
Deploy IBM Guardium VA on Amazon Relational Database Service (RDS)

Product Documentation


Abstract

This document lists the privileges, roles, or both that must be granted to the account that performs the IBM Guardium Vulnerability Assessment (VA) scan on Amazon Relational Database Service (RDS). Because Amazon RDS withholds certain system-administrative privileges, the gdmmonitor scripts that normally create the privileged VA account cannot be run there; this document provides a workaround.

Content

If you are running a VA scan against a database that is not hosted on Amazon Relational Database Service, refer to the general gdmmonitor scripts for the requirements. For more information, see https://www.ibm.com/support/knowledgecenter/SSMPHH_10.1.0/com.ibm.guardium.doc/assess/va_intro.html

VA Privilege Role requirements on MS-SQL Server Amazon Relational Database Service

The Amazon RDSADMIN account has full capability and the proper privileges to run all Guardium MS-SQL Server VA tests, except for CAS. The CAS agent is not supported on an Amazon Relational Database Service instance. If you need to create a separate user to run MS-SQL Server VA tests, note that the new user requires the following roles and privileges in order to run all of the tests:

· setupadmin server role

· read only database role (on each database where grants are allowed)

· VIEW ANY DATABASE privilege

· VIEW ANY DEFINITION privilege

· VIEW SERVER STATE privilege
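The page gives the MS-SQL Server requirements but no script for them. The following T-SQL is an added example, not IBM's gdmmonitor script, that creates a login named sqlguard with exactly the roles and permissions listed above. It assumes that db_datareader is the "read only database role", that it is run as the RDS master user from a tool that understands GO batch separators, and that the password value is a placeholder you replace.

```sql
-- Added example: least-privilege VA scan login for MS-SQL Server on Amazon RDS.
-- Run as the RDS master user. Replace the password placeholder before use.
USE master;
GO
CREATE LOGIN [sqlguard] WITH PASSWORD = N'<replace-with-strong-password>';
GO
-- Server-level role and permissions required by the VA tests.
ALTER SERVER ROLE [setupadmin] ADD MEMBER [sqlguard];
GRANT VIEW ANY DATABASE TO [sqlguard];
GRANT VIEW ANY DEFINITION TO [sqlguard];
GRANT VIEW SERVER STATE TO [sqlguard];
GO
-- Read-only membership in each user database where grants are allowed.
-- db_datareader is assumed to be the "read only database role".
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE database_id > 4             -- skip master, tempdb, model, msdb
      AND name <> N'rdsadmin'         -- RDS-managed database; grants are not allowed there
      AND state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside dynamic SQL scopes the database change to this batch only.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N''sqlguard'')
            CREATE USER [sqlguard] FOR LOGIN [sqlguard];
        ALTER ROLE [db_datareader] ADD MEMBER [sqlguard];';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;
GO
-- Verification: the server-level permissions the new login ended up with.
-- Expect only VIEW ANY DATABASE, VIEW ANY DEFINITION, VIEW SERVER STATE (plus CONNECT SQL).
SELECT p.permission_name, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS s ON s.principal_id = p.grantee_principal_id
WHERE s.name = N'sqlguard';
GO
```

If a database rejects the CREATE USER or ALTER ROLE step, exclude it in the WHERE clause of the cursor; the VA tests that need per-database read access will then report that database as not scanned rather than failing the whole run.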

VA Privilege requirements on Oracle Amazon Relational Database Service

The Amazon Relational Database Service ADMIN account has full capability and the proper privileges to run all Guardium Oracle VA tests, except for CAS. The CAS agent is not supported on an Amazon Relational Database Service instance. If you need to create a separate user to run Oracle VA tests, note that the new user requires the SELECT_CATALOG_ROLE role in order to run most of the tests. However, because of Amazon Relational Database Service privilege restrictions, the following two tests must be run as the RDSADMIN account:

1. Default Accounts Password Changed

2. Default Accounts Password Changed - DBA_USERS_WITH_DEFPWD

VA Privilege requirements on MySQL Amazon Relational Database Service

The Amazon Relational Database Service ADMIN account has full capability and the proper privileges to run all Guardium MySQL VA tests, except for CAS. The CAS agent is not supported on an Amazon Relational Database Service instance. If you need to create a separate user to run MySQL VA tests, refer to the Guardium gdmmonitor-mys.sql script. The script is run with the RDSADMIN account and creates a less-privileged user.

Use the following statement to create the MySQL VA scan account. Replace <guardium-host-name> with the host name of the Guardium appliance that connects to the instance and choose your own password. The GRANT ... IDENTIFIED BY form creates the account implicitly on MySQL 5.7 and earlier; on MySQL 8.0 that form is not supported, so create the account first with CREATE USER and then run the GRANT without the IDENTIFIED BY clause.

GRANT SELECT ON mysql.user TO 'sqlguard'@'<guardium-host-name>' IDENTIFIED BY 'S0meC0mp1exPwd930';

VA Privilege requirements on PostgreSQL Amazon Relational Database Service

The Amazon Relational Database Service ADMIN account has full capability and the proper privileges to run all Guardium PostgreSQL VA tests, except for CAS. The CAS agent is not supported on an Amazon Relational Database Service instance. If you need to create a separate user to run PostgreSQL VA tests, refer to the Guardium gdmmonitor-postgres.sql script. The script is run with the RDSADMIN account and creates a less-privileged user.

Use the following statements to create the PostgreSQL VA scan account (the role attributes keep the account from gaining superuser, role-creation or database-creation rights):

CREATE USER "sqlguard" WITH PASSWORD 'S0meC0mp1exPwd930'
    NOSUPERUSER NOINHERIT NOCREATEDB NOCREATEROLE;

GRANT CONNECT ON DATABASE postgres TO sqlguard;

For more information on VA remediation details for Amazon Relational Database Service databases, see the database-specific spreadsheets attached to this document.


Document Information

Modified date:
02 October 2023

UID

swg27050667