Scuba is a free tool that scans leading enterprise databases for security vulnerabilities and configuration flaws, including patch levels, so you can uncover potential database security risks. It includes more than 2,300 assessment tests for Oracle, Microsoft SQL Server, SAP Sybase, IBM DB2 and MySQL. You can run a Scuba scan from any Windows, Mac or Linux client.
Depending on your database size, users, groups and network connection, an average Scuba scan normally takes 2-3 minutes. No pre-installation or other dependencies are required – all you need to do is download the tool. Once you install you’re ready to go! We’ve compiled these five useful tips to help get you started with Scuba.
#1: Selecting a User
The easiest method is to select a user with full permissions (DBA role/level). However, if you do not own the database or you wish to create a dedicated user for the assessment scan, you can ask your DBA team to create a user with the least permissions required, as described in the documentation guide (see Figures 1 and 2).
Figure 1: To access the documentation guide in Scuba, click Help and then Support from the navigation menu.
Figure 2: Required permissions for each database type can be found in the documentation guide.
If you’re uncertain whether the required user permissions were set properly, you can verify that right after a scan has finished (Figure 3). If the highlighted warning below is not visible with your results, it means permissions for that user are sufficient for a Scuba scan.
Figure 3: Indication of insufficient permissions to complete a Scuba scan.
#2: Reading the Scan Results
The Results pane shows a summary of scanned assessments found within your database. Hovering over the doughnut chart will show the absolute number per result, rather than just percentage (Figure 4).
“Passed” means the database does not have this issue/vulnerability, while “Failed” means there is an issue or an exploitable vulnerability within your database. “Info” marks tests that include potential risks and best practices offered by Imperva security researchers, as well as recommendations from well-known regulations, such as CIS and DISA (STIG), for how to remediate them. It is highly recommended to review all these risks and assess them according to your company’s security policies.
Figure 4: Scan results summary.
#3: Identifying Vulnerabilities
The list of all current exploitable vulnerabilities is probably the most critical piece of information you need. To find these vulnerabilities, sort by the “Test” column and look for tests that start with “CVE-” (Figure 5).
Expanding the CVE test result can help you understand what the CVE is about, including a full description (under “Link”) and the suggested remediation. Updating your database to the latest version is the best security option.
Figure 5: CVE detailed description.
#4: Finding Suggested Remediation for Assessments
Many of the tests include a remediation description. A test with remediation is identified with the medical kit icon (Figure 6). Some will include tips and best practices for remediation and some may even include the exact SQL to execute. Sometimes it’s as simple as hovering over the medical kit icon to find the information.
Figure 6: Hover over the medical kit icon for quick remediation view.
The number next to the tabular icon represents how many data fields Scuba found for that specific test (Figure 7). For example, the screenshot below shows “Users Assigned DBA Role” (all non-default DBA users, total of 2) for your review, as well as recommended remediation.
Figure 7: Detailed view of data fields and full remediation explanation.
Note: While Scuba may find more than 50 results, the free tool displays only up to 50 data results per test (Figure 8). Full display results and more features are available with SecureSphere Database Discovery and Assessment.
Figure 8: Data field results, limited to up to 50 data results per test with Scuba.
#5: Checking Compliance Status
To understand the database compliance status, check your score with the “Compliance Readiness” gauge. In the example below, a score of 68% means 68% of the total CIS and DISA (STIG) assessments passed successfully. In other words, this database does not pass a third of all compliance tests that Scuba offers.
To analyze each of the failed compliance tests, sort by the “Compliance” column (Figure 9).
Figure 9: Compliance scan results.
Still having issues?
You’re welcome to contact us at any time with issues or questions from within the tool itself. Just click the “contact us” link to email our support team (Figure 10).
Figure 10: How to contact the Scuba support team
For more information on how to use Scuba, watch our short demo.