Database Scanning
The relational database management system is the workhorse powering web applications and other business processes grounded in information technology. There are two aspects to protecting databases from exploits. First is the code that brings each application to life. Managing code-based vulnerabilities entails static line-by-line review of each program, coupled with dynamic scanning of finished applications, such as with QualysGuard Web Application Security. But there is also a "meat-and-potatoes" aspect to securing databases that must not be ignored: continuous monitoring of the access controls and other settings that directly affect the database itself.
Qualys solutions in the QualysGuard IT Security and Compliance Suite enable stronger security for relational databases.
QualysGuard Vulnerability Management provides the ability to remotely detect more than 540 vulnerabilities for database platforms including Oracle, Microsoft SQL Server, DB2, MySQL, and Postgres.
QualysGuard Policy Compliance also checks access controls and database settings for the following relational database management systems:
- Oracle 9i (a total of 176 controls are addressed by QualysGuard PC)
- Oracle 10g (197 controls)
- Oracle 11g (199 controls)
- Microsoft SQL Server 2000 (71 controls)
- Microsoft SQL Server 2005 (92 controls)
- Microsoft SQL Server 2008 (91 controls)
The table below provides a small sample subset of the access controls and database settings addressed by QualysGuard Policy Compliance for Oracle 11g. For a complete list of controls for this or other database management systems, please contact us for more information.
| Oracle 11g Database Control ID (sample subset) | Statement Addressed by QualysGuard Policy Compliance |
|---|---|
| Access Control 1786 | Current list of accounts having access to 'WITH GRANT' privilege |
| Access Control 1785 | Current list of accounts having access to 'WITH ADMIN' privilege |
| Access Control 1784 | Current list of accounts having access to 'X$' tables |
| Access Control 1556 | Current list of accounts having privileges assigned directly (Guidance = None) |
| Access Control 1464 | Current list of 'roles' that are not password protected (Guidance = None) |
| Access Control 1461 | Revocation of the PUBLIC privilege within the DBMS_OBFUSCATION_TOOLKIT |
| Access Control 1354 | Current list of accounts having access to the 'CREATE' privilege |
| Database Setting 3427 | Status of the Oracle 'System Identifier' (SID) |
| Database Setting 3404 | Current list of ORACLE accounts with 'PRIVATE_SGA' set to 'UNLIMITED' |
| Database Setting 3403 | Status of the 'PRIVATE_SGA' setting |
| Database Setting 3395 | Current list of 'ORACLE accounts with CPU_PER_SESSION set to UNLIMITED' |
| Database Setting 3392 | Status of the 'CPU_PER_SESSION' setting |
| Database Setting 3391 | Current list of 'ORACLE accounts with IDLE_TIME set to UNLIMITED' |
| Database Setting 3390 | Status of the 'IDLE_TIME' setting (in minutes) |
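The controls in the table above each reduce to a question the database can answer about itself. As an added illustration (not Qualys's own checks, and not a statement of how QualysGuard PC implements them), the queries below enumerate the same conditions from the Oracle data dictionary. They assume an Oracle 11g instance and a session that can read the DBA_* views and V$INSTANCE (for example, a DBA or a user holding SELECT_CATALOG_ROLE).

```sql
-- Added example: data-dictionary queries that enumerate the conditions behind
-- the sample Oracle 11g controls listed above. Not Qualys code. Assumes the
-- standard Oracle 11g views DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS,
-- DBA_ROLES, DBA_PROFILES, DBA_USERS and V$INSTANCE are readable.

-- Access Control 1786: accounts holding object privileges WITH GRANT OPTION
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantable = 'YES'
 ORDER BY grantee, owner, table_name;

-- Access Control 1785: accounts holding system privileges or roles WITH ADMIN OPTION
SELECT grantee, privilege AS granted, 'SYSTEM PRIVILEGE' AS kind
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
UNION ALL
SELECT grantee, granted_role, 'ROLE'
  FROM dba_role_privs
 WHERE admin_option = 'YES'
 ORDER BY 1, 2;

-- Access Control 1784: object grants whose target is a SYS X$ fixed table
-- (the expected result is no rows)
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name LIKE 'X$%';

-- Access Control 1556: system privileges granted directly to user accounts
-- instead of through roles (joining to DBA_USERS filters out role grantees)
SELECT p.grantee, p.privilege
  FROM dba_sys_privs p
  JOIN dba_users u ON u.username = p.grantee
 ORDER BY p.grantee, p.privilege;

-- Access Control 1464: roles that are not password protected
SELECT role, password_required
  FROM dba_roles
 WHERE password_required = 'NO';

-- Access Control 1461: PUBLIC still holds a privilege on DBMS_OBFUSCATION_TOOLKIT
-- (the expected result after revocation is no rows)
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND table_name = 'DBMS_OBFUSCATION_TOOLKIT';

-- Access Control 1354: accounts holding any CREATE system privilege
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege LIKE 'CREATE%'
 ORDER BY grantee, privilege;

-- Database Setting 3427: the instance name (SID) currently in use
SELECT instance_name FROM v$instance;

-- Database Settings 3390-3404: open accounts whose profile leaves PRIVATE_SGA,
-- CPU_PER_SESSION or IDLE_TIME at UNLIMITED. A limit of DEFAULT inherits from
-- the DEFAULT profile, which ships with these resources set to UNLIMITED, so it
-- is reported as well.
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name IN ('PRIVATE_SGA', 'CPU_PER_SESSION', 'IDLE_TIME')
   AND p.limit IN ('UNLIMITED', 'DEFAULT')
   AND u.account_status = 'OPEN'
 ORDER BY u.username, p.resource_name;
```

Each query returns the population that the corresponding control statement describes. For the two controls where the page's guidance is a revocation or an absence (1461 and 1784), any row returned is a finding; for the enumeration controls (1786, 1785, 1556, 1464, 1354 and the profile settings), the result set is what a reviewer compares against the organization's approved list of privileged accounts and resource limits.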
