Configuring and running penetration test assessments
To configure and run penetration testing against target databases:
1. Ensure that the FortiDB database user specified in the target configuration for the database you want to test has the required privileges.
For more information see “Privileges for VA assessments, privilege summaries, and penetration tests”.
2. In the navigation menu, go to Administration > Global Configuration, and then click the Assessment tab.
3. Complete the following settings:
Enable Pen Test
Select True.
Enable Pen Test For All Users in Database
(software-only version)
When set to false, all pentest policies except Default Password test the database using the usernames in <dbtype>user.txt only.
When set to true, the policies test using all database usernames.
For information on creating the <dbtype>user.txt file, see step 5.
For more information on the file, see “Files used for penetration tests”.
Pen Test Method
Specify the method that FortiDB uses to connect to databases for penetration tests using one of the following values:
1 - Login method
2 - Hash-based method (available for Oracle or Microsoft SQL databases only)
3 - Hybrid method (FortiDB uses the hash-based method when it is available)
For more information on these settings, see “Connection options for penetration tests”.
Pen Test Password Dictionary
Specify the file that contains the passwords that the Dictionary policy checks.
If you do not select a file, the policy uses the default dictionary.
The Browse button allows you to select a dictionary file. Click Save to complete your selection.
FortiDB does not display the name of the uploaded file.
To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save. Your dictionary file is deleted.
For software-only versions of FortiDB, for information on creating the dictionary.txt file, see step 5.
For more information on the password dictionary file, see “Files used for penetration tests”.
4. To make your pentest settings take effect, restart FortiDB.
5. For software-only version users:
If you set Enable Pen Test For All Users in Database to false, copy the <dbtype>user.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the system account and password values in the file with the values that you want the pentest policies to use (except the Default Password policy).
For the oradefault.txt file, ensure that the system account and password values are in uppercase.
If you want the Default Password policy to use a custom list of system accounts with default passwords instead of the default list, copy the <dbtype>default.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the usernames and password values in the file with the values that you want the Default Password policy to use.
For the orauser.txt file, ensure that the usernames and passwords are in uppercase.
If you did not use the Pen Test Password Dictionary property to select a password dictionary file and want the Dictionary policy to use a custom dictionary, copy the dictionary.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest. Replace the password values in the file with the values that you want the Dictionary policy to use.
For more information on the files, see “Files used for penetration tests”.
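The file staging in step 5 is easy to get wrong in two ways: overwriting a copy you already customised in conf/pentest, and leaving lowercase values in the Oracle files. The following POSIX shell helper is an added example written for this page, not a FortiDB-supplied script. It assumes the installation directory is passed as the first argument, that the files are plain text, and that "ora" is the <dbtype> string for Oracle (taken from the orauser.txt and oradefault.txt names above); it copies each template only if no active copy exists and then reports any lowercase ASCII letter in the Oracle files.

```shell
#!/bin/sh
# Added example, not part of FortiDB: stage the software-only pentest
# input files from step 5 and sanity-check the Oracle ones.
# Assumptions (not from the page): $1 is the FortiDB installation
# directory and the files are plain text.

# Copy one template from etc/conf/pentest into conf/pentest unless a
# customised copy already exists (never clobber edited credentials).
# $1 = FortiDB installation directory, $2 = file name
stage_pentest_file() {
    src="$1/etc/conf/pentest/$2"
    dst="$1/conf/pentest/$2"
    [ -f "$src" ] || { echo "missing template: $src" >&2; return 1; }
    mkdir -p "$1/conf/pentest"
    if [ -e "$dst" ]; then
        echo "keeping existing $dst"
        return 0
    fi
    cp "$src" "$dst"
    echo "staged $dst"
}

# orauser.txt and oradefault.txt must hold uppercase account and password
# values; print every line that still contains a lowercase ASCII letter.
# Returns 1 if any Oracle file in conf/pentest fails the check.
check_oracle_uppercase() {
    dir="$1/conf/pentest"
    rc=0
    for f in orauser.txt oradefault.txt; do
        [ -f "$dir/$f" ] || continue
        if LC_ALL=C grep -n '[a-z]' "$dir/$f"; then
            echo "$f: lowercase values listed above; FortiDB expects uppercase" >&2
            rc=1
        fi
    done
    return $rc
}

# Stage the user, default-password and dictionary files for one database
# type and run the Oracle check.  $1 = install dir, $2 = <dbtype> string
stage_all() {
    stage_pentest_file "$1" "$2user.txt" &&
    stage_pentest_file "$1" "$2default.txt" &&
    stage_pentest_file "$1" "dictionary.txt" &&
    check_oracle_uppercase "$1"
}

# Usage: stage_all /opt/fortidb ora   (path is a placeholder)
```

Run it before step 4's restart so that FortiDB picks up the staged files; because the active copies contain real system account passwords, keep them readable only by the account FortiDB runs as.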
6. Go to Policy > VA Policy Groups, and then click Pen Test Policy Group.
7. To enable or disable pentest policies, select the checkbox for one or more policies, and then click Enable or Disable.
8. Optionally, to edit a policy, click the policy name, edit the settings, and then click Save.
9. Assign the Pen Test Policy Group to a new or existing assessment.
For detailed instructions, see “Adding or modifying assessments”.
10. Run the assessment.
For detailed instructions, see “Running assessments”.
11. Evaluate the results of your assessment.
"Failed" means your passwords are weak and may not protect you from malicious login attempts.
See also
Connection options for penetration tests
Files used for penetration tests