CAS templates
Guardium provides a set of CAS templates, one for each type of data repository.
CAS templates - Db2
OS Script
Designates an OS script to run. Must begin with the variable $SCRIPTS, which refers to the
scripts directory beneath the CAS home directory, and identify the script to run, e.g.,
$HOME/ db2_spm_log_path_group_test.sh"
. The script itself must, of course, reside
in the CAS $SCRIPTS directory. Output from the script is stored in the Guardium® database to be used by security assessments. This can be either a
shell or batch script to run, or a set of commands to enter on the command line. Because of the
fickle nature of Java's parsing, it is suggested that you put all but the simplest commands into a
script rather than run directly. On UNIX the script is run in the environment of the OS user
entered. Three environment variables will be defined for the run environment which the user could
use in writing scripts: $UCAS is the DB username, $PCAS is the DB password, and $ICAS is the DB
instance name. For Windows these three values will be
appended as the last three arguments to the batch file execution. For example, if you had an OS
Script template %SCRIPTS%\MyScript.bat my-arg1 my-arg2
, then %3, %4 and %5 would be
the DB username, password, and instance name respectively.
File
Designates a file to be tracked and monitored by security assessments. The path to the file can be absolute, or relative to the $INSTHOME variable. Set the value of the $INSTHOME variable in Database Instance Directory on the Datasource Definition panel. This is assumed to name a single file. Environment variables from the OS user environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the DB2® user's home directory.
File Pattern
Designates a group of
files to be tracked and monitored by security assessments. The path
to the files can be absolute, or relative to the $INSTHOME variable.
Set the value of the $INSTHOME variable in Database Instance
Directory on the Datasource Definition panel.
A .. in the path indicates one or more directories between
the portion of the path before it and the portion of the path after
it. A .+ in the path indicates exactly one directory between
the portion of the path before it and the portion of the path after
it. For example: $INSTHOME/sqllib/../db2.*
is just
a short-hand for creating many single file identifications from a
single identification string, a file pattern which will match all
files in the directory. A file pattern can be viewed as a series of
regular expressions separated by /'s. A file is matched if each element
of its full path can be matched by one of the regular expressions
in order. If an element of the pattern is an environment variable,
it is expanded before the match begins. If .. is one of the
elements of the pattern, it will match zero or more directory levels.
For example, /usr/local/../foo will match /usr/local/foo and /usr/local/gunk/junk/bunk/foo.
Using more than one .. element in a file pattern should not
be necessary and is discouraged because it makes the pattern very
slow to expand. Because of the confusion with its use in regular expressions \ cannot
be used as a separator as it might be in Windows.
Additionally, the Guardium UNIX/Db2 Assessment: UNIX - Db2 for UNIX set includes the following templates:
Db2govd Setuid Bits Is Not Set
This test monitors that the SETUID bit on Db2GOVD has been disabled
Db2start Setuid Bits Is Not Set
This test monitors that the SETUID bit on Db2START has been disabled
Db2stop Setuid Bits Is Not Set
This test monitors that the SETUID bit on Db2STOP has been disabled
File ownership
This test monitors file ownership, and changes thereto, of Db2 files.
File permissions
This test monitors file permissions, and changes thereto, of Db2 files.
CAS templates - Informix
OS Script
Designates an OS script to run. Must begin with the variable $SCRIPTS, which refers to the
scripts directory beneath the CAS home directory, and identify the script to run, e.g.,
$HOME/ informix_rootpath_owner.sh"
. The script itself must, of course, reside in
the CAS $SCRIPTS directory. Output from the script is stored in the Guardium database to be used by security assessments. This can be either a
shell/batch script to be run, or a set of commands that could be entered on the command line.
Because of the fickle nature of Java's parsing it is suggested that any but the simplest commands be
put into a script rather than run directly. On UNIX the script is run in the environment of the OS
user entered. Three environment variables will be defined for the run environment which the user
could use in writing scripts: $UCAS is the DB username, $PCAS is the DB password, and $ICAS is the
DB instance name. For Windows these three values will be
appended as the last three arguments to the batch file execution. For example, if you had an OS
Script template %SCRIPTS%\MyScript.bat my-arg1 my-arg2
, then %3, %4 and %5 would be
the DB username, password, and instance name respectively.
File
Designates a file to be tracked and monitored by security assessments. The path to the file can be absolute, or relative to the $ INFORMIXDIR variable. Set the value of the $INFORMIXDIR variable in Database Instance Directory on the Datasource Definition panel. This is assumed to name a single file. Environment variables from the OS user environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the Informix® user's home directory.
Additionally, the Guardium UNIX/Informix Assessment for UNIX set includes the following templates:
Scan log files for errors
This test monitors for error in the online.log file
File ownership
This test monitors file ownership, and changes thereto, of Informix files.
File permissions
This test monitors file permissions, and changes thereto, of Informix files.
