CAS templates

Guardium provides a set of CAS templates, one for each type of data repository.

CAS templates - Db2

OS Script

Designates an OS script to run. Must begin with the variable $SCRIPTS, which refers to the scripts directory beneath the CAS home directory, and identify the script to run, e.g., $HOME/ db2_spm_log_path_group_test.sh". The script itself must, of course, reside in the CAS $SCRIPTS directory. Output from the script is stored in the Guardium® database to be used by security assessments. This can be either a shell or batch script to run, or a set of commands to enter on the command line. Because of the fickle nature of Java's parsing, it is suggested that you put all but the simplest commands into a script rather than run directly. On UNIX the script is run in the environment of the OS user entered. Three environment variables will be defined for the run environment which the user could use in writing scripts: $UCAS is the DB username, $PCAS is the DB password, and $ICAS is the DB instance name. For Windows these three values will be appended as the last three arguments to the batch file execution. For example, if you had an OS Script template %SCRIPTS%\MyScript.bat my-arg1 my-arg2, then %3, %4 and %5 would be the DB username, password, and instance name respectively.

File

Designates a file to be tracked and monitored by security assessments. The path to the file can be absolute, or relative to the $INSTHOME variable. Set the value of the $INSTHOME variable in Database Instance Directory on the Datasource Definition panel. This is assumed to name a single file. Environment variables from the OS user environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the DB2® user's home directory.

File Pattern

Designates a group of files to be tracked and monitored by security assessments. The path to the files can be absolute, or relative to the $INSTHOME variable. Set the value of the $INSTHOME variable in Database Instance Directory on the Datasource Definition panel. A .. in the path indicates one or more directories between the portion of the path before it and the portion of the path after it. A .+ in the path indicates exactly one directory between the portion of the path before it and the portion of the path after it. For example: $INSTHOME/sqllib/../db2.* is just a short-hand for creating many single file identifications from a single identification string, a file pattern which will match all files in the directory. A file pattern can be viewed as a series of regular expressions separated by /'s. A file is matched if each element of its full path can be matched by one of the regular expressions in order. If an element of the pattern is an environment variable, it is expanded before the match begins. If .. is one of the elements of the pattern, it will match zero or more directory levels. For example, /usr/local/../foo will match /usr/local/foo and /usr/local/gunk/junk/bunk/foo. Using more than one .. element in a file pattern should not be necessary and is discouraged because it makes the pattern very slow to expand. Because of the confusion with its use in regular expressions \ cannot be used as a separator as it might be in Windows.

Additionally, the Guardium UNIX/Db2 Assessment: UNIX - Db2 for UNIX set includes the following templates:

Db2govd Setuid Bits Is Not Set

This test monitors that the SETUID bit on Db2GOVD has been disabled

Db2start Setuid Bits Is Not Set

This test monitors that the SETUID bit on Db2START has been disabled

Db2stop Setuid Bits Is Not Set

This test monitors that the SETUID bit on Db2STOP has been disabled

File ownership

This test monitors file ownership, and changes thereto, of Db2 files.

File permissions

This test monitors file permissions, and changes thereto, of Db2 files.

CAS templates - Informix

OS Script

Designates an OS script to run. Must begin with the variable $SCRIPTS, which refers to the scripts directory beneath the CAS home directory, and identify the script to run, e.g., $HOME/ informix_rootpath_owner.sh". The script itself must, of course, reside in the CAS $SCRIPTS directory. Output from the script is stored in the Guardium database to be used by security assessments. This can be either a shell/batch script to be run, or a set of commands that could be entered on the command line. Because of the fickle nature of Java's parsing it is suggested that any but the simplest commands be put into a script rather than run directly. On UNIX the script is run in the environment of the OS user entered. Three environment variables will be defined for the run environment which the user could use in writing scripts: $UCAS is the DB username, $PCAS is the DB password, and $ICAS is the DB instance name. For Windows these three values will be appended as the last three arguments to the batch file execution. For example, if you had an OS Script template %SCRIPTS%\MyScript.bat my-arg1 my-arg2, then %3, %4 and %5 would be the DB username, password, and instance name respectively.

