Download Vulnerability Manager for Databases 5.1.0 Product Guide
Product Guide

McAfee Vulnerability Manager for Databases 5.1.0
For use with ePolicy Orchestrator 4.6.0-5.1.0 Software

COPYRIGHT
Copyright © 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1 Introduction
    Key features
    How McAfee Vulnerability Manager for Databases works
    Supported databases
    Deployment
2 Installation
    Install the extension
    Install the license
    Features added to the ePolicy Orchestrator environment
    Uninstall the extension
3 Database configuration
    Overview
    Add a DBMS to the System Tree
    Import a DBMS into the System Tree
    Edit DBMS name and description
    Edit the DBMS advanced properties
    Remove a DBMS from the System Tree
    Scan engine
    Manage credentials
        Edit DBMS credentials
        Edit operating system credentials
        Edit tunnel properties
    Manage credential sets
        Overview
        Add a credential set
        Edit credential set metadata
        Add credentials to a credential set
        Edit the credentials in a credential set
        Delete credentials from a credential set
        Delete a credential set
        Edit the DBMS credential set
    Enable or disable operating system checks
    Password check exclusions
        Exclude users from password checks
        Include users in password checks
4 Database vulnerability checks
    Overview
    View the database vulnerability checks list
    View database vulnerability check details
    Add a custom database vulnerability check
    Delete a custom database vulnerability check
    Edit database vulnerability checks
    Edit database vulnerability check metadata
    Export database vulnerability checks
    Import database vulnerability checks
    Reset predefined database vulnerability checks
    Custom check syntax examples
5 Database vulnerability scans
    Define a database vulnerability scan
    Assign DBMS groups and DBMSs to DVM scans
    Schedule a database vulnerability scan
    Remove a database vulnerability scan from the schedule
    Run a database vulnerability scan manually
    Delete a database vulnerability scan
    View DVM scan results
    View the DVM Events list
    View DVM event details
    Dashboards and monitors for Vulnerability Manager for Databases
    Queries and reports for McAfee Vulnerability Manager for Databases
        Custom queries and reports
Index

1 Introduction

McAfee® Vulnerability Manager for Databases is an enterprise-level security scanner for database management systems (DBMSs). This product evaluates risk from all known threats and classifies them into distinct priority levels, provides fix scripts, and includes recommendations.

With McAfee Vulnerability Manager for Databases, you can run scheduled and on-demand scans that use credentialed database-security checks based on the knowledge of industry leading experts. The software contains several predefined reports on the database security configuration to meet the requirements of internal and external auditors. You can also create custom checks and reports to tailor the product to your own environment.

McAfee Vulnerability Manager for Databases is an extension for use with McAfee® ePolicy Orchestrator (McAfee ePO™) software 4.6 or later. After installing the extension, McAfee Vulnerability Manager for Databases is available from the McAfee ePO console.

Contents
• Key features
• How McAfee Vulnerability Manager for Databases works
• Supported databases
• Deployment

Key features

McAfee Vulnerability Manager for Databases scans multiple databases to identify and evaluate potential risks to the enterprise's sensitive data.

McAfee Vulnerability Manager for Databases discovers databases on your network and determines if the latest patches have been applied. It also tests for common weaknesses such as weak passwords, default accounts, and other common threats.

McAfee Vulnerability Manager for Databases conducts more than 4,000 vulnerability checks against leading database systems, including Oracle, SQL Server, IBM DB2, PostgreSQL, Azure SQL, and MySQL. It provides:

• Visibility into database vulnerabilities — By improving visibility into database vulnerabilities and providing expert recommendations for remediation, McAfee Vulnerability Manager for Databases reduces the likelihood of a damaging breach, and saves money through better preparation for audits and compliance with regulatory mandates.
• Risk evaluation — McAfee Vulnerability Manager for Databases evaluates risk from all known threat vectors. It clearly classifies threats into distinct priority levels, provides fix scripts, and includes recommendations.
• High-speed, high-efficiency password checking — McAfee Vulnerability Manager for Databases offers the fastest weak password detection methods available, flagging accounts with simple passwords, default passwords, and shared passwords.

How McAfee Vulnerability Manager for Databases works

As soon as the extension for McAfee Vulnerability Manager for Databases is installed, the McAfee ePO server can connect directly to the databases using JDBC, and to the underlying operating systems using DCOM or SSH.
Using the appropriate credentials, the product runs checks against the databases (using SQL queries) and their underlying operating systems (using shell scripts). All results are transferred back to the McAfee ePO back-end database where they can be queried and added to reports.

Database vulnerability checks and scans

A database vulnerability scan comprises a set of checks that are run against specific databases to identify specific conditions or vulnerabilities. Checks are organized in categories, groups, and severity levels so that you can tailor the scans to meet your security needs. In addition to using predefined checks, you can also define custom checks.

You define the checks that are included in a scan, and which databases or database groups to run the scans on. Scans can be scheduled to run at set intervals or they can be run on demand at any time.

The credentials required to connect to the database for scanning are configured in the McAfee ePO console, either per database or using credential sets (if credentials are shared among DBMSs).

Use of the terms DBMS (database management system) and database varies according to platform vendor. In general, DBMS refers to the overall database system, including the data and the infrastructure around it, whereas database can refer to the data tables only. In this document, the terms are used interchangeably.

Supported databases

McAfee Vulnerability Manager for Databases can be used to perform vulnerability scans on several types of databases.
The supported databases include:

• IBM DB2 8.1 or later for Linux, UNIX and Windows
• Microsoft SQL Azure
• Microsoft SQL Server 2000 or later
• MySQL 4.0 or later
• Oracle 8i or later
• PostgreSQL 8.3 or later
• Sybase ASE 12.5 or later
• Teradata v12, v13, v14 — Database discovery, sensitive data discovery, custom checks, and password cracking
• Informix v10.0, v11.1, v11.5, v11.7 — Database discovery, sensitive data discovery and custom checks
• SAP HANA v1 — Database discovery, data discovery and custom checks

Deployment

Before the software can access and scan databases, you must install the McAfee Vulnerability Manager for Databases extension on McAfee ePO and add databases to the System Tree.

Required components
• McAfee ePolicy Orchestrator 4.6 or later
• McAfee Vulnerability Manager for Databases extension

2 Installation

For McAfee Vulnerability Manager for Databases to be used within ePolicy Orchestrator, you must first download and install the product extension.

Contents
• Install the extension
• Install the license
• Features added to the ePolicy Orchestrator environment
• Uninstall the extension

Install the extension

The McAfee Vulnerability Manager for Databases extension installs the Database Security, Advanced Management, and Help Content extensions.

Before you begin
Back up the McAfee ePO back-end database.

If you previously installed and uninstalled the product extension, you must remove some files manually. Contact McAfee technical support for details.

Task
For option definitions, click ? in the interface.

1 From the McAfee website, download the McAfee Vulnerability Manager for Databases DBSecurity‑<version><build>.zip file to a temporary location.
2 From the McAfee ePO console, click Menu | Software | Extensions.
3 In the Extensions pane, select Database Security, then click Install Extension.
4 Select DBSecurity‑<version><build>.zip, then click OK. The file is automatically extracted.
5 Select the Database Security package for installation, then click OK. The installation begins. It might take several minutes to complete.

When the installation is complete, Database Security, Advanced Management, and Help Content appear in the Extensions list.

We recommend that you add the DVM Checks and DVM Scans shortcut icons to McAfee ePO for easier navigation during the scan configuration process.

By default, the extension is installed with a 30-day evaluation license. EVAL appears on the shortcut icons and at the top of the DVM Scans and DVM Checks pages. The evaluation version has several limitations, including a limit of five check results per DBMS. If you already have a license, we recommend that you install it now.

Install the license

By default, the extension is installed using an evaluation license. EVAL appears on the shortcut icons and on the DBMS Scans and DBMS Checks pages. You must install a full license to view the full list of scan results.

Task
For option definitions, click ? in the interface.

1 Click Menu | Configuration | Server Settings.
2 From the Setting Categories list, select DBMS Vulnerability Manager.
3 Click Browse to locate and select the license key file, then click Open.
4 Click Upload.

The license is installed and the term EVAL is removed from the shortcut icons and the respective pages. All product functionality is now available.

Features added to the ePolicy Orchestrator environment

The extension adds or uses these features in the ePolicy Orchestrator environment.

Feature / Details

Server tasks
  Enables users of the extension to create and schedule DVM scan tasks.

System Tree
  Adds two submenus to the Actions menu in the Systems tab:
  • Database Vulnerability — Includes options for adding, importing, and exporting DBMSs, assigning DBMSs to servers, viewing and updating connection properties, and more.

Systems submenu
  Adds one new option to the Systems submenu:
  • Credential Catalog — Manage predefined sets of credentials that can be assigned to multiple databases.

Policy submenu
  Adds two new options to the Policy submenu:
  • DVM Checks — View, add, and edit DVM checks.
  • DVM Scans — Define, edit, schedule, and run DVM scans to identify risks and problems on your DBMSs.

Reporting submenu
  Adds one new option to the Reporting submenu:
  • Database Security Events — View events detected by DVM checks and scans.

Permission sets
  Adds these preconfigured user roles:
  • Database Security Administrator — By default, the Database Security Administrator can create, edit, or delete Scheduler tasks and queries. This user can view and edit all DVM properties, including permission and policy configurations, dashboards, and the credential catalog. This user can also view, delete, and purge events.
  • Database Security Operator — By default, the Database Security Operator can view the System Tree and all DVM properties, the audit log, credential catalog, and can edit the dashboards. This user can also view the events in the Threat Event Log.
  • Database Security Reviewer — By default, the Database Security Reviewer can view the System Tree, DVM results, and weak passwords.

Uninstall the extension

You can uninstall the McAfee Vulnerability Manager for Databases extension using the McAfee ePO console.

Uninstalling an extension permanently deletes its data.

McAfee Vulnerability Manager for Databases uses two extensions, the Database Security extension and the Advanced Management extension.
If the Advanced Management extension was installed for use by McAfee Vulnerability Manager for Databases only, it can be uninstalled together with the Database Security extension.

Task
For option definitions, click ? in the interface.

1 Click Menu | Software | Extensions.
2 From the Extensions list, select Database Security and the corresponding Help Content extension, then click Remove.
3 When prompted to confirm, click OK.
4 If Database Security was the only product installed that uses the Advanced Management extension, select it from the Extensions list, then repeat steps 2 through 4 to remove the extension.

The DBMS systems are not automatically removed from the System Tree. If necessary, you can delete them manually.

3 Database configuration

McAfee Vulnerability Manager for Databases can be used to scan the databases configured in the McAfee ePO System Tree for vulnerabilities and security-related problems.

Contents
• Overview
• Add a DBMS to the System Tree
• Import a DBMS into the System Tree
• Edit DBMS name and description
• Edit the DBMS advanced properties
• Remove a DBMS from the System Tree
• Scan engine
• Manage credentials
• Manage credential sets
• Enable or disable operating system checks
• Password check exclusions

Overview

McAfee Vulnerability Manager for Databases works within McAfee ePO to remotely connect to and scan databases and their underlying systems, and run database-level and operating system-level checks.

McAfee Vulnerability Manager for Databases connects directly to the databases using JDBC, and to the underlying operating systems using DCOM or SSH. To enable a remote connection, the DBMS must be added to the System Tree as a managed system. No agent installation is required on the host.
McAfee Vulnerability Manager for Databases runs credentialed checks, therefore the credentials (user names, passwords, or certificates) need to be stored in the database configuration. The credentials are used to remotely connect to the DBMS or operating system to perform vulnerability checks.

Add a DBMS to the System Tree

Vulnerability Manager for Databases can be used to scan multiple DBMSs. DBMSs can be added manually to the configuration or they can be imported from a CSV file.

Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then click the Systems tab.
2 Select Actions | Database Vulnerability | Add DBMS (DVM).
3 From the DBMS Type drop-down list, select the database type (for example, Oracle, MSSQL, MYSQL, SQL Azure, PostgreSQL, or Sybase).
4 In the Host/IP field, enter the name or IP address of the host server, then click Test to verify its validity.
5 In the Port field, enter the port number used to connect to the database. Enter more database properties, such as the SID (Oracle system ID) or instance, if required for the selected database type. Click Test to validate the connection properties.
6 (Optional) In the DBMS Credentials section, select the default set of shared credentials to use to connect to this database. The available credential sets are configured in the Credential Catalog.
7 Configure the credentials used to connect to the DBMS in one of the following ways:
  • To use shared credentials from the Credential Catalog to connect to the DBMS, select Credential Set.
  • To use credentials defined for this DBMS only, select Username and Password and enter the user name and password, then click Test Connection to verify their validity.

  The permissions required for the scan vary according to the database type. In most cases, the user requires administrator rights, but does not require write permissions. A DBMS vendor-specific script is provided to enable you to create a user with the minimum required permissions. Click the create scanuser link to download the script. Run the script to create a scan user and enter the resulting user name and password.
8 To enable testing of the operating system, select Enable OS Checks, then configure the credentials used to connect to the operating system:
  • To use shared credentials from the credentials catalog to connect to the operating system, select Use credential set from the credentials repository catalog.
  • To use credentials defined for this DBMS only, select Username and Password, then enter the user name and password.
  • To use a certificate, select Enable Certificate and upload the certificate, then enter the user name and password.
9 Click Test OS Connection to validate the credentials.
10 (Optional) In the Advanced section, configure an alternative JDBC connection string and the connection properties to be used by technical support personnel for troubleshooting or as an alternative connection.
11 (Optional) In the Scan Engine section, configure the scan engine for this database to reduce the load on McAfee ePO.
  a From the Scan Engine drop-down list, select a system where the scan engine is deployed.
  b Click Test Connection.

  If a scan engine is selected, all connection tests on this page are carried out through the McAfee Agent and not through McAfee ePO itself. The name of the engine appears in the Server Task Log when the scan is run.
12 (Optional) To allow connections to the DBMS through tunnels, select Enable Tunnel, then click Configure Tunnel to set the tunnel properties.
13 Click OK.

Import a DBMS into the System Tree

You can import one or more DBMSs into the System Tree using a CSV file.

Before you begin
Prepare a CSV file that includes a line for each DBMS, containing the DBMS properties as a comma-separated list, in the following format:

  NAME,DBTYPE,DBHOST,DBPORT,DBSID,DBUSERNAME,DBPASSWORD,INSTANCE,USEPORT,VA_CON_URL,ENABLE_OS,OS_CON_TYPE,OSUSERNAME,OSPASSWORD,OSPORT,OS_CERTIFICATE,ENABLE_TUNNEL,TUNNEL_HOST,TUNNEL_PORT,TUNNEL_USERNAME,TUNNEL_PASSWORD,TUNNEL_CERTIFICATE,CREDNETIAL_SET,CRED_USE_DB,CRED_USE_OS,CRED_USE_TUNNEL,ADVANCED_PROPS

Include a header or blank line at the beginning of the file, because the import process imports data starting with the second line of the file.

Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | System Tree, then click the Systems tab.
2 Select Actions | Database Vulnerability | Import DBMS.
3 Select the CSV file containing the DBMS information.
4 Click OK.

Edit DBMS name and description

You can edit the name and description of an existing DBMS.

Task
For option definitions, click ? in the interface.

1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit DBMS Name/Description.
2 Edit the DBMS name and/or description, then click OK.

Edit the DBMS advanced properties

The advanced properties of a DBMS are used to change the JDBC communication properties.

These properties should only be edited per specific instructions from McAfee technical support.

Task
For option definitions, click ? in the interface.

1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Advanced Properties.
2 Edit the DBMS connection parameters, then click OK.

Remove a DBMS from the System Tree

If you no longer need to monitor the activity of a DBMS, you can remove it from the System Tree.

Task
For option definitions, click ? in the interface.

1 On the Systems tab, select the DBMS, then select Actions | Directory Management | Delete.
2 When prompted to confirm, click OK.

The DBMS is removed from the System Tree and its activity is no longer monitored.

Scan engine

The McAfee scan engine is a managed product that can be used in conjunction with DVM to lighten the workload placed on the McAfee ePO server.

In large-scale deployments that include multiple databases in remote sites, the scan process can become inefficient, complicated, and resource heavy. When the scan engine is used, the McAfee ePO server connects to the scan engine, which connects to the databases to execute the scan. This sequence reduces the number of connections from the centralized McAfee ePO server to the target databases, offloads the scan process from McAfee ePO itself, and improves network security by avoiding opening database ports from the McAfee ePO server to the target databases.

You can deploy the scan engine in the same way as any managed McAfee product. The scan engine can be deployed at the host itself, with different drivers providing greater flexibility and increased security. After its deployment, the scan engine can be assigned to databases from their respective DBMS properties pages.

Manage credentials

You can manage the credentials used to connect to the database, based on connection type and operating system. You can also create sets of shared credentials for use by groups of databases, operating systems, or tunnels.

Tasks
• Edit DBMS credentials: You can update the credentials that are used by the DBMS to connect to the database.
• Edit operating system credentials: You can update the credentials used to connect to the operating system that hosts the DBMS.
• Edit tunnel properties: You can update the credentials that are used to authenticate the DBMS when connecting to the host through another host over an SSH connection. Alternatively, you can upload a tunnel certificate or apply the credentials contained in an existing credential set to a selected DBMS.

Edit DBMS credentials

You can update the credentials that are used by the DBMS to connect to the database.

Task
For option definitions, click ? in the interface.

1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit DBMS Credentials.
2 Enter the user name and password.
3 Click Test Connection to validate the credentials.
4 Click Save.

Edit operating system credentials

You can update the credentials used to connect to the operating system that hosts the DBMS.

Task
For option definitions, click ? in the interface.

1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit OS Credentials.
2 Edit the operating system credential details.
3 Click Test OS Connection to validate the updated credentials.
4 Click Save.

Edit tunnel properties

You can update the credentials that are used to authenticate the DBMS when connecting to the host through another host over an SSH connection. Alternatively, you can upload a tunnel certificate or apply the credentials contained in an existing credential set to a selected DBMS.

Task
For option definitions, click ? in the interface.

1 On the Systems tab, select the DBMS, then select Actions | DBMSs DVM | Edit Tunnel Properties.
2 In the Host and Port fields, specify the Host IP address or server name and port used to connect to the host.
3 In the Tunnel Credentials section, select one of the following options:
  • Credential Set: Use the tunnel credentials in the credential set assigned to this DBMS.
  • Username and Password: Use a user name and password for authentication. If selected, enter the required username and password.
  • Enable Tunnel Certificate: Use a tunnel certificate for authentication.
    If selected, click Browse to locate and upload the tunnel certificate. Enter the required user name and password, select the applicable types of connections, then click Save.
4 To test the connection to the DBMS, click Test Connection.
5 To test the connection to the operating system, click Test OS Connection.
6 Click Save.

The tunnel is configured and the tunnel credentials or certificate are applied to the DBMS.

Manage credential sets

Credential sets enable you to assign a shared set of credentials to multiple databases without the need to manually enter them for each database. Credential sets are managed in the Credential Catalog.

Tasks
• Overview: A credential set can contain different credentials for different types of databases, operating systems, and tunnels. Credential sets are managed in the Credential Catalog.
• Add a credential set: You can add credential sets and assign them to DBMSs that share credentials for specific types of databases, operating systems, or tunnels.
• Edit credential set metadata: You can edit the name and description of an existing credential set.
• Add credentials to a credential set: You can add the credentials for different types of databases, operating systems, and tunnels to a single credential set. The credentials are added separately for each type of database, operating system, or tunnel.
• Edit the credentials in a credential set: You can edit the credentials defined in a credential set.
• Delete credentials from a credential set: You can remove credentials from a credential set.
• Delete a credential set: You can delete a credential set that is no longer required.
• Edit the DBMS credential set: You can edit the DBMS credentials using credential sets. You can change the credential set configured for the DBMS, or you can specify which credentials in the set to use for this DBMS.

Overview

A credential set can contain different credentials for different types of databases, operating systems, and tunnels. Credential sets are managed in the Credential Catalog.

The existing credential sets are listed in the Credential Catalog. Select a credential set from the list to view the types of database, operating system, and tunnel credentials included in the credential set, and their respective credentials.

Add a credential set

You can add credential sets and assign them to DBMSs that share credentials for specific types of databases, operating systems, or tunnels.

Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | Credential Catalog.
2 On the Credential Catalog page, select Credential Set Actions | New Credential Set.
3 On the New Credential Set page, enter the name of the credential set and an optional description.
4 Click OK.

The credential set is empty until you add specific credentials to it.

Edit credential set metadata

You can edit the name and description of an existing credential set.

Task
For option definitions, click ? in the interface.

1 Click Menu | Systems | Credential Catalog.
2 Select the credential set, then select Credential Set Actions | Edit Credential Set.
3 Edit the name and description of the credential set, then click OK.

Add credentials to a credential set

You can add the credentials for different types of databases, operating systems, and tunnels to a single credential set. The credentials are added separately for each type of database, operating system, or tunnel.

Task
For option definitions, click ? in the interface.

1 On the Credential Catalog page, select the credential set, then select Credential Set Actions | Add Credential.
2 From the Credential Type drop-down list, select the type of database, operating system, or tunnel where you want to add credentials.
3 Enter the credential user name and password.
4 Enter a brief description of the use case for these credentials.
5 Click OK.
Repeat for additional types of databases, operating systems, or tunnels.

Edit the credentials in a credential set
You can edit the credentials defined in a credential set.

Task
For option definitions, click ? in the interface.
1 On the Credential Catalog page, select the credential set.
  The existing credentials for the selected set are listed under Credential Set Details.
2 Select the Edit Credential link for the credential type that you want to edit.
3 Update the user name and password.
4 Click OK.

Delete credentials from a credential set
You can remove credentials from a credential set.
Credentials removed from a credential set are also removed from any assets where the set was previously assigned. You must add new credentials or assign a different credential set to access those assets in the future.

Task
For option definitions, click ? in the interface.
1 On the Credential Catalog page, select the credential set.
  The existing credentials for the selected set are listed under Credential Set Details.
2 Select the Delete Credential link for the credential type that you want to delete.
3 When prompted to confirm, click OK.

Delete a credential set
You can delete a credential set that is no longer required.
If a credential set is deleted, the corresponding credentials are removed from any assets where the set was previously assigned.

Task
For option definitions, click ? in the interface.
1 On the Credential Catalog page, select the credential set, then select Credential Set Actions | Delete Credential Set.
2 When prompted to confirm, click OK.
Edit the DBMS credential set
You can edit the DBMS credentials using credential sets. You can change the credential set configured for the DBMS, or you can specify which credentials in the set to use for this DBMS.

Task
For option definitions, click ? in the interface.
1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit DBMS Credentials.
2 To assign a credential set to the DBMS, select the set from the Credential Set drop-down list.
3 To use the credentials in the credential set for specific types of connections, select the corresponding checkboxes.
  If the checkbox for a connection type is not selected, that type of credential is not used regardless of whether it is included in the credential set.
4 Click Save.

Enable or disable operating system checks
You can configure whether or not operating system checks are performed on a DBMS host.

Task
For option definitions, click ? in the interface.
1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Enable/Disable OS Checks.
2 Select either Enable or Disable, then click OK.

Password check exclusions
When a user is omitted from the password check process, the user password is not checked against the weak password dictionary. Sometimes, it is necessary to exclude a user when a specific user password is known to be weak but can't be changed. Multiple users can be excluded from the password check process for a DBMS.

Exclude users from password checks
You can exempt specific users from the password strength compliance check for a specific DBMS.

Task
For option definitions, click ? in the interface.
1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit Password Check Exclusions.
2 Enter the user name of the user to exempt from the password checks, then click OK.
  To exempt more than one user, enter the user names as a comma-separated list.
The passwords of the specified user names are not checked for compliance.

Include users in password checks
You can remove users from the password-strength compliance check exemption list. For example, you can reinforce weak password checks on users for a specific DBMS.

Task
For option definitions, click ? in the interface.
1 On the Systems tab, select the DBMS, then select Actions | Database Vulnerability | Edit Password Check Exclusions.
2 Delete the user names from the password check exemption list, then click OK.

4 Database vulnerability checks
Database vulnerability (DVM) checks are used to identify the existence of a specific condition or vulnerability, check security patch levels, and discover weak passwords.

Contents
• Overview
• View the database vulnerability checks list
• View database vulnerability check details
• Add a custom database vulnerability check
• Delete a custom database vulnerability check
• Edit database vulnerability checks
• Edit database vulnerability check metadata
• Export database vulnerability checks
• Import database vulnerability checks
• Reset predefined database vulnerability checks
• Custom check syntax examples

Overview
DVM checks are the building blocks of every DVM scan. McAfee Vulnerability Manager for Databases includes thousands of predefined checks organized in categories and groups. In addition, you can define custom checks and include them in DVM scans in combination with predefined checks.

Check categories and groups
The predefined checks are automatically grouped into default categories. Each predefined check is assigned to a single category that reflects its main focus. Custom checks are automatically assigned to the "custom" category.
Check groups are used to include multiple checks in a scan without the need to add them individually. Each check can be assigned to multiple check groups, with the check remaining in its original category.
Each check category has a check group of the same name. The check group automatically includes all checks in the corresponding category.
You can add checks to a check group. All checks in a group are included in a scan when that category is selected in the scan definition, even if the additional checks are not listed under the category on the DVM Checks page.

View the database vulnerability checks list
The checks list includes all checks, both predefined and custom checks. You can view all of the checks in the list or you can view the checks in a specific category.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | DVM Checks.
  The Database Vulnerability Manager - DBMS Checks page lists the name, severity, and a brief description of each check. The checks list includes predefined checks and any existing custom checks.
2 To view the checks for a specific category, select the category in the left pane.
3 (Optional) Sort the checks according to a specific column by clicking the column header.
4 (Optional) Use the Quick find option to search for a specific check or a check that contains a specific term.

View database vulnerability check details
You can view a summary of the properties of a specific vulnerability check, including the check name, ID, description, severity, and check groups.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | DVM Checks.
2 On the Database Vulnerability Manager - DBMS Checks page, click the name of the check to view its details.
Add a custom database vulnerability check
A custom database vulnerability check identifies the existence of a specific condition or vulnerability, based on a Yes/No test, or it can return a set of relevant data. You can define new custom checks and include them in vulnerability scans.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | DVM Checks.
2 Select the check category in the left pane, then select Actions | Add New DBMS Check.
3 In the Check Name field, enter a name for the check.
4 From the Result Type drop-down list, select the type of check results you want.
5 In the Check (SQL Query/OS Script) field, enter the check parameters in SQL command format. For example:
  The following ResultSet check returns a list of users granted the DBA role when run on an Oracle database:

    select * from dba_role_privs where granted_role = 'DBA'

  The following Yes/No command returns a Yes result if dynamic SQL is detected in Oracle outside of SYS:

    select 'yes' from dual where exists (select 1 from dba_source where upper(text) like '%EXECUTE IMMEDIATE%' and owner <> 'SYS');

  For additional examples, see Custom check syntax examples.
6 From the Severity drop-down list, select the level of severity to be assigned to the check results.
7 In the Check Groups field, enter the check groups to be included in the custom check.
  As you begin to type, the auto-complete feature displays the list of existing check groups. To create a new check group, type in its name.
8 From the System Check Groups drop-down list, select one or more check groups (DBMS types) to be included in the operating system check.
9 To exclude one or more DBMSs from this check, click Remove Check from DBMS, select the databases, then click Select.
10 Click OK.
The check can now be included in DBMS scans.
Delete a custom database vulnerability check
If a custom database vulnerability check is no longer required, you can remove it from the checks list. You can't delete predefined checks.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | DVM Checks.
2 On the DBMS Check Details page, select the check, then select Actions | Delete DBMS Check.
3 When prompted to confirm, click OK.

Edit database vulnerability checks
You can edit the properties of predefined and custom database vulnerability checks. You can't view or edit the SQL query or operating system script of a predefined check.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | DVM Checks.
2 Select the check to edit, then select Actions | Edit DBMS Check.
3 Edit the check properties, then click OK.
The check is available to include in database vulnerability scans.

Edit database vulnerability check metadata
The database vulnerability check metadata includes the check name, severity, and a brief description. You can edit the metadata of both predefined and custom checks.

Task
For option definitions, click ? in the interface.
1 In the DBMS Check Details page, select the check, then select Actions | Edit Metadata.
2 In the Edit Check Metadata page, edit the check metadata, then click OK.
If a custom description is defined, it appears in the events and reports instead of the original description. To view both descriptions, copy the original description and paste it into the custom description.

Export database vulnerability checks
You can export vulnerability check details into an XML file, for example, to copy checks from one system to another.

Task
For option definitions, click ? in the interface.
1 Click Menu | Policy | DVM Checks.
2 On the DBMS Check Details page, select one or more checks, then select Actions | Export DBMS Checks.
3 When prompted to confirm, click Yes.

Import database vulnerability checks
You can import database vulnerability checks from an XML file, for example, to copy custom checks from one system to another.

Task
For option definitions, click ? in the interface.
1 On the Database Vulnerability Manager - DBMS Checks page, select Actions | Import DBMS checks.
2 Select the XML file containing the vulnerability checks, then click OK.
The checks are uploaded and added to the checks list.

Reset predefined database vulnerability checks
The properties of predefined vulnerability checks can be reset to their default values.

Task
For option definitions, click ? in the interface.
1 Do one of the following:
  • In the DVM Check Details list, select one or more predefined checks, then select Actions | Reset Predefined DBMS Check.
  • On the DVM Check Details page for a selected DBMS, select Actions | Reset Predefined DBMS Check.
2 When prompted to confirm, click Yes.

Custom check syntax examples
The following sections provide examples of different types of vulnerability check parameters in SQL command format.

Data Discovery
A data discovery check samples data from a list of tables and looks for a specific pattern. This check is commonly used to identify tables that hold sensitive information such as credit card numbers, IDs, or financial data.
By default, the check samples the first 10 rows in each searched table and returns the table name if five or more rows contain relevant data. To change the defaults, contact technical support.
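The sampling rule described above, shown as an added example that is not part of the product guide: it applies the credit card and SSN patterns that this Data Discovery section lists to constructed SQLite tables, using the documented defaults (first 10 rows, five or more matching rows). The guide does not state how a matching row is counted, so counting a row when any column value contains a match is an assumption here, as are all function names, table names and data.

```python
import re
import sqlite3

# Patterns as listed in the guide's Data Discovery section. The guide targets
# Java regex; these expressions behave the same under Python's re module.
CREDIT_CARD = re.compile(
    r"(\d{4}[\s|-]?\d{4}[\s|-]?\d{4}[\s|-]?\d{4})|(\d{4}[\s|-]?\d{6}[\s|-]?\d{5})"
)
SSN = re.compile(r"(\d{3}-\d{2}-\d{4})")

SAMPLE_ROWS = 10  # documented default: first 10 rows of each searched table
MIN_HITS = 5      # documented default: report at five or more matching rows


def list_tables(conn):
    """Tables to sample; stands in for the all_tables / INFORMATION_SCHEMA query."""
    cur = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    )
    return [name for (name,) in cur]


def matching_rows(conn, table, pattern, sample_rows=SAMPLE_ROWS):
    """Count sampled rows where any column value contains a match (assumption)."""
    quoted = '"' + table.replace('"', '""') + '"'
    cur = conn.execute(
        f"SELECT * FROM {quoted} ORDER BY rowid LIMIT ?", (sample_rows,)
    )
    return sum(
        1 for row in cur
        if any(v is not None and pattern.search(str(v)) for v in row)
    )


def discover(conn, pattern, sample_rows=SAMPLE_ROWS, min_hits=MIN_HITS):
    """Return the names of tables whose sample reaches the match threshold."""
    return [
        t for t in list_tables(conn)
        if matching_rows(conn, t, pattern, sample_rows) >= min_hits
    ]


def build_sample_db():
    """Constructed data for the demonstration; card values are public test numbers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payments (id INTEGER, card TEXT)")
    cards = [
        "4111 1111 1111 1111", "4111-1111-1111-1111", "4111111111111111",
        "3782 822463 10005",
        "4111|1111|1111|1111",  # matches: '|' inside [...] is a literal character
        "n/a",
    ]
    conn.executemany("INSERT INTO payments VALUES (?, ?)", list(enumerate(cards)))

    # SSN-shaped values appear only from row 8 on, so the 10-row sample sees three.
    conn.execute("CREATE TABLE customers (id INTEGER, ssn TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [(i, f"000-00-{i:04d}" if i >= 8 else None) for i in range(1, 13)],
    )

    # No card data, but 16-digit order numbers satisfy the card pattern.
    conn.execute("CREATE TABLE audit_log (id INTEGER, message TEXT)")
    conn.executemany(
        "INSERT INTO audit_log VALUES (?, ?)",
        [(i, f"order 20140101120000{i:02d} shipped") for i in range(6)],
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("credit card pattern:", discover(db, CREDIT_CARD))
    print("SSN pattern, 10-row sample:", discover(db, SSN))
    print("SSN pattern, 12-row sample:", discover(db, SSN, sample_rows=12))
```

On the constructed data the 10-row sample misses `customers` because its SSN-shaped values start at row 8, and `audit_log` is reported although it holds only order numbers. The pipe-separated value in `payments` counts as a match because `[\s|-]` accepts `|` as a separator, which is what brings that table to the five-row threshold.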
For example, to select the list of tables to sample:

Oracle:

    select '"'||owner||'"."'||table_name||'"' as FQN, owner as SCHEMA, table_name as "TABLE" from all_tables

MSSQL:

    select '['+TABLE_CATALOG+'].['+TABLE_SCHEMA+'].['+TABLE_NAME+']' as FQN,TABLE_CATALOG as [DB],TABLE_SCHEMA as [schema],TABLE_NAME as [table] from INFORMATION_SCHEMA.TABLES

For example, to set the data regular expression or pattern to search for:

Credit card number:

    (\d{4}[\s|-]?\d{4}[\s|-]?\d{4}[\s|-]?\d{4})|(\d{4}[\s|-]?\d{6}[\s|-]?\d{5})

SSN:

    (\d{3}-\d{2}-\d{4})

For a full description of how to create a regular expression, see http://java.sun.com/javase/6/docs/api/java/util/regex/Pattern.html.
By default, the test samples the first 10 rows in each searched table and returns the table name if five or more rows contain relevant data. To change the defaults, contact technical support.

DBMS result set
A DBMS result set runs an SQL query to gather information on database permissions or configuration settings.
For example, to show a list of users and their roles:

Oracle:

    select grantee,granted_role from dba_role_privs order by 1,2

MSSQL:

    select b.name as UserName, c.name as RoleName from sysmembers a join sysusers b on a.memberuid = b.uid join sysusers c on a.groupuid = c.uid order by 1,2

DBMS script result set
A DBMS script result set is similar to the DBMS result set; however, you can include additional commands after the select statement.
For example, to gather information from a log table and delete the records after fetching them:

Oracle:

    select * from log_table;
    delete log_table;

MSSQL:

    select * from test.dbo.log_table
    go
    delete test.dbo.log_table
    go

DBMS yes/no
A DBMS yes/no check runs an SQL query that returns yes or no. A finding is reported only if the query returns yes.
For example, to check whether or not a database configuration parameter has a specific value:

Oracle:

    select 'yes' from dual where not exists (select 1 from v$parameter where name ='remote_login_passwordfile' and upper(value)='NONE')

MSSQL:

    SELECT 'yes' from master.sys.configurations where name='remote access' and value=1

UNIX result set
A UNIX shell script that returns some information from the operating system can be used to gather file permissions, operating system users, or any other operating system-level information. Every line of the output must be preceded by "=#=#=" to be included in the results.
For example, to list operating system users:

    echo "=#=#=Y"
    cat /etc/passwd | awk -F: '{print "=#=#="$1}'

UNIX yes/no
A UNIX yes/no check is a UNIX shell script that returns a yes (=#=#=Y) or no (=#=#=N) result. A finding is reported only if the script returns a yes result.
For example, to check if the standard Oracle listener ports are in use:

    # Collect any PORT entry in listener.ora that uses 1521 or 1526
    port=`grep '(\s*PORT\s*=\s*152[16]\s*)' $ORACLE_HOME/network/admin/listener.ora`
    # expr prints 0 when $port is not empty, that is, when a standard port was found
    if [ `expr "$port" = ""` -eq 0 ]
    then
        echo "=#=#=Y"
        echo "=#=#=Standard ports in listener.ora"
    else
        echo "=#=#=N"
    fi

Windows result set
A Windows shell script that returns some information from the operating system can be used to gather file permissions, operating system users, or any other operating system-level information. Every line of the output must be preceded by "=#=#=" to be included in the results.
For example, to get a list of services:

    var objWMIService = GetObject("winmgmts:\\\\.\\root\\cimv2");
    var res = objWMIService.ExecQuery("select * from Win32_Service");
    var enumItems = new Enumerator(res);
    // Start with the yes header, then append one prefixed line per service
    var msg_text = "=#=#=Y";
    for (enumItems.moveFirst(); !enumItems.atEnd(); enumItems.moveNext()) {
        var svc = enumItems.item();
        msg_text += "\n=#=#=" + svc.Name + " status: " + (svc.Started ? "running" : "stopped");
    }
    WScript.Echo(msg_text);

Windows yes/no
A Windows yes/no check is a Windows shell script that returns a yes (=#=#=Y) or no (=#=#=N) result. A finding is reported only if the script returns a yes result.
For example, to check whether SQL Server 2008 is installed:

    var TEST_FAIL_HEADER = "=#=#=Y\n";
    var TEST_OK = "=#=#=N";
    try {
        // The WMI namespace exists only when SQL Server 2008 is installed
        objWMIService = GetObject("winmgmts:\\\\.\\root\\Microsoft\\SqlServer\\ComputerManagement10");
        WScript.Echo(TEST_OK);
    } catch (e) {
        WScript.Echo(TEST_FAIL_HEADER + "=#=#=MS SQL Server 2008 is not installed on this machine");
    }

5 Database vulnerability scans
McAfee Vulnerability Manager for Databases enables you to configure database scans to identify a wide range of risks and problems, such as weak passwords or missing patches.
An individual DVM scan consists of selected checks (which can include check groups and categories), selected severity levels, the target DBMSs, and (optionally) scheduling details.

Contents
• Define a database vulnerability scan
• Assign DBMS groups and DBMSs to DVM scans
• Schedule a database vulnerability scan
• Remove a database vulnerability scan from the schedule
• Run a database vulnerability scan manually
• Delete a database vulnerability scan
• View DVM scan results
• View the DVM Events list
• View DVM event details
• Dashboards and monitors for Vulnerability Manager for Databases
• Queries and reports for McAfee Vulnerability Manager for Databases

Define a database vulnerability scan
A database vulnerability scan runs one or more groups of checks on the database. Scans can be scheduled at set time intervals or they can be run on demand.

Task
For option definitions, click ? in the interface.
1 Select Menu | Policy | DVM Scans, then select DBMS Scan Actions | New DBMS Scan.
2 In the DVM Scan Name field, enter a name for the scan.
  We recommend that the name indicate the nature of the scan (for example, "Monthly vulnerability scan of production databases").
3 Click DBMS Assignment to select the DBMS groups or DBMSs to run the scan on.
4 In the Select Groups tab, select the check groups that contain the checks to be included in the scan.
5 Click Selected Checks.
  The checks included in the selected groups are listed in the Selected Checks tab.
6 Select the checks to include in the scan or click the checkbox in the top row to select or deselect all checks.
  The number of selected checks is indicated below the checks list.
7 Select the severity levels to be included in the scan.
8 (Optional) Enter a brief description or comment.
9 (Optional) Enable the scheduler, then schedule the scan to run at regular intervals.
10 In the Advanced section, enable or disable these options.
  • Clear Password Cache (Rescan all users) — Clears the password cache and checks the strength of all user passwords, including passwords detected as weak in previous scans.
  • Store Detected Weak Passwords in the ePO Database — Encrypts and stores weak passwords in the database. The passwords appear in reports as clear text.
11 Click OK.
If the scan is enabled, you can run it now.

Assign DBMS groups and DBMSs to DVM scans
You can select the DBMS groups and DBMSs to include in a database vulnerability scan. You can also edit the DBMS assignments of an existing scan.

Task
For option definitions, click ? in the interface.
1 Do one of the following:
  • On the New DBMS page, click DBMS Assignment.
  • On the Database Vulnerability Manager - DBMS Scans page, select the scan, then click Edit for the DBMS assignment.
2 To assign a DBMS group and its members to the scan, select the group in the DBMS Group Assignment tab.
3 To assign a specific DBMS to the scan, select it in the DBMS Assignment tab.
4 Click OK.

Schedule a database vulnerability scan
You can schedule a database vulnerability scan to run at regular intervals, for a limited period of time, or on an ongoing basis.

Task
For option definitions, click ? in the interface.
1 Do one of the following:
  • New scan — On the New DBMS page, select Enable Scheduler.
  • Schedule an existing scan — On the DVM Scans page, select the scan, then click the Edit link in the scan run details.
2 From the Schedule Type drop-down list, select one of these scheduling options:

  To run a scan...                  Select...
  At intervals throughout the day   Select Hourly and indicate the time interval between scans.
  More than once a day              Select Daily and indicate the times to run the scan.
  On a weekly basis                 Select Weekly and select the days of the week and the times to run the scan.
  On a monthly basis                Select Monthly and indicate the days of the month and the times to run the scan.
  On a yearly basis                 Select Yearly and indicate the days of the year and the times to run the scan.
  On a custom basis                 Select Advanced and enter a command in cron syntax to indicate when and how often to run the scan.

3 Set the timeframe for running the scheduled scan:
  • To automatically run the scan for a limited time, set the start and end dates and times.
  • To schedule the scan to run indefinitely, set the start time and select No end date.
4 (Optional) Define a blackout window (time frame), during which the scan automatically pauses.
  a Select Enable Blackout Scheduler.
  b From the Schedule Type drop-down list, select a scheduling option.
  c In the Start date field, set the earliest date for the blackout window.
  d In the Schedule fields, set the start time and duration of the blackout window.
5 Click OK.
Remove a database vulnerability scan from the schedule
You can remove a database vulnerability scan from the schedule so that it no longer runs automatically.

Task
For option definitions, click ? in the interface.
1 Select Menu | Policy | DVM Scans.
2 On the Database Vulnerability Manager - DBMS Scans page, select the scan, then select DBMS Scan Actions | Edit DBMS Scan.
3 Deselect Enable Scheduler, then click OK.
The schedule for the scan is disabled. You can manually run the scan from the DVM Scans page.

Run a database vulnerability scan manually
In addition to scheduling database vulnerability scans to run at specific times, you can manually run a DVM scan at any time.

Task
For option definitions, click ? in the interface.
1 Select Menu | Policy | DVM Scans.
2 On the Database Vulnerability Manager - DBMS Scans page, select the scan, then click the corresponding Run DBMS Scan link.
  The Stop and Pause links are displayed while the scan runs. To pause the scan, click Pause. To continue a paused scan from where it left off, click Resume.
The scan results include the name of the DBMS and the number of findings for each severity level.

Delete a database vulnerability scan
You can delete a database vulnerability scan that is no longer needed.

Task
For option definitions, click ? in the interface.
1 Select Menu | Policy | DVM Scans.
2 On the Database Vulnerability Manager - DBMS Scans page, select the scan, then select DBMS Scan Actions | Delete DBMS Scan.
3 When prompted to confirm, click OK.

View DVM scan results
You can view the results of scheduled and manually run scans on the Database Vulnerability Manager - DBMS Scans page.

Task
For option definitions, click ? in the interface.
1 On the Database Vulnerability Manager - DBMS Scans page, select a scan.
  The results of the most recent run of the selected scan are displayed under Scan Summary, including the name of the DBMS and the number of findings for each severity level.
2 Click the number of findings to view the itemized list of findings for the respective severity level.

View the DVM Events list
The DVM Events page lists the database vulnerability scan findings.

Task
For option definitions, click ? in the interface.
1 Click Menu | Reporting | Database Security Events, then select the DVM Events tab.
  The DVM Events tab lists the event ID and severity, as well as information on the scan and specific check that detected the event.
2 (Optional) Sort the events according to a specific column by clicking the column header.
3 (Optional) To view the details of a specific event, click the event row.

View DVM event details
You can view the details of a specific DVM event, including a description of the vulnerability, its implications, and an SQL Fix (if available).

Task
For option definitions, click ? in the interface.
1 On the DVM Events tab, click the name of the event.
2 (Optional) Click Exclude Check from DBMS to exclude a DBMS from this check in the future, then click OK when prompted to confirm.

Dashboards and monitors for Vulnerability Manager for Databases
When the extension is installed, two preconfigured dashboards are created: Database Security and Database Security — Management. The dashboards display general database security monitors, including Vulnerability Manager for Databases-specific monitors.
Dashboards are collections of monitors that are essential for managing your environment. You can create and edit multiple dashboards if you have the appropriate permissions.
By default, these data monitors appear in the Database Security dashboard:

  This monitor...                                 Shows...
  DVM: Recent Events by Category — Last 30 Days   Distribution of recent events by category.
  DVM: Recent Events by Severity — Last 30 Days   Distribution of recent events by severity.
  DVM: Recent Events by DBMS and Category         Distribution of recent events by DBMS and category.

By default, these data monitors appear in the Database Security — Management dashboard:

  This monitor...                                 Shows...
  Database Security Detected DBMS                 DBMS instances detected by Database Security.
  DVM: Database Security DBMSs per Scan Engine    Breakdown of database instances by configured scan engines.
  DVM: Scan Engine Versions                       Breakdown of the scan engine versions.
  DAM: DBMS Monitoring State                      Breakdown of DAM DBMS instances by monitoring state.
  DAM: Sensors per State                          Breakdown of the sensor states.
  DAM: Sensor Versions                            Breakdown of the sensor versions.

Custom dashboards
You can create custom dashboards and select which monitors and queries to display. For information about creating and using dashboards, see the ePolicy Orchestrator documentation.

Queries and reports for McAfee Vulnerability Manager for Databases
The extension includes query and report generation through the ePolicy Orchestrator software. You can create queries from properties stored in the ePolicy Orchestrator database. For more information, see the ePolicy Orchestrator documentation.
Organize and maintain custom queries to suit your needs, then use them to run reports. You can export reports into various file formats.

Custom queries and reports
You can create customized queries and reports with Query Builder. The result types selected in Query Builder identify what type of data the query retrieves. The McAfee Vulnerability Manager for Databases extension adds the Database Vulnerability group of Result Types.
This group contains a set of query targets related to database security.

  Result type                        Shows this information...
  Database Security DBMSs            Monitored DBMSs
  Database Security Detected DBMSs   Content implementation details for virtual patching and vulnerability assessment
  Database Security Repository       Details of Database Security content implementation of virtual patching and vulnerability assessment
  DVM: Check Status                  Check status per scan execution per DBMS
  DVM: Events                        All DBMS vulnerability events
  DVM: Recent Events                 Results of the most recent execution of checks on DBMSs
  DVM: Unique Weak Password Events   Results of the most recent execution of weak password checks
  DVM: Verbose Events                DBMS events, including result set data

For each result type, the extension adds properties in Query Builder for use in custom queries. For more information about creating and using queries and reports, see the ePolicy Orchestrator documentation.