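The IBM® InfoSphere® Guardium® Database Vulnerability Assessment (VA) module scans your database infrastructure for vulnerabilities and provides a continuous evaluation of your security posture using real-time and historical data. This capability includes a comprehensive library of preconfigured tests based on industry best practices, such as the Center for Internet Security (CIS) benchmarks and the Database Security Technical Implementation Guide created by the Department of Defense (DoD). These tests check for common vulnerabilities such as missing patches, weak passwords, misconfigured privileges and default accounts, as well as vulnerabilities unique to each DBMS platform.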

This post records the steps to configure IBM Guardium for vulnerability assessment.

Preparing for the vulnerability assessment

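1 Download the script to run on the DB server to create the user and the correct privileges
Use an SSH client to log in to the CLI of the IBM Guardium Central Manager.
Log in as user guardcli1.

Set guiuser to enable the file server.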

login as: guardcli1
Pre-authentication banner message from server:
|
| IBM Guardium, Command Line Interface (CLI)
|
End of banner message from server
[email protected]'s password:
Access denied
[email protected]'s password:
Last failed login: Wed Jul  3 10:17:36 EDT 2019 from 10.10.136.2 on ssh:notty
There was 1 failed login attempt since the last successful login.
Welcome guardcli1 - this is your first login in this system.
Your password has expired.
Changing password for 'guardcli1'.
Enter current password:
Enter new password:
Re-enter new password:
Bad password: it is based on a dictionary word
Changing password for 'guardcli1'.
Enter current password:
Enter new password:
Re-enter new password:
test-igcm1.51sec.org> set guiuser admin
Enter current password:
err

test-igcm1.51sec.org> set guiuser jyan
Enter current password:
ok

test-igcm1.51sec.org>
test-igcm1.51sec.org>
test-igcm1.51sec.org> fileserver 10.10.136.2 2600

Starting the file server...
The file server is ready at //test-igcm1.fabiandinkins.com:8445
The timeout has been set to 2600 seconds and it may timeout during the uploading.

The upload will only be accessible from the IP you are logged in from: 10.10.136.2

Press ENTER to stop the file server.

Warning: Stop the fileserver because of timeout. The file upload may not complete.
Stopping process
ok
test-igcm1.51sec.org>


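Open your browser to the port 8445 web page of the IBM Guardium Central Manager:

Then click "log\debug-logs\gdmmonitor_scripts" to reach the page that lists all the gdmmonitor SQL scripts.

Since we are using a DB2 database as the VA example, click the gdmmonitor-db2.sql file to view its contents.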

--===================================================================================
-- ------------------------------
-- Description
-- ------------------------------
-- Database Type: DB2 LUW
--
-- This script grants the required privileges for VA on the database.
-- 
--
--       This script must be executed using a DB2 user with either DBADM or SECADM authority.
--
--       This script does not create a user.  You can grant these privileges to any user(s) you 
--       choose to perform your scan.  If you choose to create a new OS user for this function, the Linux syntax 
--       can be as simple as:  
--
--   groupadd gdmmon
--   useradd -m -d /home/gdm_user -g gdmmon gdm_user  
--                      passwd gdm_user
--
-- ------------------------------
-- Before running this script
-- ------------------------------
-- 
-- Make sure you have created an OS group called "gdmmon".  Make sure your scan user is a member of the "gdmmon" group. 
--
-- ------------------------------
-- How to Run
-- ------------------------------
--
-- You can run these grants in any JDBC client, just make sure the statement separator is set to 'go'
-- You can also run this in the DB2 CLI using the terminator as 'go' which is the default.
--
-- To run this script using the DB2 CLI, run the following:
--
-- db2 connect to <database> user <db2inst1> using <password>
-- db2 -tdgo -vf gdmmonitor-db2.sql
--
-- ------------------------------
-- After running this script
-- ------------------------------
-- Nothing to do
--
-- ------------------------------
-- User/Password to use
-- ------------------------------
-- User: <gdm_user>
-- Pass: user defined 
-- Role: gdmmon

--===================================================================================


GRANT CONNECT ON DATABASE                 TO GROUP gdmmon
go


GRANT SELECT ON TABLE SYSCAT.COLAUTH      TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.DBAUTH       TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.INDEXAUTH    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.LIBRARYAUTH  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PACKAGEAUTH  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PASSTHRUAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROUTINEAUTH  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SCHEMAAUTH   TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SEQUENCEAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABAUTH      TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TBSPACEAUTH  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABLES       TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.INDEXES      TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.LIBRARIES    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.MODULES      TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PACKAGES     TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROUTINES     TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SCHEMATA     TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SEQUENCES    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABLESPACES  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSIBM.SYSROUTINEAUTH  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROLEAUTH     TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROLES    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.CONTEXTS    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.AUDITPOLICIES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.AUDITUSE    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TRIGGERS    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.MODULES    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.NICKNAMES    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABCONST    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.THRESHOLDS   TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSIBM.SYSDUMMY1    TO GROUP gdmmon
go

-- JDBC Access
GRANT EXECUTE ON PACKAGE NULLID.SYSSH200  TO GROUP gdmmon
go

-- For DB2 8.1 fixpack 9 and higher these table functions are needed to determine the database version
-- IF YOU ARE RUNNING AN OLDER VERSION, YOU MAY SEE ERRORS ON THESE GRANTS, WHICH CAN BE IGNORED
GRANT EXECUTE ON FUNCTION SYSPROC.ENV_GET_INST_INFO TO GROUP gdmmon
go
GRANT EXECUTE ON FUNCTION SYSPROC.ENV_GET_SYS_INFO TO GROUP gdmmon
go
--SYSPROC.ADMIN_GET_ENCRYPTION_INFO is available in DB2 10.5 and higher.
GRANT EXECUTE ON FUNCTION SYSPROC.ADMIN_GET_ENCRYPTION_INFO TO GROUP gdmmon
go
GRANT EXECUTE ON FUNCTION SYSPROC.ENV_GET_REG_VARIABLES TO GROUP gdmmon
go

--This grant is for DB2 9.5 and above only.  This is very important: if the database is created using the RESTRICTIVE option
--then most privileges are revoked from PUBLIC by default. We need this grant to select from certain catalog views, or else an error occurs.
GRANT USAGE ON WORKLOAD SYSDEFAULTUSERWORKLOAD TO GROUP GDMMON
go
GRANT SELECT ON TABLE SYSIBMADM.PRIVILEGES TO GROUP GDMMON
go

--These are required to check configuration parameters as of DB2 9.1 and higher
GRANT SELECT ON TABLE SYSIBMADM.DBCFG  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSIBMADM.DBMCFG TO GROUP gdmmon
go

--These are required for dependencies entitlement queries as of DB2 9.1 and higher
GRANT SELECT ON TABLE SYSCAT.TABDEP      TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TRIGDEP     TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROUTINEDEP  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PACKAGEDEP  TO GROUP gdmmon
go


--
-- DB2 command line privileges needed to execute queries when the CAS script is connected to the database.
-- When a DB2 database is created using the RESTRICTIVE keyword, most objects are not granted to PUBLIC, hence we need this.
-- Therefore we need these privileges to be able to connect to the DB2 command line and issue select queries for VA.
-- The stored procedure below finds package names in the NULLID schema beginning with SQLC2 and grants execute to the gdmmon group.
-- This stored procedure has been tested using DB2 8.2 to the latest DB2 release on various platforms and has the blessing of the DB2 security team.
--

create procedure P_GrantPackage

LANGUAGE SQL

begin

declare executestring varchar(100);
declare v_PkgSchema varchar(50);
declare v_PackageName varchar(50);
declare SQLCODE int default 0;


declare c_grant_package cursor for 
 SELECT PKGSCHEMA, PKGNAME 
 FROM SYSCAT.PACKAGES
 WHERE PKGNAME LIKE 'SQLC2%';

open c_grant_package;
fetch_loop:
loop
fetch c_grant_package into v_PkgSchema, v_PackageName;
 if (SQLCODE <> 0) then
    leave fetch_loop;
 end if;
 set executestring = 'GRANT EXECUTE ON PACKAGE ' ||v_PkgSchema|| '.' || v_PackageName || ' TO GROUP GDMMON'; 
        execute immediate executestring;
end loop fetch_loop;
close c_grant_package;

end
go

CALL P_GrantPackage
go

drop procedure P_GrantPackage
go




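Following the instructions, we must create the gdmmon group and add gdm_user on the DB2 server.

Once the appropriate group has been created, we can run the script on the DB2 server.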
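
Because the script has to be run with DBADM or SECADM authority, it is worth reviewing what it grants before executing it. The following is an added example, not part of the original post or of IBM's script: it splits a go-terminated script into statements and flags any grant outside CONNECT/SELECT/EXECUTE/USAGE or to a grantee other than the gdmmon group. The allow-list, the function names and the sample statements are assumptions made for this example.

```python
import re

# Privileges a read-only scan account should need (assumption for this example).
ALLOWED = {"CONNECT", "SELECT", "EXECUTE", "USAGE"}
GRANT_RE = re.compile(
    r"^GRANT\s+(.+?)\s+ON\s+(.+?)\s+TO\s+(?:(GROUP|USER|ROLE)\s+)?(\w+)$", re.I)

def split_statements(script):
    """Split on lines holding only 'go' (the -tdgo terminator); drop -- comments."""
    statements, current = [], []
    for line in script.splitlines():
        text = line.strip()
        if text.lower() == "go":
            statements.append(" ".join(current))
            current = []
        elif text and not text.startswith("--"):
            current.append(text)
    return [s for s in statements + [" ".join(current)] if s]

def review(script, group="gdmmon"):
    """Return (reason, statement) pairs for everything a human should look at."""
    findings = []
    for stmt in split_statements(script):
        match = GRANT_RE.match(stmt)
        if not match:  # procedures, CALL, DROP, grants with extra clauses
            findings.append(("manual-review", stmt))
            continue
        privileges, _obj, kind, grantee = match.groups()
        extra = {p.strip().upper() for p in privileges.split(",")} - ALLOWED
        if extra:
            findings.append(("privilege:" + ",".join(sorted(extra)), stmt))
        if (kind or "").upper() != "GROUP" or grantee.lower() != group:
            findings.append(("grantee", stmt))
    return findings

# Constructed sample: two grants in the style of the script, then three to flag.
SAMPLE = """\
-- JDBC Access
GRANT EXECUTE ON PACKAGE NULLID.SYSSH200  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.DBAUTH       TO GROUP GDMMON
go
GRANT DBADM ON DATABASE TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABLES TO PUBLIC
go
CALL P_GrantPackage
go
"""
if __name__ == "__main__": print(*review(SAMPLE), sep="\n")
```

Run against the real gdmmonitor-db2.sql, the P_GrantPackage procedure and its CALL and DROP statements are reported as manual-review, since the procedure builds its GRANT statements dynamically and has to be read by hand.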

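Reference: Introducing Guardium Vulnerability Assessment
Notes:

  • For vulnerability assessment and entitlement reports, when looking for the scripts that grant privileges for entitlement reports, use the scripts in the gdmmonitor_scripts directory. Do not use the entitlement_monitor_role folders, which are no longer updated.
  • When using an expired product license key, or a license with a limited number of datasources, the following message may appear: Cannot add datasource. The maximum number of datasources allowed by the license has been reached. The license valid-until date and the number of datasources can be seen on the System Configuration panel of the Administrator Console. A vulnerability or classification process with N datasources is counted as N scans each time it runs.
  • Guardium Vulnerability Assessment requires access to the databases it evaluates. To do this, Guardium provides a set of SQL scripts (one script for each database type) that create the users and roles in the database to be used by Guardium.
  • Once the Guardium system is built, the template scripts are available on it and can be found and downloaded through fileserver at the following path: /log/debug-logs/gdmmonitor_scripts/. More information is available in the Readme.txt file.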
2 Create DataSource
If a datasource has not been defined yet, create a new one based on the DB information.

Protect - Security Assessment Builder

1 Create a new VA

2 Choose datasource


3 Configure Tests
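The tests are updated quarterly through the InfoSphere Guardium Knowledge Base service. You can also define custom tests and schedule automated audit tasks that include scans, report distribution, electronic sign-offs and escalations.
You need to tell your assessment which tests will be used to evaluate your database. You can select these predefined tests based on the DB type.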

4 Run it Once 

5 View results


6 Check the Guardium job queue


Scheduling the assessment

1 Comply - Audit Process Builder

2 Add a Task
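You need to add the task that you defined in the previous step in Protect - Security Assessment Builder.

3 Add the users who will receive the report and create a schedule

You also need to add who the results will be sent to and create a schedule to run this audit process.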

YouTube: Vulnerability Assessment:

    Reference

    From Blogger. http://blog.fabiandinkins.com/2019/07/ibm-guardium-configure-db2.html

    By jonny.
