Guardium provides a set of scripts to simplify the creation of groups
or roles with minimum privileges required for running vulnerability assessments.
Before you begin
This task requires downloading scripts from a Guardium system and running those scripts on a
database server. You will need to identify the IP address of the machine used to access the Guardium
system. This could be the IP address of an individual workstation where you will download the
scripts before transferring them to a database server, or it could be the IP address of the database
server itself.
About this task
A user requires access to the database and specific database privileges to run Guardium
vulnerability assessments and the Guardium classifier. Guardium provides a set of scripts to simplify
the creation of groups or roles with the minimum privileges required for running vulnerability
assessments. Once created, these groups or roles can be assigned to any database user who needs to
run an assessment. You will create a Guardium datasource with this user to perform the VA scan.
Scripts are provided to support most database types and are designed to be run in the database
tool itself. Each script includes detailed instructions in the script header. The privileges granted
for each database type can be seen by reviewing the GRANT statements in each script.
Important: Before running any scripts, database administrators should read the instructions
in the script headers and review the database actions that will be taken by the
script.
Procedure
- On a Guardium system, enable the file server using the fileserver CLI command.
  For example, to enable the file server for one hour and download the scripts to a system
  with IP address 10.0.0.1, use the following command:
  fileserver 10.0.0.1 3600
  When successfully initiated, the file server should display output similar to the following:
  Starting the file server...
  The file server is ready at https://guardium.host.com:8445
  The timeout has been set to 3600 seconds and it may timeout during the uploading.
  The upload will only be accessible from the IP you are logged in from: 10.0.0.1
  Press ENTER to stop the file server.
- On the machine where you will download the scripts, use a web browser to access the file server.
  For example, for a Guardium system running at https://guardium.host.com:8445, access the
  scripts for vulnerability assessment and classification at the following URLs:
  https://guardium.host.com:8445/log/debug-logs/gdmmonitor_scripts/
  https://guardium.host.com:8445/log/debug-logs/classification_role/
  Important: Discovery processes of the Guardium classifier require a higher level of
  database access than is required for vulnerability assessment tests. It is recommended to use the
  scripts in gdmmonitor_scripts for vulnerability assessment and the scripts in
  classification_role for the classifier.
- Download the required scripts using the web browser's save action or a similar function.
  Review the README.txt files to identify the correct scripts to use for specific database types.
  Tip: The following scripts are for Microsoft SQL Server:
  - gdmmonitor-mss.sql is for Microsoft SQL Server
  - gdmmonitor-mss-SA.sql provides administrative privileges required for six
    of the Microsoft SQL Server vulnerability assessment tests. If you do not allow these privileges,
    the tests will return errors indicating inadequate privileges. These six tests represent no more
    than 5% of the available tests.
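The steps above end with the scripts downloaded and a reminder that DBAs should review the actions each script will take before running it. The following POSIX shell script is an added example, not Guardium's own tooling: it fetches a script from the file server URL shown above with curl (assumed to be installed, and assumed to trust the file server's certificate, since no --insecure flag is used), then lists the GRANT statements in a downloaded script so the privileges being handed to the role can be read at a glance. The local directory name va_scripts, the helper names, and the admin-privilege patterns (sysadmin, CONTROL SERVER) are this example's own choices for a SQL Server review, not values from the page.

```shell
#!/bin/sh
# Added example (not from the Guardium page): download VA privilege scripts from
# the temporary Guardium file server and summarise their GRANT statements so a
# DBA can review them before running anything on the database server.
#
# Assumptions: curl is installed; the file server certificate is trusted by this
# host; FILESERVER may be overridden in the environment for a different appliance.

FILESERVER="${FILESERVER:-https://guardium.host.com:8445}"
BASE="$FILESERVER/log/debug-logs/gdmmonitor_scripts"

# fetch_script NAME DEST_DIR: download one file from the gdmmonitor_scripts
# directory. --fail makes curl return non-zero on an HTTP error (e.g. after the
# file server timeout has expired) instead of saving an error page as a script.
fetch_script() {
    name="$1"
    dest="$2"
    mkdir -p "$dest"
    curl --fail --silent --show-error -o "$dest/$name" "$BASE/$name"
}

# list_grants FILE: print every line that begins a GRANT statement, with its
# line number, so the reviewer sees exactly which privileges the role receives.
# Comment lines (starting with --) are not matched.
list_grants() {
    grep -i -n '^[[:space:]]*GRANT' "$1"
}

# count_grants FILE: number of GRANT statements; handy for comparing the
# minimal script with a variant that adds administrative privileges.
count_grants() {
    grep -i -c '^[[:space:]]*GRANT' "$1"
}

# flags_admin FILE: succeed (exit 0) if the script assigns server-level
# administrative rights, which deserve a closer look than ordinary VIEW grants.
# The patterns are an assumption for SQL Server review, not from the page.
flags_admin() {
    grep -i -E -q 'sysadmin|CONTROL[[:space:]]+SERVER' "$1"
}

# review_script FILE: human-readable summary for one downloaded script.
review_script() {
    echo "== $1: $(count_grants "$1") GRANT statement(s)"
    list_grants "$1"
    if flags_admin "$1"; then
        echo "!! $1 assigns server-level administrative rights; review before use"
    fi
}

# Stand-alone use: ./review.sh fetch  -> download README and the MSSQL script,
# then print the review summary. Without "fetch", only the functions are defined.
if [ "${1:-}" = "fetch" ]; then
    fetch_script README.txt ./va_scripts
    fetch_script gdmmonitor-mss.sql ./va_scripts
    review_script ./va_scripts/gdmmonitor-mss.sql
fi
```

Running `sh review.sh fetch` while the file server is still active downloads the README and the SQL Server script and prints the GRANT lines; running the same review_script function over gdmmonitor-mss-SA.sql shows the additional administrative rights that script introduces, which is the comparison the Tip above is pointing at.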
What to do next
Once you have downloaded the scripts required for your database servers, closely review and
follow the instructions in the script headers.