Question & Answer
Question
We would like to know the minimum user/role privileges required across the different database types to successfully run a VA scan.
Answer
Guardium provides a set of database-specific SQL scripts that prepare the database environment for Vulnerability Assessment, one script per database type. The script for your database type must be executed before the first scan. Each script contains detailed instructions on how to define database users/roles with sufficient privileges to connect to the database.
These gdmmonitor scripts are found on the appliance under the /var/log/guard/gdmmonitor_scripts folder. Refer to README.txt to know which script to use for which database. Read the header of each script carefully; it tells you exactly what you need to do. They are retrievable using fileserver.
Available scripts are:

Script Name | Database Server Type
--- | ---
gdmmonitor-db2.sql | DB2
Create_CKADBVA_schema_tables_zOS.sql | DB2 on zOS
gdmmonitor-db2-zOS.sq | DB2 on zOS
gdmmonitor-ifx.sql | Informix
gdmmonitor-mss.sql | MS-SQL 2005 and up
gdmmonitor-mss2000-only.sql | MS-SQL 2000 only
gdmmonitor-mss-SA.sql | MS-SQL
gdmmonitor-mys.sql | MySQL
gdmmonitor-netezza.sql | Netezza
gdmmonitor-netezza.sql | Oracle
gdmmonitor-ora-container.sq | Oracle Container DB
gdmmonitor-postgres.sql | PostgreSQL
gdmmonitor-syb.sql | Sybase
gdmmonitor-teradata.sql | Teradata
gdmmonitor-sybaseIQ.sql | SybaseIQ
Jconnect_SybaseIQ_requirement.txt | SybaseIQ
These scripts are found under the /var/log/guard/gdmmonitor_scripts folder on the appliance. They are retrievable using fileserver and the GUI. Each script takes care of setting up the user/role privileges automatically. Guardium does not need system privileges (admin or superuser).
Some database types have prerequisites that must be met before running the script:
Database Type: MSSQL
* gdmmonitor-mss.sql
This script creates a role called 'gdmmonitor' in ALL databases. It grants access to some system catalogs to this role for Security Assessment and entitlement use. It then adds a user called "sqlguard" to all databases and grants this user the gdmmonitor role.
* gdmmonitor-mss-SA.sql
This script grants the SYSADMIN server role to the sqlguard user. Certain MSSQL VA tests require the SYSADMIN privilege. If you execute those tests without the SYSADMIN privilege, they will error and advise you to grant the SYSADMIN server role. If you wish to execute those tests, you must grant the SYSADMIN server role to your datasource user.
The difference between the two scripts is that gdmmonitor-mss.sql does not grant the SYSADMIN privilege.
--
-- **NOTE**: This script should be run for all SQL Server 2005 and higher releases only.
-- If you are running SQL Server 2000 please use gdmmonitor-mss2000-only.sql
-- ------------------------------
-- before running this script
-- ------------------------------
-- SQL login user must exist before running this script.
-- you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
-- This sqlguard login doesn't need to be added to any database or given
-- any privilege. The script will take care of that.
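The following T-SQL is an added verification example, not one of the Guardium scripts. It uses the names the page gives (login/user 'sqlguard', database role 'gdmmonitor') and checks three things a DBA wants to confirm: that the login prerequisite for gdmmonitor-mss.sql is met, whether the login has been given sysadmin (i.e. whether gdmmonitor-mss-SA.sql was applied or the least-privilege variant is in force), and that every online database has the gdmmonitor role with sqlguard as a member. Run it as a login that can read sys.server_principals and the user databases.

```sql
-- Added verification example (not one of the Guardium scripts).
-- Names assumed from the page: login/user 'sqlguard', database role 'gdmmonitor'.
-- Run as a login that can read sys.server_principals and the user databases.

-- 1. Prerequisite check: the SQL login must exist before gdmmonitor-mss.sql is run.
SELECT name, type_desc, is_disabled, create_date
FROM   sys.server_principals
WHERE  name = N'sqlguard';

-- 2. Which variant is in force?
--    1    = sqlguard holds sysadmin (gdmmonitor-mss-SA.sql or a manual grant)
--    0    = least-privilege setup only (gdmmonitor-mss.sql)
--    NULL = login not found
SELECT IS_SRVROLEMEMBER('sysadmin', 'sqlguard') AS sqlguard_is_sysadmin;

-- 3. Per-database check: gdmmonitor role present and sqlguard a member,
--    for every ONLINE database. Built as dynamic SQL so one statement
--    covers all databases (DECLARE/SET kept separate for SQL Server 2005).
DECLARE @sql nvarchar(max);
SET @sql = N'';

SELECT @sql = @sql + N'
SELECT ' + QUOTENAME(d.name, '''') + N' AS database_name,
       CASE WHEN EXISTS (SELECT 1 FROM ' + QUOTENAME(d.name) + N'.sys.database_principals
                         WHERE name = N''gdmmonitor'' AND type = ''R'')
            THEN 1 ELSE 0 END AS role_exists,
       CASE WHEN EXISTS (SELECT 1
                         FROM ' + QUOTENAME(d.name) + N'.sys.database_role_members rm
                         JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals r
                              ON r.principal_id = rm.role_principal_id
                         JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals u
                              ON u.principal_id = rm.member_principal_id
                         WHERE r.name = N''gdmmonitor'' AND u.name = N''sqlguard'')
            THEN 1 ELSE 0 END AS sqlguard_in_role
UNION ALL'
FROM sys.databases AS d
WHERE d.state_desc = 'ONLINE';

-- Drop the trailing UNION ALL and execute the assembled query.
SET @sql = LEFT(@sql, LEN(@sql) - LEN(N'UNION ALL'));
EXEC sys.sp_executesql @sql;
```

A row with role_exists = 0 or sqlguard_in_role = 0 identifies a database that was created after the script ran (or restored from elsewhere) and therefore needs gdmmonitor-mss.sql re-run before it can be scanned. A value of 1 from step 2 on a server where the SYSADMIN-dependent tests are not needed means the datasource user holds more privilege than the least-privilege setup requires.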
Database Type: DB2
-- This script grants the required privileges for VA on the database. You don't have to do anything.
-- ------------------------------
-- before running this script
-- ------------------------------
-- The role and the user must exist as an OS group before running this script.
-- Example using AIX:
-- # mkgroup gdmmon
-- # mkuser pgrp=gdmmon groups=gdmmon <gdm_user>
-- # passwd <gdm_user>
--
-- Example using Linux:
-- # groupadd gdmmon
-- # useradd -m -d /home/gdm_user -g gdmmon gdm_user
-- # passwd gdm_user
Database Type: Oracle
-- This script creates a 'gdmmonitor' role required for Classification and Assessment on the database.
--
-- Note: This script grants execution of the user-defined
-- password verification function to 'gdmmonitor' so that
-- assessment tests may evaluate password strength.
-- Make sure that the user executing this script has
-- Authority to grant execution to the function used
-- to verify password strength.
--
-- ------------------------------
-- before running this script
-- ------------------------------
-- Nothing
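The Oracle header above requires that the user running the script be able to grant EXECUTE on the password verification function. The following Oracle SQL is an added example, not part of the Guardium script, that shows how to confirm this before running the script and how to confirm the grant afterwards. It assumes the role name GDMMONITOR from the page and a session with SELECT on the DBA_ views; the "grant authority" classification (owner, EXECUTE WITH GRANT OPTION, or GRANT ANY OBJECT PRIVILEGE) is the standard Oracle rule for who may grant an object privilege.

```sql
-- Added verification example for the Oracle prerequisite (not part of the Guardium script).
-- Assumes the role name GDMMONITOR from the page; run as a user with SELECT on the DBA_ views.

-- 1. Which password verification function (if any) is attached to each profile?
--    A limit of DEFAULT inherits the DEFAULT profile's setting; NULL means none.
SELECT profile, limit AS verify_function
FROM   dba_profiles
WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION';

-- 2. Can the current session grant EXECUTE on that function to GDMMONITOR?
--    Possible only if the session owns the function, holds EXECUTE WITH GRANT OPTION,
--    or holds the GRANT ANY OBJECT PRIVILEGE system privilege.
SELECT p.profile, o.owner, o.object_name,
       CASE
         WHEN o.owner = USER THEN 'owner'
         WHEN EXISTS (SELECT 1 FROM user_tab_privs t
                      WHERE t.owner = o.owner AND t.table_name = o.object_name
                        AND t.privilege = 'EXECUTE' AND t.grantable = 'YES')
              THEN 'execute with grant option'
         WHEN EXISTS (SELECT 1 FROM session_privs s
                      WHERE s.privilege = 'GRANT ANY OBJECT PRIVILEGE')
              THEN 'grant any object privilege'
         ELSE 'cannot grant - fix before running the script'
       END AS grant_authority
FROM   dba_profiles p
JOIN   dba_objects  o
       ON  o.object_name = p.limit
       AND o.object_type = 'FUNCTION'
WHERE  p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
AND    p.limit NOT IN ('NULL', 'DEFAULT');

-- 3. After the script has run: confirm GDMMONITOR received EXECUTE on the function.
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee   = 'GDMMONITOR'
AND    privilege = 'EXECUTE';
```

If step 2 reports "cannot grant", the script will fail at that GRANT statement and the password-strength assessment tests will not be able to evaluate the function; run the script from the function owner (typically the account that installed the verification function) rather than widening the privileges of the VA datasource user.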
Database Type: Teradata
-- This script creates a role called 'gdmmonitor'.
-- It grants some system catalogs to this role to allow Classification and Assessment on the database.
-- It then grants the user "sqlguard" the gdmmonitor role.
--
-- ------------------------------
-- before running this script
-- ------------------------------
-- you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
-- This sqlguard login doesn't need to be added to any database or given
-- any privilege. The script will take care of that.
Document Information
Modified date:
16 June 2018
UID
swg22008986