Oval 5.x Databases Proposal
[OVAL:DB]
Quick Discussion Draft
Ken Lassesen, Patchlink.com
Intellectual Property Statement
PatchLink grants the OVAL™ community an unrestricted use license for any
content of this document when incorporated into OVAL™’s official schema and
official standards.
PatchLink Corporation
3370 N. Hayden Road #123-175
Scottsdale, AZ 85251
T: 480.970.1025
F: 480.970.6323
PatchLink OVAL SOA Series
1. Table of Contents
1. Table of Contents ... 2
2. Objectives ... 3
3. Connections Parameters ... 4
3.1 Implementation Specific Parameters ... 5
4. Discussion of Issues ... 7
4.1 Driverless Definitions ... 7
4.2 Database Protocol Issues ... 7
4.3 Data Engine and Database Discovery ... 8
4.4 Local Database Registry ... 9
4.5 OVAL Parameters ... 9
4.6 Results ... 10
5. SQL Test Mockup ... 11
6. Revision History ... 12
PatchLink Corporation
Oval 5.x Databases Proposal
2
2. Objectives
This proposal examines the issues involved in creating SQL Tests for OVAL. By SQL Tests we
mean tests for databases (which are generally 'SQL', i.e. relational, databases).
The first critical issue is connecting to the database, which raises a multitude of issues for a
generic solution. These issues include:
 Absence or presence of different drivers for a specific database.
 The need to secure the login and password from discovery or interception (i.e. OVAL
should not itself create a vulnerability).
 The multitude of databases.
The following assumptions are made:
 All access will be to a local (on the same machine) database.
 The information should not be driver specific or driver formatted, but conceptual, so that it
may be mapped onto whatever appropriate drivers are available.
o The mapping is an implementation-specific problem.
o The information should not mandate a specific technology (i.e. JDBC, ODBC,
OLEDB, .Net etc.)
Examples of some possible test scenarios:
 Check that the databases are appropriately configured, for example:
 Check that all databases (of all types) on the machine require sign-ons.
o None of the sign-ons use default passwords or empty passwords.
 Check that there is no code that exhibits certain patterns, for example SQL injection or
equivalent.
It is important to remember that in general we are not checking specific databases for specific
configurations but checking:
 Database engines of a certain type for certain engine-configuration settings.
 All databases using a specific engine for certain database-configuration settings which
should be applied to all databases.
In other words, we are doing set operations and not element operations.
The scenario of doing specific checks on specific databases (identified by database name or
data file name) may still need to be done in some cases, for example a replicated local database
containing sensitive data.
This is a first draft of a possible solution to a complex problem.
Ken.Lassesen@patchlink.com
3. Connections Parameters
The following parameters are suggested [with equivalent names in square brackets]. The
parameter names are suitable for XML attributes (and should be exclusively lower case).
Note that there are some namespace collisions between different drivers, so the definition
should be checked carefully against the driver's definition.
For more information see the following sites (and the links there):
http://www.connectionstrings.com
http://java.sun.com/j2se/1.3/docs/guide/jdbc/getstart/connection.html
http://msdn2.microsoft.com/en-us/library/ms378988.aspx
In some cases, the drivers may be case sensitive to the parameter term being used.
 ApplicationName – rarely used, but some databases have screened connections by the ApplicationName presented (restricting logins to things like 'PSSClient').
 Charset [Character Set, Encoding] – the character set to use for communications.
 ConnectionString – for older Oracle.
 Data_source [Data Source] – a pointer to a 'DSN' or equivalent. Otherwise use Server.
 Database [Initial Catalog, Db, DataBase, Catalog, Default Collection, DB, Location, UDB, DATABASE, instanceName] – the name of the database on the Server.
 DBA Privilege – Oracle.
 Dbf [DbName, AttachDbFilename, Data Source, dbq, DB, Project Name, File Name, FILEDSN] – the physical location of the database file.
 DefaultDir – the physical folder containing the database files.
 Default_Schema [Default Schema]
 Dialect [Version] – used with InterBase and Firebird; Version is used with SQLite.
 Driver [DRIVER] – typically used by ODBC {SQL Server | SYBASE ASE ODBC Driver | SYBASE SYSTEM 11 | INTERSOLV 3.60 32-BIT Sybase | Sybase SQL Anywhere | Firebird/InterBase(r) driver | SQL Native Client | Ingress | msdaora | MIMER | mySQL}
 DriverID – Paradox, DBF, FoxPro.
 Dsn – Data Source Name.
 Encrypt [Encrypt Database, SSL] – {yes | no}
 Engine – the database engine; in general this will be used instead of Driver or Provider, and the choice of connection mechanism is left to the interpreter. There is a case where the driver or provider itself is the focus, in which case they should be used [1].
 Fil – Paradox 5.x only.
 Integrated_Security [IntegratedSecurity, OSAuthent]
o {'SSPI'} is equivalent to Trusted_Connection=true
 Network_Library [Network Library, Network Transport Library] – {DBMSSOCN | TCPIP}
 Option – MySQL specific.
 Package_Collection [Package Collection] – IBM DB2.
 PipeName [Pipe Name] – for the Named Pipe protocol.
[1] See CVE-2004-1560. Summary: Microsoft SQL Server 7.0 allows remote attackers to cause a denial of service (mssqlserver service halt) via a long request to TCP port 1433, possibly triggering a buffer overflow.
 Port [Server Port Address, Service, PORT, portNumber] – often part of the server address; the port to connect through.
 Protocol [Network Library, PROTOCOL] – {olsoctcp | onsoctcp} the communications protocol to be used.
 Provider – typically used by OLE DB {sqloledb | ASAProv | SQLNCLI | Ifxoledbc.2 | IBMDA400 | SQLBaseOLEDB | IBMDADB2}
 ProxyUid [Proxy User ID]
 ProxyPwd [Proxy Password]
 Pwd [Password, PW, Jet OLEDB:Database Password] – the password for the login.
 Server [Data Source, Srvr, NA, NetworkAddress, DataSource, System, SRVR, ServerName, ADDRESS, Location, SERVER, Network Address, ServerAddress] – the IP address or DNS name of the server.
 ServerType – used with InterBase and Firebird.
 SslMode – PostgreSQL.
 SystemDatabase [Jet OLEDB:System Database] – Microsoft Access database containing the master catalog of logins.
 Trusted_Connection – {true | false}
 Uid [User ID, User Id, UserID, User, userName] – the database login.
 Version – the version of the engine that the database is formatted for.
Most of the above information should not be in OVAL; it is information needed to connect to the
database. See below for the items that may be cited.
3.1 Implementation Specific Parameters
The following items are excluded as being unlikely to be needed in the description of the database.
Their values may be set based upon the drivers being used.
 AllAsText
 ApplicationUsingThreads
 Asynchronous Processing
 BACKGROUNDFETCH
 CollatingSequence [Collating Sequence,Collate]
 Command Loggin
 Compress
 Connection Lifetime
 Connection Timeout
 DataCompression
 Decr Pool Size
 DELETED
 Direct – mySql, appears to be specific to the Core Lab .Net driver
 disableStatementPooling
 Exclusive
 Extended Properties
 Extensions
 Failover Partner [failoverPartner] – SQL Server
 FetchChunkSize
 File Mode – SQL Server 2005 Compact Edition
 FileOpenCache
 Host – name of client
 Incr Pool Size
 IntlSort
 lastUpdateCount
 lockTimeout
 loginTimeout
 LongNames
 MARS_Connection [MarsConn, MultipleActiveResultSets] – SQL Server
 Max Buffer Size
 MaxPoolSize
 MaxTextLength
 MinPoolSize
 NoTXN
 NULL
 Packet_Size [Packet Size]
 Persist Security Info
 Pooling
 Poolsize
 Role – InterBase
 SELECTLOOPS
 selectMethod – ["direct" | "cursor"]
 sendStringParametersAsUnicode
 STATIC CURSORS
 StepAPI
 SyncPragma
 Temp File Max Size
 Timeout
 TranslationOption
 User Instance – SQL Server
 UseRemoteConnection
 workstationID
 xopenStates
4. Discussion of Issues
4.1 Driverless Definitions
The author feels that the following are significant factors for an effective solution:
 Remove specific driver dependencies from the tests.
 There should be an enumeration of database engines.
So the test may contain something like:
<sql_test database="SQLServer2005, SQLServer2005CE, SyBase">
The interpreter (which may install specific drivers) would then select the appropriate driver to
connect to the database.
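The driver-neutral parameters of section 3 still have to become a real connection string once the interpreter has picked a driver. The following is an added example, not code from the proposal or from PatchLink: it maps the conceptual names (using the bracketed aliases the proposal lists) onto ODBC and OLE DB syntax for one assumed engine enumeration value, and brace-quotes any value containing ';' so a value cannot append extra attributes to the string.

```python
# Added example (not from the PatchLink proposal): map the proposal's
# conceptual, driver-neutral connection parameters onto two concrete
# driver syntaxes, ODBC and OLE DB, using the alias names the proposal
# lists in square brackets.  The engine enumeration value and the
# alias table are assumptions for illustration.

# Conceptual name -> driver-specific attribute name (from the alias lists).
ALIASES = {
    "odbc":  {"server": "Server", "dbf": "AttachDbFilename", "database": "Database",
              "uid": "Uid", "pwd": "Pwd", "trusted_connection": "Trusted_Connection"},
    "oledb": {"server": "Data Source", "dbf": "AttachDbFilename",
              "database": "Initial Catalog", "uid": "User ID", "pwd": "Password",
              "trusted_connection": "Integrated Security"},
}

# Engine enumeration -> the driver / provider the interpreter would select.
ENGINE_DRIVERS = {
    "SQLServer2005": {"odbc": ("Driver", "SQL Native Client"),
                      "oledb": ("Provider", "SQLNCLI")},
}


def _quote(value, flavour):
    """Quote a value containing ';' so it cannot split or extend the string."""
    if ";" not in value:
        return value
    return "{%s}" % value if flavour == "odbc" else '"%s"' % value


def build_connection_string(params, flavour):
    """Build a connection string from conceptual params for 'odbc' or 'oledb'."""
    key, name = ENGINE_DRIVERS[params["engine"]][flavour]
    # ODBC driver names are conventionally brace-quoted; OLE DB provider names are not.
    parts = ["%s={%s}" % (key, name) if flavour == "odbc" else "%s=%s" % (key, name)]
    for concept, driver_name in ALIASES[flavour].items():
        if concept not in params:
            continue
        value = params[concept]
        if concept == "trusted_connection":
            # ODBC spells it Trusted_Connection=Yes; OLE DB uses Integrated Security=SSPI.
            if not value:
                continue
            value = "Yes" if flavour == "odbc" else "SSPI"
        parts.append("%s=%s" % (driver_name, _quote(str(value), flavour)))
    return ";".join(parts) + ";"


if __name__ == "__main__":
    conceptual = {"engine": "SQLServer2005", "server": r".\SQLExpress",
                  "dbf": r"C:\OVAL\mydbfile.mdf", "database": "dbname",
                  "trusted_connection": True}
    print(build_connection_string(conceptual, "odbc"))
    print(build_connection_string(conceptual, "oledb"))
```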
4.2 Database Protocol Issues
Most databases support a multitude of protocols with the ability to enable or disable them. This
means that an OVAL interpreter must be able to use all of the protocols available so it is
capable of searching for an open protocol to the server.
Figure 1 Client Protocol Configuration in SQL Server 2005
Additionally, the protocols can be configured, for example for TCP/IP, a different port may be
used. There may be several options as shown with the Virtual Interface Architecture (VIA)
below.
Figure 2 TCP/IP Configuration
Figure 3 Named Pipes Configuration
Figure 4 VIA Configuration
4.3 Data Engine and Database Discovery
It is possible for one server to have multiple instances of a specific database server as well as
older versions concurrent with the latest version. There are two classes of tests which are
apparent:
 Test the configuration of all instances of the database engine on this computer.
 Test the configuration of all databases in each instance of the database engine.
Existing OVAL tests can, and should, be able to determine which database engines and database
drivers are installed. The interpreter would then need to be able to start the engine (if it is
stopped). Starting an engine does not grant access to each of the databases that may be
associated with the engine. In some cases applications will mount the databases dynamically,
as shown by this connection string for SQL Server 2005:
Driver={SQL Native Client}; Server=.\SQLExpress; AttachDbFilename=C:\OVAL\mydbfile.mdf;
Database=dbname;Trusted_Connection=Yes;
Thus the interpreter may need to scan the available disks for database files [this will likely need
to be done by examining the header bytes of each file, since file extensions are often changed to
mask the database engine]. In some cases (for example Microsoft Access), the database file(s)
are never loaded into the engine at all.
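An added illustration of the header-byte approach (not code from the proposal): a scanner that walks a directory tree and identifies database files by their leading bytes rather than their extension. The SQLite and Access (Jet/ACE) signatures are the documented ones for those formats; the sample files it writes are constructed for the demo, and the rest of the signature table is an assumption to be extended per engine.

```python
import os
import tempfile

# (offset, magic bytes, engine).  The SQLite and Jet/ACE entries are the
# documented signatures; extend this table for other engines.
SIGNATURES = [
    (0, b"SQLite format 3\x00", "SQLite"),
    (4, b"Standard Jet DB", "Microsoft Access (Jet)"),
    (4, b"Standard ACE DB", "Microsoft Access (ACE)"),
]
HEADER_LEN = 32  # enough bytes to cover every signature above


def identify_header(header):
    """Return the engine whose signature matches the file's first bytes, or None."""
    for offset, magic, engine in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return engine
    return None


def scan_for_databases(root):
    """Walk root; return {path: engine} for files whose header matches, ignoring extensions."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(HEADER_LEN)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            engine = identify_header(header)
            if engine:
                found[path] = engine
    return found


def build_sample_tree(root):
    """Write constructed sample files whose extensions hide what they are (demo data only)."""
    samples = {
        "notes.txt": b"SQLite format 3\x00" + b"\x00" * 84,   # SQLite behind .txt
        "report.doc": b"\x00\x01\x00\x00Standard Jet DB\x00",  # Access behind .doc
        "plain.dat": b"just some bytes, not a database",      # no signature
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)


def demo():
    """Scan a throwaway directory of constructed files; return {file name: engine}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.basename(p): e for p, e in scan_for_databases(root).items()}
```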
4.4 Local Database Registry
At first sight, it could be assumed that using a trusted connection and connecting as the system
administrator would grant access to all databases. Unfortunately, when dealing with sensitive data,
this is incorrect: the system administrator may be denied access to the database.
It is suggested, for the sake of efficiency, that the interpreter implement a secure store listing
each database on the machine (using the parameters described above), with each connection
node having a unique @id. It is suggested that @uid and @pwd be encrypted so they may not be
retrieved except by the interpreter (which would hold the key). A utility would allow new @uid
and @pwd values to be set or added.
Information that may be returned from the sql_test could include:
 Database engine instances checked
 Databases checked
 Databases not checked because of login failure
 Databases not checked because of engine issues (will not mount – typically an engine /
database version mismatch).
This approach would allow all of the desired databases to be checked quickly with complete
automation. Databases that lack logins are easily identified, and the missing login data can then be
provided.
4.5 OVAL Parameters
In Connections Parameters above there were many parameters needed to connect to a specific
database. In terms of OVAL tests, some of this information may need to be referenced. The
following are suggested:
 Engine – what engine does this apply to
o An enumeration of names is recommended.
 Version – version of the engine
 Database – logical database name
o A pattern match would apply to all databases (including unmounted databases)
 Dbf – physical database file name
o A pattern match would apply to all files with that name
 DefaultDir – physical folder containing the database files (where the database consists
of multiple files, e.g. Clipper, FoxPro)
The last item is the command to execute. It is suggested that the commands be serialized into
individual statements as separate <command> elements, that is:
<command>SET NOCOUNT ON</command>
<command>SET ROWCOUNT 10</command>
<command>SELECT * FROM SysObjects</command>
instead of the more problematic
<command>SET NOCOUNT ON;SET ROWCOUNT 10;SELECT * FROM SysObjects</command>
A necessary evil is to implement a command filter for each engine to ensure that the commands
will not cause any side effects on the server.
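The serialized <command> form and the per-engine command filter together, as an added example that is not part of the proposal: the code parses a constructed sql_variable (using the oval-definitions-5 database namespace from the mockup), then checks each statement against an assumed allowlist for a SQL Server engine, rejecting statement separators, comments and anything that is not a side-effect-free SET or SELECT.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#database}"

# Constructed sql_variable in the proposal's one-statement-per-<command> form;
# the last two commands are there to show the filter rejecting them.
SAMPLE = """<sql_variable xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#database"
     id="oval:org.mitre.oval:var:1104" version="1">
  <command>SET NOCOUNT ON</command>
  <command>SET ROWCOUNT 0</command>
  <command>SELECT * FROM SysObjects</command>
  <command>SELECT name FROM SysObjects; DROP TABLE audit</command>
  <command>EXEC sp_who</command>
</sql_variable>"""

# Side-effect-free statement shapes permitted for a SQL Server engine (assumed allowlist).
ALLOWED = [
    re.compile(r"^SET\s+NOCOUNT\s+(ON|OFF)$", re.I),
    re.compile(r"^SET\s+ROWCOUNT\s+\d+$", re.I),
    re.compile(r"^SELECT\s+(?!.*\bINTO\b).+$", re.I | re.S),  # SELECT ... INTO writes a table
]
# Separators, comment openers and write/execute keywords are never accepted.
FORBIDDEN = re.compile(
    r";|--|/\*|\b(EXEC|EXECUTE|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|GRANT|xp_\w+)\b",
    re.I)


def extract_commands(xml_text):
    """Return the <command> texts of a sql_variable, in document order."""
    root = ET.fromstring(xml_text)
    return [(c.text or "").strip() for c in root.findall(NS + "command")]


def check_command(sql):
    """Return (ok, reason) for one statement; ok only if it matches the allowlist."""
    if FORBIDDEN.search(sql):
        return False, "forbidden token or statement separator"
    if any(p.match(sql) for p in ALLOWED):
        return True, "allowed"
    return False, "not an allowlisted read-only statement"


def filter_variable(xml_text):
    """Apply the engine filter to every command; returns [(sql, ok, reason), ...]."""
    return [(sql,) + check_command(sql) for sql in extract_commands(xml_text)]
```

An interpreter would refuse to run the whole sql_variable if any command fails, rather than executing the accepted prefix.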
4.6 Results
Returned results should always be XML from the interpreter. The XML may be passed through
an XSLT to give an appropriate OVAL state for the results. See <xmlfilecontent_test> for a
model.
5. SQL Test Mockup
<?xml version="1.0" encoding="utf-8"?>
<oval_definitions>
  <!-- Reference to an engine -->
  <sql_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#database" id="oval:org.mitre.oval:obj:2104" version="1">
    <engine>Microsoft SQL Server</engine>
  </sql_object>
  <sql_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#database" id="oval:org.mitre.oval:obj:1104" version="1">
    <engine>Microsoft Fox Pro</engine>
  </sql_object>
  <sql_state xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#database" id="oval:org.mitre.oval:ste:1154" version="1">
    <version operation="greater than">6.5</version>
  </sql_state>
  <!-- Reference to all databases, by logical name pattern -->
  <sql_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#database" id="oval:org.mitre.oval:obj:1105" version="1">
    <database operation="pattern match">*</database>
  </sql_object>
  <!-- Reference to a database by physical file name pattern -->
  <sql_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#database" id="oval:org.mitre.oval:obj:1106" version="1">
    <dbf operation="pattern match">master.mdf</dbf>
  </sql_object>
  <!-- Execution of the commands should result in XML being returned -->
  <sql_variable xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#database" id="oval:org.mitre.oval:var:1104" version="1">
    <!-- Prevent row counts being added to the response; ROWCOUNT 0 ensures all records are sent -->
    <command>SET NOCOUNT ON</command>
    <command>SET ROWCOUNT 0</command>
    <command>SELECT * FROM SysObjects</command>
  </sql_variable>
  <sql_variable xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#database" id="oval:org.mitre.oval:var:1105" version="1">
    <!-- Get all system objects -->
    <command>SELECT * FROM SysObjects</command>
  </sql_variable>
  <sql_test comment="SQLServer 6.5 and later"
            xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#database"
            id="oval:org.mitre.oval:tst:1105" version="1">
    <object object_ref="oval:org.mitre.oval:obj:2104" />
    <state state_ref="oval:org.mitre.oval:ste:1154" />
  </sql_test>
</oval_definitions>
6. Revision History
Version: 1.0
Date: 2007-04-18
Author(s): Ken Lassesen
Description: Initial Draft for public circulation
Intellectual Property Caveat
The contents of this document may include concepts, algorithms or methodologies that may be
the subject of one or more patent applications.