PFCLScan is a very powerful open framework based product. Open in the sense that its easy to add your own policies and tests/signatures/rules. There are many names used in the industry for the things we check for in security but in simple terms these are groups of security checks. The grouping is at the policy level and each policy can hold as many checks as needed. The openness of the framework is intended to allow authors of policies and checks to create their own in many different languages and scopes such as SQL, PL/SQL, shell, Lua and much more.
The openness and power is also visible in the hierarchical nature of checks and policies. In simple terms we (or indeed any customer) can write a check where the output of that check can be fed as input to a subsequent check. This can be done statically, i.e. get the data once and use many times in subsequent checks. This could be to get the database version or to get a list of default users. This information can be used many times in multiple checks or many times even in the same check. We will show some examples in this website.
PFCLScan also supports dynamic hierarchical checks. In this mode a list of data items can be created/extracted and then used in further checks where the further check can be run for every data element in the first check. This is a powerful concept and when it is combined with multiple check types even more powerful. For instance a check in one policy may derive a list of certain database or even operating system structures. This list can be used is a subsequent check that does a detailed analysis of those structures; but the key point is that the analysis check doesn’t know what those checks are until it gets them.
PFCLScan Key Scanning Features and Benefits
- Detects weak and insecure passwords for Oracle 10g, 11g and 12c
- Locates passwords stored in the Oracle database
- Tests for secure configuration settings for compliance
- Tests PL/SQL code for insecurities
- Works with Oracle 12cR1 container databases
- Works with Oracle 9i to 12cR1
- Check versions and patches
- Uses Oracle OCI instant client, so no full client installations needed
- Review user privileges and profiles
- Detailed assessment of users and schemas for least privilege
- Detailed review of audit trail configurations
- Tests for root kits, backdoors and forensic evidence of possible attacks
- Detailed Summary reports or detailed reports
- Ability to generate fix scripts
- Powerful interface to allow custom policies to be created
- All of our shipped policies are open and readable and extendable
- Powerful and easy to use reporting language
- Easily expandable and customisable to create your own policies
- Plugins, automation and more
- Command line or GUI
Below is a list of the key concept features of PFCLScan:
PFCLScan is project based. You can create a new project for each of your clients if you are a consultant or for each of your internal scans if you work with only PFCLScan in your own company. You can create as many projects as you wish and open as many as you need in the interface at the same time. A project is a container for each scanning project. A project contains the details for each target you wish to scan, the policies that you wish to use to scan with and also report templates. The project also contains all of the results from every scan that you perform.
The project is a neat container to allow easy and consistent structure for all of your scanning efforts.
PFCLScan has been architected, designed and created by Pete Finnigan an expert in the database security field for almost 15 years. PFCLScan has been designed to create a unique chance to benefit from an experts real world experience in securing data held in Oracle databases. PFCLScan has also been conceived to help you create a secure environment for your data. The product takes you from capture of architecture, data flow and user identification through to an initial deep analysis of a single (or more) database. From there a correction strategy can be developed before implementing scanning, monitoring and compliance testing.
The main focus of the product for us when we designed it was to allow someone to buy it and within a minute or so after installing be able to run an audit against their database.
The second focus was to promote the point that simply running a standard audit designed by someone else is not the perfect solution. The better solution is to conduct a detailed review and design a specific standard or policy that says “what a secure database” looks like for your organisation. We want people to do that and we therefore wanted PFCLScan to be used to implement that policy. We have included many time saving features to allow you to quickly create your own policies that allow you to test your own compliance. These include:
- Libraries to allow quick reuse of code
- Structured policies and checks that allow tests to be re-used easily in different projects
- Projects so that you can design a set of tests and re-use them as many times as you wish on as many targets as you wish
- Heirarchy to allow sophistication and power to be included in your policies
- Different test types including SQL, PL/SQL, Shell, DOS scripts, Lua, sftp, ftp and much more to allow a thorough policy to be created
What we wanted to achieve is sophisitication and power with quick development and implementation and use. We also designed PFCLScan with the developer in mind so we include:
- Instrumentation; We have instrumented the whole of PFCLScan so that you can enable logging, error logging and trace on all of the Graphical user interface and also all of the engines used to execute your policies. These log and trace files are visible within the interface and also searchable. They can be reviewed yourself to help development of your policies or saved and uploaded to support for assistance
- Tuning: we provide reports that show the detailed performance of a whole project, whole policy or individual checks so that you can assess where tuning should take place on your developed policies and tests. You can also change a range of configurations to improve and tune the policies that you have created; these techniques and features are described in the 350 page manual
- Programmers Editor: The interface includes a color syntax highlighting programmers editor to help you develop your own policies and tests. This includes macros and also snippits as well as every editor feature you would expect in a development environment.
- Flexible Interface: The graphical user interface is also created with a developer in mind. You can hide and move and layer windows to your hearts content to make development of your own policies, checks and reports as simple as as quick as possible
- Libraries: You can use our policies and checks in your own policies and checks. None of our checks are hidden, none of our reports are hidden, you can take ours and “save as” and create your own. This is a good aid to fast creation of your own custom policies
PFCLScan Modes of Operation
PFCLScan has two main modes of operation:
PFCLScan is an ideal tool for auditors – targetted at auditing a small number of databases in a deep and methodological way to get the clearest deepest picture of your current security. Ideal for external auditors, internal auditors and DBA’s
PFCLScan is ideal too for end customers to scan many databases with your own custom developed policies or ours to understand which databases must be secured. It also provides a roles as a monitoring or compliance tool. PFCLScan is scalable and can be run remotely or completely from the command line. All of the key scanning functionallity is seperated architecturaly from the console to allow this. This means that 1 + n child engines can be deployed and controlled from the central console. The console also provides centralised reporting.
PFCLScan General Features
Some of the exciting features of PFCLScan are listed below:
- General Features
- Easy to use
- Modern Ribbon interface including fully dockable windows and skins
- Easy installation or upgrades
- Modes of operation: audit, correction, scanning, monitor, compliance and more
- Project driven
- Easily create your own policies and checks
- Built in command line tools for ad-hoc exploration and check/policy development
- Generate fix scripts, audit configuration, IDS/IPS policies, MS Word policies, policies for PFCLScan
- Simple licensing, support, upgrade terms
- Comprehensive editors for targets, policies
- Large suite of shipped policies and checks for deep auditing
- Unique hierarchical policies controlled at compile time or run time
- Unique correllation of results
- Unique loop checks
- Checks in many formats, interview, architecture, SQL, PL/SQL, shell, built in commands and much more
- Built in check command language PFCLScript and PFCLLuaScript
- On line mode or off-line mode – suitable for offline analysis of data
- Full command line support and scriptable
- Customer modification allowed for built in policies and checks
- Built-in Reporting
- Built in sofisticated programmable reporting tool – PFCLReports
- Fully programmable reporting language PFCLReportScript
- Large suite of shipped reports
- Create your own reports in many formats, txt, html, xml, MS Word, or customise ours
- Much More…..