Knowledgebase version 5.38 includes new checks for Microsoft SQL Server, MySQL, and PostgreSQL, and updated checks for MySQL and Sybase ASE. It also introduces the DISA-STIG Oracle 12c V1R12, DISA-STIG PostgreSQL EDB V1R5, and DISA-STIG SQL Server 2012 V1R18 policies and updates several existing policies. This release also adds a MySQL 8 User Creation Script for the upcoming AppDetectivePRO and DbProtect updates that will include support for version 8 of MySQL.
New Vulnerability and Configuration Check Highlights
Microsoft SQL Server
- Access to linked servers
- Report the list of linked servers defined in the local server.
- Risk: Informational
- Allow Polybase Export feature must be disabled
- Verify that the 'allow polybase export' configuration option is disabled.
- Risk: Medium
- Customer Feedback and Error Reporting
- Verify that SQL Server Customer Feedback and Error Reporting is disabled.
- Risk: Informational
- External Scripts Enabled feature must be disabled
- Verify that the 'external scripts enabled' configuration option is disabled.
- Risk: Medium
- Hadoop Connectivity feature must be disabled
- Verify that the 'hadoop connectivity' configuration option is disabled.
- Risk: Medium
- Remote Data Archive feature must be disabled
- Verify that the 'remote data archive' configuration option is disabled.
- Risk: Medium
- Replication XPs feature must be disabled
- Verify that the 'replication xps' configuration option is disabled.
- Risk: Medium
- SQL Server Mirroring endpoint encryption
- Verify that SQL Server Mirroring endpoint utilizes AES encryption.
- Risk: Medium
- SQL Server Service Broker endpoint encryption
- Verify that SQL Server Service Broker endpoint utilizes AES encryption.
- Risk: Medium
- SQL Server Usage and Error Reporting Auditing
- Verify that the SQL Server Usage and Error Reporting Auditing is enabled.
- Risk: Medium
- Stored procedures and functions that utilize impersonation
- Report the list of stored procedures and functions that utilize EXECUTE AS.
- Risk: Medium
- The NT AUTHORITY\SYSTEM account is used for administration
- Check permissions granted to the NT AUTHORITY\SYSTEM account.
- Risk: High
- User Options feature must be disabled
- Verify that the 'user options' configuration option is disabled.
- Risk: Low
MySQL
- Critical Patch Update - January 2019
- Check version to determine if the database contains vulnerabilities described by Critical Patch Update - January 2019.
- Risk: Medium
- Require current password when changing the password
- Verify that non-privileged users must provide their current password at the time they set a new password.
- Risk: Low
PostgreSQL
- Check hba conf file to see if values hostssl AND cert is used
- Verify that the PostgreSQL pg_hba.conf file contains the following: type: hostssl, method: cert
- Risk: Medium
- Check hba conf file to see if values hostssl AND clientcert is used
- Verify that the PostgreSQL pg_hba.conf file contains the following: type: hostssl, options: clientcert=1
- Risk: Medium
- Ensure auditing is enabled for all direct access to databases
- Verify that the following PostgreSQL EDB parameters are configured correctly: edb_statement, edb_connect, edb_disconnect
- Risk: Medium
- Ensure edb_audit is configured correctly
- Verify that the PostgreSQL EDB parameter edb_audit is properly configured and ENABLED.
- Risk: Medium
- Ensure edb_audit_connect is configured correctly
- Verify that the PostgreSQL EDB parameter edb_audit_connect is properly configured.
- Risk: Medium
- Ensure edb_audit_statement is configured correctly
- Verify that the PostgreSQL EDB parameter edb_audit_statement is properly configured.
- Risk: Medium
- Ensure fips option is included in OpenSSL version
- Verify that a FIPS compliant OpenSSL library is installed.
- Risk: Medium
- Ensure security label policies are enabled
- Verify that security label policies are enabled on database objects for PostgreSQL EDB.
- Risk: Medium
- Ensure the permissions on the edb_audit directory are correct
- Verify that the permissions on the PostgreSQL EDB edb_audit directory are correct.