CAS templates - Oracle
OS Script
Designates an OS script to run. Must begin with the variable $SCRIPTS, which refers to the scripts directory beneath the CAS home directory, and identify the script to run, e.g., $SCRIPTS/oracle_user.sh. The script itself must, of course, reside in the CAS $SCRIPTS directory. Output from the script is stored in the Guardium database to be used by security assessments. (This can be either a shell/batch script to be run, or a set of commands that could be entered on the command line. Because of the fickle nature of Java's parsing it is suggested that any but the simplest commands be put into a script rather than run directly. On UNIX the script is run in the environment of the OS user entered. Three environment variables will be defined for the run environment which the user could use in writing scripts: $UCAS is the DB username, $PCAS is the DB password, and $ICAS is the DB instance name. For Windows these three values will be appended as the last three arguments to the batch file execution. For example, if you had an OS Script template $SCRIPTS/mysql_mysqld_user.sh, then %3, %4 and %5 would be the DB username, password, and instance name respectively. )
File
Designates a file to be tracked and monitored. The path to the file can be absolute, or relative to the $ORACLE_HOME variable. The value of the $ORACLE_HOME variable is the value you set in the Database Instance Directory field of the Datasource Definition panel. (This is assumed to name a single file. Environment variables from the OS user environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the Oracle user's home directory.)
File Pattern
Designates a group of files to be tracked and monitored. The path to the files can be absolute, or relative to the $ORACLE_HOME variable. Set the value of the $ORACLE_HOME variable in Database Instance Directory on the Datasource Definition panel. A .. in the path indicates one or more directories between the portion of the path before it and the portion of the path after it. A .+ in the path indicates exactly one directory between the portion of the path before it and the portion of the path after it. For example: $ORACLE_HOME/oradata/../*.dbf (This is just a short-hand for creating many single file identifications from a single identification string, a file pattern. A file pattern can be viewed as a series of regular expressions separated by /'s. A file is matched if each element of its full path can be matched by one of the regular expressions in order. If an element of the pattern is an environment variable, it is expanded before the match begins. If .. is one of the elements of the pattern, it will match zero or more directory levels. For example, /usr/local/../foo will match /usr/local/foo and /usr/local/gunk/junk/bunk/foo. Using more than one .. element in a file pattern should not be necessary and is discouraged because it makes the pattern very slow to expand. Because of the confusion with its use in regular expressions \ cannot be used as a separator as it might be in Windows. The file pattern shown previously is not correct because *.dbf is not a valid regular expression. It should be .*dbf.
Additionally, the default Guardium UNIX/Oracle template set includes the following templates:
ADMIN_RESTRICTIONS Is On
This test monitors that the listener.ora parameter ADMIN_RESTRICTIONS is set properly.
File ownership
This test monitors file ownership, and changes thereto, of the Oracle data files, logs, executables, etc.
File permissions
This test monitors file permissions, and changes thereto, on the Oracle data files, logs, executables, etc.
Scan log files for errors
This test scans the Oracle log files for occurrences of error strings.
SPOOLMAIN.LOG Does Not Exist
This test checks the existence of the Oracle SPOOLMAIN.LOG.
CAS templates - MongoDB
MongoDB is typically used as an operational system and as a backend for web applications due to ease of programming for non-relational formatted data like JSON documents.
Use the UNIX/MongoDB template to specify multiple paths and multiple directories in the datasource to scan various components as specified in the MongoDB datasource definition.
Scan a file
pattern by selecting template items beginning with a $
.
Do not select the $SCRIPTS/mongodb_unmask_value.sh item - it is a Guardium reserve item.
If the template item is not specified as part of the Database Instance Directory in the MongoDB datasource definition, the item will be skipped over and not scanned.
CAS templates - Netezza®
File Ownership
This test checks whether the files are owned and belongs to the correct group according to the definition within the CAS template.
File Permission
This test checks whether the file permission is properly set according to the definition within the CAS template.
Scan Log files for errors
This test checks for these events (FATAL, ERROR, DEBUG, ABORT and PANIC) in these two log files. /nz/kit/log/postgres/pg.log and /nz/kit/log/startupsvr/startupsvr.log
Configuration for Oracle RAC systems
This is the required configuration for Oracle RAC systems.CAS templates - PostgreSQL
File Ownership
This test checks whether the files are owned and belongs to the correct group according to the definition within the CAS template.
File Permission
This test checks whether the file permission is properly set according to the definition within the CAS template.
PostgreSQL_BIN environment variable defined
This test check if the $PostgreSQL_BIN environment variable is defined in your database server. This variable need to be defined under the root account for UNIX/Linux or you can add to .profile for root login. For Windows OS, it needed to be defined for the Administrator login. For Red Hat Linux®, PostgreSQL BIN folder is usually in /usr/bin. For Solaris, it is usually something like /data/postgres/postgres/8.3-community/bin/64. Setting this environment variable is very important as other assessment tests relied on the location of this folder.
PostgreSQL_DATA environment variable defined
This test check if the $PostgreSQL_DATA environment variable is defined in your database server. This variable need to be defined under the root account for UNIX/Linux or you can add to .profile for root login. For Windows OS, it needed to be defined for the Administrator login. For Red Hat Linux, the default for DATA folder is usually in /var/lib/pgsql/data. For Solaris, there is no consistent location. Setting this environment variable is very important as other assessment tests relied on the location of this folder to find the correct configuration files.
