Managing Pen Tests

This topic describes how to configure and run Penetration Testing against target databases you specify.

1. You can set the following properties in the System Configuration component of the FortiDB application.

   Pen Test-related System Properties:

   Property	Purpose	Possible Values and Default Values
   Enable Pen Test	When set to true, the Pen Test capability is enabled. When set to false, which is the default, the Pen Test capability is disabled.	true or false. The default value is false.
   Enable Pen Test For All Users in Database (Standalone only)	When set to false, FortiDB uses the user names in <dbtype>user.txt, where dbtype represents the target-database type and is one of these strings: ora for Oracle sql for MS-SQL db2 for DB2 UDB syb for Sybase mysql for MySQL When set to true, FortiDB ignores the user names in <dbtype>user.txt.	true or false. The default value is true.
   Pen Test Method	The Login method actually logins in to your target databases. Caution:Be careful when using this method. Since its login attempts may be unsuccessful, it can result in preventing any, even approved, users from logging in to your target database. The Hash-based method is a safer, offline approach, but is available for only Oracle and MS SQL target databases. (A 'hash' is the value obtained after encrypting a clear-text string.) With the Hybrid method, FortiDB attempts the best available method. If the hash-based method is available, as will be the case with Oracle and MS-SQL targets, FortiDB uses it.	1=Login method 2=Hash-based method 3=Hybrid The default value is Hybrid. (If you select the Hash-based method for Sybase or DB2 targets, none of the Pen Test rules will be applied, your assessment result will be essentially empty, and no error will be signaled.)
   Pen Test Password Dictionary	A file containing the passwords to be checked when executing the Dictionary Penetration test. The Browse button allows you to select your dictionary file. You need to select the Save button to complete your selection.	“Built-in Dictionary” indicates that the default dictionary is being used. “User Dictionary” indicates that you have uploaded your own dictionary file. The filename of the dictionary you upload will not appear here. Note:When you restore the default dictionary by checking the checkbox, and selecting Restore Default(s) and then Save, your dictionary file will be deleted from the system.

   Note: After changing Pen Test properties, you must restart FortiDB to take your change into effect.
2. Decide which of the following policies are suitable for your organization. This table explains which files each Pen Test Policy uses:

   Policy Name	File Used	Evaluate Content
   Default Password	<dbtype>default.txt	All the username/password pairs in the file.
   Username Reversed	<dbtype>user.txt	The pairing of usernames in the file with those same user names reversed as passwords.
   Same as Username	<dbtype>user.txt	The pairing of usernames in the file with those same usernames as passwords.
   Username Following Number	<dbtype>user.txt	The pairing of usernames in the file with those same usernames followed by one or more numbers as passwords.
   Number Following Username	<dbtype>user.txt	The paring of usernames with those same usernames preceding one or more numbers as the passwords.
   Dictionary	<dbtype>user.txt, dictionary.txt	The pairing of username in the <dbtype>user.txt file with every password in dictionary.txt file.

3. (For standalone users) If you set Enable Pen Test For All Users in Database to false, you must copy all of the files in the table below from <FortiDB-install directory>/etc/conf/pentest to <FortiDB-install directory>/conf/pentest and edit them. The user name and password both have to be uppercase in the Oracle-related oradefault.txt and orauser.txt files.

   Filename	Content
   <dbtype>default.txt	A list of user name and password pairs that will be used for Default Password policy.
   <dbtype>user.txt	A list of system or user accounts. The user names in this file will be used for all policies except for Default Password policy.
   dictionary.txt	A list of passwords to use for Pen Test Dictionary policy. You can use your dictionary file by setting the Pen Test Password Dictionary property in the Assessment tab of the System Configuration page. Note: When FortiDB executes the Pen Test Dictionary policy, the domain name automatically added in the password list.

   Note: The Enable Pen Test for All Users in Database property is not available for Appliance users.
4. If you use Dictionary Policy, you can set your own dictionary file using Pen Test Password Dictionary property in the Assessment tab of the System Configuration page.
5. You might also have to set proper privileges on your target database. For more information see Target Privilege Matrix.
6. Select the Policy Groups link in the Policy Management section of the left-side tree-navigation menu.
7. Select the Pen Test Policy Group.
8. Activate (or deactivate) Pen Test policies you want to run by checking the check box(es) next to each policy of interest and then clicking the Enable or (Disable) button.
9. Optionally you can edit each policy by clicking on it and then modifying one or more of the following items. After you modify a policy, select the Save button on the Policy details page.
   • Severity
   • Classification
   • Keywords
   • Status
10. Go to the Assessments link in the Assessment Management section of the left-side tree-navigation menu and create an assessment:
    1. In the Policies tab of the Assessment page, select the Pen Test Policy Group within the Available Policy Groups list and then select the right arrow.
    2. Save your Pen Test Assessment.
    3. Run the Pen Test assessment.
    4. Evaluate the results of your assessment.
       Note: "Failed" means your passwords are weak and may not protect you from malicious login attempts.