After logging into the Guardium interface:
Click on the Assess/Harden tab.
You will be taken to another panel where a new lower set of tabs will be displayed for the Assess/Harden process flow.
Click on the Vulnerability Assessment tab.
A process flow for Assessments will be displayed.
Or, as the admin user:
Click on the Tools tab
Click on the Config & Control tab
Click on the Security Assessment Builder link in the left hand column menu
Click on the New button to open the Security Assessment Builder panel.
Enter a unique name for the assessment in the Description box.
The following fields (starting date, ending date, client IP address, and server IP address) apply only to observed tests, but the start date and end date are mandatory even if no observed tests are included in the assessment.
Enter the starting date for the assessment in the Period From box, using the calendar tool or relative date picker tool.
See Selecting or Entering Dates for assistance
Enter the ending date for the assessment in the To box using the calendar tool or relative date picker tool.
See Selecting or Entering Dates for assistance
(optional) Indicate which client IP addresses in the Client IP or IP subnet box are to be selected for the assessment by doing one of the following:
Leave the Client IP address or subnet box empty to select all clients
Enter a complete IP address to select only a specific client
Select a subnet from which all clients are to be included by using a wildcard character (asterisk or percent) in the appropriate location. For example, to include all clients whose IP address begins with 192.168, enter 192.168.*.*
(optional) Indicate which Server IP addresses in the Server IP or IP subnet box are to be selected for the assessment by doing one of the following:
Leave the Server IP address or subnet box empty to select all servers
Enter a complete IP address to select only a specific server
Select a subnet from which all servers are to be included by using a wildcard character (asterisk or percent) in the appropriate location. For example, to include all servers whose IP address begins with 192.168.2, enter 192.168.2.*
Click on the Add Datasource button to bring up the Datasource Finder and select the datasource(s) to be used for tests other than observed tests.
See Datasources for assistance
Do one of the following:
Click the Back button to return to the Assessment Finder panel
Click the Apply button to save the assessment
The Assessment Finder panel is the starting point for creating or modifying assessments.
To open the Assessment Finder panel:
Open the Assessment panel.
See Finding the Guardium Vulnerability Assessment panel for assistance.
Select Assessment Builder or Define what database you want assessed
To modify an assessment definition:
Use the drop-down list box to Select an Assessment you would like to modify.
Click on the Modify button to open the Security Assessment Builder panel.
See Create a New Assessment to assist in changing information.
Click the Roles button if you want to assign one or more security roles for this assessment definition.
See Add Roles to an Assessment to assist in role assignment.
Click the Configure Tests button if you want to add one or more tests for this assessment definition.
See Add a Test to an assessment to assist in adding tests.
Do one of the following:
Click the Back button to return to the Security Assessment Builder panel
Click the Revert button to restore all values in this panel to the last values saved
Click the Apply button to save the assessment
To clone a security assessment definition:
Use the drop-down list box to Select an Assessment you would like to clone.
Click on the Clone button to open a copy of the selected assessment in the Security Assessment panel.
See Create a New Assessment to assist in changing information.
Note: After an assessment is run and results are produced, you cannot remove the definition of that assessment. To prevent other users from accessing or running an assessment you no longer use, you can have the administrator define a special security role for inactive assessments, then assign that role to the assessment, but to no users.
To remove a security assessment definition:
Use the drop-down list box to Select an Assessment you would like to remove.
Click on the Remove button to delete the selected assessment.
See Create a New Assessment to assist in changing information.
Adding tests to an assessment can be done after the Apply button has been pressed in creating a new assessment, during the modification or cloning of an assessment, or through the selection of an assessment from the Assessment Finder panel.
Note: There is a limitation, by default, of 10000 test results allowed per assessment. As tests or datasources are added, an estimation of the number of results is calculated and limited to 10000.
To add tests by selecting an assessment through the Assessment Finder panel:
Use the drop-down list box to Select an Assessment you would like to define tests for.
Click on the Configure Tests button to open the Assessment Test Selections panel.
Click on the radio button for the type (predefined, custom, query based or all) of assessment to add.
See one of the following types for assistance:
Click on a database tab (ORACLE, DB2, SYBASE, MS SQL SERVER, INFORMIX, MYSQL) to view and select assessments specifically for those database environments. Tests defined for a specific database type will be executed on all database sources of that type. Tests marked with a '*' are CAS based. CAS tests, when added to the list of tests for an assessment, are displayed in italics and have a hover feature that displays a tooltip. This tooltip provides information about which template must be activated to provide the necessary information for the test. Additionally, you may click on the Observed tab for observed tests.
Click on the tests you would like to add to this assessment.
Click the Add Selections button to add the tests to the assessment.
Click the Edit Icon next to the Tuning column to bring up the Assessment Test Tuning panel and adjust test parameters
Tuning is not available for all tests, but where it is, the tuning of test parameters allows you to change the Severity of an assessment and additional runtime parameters that affect the triggering of an assessment. These parameters are shown next to the severity under the Tuning column and are an additional prompt in the Assessment Test Tuning panel.
Check the Save as Default if you have changed the severity and want this new severity as the default setting.
Check the Comment button if you would like to add a comment definition to the test. These comments will then show up when viewing ANY RESULT PAST OR PRESENT for executions of the test, including each instance of the test when it runs multiple times in an assessment or other assessments that use the test.
After adjusting the tuning parameters you may click on the Cancel button to abort your changes, click on the Restore Default to put tuning parameters back to their original values, or click on the Accept button to save your changes.
Click the Groups button to modify or create groups.
A set of groups is preloaded with the Guardium application for specific use with Assessments, and any groups created here will only be available for use with assessments. For example, there are groups defined that will check for database version and patch level. These groups can be modified to adhere to a company's own internal version and patch levels, as it would not be appropriate to test for Oracle version 11 when you are satisfied with Oracle version 10. See Groups for additional assistance on Modify Existing Groups, and Manage Members for Selected Groups.
Do one of the following:
Click the Back button to return to the Security Assessment Builder panel
Click the Done button to return to the Assessment Finder panel
To remove assessment tests:
Use the drop-down list box to Select an Assessment you would like to remove tests from.
Click on the Configure Tests button to open the Assessment Test Selections panel.
Click in the check box next to the tests you would like to remove.
Click on Remove Selected to delete the selected assessments.
Do one of the following:
Click the Back button to return to the Security Assessment Builder panel
Click the Done button to return to the Assessment Finder panel
Adding Roles to an assessment can be done after the Apply button has been pressed in creating a new assessment or through the modification of an assessment. Assessments are protected by Security Roles and if an assessment you want to use does not appear in the list, your user account is not authorized to access that assessment. Likewise, with no roles assigned, only you (the assessment owner) will be authorized to access this definition. To allow other users to access this assessment you will need to grant access to one or more roles.
If you have not just clicked on the Apply button from adding a new assessment, you can assign roles by:
Use the drop-down list box to Select an Assessment you would like to modify.
Click on the Modify button to open the Security Assessment Builder panel.
Click on the Roles button to open the Assign Security Roles panel.
See Security Roles for assistance
Click on the boxes to select/de-select the roles you would like to have assigned for this assessment.
Click the Save button when you are satisfied with the role assignment.
Click the Back button to return to the Security Assessment Builder panel.
Click on the Query-based Tests to open the Query-based Test Finder panel.
Click on the New button to open the Query-based Test Builder panel.
Enter a unique Test Name for the assessment.
From the drop-down box select the Database Type.
From the drop-down box select the Category.
From the drop-down box select the Severity.
Enter the Result text for pass that will be displayed when the test passes.
Enter the Result text for fail that will be displayed when the test fails.
Enter the Recommended text for pass that will be displayed when the test passes.
Enter the Recommended text for fail that will be displayed when the test fails.
Enter the SQL statement that will be executed for the test.
Note: Do not include any newline characters in the SQL statement.
From the drop-down box select the Return type that will be returned from the SQL statement.
From the drop-down box select the operator that will be used for the condition.
Enter the Compare value that will be compared against the return value from the SQL statement using the compare operator. It is this comparison that determines whether the test has passed or failed. You may also click on the RE (regex) to define a regular expression for the compare value.
Do one of the following:
Click the Back button to return to the Assessment Finder panel
Click the Save button to save the Query-based assessment
This newly created query test can now be used when adding tests to an assessment.
See Add a Test to an Assessment for assistance.
Click on the Query-based Tests to open the Query-based Test Finder panel.
From the drop-down box select the Query-based test you would like to modify
Click on the Modify button to open the Query-based Test Builder panel.
See Add a New Query-based Test for field descriptions
Click on the Query-based Tests to open the Query-based Test Finder panel.
From the drop-down box select the Query-based test you would like to remove
Click on the Remove button to delete the Query-based test
CAS-based tests allow users to define custom tests based on a CAS template item of type OS Script command. Users can specify which template item to use and test against the content of the CAS results. See Create a New Template Set Item for assistance on creating an OS Script type CAS template.
Guardium also comes pre-configured with some CAS template items of type OS Script that can be used for creating a CAS-based test. These tests can be seen through the CAS Template Set Definition panel and have a name which contains the word 'Assessment'. For instance, the Unix/Oracle set for assessments is named 'Guardium Unix/Oracle Assessment'. Additionally, any template that is added that involves file permissions will also be used for permission and ownership checking. See Modify a Template Set Item for viewing these template sets and seeing those items with type OS Script.
Whether you use a Guardium pre-configured template item or define your own, once defined, these tests will appear for selection during the creation or modification of CAS-based tests. Note that the CAS template must be activated on the node corresponding to the data source, and the test will be executed for all datasources of the same database type as defined for the test. S-TAP and CAS must be installed and running on the examined database server in order for the CAS assessment test to work.
When defining a CAS-based test in an assessment, the database definition in CAS must match exactly the datasource in the assessment. So if you use an IP address or host in the database definition in CAS you need to use that same IP address or host in the assessment. It is also important, since an assessment uses the CAS data, to check the 'keep data' checkbox when defining the CAS template that will be used in a CAS-based test.
Click on the CAS-based Tests to open the CAS-based Test Finder panel.
Click on the New button to open the CAS-based Test Builder panel.
Enter a unique Test Name for the assessment
From the drop-down box select the Database Type
From the drop-down box select the Category
From the drop-down box select the Severity
Enter the Result text for pass that will be displayed when the test passes
Enter the Result text for fail that will be displayed when the test fails
Enter the Recommended text for pass that will be displayed when the test passes
Enter the Recommended text for fail that will be displayed when the test fails
From the drop-down list select the CAS Template to use for the test. These templates are of type OS Script command.
From the drop-down box select the operator that will be used for the condition
Enter the Search string that will be compared against what is returned from the CAS template using the operator.
Check the Fail if match box if you would like to force a failure when a match is made with the compare.
Do one of the following:
Click the Back button to return to the Assessment Finder panel
Click the Save button to save the CAS-based assessment
This newly created CAS test can now be used when adding tests to an assessment.
See Add a Test to an Assessment for assistance.
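Added example, not Guardium code and not part of the original documentation: a Python sketch of the pass/fail logic that the query-based and CAS-based test builders above describe (operator plus Compare value or Search string, the RE option, the no-newline rule for the SQL statement, and Fail if match). The operator and return-type names, the accounts table and the sample script output are assumptions constructed for illustration.

```python
import re
import sqlite3

# Operator and return-type names are assumptions for this sketch; the page
# does not list the entries of the product's drop-down boxes.
OPERATORS = {
    "=": lambda got, want: got == want,
    "!=": lambda got, want: got != want,
    "<": lambda got, want: got < want,
    ">": lambda got, want: got > want,
    "contains": lambda got, want: str(want) in str(got),
    "regex": lambda got, want: re.search(str(want), str(got), re.M) is not None,
}


def check_sql(sql):
    """The SQL statement of a query-based test must not contain newlines."""
    if "\n" in sql or "\r" in sql:
        raise ValueError("SQL statement must be a single line")
    return sql


def run_query_test(conn, sql, return_type, operator, compare_value):
    """Compare the first column of the first row with the compare value."""
    row = conn.execute(check_sql(sql)).fetchone()
    if row is None:
        return "Error"  # assumption: no return value means nothing to compare
    got, want = row[0], compare_value
    if operator not in ("regex", "contains"):
        cast = int if return_type == "integer" else str
        got, want = cast(got), cast(want)
    return "Pass" if OPERATORS[operator](got, want) else "Fail"


def run_cas_test(script_output, operator, search_string, fail_if_match=False):
    """Match the search string against OS script output from a CAS template."""
    matched = OPERATORS[operator](script_output, search_string)
    # "Fail if match" inverts the verdict: a hit becomes a failure.
    return "Pass" if matched != fail_if_match else "Fail"


def demo_connection():
    """Constructed sample data standing in for a database account catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, status TEXT, default_pw INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("app", "OPEN", 0), ("scott", "OPEN", 1), ("dbsnmp", "LOCKED", 1)],
    )
    return conn


# Single-line SQL: number of open accounts that still use a default password.
DEFAULT_PW_SQL = "SELECT COUNT(*) FROM accounts WHERE status = 'OPEN' AND default_pw = 1"
# Constructed output of an OS script that lists a password file.
LS_OUTPUT = "-rw-r--r-- 1 oracle dba 1536 orapwORCL"

if __name__ == "__main__":
    conn = demo_connection()
    print(run_query_test(conn, DEFAULT_PW_SQL, "integer", "=", "0"))
    # World-readable file: the regex matches, so "Fail if match" fails the test.
    print(run_cas_test(LS_OUTPUT, "regex", r"^.{7}r", fail_if_match=True))
```

Writing the query so that a compliant system returns a fixed value (here a count of 0) keeps the Compare value stable across datasources of the same database type.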
Click on the CAS-based Tests to open the CAS-based Test Finder panel.
From the drop-down box select the CAS-based test you would like to modify
Click on the Modify button to open the CAS-based Test Builder panel.
See Add a New CAS-based Test for field descriptions
Click on the CAS-based Tests to open the CAS-based Test Finder panel.
From the drop-down box select the CAS-based test you would like to remove
Click on the Remove button to delete the CAS-based test
Assessments, and Classifications, run in their own separate process called the Jobqueue where jobs are queued and have their status maintained. A separate Listener process periodically polls the table looking for waiting jobs to run. See Cls/Asmt Job Queue within Predefined admin Reports for more information.
There are two options for running assessments:
To modify an assessment definition:
Use the drop-down list box to Select an Assessment you would like to modify.
Click on the Run Once Now button to run the selected assessment.
Note: The assessment will be added to a job queue for immediate processing. A short period of time is required for the job to be executed and viewable.
See View Results of an Assessment to assist in viewing results of an assessment.
You can define and schedule an audit process that will automate the running of an assessment definition.
See Define and Schedule an Audit Process.
To view the results of an assessment:
Use the drop-down list box to Select an Assessment you would like to modify.
Click on the View Results button to open the Security Assessment Results window and see reports of the selected assessment.
Additionally, you can generate a PDF version of the Assessment result by clicking the Download PDF button at the bottom of the report.
See Interpreting the results of an Assessment to assist in viewing results of an assessment.
In addition to viewing results through the Assessment Finder, an Assessment report can be built and displayed through a customized pane with a portlet. Optionally, through the portlet, results can be printed, downloaded to PDF, or saved to disk in a comma-separated values (CSV) file for external use, for example in a Microsoft Excel spreadsheet. The process of creating a query for reporting is done through the admin portal. After a query is built, the administrator can grant access to a user who can then use the query for personal reporting.
To build a query for assessment tracking, open the Security Assessment Report Tracking panel:
Log into the Guardium application as the admin user
Click Tools tab
Click Report Building tab
Select Security Assessment Report Tracking from the left hand column options to bring up the Security Assessment Result and Query Finder panel
See Building Queries and Building Reports for assistance in defining a query and building a report
An Assessment evaluates multiple tests based on multiple reports. The overall results are displayed in a separate browser window entitled Security Assessment Results and have the following sections:
The top portion of the Assessment results identifies:
The assessment name
The date and time the assessment was run
The time period for the assessment
The Client and Server IP addresses or subnets
In the upper right-hand corner of the window, there is a drop-down list that you can use to select and display a different result set for the current assessment. The latest result is displayed by default.
The Assessment Results History shows the percentage of tests passing over a period of time. Further recommendations to improve the percentage of passing tests are given under the Assessment Test Results section.
A tabular graph summarizes all the tests that were executed within this assessment. The X-axis represents the test’s severity (CRITICAL, MAJOR, MINOR, CAUTION, or INFOrmational). The Y-axis represents the type of test (Privilege, Authentication, Configuration, Version, or Other). Within the grid is the representation of the number of tests that have either Passed, Failed, or had an Error when trying to execute. These numbers are directly related to the detail for the assessment tests that is given under the Assessment Test Results section.
The Assessment Test Results section provides a detailed description of the test taken as well as information about the target datasource, Pass/Fail status, severity, and reason for the current status. Each test name is clickable and will filter all information off the report except for relevant information about that particular test. A hover-over feature on the Reason field will display the recommendation to help remedy failed tests or tests in error.
When expanded, the Datasource Details section will show all of the datasources that were referenced within this assessment along with some specific environmental information.
When expanded, the Execution Log will show the runtime execution of the assessment test. A timestamp, along with events, and messages can aid in the debugging of issues that might have caused certain tests to fail.
Just to the right of the Results Summary are two filtering options:
Reset Filtering - Removes all filtering options selected through the Filter / Sort Controls options.
Filter / Sort Controls - Use this link to open the filter/sort options for the report. Options allow you to filter by severity, score (pass, fail, or error), and test type (Observed/Database type). The sort option allows you to sort across combinations of severity, score, and datasource. Click on the Apply button when you would like the chosen filter/sort options to take effect.
The Audit Process finder panel is the starting point for creating or modifying an audit process schedule.
To open the Audit Process finder panel:
Open the Assessment panel.
See Finding the Guardium Vulnerability Assessment panel
Select Audit Process builder or Define an Audit Process.
See Audit Processes for assistance in defining an audit process.