CAS templates - SQL Server
OS Script
Designates an OS script to run. Output from the script is stored in the Guardium database. This can be either a shell/batch script to be run, or a set of commands that could be entered on the command.
Registry Variable
Search Windows registry for specific key value that are required by security assessments test.
CAS templates - Sybase
OS Script
Designates an OS script to run. Must begin with the variable $SCRIPTS, which refers to the scripts directory beneath the CAS home directory, and identify the script to run, e.g., $HOME/sybase_sysdevice_type_test.sh. The script itself must, of course, reside in the CAS $SCRIPTS directory. Output from the script is stored in the Guardium database to be used by security assessments. This can be either a shell/batch script to be run, or a set of commands that could be entered on the command line. Because of the fickle nature of Java's parsing it is suggested that any but the simplest commands be put into a script rather than run directly. On UNIX the script is run in the environment of the OS user entered. Three environment variables will be defined for the run environment which the user could use in writing scripts: $UCAS is the DB username, $PCAS is the DB password, and $ICAS is the DB instance name. For Windows these three values will be appended as the last three arguments to the batch file execution. For example, if you had an OS Script template %SCRIPTS%\MyScript.bat my-arg1 my-arg2, then %3, %4 and %5 would be the DB username, password, and instance name respectively.
File
Designates a file to be tracked and monitored by security assessments. The path to the file can be absolute, or relative to the $SYBASE variable. The value of the $SYBASE variable is the value you set in the Database Instance Directory field of the Datasource Definition panel. This is assumed to name a single file. Environment variables from the OS user environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the Sybase user's home directory.
File Pattern
Designates a group of files to be tracked and monitored by security assessments. The path to the files can be absolute, or relative to the $SYBASE variable. The value of the $SYBASE variable is the value you set in the Database Instance Directory field of the Datasource Definition panel. A .. in the path indicates one or more directories between the portion of the path before it and the portion of the path after it. A .+ in the path indicates exactly one directory between the portion of the path before it and the portion of the path after it. For example: $SYBASE/../.*dat" This is just a short-hand for creating many single file identifications from a single identification string, a file pattern. A file pattern can be viewed as a series of regular expressions separated by /'s. A file is matched if each element of its full path can be matched by one of the regular expressions in order. If an element of the pattern is an environment variable, it is expanded before the match begins. If .. is one of the elements of the pattern, it will match zero or more directory levels. For example, /usr/local/../foo will match /usr/local/foo and /usr/local/gunk/junk/bunk/foo. Using more than one .. element in a file pattern should not be necessary and is discouraged because it makes the pattern very slow to expand. Because of the confusion with its use in regular expressions \cannot be used as a separator as it might be in Windows.
Additionally, the Guardium UNIX/Sybase Assessment : UNX - SYBASE set includes the following templates :
Scan log files for errors
This test monitors for errors in Sybase log files.
sysdevice Owner is sysbase
This test monitors for ownership of sysdevice.
File ownership
This test monitors file ownership, and changes thereto, of Sybase files.
File permissions
This test monitors file permissions, and changes thereto, of Sybase files.
CAS templates - Teradata
- File ownership
This test checks whether the files are owned and belongs to the correct group according to the definition within the CAS template.
- File permission
This test checks whether the file permission is properly set according to the definition within the CAS template.
- Aster Data
Aster Data was acquired by Teradata in 2011, typically used for data warehousing and analytic application (OLAP). Aster Data created a framework called SQL-MapReduce that allows the Structured Query Language (SQL) to be used with Map Reduce. Aster Data is most often associated with clickstream kinds of applications.
An Aster nCluster includes a Queen Node Group, a Worker Node Group, and a Loader Node Group. A CAS agent is installed on all three node groups.
A security assessment should be created to execute all tests on the queen node. All database connections for Aster Data go through the queen node only.
Testing on worker and loader nodes are only required when performing CAS tests (File permission and File ownership).
Privilege tests loop through all the databases in a given instance.
When running VA tests that require CAS access, and filling in the CAS datasource configuration choices, specify the usernname that Aster is installed under for Database Instance Account. This username typically is called beehive.
For Database Instance Directory, this is the home directory of the beehive user. The default typically is /home/beehive.
When running VA tests that are do not use CAS, the customer should create their datasource, pointing to the QUEEN node within the cluster.
When running VA tests that are CAS dependent, if the node you are testing is one of the worker, then you would have to setup
Custom URL
in the datasource to point to the Queen node as that is how it is listening.Example
Host Name/IP = Worker.guard.xxx.xxx..com or 1xx.1xx.111.111 (This is the actual worker host even though worker is not listening to this. CAS needs this so it can send and receive data from the Worker's node)
Port = 2046 or whatever the port used.
Database = beehive
Custom URL= jdbc:ncluster://aster6q:2406/beehive (This JDBC example shows that we are actually connecting to the aster6q which is the queen node on port 2406 and beehive database)
Database instance account = beehive
Database instance directory = /home/beehive