- Risk: Medium
- Ensure the permissions on the server.key file are correct
- Verify that the permissions of the PostgreSQL parameter ssl_cert_file (server.key) are correct.
- Risk: Medium
- Ensure there is a connection limit for each role and aligns with organization policies
- Verify that the PostgreSQL connection limit for roles is enabled and aligned with your organization's policies.
- Risk: Medium
- Ensure there is monitoring of database objects to prevent unauthorized modifications
- Verify that there are jobs enabled that prevent unauthorized modification of database objects.
- Risk: Medium
- Ensure users who have access to data input are protected from SQL injection
- Verify that the database users responsible for data input are protected against SQL injection.
- Risk: Medium
- Must disable network protocols, functions, and ports deemed unsecure
- Verify that the PostgreSQL pg_hba.conf file contains certain logic and that the port is an acceptable secured port.
- Risk: Medium
- Verify sample databases are removed from PostgreSQL installation
- Verify that the sample databases of the PostgreSQL installation are removed.
- Risk: Medium
Updated Checks
MySQL
- Latest release not installed
- Support MySQL 5.6.43, 5.7.25
- Risk: High
- Release update not installed on time
- Support MySQL 5.6.43, 5.7.25
- Risk: High
Sybase
- Latest patch not applied
- Support SAP ASE 16.0 SP03 PL06
- Risk: High
- Patch not applied on time
- Support SAP ASE 16.0 SP03 PL06
- Risk: High
New Policies
- DISA-STIG Oracle 12c V1R12 - Audit (Built-in)
- This policy has been created with the guidelines mapped out in the DOD Security Technical Implementation Guides "Oracle Database 12c Security Technical Implementation Guide Version 1 Release 12".
- DISA-STIG PostgreSQL EDB V1R5 - Audit (Built-In)
- This policy has been created with the guidance of the configuration parameters outlined by the DISA-STIG PostgreSQL EDB Advanced Server Security Technical Implementation Guide Version 1, Release 5.
- DISA-STIG SQL Server 2012 V1R18 - Audit (Built-in)
- This policy has been created with the guidance of the configuration parameters outlined by the DISA-STIG Microsoft SQL Server 2012 Security Technical Implementation Guide Version 1, Release 18.
Updated Policies
- Base Line - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Basel II - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Basel II - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Best Practices for Federal Gov. - Audit (Built-in)
- Microsoft SQL Server: Access to linked servers: Informational
- Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
- Microsoft SQL Server: Customer Feedback and Error Reporting: Informational
- Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
- Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
- Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
- Microsoft SQL Server: Replication XPs feature must be disabled: Medium
- Microsoft SQL Server: SQL Server Mirroring endpoint encryption: Medium
- Microsoft SQL Server: SQL Server Service Broker endpoint encryption: Medium
- Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
- Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
- Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
- Microsoft SQL Server: User Options feature must be disabled: Low
- MySQL: Critical Patch Update - January 2019: Medium
- MySQL: Require current password when changing the password: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- CIS v1.0.0 for MySQL 5.7 - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- CIS v1.0.0 for Oracle 11gR1&R2 - Audit (Built-in)
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- CIS v2.0 for Oracle 12c - Audit (Built-In)
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- CIS v2.2.0 for Oracle 11gR2 - Audit (Built-In)
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- CNIL - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- MySQL: Require current password when changing the password: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- DISA-STIG Database Security - Audit (Built-in)
- Microsoft SQL Server: Access to linked servers: Informational
- Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
- Microsoft SQL Server: Customer Feedback and Error Reporting: Informational
- Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
- Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
- Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
- Microsoft SQL Server: Replication XPs feature must be disabled: Medium
- Microsoft SQL Server: SQL Server Mirroring endpoint encryption: Medium
- Microsoft SQL Server: SQL Server Service Broker endpoint encryption: Medium
- Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
- Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
- Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
- Microsoft SQL Server: User Options feature must be disabled: Low
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- DISA-STIG Oracle 11gR2 V1R14 - Audit (Built-in)
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- DISA-STIG Oracle 12c V1R11 - Audit (Built-in)
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Database Best Practices
- Microsoft SQL Server: Access to linked servers: Informational
- Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
- Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
- Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
- Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
- Microsoft SQL Server: Replication XPs feature must be disabled: Medium
- Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
- Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
- Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
- Microsoft SQL Server: User Options feature must be disabled: Low
- MySQL: Critical Patch Update - January 2019: Medium
- MySQL: Require current password when changing the password: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Download - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- EU Data Protection Directive - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- EU Data Protection Directive - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- FISMA - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- FISMA - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- FedRAMP - Audit (Built-in)
- New Checks
- MySQL: Critical Patch Update - January 2019: Medium
- MySQL: Require current password when changing the password: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Full - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Gramm-Leach-Bliley Act - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Gramm-Leach-Bliley Act - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- HIPAA - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- HIPAA - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Heavy - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Integrity - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- MITS - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Massachusetts 201 CMR 17.00
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Medium - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- MiFID - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- MiFID - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- PCI Data Security Standard - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- PCI Data Security Standard - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Passwords - Audit (Built-in)
- New Checks
- MySQL: Require current password when changing the password: Medium
- Safe - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Sarbanes-Oxley - Audit (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Sarbanes-Oxley - Pen Test (Built-in)
- MySQL: Critical Patch Update - January 2019: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- Strict - Audit (Built-in)
- Microsoft SQL Server: Access to linked servers: Informational
- Microsoft SQL Server: Allow Polybase Export feature must be disabled: Medium
- Microsoft SQL Server: Customer Feedback and Error Reporting: Informational
- Microsoft SQL Server: External Scripts Enabled feature must be disabled: Medium
- Microsoft SQL Server: Hadoop Connectivity feature must be disabled: Medium
- Microsoft SQL Server: Remote Data Archive feature must be disabled: Medium
- Microsoft SQL Server: Replication XPs feature must be disabled: Medium
- Microsoft SQL Server: SQL Server Mirroring endpoint encryption: Medium
- Microsoft SQL Server: SQL Server Service Broker endpoint encryption: Medium
- Microsoft SQL Server: SQL Server Usage and Error Reporting Auditing: Medium
- Microsoft SQL Server: Stored procedures and functions that utilize impersonation: Medium
- Microsoft SQL Server: The NT AUTHORITY\SYSTEM account is used for administration: High
- Microsoft SQL Server: User Options feature must be disabled: Low
- MySQL: Critical Patch Update - January 2019: Medium
- MySQL: Require current password when changing the password: Medium
- Oracle: Critical Patch Update/Patch Set Update - January 2019: Medium
- PostgreSQL: Check hba conf file to see if values hostssl AND cert is used: Medium
- PostgreSQL: Check hba conf file to see if values hostssl AND clientcert is used: Medium
- PostgreSQL: Ensure auditing is enabled for all direct access to databases: Medium
- PostgreSQL: Ensure edb_audit is configured correctly: Medium
- PostgreSQL: Ensure edb_audit_connect is configured correctly: Medium
- PostgreSQL: Ensure edb_audit_statement is configured correctly: Medium
- PostgreSQL: Ensure fips option is included in OpenSSL version: Medium
- PostgreSQL: Ensure security label policies are enabled: Medium
- PostgreSQL: Ensure the permissions on the edb_audit directory are correct: Medium
- PostgreSQL: Ensure the permissions on the server.key file are correct: Medium
- PostgreSQL: Ensure there is a connection limit for each role and aligns with organization policies: Medium
- PostgreSQL: Ensure there is monitoring of database objects to prevent unauthorized modifications: Medium
- PostgreSQL: Ensure users who have access to data input are protected from SQL injection: Medium
- PostgreSQL: Must disable network protocols, functions, and ports deemed unsecure: Medium
- PostgreSQL: Verify sample databases are removed from PostgreSQL installation: Medium
User Creation Scripts
Availability
- Available to all AppDetectivePRO and DbProtect customers with maintenance (subscription or perpetual) in good standing at no additional cost.
- AppDetectivePRO customers can also use the Updater within the product.