Configuring and running penetration test assessments
To configure and run penetration testing against target databases:
- Ensure that the FortiDB database user specified in the target configuration for the database you want to test has the required privileges. For more information, see Privileges for VA assessments, privilege summaries, and penetration tests.
- In the navigation menu, go to Administration > Global Configuration, and then click the Assessment tab.
- Complete the following settings:

| Setting | Description |
| --- | --- |
| Enable Pen Test | Select True. |
| Enable Pen Test For All Users in Database (software-only version) | When set to true, FortiDB runs the pentest policies against all users in the database. When set to false, the pentest policies use the system accounts and passwords that you place in the <dbtype>user.txt file (see the software-only steps below). For more information on the file, see Files used for penetration tests. |
| Pen Test Method | Specify the method that FortiDB uses to connect to databases for penetration tests using one of the following values: 1 - Login method; 2 - Hash-based method (available for Oracle or Microsoft SQL databases only); 3 - Hybrid method (FortiDB uses the hash-based method when it is available). For more information on these settings, see Connection options for penetration tests. |
| Pen Test Password Dictionary | Specify the file that contains the passwords that the Dictionary policy checks. If you do not select a file, the policy uses the default dictionary. The Browse button allows you to select a dictionary file. Click Save to complete your selection. FortiDB does not display the name of the uploaded file. To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save. Your dictionary file is deleted. For software-only versions of FortiDB, for more information on creating the password dictionary file, see Files used for penetration tests. |

- To make your pentest settings take effect, restart FortiDB.
- For software-only version users:
  - If you set Enable Pen Test For All Users in Database to false, copy the <dbtype>user.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the system account and password values in the file with the values that you want the pentest policies (except the Default Password policy) to use. For the oradefault.txt file, ensure that the system account and password values are in uppercase.
  - If you want the Default Password policy to use a custom list of system accounts with default passwords instead of the default list, copy the <dbtype>default.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the usernames and password values in the file with the values that you want the Default Password policy to use. For the orauser.txt file, ensure that the usernames and passwords are in uppercase.
  - If you did not use the Pen Test Password Dictionary property to select a password dictionary file and want the Dictionary policy to use a custom dictionary, copy the dictionary.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest. Replace the password values in the file with the values that you want the Dictionary policy to use.
  For more information on the files, see Files used for penetration tests.
- Go to Policy > VA Policy Groups, and then click Pen Test Policy Group.
- To enable or disable pentest policies, select the checkbox for one or more policies, and then click Enable or Disable.
- Optionally, to edit a policy, click the policy name, edit the settings, and then click Save.
- Assign the Pen Test Policy Group to a new or existing assessment. For detailed instructions, see Adding or modifying assessments.
- Run the assessment. For detailed instructions, see Running assessments.
- Evaluate the results of your assessment. "Failed" means your passwords are weak and may not protect you from malicious login attempts.
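The file-staging step for software-only installations, written as an added shell example; this is not FortiDB's own tooling. It assumes the directory layout named in that step (etc/conf/pentest for templates, conf/pentest for the active copies) and, for the uppercase check, that the Oracle files contain only the account and password values, since the page does not describe the file format.

```shell
#!/bin/sh
# Added example, not part of FortiDB. Stages the pentest account files for one
# database type and checks the Oracle uppercase requirement from the procedure.

# stage_pentest_files INSTALL_DIR DBTYPE
# Copies <dbtype>user.txt, <dbtype>default.txt and dictionary.txt from
# INSTALL_DIR/etc/conf/pentest to INSTALL_DIR/conf/pentest, skipping any file
# that is not present in the template directory. Returns 1 if the template
# directory itself is missing, 0 otherwise.
stage_pentest_files() {
    src="$1/etc/conf/pentest"
    dst="$1/conf/pentest"
    [ -d "$src" ] || return 1
    mkdir -p "$dst"
    for f in "$2user.txt" "$2default.txt" dictionary.txt; do
        [ -f "$src/$f" ] && cp "$src/$f" "$dst/$f"
    done
    return 0
}

# check_uppercase FILE
# The orauser.txt and oradefault.txt values must be uppercase. Assumes the file
# holds only those values (format is not specified on the page); returns 1 if
# any lowercase letter is present, 0 otherwise.
check_uppercase() {
    ! grep -q '[[:lower:]]' "$1"
}
```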