Questions About PFCLScan
Adrian Lane (https://securosis.com/) emailed me yesterday to ask some questions about PFCLScan and I responded to him via email. As the questions were great and the answers may be useful to others I have decided to publish his questions and my answers here; so here they are:
- What versions of Oracle are supported?
Directly/natively we support all supported versions of Oracle, so 10.2.0.5 to current 188.8.131.52. We also support natively Oracle 184.108.40.206 to 10.2.0.5 (unsupported by Oracle). We can also support earlier versions of Oracle, even down to version 7 because we have an "offline mode" whereby a policy can be "dumped" to a script it means that we can run the same policy through older Oracle clients but from within the PFCLScan software. We may also support older Oracle NET clients in a future version
- Do you offer users a recommended set of credentials to run the scan with?
Yes, the credentials are simple, read only. The basic set is just three privileges (actually two plus the ability to connect to the database). As these two privileges are sweeping (SELECT ANY TABLE and SELECT ANY DICTIONARY) we can also specifiy lower privileges but this means a lot more individual ones; this is safer but strangely people perfer the simplicity. If its for a one off audit then simplicity is fine if the account is created and removed for the audit; if its longer term and multiple scans (we recommend this) then we also recommend having the more detailed privileges which are less than the sweeping ones.
- Does the scan cover the OS layer as well as the DB Internals?
Yes, we can scan scan the operating system as well. this is done via an ssh (telnet also works but not recommended) connection. For scanning Unix/Linux this is fine but for Windows ssh needs to be installed on the targets which it is not always available. We are working to look at adding WMI but this will be in a future release. We currently have shipped audit policies for the database layer. The tool can run OS layer checks now but we have not shipped built audit policies for the OS layer yet. We will ship linux/Unix policies in a future release. We also support many other check types such as sftp, ftp, ftps, interview (so you can use PFCLScan to host questions and gather answers and notes, the results of which can be fed into furthr checks using any check type/language. We also support external checks (run anything via the DOS prompt) and also checks written in PFCLLuaScript (Lua with our extensions) so that checks can be written that can analyse data gathered via other checks offline in the tool itself.
- Can scans be automated/scheduled?
The PFCLScan software can be run from the command line. There is a simple batch script interface that allows the "engines" to run from the command line so that you can design projects/policies and reports in the GUI and then automate or integrate with other software. PFCLScan uses XML for all projects/policies/results/ so it consumes XML and produces XML as its configurations and results. Currently we support scheduling via Windows AT or SCHTASKS. We are looking to bring scheduling inside the tool but the Windows facilities work just fine for now. Because we use a template based reporting language all reports can be any text file (XML, HTML, SQL or ...) we an produce input for any other software easily and automated. We can also generate projects and policies for PFCLScan itself using PFCLScans report engine. Also PFCLScan can itself be run as a check in one of its own policies ad-infinitum so PFCLScan can also generate projects and policies for itself so automation is very powerful. For instance we can start with a spreadsheet of database connect details and run a single project that will take each connect details, check if each is live and reachable and then generate an audit project for each live database and run it and generate detailed reports for each or generate a single report across all databases. A sinngle project can also include multiple database targets and servers.
- Sounds like the deployment model is to install on the same platform as the database - is this correct?
No, the deployment is to install PFCLScan on a PC or laptop running Windows and to scan one or many databases from one or multiple PC's. Although it is not on the road-map we have talked about supporting the engines on Linux but not the GUI. This is a possibility if enough interest is shown.
The PC deployment is also why we created a simple license model so that one person can install once with a "Pro" license and scan as many targets as they wish or an organisation can install on as many PC's as needed to scan all databases. This is the "Enterprise" license.