https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743510#M944112 Hi,<BR /><BR />For databases, the ISS Database Scanner works very well in scanning for Oracle-level security loopholes. I am pleased with it. Too bad there isn't one for SAP R/3 level as yet.<BR /><BR />There are two modes, one for normal scan, the other for penetration test.<BR /><BR />The database scan test will scan for invalid password policies, poor passwords, poorly assigned table privileges and roles etc. It will also call the ISS Internet Scanner if it is available on the scanner system.<BR /><BR />The penetration test will try to compromise an Oracle account on your system and read from the hashed password tables to crack additional Oracle passwords.<BR /><BR />Note that you will need the Oracle Net8 (sqlnet) client to be installed on the scanner system to allow it to connect to the scanned system for performing the audits.<BR /><BR />Hope this helps. Regards.<BR /><BR />Steven Sim Kok Leong Thu, 13 Jun 2002 01:30:14 GMT Steven Sim Kok Leong 2002-06-13T01:30:14Z https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743508#M944110 Anyone have any information on a good security scan tool that can be run from a desktop PC instead of installing on the actual server?<BR /> Wed, 12 Jun 2002 23:19:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743508#M944110 Tony Romero 2002-06-12T23:19:21Z https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743509#M944111 Hi,<BR /><BR />The only one I know of (there could be more) is ESM. From what I remember of this you load a client on your HPUX server and run a 'server' session from either a PC or an NT workstation.<BR /><BR /><A href="http://www.enterprise-security.com/unixsecurity.htm" target="_blank">http://www.enterprise-security.com/unixsecurity.htm</A><BR /><BR />HTH<BR />~Michael~ Wed, 12 Jun 2002 23:47:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743509#M944111 Michael Tully 2002-06-12T23:47:02Z https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743510#M944112 Hi,<BR /><BR />For databases, the ISS Database Scanner works very well in scanning for Oracle-level security loopholes. I am pleased with it. Too bad there isn't one for SAP R/3 level as yet.<BR /><BR />There are two modes, one for normal scan, the other for penetration test.<BR /><BR />The database scan test will scan for invalid password policies, poor passwords, poorly assigned table privileges and roles etc. It will also call the ISS Internet Scanner if it is available on the scanner system.<BR /><BR />The penetration test will try to compromise an Oracle account on your system and read from the hashed password tables to crack additional Oracle passwords.<BR /><BR />Note that you will need the Oracle Net8 (sqlnet) client to be installed on the scanner system to allow it to connect to the scanned system for performing the audits.<BR /><BR />Hope this helps. Regards.<BR /><BR />Steven Sim Kok Leong Thu, 13 Jun 2002 01:30:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743510#M944112 Steven Sim Kok Leong 2002-06-13T01:30:14Z https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743511#M944113 Hi,<BR /><BR />I forgot to give you the link:<BR /><BR /><A href="http://www.iss.net" target="_blank">http://www.iss.net</A><BR /><BR />You can download a trial, request for a trial license to test your test database on.<BR /><BR />Hope this helps. Regards.<BR /><BR />Steven Sim Kok Leong Thu, 13 Jun 2002 01:32:28 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743511#M944113 Steven Sim Kok Leong 2002-06-13T01:32:28Z https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743512#M944114 Check <A href="http://www.cisecurity.org/" target="_blank">http://www.cisecurity.org/</A><BR /><BR />I haven't yet run the HP-UX<BR />tools, but the Cisco tools<BR />run remotely. A quick look<BR />indicates that server access<BR />may be required.<BR /><BR />You could also try any of the<BR />satan derivitives. I don't<BR />know of any for Windows,<BR />but you should be able to<BR />have an old 486 up and running<BR />Linux and scanning within<BR />an hour or two.<BR /> Thu, 13 Jun 2002 13:09:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/security-scan-tools/m-p/2743512#M944114 Bill Thorsteinson 2002-06-13T13:09:42Z