IBM®InfoSphere®Guardium®数据库漏洞评估(VA)模块扫描数据库基础结构中的漏洞,并使用实时和历史数据对您的安全状况进行持续评估。此功能包括基于行业最佳实践的全面的预配置测试库,例如由国防部(DoD)创建的计算机Internet安全(CIS)基准和数据库安全技术实施指南(STIG)。这些测试检查常见漏洞,例如缺少补丁,弱密码,错误配置的特权和默认帐户,以及每个DBMS平台的独特漏洞。 

这篇文章是记录如何配置IBM 卫报的步骤 漏洞评估。 

漏洞评估的准备

1 下载脚本以在DB Server中运行以创建用户和适当的权限
使用SSH客户端登录到IBM 卫报 Central Manager的CLI。
使用guardcli1用户登录

设置您的guuser 然后启用文件服务。

login as: guardcli1
Pre-authentication banner message from server:
|
| IBM 卫报, Command Line Interface (CLI)
|
End of banner message from server
[email protected]'s password:
Access denied
[email protected]'s password:
Last failed login: Wed Jul  3 10:17:36 EDT 2019 from 10.10.136.2 上 ssh:notty
There was 1 failed login attempt since the last successful login.
Welcome guardcli1 - this is your first login in this system.
Your password has expired.
Changing password for 'guardcli1'.
Enter current password:
Enter new password:
Re-enter new password:
Bad password: it is based 上 a dictionary word
Changing password for 'guardcli1'.
Enter current password:
Enter new password:
Re-enter new password:
test-igcm1.51sec.org> set guiuser admin
Enter current password:
err

test-igcm1.51sec.org> set guiuser jyan
Enter current password:
ok

test-igcm1.51sec.org>
test-igcm1.51sec.org>
test-igcm1.51sec.org> fileserver 10.10.136.2 2600

Starting the file server...
The file server is ready at //test-igcm1.fabiandinkins.com:8445的 timeout has been set to 2600 seconds and it may timeout during the uploading.

The upload will 上ly be accessible from the IP you are logged in from: 10.10.136.2

Press ENTER to stop the file server.

Warning: Stop the fileserver because of timeout. 的 file upload may not complete.
Stopping process
ok
test-igcm1.51sec.org>


打开浏览器,访问您的IBM 卫报 Central Manager的端口8445网页:

然后单击logs \ debug-logs \ gdmmonitor_scripts,您将转到包含所有gdmmonitor sql脚本页面的页面。

由于我们使用DB2数据库作为VA示例,因此请单击gdmmonitor-db2.sql文件以查看其中的内容。

--===================================================================================
-- ------------------------------
-- Description
-- ------------------------------
-- Database Type: DB2 LUW
--
-- This script grants the required privileges for VA 上 the database.
-- 
--
--       This script must be executed using a DB2 user with either DBADM or SECADM authority.
--
--       This script does not create a user.  You can grant these privileges to any user(s) you 
--       choose to perform your scan.  If you choose to create a new OS user for this function, the 的Linux syntax 
--       can be as simple as:  
--
--   groupadd gdmmon
--   useradd -m -d /home/gdm_user -g gdmmon gdm_user  
--                      passwd gdm_user
--
-- ------------------------------
-- Before running this script
-- ------------------------------
-- 
-- Make sure you have created an OS group called "gdmmon".  Make sure your scan user is a member of the "gdmmon" group. 
--
-- ------------------------------
-- How to Run
-- ------------------------------
--
-- You can run these grants in any JDBC client, just make sure the statement separator is set to 'go'
-- You can also run this in the DB2 CLI using the terminator as 'go' which is the default.
--
-- To run this script using the DB2 CLI, run the following:
--
-- db2 connect to <database> user <db2inst1> using <password>
-- db2 -tdgo -vf gdmmonitor-db2.sql
--
-- ------------------------------
-- after runnign this script
-- ------------------------------
-- Nothing to do
--
-- ------------------------------
-- User/Password to use
-- ------------------------------
-- User: <gdm_user>
-- Pass: user defined 
-- Role: gdmmon

--===================================================================================


GRANT CONNECT ON DATABASE                 TO GROUP gdmmon
go


GRANT SELECT ON TABLE SYSCAT.COLAUTH      TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.DBAUTH       TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.INDEXAUTH    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.LIBRARYAUTH  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PACKAGEAUTH  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PASSTHRUAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROUTINEAUTH  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SCHEMAAUTH   TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SEQUENCEAUTH TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABAUTH      TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TBSPACEAUTH  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABLES       TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.INDEXES      TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.LIBRARIES    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.MODULES      TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PACKAGES     TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROUTINES     TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SCHEMATA     TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.SEQUENCES    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABLESPACES  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSIBM.SYSROUTINEAUTH  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROLEAUTH     TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROLES    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.CONTEXTS    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.AUDITPOLICIES TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.AUDITUSE    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TRIGGERS    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.MODULES    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.NICKNAMES    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TABCONST    TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.THRESHOLDS   TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSIBM.SYSDUMMY1    TO GROUP gdmmon
go

