Software Updates

Database Security Update 5.38 for Software Updates

Written by | Feb 13, 2019 10:46:00 AM

Knowledgebase version 5.38 includes new checks for Microsoft SQL Server, MySQL, and PostgreSQL. It has updated checks for MySQL and Sybase ASE and also introduces the DISA-STIG Oracle 12c V1R12, DISA-STIG PostgreSQL EDB V1R5, and DISA-STIG SQL Server 2012 V1R18 policies as well as updated several existing policies. This release also adds a MySQL 8 User Creation Script for the upcoming AppDetectivePRO and DbProtect updates that will include support for version 8 of MySQL.

New Vulnerability and Configuration Check Highlights

Microsoft SQL Server

  • Access to linked servers
    • Report the list of linked servers defined in the local server.
    • Risk: Informational
  • Allow Polybase Export feature must be disabled
    • Verify that the 'allow polybase export' configuration option is disabled.
    • Risk: Medium
  • Customer Feedback and Error Reporting
    • Verify that SQL Server Customer Feedback and Error Reporting is disabled.
    • Risk: Informational
  • External Scripts Enabled feature must be disabled
    • Verify that the 'external scripts enabled' configuration option is disabled.
    • Risk: Medium
  • Hadoop Connectivity feature must be disabled
    • Verify that the 'hadoop connectivity' configuration option is disabled.
    • Risk: Medium
  • Remote Data Archive feature must be disabled
    • Verify that the 'remote data archive' configuration option is disabled.
    • Risk: Medium
  • Replication XPs feature must be disabled
    • Verify that the 'replication xps' configuration option is disabled.
    • Risk: Medium
  • SQL Server Mirroring endpoint encryption
    • Verify that SQL Server Mirroring endpoint utilizes AES encryption.
    • Risk: Medium
  • SQL Server Service Broker endpoint encryption
    • Verify that SQL Server Service Broker endpoint utilizes AES encryption.
    • Risk: Medium
  • SQL Server Usage and Error Reporting Auditing
    • Verify that the SQL Server Usage and Error Reporting Auditing is enabled.
    • Risk: Medium
  • Stored procedures and functions that utilize impersonation
    • Report the list of stored procedures and functions that utilize EXECUTE AS.
    • Risk: Medium
  • The NT AUTHORITY\SYSTEM account is used for administration
    • Check permissions granted to the NT AUTHORITY\SYSTEM account.
    • Risk: High
  • User Options feature must be disabled
    • Verify that the 'user options' configuration option is disabled.
    • Risk: Low

MySQL

  • Critical Patch Update - January 2019
  • Check version to determine if the database contains vulnerabilities described by Critical Patch Update - January 2019.
  • Risk: Medium
  • Require current password when changing the password
    • Verify that non-privileged users must provide their current password at the time they set a new password.
    • Risk: Low