File

Designates a file to be tracked and monitored by security assessments. The path to the file can be absolute, or relative to the $ INFORMIXDIR variable. Set the value of the $INFORMIXDIR variable in Database Instance Directory on the Datasource Definition panel. This is assumed to name a single file. Environment variables from the OS user environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the Informix® user's home directory.

Additionally, the Guardium UNIX/Informix Assessment for UNIX set includes the following templates:

Scan log files for errors

This test monitors for error in the online.log file

File ownership

This test monitors file ownership, and changes thereto, of Informix files.

File permissions

This test monitors file permissions, and changes thereto, of Informix files.

CAS templates - Oracle

OS Script

Designates an OS script to run. Must begin with the variable $SCRIPTS, which refers to the scripts directory beneath the CAS home directory, and identify the script to run, e.g., $SCRIPTS/oracle_user.sh. The script itself must, of course, reside in the CAS $SCRIPTS directory. Output from the script is stored in the Guardium database to be used by security assessments. (This can be either a shell/batch script to be run, or a set of commands that could be entered on the command line. Because of the fickle nature of Java's parsing it is suggested that any but the simplest commands be put into a script rather than run directly. On UNIX the script is run in the environment of the OS user entered. Three environment variables will be defined for the run environment which the user could use in writing scripts: $UCAS is the DB username, $PCAS is the DB password, and $ICAS is the DB instance name. For Windows these three values will be appended as the last three arguments to the batch file execution. For example, if you had an OS Script template $SCRIPTS/mysql_mysqld_user.sh, then %3, %4 and %5 would be the DB username, password, and instance name respectively. )

File

Designates a file to be tracked and monitored. The path to the file can be absolute, or relative to the $ORACLE_HOME variable. The value of the $ORACLE_HOME variable is the value you set in the Database Instance Directory field of the Datasource Definition panel. (This is assumed to name a single file. Environment variables from the OS user environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the Oracle user's home directory.)

File Pattern

Designates a group of files to be tracked and monitored. The path to the files can be absolute, or relative to the $ORACLE_HOME variable. Set the value of the $ORACLE_HOME variable in Database Instance Directory on the Datasource Definition panel. A .. in the path indicates one or more directories between the portion of the path before it and the portion of the path after it. A .+ in the path indicates exactly one directory between the portion of the path before it and the portion of the path after it. For example: $ORACLE_HOME/oradata/../*.dbf (This is just a short-hand for creating many single file identifications from a single identification string, a file pattern. A file pattern can be viewed as a series of regular expressions separated by /'s. A file is matched if each element of its full path can be matched by one of the regular expressions in order. If an element of the pattern is an environment variable, it is expanded before the match begins. If .. is one of the elements of the pattern, it will match zero or more directory levels. For example, /usr/local/../foo will match /usr/local/foo and /usr/local/gunk/junk/bunk/foo. Using more than one .. element in a file pattern should not be necessary and is discouraged because it makes the pattern very slow to expand. Because of the confusion with its use in regular expressions \ cannot be used as a separator as it might be in Windows. The file pattern shown previously is not correct because *.dbf is not a valid regular expression. It should be .*dbf.

Additionally, the default Guardium UNIX/Oracle template set includes the following templates:

ADMIN_RESTRICTIONS Is On

This test monitors that the listener.ora parameter ADMIN_RESTRICTIONS is set properly.

File ownership

This test monitors file ownership, and changes thereto, of the Oracle data files, logs, executables, etc.

File permissions

This test monitors file permissions, and changes thereto, on the Oracle data files, logs, executables, etc.

Scan log files for errors

This test scans the Oracle log files for occurrences of error strings.

SPOOLMAIN.LOG Does Not Exist

This test checks the existence of the Oracle SPOOLMAIN.LOG.

CAS templates - MongoDB

MongoDB is typically used as an operational system and as a backend for web applications due to ease of programming for non-relational formatted data like JSON documents.

Use the UNIX/MongoDB template to specify multiple paths and multiple directories in the datasource to scan various components as specified in the MongoDB datasource definition.

Scan a file pattern by selecting template items beginning with a $.

Do not select the $SCRIPTS/mongodb_unmask_value.sh item - it is a Guardium reserve item.

If the template item is not specified as part of the Database Instance Directory in the MongoDB datasource definition, the item will be skipped over and not scanned.

