Database Security Update 5.38 for Software Updates

Knowledgebase version 5.38 includes new checks for Microsoft SQL Server, MySQL, and PostgreSQL. It also updates existing checks for MySQL and Sybase ASE, introduces the DISA-STIG Oracle 12c V1R12, DISA-STIG PostgreSQL EDB V1R5, and DISA-STIG SQL Server 2012 V1R18 policies, and updates several existing policies. This release also adds a MySQL 8 User Creation Script for the upcoming AppDetectivePRO and DbProtect updates that will include support for MySQL version 8.

New Vulnerability and Configuration Check Highlights

Microsoft SQL Server

  • Access to linked servers
    • Report the list of linked servers defined in the local server.
    • Risk: Informational
  • Allow Polybase Export feature must be disabled
    • Verify that the 'allow polybase export' configuration option is disabled.
    • Risk: Medium
  • Customer Feedback and Error Reporting
    • Verify that SQL Server Customer Feedback and Error Reporting is disabled.
    • Risk: Informational
  • External Scripts Enabled feature must be disabled
    • Verify that the 'external scripts enabled' configuration option is disabled.
    • Risk: Medium
  • Hadoop Connectivity feature must be disabled
    • Verify that the 'hadoop connectivity' configuration option is disabled.
    • Risk: Medium
  • Remote Data Archive feature must be disabled
    • Verify that the 'remote data archive' configuration option is disabled.
    • Risk: Medium
  • Replication XPs feature must be disabled
    • Verify that the 'replication xps' configuration option is disabled.
    • Risk: Medium
  • SQL Server Mirroring endpoint encryption
    • Verify that SQL Server Mirroring endpoint utilizes AES encryption.
    • Risk: Medium
  • SQL Server Service Broker endpoint encryption
    • Verify that SQL Server Service Broker endpoint utilizes AES encryption.
    • Risk: Medium
  • SQL Server Usage and Error Reporting Auditing
    • Verify that the SQL Server Usage and Error Reporting Auditing is enabled.
    • Risk: Medium
  • Stored procedures and functions that utilize impersonation
    • Report the list of stored procedures and functions that utilize EXECUTE AS.
    • Risk: Medium
  • The NT AUTHORITY\SYSTEM account is used for administration
    • Check permissions granted to the NT AUTHORITY\SYSTEM account.
    • Risk: High
  • User Options feature must be disabled
    • Verify that the 'user options' configuration option is disabled.
    • Risk: Low

MySQL

  • Critical Patch Update - January 2019
    • Check version to determine if the database contains vulnerabilities described by Critical Patch Update - January 2019.
    • Risk: Medium
  • Require current password when changing the password
    • Verify that non-privileged users must provide their current password at the time they set a new password.
    • Risk: Low

PostgreSQL

  • Check hba conf file to see if values hostssl AND cert is used
    • Verify that the PostgreSQL pg_hba.conf file contains the following: type: hostssl, method: cert
    • Risk: Medium
  • Check hba conf file to see if values hostssl AND clientcert is used
    • Verify that the PostgreSQL pg_hba.conf file contains the following: type: hostssl, options: clientcert=1
    • Risk: Medium
  • Ensure auditing is enabled for all direct access to databases
    • Verify that the following PostgreSQL EDB parameters are configured correctly: edb_statement, edb_connect, edb_disconnect.
    • Risk: Medium
  • Ensure edb_audit is configured correctly
    • Verify that the PostgreSQL EDB parameter edb_audit is properly configured and ENABLED.
    • Risk: Medium
  • Ensure edb_audit_connect is configured correctly
    • Verify that the PostgreSQL EDB parameter edb_audit_connect is properly configured.
    • Risk: Medium
  • Ensure edb_audit_statement is configured correctly
    • Verify that the PostgreSQL EDB parameter edb_audit_statement is properly configured.
    • Risk: Medium
  • Ensure fips option is included in OpenSSL version
    • Verify that a FIPS compliant OpenSSL library is installed.
    • Risk: Medium
  • Ensure security label policies are enabled
    • Verify that security label policies are enabled on database objects for PostgreSQL EDB.
    • Risk: Medium
  • Ensure the permissions on the edb_audit directory are correct
    • Verify that the permissions on the PostgreSQL EDB edb_audit directory are correct.
    • Risk: Medium
  • Ensure the permissions on the server.key file are correct
    • Verify that the permissions of the PostgreSQL parameter ssl_cert_file (server.key) are correct.
    • Risk: Medium
  • Ensure there is a connection limit for each role and aligns with organization policies
    • Verify that the PostgreSQL connection limit for roles is enabled and aligned with your organization's policies.
    • Risk: Medium
  • Ensure there is monitoring of database objects to prevent unauthorized modifications
    • Verify that there are jobs enabled that prevent unauthorized modification of database objects.
    • Risk: Medium
  • Ensure users who have access to data input are protected from SQL injection
    • Verify that the database users responsible for data input are protected against SQL injection.
    • Risk: Medium
  • Must disable network protocols, functions, and ports deemed unsecure
    • Verify that the PostgreSQL pg_hba.conf file contains certain logic and that the port is an acceptable secured port.
    • Risk: Medium
  • Verify sample databases are removed from PostgreSQL installation
    • Verify that the sample databases of the PostgreSQL installation are removed.
    • Risk: Medium
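As an added illustration of the two pg_hba.conf checks above (this is example code, not the Knowledgebase's own check logic), the Python below parses a constructed sample pg_hba.conf and reports whether any hostssl rule uses method cert or the clientcert=1 option; it goes slightly beyond the check as worded by also accepting the verify-ca and verify-full spellings that PostgreSQL 12 and later use for clientcert.

```python
"""Evaluate the hostssl/cert and hostssl/clientcert checks on a pg_hba.conf."""
import shlex

# Constructed sample pg_hba.conf; not taken from any real deployment.
SAMPLE_PG_HBA = """
# TYPE  DATABASE   USER       ADDRESS          METHOD
local   all        postgres                    peer
host    all        all        127.0.0.1/32     scram-sha-256
hostssl app_db     app_user   10.0.0.0/8       cert clientcert=verify-full
hostssl reporting  report_ro  10.20.0.0/16     scram-sha-256 clientcert=1
hostnossl all      all        0.0.0.0/0        reject
"""


def parse_pg_hba(text):
    """Return one dict per effective rule: type, database, user, address, method, options."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = shlex.split(line)            # pg_hba.conf permits quoted tokens
        kind = fields[0]
        if len(fields) < (4 if kind == "local" else 5):
            raise ValueError(f"malformed pg_hba.conf line: {raw!r}")
        if kind == "local":                   # "local" rules have no ADDRESS column
            address, rest = None, fields[3:]
        else:
            address, rest = fields[3], fields[4:]
            # The address may be written as an IP plus a separate netmask column.
            if "/" not in address and rest[0].replace(".", "").isdigit():
                address, rest = f"{address}/{rest[0]}", rest[1:]
        method, opts = rest[0], rest[1:]
        options = dict(o.split("=", 1) for o in opts if "=" in o)
        rules.append({"type": kind, "database": fields[1], "user": fields[2],
                      "address": address, "method": method, "options": options})
    return rules


def hostssl_cert_rules(rules):
    """Check 1: hostssl rules whose METHOD is cert (the client certificate is the credential)."""
    return [r for r in rules if r["type"] == "hostssl" and r["method"] == "cert"]


def hostssl_clientcert_rules(rules):
    """Check 2: hostssl rules that demand a client certificate via the clientcert option."""
    accepted = {"1", "verify-ca", "verify-full"}   # "1" as on the page; newer spellings too
    return [r for r in rules if r["type"] == "hostssl"
            and r["options"].get("clientcert") in accepted]


def evaluate(text):
    """Summarise both checks, plus any non-reject rule of a type that permits plaintext TCP."""
    rules = parse_pg_hba(text)
    return {
        "hostssl_cert": bool(hostssl_cert_rules(rules)),
        "hostssl_clientcert": bool(hostssl_clientcert_rules(rules)),
        "plaintext_capable": [r for r in rules
                              if r["type"] in ("host", "hostnossl") and r["method"] != "reject"],
    }
```

The plaintext_capable list is a supporting finding for review: a plain host rule matches both TLS and non-TLS connections, so it is worth inspecting alongside the two checks.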

Updated Checks

MySQL

  • Latest release not installed
    • Support MySQL 5.6.43, 5.7.25
    • Risk: High
  • Release update not installed on time
    • Support MySQL 5.6.43, 5.7.25
    • Risk: High

Sybase

  • Latest patch not applied
    • Support SAP ASE 16.0 SP03 PL06
    • Risk: High
  • Patch not applied on time
    • Support SAP ASE 16.0 SP03 PL06
    • Risk: High

New Policies

  • DISA-STIG Oracle 12c V1R12 - Audit (Built-in)
    • This policy has been created with the guidelines mapped out in the DOD Security Technical Implementation Guides "Oracle Database 12c Security Technical Implementation Guide Version 1 Release 12".
  • DISA-STIG PostgreSQL EDB V1R5 - Audit (Built-In)
    • This policy has been created with guidance of the configuration parameters outlined by the DISA-STIG PostgreSQL EDB Advanced Server Security Technical Implementation Guide Version 1, Release 5.
  • DISA-STIG SQL Server 2012 V1R18 - Audit (Built-in)
    • This policy has been created with guidance of the configuration parameters outlined by the DISA-STIG Microsoft SQL Server 2012 Security Technical Implementation Guide Version 1, Release 18.

Updated Policies

  • Base Line - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Basel II - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Basel II - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Best Practices for Federal Gov. - Audit (Built-in)
    • New Checks
      • Microsoft SQL Server: Access to linked servers: Informational
      • Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
      • Microsoft SQL Server: Customer Feedback and Error Reporting: Informational
      • Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
      • Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
      • Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
      • Microsoft SQL Server: Replication XPs feature must be disabled: Medium
      • Microsoft SQL Server: SQL Server Mirroring endpoint encryption: Medium
      • Microsoft SQL Server: SQL Server Service Broker endpoint encryption: Medium
      • Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
      • Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
      • Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
      • Microsoft SQL Server: User Options feature must be disabled: Low
      • MySQL: Critical Patch Update - January 2019: Medium
      • MySQL: Require current password when changing the password: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • CIS v1.0.0 for MySQL 5.7 - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
  • CIS v1.0.0 for Oracle 11gR1&R2 - Audit (Built-in)
    • New Checks
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • CIS v2.0 for Oracle 12c - Audit (Built-In)
    • New Checks
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • CIS v2.2.0 for Oracle 11gR2 - Audit (Built-In)
    • New Checks
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • CNIL - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • MySQL: Require current password when changing the password: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • DISA-STIG Database Security - Audit (Built-in)
    • New Checks
      • Microsoft SQL Server: Access to linked servers: Informational
      • Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
      • Microsoft SQL Server: Customer Feedback and Error Reporting: Informational
      • Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
      • Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
      • Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
      • Microsoft SQL Server: Replication XPs feature must be disabled: Medium
      • Microsoft SQL Server: SQL Server Mirroring endpoint encryption: Medium
      • Microsoft SQL Server: SQL Server Service Broker endpoint encryption: Medium
      • Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
      • Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
      • Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
      • Microsoft SQL Server: User Options feature must be disabled: Low
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • DISA-STIG Oracle 11gR2 V1R14 - Audit (Built-in)
    • New Checks
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • DISA-STIG Oracle 12c V1R11 - Audit (Built-in)
    • New Checks
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Database Best Practices
    • New Checks
      • Microsoft SQL Server: Access to linked servers: Informational
      • Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
      • Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
      • Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
      • Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
      • Microsoft SQL Server: Replication XPs feature must be disabled: Medium
      • Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
      • Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
      • Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
      • Microsoft SQL Server: User Options feature must be disabled: Low
      • MySQL: Critical Patch Update - January 2019: Medium
      • MySQL: Require current password when changing the password: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Download - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • EU Data Protection Directive - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • EU Data Protection Directive - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • FISMA - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • FISMA - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • FedRAMP - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • MySQL: Require current password when changing the password: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Full - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Gramm-Leach-Bliley Act - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Gramm-Leach-Bliley Act - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • HIPAA - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • HIPAA - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Heavy - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Integrity - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • MITS - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Massachusetts 201 CMR 17.00
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Medium - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • MiFID - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • MiFID - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • PCI Data Security Standard - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • PCI Data Security Standard - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Passwords - Audit (Built-in)
    • New Checks
      • MySQL: Require current password when changing the password: Medium
  • Safe - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Sarbanes-Oxley - Audit (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Sarbanes-Oxley - Pen Test (Built-in)
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Strict - Audit (Built-in)
    • New Checks
      • Microsoft SQL Server: Access to linked servers: Informational
      • Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
      • Microsoft SQL Server: Customer Feedback and Error Reporting: Informational
      • Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
      • Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
      • Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
      • Microsoft SQL Server: Replication XPs feature must be disabled: Medium
      • Microsoft SQL Server: SQL Server Mirroring endpoint encryption: Medium
      • Microsoft SQL Server: SQL Server Service Broker endpoint encryption: Medium
      • Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
      • Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
      • Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
      • Microsoft SQL Server: User Options feature must be disabled: Low
      • MySQL: Critical Patch Update - January 2019: Medium
      • MySQL: Require current password when changing the password: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
      • PostgreSQL: Check hba conf file to see if values hostssl AND cert is used: Medium
      • PostgreSQL: Check hba conf file to see if values hostssl AND clientcert is used: Medium
      • PostgreSQL: Ensure auditing is enabled for all direct access to databases: Medium
      • PostgreSQL: Ensure edb_audit is configured correctly: Medium
      • PostgreSQL: Ensure edb_audit_connect is configured correctly: Medium
      • PostgreSQL: Ensure edb_audit_statement is configured correctly: Medium
      • PostgreSQL: Ensure fips option is included in OpenSSL version: Medium
      • PostgreSQL: Ensure security label policies are enabled: Medium
      • PostgreSQL: Ensure the permissions on the edb_audit directory are correct: Medium
      • PostgreSQL: Ensure the permissions on the server.key file are correct: Medium
      • PostgreSQL: Ensure there is a connection limit for each role and aligns with organization policies: Medium
      • PostgreSQL: Ensure there is monitoring of database objects to prevent unauthorized modifications: Medium
      • PostgreSQL: Ensure users who have access to data input are protected from SQL injection: Medium
      • PostgreSQL: Must disable network protocols, functions, and ports deemed unsecure: Medium
      • PostgreSQL: Verify sample databases are removed from PostgreSQL installation: Medium

User Creation Scripts

  • MySQL 8 Added

Availability

  • Available to all AppDetectivePRO and DbProtect customers with maintenance (subscription or perpetual) in good standing at no additional cost.
  • Download SHATTER Knowledgebase from the Trustwave Support Portal (https://www.trustwave.com/Company/Support/ and select AppDetectivePRO or DbProtect).
  • AppDetectivePRO customers can use the Updater within the product as well.