: Permission sets
Details: Adds these preconfigured user roles:
• Database Security Administrator — By default, the Database Security Administrator can create,
edit, or delete Scheduler tasks and queries. This user can view and edit all DVM
properties, including permission and policy configurations, dashboards, and the
credential catalog. This user can also view, delete, and purge events.
• Database Security Operator — By default, the Database Security Operator can view the System
Tree and all DVM properties, the audit log, credential catalog, and can edit the
dashboards. This user can also view the events in the Threat Event Log.
• Database Security Reviewer — By default, the Database Security Reviewer can view the System
Tree, DVM results, and weak passwords.
Uninstall the extension
You can uninstall the McAfee Vulnerability Manager for Databases extension using the McAfee ePO
console. Uninstalling an extension permanently deletes its data.
McAfee Vulnerability Manager for Databases uses two extensions, the Database Security extension and the
Advanced Management extension. If the Advanced Management extension was installed for use by McAfee
Vulnerability Manager for Databases only, it can be uninstalled together with the Database Security
extension.
Task
For option definitions, click ? in the interface.
1 Click Menu | Software | Extensions.
2 From the Extensions list, select Database Security and the corresponding Help Content extension, then click Remove.
3 When prompted to confirm, click OK.
4 If Database Security was the only product installed that uses the Advanced Management extension, select it from the Extensions list, then repeat steps 2 through 4 to remove the extension.
The DBMS systems are not automatically removed from the System Tree. If necessary, you can delete
them manually.
3
Database configuration
McAfee Vulnerability Manager for Databases can be used to scan the databases configured in the
McAfee ePO System Tree for vulnerabilities and security-related problems.
Contents
Overview
Add a DBMS to the System Tree
Import a DBMS into the System Tree
Edit DBMS name and description
Edit the DBMS advanced properties
Remove a DBMS from the System Tree
Scan engine
Manage credentials
Manage credential sets
Enable or disable operating system checks
Password check exclusions
Overview
McAfee Vulnerability Manager for Databases works within McAfee ePO to remotely connect to and scan
databases and their underlying systems, and run database-level and operating system-level checks.
McAfee Vulnerability Manager for Databases connects directly to the databases using JDBC, and to the
underlying operating systems using DCOM or SSH.
To enable a remote connection, the DBMS must be added to the System Tree as a managed system. No
agent installation is required on the host.
McAfee Vulnerability Manager for Databases runs credentialed checks, so the credentials (user
names, passwords, or certificates) must be stored in the database configuration. The credentials are
used to remotely connect to the DBMS or operating system to perform vulnerability checks.
Add a DBMS to the System Tree
Vulnerability Manager for Databases can be used to scan multiple DBMSs. DBMSs can be added
manually to the configuration or they can be imported from a CSV file.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click the Systems tab.
2 Select Actions | Database Vulnerability | Add DBMS (DVM).
3 From the DBMS Type drop-down list, select the database type (for example, Oracle, MSSQL, MYSQL, SQL Azure, PostgreSQL, or Sybase).
4 In the Host/IP field, enter the name or IP address of the host server, then click Test to verify its validity.
5 In the Port field, enter the port number used to connect to the database. Enter more database properties, such as the SID (Oracle system ID) or instance, if required for the selected database type. Click Test to validate the connection properties.
6 (Optional) In the DBMS Credentials section, select the default set of shared credentials to use to connect to this database.
   The available credential sets are configured in the Credential Catalog.
7 Configure the credentials used to connect to the DBMS in one of the following ways:
   • To use shared credentials from the Credential Catalog to connect to the DBMS, select Credential Set.
   • To use credentials defined for this DBMS only, select Username and Password and enter the user name and password, then click Test Connection to verify their validity.
   The permissions required for the scan vary according to the database type. In most cases, the user requires administrator rights, but does not require write permissions. A DBMS vendor-specific script is provided to enable you to create a user with the minimum required permissions. Click the create scanuser link to download the script. Run the script to create a scan user and enter the resulting user name and password.
8 To enable testing of the operating system, select Enable OS Checks, then configure the credentials used to connect to the operating system:
   • To use shared credentials from the credentials catalog to connect to the operating system, select Use credential set from the credentials repository catalog.
   • To use credentials defined for this DBMS only, select Username and Password, then enter the user name and password.
   • To use a certificate, select Enable Certificate and upload the certificate, then enter the user name and password.
9 Click Test OS Connection to validate the credentials.
10 (Optional) In the Advanced section, configure an alternative JDBC connection string and the connection properties to be used by technical support personnel for troubleshooting or as an alternative connection.
11 (Optional) In the Scan Engine section, configure the scan engine for this database to reduce the load on McAfee ePO.
   a From the Scan Engine drop-down list, select a system where the scan engine is deployed.
   b Click Test Connection.
   If a scan engine is selected, all connection tests on this page are carried out through the McAfee Agent and not through McAfee ePO itself. The name of the engine appears in the Server Task Log when the scan is run.
12 (Optional) To allow connections to the DBMS through tunnels, select Enable Tunnel, then click Configure Tunnel to set the tunnel properties.
13 Click OK.
Import a DBMS into the System Tree
You can import one or more DBMSs into the System Tree using a CSV file.
Before you begin
Prepare a CSV file that includes a line for each DBMS, containing the DBMS properties as a
comma-separated list, in the following format:
NAME,DBTYPE,DBHOST,DBPORT,DBSID,DBUSERNAME,DBPASSWORD,INSTANCE,USEPORT,VA_CON_URL,ENABLE_OS,OS_CON_TYPE,OSUSERNAME,OSPASSWORD,OSPORT,OS_CERTIFICATE,ENABLE_TUNNEL,TUNNEL_HOST,TUNNEL_PORT,TUNNEL_USERNAME,TUNNEL_PASSWORD,TUNNEL_CERTIFICATE,CREDNETIAL_SET,CRED_USE_DB,CRED_USE_OS,CRED_USE_TUNNEL,ADVANCED_PROPS
Include a header or blank line at the beginning of the file, because the import process
imports data starting with the second line of the file.
Task
For option definitions, click ? in the interface.
1 Click Menu | Systems | System Tree, then click the Systems tab.
2 Select Actions | Database Vulnerability | Import DBMS.
3 Select the CSV file containing the DBMS information.
4 Click OK.
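The import file described above carries database, operating system, and tunnel passwords in clear text, and a DBMS record placed on line 1 is skipped by the import. The following Python pre-import audit is an added example, not part of the McAfee guide or product: it checks the 27-column layout, the header-or-blank first line, and port values, flags rows with inline passwords, and produces a masked copy of the file. The sample rows, host names, and field values are constructed, and treating CREDNETIAL_SET as the name of a credential set is an assumption.

```python
import csv
import io

# Column order as printed in this guide (27 fields; CREDNETIAL_SET is spelled
# the way the guide spells it).
COLUMNS = (
    "NAME,DBTYPE,DBHOST,DBPORT,DBSID,DBUSERNAME,DBPASSWORD,INSTANCE,USEPORT,"
    "VA_CON_URL,ENABLE_OS,OS_CON_TYPE,OSUSERNAME,OSPASSWORD,OSPORT,"
    "OS_CERTIFICATE,ENABLE_TUNNEL,TUNNEL_HOST,TUNNEL_PORT,TUNNEL_USERNAME,"
    "TUNNEL_PASSWORD,TUNNEL_CERTIFICATE,CREDNETIAL_SET,CRED_USE_DB,"
    "CRED_USE_OS,CRED_USE_TUNNEL,ADVANCED_PROPS"
).split(",")
PASSWORD_COLUMNS = ("DBPASSWORD", "OSPASSWORD", "TUNNEL_PASSWORD")
PORT_COLUMNS = ("DBPORT", "OSPORT", "TUNNEL_PORT")


def audit_import_csv(text):
    """Return (line_number, message) findings for a DBMS import file."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(1, "file is empty")]
    findings = []
    # The import starts at line 2, so a DBMS record on line 1 is never imported.
    # Assumption: a header row repeats the column names listed above.
    first = [cell.strip() for cell in rows[0]]
    if any(first) and first != COLUMNS:
        findings.append((1, "line 1 is not a header or blank line; the import skips it"))
    for line_no, row in enumerate(rows[1:], start=2):
        if not any(cell.strip() for cell in row):
            continue  # blank line, nothing to check
        if len(row) != len(COLUMNS):
            findings.append((line_no, f"expected {len(COLUMNS)} fields, found {len(row)}"))
            continue
        record = dict(zip(COLUMNS, (cell.strip() for cell in row)))
        for col in PORT_COLUMNS:
            value = record[col]
            if value and not (value.isascii() and value.isdigit()
                              and 1 <= int(value) <= 65535):
                findings.append((line_no, f"{col} is not a valid port: {value!r}"))
        inline = [col for col in PASSWORD_COLUMNS if record[col]]
        if inline:
            hint = "" if record["CREDNETIAL_SET"] else "; no credential set named"
            findings.append((line_no, "plaintext password in " + ", ".join(inline) + hint))
    return findings


def redact(text):
    """Return a copy of the file with password fields masked."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        if not row or row == COLUMNS:
            writer.writerow(row)  # blank line or header: nothing secret
        elif len(row) != len(COLUMNS):
            # Field positions are unknown, so the whole row is withheld.
            writer.writerow(["<malformed row withheld>"])
        else:
            writer.writerow(["***" if col in PASSWORD_COLUMNS and cell else cell
                             for col, cell in zip(COLUMNS, row)])
    return out.getvalue()


def make_row(**fields):
    """Build one record in the guide's column order (helper for the sample)."""
    return ",".join(fields.get(col, "") for col in COLUMNS)


# Constructed sample: header, one row with an inline password, one row that
# names a credential set but has a bad port, and one truncated row.
SAMPLE = "\n".join([
    ",".join(COLUMNS),
    make_row(NAME="erp-db", DBTYPE="Oracle", DBHOST="db01.example.test",
             DBPORT="1521", DBSID="ORCL", DBUSERNAME="scanuser",
             DBPASSWORD="example-only"),
    make_row(NAME="crm-db", DBTYPE="MSSQL", DBHOST="192.0.2.10",
             DBPORT="14330x", CREDNETIAL_SET="shared-scan"),
    "short-row,MYSQL,192.0.2.11",
]) + "\n"

if __name__ == "__main__":
    for line_no, message in audit_import_csv(SAMPLE):
        print(f"line {line_no}: {message}")
    print(redact(SAMPLE), end="")
```

Because the file holds working credentials until it is imported, keep it readable only by the importing administrator and delete it after the import; rows that reference a credential set from the Credential Catalog avoid putting passwords in the file at all.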
Edit DBMS name and description
You can edit the name and description of an existing DBMS.
Task
For option definitions, click ? in the interface.
1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit DBMS Name/Description.
2 Edit the DBMS name and/or description, then click OK.
Edit the DBMS advanced properties
The advanced properties of a DBMS are used to change the JDBC communication properties. These
properties should only be edited per specific instructions from McAfee technical support.
Task
For option definitions, click ? in the interface.
1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Advanced Properties.
2 Edit the DBMS connection parameters, then click OK.
Remove a DBMS from the System Tree
If you no longer need to monitor the activity of a DBMS, you can remove it from the System Tree.
Task
For option definitions, click ? in the interface.
1 On the Systems tab, select the DBMS, then select Actions | Directory Management | Delete.
2 When prompted to confirm, click OK.
The DBMS is removed from the System Tree and its activity is no longer monitored.
Scan engine
The McAfee scan engine is a managed product that can be used in conjunction with DVM to lighten the
workload placed on the McAfee ePO server.
In large-scale deployments that include multiple databases in remote sites, the scan process can
become inefficient, complicated, and resource heavy. When the scan engine is used, the McAfee ePO
server connects to the scan engine, which connects to the databases to execute the scan. This
sequence reduces the number of connections from the centralized McAfee ePO server to the target
databases, offloads the scan process from McAfee ePO itself, and improves network security by
avoiding opening database ports from the McAfee ePO server to the target databases.
You can deploy the scan engine in the same way as any managed McAfee product. The scan engine
can be deployed at the host itself, with different drivers providing greater flexibility and increased
security.
After its deployment, the scan engine can be assigned to databases from their respective DBMS properties
pages.
Manage credentials
You can manage the credentials used to connect to the database, based on connection type and
operating system. You can also create sets of shared credentials for use by groups of databases,
operating systems, or tunnels.
Tasks
• Edit DBMS credentials
  You can update the credentials that are used by the DBMS to connect to the database.
• Edit operating system credentials
  You can update the credentials used to connect to the operating system that hosts the
  DBMS.
• Edit tunnel properties
  You can update the credentials that are used to authenticate the DBMS when connecting to
  the host through another host over an SSH connection. Alternatively, you can upload a
  tunnel certificate or apply the credentials contained in an existing credential set to a
  selected DBMS.
Edit DBMS credentials
You can update the credentials that are used by the DBMS to connect to the database.
Task
For option definitions, click ? in the interface.
1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit DBMS Credentials.
2 Enter the user name and password.
3 Click Test Connection to validate the credentials.
4 Click Save.
Edit operating system credentials
You can update the credentials used to connect to the operating system that hosts the DBMS.
Task
For option definitions, click ? in the interface.
1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit OS Credentials.
2 Edit the operating system credential details.
3 Click Test OS Connection to validate the updated credentials.
4 Click Save.
Edit tunnel properties
You can update the credentials that are used to authenticate the DBMS when connecting to the host
through another host over an SSH connection. Alternatively, you can upload a tunnel certificate or
apply the credentials contained in an existing credential set to a selected DBMS.
Task
For option definitions, click ? in the interface.
1 On the Systems tab, select the DBMS, then select Actions | DBMSs DVM | Edit Tunnel Properties.
2 In the Host and Port fields, specify the Host IP address or server name and port used to connect to the host.
3 In the Tunnel Credentials section, select one of the following options:
   • Credential Set: Use the tunnel credentials in the credential set assigned to this DBMS.
   • Username and Password: Use a user name and password for authentication. If selected, enter the required username and password.
   • Enable Tunnel Certificate: Use a tunnel certificate for authentication. If selected, click Browse to locate and upload the tunnel certificate. Enter the required user name and password, select the applicable types of connections, then click Save.
4 To test the connection to the DBMS, click Test Connection.
5 To test the connection to the operating system, click Test OS Connection.
6 Click Save.
The tunnel is configured and the tunnel credentials or certificate are applied to the DBMS.
Manage credential sets
Credential sets enable you to assign a shared set of credentials to multiple databases without the need
to manually enter them for each database.
Credential sets are managed in the Credential Catalog.
Tasks
• Overview
  A credential set can contain different credentials for different types of databases, operating
  systems, and tunnels. Credential sets are managed in the Credential Catalog.
• Add a credential set
  You can add credential sets and assign them to DBMSs that share credentials for specific
  types of databases, operating systems, or tunnels.
• Edit credential set metadata
  You can edit the name and description of an existing credential set.
• Add credentials to a credential set
  You can add the credentials for different types of databases, operating systems, and
  tunnels to a single credential set. The credentials are added separately for each type of
  database, operating system, or tunnel.
• Edit the credentials in a credential set
  You can edit the credentials defined in a credential set.
• Delete credentials from a credential set
  You can remove credentials from a credential set.
• Delete a credential set
  You can delete a credential set that is no longer required.
• Edit the DBMS credential set
  You can edit the DBMS credentials using credential sets. You can change the credential set
  configured for the DBMS, or you can specify which credentials in the set to use for this
  DBMS.
Overview
A credential set can contain different credentials for different types of databases, operating systems,
and tunnels. Credential sets are managed in the Credential Catalog.
The existing credential sets are listed in the Credential Catalog. Select a credential set from the list to view
the types of database, operating system, and tunnel credentials included in the credential set, and
their respective credentials.
Add a credential set
You can add credential sets and assign them to DBMSs that share credentials for specific types of
databases, operating systems, or tunnels.
Task
For option definitions, click ? in the interface.
1. Click Menu | Systems | Credential Catalog.
2. On the Credential Catalog page, select Credential Set Actions | New Credential Set.
3. On the New Credential Set page, enter the name of the credential set and an optional description.
4. Click OK.
The credential set is empty until you add specific credentials to it.
Edit credential set metadata
You can edit the name and description of an existing credential set.
Task
For option definitions, click ? in the interface.
1. Click Menu | Systems | Credential Catalog.
2. Select the credential set, then select Credential Set Actions | Edit Credential Set.
3. Edit the name and description of the credential set, then click OK.
Add credentials to a credential set
You can add the credentials for different types of databases, operating systems, and tunnels to a
single credential set. The credentials are added separately for each type of database, operating
system, or tunnel.
Task
For option definitions, click ? in the interface.
1. On the Credential Catalog page, select the credential set, then select Credential Set Actions | Add Credential.
2. From the Credential Type drop-down list, select the type of database, operating system, or tunnel where you want to add credentials.
3. Enter the credential user name and password.
4. Enter a brief description of the use case for these credentials.
5. Click OK.
Repeat for additional types of databases, operating systems, or tunnels.
Edit the credentials in a credential set
You can edit the credentials defined in a credential set.
Task
For option definitions, click ? in the interface.
1. On the Credential Catalog page, select the credential set.
   The existing credentials for the selected set are listed under Credential Set Details.
2. Select the Edit Credential link for the credential type that you want to edit.
3. Update the user name and password.
4. Click OK.
Delete credentials from a credential set
You can remove credentials from a credential set.
Credentials removed from a credential set are also removed from any assets where the set was
previously assigned. You must add new credentials or assign a different credential set to access those
assets in the future.
Task
For option definitions, click ? in the interface.
1. On the Credential Catalog page, select the credential set.
   The existing credentials for the selected set are listed under Credential Set Details.
2. Select the Delete Credential link for the credential type that you want to delete.
3. When prompted to confirm, click OK.
Delete a credential set
You can delete a credential set that is no longer required.
If a credential set is deleted, the corresponding credentials are removed from any assets where the set
was previously assigned.
Task
For option definitions, click ? in the interface.
1. On the Credential Catalog page, select the credential set, then select Credential Set Actions | Delete Credential Set.
2. When prompted to confirm, click OK.
Edit the DBMS credential set
You can edit the DBMS credentials using credential sets. You can change the credentials set configured
for the DBMS, or you can specify which credentials in the set to use for this DBMS.
Task
For option definitions, click ? in the interface.
1. On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit DBMS Credentials.
2. To assign a credential set to the DBMS, select the set from the Credential Set drop-down list.
3. To use the credentials in the credential set for specific types of connections, select the corresponding checkboxes.
   If the checkbox for a connection type is not selected, that type of credential is not used regardless of whether it is included in the credential set.
4. Click Save.
Enable or disable operating system checks
You can configure whether or not operating system checks are performed on a DBMS host.
Task
For option definitions, click ? in the interface.
1. On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Enable/Disable OS Checks.
2. Select either Enable or Disable, then click OK.
Password check exclusions
When a user is omitted from the password check process, the user password is not checked against
the weak password dictionary.
Sometimes, it is necessary to exclude a user when a specific user password is known to be weak but
can't be changed.
Multiple users can be excluded from the password check process for a DBMS.
Exclude users from password checks
You can exempt specific users from the password strength compliance check for a specific DBMS.
Task
For option definitions, click ? in the interface.
1. On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit Password Check Exclusions.
2. Enter the user name of the user to exempt from the password checks, then click OK.
   To exempt more than one user, enter the user names as a comma-separated list.
The passwords of the specified user names are not checked for compliance.
Include users in password checks
You can remove users from the password-strength compliance check exemption list. For example, you
can reinforce weak password checks on users for a specific DBMS.
Task
For option definitions, click ? in the interface.
1. On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit Password Check Exclusions.
2. Delete the user names from the password check exemption list, then click OK.
4
Database vulnerability checks
Database vulnerability (DVM) checks are used to identify the existence of a specific condition or
vulnerability, check security patch levels, and discover weak passwords.
Contents
Overview
View the database vulnerability checks list
View database vulnerability check details
Add a custom database vulnerability check
Delete a custom database vulnerability check
Edit database vulnerability checks
Edit database vulnerability check metadata
Export database vulnerability checks
Import database vulnerability checks
Reset predefined database vulnerability checks
Custom check syntax examples
Overview
DVM checks are the building blocks of every DVM scan. McAfee Vulnerability Manager for Databases
includes thousands of predefined checks organized in categories and groups. In addition, you can
define custom checks and include them in DVM scans in combination with predefined checks.
Check categories and groups
The predefined checks are automatically grouped into default categories.
Each predefined check is assigned to a single category that reflects its main focus. Custom checks are
automatically assigned to the "custom" category.
Check groups are used to include multiple checks in a scan without the need to add them individually.
Each check can be assigned to multiple check groups, with the check remaining in its original
category.
Each check category has a check group of the same name. The check group automatically includes all
checks in the corresponding category. You can add checks to a check group. All checks in a group are
included in a scan when that category is selected in the scan definition, even if the additional checks
are not listed under the category on the DVM Checks page.
View the database vulnerability checks list
The checks list includes all checks, both predefined and custom checks. You can view all of the checks
in the list or you can view the checks in a specific category.
Task
For option definitions, click ? in the interface.
1. Click Menu | Policy | DVM Checks.
   The Database Vulnerability Manager - DBMS Checks page lists the name, severity, and a brief description of each check.
   The checks list includes predefined checks and any existing custom checks.
2. To view the checks for a specific category, select the category in the left pane.
3. (Optional) Sort the checks according to a specific column by clicking the column header.
4. (Optional) Use the Quick find option to search for a specific check or a check that contains a specific term.
View database vulnerability check details
You can view a summary of the properties of a specific vulnerability check, including the check name,
ID, description, severity, and check groups.
Task
For option definitions, click ? in the interface.
1. Click Menu | Policy | DVM Checks.
2. On the Database Vulnerability Manager - DBMS Checks page, click the name of the check to view its details.
Add a custom database vulnerability check
A custom database vulnerability check identifies the existence of a specific condition or vulnerability,
based on a Yes/No test, or it can return a set of relevant data. You can define new custom checks and
include them in vulnerability scans.
Task
For option definitions, click ? in the interface.
1. Click Menu | Policy | DVM Checks.
2. Select the check category in the left pane, then select Actions | Add New DBMS Check.
3. In the Check Name field, enter a name for the check.
4. From the Result Type drop-down list, select the type of check results you want.
5. In the Check (SQL Query/OS Script) field, enter the check parameters in SQL command format.
   For example:
   The following ResultSet check returns a list of users granted the DBA role when run on an Oracle database:
   select * from dba_role_privs where granted_role = 'DBA'
   The following Yes/No command returns a Yes result if dynamic SQL is detected in Oracle outside of SYS:
   select 'yes' from dual where exists (select 1 from dba_source where upper(text)
   like '%EXECUTE IMMEDIATE%' and owner <> 'SYS');
   For additional examples, see Custom check syntax examples.
6. From the Severity drop-down list, select the level of severity to be assigned to the check results.
7. In the Check Groups field, enter the check groups to be included in the custom check.
   As you begin to type, the auto-complete feature displays the list of existing check groups. To create a new check group, type in its name.
8. From the System Check Groups drop-down list, select one or more check groups (DBMS types) to be included in the operating system check.
9. To exclude one or more DBMSs from this check, click Remove Check from DBMS, select the databases, then click Select.
10. Click OK.
The check can now be included in DBMS scans.
Delete a custom database vulnerability check
If a custom database vulnerability check is no longer required, you can remove it from the checks list.
You can't delete predefined checks.
Task
For option definitions, click ? in the interface.
1. Click Menu | Policy | DVM Checks.
2. On the DBMS Check Details page, select the check, then select Actions | Delete DBMS Check.
3. When prompted to confirm, click OK.
Edit database vulnerability checks
You can edit the properties of predefined and custom database vulnerability checks.
You can't view or edit the SQL query or operating system script of a predefined check.
Task
For option definitions, click ? in the interface.
1. Click Menu | Policy | DVM Checks.
2. Select the check to edit, then select Actions | Edit DBMS Check.
3. Edit the check properties, then click OK.
The check is available to include in database vulnerability scans.
Edit database vulnerability check metadata
The database vulnerability check metadata includes the check name, severity, and a brief description.
You can edit the metadata of both predefined and custom checks.
Task
For option definitions, click ? in the interface.
1. In the DBMS Check Details page, select the check, then select Actions | Edit Metadata.
2. In the Edit Check Metadata page, edit the check metadata, then click OK.
   If a custom description is defined, it appears in the events and reports instead of the original description. To view both descriptions, copy the original description and paste it into the custom description.
Export database vulnerability checks
You can export vulnerability check details into an XML file, for example, to copy checks from one
system to another.
Task
For option definitions, click ? in the interface.
1. Click Menu | Policy | DVM Checks.
2. On the DBMS Check Details page, select one or more checks, then select Actions | Export DBMS Checks.
3. When prompted to confirm, click Yes.
Import database vulnerability checks
You can import database vulnerability checks from an XML file, for example, to copy custom checks
from one system to another.
Task
For option definitions, click ? in the interface.
1. On the Database Vulnerability Manager - DBMS Checks page, select Actions | Import DBMS checks.
2. Select the XML file containing the vulnerability checks, then click OK.
The checks are uploaded and added to the checks list.
Reset predefined database vulnerability checks
The properties of predefined vulnerability checks can be reset to their default values.
Task
For option definitions, click ? in the interface.
1. Do one of the following:
   • In the DVM Check Details list, select one or more predefined checks, then select Actions | Reset Predefined DBMS Check.
   • On the DVM Check Details page for a selected DBMS, select Actions | Reset Predefined DBMS Check.
2. When prompted to confirm, click Yes.
Custom check syntax examples
The following sections provide examples of different types of vulnerability check parameters in SQL
command format.
Data Discovery
A data discovery check samples data from a list of tables and looks for a specific pattern. This check is
commonly used to identify tables that hold sensitive information such as credit card numbers, IDs, or
financial data.
By default, the check samples the first 10 rows in each searched table and returns the table name if five
or more rows contain relevant data. To change the defaults, contact technical support.
For example, to select the list of tables to sample:
Oracle:
select '"'||owner||'"."'||table_name||'"' as FQN, owner as SCHEMA, table_name as "TABLE"
from all_tables
MSSQL:
select '['+TABLE_CATALOG+'].['+TABLE_SCHEMA+'].['+TABLE_NAME+']' as FQN,TABLE_CATALOG as
[DB],TABLE_SCHEMA as [schema],TABLE_NAME as [table] from INFORMATION_SCHEMA.TABLES
For example, to set the data regular expression or pattern to search for:
Credit card number:
(\d{4}[\s|-]?\d{4}[\s|-]?\d{4}[\s|-]?\d{4})|(\d{4}[\s|-]?\d{6}[\s|-]?\d{5})
SSN:
(\d{3}-\d{2}-\d{4})
For a full description of how to create a regular expression, see http://java.sun.com/javase/6/docs/api/java/util/regex/Pattern.html.
By default, the test samples the first 10 rows in each searched table and returns the table name if five
or more rows contain relevant data. To change the defaults, contact technical support.
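The sampling rule described above (first 10 rows, report at five or more matching rows) is emulated below as an added example; it is not McAfee's code. It assumes an in-memory SQLite database with constructed tables standing in for the DBMS, and it assumes that a row counts as relevant when any column value contains a match. It shows that a table whose sensitive rows start after the sampled window is not reported.

```python
import re
import sqlite3

# Patterns copied from the guide (written for java.util.regex; these constructs
# behave the same way in Python's re module).
CREDIT_CARD = (r"(\d{4}[\s|-]?\d{4}[\s|-]?\d{4}[\s|-]?\d{4})"
               r"|(\d{4}[\s|-]?\d{6}[\s|-]?\d{5})")
SSN = r"(\d{3}-\d{2}-\d{4})"

SAMPLE_ROWS = 10  # default number of rows sampled per table, per the guide
MIN_HITS = 5      # default number of matching rows needed to report a table


def build_demo_db():
    """Constructed sample data (not from the guide): three tables in SQLite."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payments (id INTEGER, holder TEXT, pan TEXT)")
    conn.execute("CREATE TABLE audit_log (id INTEGER, note TEXT)")
    conn.execute("CREATE TABLE archive (id INTEGER, payload TEXT)")
    # payments: every row holds a card-like number.
    conn.executemany(
        "INSERT INTO payments VALUES (?, ?, ?)",
        [(i, f"user{i}", f"4111 1111 1111 {1000 + i}") for i in range(12)])
    # audit_log: only 3 rows mention a card number, which is below the threshold.
    conn.executemany(
        "INSERT INTO audit_log VALUES (?, ?)",
        [(i, "card 4111-1111-1111-1111 declined" if i < 3 else "login ok")
         for i in range(12)])
    # archive: 20 clean rows first, then 30 rows with card numbers.
    conn.executemany(
        "INSERT INTO archive VALUES (?, ?)",
        [(i, "order shipped" if i < 20 else f"pan=5500-0000-0000-{i:04d}")
         for i in range(50)])
    conn.commit()
    return conn


def quote_ident(name):
    """Quote a table name so it can be placed in a query safely."""
    return '"' + name.replace('"', '""') + '"'


def list_tables(conn):
    # SQLite stand-in for the guide's table-list queries
    # (all_tables on Oracle, INFORMATION_SCHEMA.TABLES on MSSQL).
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def row_matches(row, regex):
    # Assumption: a row is relevant when any column value contains a match.
    return any(v is not None and regex.search(str(v)) for v in row)


def discover(conn, pattern, sample_rows=SAMPLE_ROWS, min_hits=MIN_HITS):
    """Return the tables whose first sample_rows rows hold >= min_hits matches."""
    regex = re.compile(pattern)
    flagged = []
    for table in list_tables(conn):
        rows = conn.execute(
            f"SELECT * FROM {quote_ident(table)} ORDER BY rowid LIMIT ?",
            (sample_rows,)).fetchall()
        hits = sum(1 for row in rows if row_matches(row, regex))
        if hits >= min_hits:
            flagged.append(table)
    return flagged


def full_scan_hits(conn, table, pattern):
    """Count matching rows in the whole table, to compare with the sample."""
    regex = re.compile(pattern)
    cursor = conn.execute(f"SELECT * FROM {quote_ident(table)}")
    return sum(1 for row in cursor if row_matches(row, regex))


if __name__ == "__main__":
    db = build_demo_db()
    print("reported with defaults:", discover(db, CREDIT_CARD))
    print("archive rows matching in a full scan:",
          full_scan_hits(db, "archive", CREDIT_CARD))
    print("reported with a 50-row sample:",
          discover(db, CREDIT_CARD, sample_rows=50))
```

With the default sample the archive table goes unreported even though most of its rows match, so a clean data discovery result means only that the sampled rows were clean.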
DBMS result set
A DBMS result set runs an SQL query to gather information on database permissions or configuration
settings.
For example, to show a list of users and their roles:
Oracle:
select grantee,granted_role from dba_role_privs order by 1,2
MSSQL:
select b.name as UserName, c.name as RoleName
from sysmembers a
join sysusers b on a.memberuid = b.uid
join sysusers c on a.groupuid = c.uid
order by 1,2
DBMS script result set
A DBMS script result set is similar to the DBMS result set; however, you can include additional
commands after the select statement.
For example, to gather information from a log table and delete the records after fetching them:
Oracle:
select * from log_table;
delete log_table;
MSSQL:
select * from test.dbo.log_table
go
delete test.dbo.log_table
go
DBMS yes/no
A DBMS yes/no check runs an SQL query that returns yes or no. A finding is reported only if the query
returns yes.
For example, to check whether or not a database configuration parameter has a specific value:
Oracle:
select 'yes' from dual where not exists (select 1 from v$parameter where name
='remote_login_passwordfile' and upper(value)='NONE')
MSSQL:
SELECT 'yes' from master.sys.configurations where name='remote access' and value=1
UNIX result set
A UNIX shell script that returns some information from the operating system can be used to gather file
permissions, operating system users, or any other operating system-level information. Every line of
the output must be preceded by "=#=#=" to be included in the results.
For example, to list operating system users:
echo "=#=#=Y"
cat /etc/passwd | awk -F: '{print "=#=#="$1}'
UNIX yes/no
A UNIX shell script that returns a yes (=#=#=Y) or no (=#=#=N) result. A finding is reported only if
the script returns a yes result.
For example, to check if the standard Oracle listener ports are in use:
# Look for a PORT = 1521 or PORT = 1526 entry in listener.ora
port=`grep '([[:space:]]*PORT[[:space:]]*=[[:space:]]*152[16][[:space:]]*)' "$ORACLE_HOME/network/admin/listener.ora"`
# A non-empty match means a standard port is configured
if [ -n "$port" ]
then
    echo "=#=#=Y"
    echo "=#=#=Standard ports in listener.ora"
else
    echo "=#=#=N"
fi
Windows result set
A Windows shell script that returns some information from the operating system can be used to gather
file permissions, operating system users, or any other operating system-level information. Every line
of the output must be preceded by "=#=#=" to be included in the results.
For example, to get a list of services:
var objWMIService = GetObject("winmgmts:\\\\.\\root\\cimv2");
var res = objWMIService.ExecQuery("select * from Win32_Service");
var enumItems = new Enumerator(res);
// Header line first, then one prefixed line per service
var msg_text = "=#=#=Y\n";
for (enumItems.moveFirst(); !enumItems.atEnd(); enumItems.moveNext()) {
    var svc = enumItems.item();
    msg_text += "=#=#=" + svc.Name + " status: " + (svc.Started ? "running" : "stopped") + "\n";
}
WScript.Echo(msg_text);
Windows yes/no
A Windows shell script that returns a yes (=#=#=Y) or no (=#=#=N) result. A finding is reported only
if the script returns a yes result.
For example, to check whether SQL Server 2008 is installed:
var TEST_FAIL_HEADER = "=#=#=Y\n";
var TEST_OK = "=#=#=N";
try {
    // GetObject throws if the SQL Server 2008 WMI namespace does not exist
    var objWMIService = GetObject("winmgmts:\\\\.\\root\\Microsoft\\SqlServer\\ComputerManagement10");
    WScript.Echo(TEST_OK);
}
catch (e) {
    WScript.Echo(TEST_FAIL_HEADER + "=#=#=MS SQL Server 2008 is not installed on this machine");
}
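The operating system check types above depend on the =#=#= line prefix, so a script whose output is malformed can produce no finding without any visible error. The following pre-flight linter is an added example, not part of the product. It assumes the Y or N verdict is the first prefixed line, as in the guide's scripts, and it runs over constructed sample output.

```python
MARKER = "=#=#="


def lint_check_output(output, yes_no):
    """Classify script output lines by the =#=#= prefix and list problems.

    Assumption (not stated by the guide): the verdict is the first prefixed
    line and is exactly Y or N, as in the guide's example scripts.
    """
    reported, dropped = [], []
    for line in output.splitlines():
        if line.startswith(MARKER):
            reported.append(line[len(MARKER):])
        elif line.strip():
            dropped.append(line)  # no prefix: not included in the results

    verdict = None
    if reported and reported[0] in ("Y", "N"):
        verdict, reported = reported[0], reported[1:]

    problems = []
    if yes_no and verdict is None:
        problems.append("no =#=#=Y or =#=#=N verdict line")
    if dropped:
        problems.append(f"{len(dropped)} unprefixed line(s) would be dropped")
    # A marker in the middle of a line usually means a missing newline
    # between records or leading whitespace before the prefix.
    if any(MARKER in text for text in reported + dropped):
        problems.append("marker found after the start of a line")
    return {"verdict": verdict, "details": reported,
            "dropped": dropped, "problems": problems}


# Constructed sample outputs (not captured from a real system).
GOOD = "=#=#=Y\n=#=#=Standard ports in listener.ora\n"
# stderr merged into stdout: the file was unreadable, yet the verdict is N.
ERROR_MASKED = ("grep: /network/admin/listener.ora: No such file or directory\n"
                "=#=#=N\n")
# Newline forgotten between the verdict and the first detail line.
MISSING_NEWLINE = "=#=#=Y=#=#=Spooler status: running\n"

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("error masked", ERROR_MASKED),
                         ("missing newline", MISSING_NEWLINE)):
        print(name, "->", lint_check_output(sample, yes_no=True))
```

The second sample is the case to watch for when ORACLE_HOME is unset on the scanned host: the script still prints =#=#=N, so the check reports no finding although nothing was inspected.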
5
Database vulnerability scans
McAfee Vulnerability Manager for Databases enables you to configure database scans to identify a
wide range of risks and problems, such as weak passwords or missing patches.
An individual DVM scan consists of selected checks (which can include check groups and categories),
selected severity levels, the target DBMSs, and (optionally) scheduling details.
Contents
Define a database vulnerability scan
Assign DBMS groups and DBMSs to DVM scans
Schedule a database vulnerability scan
Remove a database vulnerability scan from the schedule
Run a database vulnerability scan manually
Delete a database vulnerability scan
View DVM scan results
View the DVM Events list
View DVM event details
Dashboards and monitors for Vulnerability Manager for Databases
Queries and reports for McAfee Vulnerability Manager for Databases
Define a database vulnerability scan
A database vulnerability scan runs one or more groups of checks on the database. Scans can be
scheduled at set time intervals or they can be run on demand.
Task
For option definitions, click ? in the interface.
1. Select Menu | Policy | DVM Scans, then select DBMS Scan Actions | New DBMS Scan.
2. In the DVM Scan Name field, enter a name for the scan. We recommend that the name indicate the nature of the scan (for example, "Monthly vulnerability scan of production databases").
3. Click DBMS Assignment to select the DBMS groups or DBMSs to run the scan on.
4. In the Select Groups tab, select the check groups that contain the checks to be included in the scan.
5. Click Selected Checks.
   The checks included in the selected groups are listed in the Selected Checks tab.
6. Select the checks to include in the scan or click the checkbox in the top row to select or deselect all checks.
   The number of selected checks is indicated below the checks list.
7. Select the severity levels to be included in the scan.
8. (Optional) Enter a brief description or comment.
9. (Optional) Enable the scheduler, then schedule the scan to run at regular intervals.
10. In the Advanced section, enable or disable these options.
   • Clear Password Cache (Rescan all users) — Clears the password cache and checks the strength of all user passwords, including passwords detected as weak in previous scans.
   • Store Detected Weak Passwords in the ePO Database — Encrypts and stores weak passwords in the database. The passwords appear in reports as clear text.
11. Click OK.
If the scan is enabled, you can run it now.
Assign DBMS groups and DBMSs to DVM scans
You can select the DBMS groups and DBMSs to include in a database vulnerability scan. You can also
edit the DBMS assignments of an existing scan.
Task
For option definitions, click ? in the interface.
1. Do one of the following:
   • On the New DBMS page, click DBMS Assignment.
   • On the Database Vulnerability Manager - DBMS Scans page, select the scan, then click Edit for the DBMS assignment.
2. To assign a DBMS group and its members to the scan, select the group in the DBMS Group Assignment tab.
3. To assign a specific DBMS to the scan, select it in the DBMS Assignment tab.
4. Click OK.
Schedule a database vulnerability scan
You can schedule a database vulnerability scan to run at regular intervals, for a limited period of time,
or on an ongoing basis.
Task
For option definitions, click ? in the interface.
1. Do one of the following:
   • New scan — On the New DBMS page, select Enable Scheduler.
   • Schedule an existing scan — On the DVM Scans page, select the scan, then click the Edit link in the scan run details.
2. From the Schedule Type drop-down list, select one of these scheduling options:

| To run a scan... | Select... |
|---|---|
| At intervals throughout the day | Select Hourly and indicate the time interval between scans. |
| More than once a day | Select Daily and indicate the times to run the scan. |
| On a weekly basis | Select Weekly and select the days of the week and the times to run the scan. |
| On a monthly basis | Select Monthly and indicate the days of the month and the times to run the scan. |
| On a yearly basis | Select Yearly and indicate the days of the year and the times to run the scan. |
| On a custom basis | Select Advanced and enter a command in cron syntax to indicate when and how often to run the scan. |

3. Set the timeframe for running the scheduled scan:
   • To automatically run the scan for a limited time, set the start and end dates and times.
   • To schedule the scan to run indefinitely, set the start time and select No end date.
4. (Optional) Define a blackout window (time frame), during which the scan automatically pauses.
   a. Select Enable Blackout Scheduler.
   b. From the Schedule Type drop-down list, select a scheduling option.
   c. In the Start date field, set the earliest date for the blackout window.
   d. In the Schedule fields, set the start time and duration of the blackout window.
5. Click OK.
Remove a database vulnerability scan from the schedule
You can remove a database vulnerability scan from the schedule so that it no longer runs
automatically.
Task
For option definitions, click ? in the interface.
1. Select Menu | Policy | DVM Scans.
2. On the Database Vulnerability Manager - DBMS Scans page, select the scan, then select DBMS Scan Actions | Edit DBMS Scan.
3. Deselect Enable Scheduler, then click OK.
The schedule for the scan is disabled. You can manually run the scan from the DVM Scans page.
Run a database vulnerability scan manually
In addition to scheduling database vulnerability scans to run at specific times, you can manually run a
DVM scan at any time.
Task
For option definitions, click ? in the interface.
1. Select Menu | Policy | DVM Scans.
2. On the Database Vulnerability Manager - DBMS Scans page, select the scan, then click the corresponding Run DBMS Scan link.
   The Stop and Pause links are displayed while the scan runs.
   To pause the scan, click Pause. To continue a paused scan from where it left off, click Resume.
The scan results include the name of the DBMS and the number of findings for each severity level.
Delete a database vulnerability scan
You can delete a database vulnerability scan that is no longer needed.
Task
For option definitions, click ? in the interface.
1. Select Menu | Policy | DVM Scans.
2. On the Database Vulnerability Manager - DBMS Scans page, select the scan, then select DBMS Scan Actions | Delete DBMS Scan.
3. When prompted to confirm, click OK.
View DVM scan results
You can view the results of scheduled and manually run scans on the Database Vulnerability Manager - DBMS
Scans page.
Task
For option definitions, click ? in the interface.
1. On the Database Vulnerability Manager - DBMS Scans page, select a scan.
   The results of the most recent run of the selected scan are displayed under Scan Summary, including the name of the DBMS and the number of findings for each severity level.
2. Click the number of findings to view the itemized list of findings for the respective severity level.
View the DVM Events list
The DVM Events page lists the database vulnerability scan findings.
Task
For option definitions, click ? in the interface.
1. Click Menu | Reporting | Database Security Events, then select the DVM Events tab.
   The DVM Events tab lists the event ID and severity, as well as information on the scan and specific check that detected the event.
2. (Optional) Sort the events according to a specific column by clicking the column header.
3. (Optional) To view the details of a specific event, click the event row.
View DVM event details
You can view the details of a specific DVM event, including a description of the vulnerability, its
implications, and an SQL Fix (if available).
Task
For option definitions, click ? in the interface.
1. On the DVM Events tab, click the name of the event.
2. (Optional) Click Exclude Check from DBMS to exclude a DBMS from this check in the future, then click OK when prompted to confirm.
Dashboards and monitors for Vulnerability Manager for Databases
When the extension is installed, two preconfigured dashboards are created: Database Security and Database
Security — Management. The dashboards display general database security monitors, including Vulnerability
Manager for Databases-specific monitors.
Dashboards are collections of monitors that are essential for managing your environment. You can
create and edit multiple dashboards if you have the appropriate permissions.
By default, these data monitors appear in the Database Security dashboard:

| This monitor... | Shows... |
|---|---|
| DVM: Recent Events by Category — Last 30 Days | Distribution of recent events by category. |
| DVM: Recent Events by Severity — Last 30 Days | Distribution of recent events by severity. |
| DVM: Recent Events by DBMS and Category | Distribution of recent events by DBMS and category. |

By default, these data monitors appear in the Database Security — Management dashboard:

| This monitor... | Shows... |
|---|---|
| Database Security Detected DBMS | DBMS instances detected by Database Security. |
| DVM: Database Security DBMSs per Scan Engine | Breakdown of database instances by configured scan engines. |
| DVM: Scan Engine Versions | Breakdown of the scan engine versions. |
| DAM: DBMS Monitoring State | Breakdown of DAM DBMS instances by monitoring state. |
| DAM: Sensors per State | Breakdown of the sensor states. |
| DAM: Sensor Versions | Breakdown of the sensor versions. |

Custom dashboards
You can create custom dashboards and select which monitors and queries to display.
For information about creating and using dashboards, see the ePolicy Orchestrator documentation.
Queries and reports for McAfee Vulnerability Manager for Databases
The extension includes query and report generation through the ePolicy Orchestrator software.
You can create queries from properties stored in the ePolicy Orchestrator database. For more
information, see the ePolicy Orchestrator documentation.
Organize and maintain custom queries to suit your needs, then use them to run reports. You can
export reports into various file formats.
Custom queries and reports
You can create customized queries and reports with Query Builder. The result types selected in Query
Builder identify what type of data the query retrieves.
The McAfee Vulnerability Manager for Databases extension adds the Database Vulnerability group of Result
Types. This group contains a set of query targets related to database security.

| Result type | Shows this information... |
|---|---|
| Database Security DBMSs | Monitored DBMSs |
| Database Security Detected DBMSs | Content implementation details for virtual patching and vulnerability assessment |
| Database Security Repository | Details of Database Security content implementation of virtual patching and vulnerability assessment |
| DVM: Check Status | Check status per scan execution per DBMS |
| DVM: Events | All DBMS vulnerability events |
| DVM: Recent Events | Results of the most recent execution of checks on DBMSs |
| DVM: Unique Weak Password Events | Results of the most recent execution of weak password checks |
| DVM: Verbose Events | DBMS events, including result set data |

For each result type, the extension adds properties in Query Builder for use in custom queries.
For more information about creating and using queries and reports, see the ePolicy Orchestrator
documentation.
about 35
default 35
O
scan results 34
scans 34
DVM, top ten 35
running manually 33
scheduling 32
scanuser creation 13
schedule
blackout window 32
removing scan from 33
scans 32
operating system checks
enabling 13
enabling or disabling 20
OS credentials, editing 17
overview
features added to McAfee ePO environment 10
how DVM works 11
key features 5
supported databases 6
SQL fix 35
supported databases 6
syntax, vulnerability checks 27
System Tree
actions added by Vulnerability Manager for Databases 10
adding DBMS 13
importing databases 15
removing a DBMS 16
P
T
packages
deploying 9
downloading
installing 9
installing 9
tunnels
enabling for DBMS connection 13
testing connections 17
uploading certificates 17
password strength compliance cache 31
passwords
adding exemption from compliance checks 21
checking 5
exemption from compliance checks 21
removing exemption from compliance checks 21
permission sets
Vulnerability Manager for Databases 10
U
Q
queries for Vulnerability Manager for Databases
about 36
38
McAfee Vulnerability Manager for Databases 5.1.0
UNIX
result sets 27
yes/no checks 27
user roles 10
users
excluding from password compliance checks 21
including in password compliance checks 21
V
vendor-specific scripts for user creation 13
Product Guide
Index
vulnerability checks 23, 24
about 23
adding 24
categories 23
custom 24
custom check syntax 27
deleting 25
editing 25
editing metadata 26
enabling or disabling 20
exporting 26
groups 23
importing 26
list 24
operating system 20
resetting predefined 27
syntax 27
viewing details 24
viewing, by category 24
vulnerability scans
about 31
adding 31
assigning DBMSs 32
McAfee Vulnerability Manager for Databases 5.1.0
vulnerability scans (continued)
deleting 34
event details 35
events details 35
findings 34
pausing 33
removing from schedule 33
running manually 33
scheduling 32
viewing results 34
W
Windows
result sets 27
yes/no checks 27
Y
yes/no checks
DBMS 27
UNIX 27
Windows 27
Product Guide
39
00