Running database entitlement reports

Database entitlement reports provide up-to-date snapshots of database users and their required access privileges. Learn how to prepare and run these reports to validate and ensure that users have only the privileges that are needed to perform their duties.

Before you begin

This task requires downloading scripts from a Guardium system and running those scripts on a database server. You need to identify the IP address of the machine that is used to access the Guardium system for downloading scripts. The address can be either an individual workstation where you download the scripts before you transfer them to a database server, or the database server itself. If the relevant scripts for Vulnerability Assessment are already download and run, you can start at step 5.

About this task

Along with authenticating users and restricting role-based access privileges to data, even for the most privileged database users, periodically perform entitlement reviews: validate and ensure that users have only the privileges that are required to perform their duties. This process is known as database user rights attestation reporting.

You can use the Guardium predefined database entitlement (privilege) reports to see who has system privileges and who granted these privileges to other users and roles. Database entitlement reports are important for auditors who are tracking changes to database access, and to ensure that security holes do not exist from lingering accounts or ill-granted privileges.

DB entitlement reports use the Custom Domain feature of Guardium® to create links between the external data on the selected database with the internal data of the predefined entitlement reports. Predefined entitlement reports are available for many data sources, including: Oracle; MYSQL; DB2®; Sybase; Sybase IQ; Informix®; MS SQL 2000/2005/2008; Netezza®; Teradata; and PostgreSQL; Db2 on z/OS. For MS SQL Server and Oracle databases you can also use Entitlement Optimization to access this information. For a full description of the domains in the DB entitlement reports, see Database Entitlement Reports. (For more information about the Custom Domain Builder, Custom Query Builder, or Custom Table Builder, see External data correlation.

DB Entitlement Reports require access to the database and specific database privileges, similar to Vulnerability Assessments (VA). Both are enabled by scripts that are run in the database itself. (The scripts are used for both VA and entitlement reporting.) Use these database-specific SQL scripts as guidance to define database user roles that connect to the database. Once created, these groups or roles can be assigned to any database user who needs to run an assessment. The available scripts are:
  • gdmmonitor-db2.sql (for Db2)
  • create_CKADBVA_schema_tables_zOS.sql (for Db2 on zOS)
  • gdmmonitor-db2-zOS.sql (for Db2 on zOS)
  • gdmmonitor-mss.sql (for MS-SQL 2005 and up)
  • gdmmonitor-mss.sql(for MS-SQL 2005 and up)
  • gdmmonitor-mss-SA.sql (for MS-SQL)
  • gdmmonitor-mys.sql (for MySQL)
  • gdmmonitor-netezza.sql (for Netezza)
  • gdmmonitor-ora.sql (for Oracle)
  • gdmmonitor-ora-container.sql (for Oracle Container DB)
  • gdmmonitor-postgres.sql (for PostgreSQL)
  • gdmmonitor-syb.sql (for Sybase)
  • gdmmonitor-teradata.sql (for Teradata)
  • gdmmonitor-sybaseIQ.sql (for SybaseIQ)
  • Jconnect_SybaseIQ_requirement.txt (for SybaseIQ)
  • gdmmonitor-db2-IBMi.sql (for Db2 on iSeries)
  • gdmmonitor-Aster.sql (for Aster)
  • gdmmonitor-mongodb24.sql (for Mongodb 2.4)
  • gdmmonitor-mongodb26andAbove.sql (for Mongodb 2.6 and above)
  • gdmmonitor-hive-Cloudera.sql (for Hive on Cloudera Hadoop distribution)
  • gdmmonitor-Cloudera-Manager.sql (for Cloudera Manager)
  • gdmmonitor-DSE-Cassandra.sql (for DataStax Cassandra)
  • gdmmonitor-SAP-Hana.sql (For SAP Hana)
  • gdmmonitor-Apache-Cassandra.sql (For Apache Cassandra)
  • gdmmonitor-azure.sql (For SQL DB Azure)
  • gdmmonitor-Couchbase.sql (For Couchbase)
  • gdmmonitor-ifx.sql (For Informix)
  • gdmmonitor-mariaDB.sql (For MariaDB)
  • gdmmonitor-mongodb26-To-34.sql (For MongoDB version 2.6 to 3.4)
  • gdmmonitor-mongodb36andAbove.sql (For MongoDB version 3.6 and up)
  • gdmmonitor-mss2000-only.sql (For MS SQL Server 2000)
  • gdmmonitor-Neo4j.sql (For Neo4j)
  • gdmmonitor-ora-autonomous.sql (For Oracle autonomous)
  • gdmmonitor-ora-RDS.sql (For Oracle RDS)
  • gdmmonitor-PerconaMySQL.sql (For Percona MySQL)
  • gdmmonitor-postgres.sql (For PostgreSQL)
  • gdmmonitor-Redshift.sql (For Redshift)
  • gdmmonitor-Snowflake.sql (For Snowflake)
  • gdmmonitor-syb.sql (For Sybase)
  • gdmmonitor-sybaseIQ.sql (For SybaseIQ)
  • gdmmonitor-teradata.sql (For Teradata)
Important: Before you run any scripts, be sure to read the instructions in the script headers and review the database actions that the script takes.

Procedure

  1. On a Guardium system, enable the file server by using the fileserver CLI command.
    For example, to enable the file server for 1 hour and download the scripts to a system with IP address 10.0.0.1, use the following command:
    fileserver 10.0.0.1 3600
    When successfully initiated, the output is similar to:
    
    Starting the file server...
    The file server is ready at https://guardium.host.com:8445
    The timeout has been set to 3600 seconds and it may timeout during the uploading.
    
    The upload will only be accessible from the IP you are logged in from: 10.0.0.1
    
    Press ENTER to stop the file server.
  2. On the machine where you download the scripts, use a web browser to access the file server.
    For example, to access the scripts on a Guardium system that runs at https://guardium.host.com:8445, enter the following URL:
    https://guardium.host.com:8445/log/debug-logs/gdmmonitor_scripts/
  3. Download the required scripts using the web browser's Right-click > Save link as... action or a similar function.
    Review the README.txt files to identify the correct scripts to use for specific database types.
  4. Follow the instructions in the file header.
  5. Add data sources or databases to the appliance.
  6. Assign data sources to entitlements (browse to Comply > Custom Reporting > Custom Table Builder. Select the custom table listing of your entitlement. Click Upload Data. Assign data sources to the entitlement report at the Import Data menu screen. When you are done, click Run Once Now.
  7. To see entitlement reports, type the report name in the Quick Search.