The IBM® InfoSphere® Guardium® Database Vulnerability Assessment (VA) module scans the database infrastructure for vulnerabilities and uses real-time and historical data to continuously evaluate your security posture. It includes a comprehensive library of preconfigured tests based on industry best practices, such as the Center for Internet Security (CIS) benchmarks and the Database Security Technical Implementation Guides (STIGs) published by the US Department of Defense (DoD). These tests check for common weaknesses such as missing patches, weak passwords, misconfigured privileges and default accounts, as well as vulnerabilities specific to each DBMS platform.
This post records the steps to configure IBM Guardium Vulnerability Assessment.
Preparing for the vulnerability assessment
1 Download the script to run on the DB server to create the user and grant the required privileges
Log in to the CLI of your IBM Guardium Central Manager with an SSH client.
Log in as the guardcli1 user.
Set your guiuser (the CLI prompts for that GUI user's password and answers ok or err), then start the file server with fileserver <your client IP> <timeout in seconds>. The file server listens on port 8445, only accepts connections from the IP you supply, and shuts down when you press ENTER or the timeout expires, so stop it as soon as the download is done.
```text
login as: guardcli1
Pre-authentication banner message from server:
|
| IBM Guardium, Command Line Interface (CLI)
|
End of banner message from server
[email protected]'s password:
Access denied
[email protected]'s password:
Last failed login: Wed Jul  3 10:17:36 EDT 2019 from 10.10.136.2 on ssh:notty
There was 1 failed login attempt since the last successful login.
Welcome guardcli1 - this is your first login in this system.
Your password has expired.
Changing password for 'guardcli1'.
Enter current password:
Enter new password:
Re-enter new password:
Bad password: it is based on a dictionary word
Changing password for 'guardcli1'.
Enter current password:
Enter new password:
Re-enter new password:
test-igcm1.51sec.org> set guiuser admin
Enter current password:
err
test-igcm1.51sec.org> set guiuser jyan
Enter current password:
ok
test-igcm1.51sec.org>
test-igcm1.51sec.org>
test-igcm1.51sec.org> fileserver 10.10.136.2 2600
Starting the file server...
The file server is ready at https://test-igcm1.fabiandinkins.com:8445
The timeout has been set to 2600 seconds and it may timeout during the uploading.
The upload will only be accessible from the IP you are logged in from: 10.10.136.2
Press ENTER to stop the file server.
Warning: Stop the fileserver because of timeout.
The file upload may not complete.
Stopping process
ok
test-igcm1.51sec.org>
```
Open a browser and go to port 8445 of your IBM Guardium Central Manager:
Then click logs \ debug-logs \ gdmmonitor_scripts; this takes you to the page that lists all of the gdmmonitor SQL scripts.
Since we are using a DB2 database as the VA example, click the gdmmonitor-db2.sql file to view its contents.
```sql
--===================================================================================
-- ------------------------------
-- Description
-- ------------------------------
-- Database Type: DB2 LUW
--
-- This script grants the required privileges for VA on the database.
--
--
-- This script must be executed using a DB2 user with either DBADM or SECADM authority.
--
-- This script does not create a user. You can grant these privileges to any user(s) you
-- choose to perform your scan. If you choose to create a new OS user for this function, the Linux syntax
-- can be as simple as:
--
-- groupadd gdmmon
-- useradd -m -d /home/gdm_user -g gdmmon gdm_user
-- passwd gdm_user
--
-- ------------------------------
-- Before running this script
-- ------------------------------
--
-- Make sure you have created an OS group called "gdmmon". Make sure your scan user is a member of the "gdmmon" group.
--
-- ------------------------------
-- How to Run
-- ------------------------------
--
-- You can run these grants in any JDBC client, just make sure the statement separator is set to 'go'
-- You can also run this in the DB2 CLI using the terminator as 'go' which is the default.
--
-- To run this script using the DB2 CLI, run the following:
--
-- db2 connect to <database> user <db2inst1> using <password>
-- db2 -tdgo -vf gdmmonitor-db2.sql
--
-- ------------------------------
-- After running this script
-- ------------------------------
-- Nothing to do
--
-- ------------------------------
-- User/Password to use
-- ------------------------------
-- User: <gdm_user>
-- Pass: user defined
-- Role: gdmmon
--===================================================================================
GRANT CONNECT ON DATABASE TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.COLAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.DBAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.INDEXAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.LIBRARYAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PACKAGEAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PASSTHRUAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROUTINEAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SCHEMAAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SEQUENCEAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TBSPACEAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABLES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.INDEXES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.LIBRARIES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.MODULES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PACKAGES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROUTINES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SCHEMATA TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SEQUENCES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABLESPACES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSIBM.SYSROUTINEAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROLEAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROLES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.CONTEXTS TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.AUDITPOLICIES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.AUDITUSE TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TRIGGERS TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.MODULES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.NICKNAMES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABCONST TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.THRESHOLDS TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSIBM.SYSDUMMY1 TO GROUP gdmmon
go
-- JDBC Access
GRANT EXECUTE ON PACKAGE NULLID.SYSSH200 TO GROUP gdmmon
go
-- For DB2 8.1 fixpack 9 and higher this table function is needed to determine the database version
-- IF YOU ARE RUNNING AN OLDER VERSION, YOU MAY SEE ERRORS ON THESE GRANTS, WHICH CAN BE IGNORED
GRANT EXECUTE ON FUNCTION SYSPROC.ENV_GET_INST_INFO TO GROUP gdmmon
go
GRANT EXECUTE ON FUNCTION SYSPROC.ENV_GET_SYS_INFO TO GROUP gdmmon
go
-- SYSPROC.ADMIN_GET_ENCRYPTION_INFO is available in DB2 10.5 and higher.
GRANT EXECUTE ON FUNCTION SYSPROC.ADMIN_GET_ENCRYPTION_INFO TO GROUP gdmmon
go
GRANT EXECUTE ON FUNCTION SYSPROC.ENV_GET_REG_VARIABLES TO GROUP gdmmon
go
-- This grant is for DB2 9.5 and above only. This is very important: if the database is created using the RESTRICTIVE option
-- then most privileges are revoked from PUBLIC by default. We need this grant to select certain catalog views, or else an error results.
GRANT USAGE ON WORKLOAD SYSDEFAULTUSERWORKLOAD TO GROUP GDMMON
go
GRANT SELECT ON TABLE SYSIBMADM.PRIVILEGES TO GROUP GDMMON
go
-- These are required to check configuration parameters as of DB2 9.1 and higher
GRANT SELECT ON TABLE SYSIBMADM.DBCFG TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSIBMADM.DBMCFG TO GROUP gdmmon
go
-- These are required for the dependency entitlement queries as of DB2 9.1 and higher
GRANT SELECT ON TABLE SYSCAT.TABDEP TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TRIGDEP TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROUTINEDEP TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PACKAGEDEP TO GROUP gdmmon
go
--
-- DB2 command line privileges are needed to execute queries when the CAS script connects to the database.
-- When a DB2 database is created using the RESTRICTIVE keyword, most objects are not granted to PUBLIC, hence we need this.
-- Therefore we need these privileges to be able to connect to the DB2 command line and issue select queries for VA.
-- The stored procedure below finds package names in the NULLID schema beginning with SQLC2 and grants EXECUTE to the gdmmon group.
-- This stored procedure is tested using DB2 8.2 to the latest DB2 release on various platforms and has the blessing of the DB2 security team.
--
create procedure P_GrantPackage
LANGUAGE SQL
begin
  declare executestring varchar(100);
  declare v_PkgSchema varchar(50);
  declare v_PackageName varchar(50);
  declare SQLCODE int default 0;
  declare c_grant_package cursor for
    SELECT PKGSCHEMA, PKGNAME FROM SYSCAT.PACKAGES WHERE PKGNAME LIKE 'SQLC2%';
  open c_grant_package;
  fetch_loop:
  loop
    fetch c_grant_package into v_PkgSchema, v_PackageName;
    if (SQLCODE <> 0) then
      leave fetch_loop;
    end if;
    set executestring = 'GRANT EXECUTE ON PACKAGE ' || v_PkgSchema || '.' || v_PackageName || ' TO GROUP GDMMON';
    execute immediate executestring;
  end loop fetch_loop;
  close c_grant_package;
end
go
CALL P_GrantPackage
go
drop procedure P_GrantPackage
go
```
We have to follow the instructions in the script header: create the gdmmon OS group on the DB2 server and add gdm_user to it. The script grants everything to the group, so a scan user that is not a member of gdmmon receives nothing.
Once the group exists, run the script on the DB2 server as a user with DBADM or SECADM authority, with the statement terminator set to go (db2 connect to the database, then db2 -tdgo -vf gdmmonitor-db2.sql).
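Verification queries, added here as an example and not part of the original post or of IBM's gdmmonitor-db2.sql: after the grant script has run, check from the DB2 catalog that the gdmmon group holds only the read and execute privileges the script grants (no DBADM, DATAACCESS or write privileges), that every NULLID.SQLC2* package was picked up by P_GrantPackage, and then reconnect as the scan user and issue the same kind of catalog and configuration reads that VA performs. The group name gdmmon comes from the script; gdm_user, the <database> placeholder and the file name verify-gdmmon.sql are assumptions. DB2 folds unquoted identifiers to upper case, so the grantee appears in the catalog as GDMMON whichever spelling the script used.

```sql
-- Added example: verify the privileges granted by gdmmonitor-db2.sql.
-- Not part of the original post or IBM's script. Assumed usage with the DB2 CLP:
--   db2 connect to <database> user <db2inst1> using <password>
--   db2 -tvf verify-gdmmon.sql
-- GRANTEETYPE 'G' = OS group; catalog names are upper case, hence 'GDMMON'.

-- 1. Database-level authorities. Expect CONNECTAUTH = 'Y' and every other
--    column = 'N': the scan account connects and reads, it does not administer.
SELECT GRANTEE, CONNECTAUTH, DBADMAUTH, SECURITYADMAUTH, ACCESSCTRLAUTH,
       DATAACCESSAUTH, LOADAUTH, CREATETABAUTH, BINDADDAUTH
  FROM SYSCAT.DBAUTH
 WHERE GRANTEE = 'GDMMON' AND GRANTEETYPE = 'G';

-- 2. Least-privilege check on tables and views: the script grants SELECT only,
--    so this query must return no rows. Any row is a finding to investigate.
SELECT TABSCHEMA, TABNAME, INSERTAUTH, UPDATEAUTH, DELETEAUTH, ALTERAUTH, CONTROLAUTH
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE = 'GDMMON' AND GRANTEETYPE = 'G'
   AND (INSERTAUTH <> 'N' OR UPDATEAUTH <> 'N' OR DELETEAUTH <> 'N'
        OR ALTERAUTH <> 'N' OR CONTROLAUTH <> 'N');

-- 3. SELECT grants should be confined to the catalog schemas the script names
--    (SYSCAT, SYSIBM, SYSIBMADM). Anything else was granted by hand.
SELECT TABSCHEMA, COUNT(*) AS OBJECTS
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE = 'GDMMON' AND GRANTEETYPE = 'G' AND SELECTAUTH <> 'N'
 GROUP BY TABSCHEMA
 ORDER BY TABSCHEMA;

-- 4. Packages: NULLID.SYSSH200 (JDBC) plus every NULLID.SQLC2* package found by
--    P_GrantPackage. Lists packages that still lack EXECUTE; expect no rows.
--    On a RESTRICTIVE database a missing one breaks the command-line scan.
SELECT P.PKGSCHEMA, P.PKGNAME
  FROM SYSCAT.PACKAGES P
 WHERE P.PKGSCHEMA = 'NULLID'
   AND (P.PKGNAME LIKE 'SQLC2%' OR P.PKGNAME = 'SYSSH200')
   AND NOT EXISTS (SELECT 1
                     FROM SYSCAT.PACKAGEAUTH A
                    WHERE A.PKGSCHEMA = P.PKGSCHEMA AND A.PKGNAME = P.PKGNAME
                      AND A.GRANTEE = 'GDMMON' AND A.GRANTEETYPE = 'G'
                      AND A.EXECUTEAUTH = 'Y');

-- 5. Routines and workload usage (the version-dependent grants near the end of
--    the script). Missing SYSPROC rows usually mean an older DB2 rejected that GRANT.
SELECT SCHEMA, SPECIFICNAME, EXECUTEAUTH
  FROM SYSCAT.ROUTINEAUTH
 WHERE GRANTEE = 'GDMMON' AND GRANTEETYPE = 'G' AND SCHEMA = 'SYSPROC';
SELECT WORKLOADNAME, USAGEAUTH
  FROM SYSCAT.WORKLOADAUTH
 WHERE GRANTEE = 'GDMMON' AND GRANTEETYPE = 'G';

-- 6. Smoke test as the scan user, i.e. the account the datasource will use:
--   db2 connect to <database> user gdm_user using <password>
-- These are the kinds of reads VA issues; an SQL0551N on any of them means a
-- grant from the script is missing or the user is not in the gdmmon group.
VALUES (SESSION_USER, CURRENT SERVER);
SELECT INST_NAME, SERVICE_LEVEL, FIXPACK_NUM
  FROM TABLE(SYSPROC.ENV_GET_INST_INFO()) AS T;
SELECT NAME, VALUE FROM SYSIBMADM.DBMCFG
 WHERE NAME IN ('authentication', 'sysadm_group', 'discover');
SELECT NAME, VALUE FROM SYSIBMADM.DBCFG
 WHERE NAME IN ('autorestart', 'logarchmeth1');
SELECT COUNT(*) AS PUBLIC_TABLE_GRANTS
  FROM SYSCAT.TABAUTH
 WHERE GRANTEE = 'PUBLIC';
```

Sections 1 to 5 run under the DBADM/SECADM account that executed the grant script; section 6 is run again after reconnecting as gdm_user, and it is the half that actually proves the datasource will work, because a user outside the gdmmon OS group inherits none of the group grants even though the catalog rows in sections 1 to 5 look correct.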
Reference: Introduction to Guardium Vulnerability Assessment
Notes:
- For vulnerability assessment and entitlement reports, when looking for the scripts that grant the privileges needed for entitlement reports, use the scripts in the gdmmonitor_scripts directory. Do not use the entitlement_monitor_role folder, which is no longer updated.
- When using an expired product license key, or a license limited to a certain number of datasources, the following message may appear: "Cannot add datasource. The maximum number of datasources allowed by the license has been reached." The license expiration date and the number of licensed datasources can be seen in the System Configuration panel of the Administration Console. A vulnerability assessment or classification process with N datasources counts as N scans each time it runs.
- Guardium Vulnerability Assessment needs access to the databases it evaluates. For this, Guardium ships a set of SQL scripts (one per database type) that set up the user or role Guardium uses in the database. Note that the DB2 script above grants privileges to an OS group (gdmmon) and does not itself create a user; you create the OS user and add it to the group before running it.
- Once built, the template scripts are available on the Guardium system and can be found and downloaded through the file server under /log/debug-logs/gdmmonitor_scripts/. See the README.txt file there for more information.
2 Create DataSource
Protect – Security Assessment Builder
1 Create a new VA
2 Choose datasource
3 Configure Tests
The tests are updated quarterly through the InfoSphere Guardium Knowledge Base service. You can also define custom tests and schedule automated audit tasks, including scanning, report distribution, electronic sign-off and escalation.
You will need to tell your assessment which tests to use to evaluate the database. You can choose from the predefined tests according to the database type.
4 Run it Once
5 View results
6 Check the Guardium job queue
Assessment progress
From Blogger //blog.fabiandinkins.com/2019/07/ibm-guardium-configure-db2.html