Note: For CAS scripts to work, you must enable log in for the MongoDB account on the Mongo DB server. To enable log in, log in as root, run the command chsh mongod, and when prompted for new shell, enter /bin/bash.
Note: You can create your own template with multiple file paths for any type of datasource. When creating your own template, we recommend that you use the UNIX/MongoDB as a reference. To create a new template for a MongoDB datasource, you can clone and modify the UNIX/MongoDB template.
Note: MongoDB datasources support SSL server and client/server connections with SSL client certificates. MongoDB connections use a Java driver, instead of a JDBC database connection.
Note: The VA solution for MongoDB clusters can be run on mongos, a primary node and all secondary nodes for replica sets.

CAS templates - Netezza®

File Ownership

This test checks whether the files are owned and belongs to the correct group according to the definition within the CAS template.

File Permission

This test checks whether the file permission is properly set according to the definition within the CAS template.

Scan Log files for errors

This test checks for these events (FATAL, ERROR, DEBUG, ABORT and PANIC) in these two log files. /nz/kit/log/postgres/pg.log and /nz/kit/log/startupsvr/startupsvr.log

Configuration for Oracle RAC systems

This is the required configuration for Oracle RAC systems.
Change guard_tap.ini on each node installed with S-TAP:
unix_domain_socket_marker=<key>
where <key> value can be found in listener.ora in the IPC protocol definition
Example 1:
If the following is a description in the listener.ora
LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=ORCL))))
Then change the following parameter accordingly
unix_domain_socket_marker=ORCL
Example 2:
In the case where there is more than one IPC line in listener.ora, use a common denominator of all the key LISTENER=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER)))) LISTENER_SCAN1=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN1)))) LISTENER_SCAN2=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN2)))) LISTENER_SCAN3=(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=IPC)(KEY=LISTENER_SCAN3))))
Guardium uses a string search in the path so LISTENER will work for all four and should be used in this case:
unix_domain_socket_marker=LISTENER

CAS templates - PostgreSQL

Note: It is very important that PostgreSQL_BIN and PostgreSQL_DATA environment variables are defined correctly. An invalid setting causes other CAS assessment tests not to work properly or at all.

File Ownership

This test checks whether the files are owned and belongs to the correct group according to the definition within the CAS template.

File Permission

This test checks whether the file permission is properly set according to the definition within the CAS template.

PostgreSQL_BIN environment variable defined

This test check if the $PostgreSQL_BIN environment variable is defined in your database server. This variable need to be defined under the root account for UNIX/Linux or you can add to .profile for root login. For Windows OS, it needed to be defined for the Administrator login. For Red Hat Linux®, PostgreSQL BIN folder is usually in /usr/bin. For Solaris, it is usually something like /data/postgres/postgres/8.3-community/bin/64. Setting this environment variable is very important as other assessment tests relied on the location of this folder.

PostgreSQL_DATA environment variable defined

This test check if the $PostgreSQL_DATA environment variable is defined in your database server. This variable need to be defined under the root account for UNIX/Linux or you can add to .profile for root login. For Windows OS, it needed to be defined for the Administrator login. For Red Hat Linux, the default for DATA folder is usually in /var/lib/pgsql/data. For Solaris, there is no consistent location. Setting this environment variable is very important as other assessment tests relied on the location of this folder to find the correct configuration files.

CAS templates - SQL Server

OS Script

Designates an OS script to run. Output from the script is stored in the Guardium database. This can be either a shell/batch script to be run, or a set of commands that could be entered on the command.

Registry Variable

Search Windows registry for specific key value that are required by security assessments test.

CAS templates - Sybase

OS Script

Designates an OS script to run. Must begin with the variable $SCRIPTS, which refers to the scripts directory beneath the CAS home directory, and identify the script to run, e.g., $HOME/sybase_sysdevice_type_test.sh. The script itself must, of course, reside in the CAS $SCRIPTS directory. Output from the script is stored in the Guardium database to be used by security assessments. This can be either a shell/batch script to be run, or a set of commands that could be entered on the command line. Because of the fickle nature of Java's parsing it is suggested that any but the simplest commands be put into a script rather than run directly. On UNIX the script is run in the environment of the OS user entered. Three environment variables will be defined for the run environment which the user could use in writing scripts: $UCAS is the DB username, $PCAS is the DB password, and $ICAS is the DB instance name. For Windows these three values will be appended as the last three arguments to the batch file execution. For example, if you had an OS Script template %SCRIPTS%\MyScript.bat my-arg1 my-arg2, then %3, %4 and %5 would be the DB username, password, and instance name respectively.

