Database privileges for vulnerability assessments and classification

Guardium provides a set of scripts to simplify the creation of groups or roles with minimum privileges required for running vulnerability assessments.

Before you begin

This task requires downloading scripts from a Guardium system and running those scripts on a database server. You will need to identify the IP address of the machine used to access the Guardium system. This could be the IP address of an individual workstation where you will download the scripts before transferring them to a database server, or it could be the IP address of the database server itself.

About this task

A user requires access to the database and specific database privileges to run Guardium vulnerability assessments and Guardium classifier. Guardium provides a set of scripts to simplify the creation of groups or roles with minimum privileges required for running vulnerability assessments. Once created, these groups or roles can be assigned to any database user who needs to run an assessment. You will create a Guardium datasource with this user to perform the VA scan.

Scripts are provided for most supported database types and are designed to be run in the database's own client tool. Each script includes detailed instructions in its header. To see exactly which privileges a script grants for a given database type, open the script and review each GRANT statement.
Important: Before running any script, database administrators should read the instructions in the script header and review the database actions that the script will take.

Procedure

  1. On a Guardium system, enable the file server using the fileserver CLI command.
    For example, to enable the file server for one hour and download the scripts to a system with IP address 10.0.0.1, use the following command:
    fileserver 10.0.0.1 3600
    When successfully initiated, the file server should display output similar to the following:
    
    Starting the file server...
    The file server is ready at https://guardium.host.com:8445
    The timeout has been set to 3600 seconds and it may timeout during the uploading.
    
    The upload will only be accessible from the IP you are logged in from: 10.0.0.1
    
    Press ENTER to stop the file server.
  2. On the machine where you will download the scripts, use a web browser to access the file server.
    For example, for a Guardium system running at https://guardium.host.com:8445, access the scripts for vulnerability assessment and classification at the following URLs:
    https://guardium.host.com:8445/log/debug-logs/gdmmonitor_scripts/
    https://guardium.host.com:8445/log/debug-logs/classification_role/
    Important: Discovery processes of the Guardium classifier require a higher level of database access than is required for vulnerability assessment tests. It is recommended to use the scripts in gdmmonitor_scripts for vulnerability assessment and the scripts in classification_role for the classifier.
  3. Download the required scripts using the web browser's Right-click > Save link as... action or a similar function.
    Review the README.txt files to identify the correct scripts to use for specific database types.
    Tip: Two scripts are provided for Microsoft SQL Server:
    • gdmmonitor-mss.sql creates the minimum-privilege role for Microsoft SQL Server vulnerability assessment.
    • gdmmonitor-mss-SA.sql grants the administrative privileges required by six of the Microsoft SQL Server vulnerability assessment tests. If you do not grant these privileges, those tests return errors indicating inadequate privileges. These six tests represent no more than 5% of the available tests.

What to do next

Once you have downloaded the scripts required for your database servers, closely review and follow the instructions in the script headers.
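The review step above (reading the script header and checking each GRANT before running it) is easier when the grants are pulled out of the script and summarized. The following is an added example, not code shipped with Guardium or the content of any gdmmonitor script: it reads a T-SQL style role script, extracts the leading header comments, lists every GRANT as (privilege, object, grantee), and flags server-level permissions that go well beyond catalog reads so a DBA can confirm they belong in an "-SA" style script rather than the minimum-privilege one. The sample script, the role name gdmmonitor and the ELEVATED permission list are constructed for this example.

```python
import re

# CONSTRUCTED sample in the style of a T-SQL role script. It is NOT the
# content of Guardium's gdmmonitor-mss.sql; it exists only to exercise the parser.
SAMPLE_SCRIPT = """\
-- Sample role script (constructed for this example)
-- Run as a member of sysadmin. Creates the role gdmmonitor and grants
-- the catalog read privileges needed by the assessment tests.
USE master;
GO
CREATE ROLE gdmmonitor;
GO
GRANT VIEW ANY DEFINITION TO gdmmonitor;
GRANT VIEW SERVER STATE TO gdmmonitor;
GRANT SELECT ON sys.server_principals TO gdmmonitor;
GO
-- The following grant is far broader than catalog reads.
GRANT CONTROL SERVER TO gdmmonitor;
GO
"""

# Server-level permissions that confer far more than read access. A reviewer
# should expect to see these only in an "-SA" style script. (Assumed list; extend
# it to match your own review policy.)
ELEVATED = {
    "CONTROL SERVER",
    "ALTER ANY LOGIN",
    "ALTER ANY DATABASE",
    "IMPERSONATE ANY LOGIN",
}

# GRANT <privilege> [ON <object>] TO <grantee>[;]
GRANT_RE = re.compile(
    r"^\s*GRANT\s+(?P<priv>.+?)(?:\s+ON\s+(?P<obj>\S+))?\s+TO\s+(?P<grantee>\S+?)\s*;?\s*$",
    re.IGNORECASE,
)


def header_comments(script):
    """Return the leading '--' comment lines, i.e. the script's instructions."""
    lines = []
    for line in script.splitlines():
        s = line.strip()
        if s.startswith("--"):
            lines.append(s[2:].strip())
        elif s == "":
            continue  # blank lines inside the header are ignored
        else:
            break  # first real statement ends the header
    return lines


def parse_grants(script):
    """Return a list of (privilege, object, grantee) for every GRANT statement."""
    grants = []
    for line in script.splitlines():
        code = line.split("--", 1)[0]  # drop a trailing comment
        m = GRANT_RE.match(code)
        if m:
            priv = " ".join(m.group("priv").upper().split())
            obj = m.group("obj") or "SERVER"  # no ON clause means a server-level permission
            grants.append((priv, obj, m.group("grantee")))
    return grants


def flag_elevated(grants):
    """Return the subset of grants whose privilege is in the ELEVATED list."""
    return [g for g in grants if g[0] in ELEVATED]


def review(script):
    """Print a human-readable summary of a role script for a DBA to check."""
    print("Header instructions:")
    for line in header_comments(script):
        print("  " + line)
    grants = parse_grants(script)
    print("\nGrants:")
    for priv, obj, grantee in grants:
        print(f"  {priv:<22} on {obj:<22} to {grantee}")
    elevated = flag_elevated(grants)
    print("\nElevated permissions to confirm:" if elevated else "\nNo elevated permissions found.")
    for priv, obj, grantee in elevated:
        print(f"  {priv} on {obj} to {grantee}")
    return grants, elevated


if __name__ == "__main__":
    review(SAMPLE_SCRIPT)
```

Run it against a downloaded script by replacing SAMPLE_SCRIPT with the file's contents; the summary is a checklist for the review, not a substitute for reading the script itself, since statements other than GRANT (role creation, sp_addrolemember calls, database context changes) also matter.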