PostgreSQL

  • Check hba conf file to see if values hostssl AND cert is used
    • Verify that the PostgreSQL pg_hba.conf file contains the following: type: hostssl method: cert
    • Risk: Medium
  • Check hba conf file to see if values hostssl AND clientcert is used
    • Verify that the PostgreSQL pg_hba.conf file contains the following: type: hostssl options: clientcert=1
    • Risk: Medium
  • Ensure auditing is enabled for all direct access to databases
  • Verify that the following PostgreSQL EDB parameters are configured correctly: edb_statement edb_connect edb_disconnect
  • Risk: Medium
  • Ensure edb_audit is configured correctly
    • Verify that the PostgreSQL EDB parameter edb_audit is properly configured and ENABLED.
    • Risk: Medium
  • Ensure edb_audit_connect is configured correctly
    • Verify that the PostgreSQL EDB parameter edb_audit_connect is properly configured.
    • Risk: Medium
  • Ensure edb_audit_statement is configured correctly
    • Verify that the PostgreSQL EDB parameter edb_audit_statement is properly configured.
    • Risk: Medium
  • Ensure fips option is included in OpenSSL version
    • Verify that a FIPS compliant OpenSSL library is installed.
    • Risk: Medium
  • Ensure security label policies are enabled
    • Verify that there are security label policies are enabled on database objects for PostgreSQL EDB.
    • Risk: Medium
  • Ensure the permissions on the edb_audit directory are correct
    • Verify that the permissions on the PostgreSQL EDB edb_audit directory are correct.
    • Risk: Medium
  • Ensure the permissions on the server.key file are correct
    • Verify that the permissions of the PostgreSQL parameter ssl_cert_file (server.key) are correct.
    • Risk: Medium
  • Ensure there is a connection limit for each role and aligns with organization policies
  • Verify that the PostgreSQL connection limit for roles is enabled and aligned with your organization's policies.
  • Risk: Medium
  • Ensure there is monitoring of database objects to prevent unauthorized modifications
    • Verify that there are jobs enabled that prevent unauthorized modification of database objects.
    • Risk: Medium
  • Ensure users who have access to data input are protected from SQL injection
    • Verify that the database users responsible for data input are protected against SQL injection.
    • Risk: Medium
  • Must disable network protocols, functions, and ports deemed unsecure
  • Verify that the PostgreSQL pg_hba.conf file contains certain logic and that the port is an acceptable secured port.
  • Risk: Medium
  • Verify sample databases are removed from PostgreSQL installation
    • Verify that the sample databases of the PostgreSQL installation are removed.
    • Risk: Medium

Updated Checks

MySQL

  • Latest release not installed
    • Support MySQL 5.6.43, 5.7.25
    • Risk: High
  • Release update not installed on time
    • Support MySQL 5.6.43, 5.7.25
    • Risk: High

Sybase

  • Latest patch not applied
    • Support SAP ASE 16.0 SP03 PL06
    • Risk: High
  • Patch not applied on time
    • Support SAP ASE 16.0 SP03 PL06
    • Risk: High

New Policies

  • DISA-STIG Oracle 12c V1R12 - Audit (Built-in)
    • This policy has been created with the guidelines mapped out in the DOD Security Technical Implementation Guides "Oracle Database 12c Security Technical Implementation Guide Version 1 Release 12".
  • DISA-STIG PostgreSQL EDB V1R5 - Audit (Built-In)
    • This policy has been created with guidance of the configuration parameters outlined by the DISA-STIG PostgreSQL EDB Advanced Server Security Technical Implementation Guide Version 1, Release 5.
  • DISA-STIG SQL Server 2012 V1R18 - Audit (Built-in)
    • This policy has been created with guidance of the configuration parameters outlined by the DISA-STIG Microsoft SQL Server 2012 Security Technical Implementation Guide Version 1, Release 18.

