Handbook (HTML)

Configuring and running penetration test assessments

To configure and run penetration testing against target databases
  1. Ensure that the FortiDB database user specified in the target configuration for the database you want to test has the required privileges. For more information, see Privileges for VA assessments, privilege summaries, and penetration tests.
  2. In the navigation menu, go to Administration > Global Configuration, and then click the Assessment tab.
  3. Complete the following settings:

    Enable Pen Test

    Select True.

    Enable Pen Test For All Users in Database (software-only version)

    When set to false, all pentest policies except Default Password test the database using only the usernames in <dbtype>user.txt.

    When set to true, the policies test using all database usernames.

    For information on creating the <dbtype>user.txt file, see the software-version step later in this procedure. For more information on the file, see Files used for penetration tests.

    Pen Test Method

    Specify the method that FortiDB uses to connect to databases for penetration tests using one of the following values:

    • 1 - Login method
    • 2 - Hash-based method (available for Oracle or Microsoft SQL databases only)
    • 3 - Hybrid method (FortiDB uses the hash-based method when it is available)

    For more information on these settings, see Connection options for penetration tests.

    Pen Test Password Dictionary

    Specify the file that contains the passwords that the Dictionary policy checks. If you do not select a file, the policy uses the default dictionary.

    The Browse button allows you to select a dictionary file. Click Save to complete your selection. FortiDB does not display the name of the uploaded file.

    To restore the default dictionary, select the Pen Test Password Dictionary item, click Restore Default(s), and then click Save. Your uploaded dictionary file is deleted.

    For software-only versions of FortiDB, for information on creating the dictionary.txt file, see the software-version step later in this procedure. For more information on the password dictionary file, see Files used for penetration tests.

  4. To make your pentest settings take effect, restart FortiDB.
  5. For software version users:
    • If you set Enable Pen Test For All Users in Database to false, copy the <dbtype>user.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the system account and password values in the file with the values that you want the pentest policies (except the Default Password policy) to use.
    • For the orauser.txt file, ensure that the usernames and passwords are in uppercase.
    • If you want the Default Password policy to use a custom list of system accounts with default passwords instead of the default list, copy the <dbtype>default.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest, where <dbtype> is the string that specifies the type of database to assess. Replace the username and password values in the file with the values that you want the Default Password policy to use.
    • For the oradefault.txt file, ensure that the system account and password values are in uppercase.
    • If you did not use the Pen Test Password Dictionary property to select a password dictionary file and want the Dictionary policy to use a custom dictionary, copy the dictionary.txt file from <FortiDB installation directory>/etc/conf/pentest to <FortiDB installation directory>/conf/pentest. Replace the password values in the file with the values that you want the Dictionary policy to use.
    For more information on the files, see Files used for penetration tests.

  6. Go to Policy > VA Policy Groups, and then click Pen Test Policy Group.
  7. To enable or disable pentest policies, select the checkbox for one or more policies, and then click Enable or Disable.
  8. Optionally, to edit a policy, click the policy name, edit the settings, and then click Save.
  9. Assign the Pen Test Policy Group to a new or existing assessment. For detailed instructions, see Adding or modifying assessments.
  10. Run the assessment. For detailed instructions, see Running assessments.
  11. Evaluate the results of your assessment. "Failed" means your passwords are weak and may not protect you from malicious login attempts.
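The software-version file step above is easy to get wrong: the files have to be copied from etc/conf/pentest to conf/pentest, and the Oracle ones (orauser.txt and oradefault.txt) must contain only uppercase usernames and passwords or the policies will test the wrong values. The following script is an added example, not FortiDB's own tooling. It takes the two directory paths and the three file names from this procedure; everything else is an assumption: the install directory is a placeholder you supply, the sample lines in demo() are constructed placeholders (the real file format is documented in Files used for penetration tests, not here), and the uppercase check is deliberately format-agnostic, flagging any non-blank line that contains a lowercase ASCII letter, on the assumption that the files carry no comment lines.

```python
"""Stage FortiDB pentest files and check the Oracle files for lowercase entries.

Added example: not Fortinet code. Directory and file names come from the
FortiDB handbook procedure; file contents below are constructed placeholders.
"""
import shutil
import tempfile
from pathlib import Path

# Paths relative to <FortiDB installation directory>, as named in the procedure.
SOURCE_SUBDIR = Path("etc") / "conf" / "pentest"
TARGET_SUBDIR = Path("conf") / "pentest"
# Oracle files whose usernames and passwords must be uppercase.
ORACLE_FILES = ("orauser.txt", "oradefault.txt")


def stage_pentest_files(install_dir, names):
    """Copy the named files from etc/conf/pentest to conf/pentest.

    Files that are absent are skipped (for example dictionary.txt when a
    dictionary was uploaded through the Pen Test Password Dictionary setting).
    Returns the list of file names that were copied, in the order given.
    """
    src = Path(install_dir) / SOURCE_SUBDIR
    dst = Path(install_dir) / TARGET_SUBDIR
    dst.mkdir(parents=True, exist_ok=True)
    copied = []
    for name in names:
        if (src / name).is_file():
            shutil.copy2(src / name, dst / name)
            copied.append(name)
    return copied


def lowercase_lines(text):
    """Return 1-based numbers of non-blank lines containing a lowercase ASCII letter.

    Assumption: the file has no comment lines, so any lowercase letter means an
    account or password was not entered in uppercase as the procedure requires.
    """
    return [
        n for n, line in enumerate(text.splitlines(), 1)
        if line.strip() and any("a" <= ch <= "z" for ch in line)
    ]


def check_oracle_files(install_dir):
    """Map each Oracle file present in conf/pentest to its offending line numbers."""
    pentest_dir = Path(install_dir) / TARGET_SUBDIR
    return {
        name: lowercase_lines((pentest_dir / name).read_text())
        for name in ORACLE_FILES
        if (pentest_dir / name).is_file()
    }


def demo():
    """Build a throwaway install directory, stage constructed sample files, and
    run the uppercase check. Returns (copied_names, findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / SOURCE_SUBDIR
        src.mkdir(parents=True)
        # Constructed placeholder lines, not real accounts: line 1 is compliant,
        # line 2 is the mistake the check is meant to catch.
        (src / "orauser.txt").write_text(
            "EXAMPLE_USER,EXAMPLE_PASS\nexample_user,example_pass\n")
        (src / "oradefault.txt").write_text("DEFAULT_ACCT,DEFAULT_PASS\n")
        (src / "dictionary.txt").write_text("Placeholder1\nPlaceholder2\n")
        copied = stage_pentest_files(tmp, ORACLE_FILES + ("dictionary.txt",))
        findings = check_oracle_files(tmp)
    return copied, findings


if __name__ == "__main__":
    staged, results = demo()
    print("staged:", staged)
    for filename, bad in results.items():
        print(f"{filename}: {'OK' if not bad else f'lowercase on line(s) {bad}'}")
```

On a real host, call stage_pentest_files and check_oracle_files with your own <FortiDB installation directory> instead of the temporary directory, edit the staged copies to hold the accounts you want the policies to use, re-run check_oracle_files until it reports no offending lines, and only then restart FortiDB as the procedure requires.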