-- JDBC Access
GRANT EXECUTE ON PACKAGE NULLID.SYSSH200  TO GROUP gdmmon
go

-- For DB2 8.1 fixpack 9 and higher this table function is need to determine the database version 
-- IF YOU ARE RUNNING OLDER VERSION, YOU MAY SEE ERROR ON THESE GRANT WHICH CAN BE IGNORE 
GRANT EXECUTE ON FUNCTION SYSPROC.ENV_GET_INST_INFO TO GROUP gdmmon
go
GRANT EXECUTE ON FUNCTION SYSPROC.ENV_GET_SYS_INFO TO GROUP gdmmon
go
--SYSPROC.ADMIN_GET_ENCRYPTION_INFO is available in DB2 10.5 and higher.
GRANT EXECUTE ON FUNCTION SYSPROC.ADMIN_GET_ENCRYPTION_INFO TO GROUP gdmmon
go
GRANT EXECUTE ON FUNCTION SYSPROC.ENV_GET_REG_VARIABLES TO GROUP gdmmon
go

--This grant For DB2 9.5 and above 上ly.  This is very important, if database is created using RESTRICTIVE option
--then most privilege are revoke to PUBLIC by default. We will need this grant to select certain catalog view or else error.
GRANT USAGE ON WORKLOAD SYSDEFAULTUSERWORKLOAD TO GROUP GDMMON
go
GRANT SELECT ON TABLE SYSIBMADM.PRIVILEGES TO GROUP GDMMON
go

--These are require to check configuration parameters as of DB2 9.1 and higher
GRANT SELECT ON TABLE SYSIBMADM.DBCFG  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSIBMADM.DBMCFG TO GROUP gdmmon
go

--These are require for dependcies entitlement queries as of DB2 9.1 and higher
GRANT SELECT ON TABLE SYSCAT.TABDEP      TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.TRIGDEP     TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.ROUTINEDEP  TO GROUP gdmmon
go
GRANT SELECT ON TABLE SYSCAT.PACKAGEDEP  TO GROUP gdmmon
go


--
-- DB2 Command line privilege need to execute queries when CAS script connected to database.
-- When a DB2 database is created using the RESTRICTIVE keyword.  Most objects are not granted to PUBLIC, hence we need this.
-- 的refore we need these privileges to be able to connect to DB2 command line and issue select queries for VA.
-- 的 below store procedure find package name in NULLID schema begin with SQLC2 and grant execute to gdmmon group.
-- This stored procedure is tested using DB2 8.2 to latest DB2 release 上 various platform and has the blessing of DB2 security team.
--

create procedure P_GrantPackage

LANGUAGE SQL

begin

declare executestring varchar(100);
declare v_PkgSchema varchar(50);
declare v_PackageName varchar(50);
declare SQLCODE int default 0;


declare c_grant_package cursor for 
 SELECT PKGSCHEMA, PKGNAME 
 FROM SYSCAT.PACKAGES
 WHERE PKGNAME LIKE 'SQLC2%';

open c_grant_package;
fetch_loop:
loop
fetch c_grant_package into v_PkgSchema, v_PackageName;
 if (SQLCODE <> 0) then
    leave fetch_loop;
 end if;
 set executestring = 'GRANT EXECUTE ON PACKAGE ' ||v_PkgSchema|| '.' || v_PackageName || ' TO GROUP GDMMON'; 
        execute immediate executestring;
end loop fetch_loop;
close c_grant_package;

end
go

CALL P_GrantPackage
go

drop procedure P_GrantPackage
go




我们将必须遵循指示信息来创建gdmmon组,并将gdm_user添加到DB2服务器上的该组中。

一旦创建了正确的组,就可以在DB2服务器上运行脚本。

参考: 介绍Guardium漏洞评估
笔记:

  • 对于漏洞评估和权利报告,当寻找脚本来授予特权报告特权时,请使用gdmmonitor_scripts目录中的脚本。不要使用entitlement_monitor_role文件夹,该文件夹不再更新。
  • 当使用到期的产品许可证密钥或数据源数量有限的许可证时,可能会出现以下消息: 无法添加数据源。已达到许可证允许的最大数据源数量。  许可证有效期至 日期和 数据源数量 可以在 系统配置 的面板 管理员控制台。具有以下内容的漏洞或分类过程 N 数据源计为 N 每次运行时进行扫描。
  • 卫报漏洞评估需要访问其评估的数据库。为此,Guardium提供了一组SQL脚本(每种数据库类型一个脚本),该脚本在Guardium使用的数据库中创建用户和角色。
  • 模板脚本一旦构建,就可以在Guardium系统上使用,并且可以通过文件服务器在以下路径中找到和下载: / log / debug-logs / gdmmonitor_scripts /。有关更多信息,请参见 README.txt file.
2 Create DataSource
如果尚未定义数据源,则需要根据数据库信息创建一个新的数据源。

保护–安全评估生成器

1 Create a new VA

2 Choose datasource


3 Configure Tests
通过InfoSphere 卫报知识库服务每季度更新一次测试。您还可以定义自定义测试并安排自动审计任务,包括扫描,报告分发,电子签名和升级。
您将需要告诉您的评估,将使用哪种测试来评估数据库。您可以根据数据库类型选择那些预定义的测试。

4 Run it Once 

5 View results


6 检查Guardium作业队列


进度评估

1 遵守–审核流程构建者

2 Add a Task
您将需要在“保护–安全评估生成器”中添加上一步中定义的任务。

3 添加用户以发送报告并创建时间表

您还需要添加要发送结果的人员,并创建时间表以运行此审核过程。

YouTube:漏洞评估:

    参考文献

    来自Blogger //blog.fabiandinkins.com/2019/07/ibm-guardium-configure-db2.html

    通过 约翰扬

    发表评论