Updated Policies

  • Base Line - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Basel II - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
      • MySQL: Critical Patch Update - January 2019: Medium
      • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
    • Basel II - Pen Test (Built-in)
  • Best Practices for Federal Gov. - Audit (Built-in)
    • Microsoft SQL Server: Access to linked servers: Informational
    • Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
    • Microsoft SQL Server: Customer Feedback and Error Reporting: Informational
    • Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
    • Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
    • Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
    • Microsoft SQL Server: Replication XPs feature must be disabled: Medium
    • Microsoft SQL Server: SQL Server Mirroring endpoint encryption: Medium
    • Microsoft SQL Server: SQL Server Service Broker endpoint encryption: Medium
    • Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
    • Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
    • Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
    • Microsoft SQL Server: User Options feature must be disabled: Low
    • MySQL: Critical Patch Update - January 2019: Medium
    • MySQL: Require current password when changing the password: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • CIS v1.0.0 for MySQL 5.7 - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • New Checks
  • CIS v1.0.0 for Oracle 11gR1&R2 - Audit (Built-in)
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • CIS v2.0 for Oracle 12c - Audit (Built-In)
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • CIS v2.2.0 for Oracle 11gR2 - Audit (Built-In)
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • CNIL - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • MySQL: Require current password when changing the password: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • DISA-STIG Database Security - Audit (Built-in)
    • Microsoft SQL Server: Access to linked servers: Informational
    • Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
    • Microsoft SQL Server: Customer Feedback and Error Reporting: Informational
    • Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
    • Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
    • Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
    • Microsoft SQL Server: Replication XPs feature must be disabled: Medium
    • Microsoft SQL Server: SQL Server Mirroring endpoint encryption: Medium
    • Microsoft SQL Server: SQL Server Service Broker endpoint encryption: Medium
    • Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
    • Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
    • Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
    • Microsoft SQL Server: User Options feature must be disabled: Low
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • DISA-STIG Oracle 11gR2 V1R14 - Audit (Built-in)
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • DISA-STIG Oracle 12c V1R11 - Audit (Built-in)
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Database Best Practices
    • Microsoft SQL Server: Access to linked servers: Informational
    • Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
    • Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
    • Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
    • Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
    • Microsoft SQL Server: Replication XPs feature must be disabled: Medium
    • Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
    • Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
    • Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
    • Microsoft SQL Server: User Options feature must be disabled: Low
    • MySQL: Critical Patch Update - January 2019: Medium
    • MySQL: Require current password when changing the password: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Download - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • EU Data Protection Directive - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • EU Data Protection Directive - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • FISMA - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • FISMA - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • FedRAMP - Audit (Built-in)
    • New Checks
    • MySQL: Critical Patch Update - January 2019: Medium
    • MySQL: Require current password when changing the password: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
  • Full - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Gramm-Leach-Bliley Act - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Gramm-Leach-Bliley Act - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • HIPAA - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • HIPAA - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Heavy - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Integrity - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • MITS - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Massachusetts 201 CMR 17.00
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Medium - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • MiFID - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • MiFID - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • PCI Data Security Standard - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • PCI Data Security Standard - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Passwords - Audit (Built-in)
    • New Checks
      • MySQL: Require current password when changing the password: Medium
  • Safe - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Sarbanes-Oxley - Audit (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Sarbanes-Oxley - Pen Test (Built-in)
    • MySQL: Critical Patch Update - January 2019: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • New Checks
  • Strict - Audit (Built-in)
    • Microsoft SQL Server: Access to linked servers: Informational
    • Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
    • Microsoft SQL Server: Customer Feedback and Error Reporting: Informational
    • Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
    • Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
    • Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
    • Microsoft SQL Server: Replication XPs feature must be disabled: Medium
    • Microsoft SQL Server: SQL Server Mirroring endpoint encryption: Medium
    • Microsoft SQL Server: SQL Server Service Broker endpoint encryption: Medium
    • Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
    • Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
    • Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
    • Microsoft SQL Server: User Options feature must be disabled: Low
    • MySQL: Critical Patch Update - January 2019: Medium
    • MySQL: Require current password when changing the password: Medium
    • Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
    • PostgreSQL: Check hba conf file to see if values hostssl AND cert is used: Medium
    • PostgreSQL: Check hba conf file to see if values hostssl AND clientcert is used: Medium
    • PostgreSQL: Ensure auditing is enabled for all direct access to databases: Medium
    • PostgreSQL: Ensure edb_audit is configured correctly: Medium
    • PostgreSQL: Ensure edb_audit_connect is configured correctly: Medium
    • PostgreSQL: Ensure edb_audit_statement is configured correctly: Medium
    • PostgreSQL: Ensure fips option is included in OpenSSL version: Medium
    • PostgreSQL: Ensure security label policies are enabled: Medium
    • PostgreSQL: Ensure the permissions on the edb_audit directory are correct: Medium
    • PostgreSQL: Ensure the permissions on the server.key file are correct: Medium
    • PostgreSQL: Ensure there is a connection limit for each role and aligns with organization policies: Medium
    • PostgreSQL: Ensure there is monitoring of database objects to prevent unauthorized modifications: Medium
    • PostgreSQL: Ensure users who have access to data input are protected from SQL injection: Medium
    • PostgreSQL: Must disable network protocols, functions, and ports deemed unsecure: Medium
    • PostgreSQL: Verify sample databases are removed from PostgreSQL installation: Medium
    • New Checks

User Creation Scripts

  • MySQL 8 Added

Availability

  • Available to all AppDetectivePRO and DbProtect customers with maintenance (subscription or perpetual) in good standing at no additional cost.
  • AppDetectivePRO customers can use the Updater within the product as well
View full post