File

Designates a file to be tracked and monitored by security assessments. The path to the file can be absolute, or relative to the $SYBASE variable. The value of the $SYBASE variable is the value you set in the Database Instance Directory field of the Datasource Definition panel. This is assumed to name a single file. Environment variables from the OS user environment can be used in the file name and will be expanded. For example, $HOME/START.sh will name the startup script in the Sybase user's home directory.

File Pattern

Designates a group of files to be tracked and monitored by security assessments. The path to the files can be absolute, or relative to the $SYBASE variable. The value of the $SYBASE variable is the value you set in the Database Instance Directory field of the Datasource Definition panel. A .. in the path indicates one or more directories between the portion of the path before it and the portion of the path after it. A .+ in the path indicates exactly one directory between the portion of the path before it and the portion of the path after it. For example: $SYBASE/../.*dat" This is just a short-hand for creating many single file identifications from a single identification string, a file pattern. A file pattern can be viewed as a series of regular expressions separated by /'s. A file is matched if each element of its full path can be matched by one of the regular expressions in order. If an element of the pattern is an environment variable, it is expanded before the match begins. If .. is one of the elements of the pattern, it will match zero or more directory levels. For example, /usr/local/../foo will match /usr/local/foo and /usr/local/gunk/junk/bunk/foo. Using more than one .. element in a file pattern should not be necessary and is discouraged because it makes the pattern very slow to expand. Because of the confusion with its use in regular expressions \cannot be used as a separator as it might be in Windows.

Additionally, the Guardium UNIX/Sybase Assessment : UNX - SYBASE set includes the following templates :

Scan log files for errors

This test monitors for errors in Sybase log files.

sysdevice Owner is sysbase

This test monitors for ownership of sysdevice.

File ownership

This test monitors file ownership, and changes thereto, of Sybase files.

File permissions

This test monitors file permissions, and changes thereto, of Sybase files.

CAS templates - Teradata

File ownership

This test checks whether the files are owned and belongs to the correct group according to the definition within the CAS template.

File permission

This test checks whether the file permission is properly set according to the definition within the CAS template.

Aster Data

Aster Data was acquired by Teradata in 2011, typically used for data warehousing and analytic application (OLAP). Aster Data created a framework called SQL-MapReduce that allows the Structured Query Language (SQL) to be used with Map Reduce. Aster Data is most often associated with clickstream kinds of applications.

An Aster nCluster includes a Queen Node Group, a Worker Node Group, and a Loader Node Group. A CAS agent is installed on all three node groups.

A security assessment should be created to execute all tests on the queen node. All database connections for Aster Data go through the queen node only.

Testing on worker and loader nodes are only required when performing CAS tests (File permission and File ownership).

Privilege tests loop through all the databases in a given instance.

When running VA tests that require CAS access, and filling in the CAS datasource configuration choices, specify the usernname that Aster is installed under for Database Instance Account. This username typically is called beehive.

For Database Instance Directory, this is the home directory of the beehive user. The default typically is /home/beehive.

When running VA tests that are do not use CAS, the customer should create their datasource, pointing to the QUEEN node within the cluster.

When running VA tests that are CAS dependent, if the node you are testing is one of the worker, then you would have to setup Custom URL in the datasource to point to the Queen node as that is how it is listening.

Example

Host Name/IP = Worker.guard.xxx.xxx..com or 1xx.1xx.111.111 (This is the actual worker host even though worker is not listening to this. CAS needs this so it can send and receive data from the Worker's node)

Port = 2046 or whatever the port used.

Database = beehive

Custom URL= jdbc:ncluster://aster6q:2406/beehive (This JDBC example shows that we are actually connecting to the aster6q which is the queen node on port 2406 and beehive database)

Database instance account = beehive

Database instance directory = /home/beehive